external/boringssl: bump revision.
This change bumps the BoringSSL revision to the current tip-of-tree.
Change-Id: I91d5bf467e16e8d86cb19a4de873985f524e5faa
diff --git a/src/BUILDING b/src/BUILDING
index 18ddde1..d818f95 100644
--- a/src/BUILDING
+++ b/src/BUILDING
@@ -3,7 +3,8 @@
* CMake[1] 2.8.8 or later is required.
* Perl 5.6.1 or later is required. On Windows, Strawberry Perl and MSYS Perl
- have both been reported to work.
+ have both been reported to work. If not found by CMake, it may be configured
+ explicitly by setting PERL_EXECUTABLE.
* On Windows you currently must use Ninja[2] to build; on other platforms,
it is not required, but recommended, because it makes builds faster.
@@ -11,16 +12,15 @@
* If you need to build Ninja from source, then a recent version of
Python[3] is required (Python 2.7.5 works).
- * On Windows only, Yasm[4] is required.
+ * On Windows only, Yasm[4] is required. If not found by CMake, it may be
+ configured explicitly by setting CMAKE_ASM_NASM_COMPILER.
* A C compiler is required. On Windows, MSVC 12 (Visual Studio 2013) or later
with Platform SDK 8.1 or later are supported. Recent versions of GCC and
Clang should work on non-Windows platforms, and maybe on Windows too.
- * Bash is required for running some tests, but not for building.
-
- * Go[5] is required for running some tests, but not for building. Note that
- these tests do not work on Windows.
+ * Go[5] is required. If not found by CMake, the go executable may be
+ configured explicitly by setting GO_EXECUTABLE.
Using Ninja (note the 'N' is capitalized in the cmake invocation):
@@ -43,17 +43,37 @@
Note that the default build flags in the top-level CMakeLists.txt are for
debugging - optimisation isn't enabled.
-If you want to cross-compile then there are example toolchain files for 32-bit
-Intel and ARM in util/. Wipe out the build directory, recreate it and run cmake
+If you want to cross-compile then there is an example toolchain file for
+32-bit Intel in util/. Wipe out the build directory, recreate it and run cmake
like this:
- cmake -DCMAKE_TOOLCHAIN_FILE=../util/arm-toolchain.cmake -GNinja ..
+ cmake -DCMAKE_TOOLCHAIN_FILE=../util/32-bit-toolchain.cmake -GNinja ..
If you want to build as a shared library, pass -DBUILD_SHARED_LIBS=1. On
Windows, where functions need to be tagged with "dllimport" when coming from a
shared library, define BORINGSSL_SHARED_LIBRARY in any code which #includes the
BoringSSL headers.
+
+Building for Android:
+
+It's possible to build BoringSSL with the Android NDK using CMake. This has
+been tested with version 10d of the NDK.
+
+Unpack the Android NDK somewhere and export ANDROID_NDK to point to the
+directory. Clone https://github.com/taka-no-me/android-cmake into util/.
+Then make a build directory as above and run CMake *twice* like this:
+
+ cmake -DANDROID_NATIVE_API_LEVEL=android-9 \
+ -DANDROID_ABI=armeabi-v7a \
+ -DCMAKE_TOOLCHAIN_FILE=../util/android-cmake/android.toolchain.cmake \
+ -GNinja ..
+
+Once you've run that twice, ninja should produce Android-compatible binaries.
+You can replace "armeabi-v7a" in the above with "arm64-v8a" to build aarch64
+binaries.
+
+
Known Limitations on Windows:
* Versions of cmake since 3.0.2 have a bug in its Ninja generator that causes
@@ -65,8 +85,6 @@
don't have steps for assembling the assembly language source files, so they
currently cannot be used to build BoringSSL.
- * The tests written in Go do not work.
-
[1] http://www.cmake.org/download/
[2] https://martine.github.io/ninja/
@@ -75,7 +93,4 @@
[4] http://yasm.tortall.net/
- Either ensure yasm.exe is in %PATH% or configure CMAKE_ASM_NASM_COMPILER
- appropriately.
-
[5] https://golang.org/dl/
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 9a61495..6e41ee9 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -2,6 +2,20 @@
project (BoringSSL)
+if(ANDROID)
+ # Android-NDK CMake files reconfigure the path and so Go and Perl won't be
+ # found. However, ninja will still find them in $PATH if we just name them.
+ set(PERL_EXECUTABLE "perl")
+ set(GO_EXECUTABLE "go")
+else()
+ find_package(Perl REQUIRED)
+ find_program(GO_EXECUTABLE go)
+endif()
+
+if (NOT GO_EXECUTABLE)
+ message(FATAL_ERROR "Could not find Go")
+endif()
+
if(CMAKE_COMPILER_IS_GNUCXX OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Werror -ggdb -fvisibility=hidden")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wall -Werror -ggdb -std=c++0x -fvisibility=hidden")
@@ -11,12 +25,17 @@
"C4127" # conditional expression is constant
"C4200" # nonstandard extension used : zero-sized array in
# struct/union.
+ "C4210" # nonstandard extension used : function given file scope
"C4242" # 'function' : conversion from 'int' to 'uint8_t',
# possible loss of data
"C4244" # 'function' : conversion from 'int' to 'uint8_t',
# possible loss of data
"C4245" # 'initializing' : conversion from 'long' to
# 'unsigned long', signed/unsigned mismatch
+ "C4267" # conversion from 'size_t' to 'int', possible loss of data
+ "C4371" # layout of class may have changed from a previous version of the
+ # compiler due to better packing of member '...'
+ "C4388" # signed/unsigned mismatch
"C4296" # '>=' : expression is always true
"C4350" # behavior change: 'std::_Wrap_alloc...'
"C4365" # '=' : conversion from 'size_t' to 'int',
@@ -29,7 +48,10 @@
# side-effect" caused by FD_* macros.
"C4610" # struct 'argument' can never be instantiated - user defined
# constructor required.
- "C4701" # potentially uninitialized local variable 'mdlen' used
+ "C4625" # copy constructor could not be generated because a base class
+ # copy constructor is inaccessible or deleted
+ "C4626" # assignment operator could not be generated because a base class
+ # assignment operator is inaccessible or deleted
"C4706" # assignment within conditional expression
"C4710" # 'function': function not inlined
"C4711" # function 'function' selected for inline expansion
@@ -45,9 +67,10 @@
set(CMAKE_CXX_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR}")
add_definitions(-D_HAS_EXCEPTIONS=0)
add_definitions(-DWIN32_LEAN_AND_MEAN)
+ add_definitions(-DNOMINMAX)
endif()
-if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.5.99") OR
+if((CMAKE_COMPILER_IS_GNUCXX AND CMAKE_C_COMPILER_VERSION VERSION_GREATER "4.7.99") OR
CMAKE_CXX_COMPILER_ID MATCHES "Clang")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wshadow")
@@ -81,12 +104,21 @@
set(ARCH "x86")
elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm")
set(ARCH "arm")
+elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "armv7-a")
+ set(ARCH "arm")
elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
set(ARCH "aarch64")
else()
message(FATAL_ERROR "Unknown processor:" ${CMAKE_SYSTEM_PROCESSOR})
endif()
+if (ANDROID AND ${ARCH} STREQUAL "arm")
+ # The Android-NDK CMake files somehow fail to set the -march flag for
+ # assembly files. Without this flag, the compiler believes that it's
+ # building for ARMv5.
+ set(CMAKE_ASM_FLAGS "${CMAKE_ASM_FLAGS} -march=armv7-a")
+endif()
+
if (${ARCH} STREQUAL "x86" AND APPLE)
# With CMake 2.8.x, ${CMAKE_SYSTEM_PROCESSOR} evalutes to i386 on OS X,
# but clang defaults to 64-bit builds on OS X unless otherwise told.
@@ -94,7 +126,13 @@
set(ARCH "x86_64")
endif()
+if (OPENSSL_NO_ASM)
+ add_definitions(-DOPENSSL_NO_ASM)
+ set(ARCH "generic")
+endif()
+
add_subdirectory(crypto)
add_subdirectory(ssl)
add_subdirectory(ssl/test)
add_subdirectory(tool)
+add_subdirectory(decrepit)
diff --git a/src/STYLE b/src/STYLE
new file mode 100644
index 0000000..578da68
--- /dev/null
+++ b/src/STYLE
@@ -0,0 +1,198 @@
+BoringSSL Style Guide.
+
+BoringSSL usually follows the Google C++ style guide, found below. The
+rest of this document describes differences and clarifications on top
+of the base guide.
+
+https://google-styleguide.googlecode.com/svn/trunk/cppguide.html
+
+
+Legacy code.
+
+As a derivative of OpenSSL, BoringSSL contains a lot of legacy code
+that does not follow this style guide. Particularly where public API
+is concerned, balance consistency within a module with the benefits of
+a given rule. Module-wide deviations on naming should be respected
+while integer and return value conventions take precedence over
+consistency.
+
+Some modules have seen few changes, so they still retain the original
+indentation style for now. When editing these, try to retain the
+original style. For Emacs, doc/c-indentation.el from OpenSSL may be
+helpful in this.
+
+
+Language.
+
+The majority of the project is in C, so C++-specific rules in the
+Google style guide do not apply. Support for C99 features depends on
+our target platforms. Typically, Chromium's target MSVC is the most
+restrictive.
+
+Variable declarations in the middle of a function are allowed.
+
+Comments should be /* C-style */ for consistency.
+
+When declaration pointer types, * should be placed next to the variable
+name, not the type. So
+
+ uint8_t *ptr;
+
+not
+
+ uint8_t* ptr;
+
+Rather than malloc() and free(), use the wrappers OPENSSL_malloc() and
+OPENSSL_free(). Use the standard C assert() function freely.
+
+For new constants, prefer enums when the values are sequential and typed
+constants for flags. If adding values to an existing set of #defines, continue
+with #define.
+
+
+Formatting.
+
+Single-statement blocks are not allowed. All conditions and loops must
+use braces:
+
+ if (foo) {
+ do_something();
+ }
+
+not
+
+ if (foo)
+ do_something();
+
+
+Integers.
+
+Prefer using explicitly-sized integers where appropriate rather than
+generic C ones. For instance, to represent a byte, use uint8_t, not
+unsigned char. Likewise, represent a two-byte field as uint16_t, not
+unsigned short.
+
+Sizes are represented as size_t.
+
+Within a struct that is retained across the lifetime of an SSL
+connection, if bounds of a size are known and it's easy, use a smaller
+integer type like uint8_t. This is a "free" connection footprint
+optimization for servers. Don't make code significantly more complex
+for it, and do still check the bounds when passing in and out of the
+struct. This narrowing should not propagate to local variables and
+function parameters.
+
+When doing arithmetic, account for overflow conditions.
+
+Except with platform APIs, do not use ssize_t. MSVC lacks it, and
+prefer out-of-band error signaling for size_t (see Return values).
+
+
+Naming.
+
+Follow Google naming conventions in C++ files. In C files, use the
+following naming conventions for consistency with existing OpenSSL and C
+styles:
+
+Define structs with typedef named TYPE_NAME. The corresponding struct
+should be named struct type_name_st.
+
+Name public functions as MODULE_function_name, unless the module
+already uses a different naming scheme for legacy reasons. The module
+name should be a type name if the function is a method of a particular
+type.
+
+Some types are allocated within the library while others are
+initialized into a struct allocated by the caller, often on the
+stack. Name these functions TYPE_NAME_new/TYPE_NAME_free and
+TYPE_NAME_init/TYPE_NAME_cleanup, respectively. All TYPE_NAME_free
+functions must do nothing on NULL input.
+
+If a variable is the length of a pointer value, it has the suffix
+_len. An output parameter is named out or has an out_ prefix. For
+instance, For instance:
+
+ uint8_t *out,
+ size_t *out_len,
+ const uint8_t *in,
+ size_t in_len,
+
+Name public headers like include/openssl/evp.h with header guards like
+OPENSSL_HEADER_EVP_H. Name internal headers like crypto/ec/internal.h
+with header guards like OPENSSL_HEADER_EC_INTERNAL_H.
+
+Name enums like unix_hacker_t. For instance:
+
+enum should_free_handshake_buffer_t {
+ free_handshake_buffer,
+ dont_free_handshake_buffer,
+};
+
+
+Return values.
+
+As even malloc may fail in BoringSSL, the vast majority of functions
+will have a failure case. Functions should return int with one on
+success and zero on error. Do not overload the return value to both
+signal success/failure and output an integer. For example:
+
+ OPENSSL_EXPORT int CBS_get_u16(CBS *cbs, uint16_t *out);
+
+If a function needs more than a true/false result code, define an enum
+rather than arbitrarily assigning meaning to int values.
+
+If a function outputs a pointer to an object on success and there are no
+other outputs, return the pointer directly and NULL on error.
+
+
+Parameters.
+
+Where not constrained by legacy code, parameter order should be:
+
+1. context parameters
+2. output parameters
+3. input parameters
+
+For example,
+
+/* CBB_add_asn sets |*out_contents| to a |CBB| into which the contents of an
+ * ASN.1 object can be written. The |tag| argument will be used as the tag for
+ * the object. It returns one on success or zero on error. */
+OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, uint8_t tag);
+
+
+Documentation.
+
+All public symbols must have a documentation comment in their header
+file. The style is based on that of Go. The first sentence begins with
+the symbol name, optionally prefixed with "A" or "An". Apart from the
+initial mention of symbol, references to other symbols or parameter
+names should be surrounded by |pipes|.
+
+Documentation should be concise but completely describe the exposed
+behavior of the function. Pay special note to success/failure behaviors
+and caller obligations on object lifetimes. If this sacrifices
+conciseness, consider simplifying the function's behavior.
+
+/* EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
+ * will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
+ * zero otherwise. */
+OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data,
+ size_t len);
+
+Explicitly mention any surprising edge cases or deviations from common
+return value patterns in legacy functions.
+
+/* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
+ * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
+ * least |RSA_size| bytes of space. It returns the number of bytes written, or
+ * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
+ * values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
+ *
+ * WARNING: this function is dangerous because it breaks the usual return value
+ * convention. Use |RSA_sign_raw| instead. */
+OPENSSL_EXPORT int RSA_private_encrypt(int flen, const uint8_t *from,
+ uint8_t *to, RSA *rsa, int padding);
+
+Document private functions in their internal.h header or, if static,
+where defined.
diff --git a/src/crypto/CMakeLists.txt b/src/crypto/CMakeLists.txt
index cb8f63a..6433dc6 100644
--- a/src/crypto/CMakeLists.txt
+++ b/src/crypto/CMakeLists.txt
@@ -2,7 +2,7 @@
if(APPLE)
if (${ARCH} STREQUAL "x86")
- set(PERLASM_FLAGS "-fPIC")
+ set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
endif()
set(PERLASM_STYLE macosx)
set(ASM_EXT S)
@@ -12,8 +12,10 @@
# The "armx" Perl scripts look for "64" in the style argument
# in order to decide whether to generate 32- or 64-bit asm.
set(PERLASM_STYLE linux64)
+ elseif (${ARCH} STREQUAL "arm")
+ set(PERLASM_STYLE linux32)
elseif (${ARCH} STREQUAL "x86")
- set(PERLASM_FLAGS "-fPIC")
+ set(PERLASM_FLAGS "-fPIC -DOPENSSL_IA32_SSE2")
set(PERLASM_STYLE elf)
else()
set(PERLASM_STYLE elf)
@@ -27,6 +29,7 @@
else()
message("Using win32n")
set(PERLASM_STYLE win32n)
+ set(PERLASM_FLAGS "-DOPENSSL_IA32_SSE2")
endif()
# On Windows, we use the NASM output, specifically built with Yasm.
@@ -37,9 +40,10 @@
function(perlasm dest src)
add_custom_command(
OUTPUT ${dest}
- COMMAND perl ${CMAKE_CURRENT_SOURCE_DIR}/${src} ${PERLASM_STYLE} ${PERLASM_FLAGS} ${ARGN} > ${dest}
+ COMMAND ${PERL_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/${src} ${PERLASM_STYLE} ${PERLASM_FLAGS} ${ARGN} > ${dest}
DEPENDS
${src}
+ ${PROJECT_SOURCE_DIR}/crypto/perlasm/arm-xlate.pl
${PROJECT_SOURCE_DIR}/crypto/perlasm/x86_64-xlate.pl
${PROJECT_SOURCE_DIR}/crypto/perlasm/x86asm.pl
${PROJECT_SOURCE_DIR}/crypto/perlasm/x86gas.pl
@@ -72,6 +76,7 @@
CRYPTO_ARCH_SOURCES
cpu-arm.c
+ cpu-arm-asm.S
)
endif()
@@ -123,6 +128,7 @@
add_subdirectory(hmac)
# Level 3
+add_subdirectory(cmac)
add_subdirectory(evp)
add_subdirectory(hkdf)
add_subdirectory(pem)
@@ -132,15 +138,19 @@
# Level 4
add_subdirectory(pkcs8)
+# Test support code
+add_subdirectory(test)
+
add_library(
crypto
crypto.c
- crypto_error.c
mem.c
thread.c
+ thread_none.c
+ thread_pthread.c
+ thread_win.c
ex_data.c
- ex_data_impl.c
time_support.c
directory_posix.c
directory_win.c
@@ -178,6 +188,7 @@
$<TARGET_OBJECTS:ecdh>
$<TARGET_OBJECTS:ecdsa>
$<TARGET_OBJECTS:hmac>
+ $<TARGET_OBJECTS:cmac>
$<TARGET_OBJECTS:evp>
$<TARGET_OBJECTS:hkdf>
$<TARGET_OBJECTS:pem>
@@ -186,6 +197,10 @@
$<TARGET_OBJECTS:pkcs8>
)
+if(NOT MSVC AND NOT ANDROID)
+ target_link_libraries(crypto pthread)
+endif()
+
add_executable(
constant_time_test
@@ -194,5 +209,13 @@
target_link_libraries(constant_time_test crypto)
+add_executable(
+ thread_test
+
+ thread_test.c
+)
+
+target_link_libraries(thread_test crypto)
+
perlasm(cpu-x86_64-asm.${ASM_EXT} cpu-x86_64-asm.pl)
perlasm(cpu-x86-asm.${ASM_EXT} cpu-x86-asm.pl)
diff --git a/src/crypto/aes/aes.c b/src/crypto/aes/aes.c
index 97b4fbd..933aa07 100644
--- a/src/crypto/aes/aes.c
+++ b/src/crypto/aes/aes.c
@@ -1033,17 +1033,25 @@
#endif /* ?FULL_UNROLL */
/* apply last round and
* map cipher state to byte array block: */
- s0 = (Td4[(t0 >> 24)] << 24) ^ (Td4[(t3 >> 16) & 0xff] << 16) ^
- (Td4[(t2 >> 8) & 0xff] << 8) ^ (Td4[(t1) & 0xff]) ^ rk[0];
+ s0 = ((uint32_t)Td4[(t0 >> 24)] << 24) ^
+ ((uint32_t)Td4[(t3 >> 16) & 0xff] << 16) ^
+ ((uint32_t)Td4[(t2 >> 8) & 0xff] << 8) ^
+ ((uint32_t)Td4[(t1) & 0xff]) ^ rk[0];
PUTU32(out, s0);
- s1 = (Td4[(t1 >> 24)] << 24) ^ (Td4[(t0 >> 16) & 0xff] << 16) ^
- (Td4[(t3 >> 8) & 0xff] << 8) ^ (Td4[(t2) & 0xff]) ^ rk[1];
+ s1 = ((uint32_t)Td4[(t1 >> 24)] << 24) ^
+ ((uint32_t)Td4[(t0 >> 16) & 0xff] << 16) ^
+ ((uint32_t)Td4[(t3 >> 8) & 0xff] << 8) ^
+ ((uint32_t)Td4[(t2) & 0xff]) ^ rk[1];
PUTU32(out + 4, s1);
- s2 = (Td4[(t2 >> 24)] << 24) ^ (Td4[(t1 >> 16) & 0xff] << 16) ^
- (Td4[(t0 >> 8) & 0xff] << 8) ^ (Td4[(t3) & 0xff]) ^ rk[2];
+ s2 = ((uint32_t)Td4[(t2 >> 24)] << 24) ^
+ ((uint32_t)Td4[(t1 >> 16) & 0xff] << 16) ^
+ ((uint32_t)Td4[(t0 >> 8) & 0xff] << 8) ^
+ ((uint32_t)Td4[(t3) & 0xff]) ^ rk[2];
PUTU32(out + 8, s2);
- s3 = (Td4[(t3 >> 24)] << 24) ^ (Td4[(t2 >> 16) & 0xff] << 16) ^
- (Td4[(t1 >> 8) & 0xff] << 8) ^ (Td4[(t0) & 0xff]) ^ rk[3];
+ s3 = ((uint32_t)Td4[(t3 >> 24)] << 24) ^
+ ((uint32_t)Td4[(t2 >> 16) & 0xff] << 16) ^
+ ((uint32_t)Td4[(t1 >> 8) & 0xff] << 8) ^
+ ((uint32_t)Td4[(t0) & 0xff]) ^ rk[3];
PUTU32(out + 12, s3);
}
diff --git a/src/crypto/aes/asm/aes-armv4.pl b/src/crypto/aes/asm/aes-armv4.pl
index 3bd9a6d..36cd3b6 100644
--- a/src/crypto/aes/asm/aes-armv4.pl
+++ b/src/crypto/aes/asm/aes-armv4.pl
@@ -32,8 +32,20 @@
# Profiler-assisted and platform-specific optimization resulted in 16%
# improvement on Cortex A8 core and ~21.5 cycles per byte.
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+ die "can't locate arm-xlate.pl";
+
+ open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+ open STDOUT,">$output";
+}
$s0="r0";
$s1="r1";
@@ -63,7 +75,7 @@
.code 32
#else
.syntax unified
-# ifdef __thumb2__
+# if defined(__thumb2__) && !defined(__APPLE__)
.thumb
# else
.code 32
@@ -189,9 +201,13 @@
adr r3,asm_AES_encrypt
#endif
stmdb sp!,{r1,r4-r12,lr}
+#ifdef __APPLE__
+ adr $tbl,AES_Te
+#else
+ sub $tbl,r3,#asm_AES_encrypt-AES_Te @ Te
+#endif
mov $rounds,r0 @ inp
mov $key,r2
- sub $tbl,r3,#asm_AES_encrypt-AES_Te @ Te
#if __ARM_ARCH__<7
ldrb $s0,[$rounds,#3] @ load input data in endian-neutral
ldrb $t1,[$rounds,#2] @ manner...
@@ -460,12 +476,16 @@
bne .Labrt
.Lok: stmdb sp!,{r4-r12,lr}
- sub $tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4
-
mov $rounds,r0 @ inp
mov lr,r1 @ bits
mov $key,r2 @ key
+#ifdef __APPLE__
+ adr $tbl,AES_Te+1024 @ Te4
+#else
+ sub $tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4
+#endif
+
#if __ARM_ARCH__<7
ldrb $s0,[$rounds,#3] @ load input data in endian-neutral
ldrb $t1,[$rounds,#2] @ manner...
@@ -718,8 +738,8 @@
.Ldone: mov r0,#0
ldmia sp!,{r4-r12,lr}
.Labrt:
-#if defined(__thumb2__) && __ARM_ARCH__>=7
- .short 0x4770 @ bx lr in Thumb2 encoding
+#if __ARM_ARCH__>=5
+ ret @ bx lr
#else
tst lr,#1
moveq pc,lr @ be binary compatible with V4, yet
@@ -961,9 +981,13 @@
adr r3,asm_AES_decrypt
#endif
stmdb sp!,{r1,r4-r12,lr}
+#ifdef __APPLE__
+ adr $tbl,AES_Td
+#else
+ sub $tbl,r3,#asm_AES_decrypt-AES_Td @ Td
+#endif
mov $rounds,r0 @ inp
mov $key,r2
- sub $tbl,r3,#asm_AES_decrypt-AES_Td @ Td
#if __ARM_ARCH__<7
ldrb $s0,[$rounds,#3] @ load input data in endian-neutral
ldrb $t1,[$rounds,#2] @ manner...
@@ -1211,6 +1235,7 @@
___
$code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm; # make it possible to compile with -march=armv4
+$code =~ s/\bret\b/bx\tlr/gm;
open SELF,$0;
while(<SELF>) {
diff --git a/src/crypto/aes/asm/aesni-x86.pl b/src/crypto/aes/asm/aesni-x86.pl
index 3deb86a..f67df8c 100644
--- a/src/crypto/aes/asm/aesni-x86.pl
+++ b/src/crypto/aes/asm/aesni-x86.pl
@@ -51,7 +51,7 @@
# Westmere 3.77/1.37 1.37 1.52 1.27
# * Bridge 5.07/0.98 0.99 1.09 0.91
# Haswell 4.44/0.80 0.97 1.03 0.72
-# Atom 5.77/3.56 3.67 4.03 3.46
+# Silvermont 5.77/3.56 3.67 4.03 3.46
# Bulldozer 5.80/0.98 1.05 1.24 0.93
$PREFIX="aesni"; # if $PREFIX is set to "AES", the script
@@ -65,6 +65,9 @@
&asm_init($ARGV[0],$0);
+&external_label("OPENSSL_ia32cap_P");
+&static_label("key_const");
+
if ($PREFIX eq "aesni") { $movekey=\&movups; }
else { $movekey=\&movups; }
@@ -181,7 +184,10 @@
{ &aesni_inline_generate1("enc"); }
else
{ &call ("_aesni_encrypt1"); }
+ &pxor ($rndkey0,$rndkey0); # clear register bank
+ &pxor ($rndkey1,$rndkey1);
&movups (&QWP(0,"eax"),$inout0);
+ &pxor ($inout0,$inout0);
&ret ();
&function_end_B("${PREFIX}_encrypt");
@@ -197,7 +203,10 @@
{ &aesni_inline_generate1("dec"); }
else
{ &call ("_aesni_decrypt1"); }
+ &pxor ($rndkey0,$rndkey0); # clear register bank
+ &pxor ($rndkey1,$rndkey1);
&movups (&QWP(0,"eax"),$inout0);
+ &pxor ($inout0,$inout0);
&ret ();
&function_end_B("${PREFIX}_decrypt");
@@ -349,17 +358,15 @@
&neg ($rounds);
eval"&aes${p} ($inout2,$rndkey1)";
&pxor ($inout5,$rndkey0);
+ &$movekey ($rndkey0,&QWP(0,$key,$rounds));
&add ($rounds,16);
- eval"&aes${p} ($inout3,$rndkey1)";
- eval"&aes${p} ($inout4,$rndkey1)";
- eval"&aes${p} ($inout5,$rndkey1)";
- &$movekey ($rndkey0,&QWP(-16,$key,$rounds));
- &jmp (&label("_aesni_${p}rypt6_enter"));
+ &jmp (&label("_aesni_${p}rypt6_inner"));
&set_label("${p}6_loop",16);
eval"&aes${p} ($inout0,$rndkey1)";
eval"&aes${p} ($inout1,$rndkey1)";
eval"&aes${p} ($inout2,$rndkey1)";
+ &set_label("_aesni_${p}rypt6_inner");
eval"&aes${p} ($inout3,$rndkey1)";
eval"&aes${p} ($inout4,$rndkey1)";
eval"&aes${p} ($inout5,$rndkey1)";
@@ -615,6 +622,14 @@
&movups (&QWP(0x30,$out),$inout3);
&set_label("ecb_ret");
+ &pxor ("xmm0","xmm0"); # clear register bank
+ &pxor ("xmm1","xmm1");
+ &pxor ("xmm2","xmm2");
+ &pxor ("xmm3","xmm3");
+ &pxor ("xmm4","xmm4");
+ &pxor ("xmm5","xmm5");
+ &pxor ("xmm6","xmm6");
+ &pxor ("xmm7","xmm7");
&function_end("aesni_ecb_encrypt");
�
######################################################################
@@ -704,6 +719,15 @@
&mov ("esp",&DWP(48,"esp"));
&mov ($out,&wparam(5));
&movups (&QWP(0,$out),$cmac);
+
+ &pxor ("xmm0","xmm0"); # clear register bank
+ &pxor ("xmm1","xmm1");
+ &pxor ("xmm2","xmm2");
+ &pxor ("xmm3","xmm3");
+ &pxor ("xmm4","xmm4");
+ &pxor ("xmm5","xmm5");
+ &pxor ("xmm6","xmm6");
+ &pxor ("xmm7","xmm7");
&function_end("aesni_ccm64_encrypt_blocks");
&function_begin("aesni_ccm64_decrypt_blocks");
@@ -804,6 +828,15 @@
&mov ("esp",&DWP(48,"esp"));
&mov ($out,&wparam(5));
&movups (&QWP(0,$out),$cmac);
+
+ &pxor ("xmm0","xmm0"); # clear register bank
+ &pxor ("xmm1","xmm1");
+ &pxor ("xmm2","xmm2");
+ &pxor ("xmm3","xmm3");
+ &pxor ("xmm4","xmm4");
+ &pxor ("xmm5","xmm5");
+ &pxor ("xmm6","xmm6");
+ &pxor ("xmm7","xmm7");
&function_end("aesni_ccm64_decrypt_blocks");
}
�
@@ -1053,6 +1086,17 @@
&movups (&QWP(0x30,$out),$inout3);
&set_label("ctr32_ret");
+ &pxor ("xmm0","xmm0"); # clear register bank
+ &pxor ("xmm1","xmm1");
+ &pxor ("xmm2","xmm2");
+ &pxor ("xmm3","xmm3");
+ &pxor ("xmm4","xmm4");
+ &movdqa (&QWP(32,"esp"),"xmm0"); # clear stack
+ &pxor ("xmm5","xmm5");
+ &movdqa (&QWP(48,"esp"),"xmm0");
+ &pxor ("xmm6","xmm6");
+ &movdqa (&QWP(64,"esp"),"xmm0");
+ &pxor ("xmm7","xmm7");
&mov ("esp",&DWP(80,"esp"));
&function_end("aesni_ctr32_encrypt_blocks");
�
@@ -1394,6 +1438,20 @@
&movups (&QWP(-16,$out),$inout0); # write output
&set_label("xts_enc_ret");
+ &pxor ("xmm0","xmm0"); # clear register bank
+ &pxor ("xmm1","xmm1");
+ &pxor ("xmm2","xmm2");
+ &movdqa (&QWP(16*0,"esp"),"xmm0"); # clear stack
+ &pxor ("xmm3","xmm3");
+ &movdqa (&QWP(16*1,"esp"),"xmm0");
+ &pxor ("xmm4","xmm4");
+ &movdqa (&QWP(16*2,"esp"),"xmm0");
+ &pxor ("xmm5","xmm5");
+ &movdqa (&QWP(16*3,"esp"),"xmm0");
+ &pxor ("xmm6","xmm6");
+ &movdqa (&QWP(16*4,"esp"),"xmm0");
+ &pxor ("xmm7","xmm7");
+ &movdqa (&QWP(16*5,"esp"),"xmm0");
&mov ("esp",&DWP(16*7+4,"esp")); # restore %esp
&function_end("aesni_xts_encrypt");
@@ -1756,6 +1814,20 @@
&movups (&QWP(0,$out),$inout0); # write output
&set_label("xts_dec_ret");
+ &pxor ("xmm0","xmm0"); # clear register bank
+ &pxor ("xmm1","xmm1");
+ &pxor ("xmm2","xmm2");
+ &movdqa (&QWP(16*0,"esp"),"xmm0"); # clear stack
+ &pxor ("xmm3","xmm3");
+ &movdqa (&QWP(16*1,"esp"),"xmm0");
+ &pxor ("xmm4","xmm4");
+ &movdqa (&QWP(16*2,"esp"),"xmm0");
+ &pxor ("xmm5","xmm5");
+ &movdqa (&QWP(16*3,"esp"),"xmm0");
+ &pxor ("xmm6","xmm6");
+ &movdqa (&QWP(16*4,"esp"),"xmm0");
+ &pxor ("xmm7","xmm7");
+ &movdqa (&QWP(16*5,"esp"),"xmm0");
&mov ("esp",&DWP(16*7+4,"esp")); # restore %esp
&function_end("aesni_xts_decrypt");
}
@@ -1808,6 +1880,7 @@
&add ($len,16);
&jnz (&label("cbc_enc_tail"));
&movaps ($ivec,$inout0);
+ &pxor ($inout0,$inout0);
&jmp (&label("cbc_ret"));
&set_label("cbc_enc_tail");
@@ -1871,7 +1944,7 @@
&movaps ($inout0,$inout5);
&movaps ($ivec,$rndkey0);
&add ($len,0x50);
- &jle (&label("cbc_dec_tail_collected"));
+ &jle (&label("cbc_dec_clear_tail_collected"));
&movups (&QWP(0,$out),$inout0);
&lea ($out,&DWP(0x10,$out));
&set_label("cbc_dec_tail");
@@ -1910,10 +1983,14 @@
&xorps ($inout4,$rndkey0);
&movups (&QWP(0,$out),$inout0);
&movups (&QWP(0x10,$out),$inout1);
+ &pxor ($inout1,$inout1);
&movups (&QWP(0x20,$out),$inout2);
+ &pxor ($inout2,$inout2);
&movups (&QWP(0x30,$out),$inout3);
+ &pxor ($inout3,$inout3);
&lea ($out,&DWP(0x40,$out));
&movaps ($inout0,$inout4);
+ &pxor ($inout4,$inout4);
&sub ($len,0x50);
&jmp (&label("cbc_dec_tail_collected"));
@@ -1933,6 +2010,7 @@
&xorps ($inout1,$in0);
&movups (&QWP(0,$out),$inout0);
&movaps ($inout0,$inout1);
+ &pxor ($inout1,$inout1);
&lea ($out,&DWP(0x10,$out));
&movaps ($ivec,$in1);
&sub ($len,0x20);
@@ -1945,7 +2023,9 @@
&xorps ($inout2,$in1);
&movups (&QWP(0,$out),$inout0);
&movaps ($inout0,$inout2);
+ &pxor ($inout2,$inout2);
&movups (&QWP(0x10,$out),$inout1);
+ &pxor ($inout1,$inout1);
&lea ($out,&DWP(0x20,$out));
&movups ($ivec,&QWP(0x20,$inp));
&sub ($len,0x30);
@@ -1961,29 +2041,44 @@
&movups (&QWP(0,$out),$inout0);
&xorps ($inout2,$rndkey1);
&movups (&QWP(0x10,$out),$inout1);
+ &pxor ($inout1,$inout1);
&xorps ($inout3,$rndkey0);
&movups (&QWP(0x20,$out),$inout2);
+ &pxor ($inout2,$inout2);
&lea ($out,&DWP(0x30,$out));
&movaps ($inout0,$inout3);
+ &pxor ($inout3,$inout3);
&sub ($len,0x40);
+ &jmp (&label("cbc_dec_tail_collected"));
+&set_label("cbc_dec_clear_tail_collected",16);
+ &pxor ($inout1,$inout1);
+ &pxor ($inout2,$inout2);
+ &pxor ($inout3,$inout3);
+ &pxor ($inout4,$inout4);
&set_label("cbc_dec_tail_collected");
&and ($len,15);
&jnz (&label("cbc_dec_tail_partial"));
&movups (&QWP(0,$out),$inout0);
+ &pxor ($rndkey0,$rndkey0);
&jmp (&label("cbc_ret"));
&set_label("cbc_dec_tail_partial",16);
&movaps (&QWP(0,"esp"),$inout0);
+ &pxor ($rndkey0,$rndkey0);
&mov ("ecx",16);
&mov ($inp,"esp");
&sub ("ecx",$len);
&data_word(0xA4F3F689); # rep movsb
+ &movdqa (&QWP(0,"esp"),$inout0);
&set_label("cbc_ret");
&mov ("esp",&DWP(16,"esp")); # pull original %esp
&mov ($key_,&wparam(4));
+ &pxor ($inout0,$inout0);
+ &pxor ($rndkey1,$rndkey1);
&movups (&QWP(0,$key_),$ivec); # output IV
+ &pxor ($ivec,$ivec);
&set_label("cbc_abort");
&function_end("${PREFIX}_cbc_encrypt");
�
@@ -2000,14 +2095,24 @@
# $round rounds
&function_begin_B("_aesni_set_encrypt_key");
+ &push ("ebp");
+ &push ("ebx");
&test ("eax","eax");
&jz (&label("bad_pointer"));
&test ($key,$key);
&jz (&label("bad_pointer"));
+ &call (&label("pic"));
+&set_label("pic");
+ &blindpop("ebx");
+ &lea ("ebx",&DWP(&label("key_const")."-".&label("pic"),"ebx"));
+
+ &picmeup("ebp","OPENSSL_ia32cap_P","ebx",&label("key_const"));
&movups ("xmm0",&QWP(0,"eax")); # pull first 128 bits of *userKey
&xorps ("xmm4","xmm4"); # low dword of xmm4 is assumed 0
+ &mov ("ebp",&DWP(4,"ebp"));
&lea ($key,&DWP(16,$key));
+ &and ("ebp",1<<28|1<<11); # AVX and XOP bits
&cmp ($rounds,256);
&je (&label("14rounds"));
&cmp ($rounds,192);
@@ -2016,6 +2121,9 @@
&jne (&label("bad_keybits"));
&set_label("10rounds",16);
+ &cmp ("ebp",1<<28);
+ &je (&label("10rounds_alt"));
+
&mov ($rounds,9);
&$movekey (&QWP(-16,$key),"xmm0"); # round 0
&aeskeygenassist("xmm1","xmm0",0x01); # round 1
@@ -2040,8 +2148,8 @@
&call (&label("key_128"));
&$movekey (&QWP(0,$key),"xmm0");
&mov (&DWP(80,$key),$rounds);
- &xor ("eax","eax");
- &ret();
+
+ &jmp (&label("good_key"));
&set_label("key_128",16);
&$movekey (&QWP(0,$key),"xmm0");
@@ -2055,8 +2163,76 @@
&xorps ("xmm0","xmm1");
&ret();
+&set_label("10rounds_alt",16);
+ &movdqa ("xmm5",&QWP(0x00,"ebx"));
+ &mov ($rounds,8);
+ &movdqa ("xmm4",&QWP(0x20,"ebx"));
+ &movdqa ("xmm2","xmm0");
+ &movdqu (&QWP(-16,$key),"xmm0");
+
+&set_label("loop_key128");
+ &pshufb ("xmm0","xmm5");
+ &aesenclast ("xmm0","xmm4");
+ &pslld ("xmm4",1);
+ &lea ($key,&DWP(16,$key));
+
+ &movdqa ("xmm3","xmm2");
+ &pslldq ("xmm2",4);
+ &pxor ("xmm3","xmm2");
+ &pslldq ("xmm2",4);
+ &pxor ("xmm3","xmm2");
+ &pslldq ("xmm2",4);
+ &pxor ("xmm2","xmm3");
+
+ &pxor ("xmm0","xmm2");
+ &movdqu (&QWP(-16,$key),"xmm0");
+ &movdqa ("xmm2","xmm0");
+
+ &dec ($rounds);
+ &jnz (&label("loop_key128"));
+
+ &movdqa ("xmm4",&QWP(0x30,"ebx"));
+
+ &pshufb ("xmm0","xmm5");
+ &aesenclast ("xmm0","xmm4");
+ &pslld ("xmm4",1);
+
+ &movdqa ("xmm3","xmm2");
+ &pslldq ("xmm2",4);
+ &pxor ("xmm3","xmm2");
+ &pslldq ("xmm2",4);
+ &pxor ("xmm3","xmm2");
+ &pslldq ("xmm2",4);
+ &pxor ("xmm2","xmm3");
+
+ &pxor ("xmm0","xmm2");
+ &movdqu (&QWP(0,$key),"xmm0");
+
+ &movdqa ("xmm2","xmm0");
+ &pshufb ("xmm0","xmm5");
+ &aesenclast ("xmm0","xmm4");
+
+ &movdqa ("xmm3","xmm2");
+ &pslldq ("xmm2",4);
+ &pxor ("xmm3","xmm2");
+ &pslldq ("xmm2",4);
+ &pxor ("xmm3","xmm2");
+ &pslldq ("xmm2",4);
+ &pxor ("xmm2","xmm3");
+
+ &pxor ("xmm0","xmm2");
+ &movdqu (&QWP(16,$key),"xmm0");
+
+ &mov ($rounds,9);
+ &mov (&DWP(96,$key),$rounds);
+
+ &jmp (&label("good_key"));
+
&set_label("12rounds",16);
&movq ("xmm2",&QWP(16,"eax")); # remaining 1/3 of *userKey
+ &cmp ("ebp",1<<28);
+ &je (&label("12rounds_alt"));
+
&mov ($rounds,11);
&$movekey (&QWP(-16,$key),"xmm0"); # round 0
&aeskeygenassist("xmm1","xmm2",0x01); # round 1,2
@@ -2077,8 +2253,8 @@
&call (&label("key_192b"));
&$movekey (&QWP(0,$key),"xmm0");
&mov (&DWP(48,$key),$rounds);
- &xor ("eax","eax");
- &ret();
+
+ &jmp (&label("good_key"));
&set_label("key_192a",16);
&$movekey (&QWP(0,$key),"xmm0");
@@ -2108,10 +2284,52 @@
&lea ($key,&DWP(32,$key));
&jmp (&label("key_192b_warm"));
+&set_label("12rounds_alt",16);
+ &movdqa ("xmm5",&QWP(0x10,"ebx"));
+ &movdqa ("xmm4",&QWP(0x20,"ebx"));
+ &mov ($rounds,8);
+ &movdqu (&QWP(-16,$key),"xmm0");
+
+&set_label("loop_key192");
+ &movq (&QWP(0,$key),"xmm2");
+ &movdqa ("xmm1","xmm2");
+ &pshufb ("xmm2","xmm5");
+ &aesenclast ("xmm2","xmm4");
+ &pslld ("xmm4",1);
+ &lea ($key,&DWP(24,$key));
+
+ &movdqa ("xmm3","xmm0");
+ &pslldq ("xmm0",4);
+ &pxor ("xmm3","xmm0");
+ &pslldq ("xmm0",4);
+ &pxor ("xmm3","xmm0");
+ &pslldq ("xmm0",4);
+ &pxor ("xmm0","xmm3");
+
+ &pshufd ("xmm3","xmm0",0xff);
+ &pxor ("xmm3","xmm1");
+ &pslldq ("xmm1",4);
+ &pxor ("xmm3","xmm1");
+
+ &pxor ("xmm0","xmm2");
+ &pxor ("xmm2","xmm3");
+ &movdqu (&QWP(-16,$key),"xmm0");
+
+ &dec ($rounds);
+ &jnz (&label("loop_key192"));
+
+ &mov ($rounds,11);
+ &mov (&DWP(32,$key),$rounds);
+
+ &jmp (&label("good_key"));
+
&set_label("14rounds",16);
&movups ("xmm2",&QWP(16,"eax")); # remaining half of *userKey
- &mov ($rounds,13);
&lea ($key,&DWP(16,$key));
+ &cmp ("ebp",1<<28);
+ &je (&label("14rounds_alt"));
+
+ &mov ($rounds,13);
&$movekey (&QWP(-32,$key),"xmm0"); # round 0
&$movekey (&QWP(-16,$key),"xmm2"); # round 1
&aeskeygenassist("xmm1","xmm2",0x01); # round 2
@@ -2143,7 +2361,8 @@
&$movekey (&QWP(0,$key),"xmm0");
&mov (&DWP(16,$key),$rounds);
&xor ("eax","eax");
- &ret();
+
+ &jmp (&label("good_key"));
&set_label("key_256a",16);
&$movekey (&QWP(0,$key),"xmm2");
@@ -2169,11 +2388,77 @@
&xorps ("xmm2","xmm1");
&ret();
+&set_label("14rounds_alt",16);
+ &movdqa ("xmm5",&QWP(0x00,"ebx"));
+ &movdqa ("xmm4",&QWP(0x20,"ebx"));
+ &mov ($rounds,7);
+ &movdqu (&QWP(-32,$key),"xmm0");
+ &movdqa ("xmm1","xmm2");
+ &movdqu (&QWP(-16,$key),"xmm2");
+
+&set_label("loop_key256");
+ &pshufb ("xmm2","xmm5");
+ &aesenclast ("xmm2","xmm4");
+
+ &movdqa ("xmm3","xmm0");
+ &pslldq ("xmm0",4);
+ &pxor ("xmm3","xmm0");
+ &pslldq ("xmm0",4);
+ &pxor ("xmm3","xmm0");
+ &pslldq ("xmm0",4);
+ &pxor ("xmm0","xmm3");
+ &pslld ("xmm4",1);
+
+ &pxor ("xmm0","xmm2");
+ &movdqu (&QWP(0,$key),"xmm0");
+
+ &dec ($rounds);
+ &jz (&label("done_key256"));
+
+ &pshufd ("xmm2","xmm0",0xff);
+ &pxor ("xmm3","xmm3");
+ &aesenclast ("xmm2","xmm3");
+
+ &movdqa ("xmm3","xmm1")
+ &pslldq ("xmm1",4);
+ &pxor ("xmm3","xmm1");
+ &pslldq ("xmm1",4);
+ &pxor ("xmm3","xmm1");
+ &pslldq ("xmm1",4);
+ &pxor ("xmm1","xmm3");
+
+ &pxor ("xmm2","xmm1");
+ &movdqu (&QWP(16,$key),"xmm2");
+ &lea ($key,&DWP(32,$key));
+ &movdqa ("xmm1","xmm2");
+ &jmp (&label("loop_key256"));
+
+&set_label("done_key256");
+ &mov ($rounds,13);
+ &mov (&DWP(16,$key),$rounds);
+
+&set_label("good_key");
+ &pxor ("xmm0","xmm0");
+ &pxor ("xmm1","xmm1");
+ &pxor ("xmm2","xmm2");
+ &pxor ("xmm3","xmm3");
+ &pxor ("xmm4","xmm4");
+ &pxor ("xmm5","xmm5");
+ &xor ("eax","eax");
+ &pop ("ebx");
+ &pop ("ebp");
+ &ret ();
+
&set_label("bad_pointer",4);
&mov ("eax",-1);
+ &pop ("ebx");
+ &pop ("ebp");
&ret ();
&set_label("bad_keybits",4);
+ &pxor ("xmm0","xmm0");
&mov ("eax",-2);
+ &pop ("ebx");
+ &pop ("ebp");
&ret ();
&function_end_B("_aesni_set_encrypt_key");
@@ -2223,10 +2508,18 @@
&aesimc ("xmm0","xmm0");
&$movekey (&QWP(0,$key),"xmm0");
+ &pxor ("xmm0","xmm0");
+ &pxor ("xmm1","xmm1");
&xor ("eax","eax"); # return success
&set_label("dec_key_ret");
&ret ();
&function_end_B("${PREFIX}_set_decrypt_key");
+
+&set_label("key_const",64);
+&data_word(0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d);
+&data_word(0x04070605,0x04070605,0x04070605,0x04070605);
+&data_word(1,1,1,1);
+&data_word(0x1b,0x1b,0x1b,0x1b);
&asciz("AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>");
&asm_finish();
diff --git a/src/crypto/aes/asm/aesni-x86_64.pl b/src/crypto/aes/asm/aesni-x86_64.pl
index 5f61746..25ca574 100644
--- a/src/crypto/aes/asm/aesni-x86_64.pl
+++ b/src/crypto/aes/asm/aesni-x86_64.pl
@@ -165,11 +165,11 @@
# Westmere 3.77/1.25 1.25 1.25 1.26
# * Bridge 5.07/0.74 0.75 0.90 0.85
# Haswell 4.44/0.63 0.63 0.73 0.63
-# Atom 5.75/3.54 3.56 4.12 3.87(*)
+# Silvermont 5.75/3.54 3.56 4.12 3.87(*)
# Bulldozer 5.77/0.70 0.72 0.90 0.70
#
-# (*) Atom ECB result is suboptimal because of penalties incurred
-# by operations on %xmm8-15. As ECB is not considered
+# (*) Atom Silvermont ECB result is suboptimal because of penalties
+# incurred by operations on %xmm8-15. As ECB is not considered
# critical, nothing was done to mitigate the problem.
$PREFIX="aesni"; # if $PREFIX is set to "AES", the script
@@ -263,7 +263,10 @@
___
&aesni_generate1("enc",$key,$rounds);
$code.=<<___;
+ pxor $rndkey0,$rndkey0 # clear register bank
+ pxor $rndkey1,$rndkey1
movups $inout0,($out) # output
+ pxor $inout0,$inout0
ret
.size ${PREFIX}_encrypt,.-${PREFIX}_encrypt
@@ -276,7 +279,10 @@
___
&aesni_generate1("dec",$key,$rounds);
$code.=<<___;
+ pxor $rndkey0,$rndkey0 # clear register bank
+ pxor $rndkey1,$rndkey1
movups $inout0,($out) # output
+ pxor $inout0,$inout0
ret
.size ${PREFIX}_decrypt, .-${PREFIX}_decrypt
___
@@ -445,21 +451,18 @@
pxor $rndkey0,$inout4
aes${dir} $rndkey1,$inout2
pxor $rndkey0,$inout5
+ $movkey ($key,%rax),$rndkey0
add \$16,%rax
- aes${dir} $rndkey1,$inout3
- aes${dir} $rndkey1,$inout4
- aes${dir} $rndkey1,$inout5
- $movkey -16($key,%rax),$rndkey0
jmp .L${dir}_loop6_enter
.align 16
.L${dir}_loop6:
aes${dir} $rndkey1,$inout0
aes${dir} $rndkey1,$inout1
aes${dir} $rndkey1,$inout2
+.L${dir}_loop6_enter:
aes${dir} $rndkey1,$inout3
aes${dir} $rndkey1,$inout4
aes${dir} $rndkey1,$inout5
-.L${dir}_loop6_enter:
$movkey ($key,%rax),$rndkey1
add \$32,%rax
aes${dir} $rndkey0,$inout0
@@ -506,23 +509,18 @@
lea 32($key,$rounds),$key
neg %rax # $rounds
aes${dir} $rndkey1,$inout0
- add \$16,%rax
pxor $rndkey0,$inout5
- aes${dir} $rndkey1,$inout1
pxor $rndkey0,$inout6
+ aes${dir} $rndkey1,$inout1
pxor $rndkey0,$inout7
- aes${dir} $rndkey1,$inout2
- aes${dir} $rndkey1,$inout3
- aes${dir} $rndkey1,$inout4
- aes${dir} $rndkey1,$inout5
- aes${dir} $rndkey1,$inout6
- aes${dir} $rndkey1,$inout7
- $movkey -16($key,%rax),$rndkey0
- jmp .L${dir}_loop8_enter
+ $movkey ($key,%rax),$rndkey0
+ add \$16,%rax
+ jmp .L${dir}_loop8_inner
.align 16
.L${dir}_loop8:
aes${dir} $rndkey1,$inout0
aes${dir} $rndkey1,$inout1
+.L${dir}_loop8_inner:
aes${dir} $rndkey1,$inout2
aes${dir} $rndkey1,$inout3
aes${dir} $rndkey1,$inout4
@@ -587,15 +585,15 @@
___
$code.=<<___ if ($win64);
lea -0x58(%rsp),%rsp
- movaps %xmm6,(%rsp)
+ movaps %xmm6,(%rsp) # offload $inout4..7
movaps %xmm7,0x10(%rsp)
movaps %xmm8,0x20(%rsp)
movaps %xmm9,0x30(%rsp)
.Lecb_enc_body:
___
$code.=<<___;
- and \$-16,$len
- jz .Lecb_ret
+ and \$-16,$len # if ($len<16)
+ jz .Lecb_ret # return
mov 240($key),$rounds # key->rounds
$movkey ($key),$rndkey0
@@ -604,10 +602,10 @@
test %r8d,%r8d # 5th argument
jz .Lecb_decrypt
#--------------------------- ECB ENCRYPT ------------------------------#
- cmp \$0x80,$len
- jb .Lecb_enc_tail
+ cmp \$0x80,$len # if ($len<8*16)
+ jb .Lecb_enc_tail # short input
- movdqu ($inp),$inout0
+ movdqu ($inp),$inout0 # load 8 input blocks
movdqu 0x10($inp),$inout1
movdqu 0x20($inp),$inout2
movdqu 0x30($inp),$inout3
@@ -615,14 +613,14 @@
movdqu 0x50($inp),$inout5
movdqu 0x60($inp),$inout6
movdqu 0x70($inp),$inout7
- lea 0x80($inp),$inp
- sub \$0x80,$len
+ lea 0x80($inp),$inp # $inp+=8*16
+ sub \$0x80,$len # $len-=8*16 (can be zero)
jmp .Lecb_enc_loop8_enter
.align 16
.Lecb_enc_loop8:
- movups $inout0,($out)
+ movups $inout0,($out) # store 8 output blocks
mov $key_,$key # restore $key
- movdqu ($inp),$inout0
+ movdqu ($inp),$inout0 # load 8 input blocks
mov $rnds_,$rounds # restore $rounds
movups $inout1,0x10($out)
movdqu 0x10($inp),$inout1
@@ -637,17 +635,17 @@
movups $inout6,0x60($out)
movdqu 0x60($inp),$inout6
movups $inout7,0x70($out)
- lea 0x80($out),$out
+ lea 0x80($out),$out # $out+=8*16
movdqu 0x70($inp),$inout7
- lea 0x80($inp),$inp
+ lea 0x80($inp),$inp # $inp+=8*16
.Lecb_enc_loop8_enter:
call _aesni_encrypt8
sub \$0x80,$len
- jnc .Lecb_enc_loop8
+ jnc .Lecb_enc_loop8 # loop if $len-=8*16 didn't borrow
- movups $inout0,($out)
+ movups $inout0,($out) # store 8 output blocks
mov $key_,$key # restore $key
movups $inout1,0x10($out)
mov $rnds_,$rounds # restore $rounds
@@ -657,11 +655,11 @@
movups $inout5,0x50($out)
movups $inout6,0x60($out)
movups $inout7,0x70($out)
- lea 0x80($out),$out
- add \$0x80,$len
- jz .Lecb_ret
+ lea 0x80($out),$out # $out+=8*16
+ add \$0x80,$len # restore real remaining $len
+ jz .Lecb_ret # done if ($len==0)
-.Lecb_enc_tail:
+.Lecb_enc_tail: # $len is less than 8*16
movups ($inp),$inout0
cmp \$0x20,$len
jb .Lecb_enc_one
@@ -678,8 +676,9 @@
movups 0x50($inp),$inout5
je .Lecb_enc_six
movdqu 0x60($inp),$inout6
+ xorps $inout7,$inout7
call _aesni_encrypt8
- movups $inout0,($out)
+ movups $inout0,($out) # store 7 output blocks
movups $inout1,0x10($out)
movups $inout2,0x20($out)
movups $inout3,0x30($out)
@@ -692,25 +691,25 @@
___
&aesni_generate1("enc",$key,$rounds);
$code.=<<___;
- movups $inout0,($out)
+ movups $inout0,($out) # store one output block
jmp .Lecb_ret
.align 16
.Lecb_enc_two:
call _aesni_encrypt2
- movups $inout0,($out)
+ movups $inout0,($out) # store 2 output blocks
movups $inout1,0x10($out)
jmp .Lecb_ret
.align 16
.Lecb_enc_three:
call _aesni_encrypt3
- movups $inout0,($out)
+ movups $inout0,($out) # store 3 output blocks
movups $inout1,0x10($out)
movups $inout2,0x20($out)
jmp .Lecb_ret
.align 16
.Lecb_enc_four:
call _aesni_encrypt4
- movups $inout0,($out)
+ movups $inout0,($out) # store 4 output blocks
movups $inout1,0x10($out)
movups $inout2,0x20($out)
movups $inout3,0x30($out)
@@ -719,7 +718,7 @@
.Lecb_enc_five:
xorps $inout5,$inout5
call _aesni_encrypt6
- movups $inout0,($out)
+ movups $inout0,($out) # store 5 output blocks
movups $inout1,0x10($out)
movups $inout2,0x20($out)
movups $inout3,0x30($out)
@@ -728,7 +727,7 @@
.align 16
.Lecb_enc_six:
call _aesni_encrypt6
- movups $inout0,($out)
+ movups $inout0,($out) # store 6 output blocks
movups $inout1,0x10($out)
movups $inout2,0x20($out)
movups $inout3,0x30($out)
@@ -738,10 +737,10 @@
�#--------------------------- ECB DECRYPT ------------------------------#
.align 16
.Lecb_decrypt:
- cmp \$0x80,$len
- jb .Lecb_dec_tail
+ cmp \$0x80,$len # if ($len<8*16)
+ jb .Lecb_dec_tail # short input
- movdqu ($inp),$inout0
+ movdqu ($inp),$inout0 # load 8 input blocks
movdqu 0x10($inp),$inout1
movdqu 0x20($inp),$inout2
movdqu 0x30($inp),$inout3
@@ -749,14 +748,14 @@
movdqu 0x50($inp),$inout5
movdqu 0x60($inp),$inout6
movdqu 0x70($inp),$inout7
- lea 0x80($inp),$inp
- sub \$0x80,$len
+ lea 0x80($inp),$inp # $inp+=8*16
+ sub \$0x80,$len # $len-=8*16 (can be zero)
jmp .Lecb_dec_loop8_enter
.align 16
.Lecb_dec_loop8:
- movups $inout0,($out)
+ movups $inout0,($out) # store 8 output blocks
mov $key_,$key # restore $key
- movdqu ($inp),$inout0
+ movdqu ($inp),$inout0 # load 8 input blocks
mov $rnds_,$rounds # restore $rounds
movups $inout1,0x10($out)
movdqu 0x10($inp),$inout1
@@ -771,30 +770,38 @@
movups $inout6,0x60($out)
movdqu 0x60($inp),$inout6
movups $inout7,0x70($out)
- lea 0x80($out),$out
+ lea 0x80($out),$out # $out+=8*16
movdqu 0x70($inp),$inout7
- lea 0x80($inp),$inp
+ lea 0x80($inp),$inp # $inp+=8*16
.Lecb_dec_loop8_enter:
call _aesni_decrypt8
$movkey ($key_),$rndkey0
sub \$0x80,$len
- jnc .Lecb_dec_loop8
+ jnc .Lecb_dec_loop8 # loop if $len-=8*16 didn't borrow
- movups $inout0,($out)
+ movups $inout0,($out) # store 8 output blocks
+ pxor $inout0,$inout0 # clear register bank
mov $key_,$key # restore $key
movups $inout1,0x10($out)
+ pxor $inout1,$inout1
mov $rnds_,$rounds # restore $rounds
movups $inout2,0x20($out)
+ pxor $inout2,$inout2
movups $inout3,0x30($out)
+ pxor $inout3,$inout3
movups $inout4,0x40($out)
+ pxor $inout4,$inout4
movups $inout5,0x50($out)
+ pxor $inout5,$inout5
movups $inout6,0x60($out)
+ pxor $inout6,$inout6
movups $inout7,0x70($out)
- lea 0x80($out),$out
- add \$0x80,$len
- jz .Lecb_ret
+ pxor $inout7,$inout7
+ lea 0x80($out),$out # $out+=8*16
+ add \$0x80,$len # restore real remaining $len
+ jz .Lecb_ret # done if ($len==0)
.Lecb_dec_tail:
movups ($inp),$inout0
@@ -814,70 +821,107 @@
je .Lecb_dec_six
movups 0x60($inp),$inout6
$movkey ($key),$rndkey0
+ xorps $inout7,$inout7
call _aesni_decrypt8
- movups $inout0,($out)
+ movups $inout0,($out) # store 7 output blocks
+ pxor $inout0,$inout0 # clear register bank
movups $inout1,0x10($out)
+ pxor $inout1,$inout1
movups $inout2,0x20($out)
+ pxor $inout2,$inout2
movups $inout3,0x30($out)
+ pxor $inout3,$inout3
movups $inout4,0x40($out)
+ pxor $inout4,$inout4
movups $inout5,0x50($out)
+ pxor $inout5,$inout5
movups $inout6,0x60($out)
+ pxor $inout6,$inout6
+ pxor $inout7,$inout7
jmp .Lecb_ret
.align 16
.Lecb_dec_one:
___
&aesni_generate1("dec",$key,$rounds);
$code.=<<___;
- movups $inout0,($out)
+ movups $inout0,($out) # store one output block
+ pxor $inout0,$inout0 # clear register bank
jmp .Lecb_ret
.align 16
.Lecb_dec_two:
call _aesni_decrypt2
- movups $inout0,($out)
+ movups $inout0,($out) # store 2 output blocks
+ pxor $inout0,$inout0 # clear register bank
movups $inout1,0x10($out)
+ pxor $inout1,$inout1
jmp .Lecb_ret
.align 16
.Lecb_dec_three:
call _aesni_decrypt3
- movups $inout0,($out)
+ movups $inout0,($out) # store 3 output blocks
+ pxor $inout0,$inout0 # clear register bank
movups $inout1,0x10($out)
+ pxor $inout1,$inout1
movups $inout2,0x20($out)
+ pxor $inout2,$inout2
jmp .Lecb_ret
.align 16
.Lecb_dec_four:
call _aesni_decrypt4
- movups $inout0,($out)
+ movups $inout0,($out) # store 4 output blocks
+ pxor $inout0,$inout0 # clear register bank
movups $inout1,0x10($out)
+ pxor $inout1,$inout1
movups $inout2,0x20($out)
+ pxor $inout2,$inout2
movups $inout3,0x30($out)
+ pxor $inout3,$inout3
jmp .Lecb_ret
.align 16
.Lecb_dec_five:
xorps $inout5,$inout5
call _aesni_decrypt6
- movups $inout0,($out)
+ movups $inout0,($out) # store 5 output blocks
+ pxor $inout0,$inout0 # clear register bank
movups $inout1,0x10($out)
+ pxor $inout1,$inout1
movups $inout2,0x20($out)
+ pxor $inout2,$inout2
movups $inout3,0x30($out)
+ pxor $inout3,$inout3
movups $inout4,0x40($out)
+ pxor $inout4,$inout4
+ pxor $inout5,$inout5
jmp .Lecb_ret
.align 16
.Lecb_dec_six:
call _aesni_decrypt6
- movups $inout0,($out)
+ movups $inout0,($out) # store 6 output blocks
+ pxor $inout0,$inout0 # clear register bank
movups $inout1,0x10($out)
+ pxor $inout1,$inout1
movups $inout2,0x20($out)
+ pxor $inout2,$inout2
movups $inout3,0x30($out)
+ pxor $inout3,$inout3
movups $inout4,0x40($out)
+ pxor $inout4,$inout4
movups $inout5,0x50($out)
+ pxor $inout5,$inout5
.Lecb_ret:
+ xorps $rndkey0,$rndkey0 # %xmm0
+ pxor $rndkey1,$rndkey1
___
$code.=<<___ if ($win64);
movaps (%rsp),%xmm6
+ movaps %xmm0,(%rsp) # clear stack
movaps 0x10(%rsp),%xmm7
+ movaps %xmm0,0x10(%rsp)
movaps 0x20(%rsp),%xmm8
+ movaps %xmm0,0x20(%rsp)
movaps 0x30(%rsp),%xmm9
+ movaps %xmm0,0x30(%rsp)
lea 0x58(%rsp),%rsp
.Lecb_enc_ret:
___
@@ -911,10 +955,10 @@
___
$code.=<<___ if ($win64);
lea -0x58(%rsp),%rsp
- movaps %xmm6,(%rsp)
- movaps %xmm7,0x10(%rsp)
- movaps %xmm8,0x20(%rsp)
- movaps %xmm9,0x30(%rsp)
+ movaps %xmm6,(%rsp) # $iv
+ movaps %xmm7,0x10(%rsp) # $bswap_mask
+ movaps %xmm8,0x20(%rsp) # $in0
+ movaps %xmm9,0x30(%rsp) # $increment
.Lccm64_enc_body:
___
$code.=<<___;
@@ -956,7 +1000,7 @@
aesenc $rndkey1,$inout0
aesenc $rndkey1,$inout1
paddq $increment,$iv
- dec $len
+ dec $len # $len-- ($len is in blocks)
aesenclast $rndkey0,$inout0
aesenclast $rndkey0,$inout1
@@ -965,16 +1009,26 @@
movdqa $iv,$inout0
movups $in0,($out) # save output
pshufb $bswap_mask,$inout0
- lea 16($out),$out
- jnz .Lccm64_enc_outer
+ lea 16($out),$out # $out+=16
+ jnz .Lccm64_enc_outer # loop if ($len!=0)
- movups $inout1,($cmac)
+ pxor $rndkey0,$rndkey0 # clear register bank
+ pxor $rndkey1,$rndkey1
+ pxor $inout0,$inout0
+ movups $inout1,($cmac) # store resulting mac
+ pxor $inout1,$inout1
+ pxor $in0,$in0
+ pxor $iv,$iv
___
$code.=<<___ if ($win64);
movaps (%rsp),%xmm6
+ movaps %xmm0,(%rsp) # clear stack
movaps 0x10(%rsp),%xmm7
+ movaps %xmm0,0x10(%rsp)
movaps 0x20(%rsp),%xmm8
+ movaps %xmm0,0x20(%rsp)
movaps 0x30(%rsp),%xmm9
+ movaps %xmm0,0x30(%rsp)
lea 0x58(%rsp),%rsp
.Lccm64_enc_ret:
___
@@ -991,10 +1045,10 @@
___
$code.=<<___ if ($win64);
lea -0x58(%rsp),%rsp
- movaps %xmm6,(%rsp)
- movaps %xmm7,0x10(%rsp)
- movaps %xmm8,0x20(%rsp)
- movaps %xmm9,0x30(%rsp)
+ movaps %xmm6,(%rsp) # $iv
+ movaps %xmm7,0x10(%rsp) # $bswap_mask
+ movaps %xmm8,0x20(%rsp) # $in8
+ movaps %xmm9,0x30(%rsp) # $increment
.Lccm64_dec_body:
___
$code.=<<___;
@@ -1015,7 +1069,7 @@
mov \$16,$rounds
movups ($inp),$in0 # load inp
paddq $increment,$iv
- lea 16($inp),$inp
+ lea 16($inp),$inp # $inp+=16
sub %r10,%rax # twisted $rounds
lea 32($key_,$rnds_),$key # end of key schedule
mov %rax,%r10
@@ -1025,11 +1079,11 @@
xorps $inout0,$in0 # inp ^= E(iv)
movdqa $iv,$inout0
movups $in0,($out) # save output
- lea 16($out),$out
+ lea 16($out),$out # $out+=16
pshufb $bswap_mask,$inout0
- sub \$1,$len
- jz .Lccm64_dec_break
+ sub \$1,$len # $len-- ($len is in blocks)
+ jz .Lccm64_dec_break # if ($len==0) break
$movkey ($key_),$rndkey0
mov %r10,%rax
@@ -1049,13 +1103,13 @@
aesenc $rndkey0,$inout1
$movkey -16($key,%rax),$rndkey0
jnz .Lccm64_dec2_loop
- movups ($inp),$in0 # load inp
+ movups ($inp),$in0 # load input
paddq $increment,$iv
aesenc $rndkey1,$inout0
aesenc $rndkey1,$inout1
aesenclast $rndkey0,$inout0
aesenclast $rndkey0,$inout1
- lea 16($inp),$inp
+ lea 16($inp),$inp # $inp+=16
jmp .Lccm64_dec_outer
.align 16
@@ -1065,13 +1119,23 @@
___
&aesni_generate1("enc",$key_,$rounds,$inout1,$in0);
$code.=<<___;
- movups $inout1,($cmac)
+ pxor $rndkey0,$rndkey0 # clear register bank
+ pxor $rndkey1,$rndkey1
+ pxor $inout0,$inout0
+ movups $inout1,($cmac) # store resulting mac
+ pxor $inout1,$inout1
+ pxor $in0,$in0
+ pxor $iv,$iv
___
$code.=<<___ if ($win64);
movaps (%rsp),%xmm6
+ movaps %xmm0,(%rsp) # clear stack
movaps 0x10(%rsp),%xmm7
+ movaps %xmm0,0x10(%rsp)
movaps 0x20(%rsp),%xmm8
+ movaps %xmm0,0x20(%rsp)
movaps 0x30(%rsp),%xmm9
+ movaps %xmm0,0x30(%rsp)
lea 0x58(%rsp),%rsp
.Lccm64_dec_ret:
___
@@ -1102,13 +1166,34 @@
.type aesni_ctr32_encrypt_blocks,\@function,5
.align 16
aesni_ctr32_encrypt_blocks:
+ cmp \$1,$len
+ jne .Lctr32_bulk
+
+ # handle single block without allocating stack frame,
+ # useful when handling edges
+ movups ($ivp),$inout0
+ movups ($inp),$inout1
+ mov 240($key),%edx # key->rounds
+___
+ &aesni_generate1("enc",$key,"%edx");
+$code.=<<___;
+ pxor $rndkey0,$rndkey0 # clear register bank
+ pxor $rndkey1,$rndkey1
+ xorps $inout1,$inout0
+ pxor $inout1,$inout1
+ movups $inout0,($out)
+ xorps $inout0,$inout0
+ jmp .Lctr32_epilogue
+
+.align 16
+.Lctr32_bulk:
lea (%rsp),%rax
push %rbp
sub \$$frame_size,%rsp
and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
___
$code.=<<___ if ($win64);
- movaps %xmm6,-0xa8(%rax)
+ movaps %xmm6,-0xa8(%rax) # offload everything
movaps %xmm7,-0x98(%rax)
movaps %xmm8,-0x88(%rax)
movaps %xmm9,-0x78(%rax)
@@ -1123,8 +1208,8 @@
$code.=<<___;
lea -8(%rax),%rbp
- cmp \$1,$len
- je .Lctr32_one_shortcut
+ # 8 16-byte words on top of stack are counter values
+ # xor-ed with zero-round key
movdqu ($ivp),$inout0
movdqu ($key),$rndkey0
@@ -1139,7 +1224,7 @@
movdqa $inout0,0x40(%rsp)
movdqa $inout0,0x50(%rsp)
movdqa $inout0,0x60(%rsp)
- mov %rdx,%r10 # borrow %rdx
+ mov %rdx,%r10 # about to borrow %rdx
movdqa $inout0,0x70(%rsp)
lea 1($ctr),%rax
@@ -1183,15 +1268,15 @@
movdqa 0x40(%rsp),$inout4
movdqa 0x50(%rsp),$inout5
- cmp \$8,$len
- jb .Lctr32_tail
+ cmp \$8,$len # $len is in blocks
+ jb .Lctr32_tail # short input if ($len<8)
- sub \$6,$len
+ sub \$6,$len # $len is biased by -6
cmp \$`1<<22`,%r10d # check for MOVBE without XSAVE
- je .Lctr32_6x
+ je .Lctr32_6x # [which denotes Atom Silvermont]
lea 0x80($key),$key # size optimization
- sub \$2,$len
+ sub \$2,$len # $len is biased by -8
jmp .Lctr32_loop8
.align 16
@@ -1205,13 +1290,13 @@
.align 16
.Lctr32_loop6:
- add \$6,$ctr
+ add \$6,$ctr # next counter value
$movkey -48($key,$rnds_),$rndkey0
aesenc $rndkey1,$inout0
mov $ctr,%eax
xor $key0,%eax
aesenc $rndkey1,$inout1
- movbe %eax,`0x00+12`(%rsp)
+ movbe %eax,`0x00+12`(%rsp) # store next counter value
lea 1($ctr),%eax
aesenc $rndkey1,$inout2
xor $key0,%eax
@@ -1244,16 +1329,16 @@
call .Lenc_loop6
- movdqu ($inp),$inout6
+ movdqu ($inp),$inout6 # load 6 input blocks
movdqu 0x10($inp),$inout7
movdqu 0x20($inp),$in0
movdqu 0x30($inp),$in1
movdqu 0x40($inp),$in2
movdqu 0x50($inp),$in3
- lea 0x60($inp),$inp
+ lea 0x60($inp),$inp # $inp+=6*16
$movkey -64($key,$rnds_),$rndkey1
- pxor $inout0,$inout6
- movaps 0x00(%rsp),$inout0
+ pxor $inout0,$inout6 # inp^=E(ctr)
+ movaps 0x00(%rsp),$inout0 # load next counter [xor-ed with 0 round]
pxor $inout1,$inout7
movaps 0x10(%rsp),$inout1
pxor $inout2,$in0
@@ -1264,19 +1349,19 @@
movaps 0x40(%rsp),$inout4
pxor $inout5,$in3
movaps 0x50(%rsp),$inout5
- movdqu $inout6,($out)
+ movdqu $inout6,($out) # store 6 output blocks
movdqu $inout7,0x10($out)
movdqu $in0,0x20($out)
movdqu $in1,0x30($out)
movdqu $in2,0x40($out)
movdqu $in3,0x50($out)
- lea 0x60($out),$out
-
- sub \$6,$len
- jnc .Lctr32_loop6
+ lea 0x60($out),$out # $out+=6*16
- add \$6,$len
- jz .Lctr32_done
+ sub \$6,$len
+ jnc .Lctr32_loop6 # loop if $len-=6 didn't borrow
+
+ add \$6,$len # restore real remaining $len
+ jz .Lctr32_done # done if ($len==0)
lea -48($rnds_),$rounds
lea -80($key,$rnds_),$key # restore $key
@@ -1286,7 +1371,7 @@
.align 32
.Lctr32_loop8:
- add \$8,$ctr
+ add \$8,$ctr # next counter value
movdqa 0x60(%rsp),$inout6
aesenc $rndkey1,$inout0
mov $ctr,%r9d
@@ -1298,7 +1383,7 @@
xor $key0,%r9d
nop
aesenc $rndkey1,$inout3
- mov %r9d,0x00+12(%rsp)
+ mov %r9d,0x00+12(%rsp) # store next counter value
lea 1($ctr),%r9
aesenc $rndkey1,$inout4
aesenc $rndkey1,$inout5
@@ -1331,7 +1416,7 @@
aesenc $rndkey0,$inout1
aesenc $rndkey0,$inout2
xor $key0,%r9d
- movdqu 0x00($inp),$in0
+ movdqu 0x00($inp),$in0 # start loading input
aesenc $rndkey0,$inout3
mov %r9d,0x70+12(%rsp)
cmp \$11,$rounds
@@ -1388,7 +1473,7 @@
.align 16
.Lctr32_enc_done:
movdqu 0x10($inp),$in1
- pxor $rndkey0,$in0
+ pxor $rndkey0,$in0 # input^=round[last]
movdqu 0x20($inp),$in2
pxor $rndkey0,$in1
movdqu 0x30($inp),$in3
@@ -1406,11 +1491,11 @@
aesenc $rndkey1,$inout5
aesenc $rndkey1,$inout6
aesenc $rndkey1,$inout7
- movdqu 0x60($inp),$rndkey1
- lea 0x80($inp),$inp
+ movdqu 0x60($inp),$rndkey1 # borrow $rndkey1 for inp[6]
+ lea 0x80($inp),$inp # $inp+=8*16
- aesenclast $in0,$inout0
- pxor $rndkey0,$rndkey1
+ aesenclast $in0,$inout0 # $inN is inp[N]^round[last]
+ pxor $rndkey0,$rndkey1 # borrowed $rndkey
movdqu 0x70-0x80($inp),$in0
aesenclast $in1,$inout1
pxor $rndkey0,$in0
@@ -1425,10 +1510,10 @@
movdqa 0x40(%rsp),$in5
aesenclast $rndkey1,$inout6
movdqa 0x50(%rsp),$rndkey0
- $movkey 0x10-0x80($key),$rndkey1
+ $movkey 0x10-0x80($key),$rndkey1#real 1st-round key
aesenclast $in0,$inout7
- movups $inout0,($out) # store output
+ movups $inout0,($out) # store 8 output blocks
movdqa $in1,$inout0
movups $inout1,0x10($out)
movdqa $in2,$inout1
@@ -1442,21 +1527,24 @@
movdqa $rndkey0,$inout5
movups $inout6,0x60($out)
movups $inout7,0x70($out)
- lea 0x80($out),$out
-
- sub \$8,$len
- jnc .Lctr32_loop8
+ lea 0x80($out),$out # $out+=8*16
- add \$8,$len
- jz .Lctr32_done
+ sub \$8,$len
+ jnc .Lctr32_loop8 # loop if $len-=8 didn't borrow
+
+ add \$8,$len # restore real remainig $len
+ jz .Lctr32_done # done if ($len==0)
lea -0x80($key),$key
.Lctr32_tail:
+ # note that at this point $inout0..5 are populated with
+ # counter values xor-ed with 0-round key
lea 16($key),$key
cmp \$4,$len
jb .Lctr32_loop3
je .Lctr32_loop4
+ # if ($len>4) compute 7 E(counter)
shl \$4,$rounds
movdqa 0x60(%rsp),$inout6
pxor $inout7,$inout7
@@ -1464,14 +1552,14 @@
$movkey 16($key),$rndkey0
aesenc $rndkey1,$inout0
aesenc $rndkey1,$inout1
- lea 32-16($key,$rounds),$key
+ lea 32-16($key,$rounds),$key# prepare for .Lenc_loop8_enter
neg %rax
aesenc $rndkey1,$inout2
- add \$16,%rax
+ add \$16,%rax # prepare for .Lenc_loop8_enter
movups ($inp),$in0
aesenc $rndkey1,$inout3
aesenc $rndkey1,$inout4
- movups 0x10($inp),$in1
+ movups 0x10($inp),$in1 # pre-load input
movups 0x20($inp),$in2
aesenc $rndkey1,$inout5
aesenc $rndkey1,$inout6
@@ -1482,7 +1570,7 @@
pxor $in0,$inout0
movdqu 0x40($inp),$in0
pxor $in1,$inout1
- movdqu $inout0,($out)
+ movdqu $inout0,($out) # store output
pxor $in2,$inout2
movdqu $inout1,0x10($out)
pxor $in3,$inout3
@@ -1491,17 +1579,17 @@
movdqu $inout3,0x30($out)
movdqu $inout4,0x40($out)
cmp \$6,$len
- jb .Lctr32_done
+ jb .Lctr32_done # $len was 5, stop store
movups 0x50($inp),$in1
xorps $in1,$inout5
movups $inout5,0x50($out)
- je .Lctr32_done
+ je .Lctr32_done # $len was 6, stop store
movups 0x60($inp),$in2
xorps $in2,$inout6
movups $inout6,0x60($out)
- jmp .Lctr32_done
+ jmp .Lctr32_done # $len was 7, stop store
.align 32
.Lctr32_loop4:
@@ -1515,7 +1603,7 @@
jnz .Lctr32_loop4
aesenclast $rndkey1,$inout0
aesenclast $rndkey1,$inout1
- movups ($inp),$in0
+ movups ($inp),$in0 # load input
movups 0x10($inp),$in1
aesenclast $rndkey1,$inout2
aesenclast $rndkey1,$inout3
@@ -1523,14 +1611,14 @@
movups 0x30($inp),$in3
xorps $in0,$inout0
- movups $inout0,($out)
+ movups $inout0,($out) # store output
xorps $in1,$inout1
movups $inout1,0x10($out)
pxor $in2,$inout2
movdqu $inout2,0x20($out)
pxor $in3,$inout3
movdqu $inout3,0x30($out)
- jmp .Lctr32_done
+ jmp .Lctr32_done # $len was 4, stop store
.align 32
.Lctr32_loop3:
@@ -1545,48 +1633,79 @@
aesenclast $rndkey1,$inout1
aesenclast $rndkey1,$inout2
- movups ($inp),$in0
+ movups ($inp),$in0 # load input
xorps $in0,$inout0
- movups $inout0,($out)
+ movups $inout0,($out) # store output
cmp \$2,$len
- jb .Lctr32_done
+ jb .Lctr32_done # $len was 1, stop store
movups 0x10($inp),$in1
xorps $in1,$inout1
movups $inout1,0x10($out)
- je .Lctr32_done
+ je .Lctr32_done # $len was 2, stop store
movups 0x20($inp),$in2
xorps $in2,$inout2
- movups $inout2,0x20($out)
- jmp .Lctr32_done
+ movups $inout2,0x20($out) # $len was 3, stop store
-.align 16
-.Lctr32_one_shortcut:
- movups ($ivp),$inout0
- movups ($inp),$in0
- mov 240($key),$rounds # key->rounds
-___
- &aesni_generate1("enc",$key,$rounds);
-$code.=<<___;
- xorps $in0,$inout0
- movups $inout0,($out)
- jmp .Lctr32_done
-
-.align 16
.Lctr32_done:
+ xorps %xmm0,%xmm0 # clear regiser bank
+ xor $key0,$key0
+ pxor %xmm1,%xmm1
+ pxor %xmm2,%xmm2
+ pxor %xmm3,%xmm3
+ pxor %xmm4,%xmm4
+ pxor %xmm5,%xmm5
+___
+$code.=<<___ if (!$win64);
+ pxor %xmm6,%xmm6
+ pxor %xmm7,%xmm7
+ movaps %xmm0,0x00(%rsp) # clear stack
+ pxor %xmm8,%xmm8
+ movaps %xmm0,0x10(%rsp)
+ pxor %xmm9,%xmm9
+ movaps %xmm0,0x20(%rsp)
+ pxor %xmm10,%xmm10
+ movaps %xmm0,0x30(%rsp)
+ pxor %xmm11,%xmm11
+ movaps %xmm0,0x40(%rsp)
+ pxor %xmm12,%xmm12
+ movaps %xmm0,0x50(%rsp)
+ pxor %xmm13,%xmm13
+ movaps %xmm0,0x60(%rsp)
+ pxor %xmm14,%xmm14
+ movaps %xmm0,0x70(%rsp)
+ pxor %xmm15,%xmm15
___
$code.=<<___ if ($win64);
movaps -0xa0(%rbp),%xmm6
+ movaps %xmm0,-0xa0(%rbp) # clear stack
movaps -0x90(%rbp),%xmm7
+ movaps %xmm0,-0x90(%rbp)
movaps -0x80(%rbp),%xmm8
+ movaps %xmm0,-0x80(%rbp)
movaps -0x70(%rbp),%xmm9
+ movaps %xmm0,-0x70(%rbp)
movaps -0x60(%rbp),%xmm10
+ movaps %xmm0,-0x60(%rbp)
movaps -0x50(%rbp),%xmm11
+ movaps %xmm0,-0x50(%rbp)
movaps -0x40(%rbp),%xmm12
+ movaps %xmm0,-0x40(%rbp)
movaps -0x30(%rbp),%xmm13
+ movaps %xmm0,-0x30(%rbp)
movaps -0x20(%rbp),%xmm14
+ movaps %xmm0,-0x20(%rbp)
movaps -0x10(%rbp),%xmm15
+ movaps %xmm0,-0x10(%rbp)
+ movaps %xmm0,0x00(%rsp)
+ movaps %xmm0,0x10(%rsp)
+ movaps %xmm0,0x20(%rsp)
+ movaps %xmm0,0x30(%rsp)
+ movaps %xmm0,0x40(%rsp)
+ movaps %xmm0,0x50(%rsp)
+ movaps %xmm0,0x60(%rsp)
+ movaps %xmm0,0x70(%rsp)
___
$code.=<<___;
lea (%rbp),%rsp
@@ -1619,7 +1738,7 @@
and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
___
$code.=<<___ if ($win64);
- movaps %xmm6,-0xa8(%rax)
+ movaps %xmm6,-0xa8(%rax) # offload everything
movaps %xmm7,-0x98(%rax)
movaps %xmm8,-0x88(%rax)
movaps %xmm9,-0x78(%rax)
@@ -1679,7 +1798,7 @@
movaps $rndkey1,0x60(%rsp) # save round[0]^round[last]
sub \$16*6,$len
- jc .Lxts_enc_short
+ jc .Lxts_enc_short # if $len-=6*16 borrowed
mov \$16+96,$rounds
lea 32($key_,$rnds_),$key # end of key schedule
@@ -1694,7 +1813,7 @@
movdqu `16*0`($inp),$inout0 # load input
movdqa $rndkey0,$twmask
movdqu `16*1`($inp),$inout1
- pxor @tweak[0],$inout0
+ pxor @tweak[0],$inout0 # input^=tweak^round[0]
movdqu `16*2`($inp),$inout2
pxor @tweak[1],$inout1
aesenc $rndkey1,$inout0
@@ -1713,10 +1832,10 @@
lea `16*6`($inp),$inp
pxor $twmask,$inout5
- pxor $twres,@tweak[0]
+ pxor $twres,@tweak[0] # calclulate tweaks^round[last]
aesenc $rndkey1,$inout4
pxor $twres,@tweak[1]
- movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^last round key
+ movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^round[last]
aesenc $rndkey1,$inout5
$movkey 48($key_),$rndkey1
pxor $twres,@tweak[2]
@@ -1757,7 +1876,7 @@
$movkey -80($key,%rax),$rndkey0
jnz .Lxts_enc_loop6
- movdqa (%r8),$twmask
+ movdqa (%r8),$twmask # start calculating next tweak
movdqa $twres,$twtmp
paddd $twres,$twres
aesenc $rndkey1,$inout0
@@ -1851,15 +1970,15 @@
aesenclast `16*5`(%rsp),$inout5
pxor $twres,@tweak[5]
- lea `16*6`($out),$out
- movups $inout0,`-16*6`($out) # write output
+ lea `16*6`($out),$out # $out+=6*16
+ movups $inout0,`-16*6`($out) # store 6 output blocks
movups $inout1,`-16*5`($out)
movups $inout2,`-16*4`($out)
movups $inout3,`-16*3`($out)
movups $inout4,`-16*2`($out)
movups $inout5,`-16*1`($out)
sub \$16*6,$len
- jnc .Lxts_enc_grandloop
+ jnc .Lxts_enc_grandloop # loop if $len-=6*16 didn't borrow
mov \$16+96,$rounds
sub $rnds_,$rounds
@@ -1867,34 +1986,36 @@
shr \$4,$rounds # restore original value
.Lxts_enc_short:
+ # at the point @tweak[0..5] are populated with tweak values
mov $rounds,$rnds_ # backup $rounds
pxor $rndkey0,@tweak[0]
- add \$16*6,$len
- jz .Lxts_enc_done
+ add \$16*6,$len # restore real remaining $len
+ jz .Lxts_enc_done # done if ($len==0)
pxor $rndkey0,@tweak[1]
cmp \$0x20,$len
- jb .Lxts_enc_one
+ jb .Lxts_enc_one # $len is 1*16
pxor $rndkey0,@tweak[2]
- je .Lxts_enc_two
+ je .Lxts_enc_two # $len is 2*16
pxor $rndkey0,@tweak[3]
cmp \$0x40,$len
- jb .Lxts_enc_three
+ jb .Lxts_enc_three # $len is 3*16
pxor $rndkey0,@tweak[4]
- je .Lxts_enc_four
+ je .Lxts_enc_four # $len is 4*16
- movdqu ($inp),$inout0
+ movdqu ($inp),$inout0 # $len is 5*16
movdqu 16*1($inp),$inout1
movdqu 16*2($inp),$inout2
pxor @tweak[0],$inout0
movdqu 16*3($inp),$inout3
pxor @tweak[1],$inout1
movdqu 16*4($inp),$inout4
- lea 16*5($inp),$inp
+ lea 16*5($inp),$inp # $inp+=5*16
pxor @tweak[2],$inout2
pxor @tweak[3],$inout3
pxor @tweak[4],$inout4
+ pxor $inout5,$inout5
call _aesni_encrypt6
@@ -1902,35 +2023,35 @@
movdqa @tweak[5],@tweak[0]
xorps @tweak[1],$inout1
xorps @tweak[2],$inout2
- movdqu $inout0,($out)
+ movdqu $inout0,($out) # store 5 output blocks
xorps @tweak[3],$inout3
movdqu $inout1,16*1($out)
xorps @tweak[4],$inout4
movdqu $inout2,16*2($out)
movdqu $inout3,16*3($out)
movdqu $inout4,16*4($out)
- lea 16*5($out),$out
+ lea 16*5($out),$out # $out+=5*16
jmp .Lxts_enc_done
.align 16
.Lxts_enc_one:
movups ($inp),$inout0
- lea 16*1($inp),$inp
+ lea 16*1($inp),$inp # inp+=1*16
xorps @tweak[0],$inout0
___
&aesni_generate1("enc",$key,$rounds);
$code.=<<___;
xorps @tweak[0],$inout0
movdqa @tweak[1],@tweak[0]
- movups $inout0,($out)
- lea 16*1($out),$out
+ movups $inout0,($out) # store one output block
+ lea 16*1($out),$out # $out+=1*16
jmp .Lxts_enc_done
.align 16
.Lxts_enc_two:
movups ($inp),$inout0
movups 16($inp),$inout1
- lea 32($inp),$inp
+ lea 32($inp),$inp # $inp+=2*16
xorps @tweak[0],$inout0
xorps @tweak[1],$inout1
@@ -1939,9 +2060,9 @@
xorps @tweak[0],$inout0
movdqa @tweak[2],@tweak[0]
xorps @tweak[1],$inout1
- movups $inout0,($out)
+ movups $inout0,($out) # store 2 output blocks
movups $inout1,16*1($out)
- lea 16*2($out),$out
+ lea 16*2($out),$out # $out+=2*16
jmp .Lxts_enc_done
.align 16
@@ -1949,7 +2070,7 @@
movups ($inp),$inout0
movups 16*1($inp),$inout1
movups 16*2($inp),$inout2
- lea 16*3($inp),$inp
+ lea 16*3($inp),$inp # $inp+=3*16
xorps @tweak[0],$inout0
xorps @tweak[1],$inout1
xorps @tweak[2],$inout2
@@ -1960,10 +2081,10 @@
movdqa @tweak[3],@tweak[0]
xorps @tweak[1],$inout1
xorps @tweak[2],$inout2
- movups $inout0,($out)
+ movups $inout0,($out) # store 3 output blocks
movups $inout1,16*1($out)
movups $inout2,16*2($out)
- lea 16*3($out),$out
+ lea 16*3($out),$out # $out+=3*16
jmp .Lxts_enc_done
.align 16
@@ -1973,7 +2094,7 @@
movups 16*2($inp),$inout2
xorps @tweak[0],$inout0
movups 16*3($inp),$inout3
- lea 16*4($inp),$inp
+ lea 16*4($inp),$inp # $inp+=4*16
xorps @tweak[1],$inout1
xorps @tweak[2],$inout2
xorps @tweak[3],$inout3
@@ -1984,17 +2105,17 @@
movdqa @tweak[4],@tweak[0]
pxor @tweak[1],$inout1
pxor @tweak[2],$inout2
- movdqu $inout0,($out)
+ movdqu $inout0,($out) # store 4 output blocks
pxor @tweak[3],$inout3
movdqu $inout1,16*1($out)
movdqu $inout2,16*2($out)
movdqu $inout3,16*3($out)
- lea 16*4($out),$out
+ lea 16*4($out),$out # $out+=4*16
jmp .Lxts_enc_done
.align 16
.Lxts_enc_done:
- and \$15,$len_
+ and \$15,$len_ # see if $len%16 is 0
jz .Lxts_enc_ret
mov $len_,$len
@@ -2021,18 +2142,60 @@
movups $inout0,-16($out)
.Lxts_enc_ret:
+ xorps %xmm0,%xmm0 # clear register bank
+ pxor %xmm1,%xmm1
+ pxor %xmm2,%xmm2
+ pxor %xmm3,%xmm3
+ pxor %xmm4,%xmm4
+ pxor %xmm5,%xmm5
+___
+$code.=<<___ if (!$win64);
+ pxor %xmm6,%xmm6
+ pxor %xmm7,%xmm7
+ movaps %xmm0,0x00(%rsp) # clear stack
+ pxor %xmm8,%xmm8
+ movaps %xmm0,0x10(%rsp)
+ pxor %xmm9,%xmm9
+ movaps %xmm0,0x20(%rsp)
+ pxor %xmm10,%xmm10
+ movaps %xmm0,0x30(%rsp)
+ pxor %xmm11,%xmm11
+ movaps %xmm0,0x40(%rsp)
+ pxor %xmm12,%xmm12
+ movaps %xmm0,0x50(%rsp)
+ pxor %xmm13,%xmm13
+ movaps %xmm0,0x60(%rsp)
+ pxor %xmm14,%xmm14
+ pxor %xmm15,%xmm15
___
$code.=<<___ if ($win64);
movaps -0xa0(%rbp),%xmm6
+ movaps %xmm0,-0xa0(%rbp) # clear stack
movaps -0x90(%rbp),%xmm7
+ movaps %xmm0,-0x90(%rbp)
movaps -0x80(%rbp),%xmm8
+ movaps %xmm0,-0x80(%rbp)
movaps -0x70(%rbp),%xmm9
+ movaps %xmm0,-0x70(%rbp)
movaps -0x60(%rbp),%xmm10
+ movaps %xmm0,-0x60(%rbp)
movaps -0x50(%rbp),%xmm11
+ movaps %xmm0,-0x50(%rbp)
movaps -0x40(%rbp),%xmm12
+ movaps %xmm0,-0x40(%rbp)
movaps -0x30(%rbp),%xmm13
+ movaps %xmm0,-0x30(%rbp)
movaps -0x20(%rbp),%xmm14
+ movaps %xmm0,-0x20(%rbp)
movaps -0x10(%rbp),%xmm15
+ movaps %xmm0,-0x10(%rbp)
+ movaps %xmm0,0x00(%rsp)
+ movaps %xmm0,0x10(%rsp)
+ movaps %xmm0,0x20(%rsp)
+ movaps %xmm0,0x30(%rsp)
+ movaps %xmm0,0x40(%rsp)
+ movaps %xmm0,0x50(%rsp)
+ movaps %xmm0,0x60(%rsp)
___
$code.=<<___;
lea (%rbp),%rsp
@@ -2053,7 +2216,7 @@
and \$-16,%rsp # Linux kernel stack can be incorrectly seeded
___
$code.=<<___ if ($win64);
- movaps %xmm6,-0xa8(%rax)
+ movaps %xmm6,-0xa8(%rax) # offload everything
movaps %xmm7,-0x98(%rax)
movaps %xmm8,-0x88(%rax)
movaps %xmm9,-0x78(%rax)
@@ -2116,7 +2279,7 @@
movaps $rndkey1,0x60(%rsp) # save round[0]^round[last]
sub \$16*6,$len
- jc .Lxts_dec_short
+ jc .Lxts_dec_short # if $len-=6*16 borrowed
mov \$16+96,$rounds
lea 32($key_,$rnds_),$key # end of key schedule
@@ -2131,7 +2294,7 @@
movdqu `16*0`($inp),$inout0 # load input
movdqa $rndkey0,$twmask
movdqu `16*1`($inp),$inout1
- pxor @tweak[0],$inout0
+ pxor @tweak[0],$inout0 # intput^=tweak^round[0]
movdqu `16*2`($inp),$inout2
pxor @tweak[1],$inout1
aesdec $rndkey1,$inout0
@@ -2150,7 +2313,7 @@
lea `16*6`($inp),$inp
pxor $twmask,$inout5
- pxor $twres,@tweak[0]
+ pxor $twres,@tweak[0] # calclulate tweaks^round[last]
aesdec $rndkey1,$inout4
pxor $twres,@tweak[1]
movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^last round key
@@ -2194,7 +2357,7 @@
$movkey -80($key,%rax),$rndkey0
jnz .Lxts_dec_loop6
- movdqa (%r8),$twmask
+ movdqa (%r8),$twmask # start calculating next tweak
movdqa $twres,$twtmp
paddd $twres,$twres
aesdec $rndkey1,$inout0
@@ -2288,15 +2451,15 @@
aesdeclast `16*5`(%rsp),$inout5
pxor $twres,@tweak[5]
- lea `16*6`($out),$out
- movups $inout0,`-16*6`($out) # write output
+ lea `16*6`($out),$out # $out+=6*16
+ movups $inout0,`-16*6`($out) # store 6 output blocks
movups $inout1,`-16*5`($out)
movups $inout2,`-16*4`($out)
movups $inout3,`-16*3`($out)
movups $inout4,`-16*2`($out)
movups $inout5,`-16*1`($out)
sub \$16*6,$len
- jnc .Lxts_dec_grandloop
+ jnc .Lxts_dec_grandloop # loop if $len-=6*16 didn't borrow
mov \$16+96,$rounds
sub $rnds_,$rounds
@@ -2304,31 +2467,32 @@
shr \$4,$rounds # restore original value
.Lxts_dec_short:
+ # at the point @tweak[0..5] are populated with tweak values
mov $rounds,$rnds_ # backup $rounds
pxor $rndkey0,@tweak[0]
pxor $rndkey0,@tweak[1]
- add \$16*6,$len
- jz .Lxts_dec_done
+ add \$16*6,$len # restore real remaining $len
+ jz .Lxts_dec_done # done if ($len==0)
pxor $rndkey0,@tweak[2]
cmp \$0x20,$len
- jb .Lxts_dec_one
+ jb .Lxts_dec_one # $len is 1*16
pxor $rndkey0,@tweak[3]
- je .Lxts_dec_two
+ je .Lxts_dec_two # $len is 2*16
pxor $rndkey0,@tweak[4]
cmp \$0x40,$len
- jb .Lxts_dec_three
- je .Lxts_dec_four
+ jb .Lxts_dec_three # $len is 3*16
+ je .Lxts_dec_four # $len is 4*16
- movdqu ($inp),$inout0
+ movdqu ($inp),$inout0 # $len is 5*16
movdqu 16*1($inp),$inout1
movdqu 16*2($inp),$inout2
pxor @tweak[0],$inout0
movdqu 16*3($inp),$inout3
pxor @tweak[1],$inout1
movdqu 16*4($inp),$inout4
- lea 16*5($inp),$inp
+ lea 16*5($inp),$inp # $inp+=5*16
pxor @tweak[2],$inout2
pxor @tweak[3],$inout3
pxor @tweak[4],$inout4
@@ -2338,7 +2502,7 @@
xorps @tweak[0],$inout0
xorps @tweak[1],$inout1
xorps @tweak[2],$inout2
- movdqu $inout0,($out)
+ movdqu $inout0,($out) # store 5 output blocks
xorps @tweak[3],$inout3
movdqu $inout1,16*1($out)
xorps @tweak[4],$inout4
@@ -2347,7 +2511,7 @@
movdqu $inout3,16*3($out)
pcmpgtd @tweak[5],$twtmp
movdqu $inout4,16*4($out)
- lea 16*5($out),$out
+ lea 16*5($out),$out # $out+=5*16
pshufd \$0x13,$twtmp,@tweak[1] # $twres
and \$15,$len_
jz .Lxts_dec_ret
@@ -2361,23 +2525,23 @@
.align 16
.Lxts_dec_one:
movups ($inp),$inout0
- lea 16*1($inp),$inp
+ lea 16*1($inp),$inp # $inp+=1*16
xorps @tweak[0],$inout0
___
&aesni_generate1("dec",$key,$rounds);
$code.=<<___;
xorps @tweak[0],$inout0
movdqa @tweak[1],@tweak[0]
- movups $inout0,($out)
+ movups $inout0,($out) # store one output block
movdqa @tweak[2],@tweak[1]
- lea 16*1($out),$out
+ lea 16*1($out),$out # $out+=1*16
jmp .Lxts_dec_done
.align 16
.Lxts_dec_two:
movups ($inp),$inout0
movups 16($inp),$inout1
- lea 32($inp),$inp
+ lea 32($inp),$inp # $inp+=2*16
xorps @tweak[0],$inout0
xorps @tweak[1],$inout1
@@ -2387,9 +2551,9 @@
movdqa @tweak[2],@tweak[0]
xorps @tweak[1],$inout1
movdqa @tweak[3],@tweak[1]
- movups $inout0,($out)
+ movups $inout0,($out) # store 2 output blocks
movups $inout1,16*1($out)
- lea 16*2($out),$out
+ lea 16*2($out),$out # $out+=2*16
jmp .Lxts_dec_done
.align 16
@@ -2397,7 +2561,7 @@
movups ($inp),$inout0
movups 16*1($inp),$inout1
movups 16*2($inp),$inout2
- lea 16*3($inp),$inp
+ lea 16*3($inp),$inp # $inp+=3*16
xorps @tweak[0],$inout0
xorps @tweak[1],$inout1
xorps @tweak[2],$inout2
@@ -2409,10 +2573,10 @@
xorps @tweak[1],$inout1
movdqa @tweak[4],@tweak[1]
xorps @tweak[2],$inout2
- movups $inout0,($out)
+ movups $inout0,($out) # store 3 output blocks
movups $inout1,16*1($out)
movups $inout2,16*2($out)
- lea 16*3($out),$out
+ lea 16*3($out),$out # $out+=3*16
jmp .Lxts_dec_done
.align 16
@@ -2422,7 +2586,7 @@
movups 16*2($inp),$inout2
xorps @tweak[0],$inout0
movups 16*3($inp),$inout3
- lea 16*4($inp),$inp
+ lea 16*4($inp),$inp # $inp+=4*16
xorps @tweak[1],$inout1
xorps @tweak[2],$inout2
xorps @tweak[3],$inout3
@@ -2434,17 +2598,17 @@
pxor @tweak[1],$inout1
movdqa @tweak[5],@tweak[1]
pxor @tweak[2],$inout2
- movdqu $inout0,($out)
+ movdqu $inout0,($out) # store 4 output blocks
pxor @tweak[3],$inout3
movdqu $inout1,16*1($out)
movdqu $inout2,16*2($out)
movdqu $inout3,16*3($out)
- lea 16*4($out),$out
+ lea 16*4($out),$out # $out+=4*16
jmp .Lxts_dec_done
.align 16
.Lxts_dec_done:
- and \$15,$len_
+ and \$15,$len_ # see if $len%16 is 0
jz .Lxts_dec_ret
.Lxts_dec_done2:
mov $len_,$len
@@ -2482,18 +2646,60 @@
movups $inout0,($out)
.Lxts_dec_ret:
+ xorps %xmm0,%xmm0 # clear register bank
+ pxor %xmm1,%xmm1
+ pxor %xmm2,%xmm2
+ pxor %xmm3,%xmm3
+ pxor %xmm4,%xmm4
+ pxor %xmm5,%xmm5
+___
+$code.=<<___ if (!$win64);
+ pxor %xmm6,%xmm6
+ pxor %xmm7,%xmm7
+ movaps %xmm0,0x00(%rsp) # clear stack
+ pxor %xmm8,%xmm8
+ movaps %xmm0,0x10(%rsp)
+ pxor %xmm9,%xmm9
+ movaps %xmm0,0x20(%rsp)
+ pxor %xmm10,%xmm10
+ movaps %xmm0,0x30(%rsp)
+ pxor %xmm11,%xmm11
+ movaps %xmm0,0x40(%rsp)
+ pxor %xmm12,%xmm12
+ movaps %xmm0,0x50(%rsp)
+ pxor %xmm13,%xmm13
+ movaps %xmm0,0x60(%rsp)
+ pxor %xmm14,%xmm14
+ pxor %xmm15,%xmm15
___
$code.=<<___ if ($win64);
movaps -0xa0(%rbp),%xmm6
+ movaps %xmm0,-0xa0(%rbp) # clear stack
movaps -0x90(%rbp),%xmm7
+ movaps %xmm0,-0x90(%rbp)
movaps -0x80(%rbp),%xmm8
+ movaps %xmm0,-0x80(%rbp)
movaps -0x70(%rbp),%xmm9
+ movaps %xmm0,-0x70(%rbp)
movaps -0x60(%rbp),%xmm10
+ movaps %xmm0,-0x60(%rbp)
movaps -0x50(%rbp),%xmm11
+ movaps %xmm0,-0x50(%rbp)
movaps -0x40(%rbp),%xmm12
+ movaps %xmm0,-0x40(%rbp)
movaps -0x30(%rbp),%xmm13
+ movaps %xmm0,-0x30(%rbp)
movaps -0x20(%rbp),%xmm14
+ movaps %xmm0,-0x20(%rbp)
movaps -0x10(%rbp),%xmm15
+ movaps %xmm0,-0x10(%rbp)
+ movaps %xmm0,0x00(%rsp)
+ movaps %xmm0,0x10(%rsp)
+ movaps %xmm0,0x20(%rsp)
+ movaps %xmm0,0x30(%rsp)
+ movaps %xmm0,0x40(%rsp)
+ movaps %xmm0,0x50(%rsp)
+ movaps %xmm0,0x60(%rsp)
___
$code.=<<___;
lea (%rbp),%rsp
@@ -2548,7 +2754,11 @@
jnc .Lcbc_enc_loop
add \$16,$len
jnz .Lcbc_enc_tail
+ pxor $rndkey0,$rndkey0 # clear register bank
+ pxor $rndkey1,$rndkey1
movups $inout0,($ivp)
+ pxor $inout0,$inout0
+ pxor $inout1,$inout1
jmp .Lcbc_ret
.Lcbc_enc_tail:
@@ -2568,6 +2778,27 @@
�#--------------------------- CBC DECRYPT ------------------------------#
.align 16
.Lcbc_decrypt:
+ cmp \$16,$len
+ jne .Lcbc_decrypt_bulk
+
+ # handle single block without allocating stack frame,
+ # useful in ciphertext stealing mode
+ movdqu ($inp),$inout0 # load input
+ movdqu ($ivp),$inout1 # load iv
+ movdqa $inout0,$inout2 # future iv
+___
+ &aesni_generate1("dec",$key,$rnds_);
+$code.=<<___;
+ pxor $rndkey0,$rndkey0 # clear register bank
+ pxor $rndkey1,$rndkey1
+ movdqu $inout2,($ivp) # store iv
+ xorps $inout1,$inout0 # ^=iv
+ pxor $inout1,$inout1
+ movups $inout0,($out) # store output
+ pxor $inout0,$inout0
+ jmp .Lcbc_ret
+.align 16
+.Lcbc_decrypt_bulk:
lea (%rsp),%rax
push %rbp
sub \$$frame_size,%rsp
@@ -2609,11 +2840,11 @@
cmp \$0x70,$len
jbe .Lcbc_dec_six_or_seven
- and \$`1<<26|1<<22`,%r9d # isolate XSAVE+MOVBE
- sub \$0x50,$len
+ and \$`1<<26|1<<22`,%r9d # isolate XSAVE+MOVBE
+ sub \$0x50,$len # $len is biased by -5*16
cmp \$`1<<22`,%r9d # check for MOVBE without XSAVE
- je .Lcbc_dec_loop6_enter
- sub \$0x20,$len
+ je .Lcbc_dec_loop6_enter # [which denotes Atom Silvermont]
+ sub \$0x20,$len # $len is biased by -7*16
lea 0x70($key),$key # size optimization
jmp .Lcbc_dec_loop8_enter
.align 16
@@ -2740,7 +2971,7 @@
movaps $inout7,$inout0
lea -0x70($key),$key
add \$0x70,$len
- jle .Lcbc_dec_tail_collected
+ jle .Lcbc_dec_clear_tail_collected
movups $inout7,($out)
lea 0x10($out),$out
cmp \$0x50,$len
@@ -2759,14 +2990,19 @@
movdqu $inout0,($out)
pxor $in1,$inout2
movdqu $inout1,0x10($out)
+ pxor $inout1,$inout1 # clear register bank
pxor $in2,$inout3
movdqu $inout2,0x20($out)
+ pxor $inout2,$inout2
pxor $in3,$inout4
movdqu $inout3,0x30($out)
+ pxor $inout3,$inout3
pxor $in4,$inout5
movdqu $inout4,0x40($out)
+ pxor $inout4,$inout4
lea 0x50($out),$out
movdqa $inout5,$inout0
+ pxor $inout5,$inout5
jmp .Lcbc_dec_tail_collected
.align 16
@@ -2781,16 +3017,23 @@
movdqu $inout0,($out)
pxor $in1,$inout2
movdqu $inout1,0x10($out)
+ pxor $inout1,$inout1 # clear register bank
pxor $in2,$inout3
movdqu $inout2,0x20($out)
+ pxor $inout2,$inout2
pxor $in3,$inout4
movdqu $inout3,0x30($out)
+ pxor $inout3,$inout3
pxor $in4,$inout5
movdqu $inout4,0x40($out)
+ pxor $inout4,$inout4
pxor $inout7,$inout6
movdqu $inout5,0x50($out)
+ pxor $inout5,$inout5
lea 0x60($out),$out
movdqa $inout6,$inout0
+ pxor $inout6,$inout6
+ pxor $inout7,$inout7
jmp .Lcbc_dec_tail_collected
.align 16
@@ -2834,31 +3077,31 @@
movdqa $inout5,$inout0
add \$0x50,$len
- jle .Lcbc_dec_tail_collected
+ jle .Lcbc_dec_clear_tail_collected
movups $inout5,($out)
lea 0x10($out),$out
.Lcbc_dec_tail:
movups ($inp),$inout0
sub \$0x10,$len
- jbe .Lcbc_dec_one
+ jbe .Lcbc_dec_one # $len is 1*16 or less
movups 0x10($inp),$inout1
movaps $inout0,$in0
sub \$0x10,$len
- jbe .Lcbc_dec_two
+ jbe .Lcbc_dec_two # $len is 2*16 or less
movups 0x20($inp),$inout2
movaps $inout1,$in1
sub \$0x10,$len
- jbe .Lcbc_dec_three
+ jbe .Lcbc_dec_three # $len is 3*16 or less
movups 0x30($inp),$inout3
movaps $inout2,$in2
sub \$0x10,$len
- jbe .Lcbc_dec_four
+ jbe .Lcbc_dec_four # $len is 4*16 or less
- movups 0x40($inp),$inout4
+ movups 0x40($inp),$inout4 # $len is 5*16 or less
movaps $inout3,$in3
movaps $inout4,$in4
xorps $inout5,$inout5
@@ -2869,12 +3112,17 @@
movdqu $inout0,($out)
pxor $in1,$inout2
movdqu $inout1,0x10($out)
+ pxor $inout1,$inout1 # clear register bank
pxor $in2,$inout3
movdqu $inout2,0x20($out)
+ pxor $inout2,$inout2
pxor $in3,$inout4
movdqu $inout3,0x30($out)
+ pxor $inout3,$inout3
lea 0x40($out),$out
movdqa $inout4,$inout0
+ pxor $inout4,$inout4
+ pxor $inout5,$inout5
sub \$0x10,$len
jmp .Lcbc_dec_tail_collected
@@ -2896,6 +3144,7 @@
pxor $in0,$inout1
movdqu $inout0,($out)
movdqa $inout1,$inout0
+ pxor $inout1,$inout1 # clear register bank
lea 0x10($out),$out
jmp .Lcbc_dec_tail_collected
.align 16
@@ -2908,7 +3157,9 @@
movdqu $inout0,($out)
pxor $in1,$inout2
movdqu $inout1,0x10($out)
+ pxor $inout1,$inout1 # clear register bank
movdqa $inout2,$inout0
+ pxor $inout2,$inout2
lea 0x20($out),$out
jmp .Lcbc_dec_tail_collected
.align 16
@@ -2921,41 +3172,71 @@
movdqu $inout0,($out)
pxor $in1,$inout2
movdqu $inout1,0x10($out)
+ pxor $inout1,$inout1 # clear register bank
pxor $in2,$inout3
movdqu $inout2,0x20($out)
+ pxor $inout2,$inout2
movdqa $inout3,$inout0
+ pxor $inout3,$inout3
lea 0x30($out),$out
jmp .Lcbc_dec_tail_collected
.align 16
+.Lcbc_dec_clear_tail_collected:
+ pxor $inout1,$inout1 # clear register bank
+ pxor $inout2,$inout2
+ pxor $inout3,$inout3
+___
+$code.=<<___ if (!$win64);
+ pxor $inout4,$inout4 # %xmm6..9
+ pxor $inout5,$inout5
+ pxor $inout6,$inout6
+ pxor $inout7,$inout7
+___
+$code.=<<___;
.Lcbc_dec_tail_collected:
movups $iv,($ivp)
and \$15,$len
jnz .Lcbc_dec_tail_partial
movups $inout0,($out)
+ pxor $inout0,$inout0
jmp .Lcbc_dec_ret
.align 16
.Lcbc_dec_tail_partial:
movaps $inout0,(%rsp)
+ pxor $inout0,$inout0
mov \$16,%rcx
mov $out,%rdi
sub $len,%rcx
lea (%rsp),%rsi
- .long 0x9066A4F3 # rep movsb
+ .long 0x9066A4F3 # rep movsb
+ movdqa $inout0,(%rsp)
.Lcbc_dec_ret:
+ xorps $rndkey0,$rndkey0 # %xmm0
+ pxor $rndkey1,$rndkey1
___
$code.=<<___ if ($win64);
movaps 0x10(%rsp),%xmm6
+ movaps %xmm0,0x10(%rsp) # clear stack
movaps 0x20(%rsp),%xmm7
+ movaps %xmm0,0x20(%rsp)
movaps 0x30(%rsp),%xmm8
+ movaps %xmm0,0x30(%rsp)
movaps 0x40(%rsp),%xmm9
+ movaps %xmm0,0x40(%rsp)
movaps 0x50(%rsp),%xmm10
+ movaps %xmm0,0x50(%rsp)
movaps 0x60(%rsp),%xmm11
+ movaps %xmm0,0x60(%rsp)
movaps 0x70(%rsp),%xmm12
+ movaps %xmm0,0x70(%rsp)
movaps 0x80(%rsp),%xmm13
+ movaps %xmm0,0x80(%rsp)
movaps 0x90(%rsp),%xmm14
+ movaps %xmm0,0x90(%rsp)
movaps 0xa0(%rsp),%xmm15
+ movaps %xmm0,0xa0(%rsp)
___
$code.=<<___;
lea (%rbp),%rsp
@@ -2965,8 +3246,15 @@
.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
___
} �
-# int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey,
+# int ${PREFIX}_set_decrypt_key(const unsigned char *inp,
# int bits, AES_KEY *key)
+#
+# input: $inp user-supplied key
+# $bits $inp length in bits
+# $key pointer to key schedule
+# output: %eax 0 denoting success, -1 or -2 - failure (see C)
+# *$key key schedule
+#
{ my ($inp,$bits,$key) = @_4args;
$bits =~ s/%r/%e/;
@@ -3003,7 +3291,9 @@
$movkey ($key),%xmm0 # inverse middle
aesimc %xmm0,%xmm0
+ pxor %xmm1,%xmm1
$movkey %xmm0,($inp)
+ pxor %xmm0,%xmm0
.Ldec_key_ret:
add \$8,%rsp
ret
@@ -3020,6 +3310,22 @@
# Agressively optimized in respect to aeskeygenassist's critical path
# and is contained in %xmm0-5 to meet Win64 ABI requirement.
#
+# int ${PREFIX}_set_encrypt_key(const unsigned char *inp,
+# int bits, AES_KEY * const key);
+#
+# input: $inp user-supplied key
+# $bits $inp length in bits
+# $key pointer to key schedule
+# output: %eax 0 denoting success, -1 or -2 - failure (see C)
+# $bits rounds-1 (used in aesni_set_decrypt_key)
+# *$key key schedule
+# $key pointer to key schedule (used in
+# aesni_set_decrypt_key)
+#
+# Subroutine is frame-less, which means that only volatile registers
+# are used. Note that it's declared "abi-omnipotent", which means that
+# amount of volatile registers is smaller on Windows.
+#
$code.=<<___;
.globl ${PREFIX}_set_encrypt_key
.type ${PREFIX}_set_encrypt_key,\@abi-omnipotent
@@ -3033,9 +3339,11 @@
test $key,$key
jz .Lenc_key_ret
+ mov \$`1<<28|1<<11`,%r10d # AVX and XOP bits
movups ($inp),%xmm0 # pull first 128 bits of *userKey
xorps %xmm4,%xmm4 # low dword of xmm4 is assumed 0
- lea 16($key),%rax
+ and OPENSSL_ia32cap_P+4(%rip),%r10d
+ lea 16($key),%rax # %rax is used as modifiable copy of $key
cmp \$256,$bits
je .L14rounds
cmp \$192,$bits
@@ -3045,6 +3353,9 @@
.L10rounds:
mov \$9,$bits # 10 rounds for 128-bit key
+ cmp \$`1<<28`,%r10d # AVX, bit no XOP
+ je .L10rounds_alt
+
$movkey %xmm0,($key) # round 0
aeskeygenassist \$0x1,%xmm0,%xmm1 # round 1
call .Lkey_expansion_128_cold
@@ -3072,9 +3383,79 @@
jmp .Lenc_key_ret
.align 16
+.L10rounds_alt:
+ movdqa .Lkey_rotate(%rip),%xmm5
+ mov \$8,%r10d
+ movdqa .Lkey_rcon1(%rip),%xmm4
+ movdqa %xmm0,%xmm2
+ movdqu %xmm0,($key)
+ jmp .Loop_key128
+
+.align 16
+.Loop_key128:
+ pshufb %xmm5,%xmm0
+ aesenclast %xmm4,%xmm0
+ pslld \$1,%xmm4
+ lea 16(%rax),%rax
+
+ movdqa %xmm2,%xmm3
+ pslldq \$4,%xmm2
+ pxor %xmm2,%xmm3
+ pslldq \$4,%xmm2
+ pxor %xmm2,%xmm3
+ pslldq \$4,%xmm2
+ pxor %xmm3,%xmm2
+
+ pxor %xmm2,%xmm0
+ movdqu %xmm0,-16(%rax)
+ movdqa %xmm0,%xmm2
+
+ dec %r10d
+ jnz .Loop_key128
+
+ movdqa .Lkey_rcon1b(%rip),%xmm4
+
+ pshufb %xmm5,%xmm0
+ aesenclast %xmm4,%xmm0
+ pslld \$1,%xmm4
+
+ movdqa %xmm2,%xmm3
+ pslldq \$4,%xmm2
+ pxor %xmm2,%xmm3
+ pslldq \$4,%xmm2
+ pxor %xmm2,%xmm3
+ pslldq \$4,%xmm2
+ pxor %xmm3,%xmm2
+
+ pxor %xmm2,%xmm0
+ movdqu %xmm0,(%rax)
+
+ movdqa %xmm0,%xmm2
+ pshufb %xmm5,%xmm0
+ aesenclast %xmm4,%xmm0
+
+ movdqa %xmm2,%xmm3
+ pslldq \$4,%xmm2
+ pxor %xmm2,%xmm3
+ pslldq \$4,%xmm2
+ pxor %xmm2,%xmm3
+ pslldq \$4,%xmm2
+ pxor %xmm3,%xmm2
+
+ pxor %xmm2,%xmm0
+ movdqu %xmm0,16(%rax)
+
+ mov $bits,96(%rax) # 240($key)
+ xor %eax,%eax
+ jmp .Lenc_key_ret
+
+.align 16
.L12rounds:
movq 16($inp),%xmm2 # remaining 1/3 of *userKey
mov \$11,$bits # 12 rounds for 192
+ cmp \$`1<<28`,%r10d # AVX, but no XOP
+ je .L12rounds_alt
+
$movkey %xmm0,($key) # round 0
aeskeygenassist \$0x1,%xmm2,%xmm1 # round 1,2
call .Lkey_expansion_192a_cold
@@ -3098,10 +3479,54 @@
jmp .Lenc_key_ret
.align 16
+.L12rounds_alt:
+ movdqa .Lkey_rotate192(%rip),%xmm5
+ movdqa .Lkey_rcon1(%rip),%xmm4
+ mov \$8,%r10d
+ movdqu %xmm0,($key)
+ jmp .Loop_key192
+
+.align 16
+.Loop_key192:
+ movq %xmm2,0(%rax)
+ movdqa %xmm2,%xmm1
+ pshufb %xmm5,%xmm2
+ aesenclast %xmm4,%xmm2
+ pslld \$1, %xmm4
+ lea 24(%rax),%rax
+
+ movdqa %xmm0,%xmm3
+ pslldq \$4,%xmm0
+ pxor %xmm0,%xmm3
+ pslldq \$4,%xmm0
+ pxor %xmm0,%xmm3
+ pslldq \$4,%xmm0
+ pxor %xmm3,%xmm0
+
+ pshufd \$0xff,%xmm0,%xmm3
+ pxor %xmm1,%xmm3
+ pslldq \$4,%xmm1
+ pxor %xmm1,%xmm3
+
+ pxor %xmm2,%xmm0
+ pxor %xmm3,%xmm2
+ movdqu %xmm0,-16(%rax)
+
+ dec %r10d
+ jnz .Loop_key192
+
+ mov $bits,32(%rax) # 240($key)
+ xor %eax,%eax
+ jmp .Lenc_key_ret
+
+.align 16
.L14rounds:
movups 16($inp),%xmm2 # remaning half of *userKey
mov \$13,$bits # 14 rounds for 256
lea 16(%rax),%rax
+ cmp \$`1<<28`,%r10d # AVX, but no XOP
+ je .L14rounds_alt
+
$movkey %xmm0,($key) # round 0
$movkey %xmm2,16($key) # round 1
aeskeygenassist \$0x1,%xmm2,%xmm1 # round 2
@@ -3136,9 +3561,69 @@
jmp .Lenc_key_ret
.align 16
+.L14rounds_alt:
+ movdqa .Lkey_rotate(%rip),%xmm5
+ movdqa .Lkey_rcon1(%rip),%xmm4
+ mov \$7,%r10d
+ movdqu %xmm0,0($key)
+ movdqa %xmm2,%xmm1
+ movdqu %xmm2,16($key)
+ jmp .Loop_key256
+
+.align 16
+.Loop_key256:
+ pshufb %xmm5,%xmm2
+ aesenclast %xmm4,%xmm2
+
+ movdqa %xmm0,%xmm3
+ pslldq \$4,%xmm0
+ pxor %xmm0,%xmm3
+ pslldq \$4,%xmm0
+ pxor %xmm0,%xmm3
+ pslldq \$4,%xmm0
+ pxor %xmm3,%xmm0
+ pslld \$1,%xmm4
+
+ pxor %xmm2,%xmm0
+ movdqu %xmm0,(%rax)
+
+ dec %r10d
+ jz .Ldone_key256
+
+ pshufd \$0xff,%xmm0,%xmm2
+ pxor %xmm3,%xmm3
+ aesenclast %xmm3,%xmm2
+
+ movdqa %xmm1,%xmm3
+ pslldq \$4,%xmm1
+ pxor %xmm1,%xmm3
+ pslldq \$4,%xmm1
+ pxor %xmm1,%xmm3
+ pslldq \$4,%xmm1
+ pxor %xmm3,%xmm1
+
+ pxor %xmm1,%xmm2
+ movdqu %xmm2,16(%rax)
+ lea 32(%rax),%rax
+ movdqa %xmm2,%xmm1
+
+ jmp .Loop_key256
+
+.Ldone_key256:
+ mov $bits,16(%rax) # 240($key)
+ xor %eax,%eax
+ jmp .Lenc_key_ret
+
+.align 16
.Lbad_keybits:
mov \$-2,%rax
.Lenc_key_ret:
+ pxor %xmm0,%xmm0
+ pxor %xmm1,%xmm1
+ pxor %xmm2,%xmm2
+ pxor %xmm3,%xmm3
+ pxor %xmm4,%xmm4
+ pxor %xmm5,%xmm5
add \$8,%rsp
ret
.LSEH_end_set_encrypt_key:
@@ -3228,6 +3713,14 @@
.long 0x87,0,1,0
.Lincrement1:
.byte 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1
+.Lkey_rotate:
+ .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d
+.Lkey_rotate192:
+ .long 0x04070605,0x04070605,0x04070605,0x04070605
+.Lkey_rcon1:
+ .long 1,1,1,1
+.Lkey_rcon1b:
+ .long 0x1b,0x1b,0x1b,0x1b
.asciz "AES for Intel AES-NI, CRYPTOGAMS by <appro\@openssl.org>"
.align 64
@@ -3345,7 +3838,7 @@
mov 152($context),%rax # pull context->Rsp
mov 248($context),%rbx # pull context->Rip
- lea .Lcbc_decrypt(%rip),%r10
+ lea .Lcbc_decrypt_bulk(%rip),%r10
cmp %r10,%rbx # context->Rip<"prologue" label
jb .Lcommon_seh_tail
diff --git a/src/crypto/aes/asm/aesv8-armx.pl b/src/crypto/aes/asm/aesv8-armx.pl
index 703da04..b0916f6 100644
--- a/src/crypto/aes/asm/aesv8-armx.pl
+++ b/src/crypto/aes/asm/aesv8-armx.pl
@@ -24,11 +24,23 @@
#
# CBC enc CBC dec CTR
# Apple A7 2.39 1.20 1.20
-# Cortex-A53 2.45 1.87 1.94
-# Cortex-A57 3.64 1.34 1.32
+# Cortex-A53 1.32 1.29 1.46
+# Cortex-A57(*) 1.95 0.85 0.93
+# Denver 1.96 0.86 0.80
+#
+# (*) original 3.64/1.34/1.32 results were for r0p0 revision
+# and are still same even for updated module;
$flavour = shift;
-open STDOUT,">".shift;
+$output = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
$prefix="aes_v8";
@@ -38,10 +50,9 @@
#if __ARM_MAX_ARCH__>=7
.text
___
-
-$code.=<<___ if ($flavour =~ /64/);
+$code.=<<___ if ($flavour =~ /64/);
#if !defined(__clang__)
-.arch armv8-a+crypto
+.arch armv8-a+crypto
#endif
___
$code.=".arch armv7-a\n.fpu neon\n.code 32\n" if ($flavour !~ /64/);
@@ -61,7 +72,7 @@
$code.=<<___;
.align 5
-rcon:
+.Lrcon:
.long 0x01,0x01,0x01,0x01
.long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat
.long 0x1b,0x1b,0x1b,0x1b
@@ -90,7 +101,7 @@
tst $bits,#0x3f
b.ne .Lenc_key_abort
- adr $ptr,rcon
+ adr $ptr,.Lrcon
cmp $bits,#192
veor $zero,$zero,$zero
@@ -313,17 +324,17 @@
.Loop_${dir}c:
aes$e $inout,$rndkey0
- vld1.32 {$rndkey0},[$key],#16
aes$mc $inout,$inout
+ vld1.32 {$rndkey0},[$key],#16
subs $rounds,$rounds,#2
aes$e $inout,$rndkey1
- vld1.32 {$rndkey1},[$key],#16
aes$mc $inout,$inout
+ vld1.32 {$rndkey1},[$key],#16
b.gt .Loop_${dir}c
aes$e $inout,$rndkey0
- vld1.32 {$rndkey0},[$key]
aes$mc $inout,$inout
+ vld1.32 {$rndkey0},[$key]
aes$e $inout,$rndkey1
veor $inout,$inout,$rndkey0
@@ -341,6 +352,7 @@
my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
+my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key);
### q8-q15 preloaded key schedule
@@ -390,25 +402,50 @@
veor $rndzero_n_last,q8,$rndlast
b.eq .Lcbc_enc128
+ vld1.32 {$in0-$in1},[$key_]
+ add $key_,$key,#16
+ add $key4,$key,#16*4
+ add $key5,$key,#16*5
+ aese $dat,q8
+ aesmc $dat,$dat
+ add $key6,$key,#16*6
+ add $key7,$key,#16*7
+ b .Lenter_cbc_enc
+
+.align 4
.Loop_cbc_enc:
aese $dat,q8
- vld1.32 {q8},[$key_],#16
aesmc $dat,$dat
- subs $cnt,$cnt,#2
+ vst1.8 {$ivec},[$out],#16
+.Lenter_cbc_enc:
aese $dat,q9
- vld1.32 {q9},[$key_],#16
aesmc $dat,$dat
- b.gt .Loop_cbc_enc
+ aese $dat,$in0
+ aesmc $dat,$dat
+ vld1.32 {q8},[$key4]
+ cmp $rounds,#4
+ aese $dat,$in1
+ aesmc $dat,$dat
+ vld1.32 {q9},[$key5]
+ b.eq .Lcbc_enc192
aese $dat,q8
aesmc $dat,$dat
+ vld1.32 {q8},[$key6]
+ aese $dat,q9
+ aesmc $dat,$dat
+ vld1.32 {q9},[$key7]
+ nop
+
+.Lcbc_enc192:
+ aese $dat,q8
+ aesmc $dat,$dat
subs $len,$len,#16
aese $dat,q9
aesmc $dat,$dat
cclr $step,eq
aese $dat,q10
aesmc $dat,$dat
- add $key_,$key,#16
aese $dat,q11
aesmc $dat,$dat
vld1.8 {q8},[$inp],$step
@@ -417,16 +454,14 @@
veor q8,q8,$rndzero_n_last
aese $dat,q13
aesmc $dat,$dat
- vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
+ vld1.32 {q9},[$key_] // re-pre-load rndkey[1]
aese $dat,q14
aesmc $dat,$dat
aese $dat,q15
-
- mov $cnt,$rounds
veor $ivec,$dat,$rndlast
- vst1.8 {$ivec},[$out],#16
b.hs .Loop_cbc_enc
+ vst1.8 {$ivec},[$out],#16
b .Lcbc_done
.align 5
@@ -488,79 +523,78 @@
.Loop3x_cbc_dec:
aesd $dat0,q8
- aesd $dat1,q8
- aesd $dat2,q8
- vld1.32 {q8},[$key_],#16
aesimc $dat0,$dat0
+ aesd $dat1,q8
aesimc $dat1,$dat1
+ aesd $dat2,q8
aesimc $dat2,$dat2
+ vld1.32 {q8},[$key_],#16
subs $cnt,$cnt,#2
aesd $dat0,q9
- aesd $dat1,q9
- aesd $dat2,q9
- vld1.32 {q9},[$key_],#16
aesimc $dat0,$dat0
+ aesd $dat1,q9
aesimc $dat1,$dat1
+ aesd $dat2,q9
aesimc $dat2,$dat2
+ vld1.32 {q9},[$key_],#16
b.gt .Loop3x_cbc_dec
aesd $dat0,q8
+ aesimc $dat0,$dat0
aesd $dat1,q8
+ aesimc $dat1,$dat1
aesd $dat2,q8
+ aesimc $dat2,$dat2
veor $tmp0,$ivec,$rndlast
- aesimc $dat0,$dat0
- aesimc $dat1,$dat1
- aesimc $dat2,$dat2
- veor $tmp1,$in0,$rndlast
- aesd $dat0,q9
- aesd $dat1,q9
- aesd $dat2,q9
- veor $tmp2,$in1,$rndlast
subs $len,$len,#0x30
- aesimc $dat0,$dat0
- aesimc $dat1,$dat1
- aesimc $dat2,$dat2
- vorr $ivec,$in2,$in2
+ veor $tmp1,$in0,$rndlast
mov.lo x6,$len // x6, $cnt, is zero at this point
- aesd $dat0,q12
- aesd $dat1,q12
- aesd $dat2,q12
+ aesd $dat0,q9
+ aesimc $dat0,$dat0
+ aesd $dat1,q9
+ aesimc $dat1,$dat1
+ aesd $dat2,q9
+ aesimc $dat2,$dat2
+ veor $tmp2,$in1,$rndlast
add $inp,$inp,x6 // $inp is adjusted in such way that
// at exit from the loop $dat1-$dat2
// are loaded with last "words"
- aesimc $dat0,$dat0
- aesimc $dat1,$dat1
- aesimc $dat2,$dat2
+ vorr $ivec,$in2,$in2
mov $key_,$key
- aesd $dat0,q13
- aesd $dat1,q13
- aesd $dat2,q13
- vld1.8 {$in0},[$inp],#16
+ aesd $dat0,q12
aesimc $dat0,$dat0
+ aesd $dat1,q12
aesimc $dat1,$dat1
+ aesd $dat2,q12
+ aesimc $dat2,$dat2
+ vld1.8 {$in0},[$inp],#16
+ aesd $dat0,q13
+ aesimc $dat0,$dat0
+ aesd $dat1,q13
+ aesimc $dat1,$dat1
+ aesd $dat2,q13
aesimc $dat2,$dat2
vld1.8 {$in1},[$inp],#16
aesd $dat0,q14
- aesd $dat1,q14
- aesd $dat2,q14
- vld1.8 {$in2},[$inp],#16
aesimc $dat0,$dat0
+ aesd $dat1,q14
aesimc $dat1,$dat1
+ aesd $dat2,q14
aesimc $dat2,$dat2
- vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
+ vld1.8 {$in2},[$inp],#16
aesd $dat0,q15
aesd $dat1,q15
aesd $dat2,q15
-
+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
add $cnt,$rounds,#2
veor $tmp0,$tmp0,$dat0
veor $tmp1,$tmp1,$dat1
veor $dat2,$dat2,$tmp2
vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
- vorr $dat0,$in0,$in0
vst1.8 {$tmp0},[$out],#16
- vorr $dat1,$in1,$in1
+ vorr $dat0,$in0,$in0
vst1.8 {$tmp1},[$out],#16
+ vorr $dat1,$in1,$in1
vst1.8 {$dat2},[$out],#16
vorr $dat2,$in2,$in2
b.hs .Loop3x_cbc_dec
@@ -571,39 +605,39 @@
.Lcbc_dec_tail:
aesd $dat1,q8
- aesd $dat2,q8
- vld1.32 {q8},[$key_],#16
aesimc $dat1,$dat1
+ aesd $dat2,q8
aesimc $dat2,$dat2
+ vld1.32 {q8},[$key_],#16
subs $cnt,$cnt,#2
aesd $dat1,q9
- aesd $dat2,q9
- vld1.32 {q9},[$key_],#16
aesimc $dat1,$dat1
+ aesd $dat2,q9
aesimc $dat2,$dat2
+ vld1.32 {q9},[$key_],#16
b.gt .Lcbc_dec_tail
aesd $dat1,q8
- aesd $dat2,q8
aesimc $dat1,$dat1
+ aesd $dat2,q8
aesimc $dat2,$dat2
aesd $dat1,q9
- aesd $dat2,q9
aesimc $dat1,$dat1
+ aesd $dat2,q9
aesimc $dat2,$dat2
aesd $dat1,q12
- aesd $dat2,q12
aesimc $dat1,$dat1
+ aesd $dat2,q12
aesimc $dat2,$dat2
cmn $len,#0x20
aesd $dat1,q13
- aesd $dat2,q13
aesimc $dat1,$dat1
+ aesd $dat2,q13
aesimc $dat2,$dat2
veor $tmp1,$ivec,$rndlast
aesd $dat1,q14
- aesd $dat2,q14
aesimc $dat1,$dat1
+ aesd $dat2,q14
aesimc $dat2,$dat2
veor $tmp2,$in1,$rndlast
aesd $dat1,q15
@@ -704,70 +738,69 @@
.align 4
.Loop3x_ctr32:
aese $dat0,q8
- aese $dat1,q8
- aese $dat2,q8
- vld1.32 {q8},[$key_],#16
aesmc $dat0,$dat0
+ aese $dat1,q8
aesmc $dat1,$dat1
+ aese $dat2,q8
aesmc $dat2,$dat2
+ vld1.32 {q8},[$key_],#16
subs $cnt,$cnt,#2
aese $dat0,q9
- aese $dat1,q9
- aese $dat2,q9
- vld1.32 {q9},[$key_],#16
aesmc $dat0,$dat0
+ aese $dat1,q9
aesmc $dat1,$dat1
+ aese $dat2,q9
aesmc $dat2,$dat2
+ vld1.32 {q9},[$key_],#16
b.gt .Loop3x_ctr32
aese $dat0,q8
- aese $dat1,q8
- aese $dat2,q8
- mov $key_,$key
aesmc $tmp0,$dat0
- vld1.8 {$in0},[$inp],#16
+ aese $dat1,q8
aesmc $tmp1,$dat1
- aesmc $dat2,$dat2
+ vld1.8 {$in0},[$inp],#16
vorr $dat0,$ivec,$ivec
- aese $tmp0,q9
+ aese $dat2,q8
+ aesmc $dat2,$dat2
vld1.8 {$in1},[$inp],#16
- aese $tmp1,q9
- aese $dat2,q9
vorr $dat1,$ivec,$ivec
+ aese $tmp0,q9
aesmc $tmp0,$tmp0
- vld1.8 {$in2},[$inp],#16
+ aese $tmp1,q9
aesmc $tmp1,$tmp1
+ vld1.8 {$in2},[$inp],#16
+ mov $key_,$key
+ aese $dat2,q9
aesmc $tmp2,$dat2
vorr $dat2,$ivec,$ivec
add $tctr0,$ctr,#1
aese $tmp0,q12
+ aesmc $tmp0,$tmp0
aese $tmp1,q12
- aese $tmp2,q12
+ aesmc $tmp1,$tmp1
veor $in0,$in0,$rndlast
add $tctr1,$ctr,#2
- aesmc $tmp0,$tmp0
- aesmc $tmp1,$tmp1
+ aese $tmp2,q12
aesmc $tmp2,$tmp2
veor $in1,$in1,$rndlast
add $ctr,$ctr,#3
aese $tmp0,q13
+ aesmc $tmp0,$tmp0
aese $tmp1,q13
- aese $tmp2,q13
+ aesmc $tmp1,$tmp1
veor $in2,$in2,$rndlast
rev $tctr0,$tctr0
- aesmc $tmp0,$tmp0
- vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
- aesmc $tmp1,$tmp1
+ aese $tmp2,q13
aesmc $tmp2,$tmp2
vmov.32 ${dat0}[3], $tctr0
rev $tctr1,$tctr1
aese $tmp0,q14
+ aesmc $tmp0,$tmp0
aese $tmp1,q14
- aese $tmp2,q14
+ aesmc $tmp1,$tmp1
vmov.32 ${dat1}[3], $tctr1
rev $tctr2,$ctr
- aesmc $tmp0,$tmp0
- aesmc $tmp1,$tmp1
+ aese $tmp2,q14
aesmc $tmp2,$tmp2
vmov.32 ${dat2}[3], $tctr2
subs $len,$len,#3
@@ -775,13 +808,14 @@
aese $tmp1,q15
aese $tmp2,q15
- mov $cnt,$rounds
veor $in0,$in0,$tmp0
+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
+ vst1.8 {$in0},[$out],#16
veor $in1,$in1,$tmp1
+ mov $cnt,$rounds
+ vst1.8 {$in1},[$out],#16
veor $in2,$in2,$tmp2
vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
- vst1.8 {$in0},[$out],#16
- vst1.8 {$in1},[$out],#16
vst1.8 {$in2},[$out],#16
b.hs .Loop3x_ctr32
@@ -793,40 +827,40 @@
.Lctr32_tail:
aese $dat0,q8
- aese $dat1,q8
- vld1.32 {q8},[$key_],#16
aesmc $dat0,$dat0
+ aese $dat1,q8
aesmc $dat1,$dat1
+ vld1.32 {q8},[$key_],#16
subs $cnt,$cnt,#2
aese $dat0,q9
- aese $dat1,q9
- vld1.32 {q9},[$key_],#16
aesmc $dat0,$dat0
+ aese $dat1,q9
aesmc $dat1,$dat1
+ vld1.32 {q9},[$key_],#16
b.gt .Lctr32_tail
aese $dat0,q8
- aese $dat1,q8
aesmc $dat0,$dat0
+ aese $dat1,q8
aesmc $dat1,$dat1
aese $dat0,q9
- aese $dat1,q9
aesmc $dat0,$dat0
+ aese $dat1,q9
aesmc $dat1,$dat1
vld1.8 {$in0},[$inp],$step
aese $dat0,q12
+ aesmc $dat0,$dat0
aese $dat1,q12
+ aesmc $dat1,$dat1
vld1.8 {$in1},[$inp]
- aesmc $dat0,$dat0
- aesmc $dat1,$dat1
aese $dat0,q13
+ aesmc $dat0,$dat0
aese $dat1,q13
- aesmc $dat0,$dat0
aesmc $dat1,$dat1
- aese $dat0,q14
- aese $dat1,q14
veor $in0,$in0,$rndlast
+ aese $dat0,q14
aesmc $dat0,$dat0
+ aese $dat1,q14
aesmc $dat1,$dat1
veor $in1,$in1,$rndlast
aese $dat0,q15
diff --git a/src/crypto/aes/asm/bsaes-armv7.pl b/src/crypto/aes/asm/bsaes-armv7.pl
index d70f3ea..a5e4a98 100644
--- a/src/crypto/aes/asm/bsaes-armv7.pl
+++ b/src/crypto/aes/asm/bsaes-armv7.pl
@@ -47,8 +47,20 @@
#
# <ard.biesheuvel@linaro.org>
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+ die "can't locate arm-xlate.pl";
+
+ open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+ open STDOUT,">$output";
+}
my ($inp,$out,$len,$key)=("r0","r1","r2","r3");
my @XMM=map("q$_",(0..15));
@@ -703,29 +715,35 @@
# define BSAES_ASM_EXTENDED_KEY
# define XTS_CHAIN_TWEAK
# define __ARM_ARCH__ __LINUX_ARM_ARCH__
+# define __ARM_MAX_ARCH__ 7
#endif
#ifdef __thumb__
# define adrl adr
#endif
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch armv7-a
+.fpu neon
+
.text
.syntax unified @ ARMv7-capable assembler is expected to handle this
-#ifdef __thumb2__
+#if defined(__thumb2__) && !defined(__APPLE__)
.thumb
#else
.code 32
#endif
-.fpu neon
-
.type _bsaes_decrypt8,%function
.align 4
_bsaes_decrypt8:
adr $const,_bsaes_decrypt8
vldmia $key!, {@XMM[9]} @ round 0 key
+#ifdef __APPLE__
+ adr $const,.LM0ISR
+#else
add $const,$const,#.LM0ISR-_bsaes_decrypt8
+#endif
vldmia $const!, {@XMM[8]} @ .LM0ISR
veor @XMM[10], @XMM[0], @XMM[9] @ xor with round0 key
@@ -820,7 +838,11 @@
_bsaes_encrypt8:
adr $const,_bsaes_encrypt8
vldmia $key!, {@XMM[9]} @ round 0 key
+#ifdef __APPLE__
+ adr $const,.LM0SR
+#else
sub $const,$const,#_bsaes_encrypt8-.LM0SR
+#endif
vldmia $const!, {@XMM[8]} @ .LM0SR
_bsaes_encrypt8_alt:
@@ -924,7 +946,11 @@
_bsaes_key_convert:
adr $const,_bsaes_key_convert
vld1.8 {@XMM[7]}, [$inp]! @ load round 0 key
+#ifdef __APPLE__
+ adr $const,.LM0
+#else
sub $const,$const,#_bsaes_key_convert-.LM0
+#endif
vld1.8 {@XMM[15]}, [$inp]! @ load round 1 key
vmov.i8 @XMM[8], #0x01 @ bit masks
@@ -1397,7 +1423,12 @@
vstmia r12, {@XMM[7]} @ save last round key
vld1.8 {@XMM[0]}, [$ctr] @ load counter
+#ifdef __APPLE__
+ mov $ctr, #.LREVM0SR-.LM0
+ add $ctr, $const, $ctr
+#else
add $ctr, $const, #.LREVM0SR-.LM0 @ borrow $ctr
+#endif
vldmia $keysched, {@XMM[4]} @ load round0 key
#else
ldr r12, [$key, #244]
@@ -1454,7 +1485,12 @@
vldmia $ctr, {@XMM[8]} @ .LREVM0SR
mov r5, $rounds @ pass rounds
vstmia $fp, {@XMM[10]} @ save next counter
+#ifdef __APPLE__
+ mov $const, #.LREVM0SR-.LSR
+ sub $const, $ctr, $const
+#else
sub $const, $ctr, #.LREVM0SR-.LSR @ pass constants
+#endif
bl _bsaes_encrypt8_alt
@@ -1555,7 +1591,7 @@
rev r8, r8
#endif
sub sp, sp, #0x10
- vst1.8 {@XMM[1]}, [sp,:64] @ copy counter value
+ vst1.8 {@XMM[1]}, [sp] @ copy counter value
sub sp, sp, #0x10
.Lctr_enc_short_loop:
@@ -1566,7 +1602,7 @@
bl AES_encrypt
vld1.8 {@XMM[0]}, [r4]! @ load input
- vld1.8 {@XMM[1]}, [sp,:64] @ load encrypted counter
+ vld1.8 {@XMM[1]}, [sp] @ load encrypted counter
add r8, r8, #1
#ifdef __ARMEL__
rev r0, r8
@@ -2085,9 +2121,11 @@
vld1.8 {@XMM[8]}, [r0] @ initial tweak
adr $magic, .Lxts_magic
+#ifndef XTS_CHAIN_TWEAK
tst $len, #0xf @ if not multiple of 16
it ne @ Thumb2 thing, sanity check in ARM
subne $len, #0x10 @ subtract another 16 bytes
+#endif
subs $len, #0x80
blo .Lxts_dec_short
diff --git a/src/crypto/asn1/CMakeLists.txt b/src/crypto/asn1/CMakeLists.txt
index 35e1bec..283636e 100644
--- a/src/crypto/asn1/CMakeLists.txt
+++ b/src/crypto/asn1/CMakeLists.txt
@@ -23,7 +23,6 @@
a_type.c
a_utctm.c
a_utf8.c
- asn1_error.c
asn1_lib.c
asn1_par.c
asn_pack.c
diff --git a/src/crypto/asn1/a_d2i_fp.c b/src/crypto/asn1/a_d2i_fp.c
index c28532b..6022c74 100644
--- a/src/crypto/asn1/a_d2i_fp.c
+++ b/src/crypto/asn1/a_d2i_fp.c
@@ -194,7 +194,7 @@
len-off);
if (c.inf & 0x80)
{
- unsigned long e;
+ uint32_t e;
e=ERR_GET_REASON(ERR_peek_error());
if (e != ASN1_R_TOO_LONG)
diff --git a/src/crypto/asn1/a_gentm.c b/src/crypto/asn1/a_gentm.c
index 355feff..be093a4 100644
--- a/src/crypto/asn1/a_gentm.c
+++ b/src/crypto/asn1/a_gentm.c
@@ -57,6 +57,7 @@
#include <openssl/asn1.h>
#include <string.h>
+#include <time.h>
#include <openssl/err.h>
#include <openssl/mem.h>
diff --git a/src/crypto/asn1/a_time.c b/src/crypto/asn1/a_time.c
index f0badcc..e02e858 100644
--- a/src/crypto/asn1/a_time.c
+++ b/src/crypto/asn1/a_time.c
@@ -57,6 +57,7 @@
#include <openssl/asn1.h>
#include <string.h>
+#include <time.h>
#include <openssl/asn1t.h>
#include <openssl/buf.h>
diff --git a/src/crypto/asn1/a_type.c b/src/crypto/asn1/a_type.c
index 75a17d5..fd3d5b1 100644
--- a/src/crypto/asn1/a_type.c
+++ b/src/crypto/asn1/a_type.c
@@ -125,6 +125,9 @@
case V_ASN1_NULL:
result = 0; /* They do not have content. */
break;
+ case V_ASN1_BOOLEAN:
+ result = a->value.boolean - b->value.boolean;
+ break;
case V_ASN1_INTEGER:
case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
diff --git a/src/crypto/asn1/a_utctm.c b/src/crypto/asn1/a_utctm.c
index 7a3f5f6..52b010f 100644
--- a/src/crypto/asn1/a_utctm.c
+++ b/src/crypto/asn1/a_utctm.c
@@ -57,6 +57,7 @@
#include <openssl/asn1.h>
#include <string.h>
+#include <time.h>
#include <openssl/err.h>
#include <openssl/mem.h>
@@ -287,7 +288,7 @@
if (!OPENSSL_gmtime(&t, &ttm))
return -2;
- if (!OPENSSL_gmtime_diff(&day, &sec, &stm, &ttm))
+ if (!OPENSSL_gmtime_diff(&day, &sec, &ttm, &stm))
return -2;
if (day > 0)
diff --git a/src/crypto/asn1/asn1_error.c b/src/crypto/asn1/asn1_error.c
deleted file mode 100644
index 5e9fcaa..0000000
--- a/src/crypto/asn1/asn1_error.c
+++ /dev/null
@@ -1,203 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/asn1.h>
-
-const ERR_STRING_DATA ASN1_error_string_data[] = {
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_BIT_STRING_set_bit, 0), "ASN1_BIT_STRING_set_bit"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ENUMERATED_set, 0), "ASN1_ENUMERATED_set"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ENUMERATED_to_BN, 0), "ASN1_ENUMERATED_to_BN"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_GENERALIZEDTIME_adj, 0), "ASN1_GENERALIZEDTIME_adj"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_INTEGER_set, 0), "ASN1_INTEGER_set"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_INTEGER_to_BN, 0), "ASN1_INTEGER_to_BN"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_OBJECT_new, 0), "ASN1_OBJECT_new"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_PCTX_new, 0), "ASN1_PCTX_new"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_STRING_TABLE_add, 0), "ASN1_STRING_TABLE_add"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_STRING_set, 0), "ASN1_STRING_set"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_STRING_type_new, 0), "ASN1_STRING_type_new"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_TIME_adj, 0), "ASN1_TIME_adj"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_UTCTIME_adj, 0), "ASN1_UTCTIME_adj"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_d2i_fp, 0), "ASN1_d2i_fp"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_dup, 0), "ASN1_dup"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_get_object, 0), "ASN1_get_object"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_i2d_bio, 0), "ASN1_i2d_bio"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_i2d_fp, 0), "ASN1_i2d_fp"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_d2i_fp, 0), "ASN1_item_d2i_fp"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_dup, 0), "ASN1_item_dup"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_ex_d2i, 0), "ASN1_item_ex_d2i"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_i2d_bio, 0), "ASN1_item_i2d_bio"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_i2d_fp, 0), "ASN1_item_i2d_fp"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_pack, 0), "ASN1_item_pack"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_item_unpack, 0), "ASN1_item_unpack"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_mbstring_ncopy, 0), "ASN1_mbstring_ncopy"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_pack_string, 0), "ASN1_pack_string"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_seq_pack, 0), "ASN1_seq_pack"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_seq_unpack, 0), "ASN1_seq_unpack"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_template_new, 0), "ASN1_template_new"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_unpack_string, 0), "ASN1_unpack_string"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_BIO_new_NDEF, 0), "BIO_new_NDEF"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_BN_to_ASN1_ENUMERATED, 0), "BN_to_ASN1_ENUMERATED"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_BN_to_ASN1_INTEGER, 0), "BN_to_ASN1_INTEGER"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_a2d_ASN1_OBJECT, 0), "a2d_ASN1_OBJECT"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_a2i_ASN1_ENUMERATED, 0), "a2i_ASN1_ENUMERATED"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_a2i_ASN1_INTEGER, 0), "a2i_ASN1_INTEGER"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_a2i_ASN1_STRING, 0), "a2i_ASN1_STRING"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_check_tlen, 0), "asn1_check_tlen"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_collate_primitive, 0), "asn1_collate_primitive"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_collect, 0), "asn1_collect"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_d2i_ex_primitive, 0), "asn1_d2i_ex_primitive"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_d2i_read_bio, 0), "asn1_d2i_read_bio"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_do_adb, 0), "asn1_do_adb"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_ex_c2i, 0), "asn1_ex_c2i"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_find_end, 0), "asn1_find_end"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_item_ex_combine_new, 0), "asn1_item_ex_combine_new"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_template_ex_d2i, 0), "asn1_template_ex_d2i"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_asn1_template_noexp_d2i, 0), "asn1_template_noexp_d2i"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_c2i_ASN1_BIT_STRING, 0), "c2i_ASN1_BIT_STRING"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_c2i_ASN1_INTEGER, 0), "c2i_ASN1_INTEGER"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_c2i_ASN1_OBJECT, 0), "c2i_ASN1_OBJECT"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_collect_data, 0), "collect_data"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_BOOLEAN, 0), "d2i_ASN1_BOOLEAN"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_OBJECT, 0), "d2i_ASN1_OBJECT"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_UINTEGER, 0), "d2i_ASN1_UINTEGER"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_UTCTIME, 0), "d2i_ASN1_UTCTIME"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_bytes, 0), "d2i_ASN1_bytes"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_d2i_ASN1_type_bytes, 0), "d2i_ASN1_type_bytes"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_i2d_ASN1_TIME, 0), "i2d_ASN1_TIME"},
- {ERR_PACK(ERR_LIB_ASN1, ASN1_F_long_c2i, 0), "long_c2i"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ADDING_OBJECT), "ADDING_OBJECT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ASN1_LENGTH_MISMATCH), "ASN1_LENGTH_MISMATCH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ASN1_PARSE_ERROR), "ASN1_PARSE_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ASN1_SIG_PARSE_ERROR), "ASN1_SIG_PARSE_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_AUX_ERROR), "AUX_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_CLASS), "BAD_CLASS"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_GET_ASN1_OBJECT_CALL), "BAD_GET_ASN1_OBJECT_CALL"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_OBJECT_HEADER), "BAD_OBJECT_HEADER"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_PASSWORD_READ), "BAD_PASSWORD_READ"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TAG), "BAD_TAG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BMPSTRING_IS_WRONG_LENGTH), "BMPSTRING_IS_WRONG_LENGTH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BN_LIB), "BN_LIB"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BOOLEAN_IS_WRONG_LENGTH), "BOOLEAN_IS_WRONG_LENGTH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BUFFER_TOO_SMALL), "BUFFER_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER), "CIPHER_HAS_NO_OBJECT_IDENTIFIER"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_CONTEXT_NOT_INITIALISED), "CONTEXT_NOT_INITIALISED"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_DATA_IS_WRONG), "DATA_IS_WRONG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_DECODE_ERROR), "DECODE_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_DECODING_ERROR), "DECODING_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_DEPTH_EXCEEDED), "DEPTH_EXCEEDED"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ENCODE_ERROR), "ENCODE_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ERROR_GETTING_TIME), "ERROR_GETTING_TIME"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ERROR_LOADING_SECTION), "ERROR_LOADING_SECTION"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ERROR_PARSING_SET_ELEMENT), "ERROR_PARSING_SET_ELEMENT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ERROR_SETTING_CIPHER_PARAMS), "ERROR_SETTING_CIPHER_PARAMS"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_AN_ASN1_SEQUENCE), "EXPECTING_AN_ASN1_SEQUENCE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_AN_INTEGER), "EXPECTING_AN_INTEGER"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_AN_OBJECT), "EXPECTING_AN_OBJECT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_A_BOOLEAN), "EXPECTING_A_BOOLEAN"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPECTING_A_TIME), "EXPECTING_A_TIME"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPLICIT_LENGTH_MISMATCH), "EXPLICIT_LENGTH_MISMATCH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED), "EXPLICIT_TAG_NOT_CONSTRUCTED"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_FIELD_MISSING), "FIELD_MISSING"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_FIRST_NUM_TOO_LARGE), "FIRST_NUM_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_HEADER_TOO_LONG), "HEADER_TOO_LONG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_BITSTRING_FORMAT), "ILLEGAL_BITSTRING_FORMAT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_BOOLEAN), "ILLEGAL_BOOLEAN"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_CHARACTERS), "ILLEGAL_CHARACTERS"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_FORMAT), "ILLEGAL_FORMAT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_HEX), "ILLEGAL_HEX"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_IMPLICIT_TAG), "ILLEGAL_IMPLICIT_TAG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_INTEGER), "ILLEGAL_INTEGER"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_NESTED_TAGGING), "ILLEGAL_NESTED_TAGGING"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_NULL), "ILLEGAL_NULL"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_NULL_VALUE), "ILLEGAL_NULL_VALUE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_OBJECT), "ILLEGAL_OBJECT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_OPTIONAL_ANY), "ILLEGAL_OPTIONAL_ANY"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE), "ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_TAGGED_ANY), "ILLEGAL_TAGGED_ANY"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ILLEGAL_TIME_VALUE), "ILLEGAL_TIME_VALUE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INTEGER_NOT_ASCII_FORMAT), "INTEGER_NOT_ASCII_FORMAT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG), "INTEGER_TOO_LARGE_FOR_LONG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_BIT_STRING_BITS_LEFT), "INVALID_BIT_STRING_BITS_LEFT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_BMPSTRING_LENGTH), "INVALID_BMPSTRING_LENGTH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_DIGIT), "INVALID_DIGIT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_MIME_TYPE), "INVALID_MIME_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_MODIFIER), "INVALID_MODIFIER"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_NUMBER), "INVALID_NUMBER"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_OBJECT_ENCODING), "INVALID_OBJECT_ENCODING"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_SEPARATOR), "INVALID_SEPARATOR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_TIME_FORMAT), "INVALID_TIME_FORMAT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_UNIVERSALSTRING_LENGTH), "INVALID_UNIVERSALSTRING_LENGTH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_INVALID_UTF8STRING), "INVALID_UTF8STRING"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_IV_TOO_LARGE), "IV_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LENGTH_ERROR), "LENGTH_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_LIST_ERROR), "LIST_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MALLOC_FAILURE), "MALLOC_FAILURE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_NO_CONTENT_TYPE), "MIME_NO_CONTENT_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_PARSE_ERROR), "MIME_PARSE_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MIME_SIG_PARSE_ERROR), "MIME_SIG_PARSE_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MISSING_ASN1_EOS), "MISSING_ASN1_EOS"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MISSING_EOC), "MISSING_EOC"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MISSING_SECOND_NUMBER), "MISSING_SECOND_NUMBER"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MISSING_VALUE), "MISSING_VALUE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MSTRING_NOT_UNIVERSAL), "MSTRING_NOT_UNIVERSAL"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_MSTRING_WRONG_TAG), "MSTRING_WRONG_TAG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NESTED_ASN1_ERROR), "NESTED_ASN1_ERROR"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NESTED_ASN1_STRING), "NESTED_ASN1_STRING"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NON_HEX_CHARACTERS), "NON_HEX_CHARACTERS"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NOT_ASCII_FORMAT), "NOT_ASCII_FORMAT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NOT_ENOUGH_DATA), "NOT_ENOUGH_DATA"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_CONTENT_TYPE), "NO_CONTENT_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_DEFAULT_DIGEST), "NO_DEFAULT_DIGEST"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_MATCHING_CHOICE_TYPE), "NO_MATCHING_CHOICE_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_MULTIPART_BODY_FAILURE), "NO_MULTIPART_BODY_FAILURE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_MULTIPART_BOUNDARY), "NO_MULTIPART_BOUNDARY"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NO_SIG_CONTENT_TYPE), "NO_SIG_CONTENT_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_NULL_IS_WRONG_LENGTH), "NULL_IS_WRONG_LENGTH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_OBJECT_NOT_ASCII_FORMAT), "OBJECT_NOT_ASCII_FORMAT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_ODD_NUMBER_OF_CHARS), "ODD_NUMBER_OF_CHARS"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_PRIVATE_KEY_HEADER_MISSING), "PRIVATE_KEY_HEADER_MISSING"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SECOND_NUMBER_TOO_LARGE), "SECOND_NUMBER_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SEQUENCE_LENGTH_MISMATCH), "SEQUENCE_LENGTH_MISMATCH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SEQUENCE_NOT_CONSTRUCTED), "SEQUENCE_NOT_CONSTRUCTED"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG), "SEQUENCE_OR_SET_NEEDS_CONFIG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SHORT_LINE), "SHORT_LINE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_SIG_INVALID_MIME_TYPE), "SIG_INVALID_MIME_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_STREAMING_NOT_SUPPORTED), "STREAMING_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_STRING_TOO_LONG), "STRING_TOO_LONG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_STRING_TOO_SHORT), "STRING_TOO_SHORT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TAG_VALUE_TOO_HIGH), "TAG_VALUE_TOO_HIGH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TIME_NOT_ASCII_FORMAT), "TIME_NOT_ASCII_FORMAT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TOO_LONG), "TOO_LONG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TYPE_NOT_CONSTRUCTED), "TYPE_NOT_CONSTRUCTED"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_TYPE_NOT_PRIMITIVE), "TYPE_NOT_PRIMITIVE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNABLE_TO_DECODE_RSA_KEY), "UNABLE_TO_DECODE_RSA_KEY"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY), "UNABLE_TO_DECODE_RSA_PRIVATE_KEY"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNEXPECTED_EOC), "UNEXPECTED_EOC"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH), "UNIVERSALSTRING_IS_WRONG_LENGTH"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_FORMAT), "UNKNOWN_FORMAT"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_OBJECT_TYPE), "UNKNOWN_OBJECT_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE), "UNKNOWN_PUBLIC_KEY_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNKNOWN_TAG), "UNKNOWN_TAG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE), "UNSUPPORTED_ANY_DEFINED_BY_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_CIPHER), "UNSUPPORTED_CIPHER"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM), "UNSUPPORTED_ENCRYPTION_ALGORITHM"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE), "UNSUPPORTED_PUBLIC_KEY_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_UNSUPPORTED_TYPE), "UNSUPPORTED_TYPE"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_WRONG_TAG), "WRONG_TAG"},
- {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_WRONG_TYPE), "WRONG_TYPE"},
- {0, NULL},
-};
diff --git a/src/crypto/asn1/asn1_lib.c b/src/crypto/asn1/asn1_lib.c
index 1fc2c06..9aa2678 100644
--- a/src/crypto/asn1/asn1_lib.c
+++ b/src/crypto/asn1/asn1_lib.c
@@ -63,8 +63,46 @@
#include <openssl/err.h>
#include <openssl/mem.h>
+
+/* Used in asn1_mac.h.
+ * TODO(davidben): Remove this once asn1_mac.h is gone or trimmed. */
OPENSSL_DECLARE_ERROR_REASON(ASN1, MALLOC_FAILURE);
+/* Cross-module errors from crypto/x509/i2d_pr.c */
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, i2d_PrivateKey);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_PUBLIC_KEY_TYPE);
+
+/* Cross-module errors from crypto/x509/asn1_gen.c.
+ * TODO(davidben): Remove these once asn1_gen.c is gone. */
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, ASN1_generate_v3);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, asn1_cb);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, parse_tagging);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, append_exp);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, asn1_str2type);
+OPENSSL_DECLARE_ERROR_FUNCTION(ASN1, bitstr_cb);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, DEPTH_EXCEEDED);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BITSTRING_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BOOLEAN);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_HEX);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_IMPLICIT_TAG);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_INTEGER);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_NESTED_TAGGING);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_NULL_VALUE);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_OBJECT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_TIME_VALUE);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, INTEGER_NOT_ASCII_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_MODIFIER);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_NUMBER);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, LIST_ERROR);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, MISSING_VALUE);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, NOT_ASCII_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, OBJECT_NOT_ASCII_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, SEQUENCE_OR_SET_NEEDS_CONFIG);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, TIME_NOT_ASCII_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_FORMAT);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG);
+OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE);
static int asn1_get_length(const unsigned char **pp,int *inf,long *rl,int max);
static void asn1_put_length(unsigned char **pp, int length);
@@ -466,15 +504,6 @@
return(i);
}
-void asn1_add_error(const unsigned char *address, int offset)
- {
- char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
-
- BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address);
- BIO_snprintf(buf2,sizeof buf2,"%d",offset);
- ERR_add_error_data(4,"address=",buf1," offset=",buf2);
- }
-
int ASN1_STRING_length(const ASN1_STRING *x)
{ return M_ASN1_STRING_length(x); }
diff --git a/src/crypto/asn1/asn1_par.c b/src/crypto/asn1/asn1_par.c
index 53b11fe..aff3e2b 100644
--- a/src/crypto/asn1/asn1_par.c
+++ b/src/crypto/asn1/asn1_par.c
@@ -137,7 +137,7 @@
#endif
if (j & 0x80)
{
- if (BIO_write(bp,"Error in encoding\n",18) <= 0)
+ if (BIO_puts(bp, "Error in encoding\n") <= 0)
goto end;
ret=0;
goto end;
@@ -165,7 +165,7 @@
if (j & V_ASN1_CONSTRUCTED)
{
ep=p+len;
- if (BIO_write(bp,"\n",1) <= 0) goto end;
+ if (BIO_puts(bp, "\n") <= 0) goto end;
if (len > length)
{
BIO_printf(bp,
@@ -196,7 +196,7 @@
else if (xclass != 0)
{
p+=len;
- if (BIO_write(bp,"\n",1) <= 0) goto end;
+ if (BIO_puts(bp, "\n") <= 0) goto end;
}
else
{
@@ -210,7 +210,7 @@
(tag == V_ASN1_UTCTIME) ||
(tag == V_ASN1_GENERALIZEDTIME))
{
- if (BIO_write(bp,":",1) <= 0) goto end;
+ if (BIO_puts(bp, ":") <= 0) goto end;
if ((len > 0) &&
BIO_write(bp,(const char *)p,(int)len)
!= (int)len)
@@ -221,12 +221,12 @@
opp=op;
if (d2i_ASN1_OBJECT(&o,&opp,len+hl) != NULL)
{
- if (BIO_write(bp,":",1) <= 0) goto end;
+ if (BIO_puts(bp, ":") <= 0) goto end;
i2a_ASN1_OBJECT(bp,o);
}
else
{
- if (BIO_write(bp,":BAD OBJECT",11) <= 0)
+ if (BIO_puts(bp, ":BAD OBJECT") <= 0)
goto end;
}
}
@@ -238,7 +238,7 @@
ii=d2i_ASN1_BOOLEAN(NULL,&opp,len+hl);
if (ii < 0)
{
- if (BIO_write(bp,"Bad boolean\n",12) <= 0)
+ if (BIO_puts(bp, "Bad boolean\n") <= 0)
goto end;
}
BIO_printf(bp,":%d",ii);
@@ -273,7 +273,7 @@
if (printable)
/* printable string */
{
- if (BIO_write(bp,":",1) <= 0)
+ if (BIO_puts(bp, ":") <= 0)
goto end;
if (BIO_write(bp,(const char *)opp,
os->length) <= 0)
@@ -283,7 +283,7 @@
/* not printable => print octet string
* as hex dump */
{
- if (BIO_write(bp,"[HEX DUMP]:",11) <= 0)
+ if (BIO_puts(bp, "[HEX DUMP]:") <= 0)
goto end;
for (i=0; i<os->length; i++)
{
@@ -297,7 +297,7 @@
{
if (!nl)
{
- if (BIO_write(bp,"\n",1) <= 0)
+ if (BIO_puts(bp, "\n") <= 0)
goto end;
}
if (!BIO_hexdump(bp, opp,
@@ -323,9 +323,9 @@
bs=d2i_ASN1_INTEGER(NULL,&opp,len+hl);
if (bs != NULL)
{
- if (BIO_write(bp,":",1) <= 0) goto end;
+ if (BIO_puts(bp, ":") <= 0) goto end;
if (bs->type == V_ASN1_NEG_INTEGER)
- if (BIO_write(bp,"-",1) <= 0)
+ if (BIO_puts(bp, "-") <= 0)
goto end;
for (i=0; i<bs->length; i++)
{
@@ -335,13 +335,13 @@
}
if (bs->length == 0)
{
- if (BIO_write(bp,"00",2) <= 0)
+ if (BIO_puts(bp, "00") <= 0)
goto end;
}
}
else
{
- if (BIO_write(bp,"BAD INTEGER",11) <= 0)
+ if (BIO_puts(bp, "BAD INTEGER") <= 0)
goto end;
}
M_ASN1_INTEGER_free(bs);
@@ -355,9 +355,9 @@
bs=d2i_ASN1_ENUMERATED(NULL,&opp,len+hl);
if (bs != NULL)
{
- if (BIO_write(bp,":",1) <= 0) goto end;
+ if (BIO_puts(bp, ":") <= 0) goto end;
if (bs->type == V_ASN1_NEG_ENUMERATED)
- if (BIO_write(bp,"-",1) <= 0)
+ if (BIO_puts(bp, "-") <= 0)
goto end;
for (i=0; i<bs->length; i++)
{
@@ -367,13 +367,13 @@
}
if (bs->length == 0)
{
- if (BIO_write(bp,"00",2) <= 0)
+ if (BIO_puts(bp, "00") <= 0)
goto end;
}
}
else
{
- if (BIO_write(bp,"BAD ENUMERATED",11) <= 0)
+ if (BIO_puts(bp, "BAD ENUMERATED") <= 0)
goto end;
}
M_ASN1_ENUMERATED_free(bs);
@@ -382,7 +382,7 @@
{
if (!nl)
{
- if (BIO_write(bp,"\n",1) <= 0)
+ if (BIO_puts(bp, "\n") <= 0)
goto end;
}
if (!BIO_hexdump(bp,p,
@@ -394,7 +394,7 @@
if (!nl)
{
- if (BIO_write(bp,"\n",1) <= 0) goto end;
+ if (BIO_puts(bp, "\n") <= 0) goto end;
}
p+=len;
if ((tag == V_ASN1_EOC) && (xclass == 0))
diff --git a/src/crypto/asn1/bio_ndef.c b/src/crypto/asn1/bio_ndef.c
index c814814..2f7105d 100644
--- a/src/crypto/asn1/bio_ndef.c
+++ b/src/crypto/asn1/bio_ndef.c
@@ -170,6 +170,9 @@
derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
p = OPENSSL_malloc(derlen);
+ if (p == NULL)
+ return 0;
+
ndef_aux->derbuf = p;
*pbuf = p;
derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);
@@ -235,6 +238,9 @@
derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it);
p = OPENSSL_malloc(derlen);
+ if (p == NULL)
+ return 0;
+
ndef_aux->derbuf = p;
*pbuf = p;
derlen = ASN1_item_ndef_i2d(ndef_aux->val, &p, ndef_aux->it);
diff --git a/src/crypto/asn1/tasn_dec.c b/src/crypto/asn1/tasn_dec.c
index 4cece89..73d3bb3 100644
--- a/src/crypto/asn1/tasn_dec.c
+++ b/src/crypto/asn1/tasn_dec.c
@@ -63,6 +63,8 @@
#include <openssl/err.h>
#include <openssl/mem.h>
+#include "../internal.h"
+
static int asn1_check_eoc(const unsigned char **in, long len);
static int asn1_find_end(const unsigned char **in, long len, char inf);
@@ -304,8 +306,19 @@
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
- /* Allocate structure */
- if (!*pval && !ASN1_item_ex_new(pval, it))
+ if (*pval)
+ {
+ /* Free up and zero CHOICE value if initialised */
+ i = asn1_get_choice_selector(pval, it);
+ if ((i >= 0) && (i < it->tcount))
+ {
+ tt = it->templates + i;
+ pchptr = asn1_get_field_ptr(pval, tt);
+ ASN1_template_free(pchptr, tt);
+ asn1_set_choice_selector(pval, -1, it);
+ }
+ }
+ else if (!ASN1_item_ex_new(pval, it))
{
OPENSSL_PUT_ERROR(ASN1, ASN1_item_ex_d2i, ASN1_R_NESTED_ASN1_ERROR);
goto err;
@@ -394,6 +407,19 @@
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
+ /* Free up and zero any ADB found */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
+ {
+ if (tt->flags & ASN1_TFLG_ADB_MASK)
+ {
+ const ASN1_TEMPLATE *seqtt;
+ ASN1_VALUE **pseqval;
+ seqtt = asn1_do_adb(pval, tt, 1);
+ pseqval = asn1_get_field_ptr(pval, seqtt);
+ ASN1_template_free(pseqval, seqtt);
+ }
+ }
+
/* Get each field entry */
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
{
@@ -738,6 +764,7 @@
const unsigned char **in, long inlen,
const ASN1_ITEM *it,
int tag, int aclass, char opt, ASN1_TLC *ctx)
+ OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
{
int ret = 0, utype;
long plen;
@@ -1193,7 +1220,7 @@
len = buf->length;
if (!BUF_MEM_grow_clean(buf, len + plen))
{
- OPENSSL_PUT_ERROR(ASN1, asn1_collect, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(ASN1, collect_data, ERR_R_MALLOC_FAILURE);
return 0;
}
memcpy(buf->data + len, *p, plen);
diff --git a/src/crypto/asn1/tasn_new.c b/src/crypto/asn1/tasn_new.c
index b68eed7..918aba7 100644
--- a/src/crypto/asn1/tasn_new.c
+++ b/src/crypto/asn1/tasn_new.c
@@ -100,8 +100,6 @@
else
asn1_cb = 0;
- if (!combine) *pval = NULL;
-
#ifdef CRYPTO_MDEBUG
if (it->sname)
CRYPTO_push_info(it->sname);
@@ -212,6 +210,7 @@
memerr:
OPENSSL_PUT_ERROR(ASN1, asn1_item_ex_combine_new, ERR_R_MALLOC_FAILURE);
+ ASN1_item_ex_free(pval, it);
#ifdef CRYPTO_MDEBUG
if (it->sname) CRYPTO_pop_info();
#endif
@@ -328,14 +327,17 @@
ASN1_STRING *str;
int utype;
- if (it && it->funcs)
+ if (!it)
+ return 0;
+
+ if (it->funcs)
{
const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
if (pf->prim_new)
return pf->prim_new(pval, it);
}
- if (!it || (it->itype == ASN1_ITYPE_MSTRING))
+ if (it->itype == ASN1_ITYPE_MSTRING)
utype = -1;
else
utype = it->utype;
diff --git a/src/crypto/asn1/tasn_prn.c b/src/crypto/asn1/tasn_prn.c
index 4eb522d..df19ff0 100644
--- a/src/crypto/asn1/tasn_prn.c
+++ b/src/crypto/asn1/tasn_prn.c
@@ -229,6 +229,7 @@
if (!asn1_template_print_ctx(out, fld, indent,
it->templates, pctx))
return 0;
+ break;
}
/* fall thru */
case ASN1_ITYPE_MSTRING:
@@ -309,6 +310,8 @@
{
const ASN1_TEMPLATE *seqtt;
seqtt = asn1_do_adb(fld, tt, 1);
+ if (!seqtt)
+ return 0;
tmpfld = asn1_get_field_ptr(fld, seqtt);
if (!asn1_template_print_ctx(out, tmpfld,
indent + 2, seqtt, pctx))
diff --git a/src/crypto/asn1/tasn_typ.c b/src/crypto/asn1/tasn_typ.c
index f2bbbc8..f004b0d 100644
--- a/src/crypto/asn1/tasn_typ.c
+++ b/src/crypto/asn1/tasn_typ.c
@@ -61,53 +61,38 @@
/* Declarations for string types */
-IMPLEMENT_ASN1_TYPE(ASN1_INTEGER);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_INTEGER);
+#define IMPLEMENT_ASN1_STRING_FUNCTIONS(sname) \
+ IMPLEMENT_ASN1_TYPE(sname) \
+ IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(sname, sname, sname) \
+ sname *sname##_new(void) \
+ { \
+ return ASN1_STRING_type_new(V_##sname); \
+ } \
+ void sname##_free(sname *x) \
+ { \
+ ASN1_STRING_free(x); \
+ }
-IMPLEMENT_ASN1_TYPE(ASN1_ENUMERATED);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_ENUMERATED);
-
-IMPLEMENT_ASN1_TYPE(ASN1_BIT_STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_BIT_STRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_OCTET_STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_OCTET_STRING);
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_OCTET_STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_INTEGER)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_ENUMERATED)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_BIT_STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UTF8STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_PRINTABLESTRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_T61STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_IA5STRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_GENERALSTRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UTCTIME)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_GENERALIZEDTIME)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_VISIBLESTRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UNIVERSALSTRING)
+IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_BMPSTRING)
IMPLEMENT_ASN1_TYPE(ASN1_NULL);
IMPLEMENT_ASN1_FUNCTIONS(ASN1_NULL);
IMPLEMENT_ASN1_TYPE(ASN1_OBJECT);
-IMPLEMENT_ASN1_TYPE(ASN1_UTF8STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTF8STRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_PRINTABLESTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_T61STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_T61STRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_IA5STRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_IA5STRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_GENERALSTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALSTRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_UTCTIME);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_UTCTIME);
-
-IMPLEMENT_ASN1_TYPE(ASN1_GENERALIZEDTIME);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME);
-
-IMPLEMENT_ASN1_TYPE(ASN1_VISIBLESTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_VISIBLESTRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_UNIVERSALSTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING);
-
-IMPLEMENT_ASN1_TYPE(ASN1_BMPSTRING);
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_BMPSTRING);
-
IMPLEMENT_ASN1_TYPE(ASN1_ANY);
/* Just swallow an ASN1_SEQUENCE in an ASN1_STRING */;
diff --git a/src/crypto/asn1/tasn_utl.c b/src/crypto/asn1/tasn_utl.c
index f6045e4..1b9de94 100644
--- a/src/crypto/asn1/tasn_utl.c
+++ b/src/crypto/asn1/tasn_utl.c
@@ -62,6 +62,7 @@
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/err.h>
+#include <openssl/thread.h>
/* Utility functions for manipulating fields and offsets */
diff --git a/src/crypto/base64/CMakeLists.txt b/src/crypto/base64/CMakeLists.txt
index 2b4f081..8bc531a 100644
--- a/src/crypto/base64/CMakeLists.txt
+++ b/src/crypto/base64/CMakeLists.txt
@@ -11,7 +11,7 @@
add_executable(
base64_test
- base64_test.c
+ base64_test.cc
)
target_link_libraries(base64_test crypto)
diff --git a/src/crypto/base64/base64.c b/src/crypto/base64/base64.c
index 12a52cf..4822fb8 100644
--- a/src/crypto/base64/base64.c
+++ b/src/crypto/base64/base64.c
@@ -373,6 +373,10 @@
rv = 0;
goto end;
}
+ if (eof > v) {
+ rv = -1;
+ goto end;
+ }
ret += (v - eof);
} else {
eof = 1;
diff --git a/src/crypto/base64/base64_test.c b/src/crypto/base64/base64_test.cc
similarity index 72%
rename from src/crypto/base64/base64_test.c
rename to src/crypto/base64/base64_test.cc
index 411323f..fde0b46 100644
--- a/src/crypto/base64/base64_test.c
+++ b/src/crypto/base64/base64_test.cc
@@ -20,13 +20,13 @@
#include <openssl/err.h>
-typedef struct {
+struct TestVector {
const char *decoded;
const char *encoded;
-} TEST_VECTOR;
+};
-/* Test vectors from RFC 4648. */
-static const TEST_VECTOR test_vectors[] = {
+// Test vectors from RFC 4648.
+static const TestVector kTestVectors[] = {
{ "", "" },
{ "f" , "Zg==" },
{ "fo", "Zm8=" },
@@ -36,95 +36,90 @@
{ "foobar", "Zm9vYmFy" },
};
-static const size_t kNumTests = sizeof(test_vectors) / sizeof(test_vectors[0]);
+static const size_t kNumTests = sizeof(kTestVectors) / sizeof(kTestVectors[0]);
-static int test_encode(void) {
- uint8_t out[9];
- size_t i, len;
-
- for (i = 0; i < kNumTests; i++) {
- const TEST_VECTOR *t = &test_vectors[i];
- len = EVP_EncodeBlock(out, (const uint8_t*)t->decoded, strlen(t->decoded));
+static bool TestEncode() {
+ for (size_t i = 0; i < kNumTests; i++) {
+ const TestVector *t = &kTestVectors[i];
+ uint8_t out[9];
+ size_t len = EVP_EncodeBlock(out, (const uint8_t*)t->decoded,
+ strlen(t->decoded));
if (len != strlen(t->encoded) ||
memcmp(out, t->encoded, len) != 0) {
fprintf(stderr, "encode(\"%s\") = \"%.*s\", want \"%s\"\n",
t->decoded, (int)len, (const char*)out, t->encoded);
- return 0;
+ return false;
}
}
- return 1;
+ return true;
}
-static int test_decode(void) {
+static bool TestDecode() {
uint8_t out[6];
- size_t i, len;
- int ret;
+ size_t len;
- for (i = 0; i < kNumTests; i++) {
- /* Test the normal API. */
- const TEST_VECTOR *t = &test_vectors[i];
+ for (size_t i = 0; i < kNumTests; i++) {
+ // Test the normal API.
+ const TestVector *t = &kTestVectors[i];
size_t expected_len = strlen(t->decoded);
if (!EVP_DecodeBase64(out, &len, sizeof(out),
(const uint8_t*)t->encoded, strlen(t->encoded))) {
fprintf(stderr, "decode(\"%s\") failed\n", t->encoded);
- return 0;
+ return false;
}
if (len != strlen(t->decoded) ||
memcmp(out, t->decoded, len) != 0) {
fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
t->encoded, (int)len, (const char*)out, t->decoded);
- return 0;
+ return false;
}
- /* Test that the padding behavior of the deprecated API is
- * preserved. */
- ret = EVP_DecodeBlock(out, (const uint8_t*)t->encoded, strlen(t->encoded));
+ // Test that the padding behavior of the deprecated API is preserved.
+ int ret = EVP_DecodeBlock(out, (const uint8_t*)t->encoded,
+ strlen(t->encoded));
if (ret < 0) {
fprintf(stderr, "decode(\"%s\") failed\n", t->encoded);
- return 0;
+ return false;
}
if (ret % 3 != 0) {
fprintf(stderr, "EVP_DecodeBlock did not ignore padding\n");
- return 0;
+ return false;
}
if (expected_len % 3 != 0) {
ret -= 3 - (expected_len % 3);
}
- if (ret != strlen(t->decoded) ||
+ if (static_cast<size_t>(ret) != strlen(t->decoded) ||
memcmp(out, t->decoded, ret) != 0) {
fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
t->encoded, ret, (const char*)out, t->decoded);
- return 0;
+ return false;
}
}
if (EVP_DecodeBase64(out, &len, sizeof(out), (const uint8_t*)"a!bc", 4)) {
fprintf(stderr, "Failed to reject invalid characters in the middle.\n");
- return 0;
+ return false;
}
if (EVP_DecodeBase64(out, &len, sizeof(out), (const uint8_t*)"a=bc", 4)) {
fprintf(stderr, "Failed to reject invalid characters in the middle.\n");
- return 0;
+ return false;
}
if (EVP_DecodeBase64(out, &len, sizeof(out), (const uint8_t*)"abc", 4)) {
fprintf(stderr, "Failed to reject invalid input length.\n");
- return 0;
+ return false;
}
- return 1;
+ return true;
}
int main(void) {
CRYPTO_library_init();
ERR_load_crypto_strings();
- if (!test_encode()) {
- return 1;
- }
-
- if (!test_decode()) {
+ if (!TestEncode() ||
+ !TestDecode()) {
return 1;
}
diff --git a/src/crypto/bio/CMakeLists.txt b/src/crypto/bio/CMakeLists.txt
index 6211e85..f4122c4 100644
--- a/src/crypto/bio/CMakeLists.txt
+++ b/src/crypto/bio/CMakeLists.txt
@@ -6,7 +6,6 @@
OBJECT
bio.c
- bio_error.c
bio_mem.c
buffer.c
connect.c
@@ -22,7 +21,7 @@
add_executable(
bio_test
- bio_test.c
+ bio_test.cc
)
target_link_libraries(bio_test crypto)
diff --git a/src/crypto/bio/bio.c b/src/crypto/bio/bio.c
index 4d947a6..48c1466 100644
--- a/src/crypto/bio/bio.c
+++ b/src/crypto/bio/bio.c
@@ -58,7 +58,6 @@
#include <errno.h>
#include <limits.h>
-#include <stddef.h>
#include <string.h>
#include <openssl/err.h>
@@ -78,17 +77,10 @@
bio->shutdown = 1;
bio->references = 1;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data)) {
+ if (method->create != NULL && !method->create(bio)) {
return 0;
}
- if (method->create != NULL) {
- if (!method->create(bio)) {
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
- return 0;
- }
- }
-
return 1;
}
@@ -125,8 +117,6 @@
next_bio = BIO_pop(bio);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
-
if (bio->method != NULL && bio->method->destroy != NULL) {
bio->method->destroy(bio);
}
@@ -136,6 +126,11 @@
return 1;
}
+BIO *BIO_up_ref(BIO *bio) {
+ CRYPTO_add(&bio->references, 1, CRYPTO_LOCK_BIO);
+ return bio;
+}
+
void BIO_vfree(BIO *bio) {
BIO_free(bio);
}
@@ -397,10 +392,6 @@
}
last_bio->next_bio = appended_bio;
- /* TODO(fork): this seems very suspect. If we got rid of BIO SSL, we could
- * get rid of this. */
- BIO_ctrl(bio, BIO_CTRL_PUSH, 0, bio);
-
return bio;
}
@@ -411,7 +402,6 @@
return NULL;
}
ret = bio->next_bio;
- BIO_ctrl(bio, BIO_CTRL_POP, 0, bio);
bio->next_bio = NULL;
return ret;
}
@@ -462,12 +452,6 @@
return 1;
}
-void BIO_print_errors_fp(FILE *out) {
- BIO *bio = BIO_new_fp(out, BIO_NOCLOSE);
- BIO_print_errors(bio);
- BIO_free(bio);
-}
-
static int print_bio(const char *str, size_t len, void *bio) {
return BIO_write((BIO *)bio, str, len);
}
diff --git a/src/crypto/bio/bio_error.c b/src/crypto/bio/bio_error.c
deleted file mode 100644
index 09585e4..0000000
--- a/src/crypto/bio/bio_error.c
+++ /dev/null
@@ -1,59 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/bio.h>
-
-const ERR_STRING_DATA BIO_error_string_data[] = {
- {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_callback_ctrl, 0), "BIO_callback_ctrl"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_ctrl, 0), "BIO_ctrl"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_new, 0), "BIO_new"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_new_file, 0), "BIO_new_file"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_new_mem_buf, 0), "BIO_new_mem_buf"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_zero_copy_get_read_buf, 0), "BIO_zero_copy_get_read_buf"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_zero_copy_get_read_buf_done, 0), "BIO_zero_copy_get_read_buf_done"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_zero_copy_get_write_buf, 0), "BIO_zero_copy_get_write_buf"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_zero_copy_get_write_buf_done, 0), "BIO_zero_copy_get_write_buf_done"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_ctrl, 0), "bio_ctrl"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_io, 0), "bio_io"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_ip_and_port_to_socket_and_addr, 0), "bio_ip_and_port_to_socket_and_addr"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_make_pair, 0), "bio_make_pair"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_bio_write, 0), "bio_write"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_buffer_ctrl, 0), "buffer_ctrl"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_conn_ctrl, 0), "conn_ctrl"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_conn_state, 0), "conn_state"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_file_ctrl, 0), "file_ctrl"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_file_read, 0), "file_read"},
- {ERR_PACK(ERR_LIB_BIO, BIO_F_mem_write, 0), "mem_write"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_ASN1_OBJECT_TOO_LONG), "ASN1_OBJECT_TOO_LONG"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_BAD_FOPEN_MODE), "BAD_FOPEN_MODE"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_BROKEN_PIPE), "BROKEN_PIPE"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_CONNECT_ERROR), "CONNECT_ERROR"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_ERROR_SETTING_NBIO), "ERROR_SETTING_NBIO"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_INVALID_ARGUMENT), "INVALID_ARGUMENT"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_IN_USE), "IN_USE"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_KEEPALIVE), "KEEPALIVE"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NBIO_CONNECT_ERROR), "NBIO_CONNECT_ERROR"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NO_HOSTNAME_SPECIFIED), "NO_HOSTNAME_SPECIFIED"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NO_PORT_SPECIFIED), "NO_PORT_SPECIFIED"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NO_SUCH_FILE), "NO_SUCH_FILE"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_NULL_PARAMETER), "NULL_PARAMETER"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_SYS_LIB), "SYS_LIB"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_UNABLE_TO_CREATE_SOCKET), "UNABLE_TO_CREATE_SOCKET"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_UNINITIALIZED), "UNINITIALIZED"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_UNSUPPORTED_METHOD), "UNSUPPORTED_METHOD"},
- {ERR_PACK(ERR_LIB_BIO, 0, BIO_R_WRITE_TO_READ_ONLY_BIO), "WRITE_TO_READ_ONLY_BIO"},
- {0, NULL},
-};
diff --git a/src/crypto/bio/bio_test.c b/src/crypto/bio/bio_test.c
deleted file mode 100644
index ee11acc..0000000
--- a/src/crypto/bio/bio_test.c
+++ /dev/null
@@ -1,362 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 201410L
-#endif
-
-#include <openssl/base.h>
-
-#if !defined(OPENSSL_WINDOWS)
-#include <arpa/inet.h>
-#include <fcntl.h>
-#include <netinet/in.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <unistd.h>
-#else
-#include <io.h>
-#pragma warning(push, 3)
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#pragma warning(pop)
-#endif
-
-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-#define MIN(a, b) ((a < b) ? a : b)
-
-#if !defined(OPENSSL_WINDOWS)
-static int closesocket(int sock) {
- return close(sock);
-}
-
-static void print_socket_error(const char *func) {
- perror(func);
-}
-#else
-static void print_socket_error(const char *func) {
- fprintf(stderr, "%s: %d\n", func, WSAGetLastError());
-}
-#endif
-
-static int test_socket_connect(void) {
- int listening_sock = socket(AF_INET, SOCK_STREAM, 0);
- int sock;
- struct sockaddr_in sin;
- socklen_t sockaddr_len = sizeof(sin);
- static const char kTestMessage[] = "test";
- char hostname[80], buf[5];
- BIO *bio;
-
- memset(&sin, 0, sizeof(sin));
- sin.sin_family = AF_INET;
- if (!inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr)) {
- print_socket_error("inet_pton");
- return 0;
- }
-
- if (bind(listening_sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
- print_socket_error("bind");
- return 0;
- }
-
- if (listen(listening_sock, 1)) {
- print_socket_error("listen");
- return 0;
- }
-
- if (getsockname(listening_sock, (struct sockaddr *)&sin, &sockaddr_len) ||
- sockaddr_len != sizeof(sin)) {
- print_socket_error("getsockname");
- return 0;
- }
-
- BIO_snprintf(hostname, sizeof(hostname), "%s:%d", "127.0.0.1",
- ntohs(sin.sin_port));
- bio = BIO_new_connect(hostname);
- if (!bio) {
- fprintf(stderr, "BIO_new_connect failed.\n");
- return 0;
- }
-
- if (BIO_write(bio, kTestMessage, sizeof(kTestMessage)) !=
- sizeof(kTestMessage)) {
- fprintf(stderr, "BIO_write failed.\n");
- BIO_print_errors_fp(stderr);
- return 0;
- }
-
- sock = accept(listening_sock, (struct sockaddr *) &sin, &sockaddr_len);
- if (sock < 0) {
- print_socket_error("accept");
- return 0;
- }
-
- if (recv(sock, buf, sizeof(buf), 0) != sizeof(kTestMessage)) {
- print_socket_error("read");
- return 0;
- }
-
- if (memcmp(buf, kTestMessage, sizeof(kTestMessage))) {
- return 0;
- }
-
- closesocket(sock);
- closesocket(listening_sock);
- BIO_free(bio);
-
- return 1;
-}
-
-
-/* bio_read_zero_copy_wrapper is a wrapper around the zero-copy APIs to make
- * testing easier. */
-static size_t bio_read_zero_copy_wrapper(BIO *bio, uint8_t *data, size_t len) {
- uint8_t *read_buf;
- size_t read_buf_offset;
- size_t available_bytes;
- size_t len_read = 0;
-
- do {
- if (!BIO_zero_copy_get_read_buf(bio, &read_buf, &read_buf_offset,
- &available_bytes)) {
- return 0;
- }
-
- available_bytes = MIN(available_bytes, len - len_read);
- memmove(data + len_read, read_buf + read_buf_offset, available_bytes);
-
- BIO_zero_copy_get_read_buf_done(bio, available_bytes);
-
- len_read += available_bytes;
- } while (len - len_read > 0 && available_bytes > 0);
-
- return len_read;
-}
-
-/* bio_write_zero_copy_wrapper is a wrapper around the zero-copy APIs to make
- * testing easier. */
-static size_t bio_write_zero_copy_wrapper(BIO *bio, const uint8_t *data,
- size_t len) {
- uint8_t *write_buf;
- size_t write_buf_offset;
- size_t available_bytes;
- size_t len_written = 0;
-
- do {
- if (!BIO_zero_copy_get_write_buf(bio, &write_buf, &write_buf_offset,
- &available_bytes)) {
- return 0;
- }
-
- available_bytes = MIN(available_bytes, len - len_written);
- memmove(write_buf + write_buf_offset, data + len_written, available_bytes);
-
- BIO_zero_copy_get_write_buf_done(bio, available_bytes);
-
- len_written += available_bytes;
- } while (len - len_written > 0 && available_bytes > 0);
-
- return len_written;
-}
-
-static int test_zero_copy_bio_pairs(void) {
- /* Test read and write, especially triggering the ring buffer wrap-around.*/
- BIO* bio1;
- BIO* bio2;
- size_t i, j;
- uint8_t bio1_application_send_buffer[1024];
- uint8_t bio2_application_recv_buffer[1024];
- size_t total_read = 0;
- size_t total_write = 0;
- uint8_t* write_buf;
- size_t write_buf_offset;
- size_t available_bytes;
- size_t bytes_left;
-
- const size_t kLengths[] = {254, 255, 256, 257, 510, 511, 512, 513};
-
- /* These trigger ring buffer wrap around. */
- const size_t kPartialLengths[] = {0, 1, 2, 3, 128, 255, 256, 257, 511, 512};
-
- static const size_t kBufferSize = 512;
-
- srand(1);
- for (i = 0; i < sizeof(bio1_application_send_buffer); i++) {
- bio1_application_send_buffer[i] = rand() & 255;
- }
-
- /* Transfer bytes from bio1_application_send_buffer to
- * bio2_application_recv_buffer in various ways. */
- for (i = 0; i < sizeof(kLengths) / sizeof(kLengths[0]); i++) {
- for (j = 0; j < sizeof(kPartialLengths) / sizeof(kPartialLengths[0]); j++) {
- total_write = 0;
- total_read = 0;
-
- BIO_new_bio_pair(&bio1, kBufferSize, &bio2, kBufferSize);
-
- total_write += bio_write_zero_copy_wrapper(
- bio1, bio1_application_send_buffer, kLengths[i]);
-
- /* This tests interleaved read/write calls. Do a read between zero copy
- * write calls. */
- if (!BIO_zero_copy_get_write_buf(bio1, &write_buf, &write_buf_offset,
- &available_bytes)) {
- return 0;
- }
-
- /* Free kPartialLengths[j] bytes in the beginning of bio1 write buffer.
- * This enables ring buffer wrap around for the next write. */
- total_read += BIO_read(bio2, bio2_application_recv_buffer + total_read,
- kPartialLengths[j]);
-
- size_t interleaved_write_len = MIN(kPartialLengths[j], available_bytes);
-
- /* Write the data for the interleaved write call. If the buffer becomes
- * empty after a read, the write offset is normally set to 0. Check that
- * this does not happen for interleaved read/write and that
- * |write_buf_offset| is still valid. */
- memcpy(write_buf + write_buf_offset,
- bio1_application_send_buffer + total_write, interleaved_write_len);
- if (BIO_zero_copy_get_write_buf_done(bio1, interleaved_write_len)) {
- total_write += interleaved_write_len;
- }
-
- /* Do another write in case |write_buf_offset| was wrapped */
- total_write += bio_write_zero_copy_wrapper(
- bio1, bio1_application_send_buffer + total_write,
- kPartialLengths[j] - interleaved_write_len);
-
- /* Drain the rest. */
- bytes_left = BIO_pending(bio2);
- total_read += bio_read_zero_copy_wrapper(
- bio2, bio2_application_recv_buffer + total_read, bytes_left);
-
- BIO_free(bio1);
- BIO_free(bio2);
-
- if (total_read != total_write) {
- fprintf(stderr, "Lengths not equal in round (%u, %u)\n", (unsigned)i,
- (unsigned)j);
- return 0;
- }
- if (total_read > kLengths[i] + kPartialLengths[j]) {
- fprintf(stderr, "Bad lengths in round (%u, %u)\n", (unsigned)i,
- (unsigned)j);
- return 0;
- }
- if (memcmp(bio1_application_send_buffer, bio2_application_recv_buffer,
- total_read) != 0) {
- fprintf(stderr, "Buffers not equal in round (%u, %u)\n", (unsigned)i,
- (unsigned)j);
- return 0;
- }
- }
- }
-
- return 1;
-}
-
-static int test_printf(void) {
- /* Test a short output, a very long one, and various sizes around
- * 256 (the size of the buffer) to ensure edge cases are correct. */
- static const size_t kLengths[] = { 5, 250, 251, 252, 253, 254, 1023 };
- BIO *bio;
- char string[1024];
- int ret;
- const uint8_t *contents;
- size_t i, len;
-
- bio = BIO_new(BIO_s_mem());
- if (!bio) {
- fprintf(stderr, "BIO_new failed\n");
- return 0;
- }
-
- for (i = 0; i < sizeof(kLengths) / sizeof(kLengths[0]); i++) {
- if (kLengths[i] >= sizeof(string)) {
- fprintf(stderr, "Bad test string length\n");
- return 0;
- }
- memset(string, 'a', sizeof(string));
- string[kLengths[i]] = '\0';
-
- ret = BIO_printf(bio, "test %s", string);
- if (ret != 5 + kLengths[i]) {
- fprintf(stderr, "BIO_printf failed: %d\n", ret);
- return 0;
- }
- if (!BIO_mem_contents(bio, &contents, &len)) {
- fprintf(stderr, "BIO_mem_contents failed\n");
- return 0;
- }
- if (len != 5 + kLengths[i] ||
- strncmp((const char *)contents, "test ", 5) != 0 ||
- strncmp((const char *)contents + 5, string, kLengths[i]) != 0) {
- fprintf(stderr, "Contents did not match: %.*s\n", (int)len, contents);
- return 0;
- }
-
- if (!BIO_reset(bio)) {
- fprintf(stderr, "BIO_reset failed\n");
- return 0;
- }
- }
-
- BIO_free(bio);
- return 1;
-}
-
-int main(void) {
-#if defined(OPENSSL_WINDOWS)
- WSADATA wsa_data;
- WORD wsa_version;
- int wsa_err;
-#endif
-
- CRYPTO_library_init();
- ERR_load_crypto_strings();
-
-#if defined(OPENSSL_WINDOWS)
- /* Initialize Winsock. */
- wsa_version = MAKEWORD(2, 2);
- wsa_err = WSAStartup(wsa_version, &wsa_data);
- if (wsa_err != 0) {
- fprintf(stderr, "WSAStartup failed: %d\n", wsa_err);
- return 1;
- }
- if (wsa_data.wVersion != wsa_version) {
- fprintf(stderr, "Didn't get expected version: %x\n", wsa_data.wVersion);
- return 1;
- }
-#endif
-
- if (!test_socket_connect()) {
- return 1;
- }
-
- if (!test_printf()) {
- return 1;
- }
-
- if (!test_zero_copy_bio_pairs()) {
- return 1;
- }
-
- printf("PASS\n");
- return 0;
-}
diff --git a/src/crypto/bio/bio_test.cc b/src/crypto/bio/bio_test.cc
new file mode 100644
index 0000000..4c88df5
--- /dev/null
+++ b/src/crypto/bio/bio_test.cc
@@ -0,0 +1,359 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#if !defined(_POSIX_C_SOURCE)
+#define _POSIX_C_SOURCE 201410L
+#endif
+
+#include <openssl/base.h>
+
+#if !defined(OPENSSL_WINDOWS)
+#include <arpa/inet.h>
+#include <fcntl.h>
+#include <netinet/in.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#else
+#include <io.h>
+#pragma warning(push, 3)
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#pragma warning(pop)
+#endif
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include <algorithm>
+
+#include "../test/scoped_types.h"
+
+
+#if !defined(OPENSSL_WINDOWS)
+static int closesocket(int sock) {
+ return close(sock);
+}
+
+static void PrintSocketError(const char *func) {
+ perror(func);
+}
+#else
+static void PrintSocketError(const char *func) {
+ fprintf(stderr, "%s: %d\n", func, WSAGetLastError());
+}
+#endif
+
+class ScopedSocket {
+ public:
+ ScopedSocket(int sock) : sock_(sock) {}
+ ~ScopedSocket() {
+ closesocket(sock_);
+ }
+
+ private:
+ const int sock_;
+};
+
+static bool TestSocketConnect() {
+ static const char kTestMessage[] = "test";
+
+ int listening_sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (listening_sock == -1) {
+ PrintSocketError("socket");
+ return false;
+ }
+ ScopedSocket listening_sock_closer(listening_sock);
+
+ struct sockaddr_in sin;
+ memset(&sin, 0, sizeof(sin));
+ sin.sin_family = AF_INET;
+ if (!inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr)) {
+ PrintSocketError("inet_pton");
+ return false;
+ }
+ if (bind(listening_sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
+ PrintSocketError("bind");
+ return false;
+ }
+ if (listen(listening_sock, 1)) {
+ PrintSocketError("listen");
+ return false;
+ }
+ socklen_t sockaddr_len = sizeof(sin);
+ if (getsockname(listening_sock, (struct sockaddr *)&sin, &sockaddr_len) ||
+ sockaddr_len != sizeof(sin)) {
+ PrintSocketError("getsockname");
+ return false;
+ }
+
+ char hostname[80];
+ BIO_snprintf(hostname, sizeof(hostname), "%s:%d", "127.0.0.1",
+ ntohs(sin.sin_port));
+ ScopedBIO bio(BIO_new_connect(hostname));
+ if (!bio) {
+ fprintf(stderr, "BIO_new_connect failed.\n");
+ return false;
+ }
+
+ if (BIO_write(bio.get(), kTestMessage, sizeof(kTestMessage)) !=
+ sizeof(kTestMessage)) {
+ fprintf(stderr, "BIO_write failed.\n");
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+
+ int sock = accept(listening_sock, (struct sockaddr *) &sin, &sockaddr_len);
+ if (sock == -1) {
+ PrintSocketError("accept");
+ return false;
+ }
+ ScopedSocket sock_closer(sock);
+
+ char buf[5];
+ if (recv(sock, buf, sizeof(buf), 0) != sizeof(kTestMessage)) {
+ PrintSocketError("read");
+ return false;
+ }
+ if (memcmp(buf, kTestMessage, sizeof(kTestMessage))) {
+ return false;
+ }
+
+ return true;
+}
+
+
+// BioReadZeroCopyWrapper is a wrapper around the zero-copy APIs to make
+// testing easier.
+static size_t BioReadZeroCopyWrapper(BIO *bio, uint8_t *data, size_t len) {
+ uint8_t *read_buf;
+ size_t read_buf_offset;
+ size_t available_bytes;
+ size_t len_read = 0;
+
+ do {
+ if (!BIO_zero_copy_get_read_buf(bio, &read_buf, &read_buf_offset,
+ &available_bytes)) {
+ return 0;
+ }
+
+ available_bytes = std::min(available_bytes, len - len_read);
+ memmove(data + len_read, read_buf + read_buf_offset, available_bytes);
+
+ BIO_zero_copy_get_read_buf_done(bio, available_bytes);
+
+ len_read += available_bytes;
+ } while (len - len_read > 0 && available_bytes > 0);
+
+ return len_read;
+}
+
+// BioWriteZeroCopyWrapper is a wrapper around the zero-copy APIs to make
+// testing easier.
+static size_t BioWriteZeroCopyWrapper(BIO *bio, const uint8_t *data,
+ size_t len) {
+ uint8_t *write_buf;
+ size_t write_buf_offset;
+ size_t available_bytes;
+ size_t len_written = 0;
+
+ do {
+ if (!BIO_zero_copy_get_write_buf(bio, &write_buf, &write_buf_offset,
+ &available_bytes)) {
+ return 0;
+ }
+
+ available_bytes = std::min(available_bytes, len - len_written);
+ memmove(write_buf + write_buf_offset, data + len_written, available_bytes);
+
+ BIO_zero_copy_get_write_buf_done(bio, available_bytes);
+
+ len_written += available_bytes;
+ } while (len - len_written > 0 && available_bytes > 0);
+
+ return len_written;
+}
+
+static bool TestZeroCopyBioPairs() {
+ // Test read and write, especially triggering the ring buffer wrap-around.
+ uint8_t bio1_application_send_buffer[1024];
+ uint8_t bio2_application_recv_buffer[1024];
+
+ const size_t kLengths[] = {254, 255, 256, 257, 510, 511, 512, 513};
+
+ // These trigger ring buffer wrap around.
+ const size_t kPartialLengths[] = {0, 1, 2, 3, 128, 255, 256, 257, 511, 512};
+
+ static const size_t kBufferSize = 512;
+
+ srand(1);
+ for (size_t i = 0; i < sizeof(bio1_application_send_buffer); i++) {
+ bio1_application_send_buffer[i] = rand() & 255;
+ }
+
+ // Transfer bytes from bio1_application_send_buffer to
+ // bio2_application_recv_buffer in various ways.
+ for (size_t i = 0; i < sizeof(kLengths) / sizeof(kLengths[0]); i++) {
+ for (size_t j = 0; j < sizeof(kPartialLengths) / sizeof(kPartialLengths[0]);
+ j++) {
+ size_t total_write = 0;
+ size_t total_read = 0;
+
+ BIO *bio1, *bio2;
+ if (!BIO_new_bio_pair(&bio1, kBufferSize, &bio2, kBufferSize)) {
+ return false;
+ }
+ ScopedBIO bio1_scoper(bio1);
+ ScopedBIO bio2_scoper(bio2);
+
+ total_write += BioWriteZeroCopyWrapper(
+ bio1, bio1_application_send_buffer, kLengths[i]);
+
+ // This tests interleaved read/write calls. Do a read between zero copy
+ // write calls.
+ uint8_t *write_buf;
+ size_t write_buf_offset;
+ size_t available_bytes;
+ if (!BIO_zero_copy_get_write_buf(bio1, &write_buf, &write_buf_offset,
+ &available_bytes)) {
+ return false;
+ }
+
+ // Free kPartialLengths[j] bytes in the beginning of bio1 write buffer.
+ // This enables ring buffer wrap around for the next write.
+ total_read += BIO_read(bio2, bio2_application_recv_buffer + total_read,
+ kPartialLengths[j]);
+
+ size_t interleaved_write_len = std::min(kPartialLengths[j],
+ available_bytes);
+
+ // Write the data for the interleaved write call. If the buffer becomes
+ // empty after a read, the write offset is normally set to 0. Check that
+ // this does not happen for interleaved read/write and that
+ // |write_buf_offset| is still valid.
+ memcpy(write_buf + write_buf_offset,
+ bio1_application_send_buffer + total_write, interleaved_write_len);
+ if (BIO_zero_copy_get_write_buf_done(bio1, interleaved_write_len)) {
+ total_write += interleaved_write_len;
+ }
+
+ // Do another write in case |write_buf_offset| was wrapped.
+ total_write += BioWriteZeroCopyWrapper(
+ bio1, bio1_application_send_buffer + total_write,
+ kPartialLengths[j] - interleaved_write_len);
+
+ // Drain the rest.
+ size_t bytes_left = BIO_pending(bio2);
+ total_read += BioReadZeroCopyWrapper(
+ bio2, bio2_application_recv_buffer + total_read, bytes_left);
+
+ if (total_read != total_write) {
+ fprintf(stderr, "Lengths not equal in round (%u, %u)\n", (unsigned)i,
+ (unsigned)j);
+ return false;
+ }
+ if (total_read > kLengths[i] + kPartialLengths[j]) {
+ fprintf(stderr, "Bad lengths in round (%u, %u)\n", (unsigned)i,
+ (unsigned)j);
+ return false;
+ }
+ if (memcmp(bio1_application_send_buffer, bio2_application_recv_buffer,
+ total_read) != 0) {
+ fprintf(stderr, "Buffers not equal in round (%u, %u)\n", (unsigned)i,
+ (unsigned)j);
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+static bool TestPrintf() {
+ // Test a short output, a very long one, and various sizes around
+ // 256 (the size of the buffer) to ensure edge cases are correct.
+ static const size_t kLengths[] = { 5, 250, 251, 252, 253, 254, 1023 };
+
+ ScopedBIO bio(BIO_new(BIO_s_mem()));
+ if (!bio) {
+ fprintf(stderr, "BIO_new failed\n");
+ return false;
+ }
+
+ for (size_t i = 0; i < sizeof(kLengths) / sizeof(kLengths[0]); i++) {
+ char string[1024];
+ if (kLengths[i] >= sizeof(string)) {
+ fprintf(stderr, "Bad test string length\n");
+ return false;
+ }
+ memset(string, 'a', sizeof(string));
+ string[kLengths[i]] = '\0';
+
+ int ret = BIO_printf(bio.get(), "test %s", string);
+ if (ret < 0 || static_cast<size_t>(ret) != 5 + kLengths[i]) {
+ fprintf(stderr, "BIO_printf failed: %d\n", ret);
+ return false;
+ }
+ const uint8_t *contents;
+ size_t len;
+ if (!BIO_mem_contents(bio.get(), &contents, &len)) {
+ fprintf(stderr, "BIO_mem_contents failed\n");
+ return false;
+ }
+ if (len != 5 + kLengths[i] ||
+ strncmp((const char *)contents, "test ", 5) != 0 ||
+ strncmp((const char *)contents + 5, string, kLengths[i]) != 0) {
+ fprintf(stderr, "Contents did not match: %.*s\n", (int)len, contents);
+ return false;
+ }
+
+ if (!BIO_reset(bio.get())) {
+ fprintf(stderr, "BIO_reset failed\n");
+ return false;
+ }
+ }
+
+ return true;
+}
+
+int main(void) {
+ CRYPTO_library_init();
+ ERR_load_crypto_strings();
+
+#if defined(OPENSSL_WINDOWS)
+ // Initialize Winsock.
+ WORD wsa_version = MAKEWORD(2, 2);
+ WSADATA wsa_data;
+ int wsa_err = WSAStartup(wsa_version, &wsa_data);
+ if (wsa_err != 0) {
+ fprintf(stderr, "WSAStartup failed: %d\n", wsa_err);
+ return 1;
+ }
+ if (wsa_data.wVersion != wsa_version) {
+ fprintf(stderr, "Didn't get expected version: %x\n", wsa_data.wVersion);
+ return 1;
+ }
+#endif
+
+ if (!TestSocketConnect() ||
+ !TestPrintf() ||
+ !TestZeroCopyBioPairs()) {
+ return 1;
+ }
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/src/crypto/bio/buffer.c b/src/crypto/bio/buffer.c
index 5e423a1..3fc0685 100644
--- a/src/crypto/bio/buffer.c
+++ b/src/crypto/bio/buffer.c
@@ -122,17 +122,13 @@
static int buffer_free(BIO *bio) {
BIO_F_BUFFER_CTX *ctx;
- if (bio == NULL) {
+ if (bio == NULL || bio->ptr == NULL) {
return 0;
}
ctx = (BIO_F_BUFFER_CTX *)bio->ptr;
- if (ctx->ibuf != NULL) {
- OPENSSL_free(ctx->ibuf);
- }
- if (ctx->obuf != NULL) {
- OPENSSL_free(ctx->obuf);
- }
+ OPENSSL_free(ctx->ibuf);
+ OPENSSL_free(ctx->obuf);
OPENSSL_free(bio->ptr);
bio->ptr = NULL;
@@ -315,8 +311,9 @@
case BIO_CTRL_WPENDING:
ret = (long)ctx->obuf_len;
if (ret == 0) {
- if (b->next_bio == NULL)
+ if (b->next_bio == NULL) {
return 0;
+ }
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
}
break;
diff --git a/src/crypto/bio/connect.c b/src/crypto/bio/connect.c
index cbb1bb6..32361bf 100644
--- a/src/crypto/bio/connect.c
+++ b/src/crypto/bio/connect.c
@@ -161,9 +161,7 @@
break;
}
}
- if (c->param_port != NULL) {
- OPENSSL_free(c->param_port);
- }
+ OPENSSL_free(c->param_port);
c->param_port = BUF_strdup(p);
}
}
@@ -286,12 +284,8 @@
return;
}
- if (c->param_hostname != NULL) {
- OPENSSL_free(c->param_hostname);
- }
- if (c->param_port != NULL) {
- OPENSSL_free(c->param_port);
- }
+ OPENSSL_free(c->param_hostname);
+ OPENSSL_free(c->param_port);
OPENSSL_free(c);
}
@@ -397,10 +391,11 @@
break;
case BIO_C_DO_STATE_MACHINE:
/* use this one to start the connection */
- if (data->state != BIO_CONN_S_OK)
+ if (data->state != BIO_CONN_S_OK) {
ret = (long)conn_state(bio, data);
- else
+ } else {
ret = 1;
+ }
break;
case BIO_C_GET_CONNECT:
/* TODO(fork): can this be removed? (Or maybe this whole file). */
@@ -425,15 +420,17 @@
if (ptr != NULL) {
bio->init = 1;
if (num == 0) {
- if (data->param_hostname != NULL) {
- OPENSSL_free(data->param_hostname);
- }
+ OPENSSL_free(data->param_hostname);
data->param_hostname = BUF_strdup(ptr);
- } else if (num == 1) {
- if (data->param_port != NULL) {
- OPENSSL_free(data->param_port);
+ if (data->param_hostname == NULL) {
+ ret = 0;
}
+ } else if (num == 1) {
+ OPENSSL_free(data->param_port);
data->param_port = BUF_strdup(ptr);
+ if (data->param_port == NULL) {
+ ret = 0;
+ }
} else {
ret = 0;
}
diff --git a/src/crypto/bio/pair.c b/src/crypto/bio/pair.c
index de2b4cb..cc55950 100644
--- a/src/crypto/bio/pair.c
+++ b/src/crypto/bio/pair.c
@@ -145,7 +145,7 @@
bio_destroy_pair(bio);
}
- if (b->buf != NULL && !b->buf_externally_allocated) {
+ if (!b->buf_externally_allocated) {
OPENSSL_free(b->buf);
}
@@ -793,14 +793,10 @@
err:
if (ret == 0) {
- if (bio1) {
- BIO_free(bio1);
- bio1 = NULL;
- }
- if (bio2) {
- BIO_free(bio2);
- bio2 = NULL;
- }
+ BIO_free(bio1);
+ bio1 = NULL;
+ BIO_free(bio2);
+ bio2 = NULL;
}
*bio1_p = bio1;
diff --git a/src/crypto/bio/socket.c b/src/crypto/bio/socket.c
index e86befe..98f32a6 100644
--- a/src/crypto/bio/socket.c
+++ b/src/crypto/bio/socket.c
@@ -66,6 +66,8 @@
#pragma warning(push, 3)
#include <winsock2.h>
#pragma warning(pop)
+
+#pragma comment(lib, "Ws2_32.lib")
#endif
#include "internal.h"
@@ -150,11 +152,13 @@
case BIO_C_GET_FD:
if (b->init) {
ip = (int *)ptr;
- if (ip != NULL)
+ if (ip != NULL) {
*ip = b->num;
+ }
ret = b->num;
- } else
+ } else {
ret = -1;
+ }
break;
case BIO_CTRL_GET_CLOSE:
ret = b->shutdown;
diff --git a/src/crypto/bn/CMakeLists.txt b/src/crypto/bn/CMakeLists.txt
index 600be4d..25663af 100644
--- a/src/crypto/bn/CMakeLists.txt
+++ b/src/crypto/bn/CMakeLists.txt
@@ -37,7 +37,6 @@
OBJECT
- bn_error.c
add.c
bn.c
cmp.c
@@ -70,7 +69,7 @@
add_executable(
bn_test
- bn_test.c
+ bn_test.cc
)
target_link_libraries(bn_test crypto)
diff --git a/src/crypto/bn/asm/armv4-mont.pl b/src/crypto/bn/asm/armv4-mont.pl
index 5cc1328..0f1b6a9 100644
--- a/src/crypto/bn/asm/armv4-mont.pl
+++ b/src/crypto/bn/asm/armv4-mont.pl
@@ -38,8 +38,20 @@
# for execution on all NEON-capable processors, because gain on
# others outweighs the marginal loss on Cortex-A9.
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+ die "can't locate arm-xlate.pl";
+
+ open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+ open STDOUT,">$output";
+}
$num="r0"; # starts as num argument, but holds &tp[num-1]
$ap="r1";
@@ -72,10 +84,10 @@
.text
.code 32
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
.align 5
.LOPENSSL_armcap:
-.word OPENSSL_armcap_P-bn_mul_mont
+.word OPENSSL_armcap_P-.Lbn_mul_mont
#endif
.global bn_mul_mont
@@ -84,14 +96,18 @@
.align 5
bn_mul_mont:
+.Lbn_mul_mont:
ldr ip,[sp,#4] @ load num
stmdb sp!,{r0,r2} @ sp points at argument block
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
tst ip,#7
bne .Lialu
adr r0,bn_mul_mont
ldr r2,.LOPENSSL_armcap
ldr r0,[r0,r2]
+#ifdef __APPLE__
+ ldr r0,[r0]
+#endif
tst r0,#1 @ NEON available?
ldmia sp, {r0,r2}
beq .Lialu
@@ -231,9 +247,14 @@
ldmia sp!,{r4-r12,lr} @ restore registers
add sp,sp,#2*4 @ skip over {r0,r2}
mov r0,#1
-.Labrt: tst lr,#1
+.Labrt:
+#if __ARM_ARCH__>=5
+ ret @ bx lr
+#else
+ tst lr,#1
moveq pc,lr @ be binary compatible with V4, yet
bx lr @ interoperable with Thumb ISA:-)
+#endif
.size bn_mul_mont,.-bn_mul_mont
___
{
@@ -252,7 +273,8 @@
my ($tinptr,$toutptr,$inner,$outer)=map("r$_",(6..9));
$code.=<<___;
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch armv7-a
.fpu neon
.type bn_mul8x_mont_neon,%function
@@ -651,7 +673,7 @@
sub sp,ip,#96
vldmia sp!,{d8-d15}
ldmia sp!,{r4-r11}
- bx lr
+ ret @ bx lr
.size bn_mul8x_mont_neon,.-bn_mul8x_mont_neon
#endif
___
@@ -659,12 +681,14 @@
$code.=<<___;
.asciz "Montgomery multiplication for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
.align 2
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
.comm OPENSSL_armcap_P,4,4
+.hidden OPENSSL_armcap_P
#endif
___
$code =~ s/\`([^\`]*)\`/eval $1/gem;
$code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm; # make it possible to compile with -march=armv4
+$code =~ s/\bret\b/bx lr/gm;
print $code;
close STDOUT;
diff --git a/src/crypto/bn/asm/x86_64-gcc.c b/src/crypto/bn/asm/x86_64-gcc.c
index c05e433..ac63934 100644
--- a/src/crypto/bn/asm/x86_64-gcc.c
+++ b/src/crypto/bn/asm/x86_64-gcc.c
@@ -1,6 +1,6 @@
#include <openssl/bn.h>
-#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && !defined(OPENSSL_WINDOWS)
+#if defined(OPENSSL_X86_64) && !defined(OPENSSL_WINDOWS)
#include "../internal.h"
@@ -100,8 +100,9 @@
BN_ULONG w) {
BN_ULONG c1 = 0;
- if (num <= 0)
+ if (num <= 0) {
return (c1);
+ }
while (num & ~3) {
mul_add(rp[0], ap[0], w, c1);
@@ -114,23 +115,26 @@
}
if (num) {
mul_add(rp[0], ap[0], w, c1);
- if (--num == 0)
+ if (--num == 0) {
return c1;
+ }
mul_add(rp[1], ap[1], w, c1);
- if (--num == 0)
+ if (--num == 0) {
return c1;
+ }
mul_add(rp[2], ap[2], w, c1);
return c1;
}
- return (c1);
+ return c1;
}
BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) {
BN_ULONG c1 = 0;
- if (num <= 0)
- return (c1);
+ if (num <= 0) {
+ return c1;
+ }
while (num & ~3) {
mul(rp[0], ap[0], w, c1);
@@ -143,19 +147,22 @@
}
if (num) {
mul(rp[0], ap[0], w, c1);
- if (--num == 0)
+ if (--num == 0) {
return c1;
+ }
mul(rp[1], ap[1], w, c1);
- if (--num == 0)
+ if (--num == 0) {
return c1;
+ }
mul(rp[2], ap[2], w, c1);
}
- return (c1);
+ return c1;
}
void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) {
- if (n <= 0)
+ if (n <= 0) {
return;
+ }
while (n & ~3) {
sqr(r[0], r[1], a[0]);
@@ -168,11 +175,13 @@
}
if (n) {
sqr(r[0], r[1], a[0]);
- if (--n == 0)
+ if (--n == 0) {
return;
+ }
sqr(r[2], r[3], a[1]);
- if (--n == 0)
+ if (--n == 0) {
return;
+ }
sqr(r[4], r[5], a[2]);
}
}
@@ -190,8 +199,9 @@
BN_ULONG ret;
size_t i = 0;
- if (n <= 0)
+ if (n <= 0) {
return 0;
+ }
asm volatile (
" subq %0,%0 \n" /* clear carry */
@@ -216,8 +226,9 @@
BN_ULONG ret;
size_t i = 0;
- if (n <= 0)
+ if (n <= 0) {
return 0;
+ }
asm volatile (
" subq %0,%0 \n" /* clear borrow */
@@ -242,47 +253,56 @@
BN_ULONG t1, t2;
int c = 0;
- if (n <= 0)
- return ((BN_ULONG)0);
+ if (n <= 0) {
+ return (BN_ULONG)0;
+ }
for (;;) {
t1 = a[0];
t2 = b[0];
r[0] = (t1 - t2 - c) & BN_MASK2;
- if (t1 != t2)
+ if (t1 != t2) {
c = (t1 < t2);
- if (--n <= 0)
+ }
+ if (--n <= 0) {
break;
+ }
t1 = a[1];
t2 = b[1];
r[1] = (t1 - t2 - c) & BN_MASK2;
- if (t1 != t2)
+ if (t1 != t2) {
c = (t1 < t2);
- if (--n <= 0)
+ }
+ if (--n <= 0) {
break;
+ }
t1 = a[2];
t2 = b[2];
r[2] = (t1 - t2 - c) & BN_MASK2;
- if (t1 != t2)
+ if (t1 != t2) {
c = (t1 < t2);
- if (--n <= 0)
+ }
+ if (--n <= 0) {
break;
+ }
t1 = a[3];
t2 = b[3];
r[3] = (t1 - t2 - c) & BN_MASK2;
- if (t1 != t2)
+ if (t1 != t2) {
c = (t1 < t2);
- if (--n <= 0)
+ }
+ if (--n <= 0) {
break;
+ }
a += 4;
b += 4;
r += 4;
}
- return (c);
+ return c;
}
#endif
@@ -576,4 +596,4 @@
r[7] = c2;
}
-#endif /* !NO_ASM && X86_64 && !WINDOWS */
+#endif /* defined(OPENSSL_X86_64) && !defined(OPENSSL_WINDOWS) */
diff --git a/src/crypto/bn/bn.c b/src/crypto/bn/bn.c
index 368c4f1..f32d6b0 100644
--- a/src/crypto/bn/bn.c
+++ b/src/crypto/bn/bn.c
@@ -88,7 +88,7 @@
return;
}
- if (bn->d != NULL && (bn->flags & BN_FLG_STATIC_DATA) == 0) {
+ if ((bn->flags & BN_FLG_STATIC_DATA) == 0) {
OPENSSL_free(bn->d);
}
@@ -200,13 +200,15 @@
if (l & 0xffff000000000000L) {
if (l & 0xff00000000000000L) {
return (bits[(int)(l >> 56)] + 56);
- } else
+ } else {
return (bits[(int)(l >> 48)] + 48);
+ }
} else {
if (l & 0x0000ff0000000000L) {
return (bits[(int)(l >> 40)] + 40);
- } else
+ } else {
return (bits[(int)(l >> 32)] + 32);
+ }
}
} else
#endif
@@ -302,9 +304,7 @@
memcpy(a, bn->d, sizeof(BN_ULONG) * bn->top);
- if (bn->d) {
- OPENSSL_free(bn->d);
- }
+ OPENSSL_free(bn->d);
bn->d = a;
bn->dmax = words;
diff --git a/src/crypto/bn/bn_error.c b/src/crypto/bn/bn_error.c
deleted file mode 100644
index b522c2a..0000000
--- a/src/crypto/bn/bn_error.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/bn.h>
-
-const ERR_STRING_DATA BN_error_string_data[] = {
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_CTX_get, 0), "BN_CTX_get"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_CTX_new, 0), "BN_CTX_new"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_CTX_start, 0), "BN_CTX_start"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_bn2dec, 0), "BN_bn2dec"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_bn2hex, 0), "BN_bn2hex"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_div, 0), "BN_div"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_div_recp, 0), "BN_div_recp"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_exp, 0), "BN_exp"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_generate_dsa_nonce, 0), "BN_generate_dsa_nonce"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_generate_prime_ex, 0), "BN_generate_prime_ex"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp2_mont, 0), "BN_mod_exp2_mont"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp_mont, 0), "BN_mod_exp_mont"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp_mont_consttime, 0), "BN_mod_exp_mont_consttime"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_exp_mont_word, 0), "BN_mod_exp_mont_word"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_inverse, 0), "BN_mod_inverse"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_inverse_no_branch, 0), "BN_mod_inverse_no_branch"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_lshift_quick, 0), "BN_mod_lshift_quick"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_mod_sqrt, 0), "BN_mod_sqrt"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_new, 0), "BN_new"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_rand, 0), "BN_rand"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_rand_range, 0), "BN_rand_range"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_sqrt, 0), "BN_sqrt"},
- {ERR_PACK(ERR_LIB_BN, BN_F_BN_usub, 0), "BN_usub"},
- {ERR_PACK(ERR_LIB_BN, BN_F_bn_wexpand, 0), "bn_wexpand"},
- {ERR_PACK(ERR_LIB_BN, BN_F_mod_exp_recp, 0), "mod_exp_recp"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_ARG2_LT_ARG3), "ARG2_LT_ARG3"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_BAD_RECIPROCAL), "BAD_RECIPROCAL"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_BIGNUM_TOO_LONG), "BIGNUM_TOO_LONG"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_BITS_TOO_SMALL), "BITS_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_CALLED_WITH_EVEN_MODULUS), "CALLED_WITH_EVEN_MODULUS"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_DIV_BY_ZERO), "DIV_BY_ZERO"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA), "EXPAND_ON_STATIC_BIGNUM_DATA"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_INPUT_NOT_REDUCED), "INPUT_NOT_REDUCED"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_INVALID_RANGE), "INVALID_RANGE"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_NEGATIVE_NUMBER), "NEGATIVE_NUMBER"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_NOT_A_SQUARE), "NOT_A_SQUARE"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_NOT_INITIALIZED), "NOT_INITIALIZED"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_NO_INVERSE), "NO_INVERSE"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_PRIVATE_KEY_TOO_LARGE), "PRIVATE_KEY_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_P_IS_NOT_PRIME), "P_IS_NOT_PRIME"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_TOO_MANY_ITERATIONS), "TOO_MANY_ITERATIONS"},
- {ERR_PACK(ERR_LIB_BN, 0, BN_R_TOO_MANY_TEMPORARY_VARIABLES), "TOO_MANY_TEMPORARY_VARIABLES"},
- {0, NULL},
-};
diff --git a/src/crypto/bn/bn_test.c b/src/crypto/bn/bn_test.c
deleted file mode 100644
index e342ed8..0000000
--- a/src/crypto/bn/bn_test.c
+++ /dev/null
@@ -1,1471 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- *
- * Portions of the attached software ("Contribution") are developed by
- * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
- *
- * The Contribution is licensed pursuant to the Eric Young open source
- * license provided above.
- *
- * The binary polynomial arithmetic software is originally written by
- * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
- * Laboratories. */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bio.h>
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-
-#include "internal.h"
-
-
-static const int num0 = 100; /* number of tests */
-static const int num1 = 50; /* additional tests for some functions */
-static const int num2 = 5; /* number of tests for slow functions */
-
-int test_add(BIO *bp);
-int test_sub(BIO *bp);
-int test_lshift1(BIO *bp);
-int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_);
-int test_rshift1(BIO *bp);
-int test_rshift(BIO *bp, BN_CTX *ctx);
-int test_sqr(BIO *bp, BN_CTX *ctx);
-int test_mul(BIO *bp);
-int test_div(BIO *bp, BN_CTX *ctx);
-int rand_neg(void);
-
-int test_div_word(BIO *bp);
-int test_mont(BIO *bp, BN_CTX *ctx);
-int test_mod(BIO *bp, BN_CTX *ctx);
-int test_mod_mul(BIO *bp, BN_CTX *ctx);
-int test_mod_exp(BIO *bp, BN_CTX *ctx);
-int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx);
-int test_exp(BIO *bp, BN_CTX *ctx);
-int test_mod_sqrt(BIO *bp, BN_CTX *ctx);
-static int test_exp_mod_zero(void);
-int test_small_prime(BIO *bp,BN_CTX *ctx);
-int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx);
-int test_sqrt(BIO *bp, BN_CTX *ctx);
-int test_bn2bin_padded(BIO *bp, BN_CTX *ctx);
-#if 0
-int test_gf2m_add(BIO *bp);
-int test_gf2m_mod(BIO *bp);
-int test_gf2m_mod_mul(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_sqr(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_inv(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_div(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_exp(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_sqrt(BIO *bp, BN_CTX *ctx);
-int test_gf2m_mod_solve_quad(BIO *bp, BN_CTX *ctx);
-#endif
-static int results = 0;
-
-static unsigned char lst[] =
- "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
- "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
-
-static void ERR_print_errors_fp(FILE *out) {
-}
-
-static void message(BIO *out, char *m) {
- BIO_puts(out, "print \"test ");
- BIO_puts(out, m);
- BIO_puts(out, "\\n\"\n");
-}
-
-int main(int argc, char *argv[]) {
- BN_CTX *ctx;
- BIO *out = NULL;
- char *outfile = NULL;
-
- CRYPTO_library_init();
-
- results = 0;
-
- argc--;
- argv++;
- while (argc >= 1) {
- if (strcmp(*argv, "-results") == 0)
- results = 1;
- else if (strcmp(*argv, "-out") == 0) {
- if (--argc < 1)
- break;
- outfile = *(++argv);
- }
- argc--;
- argv++;
- }
-
-
- ctx = BN_CTX_new();
- if (ctx == NULL)
- return 1;
-
- out = BIO_new(BIO_s_file());
- if (out == NULL) {
- return 1;
- }
-
- if (outfile == NULL) {
- BIO_set_fp(out, stdout, BIO_NOCLOSE);
- } else {
- if (!BIO_write_filename(out, outfile)) {
- perror(outfile);
- return 1;
- }
- }
-
- if (!results)
- BIO_puts(out, "obase=16\nibase=16\n");
-
- message(out, "BN_add");
- if (!test_add(out))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_sub");
- if (!test_sub(out))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_lshift1");
- if (!test_lshift1(out))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_lshift (fixed)");
- if (!test_lshift(out, ctx, BN_bin2bn(lst, sizeof(lst) - 1, NULL)))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_lshift");
- if (!test_lshift(out, ctx, NULL))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_rshift1");
- if (!test_rshift1(out))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_rshift");
- if (!test_rshift(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_sqr");
- if (!test_sqr(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_mul");
- if (!test_mul(out))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_div");
- if (!test_div(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_div_word");
- if (!test_div_word(out))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_mod");
- if (!test_mod(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_mod_mul");
- if (!test_mod_mul(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_mont");
- if (!test_mont(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_mod_exp");
- if (!test_mod_exp(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_mod_exp_mont_consttime");
- if (!test_mod_exp_mont_consttime(out, ctx) ||
- !test_mod_exp_mont5(out, ctx)) {
- goto err;
- }
- (void)BIO_flush(out);
-
- message(out, "BN_exp");
- if (!test_exp(out, ctx) ||
- !test_exp_mod_zero()) {
- goto err;
- }
- (void)BIO_flush(out);
-
- message(out, "BN_mod_sqrt");
- if (!test_mod_sqrt(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "Small prime generation");
- if (!test_small_prime(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_sqrt");
- if (!test_sqrt(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- message(out, "BN_bn2bin_padded");
- if (!test_bn2bin_padded(out, ctx))
- goto err;
- (void)BIO_flush(out);
-
- BN_CTX_free(ctx);
- BIO_free(out);
-
- printf("PASS\n");
- return 0;
-
-err:
- BIO_puts(out, "1\n"); /* make sure the Perl script fed by bc notices
- * the failure, see test_bn in test/Makefile.ssl*/
- (void)BIO_flush(out);
-
- return 1;
-}
-
-int test_add(BIO *bp) {
- BIGNUM a, b, c;
- int i;
-
- BN_init(&a);
- BN_init(&b);
- BN_init(&c);
-
- BN_rand(&a, 512, 0, 0);
- for (i = 0; i < num0; i++) {
- BN_rand(&b, 450 + i, 0, 0);
- a.neg = rand_neg();
- b.neg = rand_neg();
- BN_add(&c, &a, &b);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, &a);
- BIO_puts(bp, " + ");
- BN_print(bp, &b);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, &c);
- BIO_puts(bp, "\n");
- }
- a.neg = !a.neg;
- b.neg = !b.neg;
- BN_add(&c, &c, &b);
- BN_add(&c, &c, &a);
- if (!BN_is_zero(&c)) {
- fprintf(stderr, "Add test failed!\n");
- return 0;
- }
- }
- BN_free(&a);
- BN_free(&b);
- BN_free(&c);
- return (1);
-}
-
-int test_sub(BIO *bp) {
- BIGNUM a, b, c;
- int i;
-
- BN_init(&a);
- BN_init(&b);
- BN_init(&c);
-
- for (i = 0; i < num0 + num1; i++) {
- if (i < num1) {
- BN_rand(&a, 512, 0, 0);
- BN_copy(&b, &a);
- if (BN_set_bit(&a, i) == 0)
- return (0);
- BN_add_word(&b, i);
- } else {
- BN_rand(&b, 400 + i - num1, 0, 0);
- a.neg = rand_neg();
- b.neg = rand_neg();
- }
- BN_sub(&c, &a, &b);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, &a);
- BIO_puts(bp, " - ");
- BN_print(bp, &b);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, &c);
- BIO_puts(bp, "\n");
- }
- BN_add(&c, &c, &b);
- BN_sub(&c, &c, &a);
- if (!BN_is_zero(&c)) {
- fprintf(stderr, "Subtract test failed!\n");
- return 0;
- }
- }
- BN_free(&a);
- BN_free(&b);
- BN_free(&c);
- return (1);
-}
-
-int test_div(BIO *bp, BN_CTX *ctx) {
- BIGNUM a, b, c, d, e;
- int i;
-
- BN_init(&a);
- BN_init(&b);
- BN_init(&c);
- BN_init(&d);
- BN_init(&e);
-
- for (i = 0; i < num0 + num1; i++) {
- if (i < num1) {
- BN_rand(&a, 400, 0, 0);
- BN_copy(&b, &a);
- BN_lshift(&a, &a, i);
- BN_add_word(&a, i);
- } else
- BN_rand(&b, 50 + 3 * (i - num1), 0, 0);
- a.neg = rand_neg();
- b.neg = rand_neg();
- BN_div(&d, &c, &a, &b, ctx);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, &a);
- BIO_puts(bp, " / ");
- BN_print(bp, &b);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, &d);
- BIO_puts(bp, "\n");
-
- if (!results) {
- BN_print(bp, &a);
- BIO_puts(bp, " % ");
- BN_print(bp, &b);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, &c);
- BIO_puts(bp, "\n");
- }
- BN_mul(&e, &d, &b, ctx);
- BN_add(&d, &e, &c);
- BN_sub(&d, &d, &a);
- if (!BN_is_zero(&d)) {
- fprintf(stderr, "Division test failed!\n");
- return 0;
- }
- }
- BN_free(&a);
- BN_free(&b);
- BN_free(&c);
- BN_free(&d);
- BN_free(&e);
- return (1);
-}
-
-int test_lshift1(BIO *bp) {
- BIGNUM *a, *b, *c;
- int i;
-
- a = BN_new();
- b = BN_new();
- c = BN_new();
-
- BN_rand(a, 200, 0, 0); /**/
- a->neg = rand_neg();
- for (i = 0; i < num0; i++) {
- BN_lshift1(b, a);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " * 2");
- BIO_puts(bp, " - ");
- }
- BN_print(bp, b);
- BIO_puts(bp, "\n");
- }
- BN_add(c, a, a);
- BN_sub(a, b, c);
- if (!BN_is_zero(a)) {
- fprintf(stderr, "Left shift one test failed!\n");
- return 0;
- }
-
- BN_copy(a, b);
- }
- BN_free(a);
- BN_free(b);
- BN_free(c);
- return (1);
-}
-
-int test_rshift(BIO *bp, BN_CTX *ctx) {
- BIGNUM *a, *b, *c, *d, *e;
- int i;
-
- a = BN_new();
- b = BN_new();
- c = BN_new();
- d = BN_new();
- e = BN_new();
- BN_one(c);
-
- BN_rand(a, 200, 0, 0); /**/
- a->neg = rand_neg();
- for (i = 0; i < num0; i++) {
- BN_rshift(b, a, i + 1);
- BN_add(c, c, c);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " / ");
- BN_print(bp, c);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, b);
- BIO_puts(bp, "\n");
- }
- BN_div(d, e, a, c, ctx);
- BN_sub(d, d, b);
- if (!BN_is_zero(d)) {
- fprintf(stderr, "Right shift test failed!\n");
- return 0;
- }
- }
- BN_free(a);
- BN_free(b);
- BN_free(c);
- BN_free(d);
- BN_free(e);
- return (1);
-}
-
-int test_rshift1(BIO *bp) {
- BIGNUM *a, *b, *c;
- int i;
-
- a = BN_new();
- b = BN_new();
- c = BN_new();
-
- BN_rand(a, 200, 0, 0); /**/
- a->neg = rand_neg();
- for (i = 0; i < num0; i++) {
- BN_rshift1(b, a);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " / 2");
- BIO_puts(bp, " - ");
- }
- BN_print(bp, b);
- BIO_puts(bp, "\n");
- }
- BN_sub(c, a, b);
- BN_sub(c, c, b);
- if (!BN_is_zero(c) && !BN_abs_is_word(c, 1)) {
- fprintf(stderr, "Right shift one test failed!\n");
- return 0;
- }
- BN_copy(a, b);
- }
- BN_free(a);
- BN_free(b);
- BN_free(c);
- return (1);
-}
-
-int test_lshift(BIO *bp, BN_CTX *ctx, BIGNUM *a_) {
- BIGNUM *a, *b, *c, *d;
- int i;
-
- b = BN_new();
- c = BN_new();
- d = BN_new();
- BN_one(c);
-
- if (a_)
- a = a_;
- else {
- a = BN_new();
- BN_rand(a, 200, 0, 0); /**/
- a->neg = rand_neg();
- }
- for (i = 0; i < num0; i++) {
- BN_lshift(b, a, i + 1);
- BN_add(c, c, c);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " * ");
- BN_print(bp, c);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, b);
- BIO_puts(bp, "\n");
- }
- BN_mul(d, a, c, ctx);
- BN_sub(d, d, b);
- if (!BN_is_zero(d)) {
- fprintf(stderr, "Left shift test failed!\n");
- fprintf(stderr, "a=");
- BN_print_fp(stderr, a);
- fprintf(stderr, "\nb=");
- BN_print_fp(stderr, b);
- fprintf(stderr, "\nc=");
- BN_print_fp(stderr, c);
- fprintf(stderr, "\nd=");
- BN_print_fp(stderr, d);
- fprintf(stderr, "\n");
- return 0;
- }
- }
- BN_free(a);
- BN_free(b);
- BN_free(c);
- BN_free(d);
- return (1);
-}
-
-int test_mul(BIO *bp) {
- BIGNUM a, b, c, d, e;
- int i;
- BN_CTX *ctx;
-
- ctx = BN_CTX_new();
- if (ctx == NULL)
- abort();
-
- BN_init(&a);
- BN_init(&b);
- BN_init(&c);
- BN_init(&d);
- BN_init(&e);
-
- for (i = 0; i < num0 + num1; i++) {
- if (i <= num1) {
- BN_rand(&a, 100, 0, 0);
- BN_rand(&b, 100, 0, 0);
- } else
- BN_rand(&b, i - num1, 0, 0);
- a.neg = rand_neg();
- b.neg = rand_neg();
- BN_mul(&c, &a, &b, ctx);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, &a);
- BIO_puts(bp, " * ");
- BN_print(bp, &b);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, &c);
- BIO_puts(bp, "\n");
- }
- BN_div(&d, &e, &c, &a, ctx);
- BN_sub(&d, &d, &b);
- if (!BN_is_zero(&d) || !BN_is_zero(&e)) {
- fprintf(stderr, "Multiplication test failed!\n");
- return 0;
- }
- }
- BN_free(&a);
- BN_free(&b);
- BN_free(&c);
- BN_free(&d);
- BN_free(&e);
- BN_CTX_free(ctx);
- return (1);
-}
-
-int test_sqr(BIO *bp, BN_CTX *ctx) {
- BIGNUM *a, *c, *d, *e;
- int i, ret = 0;
-
- a = BN_new();
- c = BN_new();
- d = BN_new();
- e = BN_new();
- if (a == NULL || c == NULL || d == NULL || e == NULL) {
- goto err;
- }
-
- for (i = 0; i < num0; i++) {
- BN_rand(a, 40 + i * 10, 0, 0);
- a->neg = rand_neg();
- BN_sqr(c, a, ctx);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " * ");
- BN_print(bp, a);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, c);
- BIO_puts(bp, "\n");
- }
- BN_div(d, e, c, a, ctx);
- BN_sub(d, d, a);
- if (!BN_is_zero(d) || !BN_is_zero(e)) {
- fprintf(stderr, "Square test failed!\n");
- goto err;
- }
- }
-
- /* Regression test for a BN_sqr overflow bug. */
- BN_hex2bn(&a,
- "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000");
- BN_sqr(c, a, ctx);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " * ");
- BN_print(bp, a);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, c);
- BIO_puts(bp, "\n");
- }
- BN_mul(d, a, a, ctx);
- if (BN_cmp(c, d)) {
- fprintf(stderr,
- "Square test failed: BN_sqr and BN_mul produce "
- "different results!\n");
- goto err;
- }
-
- /* Regression test for a BN_sqr overflow bug. */
- BN_hex2bn(&a,
- "80000000000000000000000080000001FFFFFFFE000000000000000000000000");
- BN_sqr(c, a, ctx);
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " * ");
- BN_print(bp, a);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, c);
- BIO_puts(bp, "\n");
- }
- BN_mul(d, a, a, ctx);
- if (BN_cmp(c, d)) {
- fprintf(stderr,
- "Square test failed: BN_sqr and BN_mul produce "
- "different results!\n");
- goto err;
- }
- ret = 1;
-
-err:
- if (a != NULL) {
- BN_free(a);
- }
- if (c != NULL) {
- BN_free(c);
- }
- if (d != NULL) {
- BN_free(d);
- }
- if (e != NULL) {
- BN_free(e);
- }
- return ret;
-}
-
-
-int rand_neg(void) {
- static unsigned int neg = 0;
- static int sign[8] = {0, 0, 0, 1, 1, 0, 1, 1};
-
- return (sign[(neg++) % 8]);
-}
-
-static void print_word(BIO *bp, BN_ULONG w) {
- BIO_printf(bp, BN_HEX_FMT1, w);
-}
-
-int test_div_word(BIO *bp) {
- BIGNUM a, b;
- BN_ULONG r, s;
- int i;
-
- BN_init(&a);
- BN_init(&b);
-
- for (i = 0; i < num0; i++) {
- do {
- BN_rand(&a, 512, -1, 0);
- BN_rand(&b, BN_BITS2, -1, 0);
- s = b.d[0];
- } while (!s);
-
- BN_copy(&b, &a);
- r = BN_div_word(&b, s);
-
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, &a);
- BIO_puts(bp, " / ");
- print_word(bp, s);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, &b);
- BIO_puts(bp, "\n");
-
- if (!results) {
- BN_print(bp, &a);
- BIO_puts(bp, " % ");
- print_word(bp, s);
- BIO_puts(bp, " - ");
- }
- print_word(bp, r);
- BIO_puts(bp, "\n");
- }
- BN_mul_word(&b, s);
- BN_add_word(&b, r);
- BN_sub(&b, &a, &b);
- if (!BN_is_zero(&b)) {
- fprintf(stderr, "Division (word) test failed!\n");
- return 0;
- }
- }
- BN_free(&a);
- BN_free(&b);
- return (1);
-}
-
-int test_mont(BIO *bp, BN_CTX *ctx) {
- BIGNUM a, b, c, d, A, B;
- BIGNUM n;
- int i;
- BN_MONT_CTX *mont;
-
- BN_init(&a);
- BN_init(&b);
- BN_init(&c);
- BN_init(&d);
- BN_init(&A);
- BN_init(&B);
- BN_init(&n);
-
- mont = BN_MONT_CTX_new();
- if (mont == NULL)
- return 0;
-
- BN_rand(&a, 100, 0, 0); /**/
- BN_rand(&b, 100, 0, 0); /**/
- for (i = 0; i < num2; i++) {
- int bits = (200 * (i + 1)) / num2;
-
- if (bits == 0)
- continue;
- BN_rand(&n, bits, 0, 1);
- BN_MONT_CTX_set(mont, &n, ctx);
-
- BN_nnmod(&a, &a, &n, ctx);
- BN_nnmod(&b, &b, &n, ctx);
-
- BN_to_montgomery(&A, &a, mont, ctx);
- BN_to_montgomery(&B, &b, mont, ctx);
-
- BN_mod_mul_montgomery(&c, &A, &B, mont, ctx); /**/
- BN_from_montgomery(&A, &c, mont, ctx); /**/
- if (bp != NULL) {
- if (!results) {
-#ifdef undef
- fprintf(stderr, "%d * %d %% %d\n", BN_num_bits(&a), BN_num_bits(&b),
- BN_num_bits(mont->N));
-#endif
- BN_print(bp, &a);
- BIO_puts(bp, " * ");
- BN_print(bp, &b);
- BIO_puts(bp, " % ");
- BN_print(bp, &(mont->N));
- BIO_puts(bp, " - ");
- }
- BN_print(bp, &A);
- BIO_puts(bp, "\n");
- }
- BN_mod_mul(&d, &a, &b, &n, ctx);
- BN_sub(&d, &d, &A);
- if (!BN_is_zero(&d)) {
- fprintf(stderr, "Montgomery multiplication test failed!\n");
- return 0;
- }
- }
- BN_MONT_CTX_free(mont);
- BN_free(&a);
- BN_free(&b);
- BN_free(&c);
- BN_free(&d);
- BN_free(&A);
- BN_free(&B);
- BN_free(&n);
- return (1);
-}
-
-int test_mod(BIO *bp, BN_CTX *ctx) {
- BIGNUM *a, *b, *c, *d, *e;
- int i;
-
- a = BN_new();
- b = BN_new();
- c = BN_new();
- d = BN_new();
- e = BN_new();
-
- BN_rand(a, 1024, 0, 0); /**/
- for (i = 0; i < num0; i++) {
- BN_rand(b, 450 + i * 10, 0, 0); /**/
- a->neg = rand_neg();
- b->neg = rand_neg();
- BN_mod(c, a, b, ctx); /**/
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " % ");
- BN_print(bp, b);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, c);
- BIO_puts(bp, "\n");
- }
- BN_div(d, e, a, b, ctx);
- BN_sub(e, e, c);
- if (!BN_is_zero(e)) {
- fprintf(stderr, "Modulo test failed!\n");
- return 0;
- }
- }
- BN_free(a);
- BN_free(b);
- BN_free(c);
- BN_free(d);
- BN_free(e);
- return (1);
-}
-
-int test_mod_mul(BIO *bp, BN_CTX *ctx) {
- BIGNUM *a, *b, *c, *d, *e;
- int i, j;
-
- a = BN_new();
- b = BN_new();
- c = BN_new();
- d = BN_new();
- e = BN_new();
-
- for (j = 0; j < 3; j++) {
- BN_rand(c, 1024, 0, 0); /**/
- for (i = 0; i < num0; i++) {
- BN_rand(a, 475 + i * 10, 0, 0); /**/
- BN_rand(b, 425 + i * 11, 0, 0); /**/
- a->neg = rand_neg();
- b->neg = rand_neg();
- if (!BN_mod_mul(e, a, b, c, ctx)) {
- unsigned long l;
-
- while ((l = ERR_get_error()))
- fprintf(stderr, "ERROR:%s\n", ERR_error_string(l, NULL));
- abort();
- }
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " * ");
- BN_print(bp, b);
- BIO_puts(bp, " % ");
- BN_print(bp, c);
- if ((a->neg ^ b->neg) && !BN_is_zero(e)) {
- /* If (a*b) % c is negative, c must be added
- * in order to obtain the normalized remainder
- * (new with OpenSSL 0.9.7, previous versions of
- * BN_mod_mul could generate negative results)
- */
- BIO_puts(bp, " + ");
- BN_print(bp, c);
- }
- BIO_puts(bp, " - ");
- }
- BN_print(bp, e);
- BIO_puts(bp, "\n");
- }
- BN_mul(d, a, b, ctx);
- BN_sub(d, d, e);
- BN_div(a, b, d, c, ctx);
- if (!BN_is_zero(b)) {
- fprintf(stderr, "Modulo multiply test failed!\n");
- ERR_print_errors_fp(stderr);
- return 0;
- }
- }
- }
- BN_free(a);
- BN_free(b);
- BN_free(c);
- BN_free(d);
- BN_free(e);
- return (1);
-}
-
-int test_mod_exp(BIO *bp, BN_CTX *ctx) {
- BIGNUM *a, *b, *c, *d, *e;
- int i;
-
- a = BN_new();
- b = BN_new();
- c = BN_new();
- d = BN_new();
- e = BN_new();
-
- BN_rand(c, 30, 0, 1); /* must be odd for montgomery */
- for (i = 0; i < num2; i++) {
- BN_rand(a, 20 + i * 5, 0, 0); /**/
- BN_rand(b, 2 + i, 0, 0); /**/
-
- if (!BN_mod_exp(d, a, b, c, ctx))
- return (0);
-
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " ^ ");
- BN_print(bp, b);
- BIO_puts(bp, " % ");
- BN_print(bp, c);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, d);
- BIO_puts(bp, "\n");
- }
- BN_exp(e, a, b, ctx);
- BN_sub(e, e, d);
- BN_div(a, b, e, c, ctx);
- if (!BN_is_zero(b)) {
- fprintf(stderr, "Modulo exponentiation test failed!\n");
- return 0;
- }
- }
- BN_free(a);
- BN_free(b);
- BN_free(c);
- BN_free(d);
- BN_free(e);
- return (1);
-}
-
-int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx) {
- BIGNUM *a, *b, *c, *d, *e;
- int i;
-
- a = BN_new();
- b = BN_new();
- c = BN_new();
- d = BN_new();
- e = BN_new();
-
- BN_rand(c, 30, 0, 1); /* must be odd for montgomery */
- for (i = 0; i < num2; i++) {
- BN_rand(a, 20 + i * 5, 0, 0); /**/
- BN_rand(b, 2 + i, 0, 0); /**/
-
- if (!BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL))
- return (00);
-
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " ^ ");
- BN_print(bp, b);
- BIO_puts(bp, " % ");
- BN_print(bp, c);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, d);
- BIO_puts(bp, "\n");
- }
- BN_exp(e, a, b, ctx);
- BN_sub(e, e, d);
- BN_div(a, b, e, c, ctx);
- if (!BN_is_zero(b)) {
- fprintf(stderr, "Modulo exponentiation test failed!\n");
- return 0;
- }
- }
- BN_free(a);
- BN_free(b);
- BN_free(c);
- BN_free(d);
- BN_free(e);
- return (1);
-}
-
-/* Test constant-time modular exponentiation with 1024-bit inputs,
- * which on x86_64 cause a different code branch to be taken. */
-int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx) {
- BIGNUM *a, *p, *m, *d, *e;
-
- BN_MONT_CTX *mont;
-
- a = BN_new();
- p = BN_new();
- m = BN_new();
- d = BN_new();
- e = BN_new();
-
- mont = BN_MONT_CTX_new();
-
- BN_rand(m, 1024, 0, 1); /* must be odd for montgomery */
- /* Zero exponent */
- BN_rand(a, 1024, 0, 0);
- BN_zero(p);
- if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
- return 0;
- if (!BN_is_one(d)) {
- fprintf(stderr, "Modular exponentiation test failed!\n");
- return 0;
- }
- /* Zero input */
- BN_rand(p, 1024, 0, 0);
- BN_zero(a);
- if (!BN_mod_exp_mont_consttime(d, a, p, m, ctx, NULL))
- return 0;
- if (!BN_is_zero(d)) {
- fprintf(stderr, "Modular exponentiation test failed!\n");
- return 0;
- }
- /* Craft an input whose Montgomery representation is 1,
- * i.e., shorter than the modulus m, in order to test
- * the const time precomputation scattering/gathering.
- */
- BN_one(a);
- BN_MONT_CTX_set(mont, m, ctx);
- if (!BN_from_montgomery(e, a, mont, ctx) ||
- !BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL) ||
- !BN_mod_exp(a, e, p, m, ctx)) {
- return 0;
- }
- if (BN_cmp(a, d) != 0) {
- fprintf(stderr, "Modular exponentiation test failed!\n");
- return 0;
- }
- /* Finally, some regular test vectors. */
- BN_rand(e, 1024, 0, 0);
- if (!BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
- return 0;
- if (!BN_mod_exp(a, e, p, m, ctx))
- return 0;
- if (BN_cmp(a, d) != 0) {
- fprintf(stderr, "Modular exponentiation test failed!\n");
- return 0;
- }
-
- BN_MONT_CTX_free(mont);
- BN_free(a);
- BN_free(p);
- BN_free(m);
- BN_free(d);
- BN_free(e);
- return (1);
-}
-
-int test_exp(BIO *bp, BN_CTX *ctx) {
- BIGNUM *a, *b, *d, *e, *one;
- int i;
-
- a = BN_new();
- b = BN_new();
- d = BN_new();
- e = BN_new();
- one = BN_new();
- BN_one(one);
-
- for (i = 0; i < num2; i++) {
- BN_rand(a, 20 + i * 5, 0, 0); /**/
- BN_rand(b, 2 + i, 0, 0); /**/
-
- if (BN_exp(d, a, b, ctx) <= 0)
- return (0);
-
- if (bp != NULL) {
- if (!results) {
- BN_print(bp, a);
- BIO_puts(bp, " ^ ");
- BN_print(bp, b);
- BIO_puts(bp, " - ");
- }
- BN_print(bp, d);
- BIO_puts(bp, "\n");
- }
- BN_one(e);
- for (; !BN_is_zero(b); BN_sub(b, b, one))
- BN_mul(e, e, a, ctx);
- BN_sub(e, e, d);
- if (!BN_is_zero(e)) {
- fprintf(stderr, "Exponentiation test failed!\n");
- return 0;
- }
- }
- BN_free(a);
- BN_free(b);
- BN_free(d);
- BN_free(e);
- BN_free(one);
- return (1);
-}
-
-/* test_exp_mod_zero tests that x**0 mod 1 == 0. */
-static int test_exp_mod_zero(void) {
- BIGNUM a, p, m;
- BIGNUM r;
- BN_CTX *ctx = BN_CTX_new();
- int ret = 0;
-
- BN_init(&m);
- BN_one(&m);
-
- BN_init(&a);
- BN_one(&a);
-
- BN_init(&p);
- BN_zero(&p);
-
- BN_init(&r);
- BN_mod_exp(&r, &a, &p, &m, ctx);
- BN_CTX_free(ctx);
-
- if (BN_is_zero(&r)) {
- ret = 1;
- } else {
- printf("1**0 mod 1 = ");
- BN_print_fp(stdout, &r);
- printf(", should be 0\n");
- }
-
- BN_free(&r);
- BN_free(&a);
- BN_free(&p);
- BN_free(&m);
-
- return ret;
-}
-
-static int genprime_cb(int p, int n, BN_GENCB *arg) {
- char c = '*';
-
- if (p == 0)
- c = '.';
- if (p == 1)
- c = '+';
- if (p == 2)
- c = '*';
- if (p == 3)
- c = '\n';
- putc(c, stdout);
- fflush(stdout);
- return 1;
-}
-
-int test_mod_sqrt(BIO *bp, BN_CTX *ctx) {
- BN_GENCB cb;
- BIGNUM *a, *p, *r;
- int i, j;
- int ret = 0;
-
- a = BN_new();
- p = BN_new();
- r = BN_new();
- if (a == NULL || p == NULL || r == NULL)
- goto err;
-
- BN_GENCB_set(&cb, genprime_cb, NULL);
-
- for (i = 0; i < 16; i++) {
- if (i < 8) {
- unsigned primes[8] = {2, 3, 5, 7, 11, 13, 17, 19};
-
- if (!BN_set_word(p, primes[i]))
- goto err;
- } else {
- if (!BN_set_word(a, 32))
- goto err;
- if (!BN_set_word(r, 2 * i + 1))
- goto err;
-
- if (!BN_generate_prime_ex(p, 256, 0, a, r, &cb))
- goto err;
- putc('\n', stdout);
- }
- p->neg = rand_neg();
-
- for (j = 0; j < num2; j++) {
- /* construct 'a' such that it is a square modulo p,
- * but in general not a proper square and not reduced modulo p */
- if (!BN_rand(r, 256, 0, 3))
- goto err;
- if (!BN_nnmod(r, r, p, ctx))
- goto err;
- if (!BN_mod_sqr(r, r, p, ctx))
- goto err;
- if (!BN_rand(a, 256, 0, 3))
- goto err;
- if (!BN_nnmod(a, a, p, ctx))
- goto err;
- if (!BN_mod_sqr(a, a, p, ctx))
- goto err;
- if (!BN_mul(a, a, r, ctx))
- goto err;
- if (rand_neg())
- if (!BN_sub(a, a, p))
- goto err;
-
- if (!BN_mod_sqrt(r, a, p, ctx))
- goto err;
- if (!BN_mod_sqr(r, r, p, ctx))
- goto err;
-
- if (!BN_nnmod(a, a, p, ctx))
- goto err;
-
- if (BN_cmp(a, r) != 0) {
- fprintf(stderr, "BN_mod_sqrt failed: a = ");
- BN_print_fp(stderr, a);
- fprintf(stderr, ", r = ");
- BN_print_fp(stderr, r);
- fprintf(stderr, ", p = ");
- BN_print_fp(stderr, p);
- fprintf(stderr, "\n");
- goto err;
- }
-
- putc('.', stdout);
- fflush(stdout);
- }
-
- putc('\n', stdout);
- fflush(stderr);
- }
- ret = 1;
-err:
- if (a != NULL)
- BN_free(a);
- if (p != NULL)
- BN_free(p);
- if (r != NULL)
- BN_free(r);
- return ret;
-}
-
-int test_small_prime(BIO *bp, BN_CTX *ctx) {
- static const int bits = 10;
- int ret = 0;
- BIGNUM r;
-
- BN_init(&r);
- if (!BN_generate_prime_ex(&r, bits, 0, NULL, NULL, NULL)) {
- goto err;
- }
- if (BN_num_bits(&r) != bits) {
- BIO_printf(bp, "Expected %d bit prime, got %d bit number\n", bits,
- BN_num_bits(&r));
- goto err;
- }
-
- ret = 1;
-
-err:
- BN_free(&r);
- return ret;
-}
-
-int test_sqrt(BIO *bp, BN_CTX *ctx) {
- BIGNUM *n = BN_new(), *nn = BN_new(), *sqrt = BN_new();
- unsigned i;
-
- /* Test some random squares. */
- for (i = 0; i < 100; i++) {
- if (!BN_rand(n, 1024 /* bit length */, -1 /* no modification of top bits */,
- 0 /* don't modify bottom bit */) ||
- !BN_mul(nn, n, n, ctx) ||
- !BN_sqrt(sqrt, nn, ctx)) {
- BIO_print_errors_fp(stderr);
- return 0;
- }
- if (BN_cmp(n, sqrt) != 0) {
- fprintf(stderr, "Bad result from BN_sqrt.\n");
- return 0;
- }
- }
-
- /* Test some non-squares */
- for (i = 0; i < 100; i++) {
- if (!BN_rand(n, 1024 /* bit length */, -1 /* no modification of top bits */,
- 0 /* don't modify bottom bit */) ||
- !BN_mul(nn, n, n, ctx) ||
- !BN_add(nn, nn, BN_value_one())) {
- BIO_print_errors_fp(stderr);
- return 0;
- }
-
- if (BN_sqrt(sqrt, nn, ctx)) {
- char *nn_str = BN_bn2dec(nn);
- fprintf(stderr, "BIO_sqrt didn't fail on a non-square: %s\n", nn_str);
- OPENSSL_free(nn_str);
- }
- }
-
- BN_free(n);
- BN_free(sqrt);
- BN_free(nn);
-
- return 1;
-}
-
-int test_bn2bin_padded(BIO *bp, BN_CTX *ctx) {
- BIGNUM *n = BN_new();
- uint8_t zeros[256], out[256], reference[128];
- size_t bytes;
-
- memset(zeros, 0, sizeof(zeros));
-
- /* Test edge case at 0. */
- if (!BN_bn2bin_padded(NULL, 0, n)) {
- fprintf(stderr,
- "BN_bn2bin_padded failed to encode 0 in an empty buffer.\n");
- return 0;
- }
- memset(out, -1, sizeof(out));
- if (!BN_bn2bin_padded(out, sizeof(out), n)) {
- fprintf(stderr,
- "BN_bn2bin_padded failed to encode 0 in a non-empty buffer.\n");
- return 0;
- }
- if (memcmp(zeros, out, sizeof(out))) {
- fprintf(stderr, "BN_bn2bin_padded did not zero buffer.\n");
- return 0;
- }
-
- /* Test a random numbers at various byte lengths. */
- for (bytes = 128 - 7; bytes <= 128; bytes++) {
- if (!BN_rand(n, bytes * 8, 0 /* make sure top bit is 1 */,
- 0 /* don't modify bottom bit */)) {
- BIO_print_errors_fp(stderr);
- return 0;
- }
- if (BN_num_bytes(n) != bytes || BN_bn2bin(n, reference) != bytes) {
- fprintf(stderr, "Bad result from BN_rand; bytes.\n");
- return 0;
- }
- /* Empty buffer should fail. */
- if (BN_bn2bin_padded(NULL, 0, n)) {
- fprintf(stderr,
- "BN_bn2bin_padded incorrectly succeeded on empty buffer.\n");
- return 0;
- }
- /* One byte short should fail. */
- if (BN_bn2bin_padded(out, bytes - 1, n)) {
- fprintf(stderr, "BN_bn2bin_padded incorrectly succeeded on short.\n");
- return 0;
- }
- /* Exactly right size should encode. */
- if (!BN_bn2bin_padded(out, bytes, n) ||
- memcmp(out, reference, bytes) != 0) {
- fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
- return 0;
- }
- /* Pad up one byte extra. */
- if (!BN_bn2bin_padded(out, bytes + 1, n) ||
- memcmp(out + 1, reference, bytes) || memcmp(out, zeros, 1)) {
- fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
- return 0;
- }
- /* Pad up to 256. */
- if (!BN_bn2bin_padded(out, sizeof(out), n) ||
- memcmp(out + sizeof(out) - bytes, reference, bytes) ||
- memcmp(out, zeros, sizeof(out) - bytes)) {
- fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
- return 0;
- }
- }
-
- BN_free(n);
-
- return 1;
-}
diff --git a/src/crypto/bn/bn_test.cc b/src/crypto/bn/bn_test.cc
new file mode 100644
index 0000000..9aa2bf5
--- /dev/null
+++ b/src/crypto/bn/bn_test.cc
@@ -0,0 +1,1619 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ *
+ * Portions of the attached software ("Contribution") are developed by
+ * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
+ *
+ * The Contribution is licensed pursuant to the Eric Young open source
+ * license provided above.
+ *
+ * The binary polynomial arithmetic software is originally written by
+ * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
+ * Laboratories. */
+
+/* For BIGNUM format macros. */
+#if !defined(__STDC_FORMAT_MACROS)
+#define __STDC_FORMAT_MACROS
+#endif
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "../crypto/test/scoped_types.h"
+
+
+static const int num0 = 100; // number of tests
+static const int num1 = 50; // additional tests for some functions
+static const int num2 = 5; // number of tests for slow functions
+
+static bool test_add(FILE *fp);
+static bool test_sub(FILE *fp);
+static bool test_lshift1(FILE *fp);
+static bool test_lshift(FILE *fp, BN_CTX *ctx, ScopedBIGNUM a);
+static bool test_rshift1(FILE *fp);
+static bool test_rshift(FILE *fp, BN_CTX *ctx);
+static bool test_sqr(FILE *fp, BN_CTX *ctx);
+static bool test_mul(FILE *fp);
+static bool test_div(FILE *fp, BN_CTX *ctx);
+static int rand_neg();
+
+static bool test_div_word(FILE *fp);
+static bool test_mont(FILE *fp, BN_CTX *ctx);
+static bool test_mod(FILE *fp, BN_CTX *ctx);
+static bool test_mod_mul(FILE *fp, BN_CTX *ctx);
+static bool test_mod_exp(FILE *fp, BN_CTX *ctx);
+static bool test_mod_exp_mont_consttime(FILE *fp, BN_CTX *ctx);
+static bool test_exp(FILE *fp, BN_CTX *ctx);
+static bool test_mod_sqrt(FILE *fp, BN_CTX *ctx);
+static bool test_exp_mod_zero(void);
+static bool test_small_prime(FILE *fp, BN_CTX *ctx);
+static bool test_mod_exp_mont5(FILE *fp, BN_CTX *ctx);
+static bool test_sqrt(FILE *fp, BN_CTX *ctx);
+static bool test_bn2bin_padded(FILE *fp, BN_CTX *ctx);
+static bool test_dec2bn(FILE *fp, BN_CTX *ctx);
+static bool test_hex2bn(FILE *fp, BN_CTX *ctx);
+static bool test_asc2bn(FILE *fp, BN_CTX *ctx);
+
+// g_results can be set to true to cause the result of each computation to be
+// printed.
+static bool g_results = false;
+
+static const uint8_t kSample[] =
+ "\xC6\x4F\x43\x04\x2A\xEA\xCA\x6E\x58\x36\x80\x5B\xE8\xC9"
+ "\x9B\x04\x5D\x48\x36\xC2\xFD\x16\xC9\x64\xF0";
+
+// A wrapper around puts that takes its arguments in the same order as our *_fp
+// functions.
+static void puts_fp(FILE *out, const char *m) {
+ fputs(m, out);
+}
+
+static void message(FILE *out, const char *m) {
+ puts_fp(out, "print \"test ");
+ puts_fp(out, m);
+ puts_fp(out, "\\n\"\n");
+}
+
+int main(int argc, char *argv[]) {
+ CRYPTO_library_init();
+
+ argc--;
+ argv++;
+ while (argc >= 1) {
+ if (strcmp(*argv, "-results") == 0) {
+ g_results = true;
+ }
+ argc--;
+ argv++;
+ }
+
+
+ ScopedBN_CTX ctx(BN_CTX_new());
+ if (!ctx) {
+ return 1;
+ }
+
+ if (!g_results) {
+ puts_fp(stdout, "obase=16\nibase=16\n");
+ }
+
+ message(stdout, "BN_add");
+ if (!test_add(stdout)) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_sub");
+ if (!test_sub(stdout)) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_lshift1");
+ if (!test_lshift1(stdout)) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_lshift (fixed)");
+ ScopedBIGNUM sample(BN_bin2bn(kSample, sizeof(kSample) - 1, NULL));
+ if (!sample) {
+ return 1;
+ }
+ if (!test_lshift(stdout, ctx.get(), bssl::move(sample))) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_lshift");
+ if (!test_lshift(stdout, ctx.get(), nullptr)) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_rshift1");
+ if (!test_rshift1(stdout)) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_rshift");
+ if (!test_rshift(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_sqr");
+ if (!test_sqr(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_mul");
+ if (!test_mul(stdout)) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_div");
+ if (!test_div(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_div_word");
+ if (!test_div_word(stdout)) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_mod");
+ if (!test_mod(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_mod_mul");
+ if (!test_mod_mul(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_mont");
+ if (!test_mont(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_mod_exp");
+ if (!test_mod_exp(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_mod_exp_mont_consttime");
+ if (!test_mod_exp_mont_consttime(stdout, ctx.get()) ||
+ !test_mod_exp_mont5(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_exp");
+ if (!test_exp(stdout, ctx.get()) ||
+ !test_exp_mod_zero()) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_mod_sqrt");
+ if (!test_mod_sqrt(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "Small prime generation");
+ if (!test_small_prime(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_sqrt");
+ if (!test_sqrt(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_bn2bin_padded");
+ if (!test_bn2bin_padded(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_dec2bn");
+ if (!test_dec2bn(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_hex2bn");
+ if (!test_hex2bn(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ message(stdout, "BN_asc2bn");
+ if (!test_asc2bn(stdout, ctx.get())) {
+ return 1;
+ }
+ fflush(stdout);
+
+ printf("PASS\n");
+ return 0;
+}
+
+static bool test_add(FILE *fp) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ if (!a || !b || !c || !BN_rand(a.get(), 512, 0, 0)) {
+ return false;
+ }
+
+ for (int i = 0; i < num0; i++) {
+ if (!BN_rand(b.get(), 450 + i, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ b->neg = rand_neg();
+ if (!BN_add(c.get(), a.get(), b.get())) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " + ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, "\n");
+ }
+ a->neg = !a->neg;
+ b->neg = !b->neg;
+ if (!BN_add(c.get(), c.get(), b.get()) ||
+ !BN_add(c.get(), c.get(), a.get())) {
+ return false;
+ }
+ if (!BN_is_zero(c.get())) {
+ fprintf(stderr, "Add test failed!\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_sub(FILE *fp) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ if (!a || !b || !c) {
+ return false;
+ }
+
+ for (int i = 0; i < num0 + num1; i++) {
+ if (i < num1) {
+ if (!BN_rand(a.get(), 512, 0, 0) ||
+ !BN_copy(b.get(), a.get()) ||
+ !BN_set_bit(a.get(), i) ||
+ !BN_add_word(b.get(), i)) {
+ return false;
+ }
+ } else {
+ if (!BN_rand(b.get(), 400 + i - num1, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ b->neg = rand_neg();
+ }
+ if (!BN_sub(c.get(), a.get(), b.get())) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " - ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_add(c.get(), c.get(), b.get()) ||
+ !BN_sub(c.get(), c.get(), a.get())) {
+ return false;
+ }
+ if (!BN_is_zero(c.get())) {
+ fprintf(stderr, "Subtract test failed!\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_div(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!a || !b || !c || !d || !e) {
+ return false;
+ }
+
+ for (int i = 0; i < num0 + num1; i++) {
+ if (i < num1) {
+ if (!BN_rand(a.get(), 400, 0, 0) ||
+ !BN_copy(b.get(), a.get()) ||
+ !BN_lshift(a.get(), a.get(), i) ||
+ !BN_add_word(a.get(), i)) {
+ return false;
+ }
+ } else if (!BN_rand(b.get(), 50 + 3 * (i - num1), 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ b->neg = rand_neg();
+ if (!BN_div(d.get(), c.get(), a.get(), b.get(), ctx)) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " / ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, d.get());
+ puts_fp(fp, "\n");
+
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " % ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_mul(e.get(), d.get(), b.get(), ctx) ||
+ !BN_add(d.get(), e.get(), c.get()) ||
+ !BN_sub(d.get(), d.get(), a.get())) {
+ return false;
+ }
+ if (!BN_is_zero(d.get())) {
+ fprintf(stderr, "Division test failed!\n");
+ return false;
+ }
+ }
+
+ // Test that BN_div never gives negative zero in the quotient.
+ if (!BN_set_word(a.get(), 1) ||
+ !BN_set_word(b.get(), 2)) {
+ return false;
+ }
+ BN_set_negative(a.get(), 1);
+ if (!BN_div(d.get(), c.get(), a.get(), b.get(), ctx)) {
+ return false;
+ }
+ if (!BN_is_zero(d.get()) || BN_is_negative(d.get())) {
+ fprintf(stderr, "Division test failed!\n");
+ return false;
+ }
+
+ // Test that BN_div never gives negative zero in the remainder.
+ if (!BN_set_word(b.get(), 1)) {
+ return false;
+ }
+ if (!BN_div(d.get(), c.get(), a.get(), b.get(), ctx)) {
+ return false;
+ }
+ if (!BN_is_zero(c.get()) || BN_is_negative(c.get())) {
+ fprintf(stderr, "Division test failed!\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_lshift1(FILE *fp) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ if (!a || !b || !c || !BN_rand(a.get(), 200, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ for (int i = 0; i < num0; i++) {
+ if (!BN_lshift1(b.get(), a.get())) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " * 2");
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_add(c.get(), a.get(), a.get()) ||
+ !BN_sub(a.get(), b.get(), c.get())) {
+ return false;
+ }
+ if (!BN_is_zero(a.get())) {
+ fprintf(stderr, "Left shift one test failed!\n");
+ return false;
+ }
+
+ if (!BN_copy(a.get(), b.get())) {
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_rshift(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!a || !b || !c || !d || !e || !BN_one(c.get()) ||
+ !BN_rand(a.get(), 200, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ for (int i = 0; i < num0; i++) {
+ if (!BN_rshift(b.get(), a.get(), i + 1) ||
+ !BN_add(c.get(), c.get(), c.get())) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " / ");
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_div(d.get(), e.get(), a.get(), c.get(), ctx) ||
+ !BN_sub(d.get(), d.get(), b.get())) {
+ return false;
+ }
+ if (!BN_is_zero(d.get())) {
+ fprintf(stderr, "Right shift test failed!\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_rshift1(FILE *fp) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ if (!a || !b || !c || !BN_rand(a.get(), 200, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+
+ for (int i = 0; i < num0; i++) {
+ if (!BN_rshift1(b.get(), a.get())) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " / 2");
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_sub(c.get(), a.get(), b.get()) ||
+ !BN_sub(c.get(), c.get(), b.get())) {
+ return false;
+ }
+ if (!BN_is_zero(c.get()) && !BN_abs_is_word(c.get(), 1)) {
+ fprintf(stderr, "Right shift one test failed!\n");
+ return false;
+ }
+ if (!BN_copy(a.get(), b.get())) {
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_lshift(FILE *fp, BN_CTX *ctx, ScopedBIGNUM a) {
+ if (!a) {
+ a.reset(BN_new());
+ if (!a || !BN_rand(a.get(), 200, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ }
+
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ if (!b || !c || !d || !BN_one(c.get())) {
+ return false;
+ }
+
+ for (int i = 0; i < num0; i++) {
+ if (!BN_lshift(b.get(), a.get(), i + 1) ||
+ !BN_add(c.get(), c.get(), c.get())) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " * ");
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_mul(d.get(), a.get(), c.get(), ctx) ||
+ !BN_sub(d.get(), d.get(), b.get())) {
+ return false;
+ }
+ if (!BN_is_zero(d.get())) {
+ fprintf(stderr, "Left shift test failed!\n");
+ fprintf(stderr, "a=");
+ BN_print_fp(stderr, a.get());
+ fprintf(stderr, "\nb=");
+ BN_print_fp(stderr, b.get());
+ fprintf(stderr, "\nc=");
+ BN_print_fp(stderr, c.get());
+ fprintf(stderr, "\nd=");
+ BN_print_fp(stderr, d.get());
+ fprintf(stderr, "\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_mul(FILE *fp) {
+ ScopedBN_CTX ctx(BN_CTX_new());
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!ctx || !a || !b || !c || !d || !e) {
+ return false;
+ }
+
+ for (int i = 0; i < num0 + num1; i++) {
+ if (i <= num1) {
+ if (!BN_rand(a.get(), 100, 0, 0) ||
+ !BN_rand(b.get(), 100, 0, 0)) {
+ return false;
+ }
+ } else if (!BN_rand(b.get(), i - num1, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ b->neg = rand_neg();
+ if (!BN_mul(c.get(), a.get(), b.get(), ctx.get())) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " * ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_div(d.get(), e.get(), c.get(), a.get(), ctx.get()) ||
+ !BN_sub(d.get(), d.get(), b.get())) {
+ return false;
+ }
+ if (!BN_is_zero(d.get()) || !BN_is_zero(e.get())) {
+ fprintf(stderr, "Multiplication test failed!\n");
+ return false;
+ }
+ }
+
+ // Test that BN_mul never gives negative zero.
+ if (!BN_set_word(a.get(), 1)) {
+ return false;
+ }
+ BN_set_negative(a.get(), 1);
+ BN_zero(b.get());
+ if (!BN_mul(c.get(), a.get(), b.get(), ctx.get())) {
+ return false;
+ }
+ if (!BN_is_zero(c.get()) || BN_is_negative(c.get())) {
+ fprintf(stderr, "Multiplication test failed!\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_sqr(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!a || !c || !d || !e) {
+ return false;
+ }
+
+ for (int i = 0; i < num0; i++) {
+ if (!BN_rand(a.get(), 40 + i * 10, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ if (!BN_sqr(c.get(), a.get(), ctx)) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " * ");
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_div(d.get(), e.get(), c.get(), a.get(), ctx) ||
+ !BN_sub(d.get(), d.get(), a.get())) {
+ return false;
+ }
+ if (!BN_is_zero(d.get()) || !BN_is_zero(e.get())) {
+ fprintf(stderr, "Square test failed!\n");
+ return false;
+ }
+ }
+
+ // Regression test for a BN_sqr overflow bug.
+ BIGNUM *a_raw = a.get();
+ if (!BN_hex2bn(
+ &a_raw,
+ "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000") ||
+ !BN_sqr(c.get(), a.get(), ctx)) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " * ");
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_mul(d.get(), a.get(), a.get(), ctx)) {
+ return false;
+ }
+ if (BN_cmp(c.get(), d.get())) {
+ fprintf(stderr,
+ "Square test failed: BN_sqr and BN_mul produce "
+ "different results!\n");
+ return false;
+ }
+
+ // Regression test for a BN_sqr overflow bug.
+ a_raw = a.get();
+ if (!BN_hex2bn(
+ &a_raw,
+ "80000000000000000000000080000001FFFFFFFE000000000000000000000000") ||
+ !BN_sqr(c.get(), a.get(), ctx)) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " * ");
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_mul(d.get(), a.get(), a.get(), ctx)) {
+ return false;
+ }
+ if (BN_cmp(c.get(), d.get())) {
+ fprintf(stderr,
+ "Square test failed: BN_sqr and BN_mul produce "
+ "different results!\n");
+ return false;
+ }
+
+ return true;
+}
+
+
+static int rand_neg() {
+ static unsigned int neg = 0;
+ static const int sign[8] = {0, 0, 0, 1, 1, 0, 1, 1};
+
+ return sign[(neg++) % 8];
+}
+
+static void print_word(FILE *fp, BN_ULONG w) {
+ fprintf(fp, BN_HEX_FMT1, w);
+}
+
+static bool test_div_word(FILE *fp) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ if (!a || !b) {
+ return false;
+ }
+
+ for (int i = 0; i < num0; i++) {
+ BN_ULONG s;
+ do {
+ if (!BN_rand(a.get(), 512, -1, 0) ||
+ !BN_rand(b.get(), BN_BITS2, -1, 0)) {
+ return false;
+ }
+ s = b->d[0];
+ } while (!s);
+
+ if (!BN_copy(b.get(), a.get())) {
+ return false;
+ }
+ BN_ULONG r = BN_div_word(b.get(), s);
+ if (r == (BN_ULONG)-1) {
+ return false;
+ }
+
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " / ");
+ print_word(fp, s);
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, "\n");
+
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " % ");
+ print_word(fp, s);
+ puts_fp(fp, " - ");
+ }
+ print_word(fp, r);
+ puts_fp(fp, "\n");
+ }
+ if (!BN_mul_word(b.get(), s) ||
+ !BN_add_word(b.get(), r) ||
+ !BN_sub(b.get(), a.get(), b.get())) {
+ return false;
+ }
+ if (!BN_is_zero(b.get())) {
+ fprintf(stderr, "Division (word) test failed!\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_mont(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM A(BN_new());
+ ScopedBIGNUM B(BN_new());
+ ScopedBIGNUM n(BN_new());
+ ScopedBN_MONT_CTX mont(BN_MONT_CTX_new());
+ if (!a || !b || !c || !d || !A || !B || !n || !mont ||
+ !BN_rand(a.get(), 100, 0, 0) ||
+ !BN_rand(b.get(), 100, 0, 0)) {
+ return false;
+ }
+
+ for (int i = 0; i < num2; i++) {
+ int bits = (200 * (i + 1)) / num2;
+
+ if (bits == 0) {
+ continue;
+ }
+ if (!BN_rand(n.get(), bits, 0, 1) ||
+ !BN_MONT_CTX_set(mont.get(), n.get(), ctx) ||
+ !BN_nnmod(a.get(), a.get(), n.get(), ctx) ||
+ !BN_nnmod(b.get(), b.get(), n.get(), ctx) ||
+ !BN_to_montgomery(A.get(), a.get(), mont.get(), ctx) ||
+ !BN_to_montgomery(B.get(), b.get(), mont.get(), ctx) ||
+ !BN_mod_mul_montgomery(c.get(), A.get(), B.get(), mont.get(), ctx) ||
+ !BN_from_montgomery(A.get(), c.get(), mont.get(), ctx)) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " * ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " % ");
+ BN_print_fp(fp, &mont->N);
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, A.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_mod_mul(d.get(), a.get(), b.get(), n.get(), ctx) ||
+ !BN_sub(d.get(), d.get(), A.get())) {
+ return false;
+ }
+ if (!BN_is_zero(d.get())) {
+ fprintf(stderr, "Montgomery multiplication test failed!\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_mod(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!a || !b || !c || !d || !e ||
+ !BN_rand(a.get(), 1024, 0, 0)) {
+ return false;
+ }
+
+ for (int i = 0; i < num0; i++) {
+ if (!BN_rand(b.get(), 450 + i * 10, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ b->neg = rand_neg();
+ if (!BN_mod(c.get(), a.get(), b.get(), ctx)) {
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " % ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_div(d.get(), e.get(), a.get(), b.get(), ctx) ||
+ !BN_sub(e.get(), e.get(), c.get())) {
+ return false;
+ }
+ if (!BN_is_zero(e.get())) {
+ fprintf(stderr, "Modulo test failed!\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_mod_mul(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!a || !b || !c || !d || !e) {
+ return false;
+ }
+
+ for (int j = 0; j < 3; j++) {
+ if (!BN_rand(c.get(), 1024, 0, 0)) {
+ return false;
+ }
+ for (int i = 0; i < num0; i++) {
+ if (!BN_rand(a.get(), 475 + i * 10, 0, 0) ||
+ !BN_rand(b.get(), 425 + i * 11, 0, 0)) {
+ return false;
+ }
+ a->neg = rand_neg();
+ b->neg = rand_neg();
+ if (!BN_mod_mul(e.get(), a.get(), b.get(), c.get(), ctx)) {
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " * ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " % ");
+ BN_print_fp(fp, c.get());
+ if (a->neg != b->neg && !BN_is_zero(e.get())) {
+ // If (a*b) % c is negative, c must be added
+ // in order to obtain the normalized remainder
+ // (new with OpenSSL 0.9.7, previous versions of
+ // BN_mod_mul could generate negative results)
+ puts_fp(fp, " + ");
+ BN_print_fp(fp, c.get());
+ }
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, e.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_mul(d.get(), a.get(), b.get(), ctx) ||
+ !BN_sub(d.get(), d.get(), e.get()) ||
+ !BN_div(a.get(), b.get(), d.get(), c.get(), ctx)) {
+ return false;
+ }
+ if (!BN_is_zero(b.get())) {
+ fprintf(stderr, "Modulo multiply test failed!\n");
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+ }
+ }
+ return true;
+}
+
+static bool test_mod_exp(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!a || !b || !c || !d || !e ||
+ !BN_rand(c.get(), 30, 0, 1)) { // must be odd for montgomery
+ return false;
+ }
+ for (int i = 0; i < num2; i++) {
+ if (!BN_rand(a.get(), 20 + i * 5, 0, 0) ||
+ !BN_rand(b.get(), 2 + i, 0, 0) ||
+ !BN_mod_exp(d.get(), a.get(), b.get(), c.get(), ctx)) {
+ return false;
+ }
+
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " ^ ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " % ");
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, d.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_exp(e.get(), a.get(), b.get(), ctx) ||
+ !BN_sub(e.get(), e.get(), d.get()) ||
+ !BN_div(a.get(), b.get(), e.get(), c.get(), ctx)) {
+ return false;
+ }
+ if (!BN_is_zero(b.get())) {
+ fprintf(stderr, "Modulo exponentiation test failed!\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+static bool test_mod_exp_mont_consttime(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM c(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!a || !b || !c || !d || !e ||
+ !BN_rand(c.get(), 30, 0, 1)) { // must be odd for montgomery
+ return false;
+ }
+ for (int i = 0; i < num2; i++) {
+ if (!BN_rand(a.get(), 20 + i * 5, 0, 0) ||
+ !BN_rand(b.get(), 2 + i, 0, 0) ||
+ !BN_mod_exp_mont_consttime(d.get(), a.get(), b.get(), c.get(), ctx,
+ NULL)) {
+ return false;
+ }
+
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " ^ ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " % ");
+ BN_print_fp(fp, c.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, d.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_exp(e.get(), a.get(), b.get(), ctx) ||
+ !BN_sub(e.get(), e.get(), d.get()) ||
+ !BN_div(a.get(), b.get(), e.get(), c.get(), ctx)) {
+ return false;
+ }
+ if (!BN_is_zero(b.get())) {
+ fprintf(stderr, "Modulo exponentiation test failed!\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+// Test constant-time modular exponentiation with 1024-bit inputs,
+// which on x86_64 cause a different code branch to be taken.
+static bool test_mod_exp_mont5(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM p(BN_new());
+ ScopedBIGNUM m(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!a || !p || !m || !d || !e ||
+ !BN_rand(m.get(), 1024, 0, 1) || // must be odd for montgomery
+ !BN_rand(a.get(), 1024, 0, 0)) {
+ return false;
+ }
+ // Zero exponent.
+ BN_zero(p.get());
+ if (!BN_mod_exp_mont_consttime(d.get(), a.get(), p.get(), m.get(), ctx,
+ NULL)) {
+ return false;
+ }
+ if (!BN_is_one(d.get())) {
+ fprintf(stderr, "Modular exponentiation test failed!\n");
+ return false;
+ }
+ if (!BN_rand(p.get(), 1024, 0, 0)) {
+ return false;
+ }
+ // Zero input.
+ BN_zero(a.get());
+ if (!BN_mod_exp_mont_consttime(d.get(), a.get(), p.get(), m.get(), ctx,
+ NULL)) {
+ return false;
+ }
+ if (!BN_is_zero(d.get())) {
+ fprintf(stderr, "Modular exponentiation test failed!\n");
+ return false;
+ }
+ // Craft an input whose Montgomery representation is 1, i.e., shorter than the
+ // modulus m, in order to test the const time precomputation
+ // scattering/gathering.
+ ScopedBN_MONT_CTX mont(BN_MONT_CTX_new());
+ if (!mont || !BN_one(a.get()) ||
+ !BN_MONT_CTX_set(mont.get(), m.get(), ctx) ||
+ !BN_from_montgomery(e.get(), a.get(), mont.get(), ctx) ||
+ !BN_mod_exp_mont_consttime(d.get(), e.get(), p.get(), m.get(), ctx,
+ NULL) ||
+ !BN_mod_exp(a.get(), e.get(), p.get(), m.get(), ctx)) {
+ return false;
+ }
+ if (BN_cmp(a.get(), d.get()) != 0) {
+ fprintf(stderr, "Modular exponentiation test failed!\n");
+ return false;
+ }
+ // Finally, some regular test vectors.
+ if (!BN_rand(e.get(), 1024, 0, 0) ||
+ !BN_mod_exp_mont_consttime(d.get(), e.get(), p.get(), m.get(), ctx,
+ NULL) ||
+ !BN_mod_exp(a.get(), e.get(), p.get(), m.get(), ctx)) {
+ return false;
+ }
+ if (BN_cmp(a.get(), d.get()) != 0) {
+ fprintf(stderr, "Modular exponentiation test failed!\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_exp(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM b(BN_new());
+ ScopedBIGNUM d(BN_new());
+ ScopedBIGNUM e(BN_new());
+ if (!a || !b || !d || !e) {
+ return false;
+ }
+
+ for (int i = 0; i < num2; i++) {
+ if (!BN_rand(a.get(), 20 + i * 5, 0, 0) ||
+ !BN_rand(b.get(), 2 + i, 0, 0) ||
+ !BN_exp(d.get(), a.get(), b.get(), ctx)) {
+ return false;
+ }
+
+ if (fp != NULL) {
+ if (!g_results) {
+ BN_print_fp(fp, a.get());
+ puts_fp(fp, " ^ ");
+ BN_print_fp(fp, b.get());
+ puts_fp(fp, " - ");
+ }
+ BN_print_fp(fp, d.get());
+ puts_fp(fp, "\n");
+ }
+ if (!BN_one(e.get())) {
+ return false;
+ }
+ for (; !BN_is_zero(b.get()); BN_sub(b.get(), b.get(), BN_value_one())) {
+ if (!BN_mul(e.get(), e.get(), a.get(), ctx)) {
+ return false;
+ }
+ }
+ if (!BN_sub(e.get(), e.get(), d.get())) {
+ return false;
+ }
+ if (!BN_is_zero(e.get())) {
+ fprintf(stderr, "Exponentiation test failed!\n");
+ return false;
+ }
+ }
+ return true;
+}
+
+// test_exp_mod_zero tests that 1**0 mod 1 == 0.
+static bool test_exp_mod_zero(void) {
+ ScopedBIGNUM zero(BN_new());
+ if (!zero) {
+ return false;
+ }
+ BN_zero(zero.get());
+
+ ScopedBN_CTX ctx(BN_CTX_new());
+ ScopedBIGNUM r(BN_new());
+ if (!ctx || !r ||
+ !BN_mod_exp(r.get(), BN_value_one(), zero.get(), BN_value_one(), ctx.get())) {
+ return false;
+ }
+
+ if (!BN_is_zero(r.get())) {
+ printf("1**0 mod 1 = ");
+ BN_print_fp(stdout, r.get());
+ printf(", should be 0\n");
+ return false;
+ }
+
+ return true;
+}
+
+static int genprime_cb(int p, int n, BN_GENCB *arg) {
+ char c = '*';
+
+ if (p == 0) {
+ c = '.';
+ } else if (p == 1) {
+ c = '+';
+ } else if (p == 2) {
+ c = '*';
+ } else if (p == 3) {
+ c = '\n';
+ }
+ putc(c, stdout);
+ fflush(stdout);
+ return 1;
+}
+
+static bool test_mod_sqrt(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM a(BN_new());
+ ScopedBIGNUM p(BN_new());
+ ScopedBIGNUM r(BN_new());
+ if (!a || !p || !r) {
+ return false;
+ }
+
+ BN_GENCB cb;
+ BN_GENCB_set(&cb, genprime_cb, NULL);
+
+ for (int i = 0; i < 16; i++) {
+ if (i < 8) {
+ const unsigned kPrimes[8] = {2, 3, 5, 7, 11, 13, 17, 19};
+ if (!BN_set_word(p.get(), kPrimes[i])) {
+ return false;
+ }
+ } else {
+ if (!BN_set_word(a.get(), 32) ||
+ !BN_set_word(r.get(), 2 * i + 1) ||
+ !BN_generate_prime_ex(p.get(), 256, 0, a.get(), r.get(), &cb)) {
+ return false;
+ }
+ putc('\n', stdout);
+ }
+ p->neg = rand_neg();
+
+ for (int j = 0; j < num2; j++) {
+ // construct 'a' such that it is a square modulo p, but in general not a
+ // proper square and not reduced modulo p
+ if (!BN_rand(r.get(), 256, 0, 3) ||
+ !BN_nnmod(r.get(), r.get(), p.get(), ctx) ||
+ !BN_mod_sqr(r.get(), r.get(), p.get(), ctx) ||
+ !BN_rand(a.get(), 256, 0, 3) ||
+ !BN_nnmod(a.get(), a.get(), p.get(), ctx) ||
+ !BN_mod_sqr(a.get(), a.get(), p.get(), ctx) ||
+ !BN_mul(a.get(), a.get(), r.get(), ctx)) {
+ return false;
+ }
+ if (rand_neg() && !BN_sub(a.get(), a.get(), p.get())) {
+ return false;
+ }
+
+ if (!BN_mod_sqrt(r.get(), a.get(), p.get(), ctx) ||
+ !BN_mod_sqr(r.get(), r.get(), p.get(), ctx) ||
+ !BN_nnmod(a.get(), a.get(), p.get(), ctx)) {
+ return false;
+ }
+
+ if (BN_cmp(a.get(), r.get()) != 0) {
+ fprintf(stderr, "BN_mod_sqrt failed: a = ");
+ BN_print_fp(stderr, a.get());
+ fprintf(stderr, ", r = ");
+ BN_print_fp(stderr, r.get());
+ fprintf(stderr, ", p = ");
+ BN_print_fp(stderr, p.get());
+ fprintf(stderr, "\n");
+ return false;
+ }
+
+ putc('.', stdout);
+ fflush(stdout);
+ }
+
+ putc('\n', stdout);
+ fflush(stderr);
+ }
+ return true;
+}
+
+static bool test_small_prime(FILE *fp, BN_CTX *ctx) {
+ static const int kBits = 10;
+
+ ScopedBIGNUM r(BN_new());
+ if (!r || !BN_generate_prime_ex(r.get(), kBits, 0, NULL, NULL, NULL)) {
+ return false;
+ }
+ if (BN_num_bits(r.get()) != kBits) {
+ fprintf(fp, "Expected %d bit prime, got %d bit number\n", kBits,
+ BN_num_bits(r.get()));
+ return false;
+ }
+
+ return true;
+}
+
+static bool test_sqrt(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM n(BN_new());
+ ScopedBIGNUM nn(BN_new());
+ ScopedBIGNUM sqrt(BN_new());
+ if (!n || !nn || !sqrt) {
+ return false;
+ }
+
+ // Test some random squares.
+ for (int i = 0; i < 100; i++) {
+ if (!BN_rand(n.get(), 1024 /* bit length */,
+ -1 /* no modification of top bits */,
+ 0 /* don't modify bottom bit */) ||
+ !BN_mul(nn.get(), n.get(), n.get(), ctx) ||
+ !BN_sqrt(sqrt.get(), nn.get(), ctx)) {
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+ if (BN_cmp(n.get(), sqrt.get()) != 0) {
+ fprintf(stderr, "Bad result from BN_sqrt.\n");
+ return false;
+ }
+ }
+
+ // Test some non-squares.
+ for (int i = 0; i < 100; i++) {
+ if (!BN_rand(n.get(), 1024 /* bit length */,
+ -1 /* no modification of top bits */,
+ 0 /* don't modify bottom bit */) ||
+ !BN_mul(nn.get(), n.get(), n.get(), ctx) ||
+ !BN_add(nn.get(), nn.get(), BN_value_one())) {
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+
+ if (BN_sqrt(sqrt.get(), nn.get(), ctx)) {
+ char *nn_str = BN_bn2dec(nn.get());
+ fprintf(stderr, "BIO_sqrt didn't fail on a non-square: %s\n", nn_str);
+ OPENSSL_free(nn_str);
+ }
+ }
+
+ return true;
+}
+
+static bool test_bn2bin_padded(FILE *fp, BN_CTX *ctx) {
+ uint8_t zeros[256], out[256], reference[128];
+
+ memset(zeros, 0, sizeof(zeros));
+
+ // Test edge case at 0.
+ ScopedBIGNUM n(BN_new());
+ if (!n || !BN_bn2bin_padded(NULL, 0, n.get())) {
+ fprintf(stderr,
+ "BN_bn2bin_padded failed to encode 0 in an empty buffer.\n");
+ return false;
+ }
+ memset(out, -1, sizeof(out));
+ if (!BN_bn2bin_padded(out, sizeof(out), n.get())) {
+ fprintf(stderr,
+ "BN_bn2bin_padded failed to encode 0 in a non-empty buffer.\n");
+ return false;
+ }
+ if (memcmp(zeros, out, sizeof(out))) {
+ fprintf(stderr, "BN_bn2bin_padded did not zero buffer.\n");
+ return false;
+ }
+
+ // Test a random numbers at various byte lengths.
+ for (size_t bytes = 128 - 7; bytes <= 128; bytes++) {
+ if (!BN_rand(n.get(), bytes * 8, 0 /* make sure top bit is 1 */,
+ 0 /* don't modify bottom bit */)) {
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+ if (BN_num_bytes(n.get()) != bytes ||
+ BN_bn2bin(n.get(), reference) != bytes) {
+ fprintf(stderr, "Bad result from BN_rand; bytes.\n");
+ return false;
+ }
+ // Empty buffer should fail.
+ if (BN_bn2bin_padded(NULL, 0, n.get())) {
+ fprintf(stderr,
+ "BN_bn2bin_padded incorrectly succeeded on empty buffer.\n");
+ return false;
+ }
+ // One byte short should fail.
+ if (BN_bn2bin_padded(out, bytes - 1, n.get())) {
+ fprintf(stderr, "BN_bn2bin_padded incorrectly succeeded on short.\n");
+ return false;
+ }
+ // Exactly right size should encode.
+ if (!BN_bn2bin_padded(out, bytes, n.get()) ||
+ memcmp(out, reference, bytes) != 0) {
+ fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
+ return false;
+ }
+ // Pad up one byte extra.
+ if (!BN_bn2bin_padded(out, bytes + 1, n.get()) ||
+ memcmp(out + 1, reference, bytes) || memcmp(out, zeros, 1)) {
+ fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
+ return false;
+ }
+ // Pad up to 256.
+ if (!BN_bn2bin_padded(out, sizeof(out), n.get()) ||
+ memcmp(out + sizeof(out) - bytes, reference, bytes) ||
+ memcmp(out, zeros, sizeof(out) - bytes)) {
+ fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static int DecimalToBIGNUM(ScopedBIGNUM *out, const char *in) {
+ BIGNUM *raw = NULL;
+ int ret = BN_dec2bn(&raw, in);
+ out->reset(raw);
+ return ret;
+}
+
+static bool test_dec2bn(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM bn;
+ int ret = DecimalToBIGNUM(&bn, "0");
+ if (ret != 1 || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+ return false;
+ }
+
+ ret = DecimalToBIGNUM(&bn, "256");
+ if (ret != 3 || !BN_is_word(bn.get(), 256) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+ return false;
+ }
+
+ ret = DecimalToBIGNUM(&bn, "-42");
+ if (ret != 3 || !BN_abs_is_word(bn.get(), 42) || !BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+ return false;
+ }
+
+ ret = DecimalToBIGNUM(&bn, "-0");
+ if (ret != 2 || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+ return false;
+ }
+
+ ret = DecimalToBIGNUM(&bn, "42trailing garbage is ignored");
+ if (ret != 2 || !BN_abs_is_word(bn.get(), 42) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_dec2bn gave a bad result.\n");
+ return false;
+ }
+
+ return true;
+}
+
+static int HexToBIGNUM(ScopedBIGNUM *out, const char *in) {
+ BIGNUM *raw = NULL;
+ int ret = BN_hex2bn(&raw, in);
+ out->reset(raw);
+ return ret;
+}
+
+static bool test_hex2bn(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM bn;
+ int ret = HexToBIGNUM(&bn, "0");
+ if (ret != 1 || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+ return false;
+ }
+
+ ret = HexToBIGNUM(&bn, "256");
+ if (ret != 3 || !BN_is_word(bn.get(), 0x256) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+ return false;
+ }
+
+ ret = HexToBIGNUM(&bn, "-42");
+ if (ret != 3 || !BN_abs_is_word(bn.get(), 0x42) || !BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+ return false;
+ }
+
+ ret = HexToBIGNUM(&bn, "-0");
+ if (ret != 2 || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+ return false;
+ }
+
+ ret = HexToBIGNUM(&bn, "abctrailing garbage is ignored");
+ if (ret != 3 || !BN_is_word(bn.get(), 0xabc) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_hex2bn gave a bad result.\n");
+ return false;
+ }
+
+ return true;
+}
+
+static ScopedBIGNUM ASCIIToBIGNUM(const char *in) {
+ BIGNUM *raw = NULL;
+ if (!BN_asc2bn(&raw, in)) {
+ return nullptr;
+ }
+ return ScopedBIGNUM(raw);
+}
+
+static bool test_asc2bn(FILE *fp, BN_CTX *ctx) {
+ ScopedBIGNUM bn = ASCIIToBIGNUM("0");
+ if (!bn || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+ return false;
+ }
+
+ bn = ASCIIToBIGNUM("256");
+ if (!bn || !BN_is_word(bn.get(), 256) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+ return false;
+ }
+
+ bn = ASCIIToBIGNUM("-42");
+ if (!bn || !BN_abs_is_word(bn.get(), 42) || !BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+ return false;
+ }
+
+ bn = ASCIIToBIGNUM("0x1234");
+ if (!bn || !BN_is_word(bn.get(), 0x1234) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+ return false;
+ }
+
+ bn = ASCIIToBIGNUM("0X1234");
+ if (!bn || !BN_is_word(bn.get(), 0x1234) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+ return false;
+ }
+
+ bn = ASCIIToBIGNUM("-0xabcd");
+ if (!bn || !BN_abs_is_word(bn.get(), 0xabcd) || !BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+ return false;
+ }
+
+ bn = ASCIIToBIGNUM("-0");
+ if (!bn || !BN_is_zero(bn.get()) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+ return false;
+ }
+
+ bn = ASCIIToBIGNUM("123trailing garbage is ignored");
+ if (!bn || !BN_is_word(bn.get(), 123) || BN_is_negative(bn.get())) {
+ fprintf(stderr, "BN_asc2bn gave a bad result.\n");
+ return false;
+ }
+
+ return true;
+}
diff --git a/src/crypto/bn/convert.c b/src/crypto/bn/convert.c
index 9c7b9be..531b661 100644
--- a/src/crypto/bn/convert.c
+++ b/src/crypto/bn/convert.c
@@ -407,13 +407,9 @@
ok = 1;
err:
- if (bn_data != NULL) {
- OPENSSL_free(bn_data);
- }
- if (t != NULL) {
- BN_free(t);
- }
- if (!ok && buf) {
+ OPENSSL_free(bn_data);
+ BN_free(t);
+ if (!ok) {
OPENSSL_free(buf);
buf = NULL;
}
diff --git a/src/crypto/bn/ctx.c b/src/crypto/bn/ctx.c
index e54007b..0578376 100644
--- a/src/crypto/bn/ctx.c
+++ b/src/crypto/bn/ctx.c
@@ -205,14 +205,12 @@
}
static void BN_STACK_finish(BN_STACK *st) {
- if (st->size)
- OPENSSL_free(st->indexes);
+ OPENSSL_free(st->indexes);
}
static int BN_STACK_push(BN_STACK *st, unsigned int idx) {
- if (st->depth == st->size)
- /* Need to expand */
- {
+ if (st->depth == st->size) {
+ /* Need to expand */
unsigned int newsize =
(st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES);
unsigned int *newitems = OPENSSL_malloc(newsize * sizeof(unsigned int));
@@ -222,9 +220,7 @@
if (st->depth) {
memcpy(newitems, st->indexes, st->depth * sizeof(unsigned int));
}
- if (st->size) {
- OPENSSL_free(st->indexes);
- }
+ OPENSSL_free(st->indexes);
st->indexes = newitems;
st->size = newsize;
}
diff --git a/src/crypto/bn/div.c b/src/crypto/bn/div.c
index d65957a..3588ea1 100644
--- a/src/crypto/bn/div.c
+++ b/src/crypto/bn/div.c
@@ -278,12 +278,14 @@
t2 = (BN_ULLONG)d1 * q;
for (;;) {
- if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) | wnump[-2]))
+ if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) | wnump[-2])) {
break;
+ }
q--;
rem += d0;
- if (rem < d0)
+ if (rem < d0) {
break; /* don't let rem overflow */
+ }
t2 -= d1;
}
#else /* !BN_LLONG */
@@ -316,14 +318,17 @@
#endif
for (;;) {
- if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
+ if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2]))) {
break;
+ }
q--;
rem += d0;
- if (rem < d0)
+ if (rem < d0) {
break; /* don't let rem overflow */
- if (t2l < d1)
+ }
+ if (t2l < d1) {
t2h--;
+ }
t2l -= d1;
}
#endif /* !BN_LLONG */
@@ -357,7 +362,9 @@
* BN_rshift() will overwrite it.
*/
int neg = num->neg;
- BN_rshift(rm, snum, norm_shift);
+ if (!BN_rshift(rm, snum, norm_shift)) {
+ goto err;
+ }
if (!BN_is_zero(rm)) {
rm->neg = neg;
}
@@ -485,9 +492,7 @@
ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m));
- if (abs_m) {
- BN_free(abs_m);
- }
+ BN_free(abs_m);
return ret;
}
diff --git a/src/crypto/bn/exponentiation.c b/src/crypto/bn/exponentiation.c
index 53f3e9c..d3063c9 100644
--- a/src/crypto/bn/exponentiation.c
+++ b/src/crypto/bn/exponentiation.c
@@ -172,12 +172,13 @@
}
}
}
- ret = 1;
-err:
if (r != rr) {
BN_copy(r, rr);
}
+ ret = 1;
+
+err:
BN_CTX_end(ctx);
return ret;
}
@@ -685,12 +686,14 @@
j = m->top; /* borrow j */
if (m->d[j - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
- if (bn_wexpand(r, j) == NULL)
+ if (bn_wexpand(r, j) == NULL) {
goto err;
+ }
/* 2^(top*BN_BITS2) - m */
r->d[0] = (0 - m->d[0]) & BN_MASK2;
- for (i = 1; i < j; i++)
+ for (i = 1; i < j; i++) {
r->d[i] = (~m->d[i]) & BN_MASK2;
+ }
r->top = j;
/* Upper words will be zero if the corresponding words of 'm'
* were 0xfff[...], so decrement r->top accordingly. */
@@ -704,9 +707,8 @@
int wend; /* The bottom bit of the window */
if (BN_is_bit_set(p, wstart) == 0) {
- if (!start) {
- if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
- goto err;
+ if (!start && !BN_mod_mul_montgomery(r, r, r, mont, ctx)) {
+ goto err;
}
if (wstart == 0) {
break;
@@ -761,7 +763,7 @@
ret = 1;
err:
- if (in_mont == NULL && mont != NULL) {
+ if (in_mont == NULL) {
BN_MONT_CTX_free(mont);
}
BN_CTX_end(ctx);
@@ -876,15 +878,14 @@
BN_CTX_start(ctx);
/* Allocate a montgomery context if it was not supplied by the caller.
- * If this is not done, things will break in the montgomery part.
- */
- if (in_mont != NULL)
+ * If this is not done, things will break in the montgomery part. */
+ if (in_mont != NULL) {
mont = in_mont;
- else {
- if ((mont = BN_MONT_CTX_new()) == NULL)
+ } else {
+ mont = BN_MONT_CTX_new();
+ if (mont == NULL || !BN_MONT_CTX_set(mont, m, ctx)) {
goto err;
- if (!BN_MONT_CTX_set(mont, m, ctx))
- goto err;
+ }
}
#ifdef RSAZ_ENABLED
@@ -893,8 +894,9 @@
* crypto/bn/rsaz_exp.c and accompanying assembly modules. */
if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024) &&
rsaz_avx2_eligible()) {
- if (NULL == bn_wexpand(rr, 16))
+ if (NULL == bn_wexpand(rr, 16)) {
goto err;
+ }
RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d, mont->n0[0]);
rr->top = 16;
rr->neg = 0;
@@ -902,8 +904,9 @@
ret = 1;
goto err;
} else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
- if (NULL == bn_wexpand(rr, 8))
+ if (NULL == bn_wexpand(rr, 8)) {
goto err;
+ }
RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
rr->top = 8;
rr->neg = 0;
@@ -918,8 +921,9 @@
#if defined(OPENSSL_BN_ASM_MONT5)
if (window >= 5) {
window = 5; /* ~5% improvement for RSA2048 sign, and even for RSA4096 */
- if ((top & 7) == 0)
+ if ((top & 7) == 0) {
powerbufLen += 2 * top * sizeof(m->d[0]);
+ }
}
#endif
(void)0;
@@ -932,20 +936,24 @@
sizeof(m->d[0]) *
(top * numPowers + ((2 * top) > numPowers ? (2 * top) : numPowers));
#ifdef alloca
- if (powerbufLen < 3072)
+ if (powerbufLen < 3072) {
powerbufFree = alloca(powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH);
- else
+ } else
#endif
- if ((powerbufFree = (unsigned char *)OPENSSL_malloc(
- powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL)
- goto err;
+ {
+ if ((powerbufFree = (unsigned char *)OPENSSL_malloc(
+ powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL) {
+ goto err;
+ }
+ }
powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
memset(powerbuf, 0, powerbufLen);
#ifdef alloca
- if (powerbufLen < 3072)
+ if (powerbufLen < 3072) {
powerbufFree = NULL;
+ }
#endif
/* lay down tmp and am right after powers table */
@@ -961,20 +969,23 @@
if (m->d[top - 1] & (((BN_ULONG)1) << (BN_BITS2 - 1))) {
/* 2^(top*BN_BITS2) - m */
tmp.d[0] = (0 - m->d[0]) & BN_MASK2;
- for (i = 1; i < top; i++)
+ for (i = 1; i < top; i++) {
tmp.d[i] = (~m->d[i]) & BN_MASK2;
+ }
tmp.top = top;
- } else if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx))
+ } else if (!BN_to_montgomery(&tmp, BN_value_one(), mont, ctx)) {
goto err;
+ }
/* prepare a^1 in Montgomery domain */
if (a->neg || BN_ucmp(a, m) >= 0) {
- if (!BN_mod(&am, a, m, ctx))
+ if (!BN_mod(&am, a, m, ctx) ||
+ !BN_to_montgomery(&am, &am, mont, ctx)) {
goto err;
- if (!BN_to_montgomery(&am, &am, mont, ctx))
- goto err;
- } else if (!BN_to_montgomery(&am, a, mont, ctx))
+ }
+ } else if (!BN_to_montgomery(&am, a, mont, ctx)) {
goto err;
+ }
#if defined(OPENSSL_BN_ASM_MONT5)
/* This optimization uses ideas from http://eprint.iacr.org/2011/239,
@@ -1001,16 +1012,20 @@
/* BN_to_montgomery can contaminate words above .top
* [in BN_DEBUG[_DEBUG] build]... */
- for (i = am.top; i < top; i++)
+ for (i = am.top; i < top; i++) {
am.d[i] = 0;
- for (i = tmp.top; i < top; i++)
+ }
+ for (i = tmp.top; i < top; i++) {
tmp.d[i] = 0;
+ }
- if (top & 7)
+ if (top & 7) {
np2 = np;
- else
- for (np2 = am.d + top, i = 0; i < top; i++)
+ } else {
+ for (np2 = am.d + top, i = 0; i < top; i++) {
np2[2 * i] = np[i];
+ }
+ }
bn_scatter5(tmp.d, top, powerbuf, 0);
bn_scatter5(am.d, am.top, powerbuf, 1);
@@ -1043,8 +1058,9 @@
}
bits--;
- for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--)
+ for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--) {
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
+ }
bn_gather5(tmp.d, top, powerbuf, wvalue);
/* At this point |bits| is 4 mod 5 and at least -1. (|bits| is the first bit
@@ -1056,8 +1072,9 @@
*/
if (top & 7) {
while (bits >= 0) {
- for (wvalue = 0, i = 0; i < 5; i++, bits--)
+ for (wvalue = 0, i = 0; i < 5; i++, bits--) {
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
+ }
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
@@ -1101,17 +1118,18 @@
tmp.top = top;
bn_correct_top(&tmp);
if (ret) {
- if (!BN_copy(rr, &tmp))
+ if (!BN_copy(rr, &tmp)) {
ret = 0;
+ }
goto err; /* non-zero ret means it's not error */
}
} else
#endif
{
- if (!copy_to_prebuf(&tmp, top, powerbuf, 0, numPowers))
+ if (!copy_to_prebuf(&tmp, top, powerbuf, 0, numPowers) ||
+ !copy_to_prebuf(&am, top, powerbuf, 1, numPowers)) {
goto err;
- if (!copy_to_prebuf(&am, top, powerbuf, 1, numPowers))
- goto err;
+ }
/* If the window size is greater than 1, then calculate
* val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
@@ -1119,24 +1137,26 @@
* to use the slight performance advantage of sqr over mul).
*/
if (window > 1) {
- if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
+ if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx) ||
+ !copy_to_prebuf(&tmp, top, powerbuf, 2, numPowers)) {
goto err;
- if (!copy_to_prebuf(&tmp, top, powerbuf, 2, numPowers))
- goto err;
+ }
for (i = 3; i < numPowers; i++) {
/* Calculate a^i = a^(i-1) * a */
- if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
+ if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx) ||
+ !copy_to_prebuf(&tmp, top, powerbuf, i, numPowers)) {
goto err;
- if (!copy_to_prebuf(&tmp, top, powerbuf, i, numPowers))
- goto err;
+ }
}
}
bits--;
- for (wvalue = 0, i = bits % window; i >= 0; i--, bits--)
+ for (wvalue = 0, i = bits % window; i >= 0; i--, bits--) {
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
- if (!copy_from_prebuf(&tmp, top, powerbuf, wvalue, numPowers))
+ }
+ if (!copy_from_prebuf(&tmp, top, powerbuf, wvalue, numPowers)) {
goto err;
+ }
/* Scan the exponent one window at a time starting from the most
* significant bits.
@@ -1146,32 +1166,36 @@
/* Scan the window, squaring the result as we go */
for (i = 0; i < window; i++, bits--) {
- if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx))
+ if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx)) {
goto err;
+ }
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
}
/* Fetch the appropriate pre-computed value from the pre-buf */
- if (!copy_from_prebuf(&am, top, powerbuf, wvalue, numPowers))
+ if (!copy_from_prebuf(&am, top, powerbuf, wvalue, numPowers)) {
goto err;
+ }
/* Multiply the result into the intermediate result */
- if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx))
+ if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) {
goto err;
+ }
}
}
/* Convert the final result from montgomery to standard format */
- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
+ if (!BN_from_montgomery(rr, &tmp, mont, ctx)) {
goto err;
+ }
ret = 1;
err:
- if ((in_mont == NULL) && (mont != NULL))
+ if (in_mont == NULL) {
BN_MONT_CTX_free(mont);
+ }
if (powerbuf != NULL) {
OPENSSL_cleanse(powerbuf, powerbufLen);
- if (powerbufFree)
- OPENSSL_free(powerbufFree);
+ OPENSSL_free(powerbufFree);
}
BN_CTX_end(ctx);
return (ret);
@@ -1238,13 +1262,11 @@
goto err;
}
- if (in_mont != NULL)
+ if (in_mont != NULL) {
mont = in_mont;
- else {
- if ((mont = BN_MONT_CTX_new()) == NULL) {
- goto err;
- }
- if (!BN_MONT_CTX_set(mont, m, ctx)) {
+ } else {
+ mont = BN_MONT_CTX_new();
+ if (mont == NULL || !BN_MONT_CTX_set(mont, m, ctx)) {
goto err;
}
}
@@ -1328,7 +1350,7 @@
ret = 1;
err:
- if (in_mont == NULL && mont != NULL) {
+ if (in_mont == NULL) {
BN_MONT_CTX_free(mont);
}
BN_CTX_end(ctx);
@@ -1477,28 +1499,33 @@
if (!wvalue1 && BN_is_bit_set(p1, b)) {
/* consider bits b-window1+1 .. b for this window */
i = b - window1 + 1;
- while (!BN_is_bit_set(p1, i)) /* works for i<0 */
+ /* works for i<0 */
+ while (!BN_is_bit_set(p1, i)) {
i++;
+ }
wpos1 = i;
wvalue1 = 1;
for (i = b - 1; i >= wpos1; i--) {
wvalue1 <<= 1;
- if (BN_is_bit_set(p1, i))
+ if (BN_is_bit_set(p1, i)) {
wvalue1++;
+ }
}
}
if (!wvalue2 && BN_is_bit_set(p2, b)) {
/* consider bits b-window2+1 .. b for this window */
i = b - window2 + 1;
- while (!BN_is_bit_set(p2, i))
+ while (!BN_is_bit_set(p2, i)) {
i++;
+ }
wpos2 = i;
wvalue2 = 1;
for (i = b - 1; i >= wpos2; i--) {
wvalue2 <<= 1;
- if (BN_is_bit_set(p2, i))
+ if (BN_is_bit_set(p2, i)) {
wvalue2++;
+ }
}
}
@@ -1527,7 +1554,7 @@
ret = 1;
err:
- if (in_mont == NULL && mont != NULL) {
+ if (in_mont == NULL) {
BN_MONT_CTX_free(mont);
}
BN_CTX_end(ctx);
diff --git a/src/crypto/bn/gcd.c b/src/crypto/bn/gcd.c
index 2dce296..3132c29 100644
--- a/src/crypto/bn/gcd.c
+++ b/src/crypto/bn/gcd.c
@@ -258,12 +258,8 @@
goto err;
}
- BN_one(X);
BN_zero(Y);
- if (BN_copy(B, a) == NULL) {
- goto err;
- }
- if (BN_copy(A, n) == NULL) {
+ if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {
goto err;
}
A->neg = 0;
@@ -570,12 +566,8 @@
goto err;
}
- BN_one(X);
BN_zero(Y);
- if (BN_copy(B, a) == NULL) {
- goto err;
- }
- if (BN_copy(A, n) == NULL) {
+ if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {
goto err;
}
A->neg = 0;
@@ -586,8 +578,9 @@
*/
pB = &local_B;
BN_with_flags(pB, B, BN_FLG_CONSTTIME);
- if (!BN_nnmod(B, pB, A, ctx))
+ if (!BN_nnmod(B, pB, A, ctx)) {
goto err;
+ }
}
sign = -1;
/* From B = a mod |n|, A = |n| it follows that
diff --git a/src/crypto/bn/generic.c b/src/crypto/bn/generic.c
index 224a47c..0e7d867 100644
--- a/src/crypto/bn/generic.c
+++ b/src/crypto/bn/generic.c
@@ -585,23 +585,27 @@
t1 = a[0];
t2 = b[0];
r[0] = (t1 - t2 - c) & BN_MASK2;
- if (t1 != t2)
+ if (t1 != t2) {
c = (t1 < t2);
+ }
t1 = a[1];
t2 = b[1];
r[1] = (t1 - t2 - c) & BN_MASK2;
- if (t1 != t2)
+ if (t1 != t2) {
c = (t1 < t2);
+ }
t1 = a[2];
t2 = b[2];
r[2] = (t1 - t2 - c) & BN_MASK2;
- if (t1 != t2)
+ if (t1 != t2) {
c = (t1 < t2);
+ }
t1 = a[3];
t2 = b[3];
r[3] = (t1 - t2 - c) & BN_MASK2;
- if (t1 != t2)
+ if (t1 != t2) {
c = (t1 < t2);
+ }
a += 4;
b += 4;
r += 4;
@@ -611,8 +615,9 @@
t1 = a[0];
t2 = b[0];
r[0] = (t1 - t2 - c) & BN_MASK2;
- if (t1 != t2)
+ if (t1 != t2) {
c = (t1 < t2);
+ }
a++;
b++;
r++;
@@ -1050,11 +1055,13 @@
#ifdef mul64
mh = HBITS(ml);
ml = LBITS(ml);
- for (j = 0; j < num; ++j)
+ for (j = 0; j < num; ++j) {
mul(tp[j], ap[j], ml, mh, c0);
+ }
#else
- for (j = 0; j < num; ++j)
+ for (j = 0; j < num; ++j) {
mul(tp[j], ap[j], ml, c0);
+ }
#endif
tp[num] = c0;
@@ -1067,11 +1074,13 @@
#ifdef mul64
mh = HBITS(ml);
ml = LBITS(ml);
- for (j = 0; j < num; ++j)
+ for (j = 0; j < num; ++j) {
mul_add(tp[j], ap[j], ml, mh, c0);
+ }
#else
- for (j = 0; j < num; ++j)
+ for (j = 0; j < num; ++j) {
mul_add(tp[j], ap[j], ml, c0);
+ }
#endif
c1 = (tp[num] + c0) & BN_MASK2;
tp[num] = c1;
@@ -1104,13 +1113,15 @@
if (tp[num] != 0 || tp[num - 1] >= np[num - 1]) {
c0 = bn_sub_words(rp, tp, np, num);
if (tp[num] != 0 || c0 == 0) {
- for (i = 0; i < num + 2; i++)
+ for (i = 0; i < num + 2; i++) {
vp[i] = 0;
+ }
return 1;
}
}
- for (i = 0; i < num; i++)
+ for (i = 0; i < num; i++) {
rp[i] = tp[i], vp[i] = 0;
+ }
vp[num] = 0;
vp[num + 1] = 0;
return 1;
diff --git a/src/crypto/bn/internal.h b/src/crypto/bn/internal.h
index d421cf3..2674b3c 100644
--- a/src/crypto/bn/internal.h
+++ b/src/crypto/bn/internal.h
@@ -125,10 +125,10 @@
#include <openssl/base.h>
-#include <inttypes.h>
-
#if defined(OPENSSL_X86_64) && defined(_MSC_VER) && _MSC_VER >= 1400
+#pragma warning(push, 3)
#include <intrin.h>
+#pragma warning(pop)
#pragma intrinsic(__umulh, _umul128)
#endif
@@ -159,10 +159,7 @@
#define BN_MASK2h1 (0xffffffff80000000L)
#define BN_TBIT (0x8000000000000000L)
#define BN_DEC_CONV (10000000000000000000UL)
-#define BN_DEC_FMT1 "%" PRIu64
-#define BN_DEC_FMT2 "%019" PRIu64
#define BN_DEC_NUM 19
-#define BN_HEX_FMT1 "%" PRIx64
#elif defined(OPENSSL_32_BIT)
@@ -179,10 +176,7 @@
#define BN_MASK2h (0xffff0000L)
#define BN_TBIT (0x80000000L)
#define BN_DEC_CONV (1000000000L)
-#define BN_DEC_FMT1 "%" PRIu32
-#define BN_DEC_FMT2 "%09" PRIu32
#define BN_DEC_NUM 9
-#define BN_HEX_FMT1 "%" PRIx32
#else
#error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
diff --git a/src/crypto/bn/montgomery.c b/src/crypto/bn/montgomery.c
index 65e177c..152cf2d 100644
--- a/src/crypto/bn/montgomery.c
+++ b/src/crypto/bn/montgomery.c
@@ -114,6 +114,7 @@
#include <openssl/thread.h>
#include "internal.h"
+#include "../internal.h"
#if !defined(OPENSSL_NO_ASM) && \
@@ -292,44 +293,36 @@
return ret;
}
-BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
- const BIGNUM *mod, BN_CTX *ctx) {
- BN_MONT_CTX *ret;
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,
+ const BIGNUM *mod, BN_CTX *bn_ctx) {
+ CRYPTO_MUTEX_lock_read(lock);
+ BN_MONT_CTX *ctx = *pmont;
+ CRYPTO_MUTEX_unlock(lock);
- CRYPTO_r_lock(lock);
- ret = *pmont;
- CRYPTO_r_unlock(lock);
- if (ret) {
- return ret;
+ if (ctx) {
+ return ctx;
}
- /* We don't want to serialise globally while doing our lazy-init math in
- * BN_MONT_CTX_set. That punishes threads that are doing independent
- * things. Instead, punish the case where more than one thread tries to
- * lazy-init the same 'pmont', by having each do the lazy-init math work
- * independently and only use the one from the thread that wins the race
- * (the losers throw away the work they've done). */
- ret = BN_MONT_CTX_new();
- if (!ret) {
- return NULL;
- }
- if (!BN_MONT_CTX_set(ret, mod, ctx)) {
- BN_MONT_CTX_free(ret);
- return NULL;
+ CRYPTO_MUTEX_lock_write(lock);
+ ctx = *pmont;
+ if (ctx) {
+ goto out;
}
- /* The locked compare-and-set, after the local work is done. */
- CRYPTO_w_lock(lock);
- if (*pmont) {
- BN_MONT_CTX_free(ret);
- ret = *pmont;
- } else {
- *pmont = ret;
+ ctx = BN_MONT_CTX_new();
+ if (ctx == NULL) {
+ goto out;
}
+ if (!BN_MONT_CTX_set(ctx, mod, bn_ctx)) {
+ BN_MONT_CTX_free(ctx);
+ ctx = NULL;
+ goto out;
+ }
+ *pmont = ctx;
- CRYPTO_w_unlock(lock);
-
- return ret;
+out:
+ CRYPTO_MUTEX_unlock(lock);
+ return ctx;
}
int BN_to_montgomery(BIGNUM *ret, const BIGNUM *a, const BN_MONT_CTX *mont,
@@ -514,8 +507,9 @@
return 0;
}
- if (BN_copy(t, a))
+ if (BN_copy(t, a)) {
retn = BN_from_montgomery_word(ret, t, mont);
+ }
BN_CTX_end(ctx);
return retn;
diff --git a/src/crypto/bn/mul.c b/src/crypto/bn/mul.c
index 80c6288..a17d766 100644
--- a/src/crypto/bn/mul.c
+++ b/src/crypto/bn/mul.c
@@ -150,8 +150,9 @@
assert(cl >= 0);
c = bn_sub_words(r, a, b, cl);
- if (dl == 0)
+ if (dl == 0) {
return c;
+ }
r += cl;
a += cl;
@@ -330,8 +331,9 @@
/* Else do normal multiply */
if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
- if ((dna + dnb) < 0)
+ if ((dna + dnb) < 0) {
memset(&r[2 * n2 + dna + dnb], 0, sizeof(BN_ULONG) * -(dna + dnb));
+ }
return;
}
diff --git a/src/crypto/bn/prime.c b/src/crypto/bn/prime.c
index fc9a3d5..cf3afcf 100644
--- a/src/crypto/bn/prime.c
+++ b/src/crypto/bn/prime.c
@@ -659,7 +659,13 @@
/* If bits is so small that it fits into a single word then we
* additionally don't want to exceed that many bits. */
if (is_single_word) {
- BN_ULONG size_limit = (((BN_ULONG)1) << bits) - get_word(rnd) - 1;
+ BN_ULONG size_limit;
+ if (bits == BN_BITS2) {
+ /* Avoid undefined behavior. */
+ size_limit = ~((BN_ULONG)0) - get_word(rnd);
+ } else {
+ size_limit = (((BN_ULONG)1) << bits) - get_word(rnd) - 1;
+ }
if (size_limit < maxdelta) {
maxdelta = size_limit;
}
@@ -682,8 +688,9 @@
for (i = 1; i < NUMPRIMES && primes[i] < rnd_word; i++) {
if ((mods[i] + delta) % primes[i] == 0) {
delta += 2;
- if (delta > maxdelta)
+ if (delta > maxdelta) {
goto again;
+ }
goto loop;
}
}
@@ -693,8 +700,9 @@
* that gcd(rnd-1,primes) == 1 (except for 2) */
if (((mods[i] + delta) % primes[i]) <= 1) {
delta += 2;
- if (delta > maxdelta)
+ if (delta > maxdelta) {
goto again;
+ }
goto loop;
}
}
diff --git a/src/crypto/bn/random.c b/src/crypto/bn/random.c
index 285bf26..3be7510 100644
--- a/src/crypto/bn/random.c
+++ b/src/crypto/bn/random.c
@@ -321,8 +321,6 @@
ret = 1;
err:
- if (k_bytes) {
- OPENSSL_free(k_bytes);
- }
+ OPENSSL_free(k_bytes);
return ret;
}
diff --git a/src/crypto/bn/sqrt.c b/src/crypto/bn/sqrt.c
index 07041f9..e71a818 100644
--- a/src/crypto/bn/sqrt.c
+++ b/src/crypto/bn/sqrt.c
@@ -420,7 +420,7 @@
end:
if (err) {
- if (ret != NULL && ret != in) {
+ if (ret != in) {
BN_clear_free(ret);
}
ret = NULL;
diff --git a/src/crypto/buf/CMakeLists.txt b/src/crypto/buf/CMakeLists.txt
index dabf8d1..19edf7d 100644
--- a/src/crypto/buf/CMakeLists.txt
+++ b/src/crypto/buf/CMakeLists.txt
@@ -6,5 +6,4 @@
OBJECT
buf.c
- buf_error.c
)
diff --git a/src/crypto/buf/buf_error.c b/src/crypto/buf/buf_error.c
deleted file mode 100644
index fac6011..0000000
--- a/src/crypto/buf/buf_error.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/buf.h>
-
-const ERR_STRING_DATA BUF_error_string_data[] = {
- {ERR_PACK(ERR_LIB_BUF, BUF_F_BUF_MEM_new, 0), "BUF_MEM_new"},
- {ERR_PACK(ERR_LIB_BUF, BUF_F_BUF_memdup, 0), "BUF_memdup"},
- {ERR_PACK(ERR_LIB_BUF, BUF_F_BUF_strndup, 0), "BUF_strndup"},
- {ERR_PACK(ERR_LIB_BUF, BUF_F_buf_mem_grow, 0), "buf_mem_grow"},
- {0, NULL},
-};
diff --git a/src/crypto/bytestring/CMakeLists.txt b/src/crypto/bytestring/CMakeLists.txt
index 8d6be7b..d1f0441 100644
--- a/src/crypto/bytestring/CMakeLists.txt
+++ b/src/crypto/bytestring/CMakeLists.txt
@@ -13,7 +13,7 @@
add_executable(
bytestring_test
- bytestring_test.c
+ bytestring_test.cc
)
target_link_libraries(bytestring_test crypto)
diff --git a/src/crypto/bytestring/bytestring_test.c b/src/crypto/bytestring/bytestring_test.cc
similarity index 65%
rename from src/crypto/bytestring/bytestring_test.c
rename to src/crypto/bytestring/bytestring_test.cc
index cd0155e..66e9c1e 100644
--- a/src/crypto/bytestring/bytestring_test.c
+++ b/src/crypto/bytestring/bytestring_test.cc
@@ -16,14 +16,17 @@
#include <stdlib.h>
#include <string.h>
+#include <vector>
+
#include <openssl/crypto.h>
#include <openssl/bytestring.h>
#include "internal.h"
#include "../internal.h"
+#include "../test/scoped_types.h"
-static int test_skip(void) {
+static bool TestSkip() {
static const uint8_t kData[] = {1, 2, 3};
CBS data;
@@ -36,7 +39,7 @@
!CBS_skip(&data, 1);
}
-static int test_get_u(void) {
+static bool TestGetUint() {
static const uint8_t kData[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
uint8_t u8;
uint16_t u16;
@@ -55,7 +58,7 @@
!CBS_get_u8(&data, &u8);
}
-static int test_get_prefixed(void) {
+static bool TestGetPrefixed() {
static const uint8_t kData[] = {1, 2, 0, 2, 3, 4, 0, 0, 3, 3, 2, 1};
uint8_t u8;
uint16_t u16;
@@ -77,7 +80,7 @@
u32 == 0x30201;
}
-static int test_get_prefixed_bad(void) {
+static bool TestGetPrefixedBad() {
static const uint8_t kData1[] = {2, 1};
static const uint8_t kData2[] = {0, 2, 1};
static const uint8_t kData3[] = {0, 0, 2, 1};
@@ -85,23 +88,23 @@
CBS_init(&data, kData1, sizeof(kData1));
if (CBS_get_u8_length_prefixed(&data, &prefixed)) {
- return 0;
+ return false;
}
CBS_init(&data, kData2, sizeof(kData2));
if (CBS_get_u16_length_prefixed(&data, &prefixed)) {
- return 0;
+ return false;
}
CBS_init(&data, kData3, sizeof(kData3));
if (CBS_get_u24_length_prefixed(&data, &prefixed)) {
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-static int test_get_asn1(void) {
+static bool TestGetASN1() {
static const uint8_t kData1[] = {0x30, 2, 1, 2};
static const uint8_t kData2[] = {0x30, 3, 1, 2};
static const uint8_t kData3[] = {0x30, 0x80};
@@ -119,52 +122,52 @@
CBS_init(&data, kData1, sizeof(kData1));
if (CBS_peek_asn1_tag(&data, 0x1) ||
!CBS_peek_asn1_tag(&data, 0x30)) {
- return 0;
+ return false;
}
if (!CBS_get_asn1(&data, &contents, 0x30) ||
CBS_len(&contents) != 2 ||
memcmp(CBS_data(&contents), "\x01\x02", 2) != 0) {
- return 0;
+ return false;
}
CBS_init(&data, kData2, sizeof(kData2));
- /* data is truncated */
+ // data is truncated
if (CBS_get_asn1(&data, &contents, 0x30)) {
- return 0;
+ return false;
}
CBS_init(&data, kData3, sizeof(kData3));
- /* zero byte length of length */
+ // zero byte length of length
if (CBS_get_asn1(&data, &contents, 0x30)) {
- return 0;
+ return false;
}
CBS_init(&data, kData4, sizeof(kData4));
- /* long form mistakenly used. */
+ // long form mistakenly used.
if (CBS_get_asn1(&data, &contents, 0x30)) {
- return 0;
+ return false;
}
CBS_init(&data, kData5, sizeof(kData5));
- /* length takes too many bytes. */
+ // length takes too many bytes.
if (CBS_get_asn1(&data, &contents, 0x30)) {
- return 0;
+ return false;
}
CBS_init(&data, kData1, sizeof(kData1));
- /* wrong tag. */
+ // wrong tag.
if (CBS_get_asn1(&data, &contents, 0x31)) {
- return 0;
+ return false;
}
CBS_init(&data, NULL, 0);
- /* peek at empty data. */
+ // peek at empty data.
if (CBS_peek_asn1_tag(&data, 0x30)) {
- return 0;
+ return false;
}
CBS_init(&data, NULL, 0);
- /* optional elements at empty data. */
+ // optional elements at empty data.
if (!CBS_get_optional_asn1(&data, &contents, &present, 0xa0) ||
present ||
!CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa0) ||
@@ -174,22 +177,22 @@
CBS_len(&contents) != 0 ||
!CBS_get_optional_asn1_uint64(&data, &value, 0xa0, 42) ||
value != 42) {
- return 0;
+ return false;
}
CBS_init(&data, kData6, sizeof(kData6));
- /* optional element. */
+ // optional element.
if (!CBS_get_optional_asn1(&data, &contents, &present, 0xa0) ||
present ||
!CBS_get_optional_asn1(&data, &contents, &present, 0xa1) ||
!present ||
CBS_len(&contents) != 3 ||
memcmp(CBS_data(&contents), "\x04\x01\x01", 3) != 0) {
- return 0;
+ return false;
}
CBS_init(&data, kData6, sizeof(kData6));
- /* optional octet string. */
+ // optional octet string.
if (!CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa0) ||
present ||
CBS_len(&contents) != 0 ||
@@ -197,97 +200,96 @@
!present ||
CBS_len(&contents) != 1 ||
CBS_data(&contents)[0] != 1) {
- return 0;
+ return false;
}
CBS_init(&data, kData7, sizeof(kData7));
- /* invalid optional octet string. */
+ // invalid optional octet string.
if (CBS_get_optional_asn1_octet_string(&data, &contents, &present, 0xa1)) {
- return 0;
+ return false;
}
CBS_init(&data, kData8, sizeof(kData8));
- /* optional octet string. */
+ // optional octet string.
if (!CBS_get_optional_asn1_uint64(&data, &value, 0xa0, 42) ||
value != 42 ||
!CBS_get_optional_asn1_uint64(&data, &value, 0xa1, 42) ||
value != 1) {
- return 0;
+ return false;
}
CBS_init(&data, kData9, sizeof(kData9));
- /* invalid optional integer. */
+ // invalid optional integer.
if (CBS_get_optional_asn1_uint64(&data, &value, 0xa1, 42)) {
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-static int test_get_optional_asn1_bool(void) {
- CBS data;
- int val;
-
+static bool TestGetOptionalASN1Bool() {
static const uint8_t kTrue[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0xff};
static const uint8_t kFalse[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0x00};
static const uint8_t kInvalid[] = {0x0a, 3, CBS_ASN1_BOOLEAN, 1, 0x01};
+ CBS data;
CBS_init(&data, NULL, 0);
- val = 2;
+ int val = 2;
if (!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 0) ||
val != 0) {
- return 0;
+ return false;
}
CBS_init(&data, kTrue, sizeof(kTrue));
val = 2;
if (!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 0) ||
val != 1) {
- return 0;
+ return false;
}
CBS_init(&data, kFalse, sizeof(kFalse));
val = 2;
if (!CBS_get_optional_asn1_bool(&data, &val, 0x0a, 1) ||
val != 0) {
- return 0;
+ return false;
}
CBS_init(&data, kInvalid, sizeof(kInvalid));
if (CBS_get_optional_asn1_bool(&data, &val, 0x0a, 1)) {
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-static int test_cbb_basic(void) {
+static bool TestCBBBasic() {
static const uint8_t kExpected[] = {1, 2, 3, 4, 5, 6, 7, 8};
uint8_t *buf;
size_t buf_len;
- int ok;
CBB cbb;
if (!CBB_init(&cbb, 100)) {
- return 0;
+ return false;
}
CBB_cleanup(&cbb);
- if (!CBB_init(&cbb, 0) ||
- !CBB_add_u8(&cbb, 1) ||
+ if (!CBB_init(&cbb, 0)) {
+ return false;
+ }
+ if (!CBB_add_u8(&cbb, 1) ||
!CBB_add_u16(&cbb, 0x203) ||
!CBB_add_u24(&cbb, 0x40506) ||
!CBB_add_bytes(&cbb, (const uint8_t*) "\x07\x08", 2) ||
!CBB_finish(&cbb, &buf, &buf_len)) {
- return 0;
+ CBB_cleanup(&cbb);
+ return false;
}
- ok = buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
- free(buf);
- return ok;
+ ScopedOpenSSLBytes scoper(buf);
+ return buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
}
-static int test_cbb_fixed(void) {
+static bool TestCBBFixed() {
CBB cbb;
uint8_t buf[1];
uint8_t *out_buf;
@@ -298,7 +300,7 @@
!CBB_finish(&cbb, &out_buf, &out_size) ||
out_buf != NULL ||
out_size != 0) {
- return 0;
+ return false;
}
if (!CBB_init_fixed(&cbb, buf, 1) ||
@@ -308,40 +310,41 @@
out_buf != buf ||
out_size != 1 ||
buf[0] != 1) {
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-static int test_cbb_finish_child(void) {
+static bool TestCBBFinishChild() {
CBB cbb, child;
uint8_t *out_buf;
size_t out_size;
- if (!CBB_init(&cbb, 16) ||
- !CBB_add_u8_length_prefixed(&cbb, &child) ||
- CBB_finish(&child, &out_buf, &out_size) ||
- !CBB_finish(&cbb, &out_buf, &out_size) ||
- out_size != 1 ||
- out_buf[0] != 0) {
- return 0;
+ if (!CBB_init(&cbb, 16)) {
+ return false;
}
-
- free(out_buf);
- return 1;
+ if (!CBB_add_u8_length_prefixed(&cbb, &child) ||
+ CBB_finish(&child, &out_buf, &out_size) ||
+ !CBB_finish(&cbb, &out_buf, &out_size)) {
+ CBB_cleanup(&cbb);
+ return false;
+ }
+ ScopedOpenSSLBytes scoper(out_buf);
+ return out_size == 1 && out_buf[0] == 0;
}
-static int test_cbb_prefixed(void) {
+static bool TestCBBPrefixed() {
static const uint8_t kExpected[] = {0, 1, 1, 0, 2, 2, 3, 0, 0, 3,
4, 5, 6, 5, 4, 1, 0, 1, 2};
uint8_t *buf;
size_t buf_len;
CBB cbb, contents, inner_contents, inner_inner_contents;
- int ok;
- if (!CBB_init(&cbb, 0) ||
- !CBB_add_u8_length_prefixed(&cbb, &contents) ||
+ if (!CBB_init(&cbb, 0)) {
+ return false;
+ }
+ if (!CBB_add_u8_length_prefixed(&cbb, &contents) ||
!CBB_add_u8_length_prefixed(&cbb, &contents) ||
!CBB_add_u8(&contents, 1) ||
!CBB_add_u16_length_prefixed(&cbb, &contents) ||
@@ -354,28 +357,31 @@
!CBB_add_u16_length_prefixed(&inner_contents, &inner_inner_contents) ||
!CBB_add_u8(&inner_inner_contents, 2) ||
!CBB_finish(&cbb, &buf, &buf_len)) {
- return 0;
+ CBB_cleanup(&cbb);
+ return false;
}
- ok = buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
- free(buf);
- return ok;
+ ScopedOpenSSLBytes scoper(buf);
+ return buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
}
-static int test_cbb_misuse(void) {
+static bool TestCBBMisuse() {
CBB cbb, child, contents;
uint8_t *buf;
size_t buf_len;
- if (!CBB_init(&cbb, 0) ||
- !CBB_add_u8_length_prefixed(&cbb, &child) ||
+ if (!CBB_init(&cbb, 0)) {
+ return false;
+ }
+ if (!CBB_add_u8_length_prefixed(&cbb, &child) ||
!CBB_add_u8(&child, 1) ||
!CBB_add_u8(&cbb, 2)) {
- return 0;
+ CBB_cleanup(&cbb);
+ return false;
}
- /* Since we wrote to |cbb|, |child| is now invalid and attempts to write to
- * it should fail. */
+ // Since we wrote to |cbb|, |child| is now invalid and attempts to write to
+ // it should fail.
if (CBB_add_u8(&child, 1) ||
CBB_add_u16(&child, 1) ||
CBB_add_u24(&child, 1) ||
@@ -384,91 +390,104 @@
CBB_add_asn1(&child, &contents, 1) ||
CBB_add_bytes(&child, (const uint8_t*) "a", 1)) {
fprintf(stderr, "CBB operation on invalid CBB did not fail.\n");
- return 0;
+ CBB_cleanup(&cbb);
+ return false;
}
- if (!CBB_finish(&cbb, &buf, &buf_len) ||
- buf_len != 3 ||
+ if (!CBB_finish(&cbb, &buf, &buf_len)) {
+ CBB_cleanup(&cbb);
+ return false;
+ }
+ ScopedOpenSSLBytes scoper(buf);
+
+ if (buf_len != 3 ||
memcmp(buf, "\x01\x01\x02", 3) != 0) {
- return 0;
+ return false;
}
-
- free(buf);
-
- return 1;
+ return true;
}
-static int test_cbb_asn1(void) {
+static bool TestCBBASN1() {
static const uint8_t kExpected[] = {0x30, 3, 1, 2, 3};
- uint8_t *buf, *test_data;
+ uint8_t *buf;
size_t buf_len;
CBB cbb, contents, inner_contents;
- if (!CBB_init(&cbb, 0) ||
- !CBB_add_asn1(&cbb, &contents, 0x30) ||
+ if (!CBB_init(&cbb, 0)) {
+ return false;
+ }
+ if (!CBB_add_asn1(&cbb, &contents, 0x30) ||
!CBB_add_bytes(&contents, (const uint8_t*) "\x01\x02\x03", 3) ||
!CBB_finish(&cbb, &buf, &buf_len)) {
- return 0;
+ CBB_cleanup(&cbb);
+ return false;
}
+ ScopedOpenSSLBytes scoper(buf);
if (buf_len != sizeof(kExpected) || memcmp(buf, kExpected, buf_len) != 0) {
- return 0;
+ return false;
}
- free(buf);
- test_data = malloc(100000);
- memset(test_data, 0x42, 100000);
+ std::vector<uint8_t> test_data(100000, 0x42);
- if (!CBB_init(&cbb, 0) ||
- !CBB_add_asn1(&cbb, &contents, 0x30) ||
- !CBB_add_bytes(&contents, test_data, 130) ||
+ if (!CBB_init(&cbb, 0)) {
+ return false;
+ }
+ if (!CBB_add_asn1(&cbb, &contents, 0x30) ||
+ !CBB_add_bytes(&contents, bssl::vector_data(&test_data), 130) ||
!CBB_finish(&cbb, &buf, &buf_len)) {
- return 0;
+ CBB_cleanup(&cbb);
+ return false;
}
+ scoper.reset(buf);
if (buf_len != 3 + 130 ||
memcmp(buf, "\x30\x81\x82", 3) != 0 ||
- memcmp(buf + 3, test_data, 130) != 0) {
- return 0;
+ memcmp(buf + 3, bssl::vector_data(&test_data), 130) != 0) {
+ return false;
}
- free(buf);
- if (!CBB_init(&cbb, 0) ||
- !CBB_add_asn1(&cbb, &contents, 0x30) ||
- !CBB_add_bytes(&contents, test_data, 1000) ||
- !CBB_finish(&cbb, &buf, &buf_len)) {
- return 0;
+ if (!CBB_init(&cbb, 0)) {
+ return false;
}
+ if (!CBB_add_asn1(&cbb, &contents, 0x30) ||
+ !CBB_add_bytes(&contents, bssl::vector_data(&test_data), 1000) ||
+ !CBB_finish(&cbb, &buf, &buf_len)) {
+ CBB_cleanup(&cbb);
+ return false;
+ }
+ scoper.reset(buf);
if (buf_len != 4 + 1000 ||
memcmp(buf, "\x30\x82\x03\xe8", 4) != 0 ||
- memcmp(buf + 4, test_data, 1000)) {
- return 0;
+ memcmp(buf + 4, bssl::vector_data(&test_data), 1000)) {
+ return false;
}
- free(buf);
- if (!CBB_init(&cbb, 0) ||
- !CBB_add_asn1(&cbb, &contents, 0x30) ||
- !CBB_add_asn1(&contents, &inner_contents, 0x30) ||
- !CBB_add_bytes(&inner_contents, test_data, 100000) ||
- !CBB_finish(&cbb, &buf, &buf_len)) {
- return 0;
+ if (!CBB_init(&cbb, 0)) {
+ return false;
}
+ if (!CBB_add_asn1(&cbb, &contents, 0x30) ||
+ !CBB_add_asn1(&contents, &inner_contents, 0x30) ||
+ !CBB_add_bytes(&inner_contents, bssl::vector_data(&test_data), 100000) ||
+ !CBB_finish(&cbb, &buf, &buf_len)) {
+ CBB_cleanup(&cbb);
+ return false;
+ }
+ scoper.reset(buf);
if (buf_len != 5 + 5 + 100000 ||
memcmp(buf, "\x30\x83\x01\x86\xa5\x30\x83\x01\x86\xa0", 10) != 0 ||
- memcmp(buf + 10, test_data, 100000)) {
- return 0;
+ memcmp(buf + 10, bssl::vector_data(&test_data), 100000)) {
+ return false;
}
- free(buf);
- free(test_data);
- return 1;
+ return true;
}
-static int do_ber_convert(const char *name,
- const uint8_t *der_expected, size_t der_len,
- const uint8_t *ber, size_t ber_len) {
+static bool DoBerConvert(const char *name,
+ const uint8_t *der_expected, size_t der_len,
+ const uint8_t *ber, size_t ber_len) {
CBS in;
uint8_t *out;
size_t out_len;
@@ -476,44 +495,44 @@
CBS_init(&in, ber, ber_len);
if (!CBS_asn1_ber_to_der(&in, &out, &out_len)) {
fprintf(stderr, "%s: CBS_asn1_ber_to_der failed.\n", name);
- return 0;
+ return false;
}
+ ScopedOpenSSLBytes scoper(out);
if (out == NULL) {
if (ber_len != der_len ||
memcmp(der_expected, ber, ber_len) != 0) {
fprintf(stderr, "%s: incorrect unconverted result.\n", name);
- return 0;
+ return false;
}
- return 1;
+ return true;
}
if (out_len != der_len ||
memcmp(out, der_expected, der_len) != 0) {
fprintf(stderr, "%s: incorrect converted result.\n", name);
- return 0;
+ return false;
}
- free(out);
- return 1;
+ return true;
}
-static int test_ber_convert(void) {
+static bool TestBerConvert() {
static const uint8_t kSimpleBER[] = {0x01, 0x01, 0x00};
- /* kIndefBER contains a SEQUENCE with an indefinite length. */
+ // kIndefBER contains a SEQUENCE with an indefinite length.
static const uint8_t kIndefBER[] = {0x30, 0x80, 0x01, 0x01, 0x02, 0x00, 0x00};
static const uint8_t kIndefDER[] = {0x30, 0x03, 0x01, 0x01, 0x02};
- /* kOctetStringBER contains an indefinite length OCTETSTRING with two parts.
- * These parts need to be concatenated in DER form. */
+ // kOctetStringBER contains an indefinite length OCTETSTRING with two parts.
+ // These parts need to be concatenated in DER form.
static const uint8_t kOctetStringBER[] = {0x24, 0x80, 0x04, 0x02, 0, 1,
0x04, 0x02, 2, 3, 0x00, 0x00};
static const uint8_t kOctetStringDER[] = {0x04, 0x04, 0, 1, 2, 3};
- /* kNSSBER is part of a PKCS#12 message generated by NSS that uses indefinite
- * length elements extensively. */
+ // kNSSBER is part of a PKCS#12 message generated by NSS that uses indefinite
+ // length elements extensively.
static const uint8_t kNSSBER[] = {
0x30, 0x80, 0x02, 0x01, 0x03, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x80, 0x24, 0x80, 0x04, 0x04,
@@ -536,56 +555,57 @@
0x6e, 0x10, 0x9b, 0xb8, 0x02, 0x02, 0x07, 0xd0,
};
- return do_ber_convert("kSimpleBER", kSimpleBER, sizeof(kSimpleBER),
- kSimpleBER, sizeof(kSimpleBER)) &&
- do_ber_convert("kIndefBER", kIndefDER, sizeof(kIndefDER), kIndefBER,
- sizeof(kIndefBER)) &&
- do_ber_convert("kOctetStringBER", kOctetStringDER,
- sizeof(kOctetStringDER), kOctetStringBER,
- sizeof(kOctetStringBER)) &&
- do_ber_convert("kNSSBER", kNSSDER, sizeof(kNSSDER), kNSSBER,
- sizeof(kNSSBER));
+ return DoBerConvert("kSimpleBER", kSimpleBER, sizeof(kSimpleBER),
+ kSimpleBER, sizeof(kSimpleBER)) &&
+ DoBerConvert("kIndefBER", kIndefDER, sizeof(kIndefDER), kIndefBER,
+ sizeof(kIndefBER)) &&
+ DoBerConvert("kOctetStringBER", kOctetStringDER,
+ sizeof(kOctetStringDER), kOctetStringBER,
+ sizeof(kOctetStringBER)) &&
+ DoBerConvert("kNSSBER", kNSSDER, sizeof(kNSSDER), kNSSBER,
+ sizeof(kNSSBER));
}
-typedef struct {
+struct ASN1Uint64Test {
uint64_t value;
const char *encoding;
size_t encoding_len;
-} ASN1_UINT64_TEST;
-
-static const ASN1_UINT64_TEST kAsn1Uint64Tests[] = {
- {0, "\x02\x01\x00", 3},
- {1, "\x02\x01\x01", 3},
- {127, "\x02\x01\x7f", 3},
- {128, "\x02\x02\x00\x80", 4},
- {0xdeadbeef, "\x02\x05\x00\xde\xad\xbe\xef", 7},
- {OPENSSL_U64(0x0102030405060708),
- "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", 10},
- {OPENSSL_U64(0xffffffffffffffff),
- "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11},
};
-typedef struct {
+static const ASN1Uint64Test kASN1Uint64Tests[] = {
+ {0, "\x02\x01\x00", 3},
+ {1, "\x02\x01\x01", 3},
+ {127, "\x02\x01\x7f", 3},
+ {128, "\x02\x02\x00\x80", 4},
+ {0xdeadbeef, "\x02\x05\x00\xde\xad\xbe\xef", 7},
+ {OPENSSL_U64(0x0102030405060708),
+ "\x02\x08\x01\x02\x03\x04\x05\x06\x07\x08", 10},
+ {OPENSSL_U64(0xffffffffffffffff),
+ "\x02\x09\x00\xff\xff\xff\xff\xff\xff\xff\xff", 11},
+};
+
+struct ASN1InvalidUint64Test {
const char *encoding;
size_t encoding_len;
-} ASN1_INVALID_UINT64_TEST;
-
-static const ASN1_INVALID_UINT64_TEST kAsn1InvalidUint64Tests[] = {
- /* Bad tag. */
- {"\x03\x01\x00", 3},
- /* Empty contents. */
- {"\x02\x00", 2},
- /* Negative number. */
- {"\x02\x01\x80", 3},
- /* Overflow */
- {"\x02\x09\x01\x00\x00\x00\x00\x00\x00\x00\x00", 11},
};
-static int test_asn1_uint64(void) {
- size_t i;
+static const ASN1InvalidUint64Test kASN1InvalidUint64Tests[] = {
+ // Bad tag.
+ {"\x03\x01\x00", 3},
+ // Empty contents.
+ {"\x02\x00", 2},
+ // Negative number.
+ {"\x02\x01\x80", 3},
+ // Overflow.
+ {"\x02\x09\x01\x00\x00\x00\x00\x00\x00\x00\x00", 11},
+ // Leading zeros.
+ {"\x02\x02\x00\x01", 4},
+};
- for (i = 0; i < sizeof(kAsn1Uint64Tests) / sizeof(kAsn1Uint64Tests[0]); i++) {
- const ASN1_UINT64_TEST *test = &kAsn1Uint64Tests[i];
+static bool TestASN1Uint64() {
+ for (size_t i = 0; i < sizeof(kASN1Uint64Tests) / sizeof(kASN1Uint64Tests[0]);
+ i++) {
+ const ASN1Uint64Test *test = &kASN1Uint64Tests[i];
CBS cbs;
uint64_t value;
CBB cbb;
@@ -596,57 +616,56 @@
if (!CBS_get_asn1_uint64(&cbs, &value) ||
CBS_len(&cbs) != 0 ||
value != test->value) {
- return 0;
+ return false;
}
if (!CBB_init(&cbb, 0)) {
- return 0;
+ return false;
}
if (!CBB_add_asn1_uint64(&cbb, test->value) ||
!CBB_finish(&cbb, &out, &len)) {
CBB_cleanup(&cbb);
- return 0;
+ return false;
}
+ ScopedOpenSSLBytes scoper(out);
if (len != test->encoding_len || memcmp(out, test->encoding, len) != 0) {
- free(out);
- return 0;
+ return false;
}
- free(out);
}
- for (i = 0;
- i < sizeof(kAsn1InvalidUint64Tests) / sizeof(kAsn1InvalidUint64Tests[0]);
+ for (size_t i = 0;
+ i < sizeof(kASN1InvalidUint64Tests) / sizeof(kASN1InvalidUint64Tests[0]);
i++) {
- const ASN1_INVALID_UINT64_TEST *test = &kAsn1InvalidUint64Tests[i];
+ const ASN1InvalidUint64Test *test = &kASN1InvalidUint64Tests[i];
CBS cbs;
uint64_t value;
CBS_init(&cbs, (const uint8_t *)test->encoding, test->encoding_len);
if (CBS_get_asn1_uint64(&cbs, &value)) {
- return 0;
+ return false;
}
}
- return 1;
+ return true;
}
int main(void) {
CRYPTO_library_init();
- if (!test_skip() ||
- !test_get_u() ||
- !test_get_prefixed() ||
- !test_get_prefixed_bad() ||
- !test_get_asn1() ||
- !test_cbb_basic() ||
- !test_cbb_fixed() ||
- !test_cbb_finish_child() ||
- !test_cbb_misuse() ||
- !test_cbb_prefixed() ||
- !test_cbb_asn1() ||
- !test_ber_convert() ||
- !test_asn1_uint64() ||
- !test_get_optional_asn1_bool()) {
+ if (!TestSkip() ||
+ !TestGetUint() ||
+ !TestGetPrefixed() ||
+ !TestGetPrefixedBad() ||
+ !TestGetASN1() ||
+ !TestCBBBasic() ||
+ !TestCBBFixed() ||
+ !TestCBBFinishChild() ||
+ !TestCBBMisuse() ||
+ !TestCBBPrefixed() ||
+ !TestCBBASN1() ||
+ !TestBerConvert() ||
+ !TestASN1Uint64() ||
+ !TestGetOptionalASN1Bool()) {
return 1;
}
diff --git a/src/crypto/bytestring/cbb.c b/src/crypto/bytestring/cbb.c
index 4428836..f1e09a2 100644
--- a/src/crypto/bytestring/cbb.c
+++ b/src/crypto/bytestring/cbb.c
@@ -25,7 +25,6 @@
base = OPENSSL_malloc(sizeof(struct cbb_buffer_st));
if (base == NULL) {
- OPENSSL_free(buf);
return 0;
}
@@ -48,7 +47,12 @@
return 0;
}
- return cbb_init(cbb, buf, initial_capacity);
+ if (!cbb_init(cbb, buf, initial_capacity)) {
+ OPENSSL_free(buf);
+ return 0;
+ }
+
+ return 1;
}
int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {
@@ -62,7 +66,7 @@
void CBB_cleanup(CBB *cbb) {
if (cbb->base) {
- if (cbb->base->buf && cbb->base->can_resize) {
+ if (cbb->base->can_resize) {
OPENSSL_free(cbb->base->buf);
}
OPENSSL_free(cbb->base);
@@ -276,6 +280,11 @@
}
int CBB_add_asn1(CBB *cbb, CBB *out_contents, uint8_t tag) {
+ if ((tag & 0x1f) == 0x1f) {
+ /* Long form identifier octets are not supported. */
+ return 0;
+ }
+
if (!CBB_flush(cbb) ||
!CBB_add_u8(cbb, tag)) {
return 0;
diff --git a/src/crypto/bytestring/cbs.c b/src/crypto/bytestring/cbs.c
index b417716..10f1a99 100644
--- a/src/crypto/bytestring/cbs.c
+++ b/src/crypto/bytestring/cbs.c
@@ -52,10 +52,8 @@
}
int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len) {
- if (*out_ptr != NULL) {
- OPENSSL_free(*out_ptr);
- *out_ptr = NULL;
- }
+ OPENSSL_free(*out_ptr);
+ *out_ptr = NULL;
*out_len = 0;
if (cbs->len == 0) {
@@ -82,8 +80,9 @@
}
int CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len) {
- if (len != cbs->len)
+ if (len != cbs->len) {
return 0;
+ }
return CRYPTO_memcmp(cbs->data, data, len) == 0;
}
@@ -290,7 +289,12 @@
}
if ((data[0] & 0x80) != 0) {
- /* negative number */
+ /* Negative number. */
+ return 0;
+ }
+
+ if (data[0] == 0 && len > 1 && (data[1] & 0x80) == 0) {
+ /* Extra leading zeros. */
return 0;
}
diff --git a/src/crypto/chacha/chacha_vec.c b/src/crypto/chacha/chacha_vec.c
index 88830bc..14b54a7 100644
--- a/src/crypto/chacha/chacha_vec.c
+++ b/src/crypto/chacha/chacha_vec.c
@@ -40,6 +40,7 @@
* This implementation supports parallel processing of multiple blocks,
* including potentially using general-purpose registers. */
#if __ARM_NEON__
+#include <string.h>
#include <arm_neon.h>
#define GPR_TOO 1
#define VBPI 2
@@ -158,33 +159,19 @@
{
unsigned iters, i, *op=(unsigned *)out, *ip=(unsigned *)in, *kp;
#if defined(__ARM_NEON__)
- unsigned *np;
+ uint32_t np[2];
uint8_t alignment_buffer[16] __attribute__((aligned(16)));
#endif
vec s0, s1, s2, s3;
-#if !defined(__ARM_NEON__) && !defined(__SSE2__)
- __attribute__ ((aligned (16))) unsigned key[8], nonce[4];
-#endif
__attribute__ ((aligned (16))) unsigned chacha_const[] =
{0x61707865,0x3320646E,0x79622D32,0x6B206574};
-#if defined(__ARM_NEON__) || defined(__SSE2__)
kp = (unsigned *)key;
-#else
- ((vec *)key)[0] = REVV_BE(((vec *)key)[0]);
- ((vec *)key)[1] = REVV_BE(((vec *)key)[1]);
- nonce[0] = REVW_BE(((unsigned *)nonce)[0]);
- nonce[1] = REVW_BE(((unsigned *)nonce)[1]);
- nonce[2] = REVW_BE(((unsigned *)nonce)[2]);
- nonce[3] = REVW_BE(((unsigned *)nonce)[3]);
- kp = (unsigned *)key;
- np = (unsigned *)nonce;
-#endif
#if defined(__ARM_NEON__)
- np = (unsigned*) nonce;
+ memcpy(np, nonce, 8);
#endif
s0 = LOAD_ALIGNED(chacha_const);
- s1 = LOAD_ALIGNED(&((vec*)kp)[0]);
- s2 = LOAD_ALIGNED(&((vec*)kp)[1]);
+ s1 = LOAD(&((vec*)kp)[0]);
+ s2 = LOAD(&((vec*)kp)[1]);
s3 = (vec){
counter & 0xffffffff,
#if __ARM_NEON__ || defined(OPENSSL_X86)
diff --git a/src/crypto/chacha/chacha_vec_arm.S b/src/crypto/chacha/chacha_vec_arm.S
index 15d4556..ddc374e 100644
--- a/src/crypto/chacha/chacha_vec_arm.S
+++ b/src/crypto/chacha/chacha_vec_arm.S
@@ -59,131 +59,147 @@
.thumb_func
.type CRYPTO_chacha_20_neon, %function
CRYPTO_chacha_20_neon:
- @ args = 8, pretend = 0, frame = 128
+ @ args = 8, pretend = 0, frame = 152
@ frame_needed = 1, uses_anonymous_args = 0
push {r4, r5, r6, r7, r8, r9, r10, fp, lr}
- mov r4, r2
+ mov r8, r3
vpush.64 {d8, d9, d10, d11, d12, d13, d14, d15}
- movw r8, #43691
- movt r8, 43690
- mov ip, r3
- umull r8, r9, r4, r8
- sub sp, sp, #132
- add r7, sp, #0
- sub sp, sp, #112
+ mov r9, r2
+ ldr r4, .L91+16
mov fp, r0
mov r10, r1
- str r2, [r7, #8]
- add r4, sp, #15
- ldr r2, .L92+16
- bic r4, r4, #15
- ldr r5, [r7, #232]
- add lr, r4, #64
+ mov lr, r8
.LPIC16:
- add r2, pc
- str r0, [r7, #60]
+ add r4, pc
+ sub sp, sp, #156
+ add r7, sp, #0
+ sub sp, sp, #112
+ add r6, r7, #144
+ str r0, [r7, #88]
str r1, [r7, #12]
- str r3, [r7, #44]
- ldmia r2, {r0, r1, r2, r3}
- ldr r6, [r5]
- str r4, [r7, #72]
- ldr r5, [r5, #4]
- ldr r4, [r7, #236]
- str r6, [r7, #120]
- str r5, [r7, #124]
- str r4, [r7, #112]
- stmia lr, {r0, r1, r2, r3}
- movs r3, #0
- ldr r0, [r7, #72]
- str r3, [r7, #116]
- lsrs r3, r9, #7
- vldr d22, [r7, #112]
- vldr d23, [r7, #120]
- vldr d24, [r0, #64]
- vldr d25, [r0, #72]
- vld1.64 {d26-d27}, [ip:64]
- vldr d28, [ip, #16]
- vldr d29, [ip, #24]
+ str r2, [r7, #8]
+ ldmia r4, {r0, r1, r2, r3}
+ add r4, sp, #15
+ bic r4, r4, #15
+ ldr ip, [r7, #256]
+ str r4, [r7, #84]
+ mov r5, r4
+ adds r4, r4, #64
+ adds r5, r5, #80
+ str r8, [r7, #68]
+ stmia r4, {r0, r1, r2, r3}
+ movw r4, #43691
+ ldr r0, [ip] @ unaligned
+ movt r4, 43690
+ ldr r1, [ip, #4] @ unaligned
+ ldr r3, [r7, #84]
+ ldr r2, [r8, #8] @ unaligned
+ mov r8, #0
+ stmia r6!, {r0, r1}
+ mov r6, r5
+ ldr r1, [lr, #4] @ unaligned
+ ldr r0, [lr] @ unaligned
+ vldr d24, [r3, #64]
+ vldr d25, [r3, #72]
+ ldr r3, [lr, #12] @ unaligned
+ str r5, [r7, #80]
+ stmia r5!, {r0, r1, r2, r3}
+ ldr r0, [lr, #16]! @ unaligned
+ ldr r2, [r7, #84]
+ umull r4, r5, r9, r4
+ vldr d26, [r2, #80]
+ vldr d27, [r2, #88]
+ ldr r1, [lr, #4] @ unaligned
+ ldr r2, [lr, #8] @ unaligned
+ ldr r3, [lr, #12] @ unaligned
+ ldr r4, [r7, #260]
+ stmia r6!, {r0, r1, r2, r3}
+ ldr r3, [ip]
+ ldr r1, [r7, #84]
+ ldr r2, [ip, #4]
+ str r3, [r7, #64]
+ vldr d28, [r1, #80]
+ vldr d29, [r1, #88]
+ str r3, [r7, #136]
+ lsrs r3, r5, #7
+ str r4, [r7, #128]
+ str r2, [r7, #140]
+ str r8, [r7, #132]
+ str r2, [r7, #60]
+ vldr d22, [r7, #128]
+ vldr d23, [r7, #136]
beq .L26
- ldr r1, [r0, #64]
lsls r2, r3, #8
+ ldr r5, [r1, #64]
sub r3, r2, r3, lsl #6
+ ldr r2, [r1, #68]
+ vldr d0, .L91
+ vldr d1, .L91+8
+ adds r4, r4, #2
+ str r5, [r7, #56]
+ str r2, [r7, #52]
+ ldr r5, [r1, #72]
+ ldr r2, [r1, #76]
str r3, [r7, #4]
- ldr r2, [r0, #72]
- str r1, [r7, #40]
- mov r1, r3
- ldr r3, [r0, #68]
- vldr d0, .L92
- vldr d1, .L92+8
- str r2, [r7, #32]
- adds r2, r4, #2
- str r3, [r7, #36]
- ldr r3, [r0, #76]
- str r2, [r7, #48]
- mov r2, r0
- mov r0, fp
- str r10, [r7, #64]
- str r3, [r7, #28]
- adds r3, r0, r1
- mov r1, r6
+ str r5, [r7, #48]
+ str r2, [r7, #44]
+ mov r2, fp
+ str r4, [r7, #72]
+ adds r3, r2, r3
+ str r10, [r7, #76]
str r3, [r7, #16]
- add r3, r2, #80
- mov r2, r5
- str r3, [r7, #68]
.L4:
- ldr r0, [r7, #44]
- add r8, r7, #28
- str r2, [r7, #108]
+ ldr r5, [r7, #68]
+ add r8, r7, #44
+ ldr r4, [r7, #72]
vadd.i32 q3, q11, q0
ldmia r8, {r8, r9, r10, fp}
vmov q8, q14 @ v4si
- ldr r3, [r0]
+ ldr r2, [r5, #4]
vmov q1, q13 @ v4si
+ ldr r3, [r5]
vmov q9, q12 @ v4si
+ ldr lr, [r5, #20]
vmov q2, q11 @ v4si
- str r3, [r7, #52]
- mov r3, r0
- ldr r5, [r3, #8]
+ mov r0, r2
+ ldr r2, [r5, #8]
+ str r3, [r7, #108]
+ mov r3, r5
+ ldr ip, [r5, #16]
vmov q15, q14 @ v4si
- ldr lr, [r3, #20]
+ mov r1, r2
+ ldr r2, [r5, #12]
+ ldr r5, [r5, #24]
vmov q5, q13 @ v4si
- ldr r6, [r3, #12]
+ ldr r6, [r3, #28]
vmov q10, q12 @ v4si
- str r5, [r7, #92]
- mov r5, r3
- ldr r4, [r5, #28]
+ ldr r3, [r7, #64]
+ str r5, [r7, #116]
movs r5, #10
- ldr ip, [r3, #16]
- ldr r3, [r3, #24]
- str r4, [r7, #104]
- ldr r4, [r7, #48]
- str r3, [r7, #100]
- mov r3, r1
- str r6, [r7, #56]
- str r4, [r7, #96]
- str r8, [r7, #80]
+ str r6, [r7, #120]
+ str r4, [r7, #112]
+ ldr r6, [r7, #60]
+ str r8, [r7, #96]
mov r8, r10
- ldr r0, [r0, #4]
+ ldr r4, [r7, #108]
mov r10, r9
- ldr r1, [r7, #92]
- ldr r2, [r7, #56]
- ldr r9, [r7, #100]
- ldr r4, [r7, #52]
- str lr, [r7, #88]
+ ldr r9, [r7, #116]
+ str lr, [r7, #104]
mov lr, r3
- str r5, [r7, #76]
+ str r5, [r7, #92]
movs r5, #0
- str r5, [r7, #84]
- b .L93
-.L94:
+ str r6, [r7, #124]
+ str r5, [r7, #100]
+ b .L92
+.L93:
.align 3
-.L92:
+.L91:
.word 1
.word 0
.word 0
.word 0
.word .LANCHOR0-(.LPIC16+4)
-.L93:
+.L92:
.L3:
vadd.i32 q9, q9, q1
add r3, r8, r0
@@ -192,8 +208,8 @@
veor q3, q3, q9
mov r6, r3
veor q2, q2, q10
- ldr r3, [r7, #80]
- str r5, [r7, #100]
+ ldr r3, [r7, #96]
+ str r5, [r7, #116]
add r10, r10, r1
vrev32.16 q3, q3
eor lr, lr, r10
@@ -201,13 +217,13 @@
vrev32.16 q2, q2
vadd.i32 q15, q15, q2
mov fp, r3
- ldr r3, [r7, #96]
+ ldr r3, [r7, #112]
veor q4, q8, q1
- str r6, [r7, #96]
+ str r6, [r7, #112]
veor q6, q15, q5
eors r3, r3, r5
mov r5, r6
- ldr r6, [r7, #84]
+ ldr r6, [r7, #100]
vshl.i32 q1, q4, #12
vshl.i32 q5, q6, #12
add fp, fp, r2
@@ -216,33 +232,33 @@
vsri.32 q1, q4, #20
ror lr, lr, #16
mov r5, r6
- ldr r6, [r7, #108]
+ ldr r6, [r7, #124]
vsri.32 q5, q6, #20
- str r3, [r7, #108]
+ str r3, [r7, #124]
eor r6, r6, fp
ror r5, r5, #16
vadd.i32 q9, q9, q1
add r9, r9, lr
ror r3, r6, #16
- ldr r6, [r7, #108]
+ ldr r6, [r7, #124]
vadd.i32 q10, q10, q5
- str r3, [r7, #92]
+ str r3, [r7, #108]
veor q4, q9, q3
add ip, ip, r6
- ldr r6, [r7, #88]
+ ldr r6, [r7, #104]
veor q6, q10, q2
eor r4, ip, r4
eor r1, r9, r1
vshl.i32 q3, q4, #8
mov r8, r6
- ldr r6, [r7, #104]
+ ldr r6, [r7, #120]
vshl.i32 q2, q6, #8
ror r4, r4, #20
add r6, r6, r3
vsri.32 q3, q4, #24
- str r6, [r7, #88]
+ str r6, [r7, #104]
eors r2, r2, r6
- ldr r6, [r7, #100]
+ ldr r6, [r7, #116]
vsri.32 q2, q6, #24
add r8, r8, r5
ror r2, r2, #20
@@ -251,42 +267,42 @@
eor r0, r8, r0
vadd.i32 q15, q15, q2
mov r3, r6
- ldr r6, [r7, #96]
+ ldr r6, [r7, #112]
veor q6, q4, q1
ror r0, r0, #20
- str r3, [r7, #96]
+ str r3, [r7, #112]
veor q5, q15, q5
adds r6, r0, r6
- str r6, [r7, #104]
+ str r6, [r7, #120]
mov r6, r3
- ldr r3, [r7, #108]
+ ldr r3, [r7, #124]
vshl.i32 q8, q6, #7
add fp, fp, r2
eors r3, r3, r6
- ldr r6, [r7, #104]
+ ldr r6, [r7, #120]
vshl.i32 q1, q5, #7
ror r1, r1, #20
eors r5, r5, r6
vsri.32 q8, q6, #25
- ldr r6, [r7, #92]
+ ldr r6, [r7, #108]
ror r3, r3, #24
ror r5, r5, #24
vsri.32 q1, q5, #25
- str r5, [r7, #100]
+ str r5, [r7, #116]
eor r6, fp, r6
- ldr r5, [r7, #100]
+ ldr r5, [r7, #116]
add r10, r10, r1
add ip, r3, ip
vext.32 q8, q8, q8, #1
- str ip, [r7, #108]
+ str ip, [r7, #124]
add ip, r5, r8
- ldr r5, [r7, #88]
+ ldr r5, [r7, #104]
eor lr, r10, lr
ror r6, r6, #24
vext.32 q1, q1, q1, #1
add r8, r6, r5
vadd.i32 q9, q9, q8
- ldr r5, [r7, #108]
+ ldr r5, [r7, #124]
vext.32 q3, q3, q3, #3
vadd.i32 q10, q10, q1
ror lr, lr, #24
@@ -295,14 +311,14 @@
add r9, r9, lr
eors r4, r4, r5
veor q3, q9, q3
- ldr r5, [r7, #96]
+ ldr r5, [r7, #112]
eor r1, r9, r1
ror r0, r0, #25
veor q2, q10, q2
adds r5, r0, r5
vext.32 q4, q4, q4, #2
- str r5, [r7, #96]
- ldr r5, [r7, #104]
+ str r5, [r7, #112]
+ ldr r5, [r7, #120]
ror r1, r1, #25
vrev32.16 q3, q3
eor r2, r8, r2
@@ -311,10 +327,10 @@
vadd.i32 q4, q4, q3
ror r4, r4, #25
vrev32.16 q2, q2
- str r5, [r7, #84]
+ str r5, [r7, #100]
vadd.i32 q15, q15, q2
eors r3, r3, r5
- ldr r5, [r7, #96]
+ ldr r5, [r7, #112]
add fp, fp, r4
veor q8, q4, q8
ror r2, r2, #25
@@ -322,174 +338,182 @@
eor lr, fp, lr
eors r6, r6, r5
ror r3, r3, #16
- ldr r5, [r7, #100]
+ ldr r5, [r7, #116]
add r10, r10, r2
- str r3, [r7, #104]
+ str r3, [r7, #120]
ror lr, lr, #16
- ldr r3, [r7, #104]
+ ldr r3, [r7, #120]
eor r5, r10, r5
vshl.i32 q5, q8, #12
add ip, lr, ip
vshl.i32 q6, q1, #12
- str ip, [r7, #88]
+ str ip, [r7, #104]
add ip, r3, r8
- str ip, [r7, #100]
- ldr r3, [r7, #108]
+ str ip, [r7, #116]
+ ldr r3, [r7, #124]
ror r5, r5, #16
vsri.32 q5, q8, #20
ror r6, r6, #16
add ip, r5, r3
- ldr r3, [r7, #88]
+ ldr r3, [r7, #104]
vsri.32 q6, q1, #20
add r9, r9, r6
eor r2, ip, r2
eors r4, r4, r3
- ldr r3, [r7, #100]
+ ldr r3, [r7, #116]
eor r0, r9, r0
vadd.i32 q9, q9, q5
ror r4, r4, #20
eors r1, r1, r3
vadd.i32 q10, q10, q6
ror r3, r2, #20
- str r3, [r7, #92]
- ldr r3, [r7, #96]
+ str r3, [r7, #108]
+ ldr r3, [r7, #112]
veor q3, q9, q3
ror r0, r0, #20
add r8, r4, fp
veor q2, q10, q2
add fp, r0, r3
- ldr r3, [r7, #84]
+ ldr r3, [r7, #100]
ror r1, r1, #20
mov r2, r8
vshl.i32 q8, q3, #8
- str r8, [r7, #80]
+ str r8, [r7, #96]
add r8, r1, r3
- ldr r3, [r7, #92]
+ ldr r3, [r7, #108]
vmov q1, q6 @ v4si
vshl.i32 q6, q2, #8
eor r6, fp, r6
add r10, r10, r3
- ldr r3, [r7, #104]
+ ldr r3, [r7, #120]
vsri.32 q8, q3, #24
eor lr, r2, lr
eor r3, r8, r3
ror r2, r6, #24
vsri.32 q6, q2, #24
eor r5, r10, r5
- str r2, [r7, #108]
+ str r2, [r7, #124]
ror r2, r3, #24
- ldr r3, [r7, #88]
+ ldr r3, [r7, #104]
vmov q3, q8 @ v4si
vadd.i32 q15, q15, q6
ror lr, lr, #24
vadd.i32 q8, q4, q8
ror r6, r5, #24
add r5, lr, r3
- ldr r3, [r7, #108]
+ ldr r3, [r7, #124]
veor q4, q8, q5
add ip, ip, r6
vmov q2, q6 @ v4si
add r9, r9, r3
veor q6, q15, q1
- ldr r3, [r7, #100]
+ ldr r3, [r7, #116]
vshl.i32 q1, q4, #7
- str r2, [r7, #96]
+ str r2, [r7, #112]
add r3, r3, r2
- str r3, [r7, #104]
+ str r3, [r7, #120]
vshl.i32 q5, q6, #7
eors r1, r1, r3
- ldr r3, [r7, #92]
+ ldr r3, [r7, #108]
vsri.32 q1, q4, #25
eors r4, r4, r5
eor r0, r9, r0
eor r2, ip, r3
vsri.32 q5, q6, #25
- ldr r3, [r7, #76]
+ ldr r3, [r7, #92]
ror r4, r4, #25
- str r6, [r7, #84]
+ str r6, [r7, #100]
ror r0, r0, #25
subs r3, r3, #1
- str r5, [r7, #88]
+ str r5, [r7, #104]
ror r1, r1, #25
ror r2, r2, #25
vext.32 q15, q15, q15, #2
- str r3, [r7, #76]
+ str r3, [r7, #92]
vext.32 q2, q2, q2, #1
vext.32 q8, q8, q8, #2
vext.32 q3, q3, q3, #1
vext.32 q5, q5, q5, #3
vext.32 q1, q1, q1, #3
bne .L3
- ldr r3, [r7, #68]
+ ldr r3, [r7, #80]
vadd.i32 q4, q12, q10
- str r9, [r7, #100]
+ str r9, [r7, #116]
mov r9, r10
mov r10, r8
- ldr r8, [r7, #80]
- str lr, [r7, #80]
+ ldr r8, [r7, #96]
+ str lr, [r7, #96]
mov lr, r5
- ldr r5, [r7, #40]
+ ldr r5, [r7, #56]
vadd.i32 q5, q13, q5
- ldr r6, [r7, #64]
+ ldr r6, [r7, #76]
vadd.i32 q15, q14, q15
add fp, fp, r5
- ldr r5, [r7, #36]
- str r4, [r7, #52]
+ ldr r5, [r7, #52]
+ str r4, [r7, #108]
vadd.i32 q7, q14, q8
- ldr r4, [r7, #96]
+ ldr r4, [r7, #112]
add r5, r10, r5
- str r3, [r7, #96]
+ str r3, [r7, #112]
vadd.i32 q2, q11, q2
ldr r3, [r6, #12] @ unaligned
vadd.i32 q6, q12, q9
- str r0, [r7, #76]
+ str r0, [r7, #92]
vadd.i32 q1, q13, q1
ldr r0, [r6] @ unaligned
vadd.i32 q11, q11, q0
- str r1, [r7, #92]
- str r2, [r7, #56]
+ str r1, [r7, #40]
+ str r2, [r7, #36]
vadd.i32 q3, q11, q3
ldr r1, [r6, #4] @ unaligned
vadd.i32 q11, q11, q0
ldr r2, [r6, #8] @ unaligned
- str r5, [r7, #88]
+ str r5, [r7, #104]
vadd.i32 q11, q11, q0
- ldr r5, [r7, #96]
- ldr r10, [r7, #68]
+ ldr r5, [r7, #112]
+ ldr r10, [r7, #80]
stmia r5!, {r0, r1, r2, r3}
mov r5, r10
- ldr r2, [r7, #72]
- ldr r1, [r7, #32]
- ldr r3, [r7, #48]
- vldr d20, [r2, #80]
- vldr d21, [r2, #88]
- add r9, r9, r1
+ ldr r0, [r7, #84]
+ ldr r2, [r7, #48]
+ ldr r3, [r7, #72]
+ vldr d20, [r0, #80]
+ vldr d21, [r0, #88]
+ add r9, r9, r2
veor q10, q10, q4
- ldr r1, [r7, #28]
- add r0, r8, r1
- str r0, [r7, #24]
- vstr d20, [r2, #80]
- vstr d21, [r2, #88]
- adds r0, r4, r3
- str r0, [r7, #20]
+ ldr r2, [r7, #44]
+ adds r1, r4, r3
+ str r1, [r7, #28]
+ add r2, r8, r2
+ str r2, [r7, #32]
+ vstr d20, [r0, #80]
+ vstr d21, [r0, #88]
ldmia r5!, {r0, r1, r2, r3}
- mov r5, r10
+ ldr r4, [r7, #96]
+ ldr r5, [r7, #64]
+ add r4, r4, r5
+ ldr r5, [r7, #124]
+ str r4, [r7, #96]
ldr r4, [r7, #60]
+ add r5, r5, r4
+ ldr r4, [r7, #88]
+ str r5, [r7, #24]
+ mov r5, r10
str r0, [r4] @ unaligned
- mov r4, r10
- ldr r0, [r7, #60]
- str r1, [r0, #4] @ unaligned
+ mov r0, r4
+ str r1, [r4, #4] @ unaligned
mov r8, r0
str r2, [r0, #8] @ unaligned
+ mov r4, r10
str r3, [r0, #12] @ unaligned
ldr r0, [r6, #16]! @ unaligned
ldr r1, [r6, #4] @ unaligned
ldr r2, [r6, #8] @ unaligned
ldr r3, [r6, #12] @ unaligned
- ldr r6, [r7, #64]
+ ldr r6, [r7, #76]
stmia r5!, {r0, r1, r2, r3}
mov r5, r10
- ldr r3, [r7, #72]
+ ldr r3, [r7, #84]
vldr d20, [r3, #80]
vldr d21, [r3, #88]
veor q10, q10, q5
@@ -501,21 +525,22 @@
str r1, [r8, #20] @ unaligned
str r2, [r8, #24] @ unaligned
str r3, [r8, #28] @ unaligned
+ mov r8, r4
ldr r0, [r6, #32]! @ unaligned
+ str r10, [r7, #124]
ldr r1, [r6, #4] @ unaligned
ldr r2, [r6, #8] @ unaligned
ldr r3, [r6, #12] @ unaligned
- ldr r6, [r7, #64]
+ ldr r6, [r7, #76]
stmia r5!, {r0, r1, r2, r3}
mov r5, r10
- ldr r0, [r7, #72]
- vldr d16, [r0, #80]
- vldr d17, [r0, #88]
+ ldr r2, [r7, #84]
+ vldr d16, [r2, #80]
+ vldr d17, [r2, #88]
veor q15, q8, q15
- vstr d30, [r0, #80]
- vstr d31, [r0, #88]
+ vstr d30, [r2, #80]
+ vstr d31, [r2, #88]
ldmia r10!, {r0, r1, r2, r3}
- mov r10, r5
str r0, [r4, #32] @ unaligned
str r1, [r4, #36] @ unaligned
str r2, [r4, #40] @ unaligned
@@ -524,17 +549,18 @@
ldr r1, [r6, #4] @ unaligned
ldr r2, [r6, #8] @ unaligned
ldr r3, [r6, #12] @ unaligned
- ldr r6, [r7, #64]
+ ldr r6, [r7, #76]
stmia r5!, {r0, r1, r2, r3}
- mov r5, r10
- ldr r2, [r7, #72]
- vldr d18, [r2, #80]
- vldr d19, [r2, #88]
+ ldr r1, [r7, #84]
+ vldr d18, [r1, #80]
+ vldr d19, [r1, #88]
veor q9, q9, q2
- vstr d18, [r2, #80]
- vstr d19, [r2, #88]
+ vstr d18, [r1, #80]
+ vstr d19, [r1, #88]
+ ldr r3, [r7, #112]
+ ldr r5, [r7, #80]
+ mov r10, r3
ldmia r10!, {r0, r1, r2, r3}
- mov r10, r5
str r0, [r4, #48] @ unaligned
str r1, [r4, #52] @ unaligned
str r2, [r4, #56] @ unaligned
@@ -543,34 +569,38 @@
ldr r1, [r6, #4] @ unaligned
ldr r2, [r6, #8] @ unaligned
ldr r3, [r6, #12] @ unaligned
- ldr r6, [r7, #64]
+ ldr r6, [r7, #76]
stmia r5!, {r0, r1, r2, r3}
- mov r5, r10
- ldr r2, [r7, #72]
- vldr d18, [r2, #80]
- vldr d19, [r2, #88]
+ ldr r1, [r7, #84]
+ ldr r3, [r7, #112]
+ ldr r5, [r7, #80]
+ vldr d18, [r1, #80]
+ vldr d19, [r1, #88]
veor q9, q9, q6
- vstr d18, [r2, #80]
- vstr d19, [r2, #88]
+ mov r10, r3
+ str r5, [r7, #20]
+ vstr d18, [r1, #80]
+ vstr d19, [r1, #88]
ldmia r10!, {r0, r1, r2, r3}
- mov r10, r5
- str r0, [r4, #64] @ unaligned
str r1, [r4, #68] @ unaligned
str r2, [r4, #72] @ unaligned
str r3, [r4, #76] @ unaligned
+ str r0, [r4, #64] @ unaligned
ldr r0, [r6, #80]! @ unaligned
ldr r1, [r6, #4] @ unaligned
ldr r2, [r6, #8] @ unaligned
ldr r3, [r6, #12] @ unaligned
- ldr r6, [r7, #64]
+ ldr r6, [r7, #76]
stmia r5!, {r0, r1, r2, r3}
- mov r5, r10
- ldr r2, [r7, #72]
- vldr d18, [r2, #80]
- vldr d19, [r2, #88]
+ ldr r1, [r7, #84]
+ ldr r3, [r7, #20]
+ ldr r5, [r7, #80]
+ vldr d18, [r1, #80]
+ vldr d19, [r1, #88]
veor q1, q9, q1
- vstr d2, [r2, #80]
- vstr d3, [r2, #88]
+ mov r10, r3
+ vstr d2, [r1, #80]
+ vstr d3, [r1, #88]
ldmia r10!, {r0, r1, r2, r3}
mov r10, r5
str r0, [r4, #80] @ unaligned
@@ -581,17 +611,16 @@
ldr r1, [r6, #4] @ unaligned
ldr r2, [r6, #8] @ unaligned
ldr r3, [r6, #12] @ unaligned
- ldr r6, [r7, #64]
+ ldr r6, [r7, #76]
stmia r5!, {r0, r1, r2, r3}
mov r5, r10
- ldr r3, [r7, #72]
+ ldr r3, [r7, #84]
vldr d16, [r3, #80]
vldr d17, [r3, #88]
veor q8, q8, q7
vstr d16, [r3, #80]
vstr d17, [r3, #88]
ldmia r10!, {r0, r1, r2, r3}
- mov r10, r5
str r0, [r4, #96] @ unaligned
str r1, [r4, #100] @ unaligned
str r2, [r4, #104] @ unaligned
@@ -600,140 +629,116 @@
ldr r1, [r6, #4] @ unaligned
ldr r2, [r6, #8] @ unaligned
ldr r3, [r6, #12] @ unaligned
- stmia r5!, {r0, r1, r2, r3}
- mov r5, r10
- ldr r0, [r7, #72]
- ldr r6, [r7, #44]
- vldr d16, [r0, #80]
- vldr d17, [r0, #88]
+ mov r6, r5
+ stmia r6!, {r0, r1, r2, r3}
+ ldr r3, [r7, #84]
+ vldr d16, [r3, #80]
+ vldr d17, [r3, #88]
veor q8, q8, q3
- vstr d16, [r0, #80]
- vstr d17, [r0, #88]
+ vstr d16, [r3, #80]
+ vstr d17, [r3, #88]
ldmia r5!, {r0, r1, r2, r3}
- mov r5, r4
- mov r8, r5
str r1, [r4, #116] @ unaligned
- ldr r1, [r7, #64]
+ ldr r1, [r7, #76]
str r0, [r4, #112] @ unaligned
- mov r0, r5
str r2, [r4, #120] @ unaligned
str r3, [r4, #124] @ unaligned
ldr r3, [r1, #128]
- ldr r2, [r7, #88]
+ ldr r2, [r7, #104]
eor r3, fp, r3
str r3, [r4, #128]
ldr r3, [r1, #132]
- mov r4, r1
- mov r1, r5
eors r2, r2, r3
str r2, [r8, #132]
- ldr r3, [r4, #136]
- ldr r2, [r7, #24]
+ ldr r3, [r1, #136]
+ ldr r5, [r7, #68]
+ ldr r6, [r7, #32]
eor r3, r9, r3
- str r3, [r5, #136]
- ldr r3, [r4, #140]
- eors r3, r3, r2
- str r3, [r5, #140]
- mov r5, r4
- ldr r3, [r6]
- ldr r2, [r4, #144]
- ldr r4, [r7, #52]
- add r4, r4, r3
- eors r2, r2, r4
- mov r4, r1
- str r2, [r1, #144]
- ldr r1, [r7, #76]
- ldr r2, [r6, #4]
- ldr r3, [r5, #148]
- mov r8, r1
- add r8, r8, r2
- mov r2, r8
- eors r3, r3, r2
- str r3, [r0, #148]
- mov r0, r4
- ldr r2, [r6, #8]
- ldr r1, [r7, #92]
- ldr r3, [r5, #152]
- mov r8, r1
- add r8, r8, r2
- ldr r1, [r7, #56]
- mov r2, r8
- eors r3, r3, r2
+ str r3, [r4, #136]
+ ldr r3, [r1, #140]
+ ldr r0, [r7, #92]
+ eors r3, r3, r6
+ ldr r6, [r7, #108]
+ str r3, [r4, #140]
+ ldr r3, [r5]
+ ldr r2, [r1, #144]
+ add r6, r6, r3
+ eors r2, r2, r6
+ str r2, [r4, #144]
+ ldr r2, [r5, #4]
+ ldr r3, [r1, #148]
+ add r0, r0, r2
+ ldr r6, [r7, #36]
+ eors r3, r3, r0
+ ldr r0, [r7, #40]
+ str r3, [r4, #148]
+ ldr r2, [r5, #8]
+ ldr r3, [r1, #152]
+ add r0, r0, r2
+ eors r3, r3, r0
str r3, [r4, #152]
- mov r8, r6
- ldr r2, [r6, #12]
- mov r4, r5
- ldr r3, [r5, #156]
- add r1, r1, r2
- eors r3, r3, r1
- str r3, [r0, #156]
- ldr r2, [r6, #16]
+ ldr r2, [r5, #12]
+ mov r0, r4
+ ldr r3, [r1, #156]
+ mov r4, r1
+ add r6, r6, r2
mov r1, r0
- ldr r3, [r5, #160]
+ eors r3, r3, r6
+ str r3, [r0, #156]
+ ldr r2, [r5, #16]
+ ldr r3, [r4, #160]
add ip, ip, r2
eor r3, ip, r3
- str r3, [r0, #160]
- ldr r2, [r6, #20]
- mov ip, r0
- ldr r3, [r5, #164]
+ str r3, [r1, #160]
+ ldr r2, [r5, #20]
+ ldr r3, [r4, #164]
add lr, lr, r2
- ldr r2, [r7, #100]
+ ldr r2, [r7, #116]
eor r3, lr, r3
str r3, [r1, #164]
- ldr r6, [r6, #24]
+ ldr r6, [r5, #24]
+ mov lr, r4
ldr r3, [r4, #168]
add r2, r2, r6
+ mov r6, r4
eors r3, r3, r2
- ldr r2, [r7, #104]
- str r3, [r0, #168]
- ldr r5, [r8, #28]
+ str r3, [r1, #168]
+ ldr r5, [r5, #28]
+ mov r2, r1
ldr r3, [r4, #172]
- add r2, r2, r5
- mov r5, r4
- eors r3, r3, r2
- mov r2, r0
- str r3, [r0, #172]
- ldr r3, [r7, #48]
+ ldr r0, [r7, #120]
+ add r0, r0, r5
+ ldr r5, [r7, #24]
+ eors r3, r3, r0
+ str r3, [r1, #172]
+ ldr r3, [r7, #72]
ldr r4, [r4, #176]
- ldr r0, [r7, #20]
+ ldr r1, [r7, #28]
+ eors r4, r4, r1
adds r1, r3, #3
- ldr r3, [r7, #84]
- eors r4, r4, r0
str r4, [r2, #176]
- ldr r0, [r5, #180]
- mov r4, r2
- str r1, [r7, #48]
+ ldr r3, [r7, #100]
+ ldr r0, [lr, #180]
+ str r1, [r7, #72]
eors r3, r3, r0
mov r0, r3
- ldr r3, [r7, #232]
+ mov r3, r2
str r0, [r2, #180]
- ldr r1, [r3]
- ldr r3, [r5, #184]
- ldr r2, [r7, #80]
- add r2, r2, r1
- mov r1, r5
- eors r3, r3, r2
- str r3, [ip, #184]
- ldr r3, [r7, #232]
- adds r1, r1, #192
- str r1, [r7, #64]
- ldr r1, [r7, #108]
- ldr r2, [r3, #4]
- ldr r3, [r5, #188]
- add r1, r1, r2
- mov r2, r1
- eors r2, r2, r3
- str r2, [ip, #188]
- mov r3, r4
- ldr r2, [r7, #16]
adds r3, r3, #192
- str r3, [r7, #60]
+ ldr r1, [lr, #184]
+ ldr r2, [r7, #96]
+ eors r1, r1, r2
+ str r1, [r3, #-8]
+ ldr r2, [lr, #188]
+ mov r1, r6
+ adds r1, r1, #192
+ str r1, [r7, #76]
+ eors r2, r2, r5
+ str r2, [r3, #-4]
+ ldr r2, [r7, #16]
+ str r3, [r7, #88]
cmp r2, r3
- beq .L85
- ldr r3, [r7, #232]
- ldmia r3, {r1, r2}
- b .L4
-.L85:
+ bne .L4
ldr r3, [r7, #12]
ldr r2, [r7, #4]
add r3, r3, r2
@@ -749,16 +754,14 @@
rsb fp, fp, r1
lsrs fp, fp, #6
beq .L6
- ldr r6, [r7, #72]
ldr r5, [r7, #12]
ldr r4, [r7, #16]
- mov r3, r6
- adds r3, r3, #80
- vldr d30, .L95
- vldr d31, .L95+8
- mov lr, r3
- str fp, [r7, #104]
- str fp, [r7, #108]
+ ldr r6, [r7, #84]
+ ldr lr, [r7, #80]
+ vldr d30, .L94
+ vldr d31, .L94+8
+ str fp, [r7, #120]
+ str fp, [r7, #124]
.L8:
vmov q2, q11 @ v4si
movs r3, #10
@@ -883,22 +886,22 @@
str r0, [r4, #-16] @ unaligned
str r1, [r4, #-12] @ unaligned
str r3, [r10, #12] @ unaligned
- ldr r3, [r7, #108]
+ ldr r3, [r7, #124]
str r2, [r10, #8] @ unaligned
cmp r3, #1
- beq .L88
+ beq .L87
movs r3, #1
- str r3, [r7, #108]
+ str r3, [r7, #124]
b .L8
-.L96:
- .align 3
.L95:
+ .align 3
+.L94:
.word 1
.word 0
.word 0
.word 0
-.L88:
- ldr fp, [r7, #104]
+.L87:
+ ldr fp, [r7, #120]
ldr r3, [r7, #12]
lsl fp, fp, #6
add r3, r3, fp
@@ -958,9 +961,9 @@
bne .L10
cmp r5, #15
mov r9, r5
- bhi .L89
+ bhi .L88
vadd.i32 q12, q12, q10
- ldr r3, [r7, #72]
+ ldr r3, [r7, #84]
vst1.64 {d24-d25}, [r3:128]
.L14:
ldr r3, [r7, #8]
@@ -997,7 +1000,7 @@
movcs r1, ip
cmp r1, #0
beq .L17
- ldr r5, [r7, #72]
+ ldr r5, [r7, #84]
cmp r1, #1
ldrb r0, [r0] @ zero_extendqisi2
add r3, r2, #1
@@ -1132,7 +1135,7 @@
ldr r5, [r7, #16]
cmp r6, #1
add r0, r1, r2
- ldr r1, [r7, #72]
+ ldr r1, [r7, #84]
add r1, r1, r2
vld1.64 {d18-d19}, [r0:64]
add r2, r2, r5
@@ -1170,7 +1173,7 @@
add r3, r3, lr
beq .L1
.L19:
- ldr r4, [r7, #72]
+ ldr r4, [r7, #84]
adds r2, r3, #1
ldr r1, [r7, #12]
cmp r2, r9
@@ -1285,7 +1288,7 @@
eor r1, r1, r0
strb r1, [r5, r2]
bls .L1
- ldr r2, [r7, #72]
+ ldr r2, [r7, #84]
ldrb r1, [r2, r3] @ zero_extendqisi2
ldr r2, [r7, #12]
ldrb r2, [r2, r3] @ zero_extendqisi2
@@ -1293,26 +1296,23 @@
ldr r1, [r7, #16]
strb r2, [r1, r3]
.L1:
- adds r7, r7, #132
+ adds r7, r7, #156
mov sp, r7
@ sp needed
vldm sp!, {d8-d15}
pop {r4, r5, r6, r7, r8, r9, r10, fp, pc}
-.L89:
- ldr r4, [r7, #12]
+.L88:
+ ldr r5, [r7, #12]
vadd.i32 q12, q12, q10
- ldr r5, [r7, #72]
+ ldr r4, [r7, #80]
cmp r9, #31
- ldr r0, [r4] @ unaligned
- add r6, r5, #80
- ldr r1, [r4, #4] @ unaligned
- ldr r2, [r4, #8] @ unaligned
- mov r5, r6
- ldr r3, [r4, #12] @ unaligned
- mov r4, r6
- str r6, [r7, #68]
+ ldr r0, [r5] @ unaligned
+ ldr r1, [r5, #4] @ unaligned
+ mov r6, r4
+ ldr r2, [r5, #8] @ unaligned
+ ldr r3, [r5, #12] @ unaligned
stmia r6!, {r0, r1, r2, r3}
- ldr r2, [r7, #72]
+ ldr r2, [r7, #84]
ldr r6, [r7, #16]
vldr d18, [r2, #80]
vldr d19, [r2, #88]
@@ -1325,9 +1325,9 @@
str r0, [r6] @ unaligned
str r2, [r6, #8] @ unaligned
str r3, [r6, #12] @ unaligned
- bhi .L90
+ bhi .L89
vadd.i32 q13, q13, q15
- ldr r3, [r7, #72]
+ ldr r3, [r7, #84]
vstr d26, [r3, #16]
vstr d27, [r3, #24]
b .L14
@@ -1336,7 +1336,7 @@
ldr r2, [r7, #12]
add r2, r2, r9
mov r5, r2
- ldr r2, [r7, #72]
+ ldr r2, [r7, #84]
add r2, r2, r3
mov r3, r2
.L24:
@@ -1346,7 +1346,7 @@
eor r2, r2, r1
strb r2, [r4], #1
bne .L24
- adds r7, r7, #132
+ adds r7, r7, #156
mov sp, r7
@ sp needed
vldm sp!, {d8-d15}
@@ -1354,20 +1354,20 @@
.L26:
str fp, [r7, #16]
b .L2
-.L90:
- ldr r3, [r7, #12]
+.L89:
+ mov r3, r5
+ ldr r4, [r7, #80]
+ ldr r0, [r3, #16]! @ unaligned
add lr, r1, #16
- mov r4, r5
- mov r6, r5
mov r5, r1
vadd.i32 q13, q13, q15
- ldr r0, [r3, #16]! @ unaligned
+ mov r6, r4
cmp r9, #47
ldr r1, [r3, #4] @ unaligned
ldr r2, [r3, #8] @ unaligned
ldr r3, [r3, #12] @ unaligned
stmia r6!, {r0, r1, r2, r3}
- ldr r2, [r7, #72]
+ ldr r2, [r7, #84]
vldr d18, [r2, #80]
vldr d19, [r2, #88]
veor q13, q9, q13
@@ -1378,18 +1378,18 @@
str r1, [lr, #4] @ unaligned
str r2, [lr, #8] @ unaligned
str r3, [lr, #12] @ unaligned
- bhi .L91
+ bhi .L90
vadd.i32 q8, q14, q8
- ldr r3, [r7, #72]
+ ldr r3, [r7, #84]
vstr d16, [r3, #32]
vstr d17, [r3, #40]
b .L14
-.L91:
+.L90:
ldr r3, [r7, #12]
add lr, r5, #32
- ldr r4, [r7, #68]
+ ldr r4, [r7, #80]
vadd.i32 q8, q14, q8
- ldr r5, [r7, #72]
+ ldr r5, [r7, #84]
vadd.i32 q11, q11, q3
ldr r0, [r3, #32]! @ unaligned
mov r6, r4
diff --git a/src/crypto/chacha/chacha_vec_arm_generate.go b/src/crypto/chacha/chacha_vec_arm_generate.go
new file mode 100644
index 0000000..d681e8a
--- /dev/null
+++ b/src/crypto/chacha/chacha_vec_arm_generate.go
@@ -0,0 +1,148 @@
+// Copyright (c) 2014, Google Inc.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// This package generates chacha_vec_arm.S from chacha_vec.c.
+package main
+
+import (
+ "bufio"
+ "bytes"
+ "os"
+ "os/exec"
+ "strings"
+)
+
+const defaultCompiler = "/opt/gcc-linaro-4.9-2014.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf-gcc"
+
+func main() {
+ compiler := defaultCompiler
+ if len(os.Args) > 1 {
+ compiler = os.Args[1]
+ }
+
+ args := []string{
+ "-O3",
+ "-mcpu=cortex-a8",
+ "-mfpu=neon",
+ "-fpic",
+ "-DASM_GEN",
+ "-I", "../../include",
+ "-S", "chacha_vec.c",
+ "-o", "-",
+ }
+
+ output, err := os.OpenFile("chacha_vec_arm.S", os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0644)
+ if err != nil {
+ panic(err)
+ }
+ defer output.Close()
+
+ output.WriteString(preamble)
+ output.WriteString(compiler)
+ output.WriteString(" ")
+ output.WriteString(strings.Join(args, " "))
+ output.WriteString("\n\n#if !defined(OPENSSL_NO_ASM)\n\n")
+
+ cmd := exec.Command(compiler, args...)
+ cmd.Stderr = os.Stderr
+ asm, err := cmd.StdoutPipe()
+ if err != nil {
+ panic(err)
+ }
+ if err := cmd.Start(); err != nil {
+ panic(err)
+ }
+
+ attr28 := []byte(".eabi_attribute 28,")
+ globalDirective := []byte(".global\t")
+ newLine := []byte("\n")
+ attr28Handled := false
+
+ scanner := bufio.NewScanner(asm)
+ for scanner.Scan() {
+ line := scanner.Bytes()
+
+ if bytes.Contains(line, attr28) {
+ output.WriteString(attr28Block)
+ attr28Handled = true
+ continue
+ }
+
+ output.Write(line)
+ output.Write(newLine)
+
+ if i := bytes.Index(line, globalDirective); i >= 0 {
+ output.Write(line[:i])
+ output.WriteString(".hidden\t")
+ output.Write(line[i+len(globalDirective):])
+ output.Write(newLine)
+ }
+ }
+
+ if err := scanner.Err(); err != nil {
+ panic(err)
+ }
+
+ if !attr28Handled {
+ panic("EABI attribute 28 not seen in processing")
+ }
+
+ if err := cmd.Wait(); err != nil {
+ panic(err)
+ }
+
+ output.WriteString(trailer)
+}
+
+const preamble = `# Copyright (c) 2014, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+# This file contains a pre-compiled version of chacha_vec.c for ARM. This is
+# needed to support switching on NEON code at runtime. If the whole of OpenSSL
+# were to be compiled with the needed flags to build chacha_vec.c, then it
+# wouldn't be possible to run on non-NEON systems.
+#
+# This file was generated by chacha_vec_arm_generate.go using the following
+# compiler command:
+#
+# `
+
+const attr28Block = `
+# EABI attribute 28 sets whether VFP register arguments were used to build this
+# file. If object files are inconsistent on this point, the linker will refuse
+# to link them. Thus we report whatever the compiler expects since we don't use
+# VFP arguments.
+
+#if defined(__ARM_PCS_VFP)
+ .eabi_attribute 28, 1
+#else
+ .eabi_attribute 28, 0
+#endif
+
+`
+
+const trailer = `
+#endif /* !OPENSSL_NO_ASM */
+`
diff --git a/src/crypto/cipher/CMakeLists.txt b/src/crypto/cipher/CMakeLists.txt
index bb62b72..f428e25 100644
--- a/src/crypto/cipher/CMakeLists.txt
+++ b/src/crypto/cipher/CMakeLists.txt
@@ -6,7 +6,6 @@
OBJECT
cipher.c
- cipher_error.c
derive_key.c
aead.c
@@ -31,7 +30,8 @@
add_executable(
aead_test
- aead_test.c
+ aead_test.cc
+ $<TARGET_OBJECTS:test_support>
)
target_link_libraries(cipher_test crypto)
diff --git a/src/crypto/cipher/aead.c b/src/crypto/cipher/aead.c
index 263e398..20d699d 100644
--- a/src/crypto/cipher/aead.c
+++ b/src/crypto/cipher/aead.c
@@ -33,12 +33,40 @@
int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
const uint8_t *key, size_t key_len, size_t tag_len,
ENGINE *impl) {
- ctx->aead = aead;
- if (key_len != aead->key_len) {
- OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init, CIPHER_R_UNSUPPORTED_KEY_SIZE);
+ if (!aead->init) {
+ OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init, CIPHER_R_NO_DIRECTION_SET);
+ ctx->aead = NULL;
return 0;
}
- return aead->init(ctx, key, key_len, tag_len);
+ return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, tag_len,
+ evp_aead_open);
+}
+
+int EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
+ const uint8_t *key, size_t key_len,
+ size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ if (key_len != aead->key_len) {
+ OPENSSL_PUT_ERROR(CIPHER, EVP_AEAD_CTX_init_with_direction,
+ CIPHER_R_UNSUPPORTED_KEY_SIZE);
+ ctx->aead = NULL;
+ return 0;
+ }
+
+ ctx->aead = aead;
+
+ int ok;
+ if (aead->init) {
+ ok = aead->init(ctx, key, key_len, tag_len);
+ } else {
+ ok = aead->init_with_direction(ctx, key, key_len, tag_len, dir);
+ }
+
+ if (!ok) {
+ ctx->aead = NULL;
+ }
+
+ return ok;
}
void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) {
@@ -117,3 +145,11 @@
*out_len = 0;
return 0;
}
+
+int EVP_AEAD_CTX_get_rc4_state(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key) {
+ if (ctx->aead->get_rc4_state == NULL) {
+ return 0;
+ }
+
+ return ctx->aead->get_rc4_state(ctx, out_key);
+}
diff --git a/src/crypto/cipher/aead_test.c b/src/crypto/cipher/aead_test.c
deleted file mode 100644
index 310c90c..0000000
--- a/src/crypto/cipher/aead_test.c
+++ /dev/null
@@ -1,387 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/aead.h>
-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-
-/* This program tests an AEAD against a series of test vectors from a file. The
- * test vector file consists of key-value lines where the key and value are
- * separated by a colon and optional whitespace. The keys are listed in
- * |NAMES|, below. The values are hex-encoded data.
- *
- * After a number of key-value lines, a blank line or EOF indicates the end of
- * the test case.
- *
- * For example, here's a valid test case:
- *
- * KEY: 5a19f3173586b4c42f8412f4d5a786531b3231753e9e00998aec12fda8df10e4
- * NONCE: 978105dfce667bf4
- * IN: 6a4583908d
- * AD: b654574932
- * CT: 5294265a60
- * TAG: 1d45758621762e061368e68868e2f929
- */
-
-#define BUF_MAX 512
-
-/* These are the different types of line that are found in the input file. */
-enum {
- KEY = 0, /* hex encoded key. */
- NONCE, /* hex encoded nonce. */
- IN, /* hex encoded plaintext. */
- AD, /* hex encoded additional data. */
- CT, /* hex encoded ciphertext (not including the authenticator,
- which is next). */
- TAG, /* hex encoded authenticator. */
- NO_SEAL, /* non-zero length if seal(IN) is not expected to be CT+TAG,
- however open(CT+TAG) should still be IN. */
- FAILS, /* non-zero length if open(CT+TAG) is expected to fail. */
- NUM_TYPES,
-};
-
-static const char NAMES[8][NUM_TYPES] = {
- "KEY", "NONCE", "IN", "AD", "CT", "TAG", "NO_SEAL", "FAILS",
-};
-
-static unsigned char hex_digit(char h) {
- if (h >= '0' && h <= '9') {
- return h - '0';
- } else if (h >= 'a' && h <= 'f') {
- return h - 'a' + 10;
- } else if (h >= 'A' && h <= 'F') {
- return h - 'A' + 10;
- } else {
- return 16;
- }
-}
-
-static int run_test_case(const EVP_AEAD *aead,
- uint8_t bufs[NUM_TYPES][BUF_MAX],
- const unsigned int lengths[NUM_TYPES],
- unsigned int line_no) {
- EVP_AEAD_CTX ctx;
- size_t ciphertext_len, plaintext_len;
- uint8_t out[BUF_MAX + EVP_AEAD_MAX_OVERHEAD + 1];
- /* Note: When calling |EVP_AEAD_CTX_open|, the "stateful" AEADs require
- * |max_out| be at least |in_len| despite the final output always being
- * smaller by at least tag length. */
- uint8_t out2[sizeof(out)];
-
- if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
- NULL)) {
- fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
- return 0;
- }
-
- if (!lengths[NO_SEAL]) {
- if (!EVP_AEAD_CTX_seal(&ctx, out, &ciphertext_len, sizeof(out), bufs[NONCE],
- lengths[NONCE], bufs[IN], lengths[IN], bufs[AD],
- lengths[AD])) {
- fprintf(stderr, "Failed to run AEAD on line %u\n", line_no);
- return 0;
- }
-
- if (ciphertext_len != lengths[CT] + lengths[TAG]) {
- fprintf(stderr, "Bad output length on line %u: %u vs %u\n", line_no,
- (unsigned)ciphertext_len, (unsigned)(lengths[CT] + lengths[TAG]));
- return 0;
- }
-
- if (memcmp(out, bufs[CT], lengths[CT]) != 0) {
- fprintf(stderr, "Bad output on line %u\n", line_no);
- return 0;
- }
-
- if (memcmp(out + lengths[CT], bufs[TAG], lengths[TAG]) != 0) {
- fprintf(stderr, "Bad tag on line %u\n", line_no);
- return 0;
- }
- } else {
- memcpy(out, bufs[CT], lengths[CT]);
- memcpy(out + lengths[CT], bufs[TAG], lengths[TAG]);
- ciphertext_len = lengths[CT] + lengths[TAG];
- }
-
- /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
- * reset after each operation. */
- EVP_AEAD_CTX_cleanup(&ctx);
- if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
- NULL)) {
- fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
- return 0;
- }
-
- int ret = EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, sizeof(out2),
- bufs[NONCE], lengths[NONCE], out, ciphertext_len,
- bufs[AD], lengths[AD]);
- if (lengths[FAILS]) {
- if (ret) {
- fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
- return 0;
- }
- ERR_clear_error();
- } else {
- if (!ret) {
- fprintf(stderr, "Failed to decrypt on line %u\n", line_no);
- return 0;
- }
-
- if (plaintext_len != lengths[IN]) {
- fprintf(stderr, "Bad decrypt on line %u: %u\n", line_no,
- (unsigned)ciphertext_len);
- return 0;
- }
-
- /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
- * reset after each operation. */
- EVP_AEAD_CTX_cleanup(&ctx);
- if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
- NULL)) {
- fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
- return 0;
- }
-
- /* Garbage at the end isn't ignored. */
- out[ciphertext_len] = 0;
- if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, sizeof(out2),
- bufs[NONCE], lengths[NONCE], out, ciphertext_len + 1,
- bufs[AD], lengths[AD])) {
- fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
- return 0;
- }
- ERR_clear_error();
-
- /* The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
- * reset after each operation. */
- EVP_AEAD_CTX_cleanup(&ctx);
- if (!EVP_AEAD_CTX_init(&ctx, aead, bufs[KEY], lengths[KEY], lengths[TAG],
- NULL)) {
- fprintf(stderr, "Failed to init AEAD on line %u\n", line_no);
- return 0;
- }
-
- /* Verify integrity is checked. */
- out[0] ^= 0x80;
- if (EVP_AEAD_CTX_open(&ctx, out2, &plaintext_len, sizeof(out2), bufs[NONCE],
- lengths[NONCE], out, ciphertext_len, bufs[AD],
- lengths[AD])) {
- fprintf(stderr, "Decrypted bad data on line %u\n", line_no);
- return 0;
- }
- ERR_clear_error();
- }
-
- EVP_AEAD_CTX_cleanup(&ctx);
- return 1;
-}
-
-int main(int argc, char **argv) {
- FILE *f;
- const EVP_AEAD *aead = NULL;
- unsigned int line_no = 0, num_tests = 0, j;
-
- unsigned char bufs[NUM_TYPES][BUF_MAX];
- unsigned int lengths[NUM_TYPES];
-
- CRYPTO_library_init();
- ERR_load_crypto_strings();
-
- if (argc != 3) {
- fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]);
- return 1;
- }
-
- if (strcmp(argv[1], "aes-128-gcm") == 0) {
- aead = EVP_aead_aes_128_gcm();
- } else if (strcmp(argv[1], "aes-256-gcm") == 0) {
- aead = EVP_aead_aes_256_gcm();
- } else if (strcmp(argv[1], "chacha20-poly1305") == 0) {
- aead = EVP_aead_chacha20_poly1305();
- } else if (strcmp(argv[1], "rc4-md5-tls") == 0) {
- aead = EVP_aead_rc4_md5_tls();
- } else if (strcmp(argv[1], "rc4-sha1-tls") == 0) {
- aead = EVP_aead_rc4_sha1_tls();
- } else if (strcmp(argv[1], "aes-128-cbc-sha1-tls") == 0) {
- aead = EVP_aead_aes_128_cbc_sha1_tls();
- } else if (strcmp(argv[1], "aes-128-cbc-sha1-tls-implicit-iv") == 0) {
- aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();
- } else if (strcmp(argv[1], "aes-128-cbc-sha256-tls") == 0) {
- aead = EVP_aead_aes_128_cbc_sha256_tls();
- } else if (strcmp(argv[1], "aes-256-cbc-sha1-tls") == 0) {
- aead = EVP_aead_aes_256_cbc_sha1_tls();
- } else if (strcmp(argv[1], "aes-256-cbc-sha1-tls-implicit-iv") == 0) {
- aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();
- } else if (strcmp(argv[1], "aes-256-cbc-sha256-tls") == 0) {
- aead = EVP_aead_aes_256_cbc_sha256_tls();
- } else if (strcmp(argv[1], "aes-256-cbc-sha384-tls") == 0) {
- aead = EVP_aead_aes_256_cbc_sha384_tls();
- } else if (strcmp(argv[1], "des-ede3-cbc-sha1-tls") == 0) {
- aead = EVP_aead_des_ede3_cbc_sha1_tls();
- } else if (strcmp(argv[1], "des-ede3-cbc-sha1-tls-implicit-iv") == 0) {
- aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();
- } else if (strcmp(argv[1], "rc4-md5-ssl3") == 0) {
- aead = EVP_aead_rc4_md5_ssl3();
- } else if (strcmp(argv[1], "rc4-sha1-ssl3") == 0) {
- aead = EVP_aead_rc4_sha1_ssl3();
- } else if (strcmp(argv[1], "aes-128-cbc-sha1-ssl3") == 0) {
- aead = EVP_aead_aes_128_cbc_sha1_ssl3();
- } else if (strcmp(argv[1], "aes-256-cbc-sha1-ssl3") == 0) {
- aead = EVP_aead_aes_256_cbc_sha1_ssl3();
- } else if (strcmp(argv[1], "des-ede3-cbc-sha1-ssl3") == 0) {
- aead = EVP_aead_des_ede3_cbc_sha1_ssl3();
- } else if (strcmp(argv[1], "aes-128-key-wrap") == 0) {
- aead = EVP_aead_aes_128_key_wrap();
- } else if (strcmp(argv[1], "aes-256-key-wrap") == 0) {
- aead = EVP_aead_aes_256_key_wrap();
- } else {
- fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
- return 2;
- }
-
- f = fopen(argv[2], "r");
- if (f == NULL) {
- perror("failed to open input");
- return 1;
- }
-
- for (j = 0; j < NUM_TYPES; j++) {
- lengths[j] = 0;
- }
-
- for (;;) {
- char line[4096];
- unsigned int i, type_len = 0;
-
- unsigned char *buf = NULL;
- unsigned int *buf_len = NULL;
-
- if (!fgets(line, sizeof(line), f)) {
- line[0] = 0;
- }
-
- line_no++;
- if (line[0] == '#') {
- continue;
- }
-
- if (line[0] == '\n' || line[0] == 0) {
- /* Run a test, if possible. */
- char any_values_set = 0;
- for (j = 0; j < NUM_TYPES; j++) {
- if (lengths[j] != 0) {
- any_values_set = 1;
- break;
- }
- }
-
- if (any_values_set) {
- if (!run_test_case(aead, bufs, lengths, line_no)) {
- BIO_print_errors_fp(stderr);
- return 4;
- }
-
- for (j = 0; j < NUM_TYPES; j++) {
- lengths[j] = 0;
- }
-
- num_tests++;
- }
-
- if (line[0] == 0) {
- break;
- }
- continue;
- }
-
- /* Each line looks like:
- * TYPE: 0123abc
- * Where "TYPE" is the type of the data on the line,
- * e.g. "KEY". */
- for (i = 0; line[i] != 0 && line[i] != '\n'; i++) {
- if (line[i] == ':') {
- type_len = i;
- break;
- }
- }
- i++;
-
- if (type_len == 0) {
- fprintf(stderr, "Parse error on line %u\n", line_no);
- return 3;
- }
-
- /* After the colon, there's optional whitespace. */
- for (; line[i] != 0 && line[i] != '\n'; i++) {
- if (line[i] != ' ' && line[i] != '\t') {
- break;
- }
- }
-
- line[type_len] = 0;
- for (j = 0; j < NUM_TYPES; j++) {
- if (strcmp(line, NAMES[j]) != 0) {
- continue;
- }
- if (lengths[j] != 0) {
- fprintf(stderr, "Duplicate value on line %u\n", line_no);
- return 3;
- }
- buf = bufs[j];
- buf_len = &lengths[j];
- }
-
- if (buf == NULL) {
- fprintf(stderr, "Unknown line type on line %u\n", line_no);
- return 3;
- }
-
- j = 0;
- for (; line[i] != 0 && line[i] != '\n'; i++) {
- unsigned char v, v2;
- v = hex_digit(line[i++]);
- if (line[i] == 0 || line[i] == '\n') {
- fprintf(stderr, "Odd-length hex data on line %u\n", line_no);
- return 3;
- }
- v2 = hex_digit(line[i]);
- if (v > 15 || v2 > 15) {
- fprintf(stderr, "Invalid hex char on line %u\n", line_no);
- return 3;
- }
- v <<= 4;
- v |= v2;
-
- if (j == BUF_MAX) {
- fprintf(stderr, "Too much hex data on line %u (max is %u bytes)\n",
- line_no, (unsigned)BUF_MAX);
- return 3;
- }
- buf[j++] = v;
- *buf_len = *buf_len + 1;
- }
- }
-
- printf("Completed %u test cases\n", num_tests);
- printf("PASS\n");
- fclose(f);
-
- return 0;
-}
diff --git a/src/crypto/cipher/aead_test.cc b/src/crypto/cipher/aead_test.cc
new file mode 100644
index 0000000..e4b75d6
--- /dev/null
+++ b/src/crypto/cipher/aead_test.cc
@@ -0,0 +1,276 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdint.h>
+#include <string.h>
+
+#include <vector>
+
+#include <openssl/aead.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#include "../test/file_test.h"
+#include "../test/stl_compat.h"
+
+
+// This program tests an AEAD against a series of test vectors from a file,
+// using the FileTest format. As an example, here's a valid test case:
+//
+// KEY: 5a19f3173586b4c42f8412f4d5a786531b3231753e9e00998aec12fda8df10e4
+// NONCE: 978105dfce667bf4
+// IN: 6a4583908d
+// AD: b654574932
+// CT: 5294265a60
+// TAG: 1d45758621762e061368e68868e2f929
+
+// EVP_AEAD_CTX lacks a zero state, so it doesn't fit easily into
+// ScopedOpenSSLContext.
+class EVP_AEAD_CTXScoper {
+ public:
+ EVP_AEAD_CTXScoper(EVP_AEAD_CTX *ctx) : ctx_(ctx) {}
+ ~EVP_AEAD_CTXScoper() {
+ EVP_AEAD_CTX_cleanup(ctx_);
+ }
+ private:
+ EVP_AEAD_CTX *ctx_;
+};
+
+static bool TestAEAD(FileTest *t, void *arg) {
+ const EVP_AEAD *aead = reinterpret_cast<const EVP_AEAD*>(arg);
+
+ std::vector<uint8_t> key, nonce, in, ad, ct, tag;
+ if (!t->GetBytes(&key, "KEY") ||
+ !t->GetBytes(&nonce, "NONCE") ||
+ !t->GetBytes(&in, "IN") ||
+ !t->GetBytes(&ad, "AD") ||
+ !t->GetBytes(&ct, "CT") ||
+ !t->GetBytes(&tag, "TAG")) {
+ return false;
+ }
+
+ EVP_AEAD_CTX ctx;
+ if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+ key.size(), tag.size(),
+ evp_aead_seal)) {
+ t->PrintLine("Failed to init AEAD.");
+ return false;
+ }
+ EVP_AEAD_CTXScoper cleanup(&ctx);
+
+ std::vector<uint8_t> out(in.size() + EVP_AEAD_max_overhead(aead));
+ if (!t->HasAttribute("NO_SEAL")) {
+ size_t out_len;
+ if (!EVP_AEAD_CTX_seal(&ctx, bssl::vector_data(&out), &out_len, out.size(),
+ bssl::vector_data(&nonce), nonce.size(),
+ bssl::vector_data(&in), in.size(),
+ bssl::vector_data(&ad), ad.size())) {
+ t->PrintLine("Failed to run AEAD.");
+ return false;
+ }
+ out.resize(out_len);
+
+ if (out.size() != ct.size() + tag.size()) {
+ t->PrintLine("Bad output length: %u vs %u.", (unsigned)out_len,
+ (unsigned)(ct.size() + tag.size()));
+ return false;
+ }
+ if (!t->ExpectBytesEqual(bssl::vector_data(&ct), ct.size(),
+ bssl::vector_data(&out), ct.size()) ||
+ !t->ExpectBytesEqual(bssl::vector_data(&tag), tag.size(),
+ bssl::vector_data(&out) + ct.size(), tag.size())) {
+ return false;
+ }
+ } else {
+ out.resize(ct.size() + tag.size());
+ memcpy(bssl::vector_data(&out), bssl::vector_data(&ct), ct.size());
+ memcpy(bssl::vector_data(&out) + ct.size(), bssl::vector_data(&tag),
+ tag.size());
+ }
+
+ // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+ // reset after each operation.
+ EVP_AEAD_CTX_cleanup(&ctx);
+ if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+ key.size(), tag.size(),
+ evp_aead_open)) {
+ t->PrintLine("Failed to init AEAD.");
+ return false;
+ }
+
+ std::vector<uint8_t> out2(out.size());
+ size_t out2_len;
+ int ret = EVP_AEAD_CTX_open(&ctx,
+ bssl::vector_data(&out2), &out2_len, out2.size(),
+ bssl::vector_data(&nonce), nonce.size(),
+ bssl::vector_data(&out), out.size(),
+ bssl::vector_data(&ad), ad.size());
+ if (t->HasAttribute("FAILS")) {
+ if (ret) {
+ t->PrintLine("Decrypted bad data.");
+ return false;
+ }
+ ERR_clear_error();
+ return true;
+ }
+
+ if (!ret) {
+ t->PrintLine("Failed to decrypt.");
+ return false;
+ }
+ out2.resize(out2_len);
+ if (!t->ExpectBytesEqual(bssl::vector_data(&in), in.size(),
+ bssl::vector_data(&out2), out2.size())) {
+ return false;
+ }
+
+ // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+ // reset after each operation.
+ EVP_AEAD_CTX_cleanup(&ctx);
+ if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+ key.size(), tag.size(),
+ evp_aead_open)) {
+ t->PrintLine("Failed to init AEAD.");
+ return false;
+ }
+
+ // Garbage at the end isn't ignored.
+ out.push_back(0);
+ out2.resize(out.size());
+ if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(),
+ bssl::vector_data(&nonce), nonce.size(),
+ bssl::vector_data(&out), out.size(),
+ bssl::vector_data(&ad), ad.size())) {
+ t->PrintLine("Decrypted bad data with trailing garbage.");
+ return false;
+ }
+ ERR_clear_error();
+
+ // The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
+ // reset after each operation.
+ EVP_AEAD_CTX_cleanup(&ctx);
+ if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, bssl::vector_data(&key),
+ key.size(), tag.size(),
+ evp_aead_open)) {
+ t->PrintLine("Failed to init AEAD.");
+ return false;
+ }
+
+ // Verify integrity is checked.
+ out[0] ^= 0x80;
+ out.resize(out.size() - 1);
+ out2.resize(out.size());
+ if (EVP_AEAD_CTX_open(&ctx, bssl::vector_data(&out2), &out2_len, out2.size(),
+ bssl::vector_data(&nonce), nonce.size(),
+ bssl::vector_data(&out), out.size(),
+ bssl::vector_data(&ad), ad.size())) {
+ t->PrintLine("Decrypted bad data with corrupted byte.");
+ return false;
+ }
+ ERR_clear_error();
+
+ return true;
+}
+
+static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) {
+ EVP_AEAD_CTX ctx;
+ uint8_t key[128];
+
+ memset(key, 0, sizeof(key));
+ const size_t key_len = EVP_AEAD_key_length(aead);
+ if (key_len > sizeof(key)) {
+ fprintf(stderr, "Key length of AEAD too long.\n");
+ return 0;
+ }
+
+ if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
+ 9999 /* a silly tag length to trigger an error */,
+ NULL /* ENGINE */) != 0) {
+ fprintf(stderr, "A silly tag length didn't trigger an error!\n");
+ return 0;
+ }
+
+ /* Running a second, failed _init should not cause a memory leak. */
+ if (EVP_AEAD_CTX_init(&ctx, aead, key, key_len,
+ 9999 /* a silly tag length to trigger an error */,
+ NULL /* ENGINE */) != 0) {
+ fprintf(stderr, "A silly tag length didn't trigger an error!\n");
+ return 0;
+ }
+
+ /* Calling _cleanup on an |EVP_AEAD_CTX| after a failed _init should be a
+ * no-op. */
+ EVP_AEAD_CTX_cleanup(&ctx);
+ return 1;
+}
+
+struct AEADName {
+ const char name[40];
+ const EVP_AEAD *(*func)(void);
+};
+
+static const struct AEADName kAEADs[] = {
+ { "aes-128-gcm", EVP_aead_aes_128_gcm },
+ { "aes-256-gcm", EVP_aead_aes_256_gcm },
+ { "chacha20-poly1305", EVP_aead_chacha20_poly1305 },
+ { "rc4-md5-tls", EVP_aead_rc4_md5_tls },
+ { "rc4-sha1-tls", EVP_aead_rc4_sha1_tls },
+ { "aes-128-cbc-sha1-tls", EVP_aead_aes_128_cbc_sha1_tls },
+ { "aes-128-cbc-sha1-tls-implicit-iv", EVP_aead_aes_128_cbc_sha1_tls_implicit_iv },
+ { "aes-128-cbc-sha256-tls", EVP_aead_aes_128_cbc_sha256_tls },
+ { "aes-256-cbc-sha1-tls", EVP_aead_aes_256_cbc_sha1_tls },
+ { "aes-256-cbc-sha1-tls-implicit-iv", EVP_aead_aes_256_cbc_sha1_tls_implicit_iv },
+ { "aes-256-cbc-sha256-tls", EVP_aead_aes_256_cbc_sha256_tls },
+ { "aes-256-cbc-sha384-tls", EVP_aead_aes_256_cbc_sha384_tls },
+ { "des-ede3-cbc-sha1-tls", EVP_aead_des_ede3_cbc_sha1_tls },
+ { "des-ede3-cbc-sha1-tls-implicit-iv", EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv },
+ { "rc4-md5-ssl3", EVP_aead_rc4_md5_ssl3 },
+ { "rc4-sha1-ssl3", EVP_aead_rc4_sha1_ssl3 },
+ { "aes-128-cbc-sha1-ssl3", EVP_aead_aes_128_cbc_sha1_ssl3 },
+ { "aes-256-cbc-sha1-ssl3", EVP_aead_aes_256_cbc_sha1_ssl3 },
+ { "des-ede3-cbc-sha1-ssl3", EVP_aead_des_ede3_cbc_sha1_ssl3 },
+ { "aes-128-key-wrap", EVP_aead_aes_128_key_wrap },
+ { "aes-256-key-wrap", EVP_aead_aes_256_key_wrap },
+ { "aes-128-ctr-hmac-sha256", EVP_aead_aes_128_ctr_hmac_sha256 },
+ { "aes-256-ctr-hmac-sha256", EVP_aead_aes_256_ctr_hmac_sha256 },
+ { "", NULL },
+};
+
+int main(int argc, char **argv) {
+ CRYPTO_library_init();
+
+ if (argc != 3) {
+ fprintf(stderr, "%s <aead> <test file.txt>\n", argv[0]);
+ return 1;
+ }
+
+ const EVP_AEAD *aead;
+ for (unsigned i = 0;; i++) {
+ const struct AEADName &aead_name = kAEADs[i];
+ if (aead_name.func == NULL) {
+ fprintf(stderr, "Unknown AEAD: %s\n", argv[1]);
+ return 2;
+ }
+ if (strcmp(aead_name.name, argv[1]) == 0) {
+ aead = aead_name.func();
+ break;
+ }
+ }
+
+ if (!TestCleanupAfterInitFailure(aead)) {
+ return 1;
+ }
+
+ return FileTestMain(TestAEAD, const_cast<EVP_AEAD*>(aead), argv[2]);
+}
diff --git a/src/crypto/cipher/cipher.c b/src/crypto/cipher/cipher.c
index 4bb4196..1dcfd06 100644
--- a/src/crypto/cipher/cipher.c
+++ b/src/crypto/cipher/cipher.c
@@ -94,8 +94,8 @@
}
int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) {
- if (c->cipher != NULL && c->cipher->cleanup && !c->cipher->cleanup(c)) {
- return 0;
+ if (c->cipher != NULL && c->cipher->cleanup) {
+ c->cipher->cleanup(c);
}
if (c->cipher_data) {
@@ -197,7 +197,6 @@
break;
case EVP_CIPH_CFB_MODE:
- case EVP_CIPH_OFB_MODE:
ctx->num = 0;
/* fall-through */
@@ -210,6 +209,7 @@
break;
case EVP_CIPH_CTR_MODE:
+ case EVP_CIPH_OFB_MODE:
ctx->num = 0;
/* Don't reuse IV for CTR mode */
if (iv) {
@@ -582,10 +582,6 @@
int EVP_CIPHER_nid(const EVP_CIPHER *cipher) { return cipher->nid; }
-const char *EVP_CIPHER_name(const EVP_CIPHER *cipher) {
- return OBJ_nid2sn(cipher->nid);
-}
-
unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher) {
return cipher->block_size;
}
diff --git a/src/crypto/cipher/cipher_error.c b/src/crypto/cipher/cipher_error.c
deleted file mode 100644
index 95230f6..0000000
--- a/src/crypto/cipher/cipher_error.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/cipher.h>
-
-const ERR_STRING_DATA CIPHER_error_string_data[] = {
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_AEAD_CTX_init, 0), "EVP_AEAD_CTX_init"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_AEAD_CTX_open, 0), "EVP_AEAD_CTX_open"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_AEAD_CTX_seal, 0), "EVP_AEAD_CTX_seal"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_CIPHER_CTX_copy, 0), "EVP_CIPHER_CTX_copy"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_CIPHER_CTX_ctrl, 0), "EVP_CIPHER_CTX_ctrl"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_CIPHER_CTX_set_key_length, 0), "EVP_CIPHER_CTX_set_key_length"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_CipherInit_ex, 0), "EVP_CipherInit_ex"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_DecryptFinal_ex, 0), "EVP_DecryptFinal_ex"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_EVP_EncryptFinal_ex, 0), "EVP_EncryptFinal_ex"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_gcm_init, 0), "aead_aes_gcm_init"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_gcm_open, 0), "aead_aes_gcm_open"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_gcm_seal, 0), "aead_aes_gcm_seal"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_key_wrap_init, 0), "aead_aes_key_wrap_init"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_key_wrap_open, 0), "aead_aes_key_wrap_open"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_aes_key_wrap_seal, 0), "aead_aes_key_wrap_seal"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_chacha20_poly1305_init, 0), "aead_chacha20_poly1305_init"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_chacha20_poly1305_open, 0), "aead_chacha20_poly1305_open"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_chacha20_poly1305_seal, 0), "aead_chacha20_poly1305_seal"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_rc4_md5_tls_init, 0), "aead_rc4_md5_tls_init"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_rc4_md5_tls_open, 0), "aead_rc4_md5_tls_open"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_rc4_md5_tls_seal, 0), "aead_rc4_md5_tls_seal"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_ssl3_ensure_cipher_init, 0), "aead_ssl3_ensure_cipher_init"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_ssl3_init, 0), "aead_ssl3_init"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_ssl3_open, 0), "aead_ssl3_open"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_ssl3_seal, 0), "aead_ssl3_seal"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_tls_ensure_cipher_init, 0), "aead_tls_ensure_cipher_init"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_tls_init, 0), "aead_tls_init"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_tls_open, 0), "aead_tls_open"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aead_tls_seal, 0), "aead_tls_seal"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aes_init_key, 0), "aes_init_key"},
- {ERR_PACK(ERR_LIB_CIPHER, CIPHER_F_aesni_init_key, 0), "aesni_init_key"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_AES_KEY_SETUP_FAILED), "AES_KEY_SETUP_FAILED"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_BAD_DECRYPT), "BAD_DECRYPT"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_BAD_KEY_LENGTH), "BAD_KEY_LENGTH"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_BUFFER_TOO_SMALL), "BUFFER_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_CTRL_NOT_IMPLEMENTED), "CTRL_NOT_IMPLEMENTED"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED), "CTRL_OPERATION_NOT_IMPLEMENTED"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH), "DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INITIALIZATION_ERROR), "INITIALIZATION_ERROR"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INPUT_NOT_INITIALIZED), "INPUT_NOT_INITIALIZED"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_AD), "INVALID_AD"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_AD_SIZE), "INVALID_AD_SIZE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_KEY_LENGTH), "INVALID_KEY_LENGTH"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_NONCE_SIZE), "INVALID_NONCE_SIZE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_INVALID_OPERATION), "INVALID_OPERATION"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_IV_TOO_LARGE), "IV_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_NO_CIPHER_SET), "NO_CIPHER_SET"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_OUTPUT_ALIASES_INPUT), "OUTPUT_ALIASES_INPUT"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_TAG_TOO_LARGE), "TAG_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_TOO_LARGE), "TOO_LARGE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_AD_SIZE), "UNSUPPORTED_AD_SIZE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_INPUT_SIZE), "UNSUPPORTED_INPUT_SIZE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_KEY_SIZE), "UNSUPPORTED_KEY_SIZE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_NONCE_SIZE), "UNSUPPORTED_NONCE_SIZE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_UNSUPPORTED_TAG_SIZE), "UNSUPPORTED_TAG_SIZE"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_WRAP_MODE_NOT_ALLOWED), "WRAP_MODE_NOT_ALLOWED"},
- {ERR_PACK(ERR_LIB_CIPHER, 0, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH), "WRONG_FINAL_BLOCK_LENGTH"},
- {0, NULL},
-};
diff --git a/src/crypto/cipher/cipher_test.c b/src/crypto/cipher/cipher_test.c
index 2b04ad5..390262f 100644
--- a/src/crypto/cipher/cipher_test.c
+++ b/src/crypto/cipher/cipher_test.c
@@ -54,10 +54,9 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
-#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
-#include <openssl/bio.h>
#include <openssl/cipher.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
@@ -68,8 +67,9 @@
fprintf(f, "%s", title);
for (; n < l; ++n) {
- if ((n % 16) == 0)
+ if ((n % 16) == 0) {
fprintf(f, "\n%04x", n);
+ }
fprintf(f, " %02x", s[n]);
}
fprintf(f, "\n");
@@ -123,15 +123,16 @@
return (uint8_t *)sstrsep(p, sep);
}
-static void test1(const EVP_CIPHER *c, const uint8_t *key, int kn,
- const uint8_t *iv, int in, const uint8_t *plaintext, int pn,
- const uint8_t *ciphertext, int cn, const uint8_t *aad, int an,
- const uint8_t *tag, int tn, int encdec) {
+static void test1(const char* cipher_name, const EVP_CIPHER *c,
+ const uint8_t *key, int kn, const uint8_t *iv, int in,
+ const uint8_t *plaintext, int pn, const uint8_t *ciphertext,
+ int cn, const uint8_t *aad, int an, const uint8_t *tag,
+ int tn, int encdec) {
EVP_CIPHER_CTX ctx;
uint8_t out[4096];
int outl, outl2, mode;
- printf("Testing cipher %s%s\n", EVP_CIPHER_name(c),
+ printf("Testing cipher %s%s\n", cipher_name,
(encdec == 1 ? "(encrypt)"
: (encdec == 0 ? "(decrypt)" : "(encrypt/decrypt)")));
hexdump(stdout, "Key", key, kn);
@@ -157,39 +158,39 @@
if (mode == EVP_CIPH_GCM_MODE) {
if (!EVP_EncryptInit_ex(&ctx, c, NULL, NULL, NULL)) {
fprintf(stderr, "EncryptInit failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(10);
}
if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, in, NULL)) {
fprintf(stderr, "IV length set failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(11);
}
if (!EVP_EncryptInit_ex(&ctx, NULL, NULL, key, iv)) {
fprintf(stderr, "Key/IV set failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(12);
}
if (an && !EVP_EncryptUpdate(&ctx, NULL, &outl, aad, an)) {
fprintf(stderr, "AAD set failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(13);
}
} else if (!EVP_EncryptInit_ex(&ctx, c, NULL, key, iv)) {
fprintf(stderr, "EncryptInit failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(10);
}
EVP_CIPHER_CTX_set_padding(&ctx, 0);
if (!EVP_EncryptUpdate(&ctx, out, &outl, plaintext, pn)) {
fprintf(stderr, "Encrypt failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(6);
}
if (!EVP_EncryptFinal_ex(&ctx, out + outl, &outl2)) {
fprintf(stderr, "EncryptFinal failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(7);
}
@@ -212,7 +213,7 @@
*/
if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, tn, rtag)) {
fprintf(stderr, "Get tag failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(14);
}
if (memcmp(rtag, tag, tn)) {
@@ -228,45 +229,45 @@
if (mode == EVP_CIPH_GCM_MODE) {
if (!EVP_DecryptInit_ex(&ctx, c, NULL, NULL, NULL)) {
fprintf(stderr, "EncryptInit failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(10);
}
if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, in, NULL)) {
fprintf(stderr, "IV length set failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(11);
}
if (!EVP_DecryptInit_ex(&ctx, NULL, NULL, key, iv)) {
fprintf(stderr, "Key/IV set failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(12);
}
if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, tn, (void *)tag)) {
fprintf(stderr, "Set tag failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(14);
}
if (an && !EVP_DecryptUpdate(&ctx, NULL, &outl, aad, an)) {
fprintf(stderr, "AAD set failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(13);
}
} else if (!EVP_DecryptInit_ex(&ctx, c, NULL, key, iv)) {
fprintf(stderr, "DecryptInit failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(11);
}
EVP_CIPHER_CTX_set_padding(&ctx, 0);
if (!EVP_DecryptUpdate(&ctx, out, &outl, ciphertext, cn)) {
fprintf(stderr, "Decrypt failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(6);
}
outl2 = 0;
if (!EVP_DecryptFinal_ex(&ctx, out + outl, &outl2)) {
fprintf(stderr, "DecryptFinal failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
exit(7);
}
@@ -310,6 +311,12 @@
c = EVP_aes_128_cbc();
} else if (strcmp(cipher, "AES-128-GCM") == 0) {
c = EVP_aes_128_gcm();
+ } else if (strcmp(cipher, "AES-128-OFB") == 0) {
+ c = EVP_aes_128_ofb();
+ } else if (strcmp(cipher, "AES-192-CBC") == 0) {
+ c = EVP_aes_192_cbc();
+ } else if (strcmp(cipher, "AES-192-ECB") == 0) {
+ c = EVP_aes_192_ecb();
} else if (strcmp(cipher, "AES-256-CBC") == 0) {
c = EVP_aes_256_cbc();
} else if (strcmp(cipher, "AES-128-CTR") == 0) {
@@ -318,13 +325,15 @@
c = EVP_aes_256_ctr();
} else if (strcmp(cipher, "AES-256-GCM") == 0) {
c = EVP_aes_256_gcm();
+ } else if (strcmp(cipher, "AES-256-OFB") == 0) {
+ c = EVP_aes_256_ofb();
} else {
fprintf(stderr, "Unknown cipher type %s\n", cipher);
return 0;
}
- test1(c, key, kn, iv, in, plaintext, pn, ciphertext, cn, aad, an, tag, tn,
- encdec);
+ test1(cipher, c, key, kn, iv, in, plaintext, pn, ciphertext, cn, aad, an,
+ tag, tn, encdec);
return 1;
}
@@ -388,8 +397,9 @@
if (p[-1] == '\n') {
encdec = -1;
p[-1] = '\0';
- } else
+ } else {
encdec = atoi(sstrsep(&p, "\n"));
+ }
}
kn = convert(key);
diff --git a/src/crypto/cipher/e_aes.c b/src/crypto/cipher/e_aes.c
index a86e830..eacbd10 100644
--- a/src/crypto/cipher/e_aes.c
+++ b/src/crypto/cipher/e_aes.c
@@ -57,8 +57,10 @@
#include <openssl/modes.h>
#include <openssl/obj.h>
#include <openssl/rand.h>
+#include <openssl/sha.h>
#include "internal.h"
+#include "../internal.h"
#include "../modes/internal.h"
#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
@@ -281,7 +283,8 @@
#endif
static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
- const uint8_t *iv, int enc) {
+ const uint8_t *iv, int enc)
+ OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
int ret, mode;
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
@@ -342,8 +345,8 @@
return 1;
}
-static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, size_t len) {
+static int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+ size_t len) {
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
if (dat->stream.cbc) {
@@ -357,8 +360,8 @@
return 1;
}
-static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, size_t len) {
+static int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+ size_t len) {
size_t bl = ctx->cipher->block_size;
size_t i;
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
@@ -374,8 +377,8 @@
return 1;
}
-static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, size_t len) {
+static int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+ size_t len) {
unsigned int num = ctx->num;
EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
@@ -390,28 +393,71 @@
return 1;
}
-static ctr128_f aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
- const uint8_t *key, size_t key_len) {
+static int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
+ size_t len) {
+ EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+
+ CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num, dat->block);
+ return 1;
+}
+
+static char aesni_capable(void);
+
+static ctr128_f aes_ctr_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
+ block128_f *out_block, const uint8_t *key,
+ size_t key_len)
+ OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
+ if (aesni_capable()) {
+ aesni_set_encrypt_key(key, key_len * 8, aes_key);
+ if (gcm_ctx != NULL) {
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aesni_encrypt);
+ }
+ if (out_block) {
+ *out_block = (block128_f) aesni_encrypt;
+ }
+ return (ctr128_f)aesni_ctr32_encrypt_blocks;
+ }
+
if (hwaes_capable()) {
aes_v8_set_encrypt_key(key, key_len * 8, aes_key);
- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aes_v8_encrypt);
+ if (gcm_ctx != NULL) {
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)aes_v8_encrypt);
+ }
+ if (out_block) {
+ *out_block = (block128_f) aes_v8_encrypt;
+ }
return (ctr128_f)aes_v8_ctr32_encrypt_blocks;
}
if (bsaes_capable()) {
AES_set_encrypt_key(key, key_len * 8, aes_key);
- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+ if (gcm_ctx != NULL) {
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+ }
+ if (out_block) {
+ *out_block = (block128_f) AES_encrypt;
+ }
return (ctr128_f)bsaes_ctr32_encrypt_blocks;
}
if (vpaes_capable()) {
vpaes_set_encrypt_key(key, key_len * 8, aes_key);
- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
+ if (out_block) {
+ *out_block = (block128_f) vpaes_encrypt;
+ }
+ if (gcm_ctx != NULL) {
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
+ }
return NULL;
}
AES_set_encrypt_key(key, key_len * 8, aes_key);
- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+ if (gcm_ctx != NULL) {
+ CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
+ }
+ if (out_block) {
+ *out_block = (block128_f) AES_encrypt;
+ }
return NULL;
}
@@ -422,7 +468,8 @@
return 1;
}
if (key) {
- gctx->ctr = aes_gcm_set_key(&gctx->ks.ks, &gctx->gcm, key, ctx->key_len);
+ gctx->ctr =
+ aes_ctr_set_key(&gctx->ks.ks, &gctx->gcm, NULL, key, ctx->key_len);
/* If we have an iv can set it directly, otherwise use saved IV. */
if (iv == NULL && gctx->iv_set) {
iv = gctx->iv;
@@ -445,13 +492,12 @@
return 1;
}
-static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) {
+static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) {
EVP_AES_GCM_CTX *gctx = c->cipher_data;
OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));
if (gctx->iv != c->iv) {
OPENSSL_free(gctx->iv);
}
- return 1;
}
/* increment counter (64-bit int) by 1 */
@@ -697,6 +743,12 @@
NULL /* app_data */, aes_init_key, aes_ecb_cipher,
NULL /* cleanup */, NULL /* ctrl */};
+static const EVP_CIPHER aes_128_ofb = {
+ NID_aes_128_ofb128, 1 /* block_size */, 16 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+ NULL /* app_data */, aes_init_key, aes_ofb_cipher,
+ NULL /* cleanup */, NULL /* ctrl */};
+
static const EVP_CIPHER aes_128_gcm = {
NID_aes_128_gcm, 1 /* block_size */, 16 /* key_size */, 12 /* iv_len */,
sizeof(EVP_AES_GCM_CTX),
@@ -736,25 +788,31 @@
static const EVP_CIPHER aes_256_cbc = {
- NID_aes_128_cbc, 16 /* block_size */, 32 /* key_size */,
+ NID_aes_256_cbc, 16 /* block_size */, 32 /* key_size */,
16 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
NULL /* app_data */, aes_init_key, aes_cbc_cipher,
NULL /* cleanup */, NULL /* ctrl */};
static const EVP_CIPHER aes_256_ctr = {
- NID_aes_128_ctr, 1 /* block_size */, 32 /* key_size */,
+ NID_aes_256_ctr, 1 /* block_size */, 32 /* key_size */,
16 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
NULL /* app_data */, aes_init_key, aes_ctr_cipher,
NULL /* cleanup */, NULL /* ctrl */};
static const EVP_CIPHER aes_256_ecb = {
- NID_aes_128_ecb, 16 /* block_size */, 32 /* key_size */,
+ NID_aes_256_ecb, 16 /* block_size */, 32 /* key_size */,
0 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
NULL /* app_data */, aes_init_key, aes_ecb_cipher,
NULL /* cleanup */, NULL /* ctrl */};
+static const EVP_CIPHER aes_256_ofb = {
+ NID_aes_256_ofb128, 1 /* block_size */, 32 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+ NULL /* app_data */, aes_init_key, aes_ofb_cipher,
+ NULL /* cleanup */, NULL /* ctrl */};
+
static const EVP_CIPHER aes_256_gcm = {
- NID_aes_128_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
+ NID_aes_256_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
sizeof(EVP_AES_GCM_CTX),
EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
@@ -873,6 +931,12 @@
NULL /* app_data */, aesni_init_key, aesni_ecb_cipher,
NULL /* cleanup */, NULL /* ctrl */};
+static const EVP_CIPHER aesni_128_ofb = {
+ NID_aes_128_ofb128, 1 /* block_size */, 16 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+ NULL /* app_data */, aesni_init_key, aes_ofb_cipher,
+ NULL /* cleanup */, NULL /* ctrl */};
+
static const EVP_CIPHER aesni_128_gcm = {
NID_aes_128_gcm, 1 /* block_size */, 16 /* key_size */, 12 /* iv_len */,
sizeof(EVP_AES_GCM_CTX),
@@ -912,23 +976,29 @@
static const EVP_CIPHER aesni_256_cbc = {
- NID_aes_128_cbc, 16 /* block_size */, 32 /* key_size */,
+ NID_aes_256_cbc, 16 /* block_size */, 32 /* key_size */,
16 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_CBC_MODE,
NULL /* app_data */, aesni_init_key, aesni_cbc_cipher,
NULL /* cleanup */, NULL /* ctrl */};
static const EVP_CIPHER aesni_256_ctr = {
- NID_aes_128_ctr, 1 /* block_size */, 32 /* key_size */,
+ NID_aes_256_ctr, 1 /* block_size */, 32 /* key_size */,
16 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_CTR_MODE,
NULL /* app_data */, aesni_init_key, aes_ctr_cipher,
NULL /* cleanup */, NULL /* ctrl */};
static const EVP_CIPHER aesni_256_ecb = {
- NID_aes_128_ecb, 16 /* block_size */, 32 /* key_size */,
+ NID_aes_256_ecb, 16 /* block_size */, 32 /* key_size */,
0 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_ECB_MODE,
NULL /* app_data */, aesni_init_key, aesni_ecb_cipher,
NULL /* cleanup */, NULL /* ctrl */};
+static const EVP_CIPHER aesni_256_ofb = {
+ NID_aes_256_ofb128, 1 /* block_size */, 32 /* key_size */,
+ 16 /* iv_len */, sizeof(EVP_AES_KEY), EVP_CIPH_OFB_MODE,
+ NULL /* app_data */, aesni_init_key, aes_ofb_cipher,
+ NULL /* cleanup */, NULL /* ctrl */};
+
static const EVP_CIPHER aesni_256_gcm = {
NID_aes_256_gcm, 1 /* block_size */, 32 /* key_size */, 12 /* iv_len */,
sizeof(EVP_AES_GCM_CTX),
@@ -963,6 +1033,7 @@
EVP_CIPHER_FUNCTION(128, cbc)
EVP_CIPHER_FUNCTION(128, ctr)
EVP_CIPHER_FUNCTION(128, ecb)
+EVP_CIPHER_FUNCTION(128, ofb)
EVP_CIPHER_FUNCTION(128, gcm)
EVP_CIPHER_FUNCTION(192, cbc)
@@ -973,6 +1044,7 @@
EVP_CIPHER_FUNCTION(256, cbc)
EVP_CIPHER_FUNCTION(256, ctr)
EVP_CIPHER_FUNCTION(256, ecb)
+EVP_CIPHER_FUNCTION(256, ofb)
EVP_CIPHER_FUNCTION(256, gcm)
@@ -1012,15 +1084,8 @@
return 0;
}
- if (aesni_capable()) {
- aesni_set_encrypt_key(key, key_len * 8, &gcm_ctx->ks.ks);
- CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
- (block128_f)aesni_encrypt);
- gcm_ctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
- } else {
- gcm_ctx->ctr =
- aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, key, key_len);
- }
+ gcm_ctx->ctr =
+ aes_ctr_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm, NULL, key, key_len);
gcm_ctx->tag_len = tag_len;
ctx->aead_state = gcm_ctx;
@@ -1133,8 +1198,12 @@
12, /* nonce len */
EVP_AEAD_AES_GCM_TAG_LEN, /* overhead */
EVP_AEAD_AES_GCM_TAG_LEN, /* max tag length */
- aead_aes_gcm_init, aead_aes_gcm_cleanup,
- aead_aes_gcm_seal, aead_aes_gcm_open,
+ aead_aes_gcm_init,
+ NULL, /* init_with_direction */
+ aead_aes_gcm_cleanup,
+ aead_aes_gcm_seal,
+ aead_aes_gcm_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_256_gcm = {
@@ -1142,8 +1211,12 @@
12, /* nonce len */
EVP_AEAD_AES_GCM_TAG_LEN, /* overhead */
EVP_AEAD_AES_GCM_TAG_LEN, /* max tag length */
- aead_aes_gcm_init, aead_aes_gcm_cleanup,
- aead_aes_gcm_seal, aead_aes_gcm_open,
+ aead_aes_gcm_init,
+ NULL, /* init_with_direction */
+ aead_aes_gcm_cleanup,
+ aead_aes_gcm_seal,
+ aead_aes_gcm_open,
+ NULL, /* get_rc4_state */
};
const EVP_AEAD *EVP_aead_aes_128_gcm(void) { return &aead_aes_128_gcm; }
@@ -1347,7 +1420,7 @@
}
if (in_len < 24) {
- OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT);
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT);
return 0;
}
@@ -1384,7 +1457,7 @@
}
if (CRYPTO_memcmp(A, nonce, 8) != 0) {
- OPENSSL_PUT_ERROR(CIPHER, aead_aes_gcm_open, CIPHER_R_BAD_DECRYPT);
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_key_wrap_open, CIPHER_R_BAD_DECRYPT);
return 0;
}
@@ -1397,8 +1470,12 @@
8, /* nonce len */
8, /* overhead */
8, /* max tag length */
- aead_aes_key_wrap_init, aead_aes_key_wrap_cleanup,
- aead_aes_key_wrap_seal, aead_aes_key_wrap_open,
+ aead_aes_key_wrap_init,
+ NULL, /* init_with_direction */
+ aead_aes_key_wrap_cleanup,
+ aead_aes_key_wrap_seal,
+ aead_aes_key_wrap_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_256_key_wrap = {
@@ -1406,14 +1483,297 @@
8, /* nonce len */
8, /* overhead */
8, /* max tag length */
- aead_aes_key_wrap_init, aead_aes_key_wrap_cleanup,
- aead_aes_key_wrap_seal, aead_aes_key_wrap_open,
+ aead_aes_key_wrap_init,
+ NULL, /* init_with_direction */
+ aead_aes_key_wrap_cleanup,
+ aead_aes_key_wrap_seal,
+ aead_aes_key_wrap_open,
+ NULL, /* get_rc4_state */
};
const EVP_AEAD *EVP_aead_aes_128_key_wrap(void) { return &aead_aes_128_key_wrap; }
const EVP_AEAD *EVP_aead_aes_256_key_wrap(void) { return &aead_aes_256_key_wrap; }
+
+#define EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN SHA256_DIGEST_LENGTH
+#define EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN 12
+
+struct aead_aes_ctr_hmac_sha256_ctx {
+ union {
+ double align;
+ AES_KEY ks;
+ } ks;
+ ctr128_f ctr;
+ block128_f block;
+ SHA256_CTX inner_init_state;
+ SHA256_CTX outer_init_state;
+ uint8_t tag_len;
+};
+
+static void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,
+ const uint8_t hmac_key[32]) {
+ static const size_t hmac_key_len = 32;
+ uint8_t block[SHA256_CBLOCK];
+ memcpy(block, hmac_key, hmac_key_len);
+ memset(block + hmac_key_len, 0x36, sizeof(block) - hmac_key_len);
+
+ unsigned i;
+ for (i = 0; i < hmac_key_len; i++) {
+ block[i] ^= 0x36;
+ }
+
+ SHA256_Init(out_inner);
+ SHA256_Update(out_inner, block, sizeof(block));
+
+ memset(block + hmac_key_len, 0x5c, sizeof(block) - hmac_key_len);
+ for (i = 0; i < hmac_key_len; i++) {
+ block[i] ^= (0x36 ^ 0x5c);
+ }
+
+ SHA256_Init(out_outer);
+ SHA256_Update(out_outer, block, sizeof(block));
+}
+
+static int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
+ size_t key_len, size_t tag_len) {
+ struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx;
+ static const size_t hmac_key_len = 32;
+
+ if (key_len < hmac_key_len) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
+ CIPHER_R_BAD_KEY_LENGTH);
+ return 0; /* EVP_AEAD_CTX_init should catch this. */
+ }
+
+ const size_t aes_key_len = key_len - hmac_key_len;
+ if (aes_key_len != 16 && aes_key_len != 32) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
+ CIPHER_R_BAD_KEY_LENGTH);
+ return 0; /* EVP_AEAD_CTX_init should catch this. */
+ }
+
+ if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
+ tag_len = EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN;
+ }
+
+ if (tag_len > EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
+ CIPHER_R_TAG_TOO_LARGE);
+ return 0;
+ }
+
+ aes_ctx = OPENSSL_malloc(sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
+ if (aes_ctx == NULL) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_init,
+ ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ aes_ctx->ctr =
+ aes_ctr_set_key(&aes_ctx->ks.ks, NULL, &aes_ctx->block, key, aes_key_len);
+ aes_ctx->tag_len = tag_len;
+ hmac_init(&aes_ctx->inner_init_state, &aes_ctx->outer_init_state,
+ key + aes_key_len);
+
+ ctx->aead_state = aes_ctx;
+
+ return 1;
+}
+
+static void aead_aes_ctr_hmac_sha256_cleanup(EVP_AEAD_CTX *ctx) {
+ struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+ OPENSSL_cleanse(aes_ctx, sizeof(struct aead_aes_ctr_hmac_sha256_ctx));
+ OPENSSL_free(aes_ctx);
+}
+
+static void hmac_update_uint64(SHA256_CTX *sha256, uint64_t value) {
+ unsigned i;
+ uint8_t bytes[8];
+
+ for (i = 0; i < sizeof(bytes); i++) {
+ bytes[i] = value & 0xff;
+ value >>= 8;
+ }
+ SHA256_Update(sha256, bytes, sizeof(bytes));
+}
+
+static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],
+ const SHA256_CTX *inner_init_state,
+ const SHA256_CTX *outer_init_state,
+ const uint8_t *ad, size_t ad_len,
+ const uint8_t *nonce, const uint8_t *ciphertext,
+ size_t ciphertext_len) {
+ SHA256_CTX sha256;
+ memcpy(&sha256, inner_init_state, sizeof(sha256));
+ hmac_update_uint64(&sha256, ad_len);
+ hmac_update_uint64(&sha256, ciphertext_len);
+ SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
+ SHA256_Update(&sha256, ad, ad_len);
+
+ /* Pad with zeros to the end of the SHA-256 block. */
+ const unsigned num_padding =
+ (SHA256_CBLOCK - ((sizeof(uint64_t)*2 +
+ EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN + ad_len) %
+ SHA256_CBLOCK)) %
+ SHA256_CBLOCK;
+ uint8_t padding[SHA256_CBLOCK];
+ memset(padding, 0, num_padding);
+ SHA256_Update(&sha256, padding, num_padding);
+
+ SHA256_Update(&sha256, ciphertext, ciphertext_len);
+
+ uint8_t inner_digest[SHA256_DIGEST_LENGTH];
+ SHA256_Final(inner_digest, &sha256);
+
+ memcpy(&sha256, outer_init_state, sizeof(sha256));
+ SHA256_Update(&sha256, inner_digest, sizeof(inner_digest));
+ SHA256_Final(out, &sha256);
+}
+
+static void aead_aes_ctr_hmac_sha256_crypt(
+ const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, uint8_t *out,
+ const uint8_t *in, size_t len, const uint8_t *nonce) {
+ /* Since the AEAD operation is one-shot, keeping a buffer of unused keystream
+ * bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it. */
+ uint8_t partial_block_buffer[AES_BLOCK_SIZE];
+ unsigned partial_block_offset = 0;
+ memset(partial_block_buffer, 0, sizeof(partial_block_buffer));
+
+ uint8_t counter[AES_BLOCK_SIZE];
+ memcpy(counter, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
+ memset(counter + EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN, 0, 4);
+
+ if (aes_ctx->ctr) {
+ CRYPTO_ctr128_encrypt_ctr32(in, out, len, &aes_ctx->ks.ks, counter,
+ partial_block_buffer, &partial_block_offset,
+ aes_ctx->ctr);
+ } else {
+ CRYPTO_ctr128_encrypt(in, out, len, &aes_ctx->ks.ks, counter,
+ partial_block_buffer, &partial_block_offset,
+ aes_ctx->block);
+ }
+}
+
+static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
+ size_t *out_len, size_t max_out_len,
+ const uint8_t *nonce, size_t nonce_len,
+ const uint8_t *in, size_t in_len,
+ const uint8_t *ad, size_t ad_len) {
+ const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+ const uint64_t in_len_64 = in_len;
+
+ if (in_len + aes_ctx->tag_len < in_len ||
+ /* This input is so large it would overflow the 32-bit block counter. */
+ in_len_64 >= (OPENSSL_U64(1) << 32) * AES_BLOCK_SIZE) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal,
+ CIPHER_R_TOO_LARGE);
+ return 0;
+ }
+
+ if (max_out_len < in_len + aes_ctx->tag_len) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal,
+ CIPHER_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_seal,
+ CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+ return 0;
+ }
+
+ aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce);
+
+ uint8_t hmac_result[SHA256_DIGEST_LENGTH];
+ hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
+ &aes_ctx->outer_init_state, ad, ad_len, nonce, out, in_len);
+ memcpy(out + in_len, hmac_result, aes_ctx->tag_len);
+ *out_len = in_len + aes_ctx->tag_len;
+
+ return 1;
+}
+
+static int aead_aes_ctr_hmac_sha256_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
+ size_t *out_len, size_t max_out_len,
+ const uint8_t *nonce, size_t nonce_len,
+ const uint8_t *in, size_t in_len,
+ const uint8_t *ad, size_t ad_len) {
+ const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = ctx->aead_state;
+ size_t plaintext_len;
+
+ if (in_len < aes_ctx->tag_len) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
+ CIPHER_R_BAD_DECRYPT);
+ return 0;
+ }
+
+ plaintext_len = in_len - aes_ctx->tag_len;
+
+ if (max_out_len < plaintext_len) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
+ CIPHER_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
+ CIPHER_R_UNSUPPORTED_NONCE_SIZE);
+ return 0;
+ }
+
+ uint8_t hmac_result[SHA256_DIGEST_LENGTH];
+ hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
+ &aes_ctx->outer_init_state, ad, ad_len, nonce, in,
+ plaintext_len);
+ if (CRYPTO_memcmp(hmac_result, in + plaintext_len, aes_ctx->tag_len) != 0) {
+ OPENSSL_PUT_ERROR(CIPHER, aead_aes_ctr_hmac_sha256_open,
+ CIPHER_R_BAD_DECRYPT);
+ return 0;
+ }
+
+ aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, plaintext_len, nonce);
+
+ *out_len = plaintext_len;
+ return 1;
+}
+
+static const EVP_AEAD aead_aes_128_ctr_hmac_sha256 = {
+ 16 /* AES key */ + 32 /* HMAC key */,
+ 12, /* nonce length */
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* overhead */
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* max tag length */
+
+ aead_aes_ctr_hmac_sha256_init,
+ NULL /* init_with_direction */,
+ aead_aes_ctr_hmac_sha256_cleanup,
+ aead_aes_ctr_hmac_sha256_seal,
+ aead_aes_ctr_hmac_sha256_open,
+ NULL /* get_rc4_state */,
+};
+
+static const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {
+ 32 /* AES key */ + 32 /* HMAC key */,
+ 12, /* nonce length */
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* overhead */
+ EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, /* max tag length */
+
+ aead_aes_ctr_hmac_sha256_init,
+ NULL /* init_with_direction */,
+ aead_aes_ctr_hmac_sha256_cleanup,
+ aead_aes_ctr_hmac_sha256_seal,
+ aead_aes_ctr_hmac_sha256_open,
+ NULL /* get_rc4_state */,
+};
+
+const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void) {
+ return &aead_aes_128_ctr_hmac_sha256;
+}
+
+const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void) {
+ return &aead_aes_256_ctr_hmac_sha256;
+}
+
int EVP_has_aes_hardware(void) {
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
return aesni_capable() && crypto_gcm_clmul_enabled();
diff --git a/src/crypto/cipher/e_chacha20poly1305.c b/src/crypto/cipher/e_chacha20poly1305.c
index 1cdcbca..ebf0088 100644
--- a/src/crypto/cipher/e_chacha20poly1305.c
+++ b/src/crypto/cipher/e_chacha20poly1305.c
@@ -209,8 +209,12 @@
CHACHA20_NONCE_LEN, /* nonce len */
POLY1305_TAG_LEN, /* overhead */
POLY1305_TAG_LEN, /* max tag length */
- aead_chacha20_poly1305_init, aead_chacha20_poly1305_cleanup,
- aead_chacha20_poly1305_seal, aead_chacha20_poly1305_open,
+ aead_chacha20_poly1305_init,
+ NULL, /* init_with_direction */
+ aead_chacha20_poly1305_cleanup,
+ aead_chacha20_poly1305_seal,
+ aead_chacha20_poly1305_open,
+ NULL, /* get_rc4_state */
};
const EVP_AEAD *EVP_aead_chacha20_poly1305(void) {
diff --git a/src/crypto/cipher/e_des.c b/src/crypto/cipher/e_des.c
index d4b04f4..74e1fce 100644
--- a/src/crypto/cipher/e_des.c
+++ b/src/crypto/cipher/e_des.c
@@ -61,8 +61,6 @@
#include "internal.h"
-#define EVP_MAXCHUNK (1<<30)
-
typedef struct {
union {
double align;
@@ -83,18 +81,8 @@
size_t in_len) {
EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data;
- while (in_len >= EVP_MAXCHUNK) {
- DES_ncbc_encrypt(in, out, EVP_MAXCHUNK, &dat->ks.ks, (DES_cblock *)ctx->iv,
- ctx->encrypt);
- in_len -= EVP_MAXCHUNK;
- in += EVP_MAXCHUNK;
- out += EVP_MAXCHUNK;
- }
-
- if (in_len) {
- DES_ncbc_encrypt(in, out, (long)in_len, &dat->ks.ks,
- (DES_cblock *)ctx->iv, ctx->encrypt);
- }
+ DES_ncbc_encrypt(in, out, in_len, &dat->ks.ks, (DES_cblock *)ctx->iv,
+ ctx->encrypt);
return 1;
}
@@ -132,18 +120,8 @@
const uint8_t *in, size_t in_len) {
DES_EDE_KEY *dat = (DES_EDE_KEY*) ctx->cipher_data;
- while (in_len >= EVP_MAXCHUNK) {
- DES_ede3_cbc_encrypt(in, out, EVP_MAXCHUNK, &dat->ks.ks[0], &dat->ks.ks[1],
- &dat->ks.ks[2], (DES_cblock *)ctx->iv, ctx->encrypt);
- in_len -= EVP_MAXCHUNK;
- in += EVP_MAXCHUNK;
- out += EVP_MAXCHUNK;
- }
-
- if (in_len) {
- DES_ede3_cbc_encrypt(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1],
- &dat->ks.ks[2], (DES_cblock *)ctx->iv, ctx->encrypt);
- }
+ DES_ede3_cbc_encrypt(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1],
+ &dat->ks.ks[2], (DES_cblock *)ctx->iv, ctx->encrypt);
return 1;
}
diff --git a/src/crypto/cipher/e_rc4.c b/src/crypto/cipher/e_rc4.c
index 04ddcb6..80dea36 100644
--- a/src/crypto/cipher/e_rc4.c
+++ b/src/crypto/cipher/e_rc4.c
@@ -299,7 +299,9 @@
return 0;
}
- if (max_out_len < plaintext_len) {
+ if (max_out_len < in_len) {
+ /* This requires that the caller provide space for the MAC, even though it
+ * will always be removed on return. */
OPENSSL_PUT_ERROR(CIPHER, aead_rc4_md5_tls_open, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
@@ -372,13 +374,24 @@
return 1;
}
+static int aead_rc4_md5_tls_get_rc4_state(const EVP_AEAD_CTX *ctx,
+ const RC4_KEY **out_key) {
+ struct aead_rc4_md5_tls_ctx *rc4_ctx = ctx->aead_state;
+ *out_key = &rc4_ctx->rc4;
+ return 1;
+}
+
static const EVP_AEAD aead_rc4_md5_tls = {
16 + MD5_DIGEST_LENGTH, /* key len (RC4 + MD5) */
0, /* nonce len */
MD5_DIGEST_LENGTH, /* overhead */
MD5_DIGEST_LENGTH, /* max tag length */
- aead_rc4_md5_tls_init, aead_rc4_md5_tls_cleanup,
- aead_rc4_md5_tls_seal, aead_rc4_md5_tls_open,
+ aead_rc4_md5_tls_init,
+ NULL, /* init_with_direction */
+ aead_rc4_md5_tls_cleanup,
+ aead_rc4_md5_tls_seal,
+ aead_rc4_md5_tls_open,
+ aead_rc4_md5_tls_get_rc4_state,
};
const EVP_AEAD *EVP_aead_rc4_md5_tls(void) { return &aead_rc4_md5_tls; }
diff --git a/src/crypto/cipher/e_ssl3.c b/src/crypto/cipher/e_ssl3.c
index d9dec68..1031d9b 100644
--- a/src/crypto/cipher/e_ssl3.c
+++ b/src/crypto/cipher/e_ssl3.c
@@ -30,17 +30,6 @@
typedef struct {
EVP_CIPHER_CTX cipher_ctx;
EVP_MD_CTX md_ctx;
- /* enc_key is the portion of the key used for the stream or block cipher. It
- * is retained separately to allow the EVP_CIPHER_CTX to be initialized once
- * the direction is known. */
- uint8_t enc_key[EVP_MAX_KEY_LENGTH];
- uint8_t enc_key_len;
- /* iv is the portion of the key used for the fixed IV. It is retained
- * separately to allow the EVP_CIPHER_CTX to be initialized once the direction
- * is known. */
- uint8_t iv[EVP_MAX_IV_LENGTH];
- uint8_t iv_len;
- char initialized;
} AEAD_SSL3_CTX;
static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
@@ -87,15 +76,13 @@
AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
EVP_CIPHER_CTX_cleanup(&ssl3_ctx->cipher_ctx);
EVP_MD_CTX_cleanup(&ssl3_ctx->md_ctx);
- OPENSSL_cleanse(&ssl3_ctx->enc_key, sizeof(ssl3_ctx->enc_key));
- OPENSSL_cleanse(&ssl3_ctx->iv, sizeof(ssl3_ctx->iv));
OPENSSL_free(ssl3_ctx);
ctx->aead_state = NULL;
}
static int aead_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
- size_t tag_len, const EVP_CIPHER *cipher,
- const EVP_MD *md) {
+ size_t tag_len, enum evp_aead_direction_t dir,
+ const EVP_CIPHER *cipher, const EVP_MD *md) {
if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
tag_len != EVP_MD_size(md)) {
OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_init, CIPHER_R_UNSUPPORTED_TAG_SIZE);
@@ -109,11 +96,7 @@
size_t mac_key_len = EVP_MD_size(md);
size_t enc_key_len = EVP_CIPHER_key_length(cipher);
- size_t iv_len = EVP_CIPHER_iv_length(cipher);
- assert(mac_key_len + enc_key_len + iv_len == key_len);
- assert(mac_key_len < 256);
- assert(enc_key_len < 256);
- assert(iv_len < 256);
+ assert(mac_key_len + enc_key_len + EVP_CIPHER_iv_length(cipher) == key_len);
/* Although EVP_rc4() is a variable-length cipher, the default key size is
* correct for SSL3. */
@@ -124,17 +107,15 @@
}
EVP_CIPHER_CTX_init(&ssl3_ctx->cipher_ctx);
EVP_MD_CTX_init(&ssl3_ctx->md_ctx);
- memcpy(ssl3_ctx->enc_key, &key[mac_key_len], enc_key_len);
- ssl3_ctx->enc_key_len = (uint8_t)enc_key_len;
- memcpy(ssl3_ctx->iv, &key[mac_key_len + enc_key_len], iv_len);
- ssl3_ctx->iv_len = (uint8_t)iv_len;
- ssl3_ctx->initialized = 0;
ctx->aead_state = ssl3_ctx;
- if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, NULL, NULL, 0) ||
+ if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
+ &key[mac_key_len + enc_key_len],
+ dir == evp_aead_seal) ||
!EVP_DigestInit_ex(&ssl3_ctx->md_ctx, md, NULL) ||
!EVP_DigestUpdate(&ssl3_ctx->md_ctx, key, mac_key_len)) {
aead_ssl3_cleanup(ctx);
+ ctx->aead_state = NULL;
return 0;
}
EVP_CIPHER_CTX_set_padding(&ssl3_ctx->cipher_ctx, 0);
@@ -142,31 +123,6 @@
return 1;
}
-/* aead_ssl3_ensure_cipher_init initializes |ssl3_ctx| for encryption (or
- * decryption, if |encrypt| is zero). If it has already been initialized, it
- * ensures the direction matches and fails otherwise. It returns one on success
- * and zero on failure.
- *
- * Note that, unlike normal AEADs, legacy SSL3 AEADs may not be used concurrently
- * due to this (and bulk-cipher-internal) statefulness. */
-static int aead_ssl3_ensure_cipher_init(AEAD_SSL3_CTX *ssl3_ctx, int encrypt) {
- if (!ssl3_ctx->initialized) {
- /* Finish initializing the EVP_CIPHER_CTX now that the direction is
- * known. */
- if (!EVP_CipherInit_ex(&ssl3_ctx->cipher_ctx, NULL, NULL, ssl3_ctx->enc_key,
- ssl3_ctx->iv, encrypt)) {
- return 0;
- }
- ssl3_ctx->initialized = 1;
- } else if (ssl3_ctx->cipher_ctx.encrypt != encrypt) {
- /* Unlike a normal AEAD, using an SSL3 AEAD once freezes the direction. */
- OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_ensure_cipher_init,
- CIPHER_R_INVALID_OPERATION);
- return 0;
- }
- return 1;
-}
-
static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *nonce, size_t nonce_len,
@@ -175,6 +131,12 @@
AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
size_t total = 0;
+ if (!ssl3_ctx->cipher_ctx.encrypt) {
+ /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+ OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_seal, CIPHER_R_INVALID_OPERATION);
+ return 0;
+ }
+
if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
in_len > INT_MAX) {
/* EVP_CIPHER takes int as input. */
@@ -197,10 +159,6 @@
return 0;
}
- if (!aead_ssl3_ensure_cipher_init(ssl3_ctx, 1)) {
- return 0;
- }
-
/* Compute the MAC. This must be first in case the operation is being done
* in-place. */
uint8_t mac[EVP_MAX_MD_SIZE];
@@ -257,6 +215,12 @@
const uint8_t *ad, size_t ad_len) {
AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
+ if (ssl3_ctx->cipher_ctx.encrypt) {
+ /* Unlike a normal AEAD, an SSL3 AEAD may only be used in one direction. */
+ OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_INVALID_OPERATION);
+ return 0;
+ }
+
size_t mac_len = EVP_MD_CTX_size(&ssl3_ctx->md_ctx);
if (in_len < mac_len) {
OPENSSL_PUT_ERROR(CIPHER, aead_ssl3_open, CIPHER_R_BAD_DECRYPT);
@@ -286,10 +250,6 @@
return 0;
}
- if (!aead_ssl3_ensure_cipher_init(ssl3_ctx, 0)) {
- return 0;
- }
-
/* Decrypt to get the plaintext + MAC + padding. */
size_t total = 0;
int len;
@@ -337,31 +297,46 @@
return 1;
}
+static int aead_ssl3_get_rc4_state(const EVP_AEAD_CTX *ctx, const RC4_KEY **out_key) {
+ AEAD_SSL3_CTX *ssl3_ctx = (AEAD_SSL3_CTX *)ctx->aead_state;
+ if (EVP_CIPHER_CTX_cipher(&ssl3_ctx->cipher_ctx) != EVP_rc4()) {
+ return 0;
+ }
+
+ *out_key = (RC4_KEY*) ssl3_ctx->cipher_ctx.cipher_data;
+ return 1;
+}
+
static int aead_rc4_md5_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
- size_t key_len, size_t tag_len) {
- return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_rc4(), EVP_md5());
+ size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_md5());
}
static int aead_rc4_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
- size_t key_len, size_t tag_len) {
- return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_rc4(), EVP_sha1());
+ size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1());
}
static int aead_aes_128_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
- size_t key_len, size_t tag_len) {
- return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_aes_128_cbc(),
+ size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
EVP_sha1());
}
static int aead_aes_256_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
- size_t key_len, size_t tag_len) {
- return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+ size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
EVP_sha1());
}
static int aead_des_ede3_cbc_sha1_ssl3_init(EVP_AEAD_CTX *ctx,
- const uint8_t *key, size_t key_len,
- size_t tag_len) {
- return aead_ssl3_init(ctx, key, key_len, tag_len, EVP_des_ede3_cbc(),
+ const uint8_t *key, size_t key_len,
+ size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_ssl3_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
EVP_sha1());
}
@@ -370,10 +345,12 @@
0, /* nonce len */
MD5_DIGEST_LENGTH, /* overhead */
MD5_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_rc4_md5_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_seal,
aead_ssl3_open,
+ aead_ssl3_get_rc4_state,
};
static const EVP_AEAD aead_rc4_sha1_ssl3 = {
@@ -381,10 +358,12 @@
0, /* nonce len */
SHA_DIGEST_LENGTH, /* overhead */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_rc4_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_seal,
aead_ssl3_open,
+ aead_ssl3_get_rc4_state,
};
static const EVP_AEAD aead_aes_128_cbc_sha1_ssl3 = {
@@ -392,10 +371,12 @@
0, /* nonce len */
16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_aes_128_cbc_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_seal,
aead_ssl3_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_256_cbc_sha1_ssl3 = {
@@ -403,10 +384,12 @@
0, /* nonce len */
16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_aes_256_cbc_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_seal,
aead_ssl3_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_des_ede3_cbc_sha1_ssl3 = {
@@ -414,10 +397,12 @@
0, /* nonce len */
8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_des_ede3_cbc_sha1_ssl3_init,
aead_ssl3_cleanup,
aead_ssl3_seal,
aead_ssl3_open,
+ NULL, /* get_rc4_state */
};
const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void) { return &aead_rc4_md5_ssl3; }
diff --git a/src/crypto/cipher/e_tls.c b/src/crypto/cipher/e_tls.c
index 8ac1aae..bed02cb 100644
--- a/src/crypto/cipher/e_tls.c
+++ b/src/crypto/cipher/e_tls.c
@@ -22,6 +22,7 @@
#include <openssl/hmac.h>
#include <openssl/mem.h>
#include <openssl/sha.h>
+#include <openssl/type_check.h>
#include "../crypto/internal.h"
#include "internal.h"
@@ -34,37 +35,26 @@
* separately for the constant-time CBC code. */
uint8_t mac_key[EVP_MAX_MD_SIZE];
uint8_t mac_key_len;
- /* enc_key is the portion of the key used for the stream or block
- * cipher. It is retained separately to allow the EVP_CIPHER_CTX to be
- * initialized once the direction is known. */
- uint8_t enc_key[EVP_MAX_KEY_LENGTH];
- uint8_t enc_key_len;
- /* iv is the portion of the key used for the fixed IV. It is retained
- * separately to allow the EVP_CIPHER_CTX to be initialized once the direction
- * is known. */
- uint8_t iv[EVP_MAX_IV_LENGTH];
- uint8_t iv_len;
/* implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit
* IV. */
char implicit_iv;
- char initialized;
} AEAD_TLS_CTX;
+OPENSSL_COMPILE_ASSERT(EVP_MAX_MD_SIZE < 256, mac_key_len_fits_in_uint8_t);
static void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);
HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);
OPENSSL_cleanse(&tls_ctx->mac_key, sizeof(tls_ctx->mac_key));
- OPENSSL_cleanse(&tls_ctx->enc_key, sizeof(tls_ctx->enc_key));
- OPENSSL_cleanse(&tls_ctx->iv, sizeof(tls_ctx->iv));
OPENSSL_free(tls_ctx);
ctx->aead_state = NULL;
}
static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
- size_t tag_len, const EVP_CIPHER *cipher,
- const EVP_MD *md, char implicit_iv) {
+ size_t tag_len, enum evp_aead_direction_t dir,
+ const EVP_CIPHER *cipher, const EVP_MD *md,
+ char implicit_iv) {
if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&
tag_len != EVP_MD_size(md)) {
OPENSSL_PUT_ERROR(CIPHER, aead_tls_init, CIPHER_R_UNSUPPORTED_TAG_SIZE);
@@ -78,11 +68,8 @@
size_t mac_key_len = EVP_MD_size(md);
size_t enc_key_len = EVP_CIPHER_key_length(cipher);
- size_t iv_len = implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0;
- assert(mac_key_len + enc_key_len + iv_len == key_len);
- assert(mac_key_len < 256);
- assert(enc_key_len < 256);
- assert(iv_len < 256);
+ assert(mac_key_len + enc_key_len +
+ (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);
/* Although EVP_rc4() is a variable-length cipher, the default key size is
* correct for TLS. */
@@ -93,19 +80,18 @@
}
EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
HMAC_CTX_init(&tls_ctx->hmac_ctx);
+ assert(mac_key_len <= EVP_MAX_MD_SIZE);
memcpy(tls_ctx->mac_key, key, mac_key_len);
tls_ctx->mac_key_len = (uint8_t)mac_key_len;
- memcpy(tls_ctx->enc_key, &key[mac_key_len], enc_key_len);
- tls_ctx->enc_key_len = (uint8_t)enc_key_len;
- memcpy(tls_ctx->iv, &key[mac_key_len + enc_key_len], iv_len);
- tls_ctx->iv_len = (uint8_t)iv_len;
tls_ctx->implicit_iv = implicit_iv;
- tls_ctx->initialized = 0;
ctx->aead_state = tls_ctx;
- if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, NULL, NULL, 0) ||
+ if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],
+ implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,
+ dir == evp_aead_seal) ||
!HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {
aead_tls_cleanup(ctx);
+ ctx->aead_state = NULL;
return 0;
}
EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);
@@ -113,32 +99,6 @@
return 1;
}
-/* aead_tls_ensure_cipher_init initializes |tls_ctx| for encryption (or
- * decryption, if |encrypt| is zero). If it has already been initialized, it
- * ensures the direction matches and fails otherwise. It returns one on success
- * and zero on failure.
- *
- * Note that, unlike normal AEADs, legacy TLS AEADs may not be used concurrently
- * due to this (and bulk-cipher-internal) statefulness. */
-static int aead_tls_ensure_cipher_init(AEAD_TLS_CTX *tls_ctx, int encrypt) {
- if (!tls_ctx->initialized) {
- /* Finish initializing the EVP_CIPHER_CTX now that the direction is
- * known. */
- if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, tls_ctx->enc_key,
- tls_ctx->implicit_iv ? tls_ctx->iv : NULL,
- encrypt)) {
- return 0;
- }
- tls_ctx->initialized = 1;
- } else if (tls_ctx->cipher_ctx.encrypt != encrypt) {
- /* Unlike a normal AEAD, using a TLS AEAD once freezes the direction. */
- OPENSSL_PUT_ERROR(CIPHER, aead_tls_ensure_cipher_init,
- CIPHER_R_INVALID_OPERATION);
- return 0;
- }
- return 1;
-}
-
static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *nonce, size_t nonce_len,
@@ -147,6 +107,13 @@
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
size_t total = 0;
+ if (!tls_ctx->cipher_ctx.encrypt) {
+ /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+ OPENSSL_PUT_ERROR(CIPHER, aead_tls_seal, CIPHER_R_INVALID_OPERATION);
+ return 0;
+
+ }
+
if (in_len + EVP_AEAD_max_overhead(ctx->aead) < in_len ||
in_len > INT_MAX) {
/* EVP_CIPHER takes int as input. */
@@ -169,10 +136,6 @@
return 0;
}
- if (!aead_tls_ensure_cipher_init(tls_ctx, 1)) {
- return 0;
- }
-
/* To allow for CBC mode which changes cipher length, |ad| doesn't include the
* length for legacy ciphers. */
uint8_t ad_extra[2];
@@ -249,6 +212,13 @@
const uint8_t *ad, size_t ad_len) {
AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)ctx->aead_state;
+ if (tls_ctx->cipher_ctx.encrypt) {
+ /* Unlike a normal AEAD, a TLS AEAD may only be used in one direction. */
+ OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_INVALID_OPERATION);
+ return 0;
+
+ }
+
if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {
OPENSSL_PUT_ERROR(CIPHER, aead_tls_open, CIPHER_R_BAD_DECRYPT);
return 0;
@@ -277,10 +247,6 @@
return 0;
}
- if (!aead_tls_ensure_cipher_init(tls_ctx, 0)) {
- return 0;
- }
-
/* Configure the explicit IV. */
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&
!tls_ctx->implicit_iv &&
@@ -394,83 +360,101 @@
}
static int aead_rc4_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
- size_t key_len, size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_rc4(), EVP_sha1(), 0);
+ size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_rc4(), EVP_sha1(),
+ 0);
}
static int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
- size_t key_len, size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_128_cbc(),
+ size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
EVP_sha1(), 0);
}
-static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(EVP_AEAD_CTX *ctx,
- const uint8_t *key,
- size_t key_len,
- size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_128_cbc(),
+static int aead_aes_128_cbc_sha1_tls_implicit_iv_init(
+ EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
EVP_sha1(), 1);
}
static int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
const uint8_t *key, size_t key_len,
- size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_128_cbc(),
+ size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),
EVP_sha256(), 0);
}
static int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
- size_t key_len, size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+ size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
EVP_sha1(), 0);
}
-static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(EVP_AEAD_CTX *ctx,
- const uint8_t *key,
- size_t key_len,
- size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+static int aead_aes_256_cbc_sha1_tls_implicit_iv_init(
+ EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
EVP_sha1(), 1);
}
static int aead_aes_256_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,
const uint8_t *key, size_t key_len,
- size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+ size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
EVP_sha256(), 0);
}
static int aead_aes_256_cbc_sha384_tls_init(EVP_AEAD_CTX *ctx,
const uint8_t *key, size_t key_len,
- size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_aes_256_cbc(),
+ size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),
EVP_sha384(), 0);
}
static int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,
const uint8_t *key, size_t key_len,
- size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_des_ede3_cbc(),
+ size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
EVP_sha1(), 0);
}
-static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(EVP_AEAD_CTX *ctx,
- const uint8_t *key,
- size_t key_len,
- size_t tag_len) {
- return aead_tls_init(ctx, key, key_len, tag_len, EVP_des_ede3_cbc(),
+static int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(
+ EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir) {
+ return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),
EVP_sha1(), 1);
}
+static int aead_rc4_sha1_tls_get_rc4_state(const EVP_AEAD_CTX *ctx,
+ const RC4_KEY **out_key) {
+ const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX*) ctx->aead_state;
+ if (EVP_CIPHER_CTX_cipher(&tls_ctx->cipher_ctx) != EVP_rc4()) {
+ return 0;
+ }
+
+ *out_key = (const RC4_KEY*) tls_ctx->cipher_ctx.cipher_data;
+ return 1;
+}
+
static const EVP_AEAD aead_rc4_sha1_tls = {
SHA_DIGEST_LENGTH + 16, /* key len (SHA1 + RC4) */
0, /* nonce len */
SHA_DIGEST_LENGTH, /* overhead */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_rc4_sha1_tls_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ aead_rc4_sha1_tls_get_rc4_state, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_128_cbc_sha1_tls = {
@@ -478,10 +462,12 @@
16, /* nonce len (IV) */
16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_aes_128_cbc_sha1_tls_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {
@@ -489,10 +475,12 @@
0, /* nonce len */
16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_aes_128_cbc_sha1_tls_implicit_iv_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_128_cbc_sha256_tls = {
@@ -500,10 +488,12 @@
16, /* nonce len (IV) */
16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_aes_128_cbc_sha256_tls_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_256_cbc_sha1_tls = {
@@ -511,10 +501,12 @@
16, /* nonce len (IV) */
16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_aes_256_cbc_sha1_tls_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {
@@ -522,10 +514,12 @@
0, /* nonce len */
16 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_aes_256_cbc_sha1_tls_implicit_iv_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_256_cbc_sha256_tls = {
@@ -533,10 +527,12 @@
16, /* nonce len (IV) */
16 + SHA256_DIGEST_LENGTH, /* overhead (padding + SHA256) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_aes_256_cbc_sha256_tls_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_aes_256_cbc_sha384_tls = {
@@ -544,10 +540,12 @@
16, /* nonce len (IV) */
16 + SHA384_DIGEST_LENGTH, /* overhead (padding + SHA384) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_aes_256_cbc_sha384_tls_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {
@@ -555,10 +553,12 @@
8, /* nonce len (IV) */
8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_des_ede3_cbc_sha1_tls_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ NULL, /* get_rc4_state */
};
static const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {
@@ -566,10 +566,12 @@
0, /* nonce len */
8 + SHA_DIGEST_LENGTH, /* overhead (padding + SHA1) */
SHA_DIGEST_LENGTH, /* max tag length */
+ NULL, /* init */
aead_des_ede3_cbc_sha1_tls_implicit_iv_init,
aead_tls_cleanup,
aead_tls_seal,
aead_tls_open,
+ NULL, /* get_rc4_state */
};
const EVP_AEAD *EVP_aead_rc4_sha1_tls(void) { return &aead_rc4_sha1_tls; }
diff --git a/src/crypto/cipher/internal.h b/src/crypto/cipher/internal.h
index bc1e2de..605b8cb 100644
--- a/src/crypto/cipher/internal.h
+++ b/src/crypto/cipher/internal.h
@@ -59,7 +59,7 @@
#include <openssl/base.h>
-#include <openssl/asn1t.h>
+#include <openssl/aead.h>
#if defined(__cplusplus)
extern "C" {
@@ -79,8 +79,13 @@
uint8_t overhead;
uint8_t max_tag_len;
+ /* init initialises an |evp_aead_ctx_st|. If this call returns zero then
+ * |cleanup| will not be called for that context. */
int (*init)(struct evp_aead_ctx_st *, const uint8_t *key,
size_t key_len, size_t tag_len);
+ int (*init_with_direction)(struct evp_aead_ctx_st *, const uint8_t *key,
+ size_t key_len, size_t tag_len,
+ enum evp_aead_direction_t dir);
void (*cleanup)(struct evp_aead_ctx_st *);
int (*seal)(const struct evp_aead_ctx_st *ctx, uint8_t *out,
@@ -92,6 +97,9 @@
size_t *out_len, size_t max_out_len, const uint8_t *nonce,
size_t nonce_len, const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len);
+
+ int (*get_rc4_state)(const struct evp_aead_ctx_st *ctx,
+ const RC4_KEY **out_key);
};
diff --git a/src/crypto/cipher/test/aes_128_ctr_hmac_sha256.txt b/src/crypto/cipher/test/aes_128_ctr_hmac_sha256.txt
new file mode 100644
index 0000000..d4803a0
--- /dev/null
+++ b/src/crypto/cipher/test/aes_128_ctr_hmac_sha256.txt
@@ -0,0 +1,336 @@
+KEY: 067b841a2540cb467b75f2188f5da4b5aeb7e0e44582a2b668b5b1ff39e21c4e65745470fb1be1aa909c62fabcf0e6ac
+NONCE: 10e0ecb00da5345127407150
+IN:
+AD:
+CT:
+TAG: a82a891565e466957ad5a499d45b579d31acaf582f54d518f8f9c128936dac4c
+
+KEY: c9d9ef2c808c3f8b22f659c12147104b08cec2390a84f0c4b887ca4c247c8c9dd45e72f48b30b67a8545750387232344
+NONCE: 58bddf96158a3a588bf3ec05
+IN:
+AD: 5d
+CT:
+TAG: 3580c1601d1c9a5b1595d3dee35b0cd9e1b115d8b0abee557b2c207b8d0df5ee
+
+KEY: f755dc6786e21f39b595389a51d36673e1ffb94ffc066c03873eb31839be6fa319fd31c8bea29f03ff28831861e60b6e
+NONCE: bd6c80797f1f4c563b06fd3b
+IN:
+AD: 78d88005136e312639572343a2d0daf7483d8235291ee3ac002469456b075243dc03380c387030d546c2b1
+CT:
+TAG: dede80d810fc449a769c79a5ecd2c0d68e9e0fae567781e623ab2098c88d8a86
+
+KEY: 43a0a28fef8b89b8fb0f76de01d802935ad561e27ca9c9fa629347be676a6af758501b6a652f369045da5fef751b56bb
+NONCE: 0f6472f1e589c16ca5ad45b2
+IN:
+AD: 78e4eafccfc87631f0314c442ba4c07bca36f996a5b3408f9e445d6009a87ded16b33a4af9537a4619cab70d
+CT:
+TAG: 11fa62dd8374aabe728ebf7e9aa1c02cf8f2dbc29f9aaf1940313f0b7c3e0301
+
+KEY: acf8e5f1bd64e6289370650b5b3fd773320025c8b229fd335d9461768cd0a17b4bcc946919932efdc9fc84a7f50768bf
+NONCE: 1aecfc90d28bcdcc5a8e3578
+IN:
+AD: 6daedbdc69133b56f6a8f098f9f70cdb7e129e51115df385a6d86204a53412cd999cf2e69f45e168efed4742b6
+CT:
+TAG: fbe0511ba0ec5709def9966a9b05facf171cddd81ee2cd56e7afc867af465f31
+
+KEY: 2773c92e6cddc9a5e5dcaf3893080fd2153f009d807df0b175c76615645f2087539e299d8411b27badb749a9845c5e29
+NONCE: 6d04ed129299651aec0465f8
+IN:
+AD: 44219577e361a7a4681172d120a2d653a53ec74bc487ccde4954835943bca413d55c65dc665310148654d8c1e2e6bc2f06ec344473120ad1f95739b993a57f9ec0b3299cc088f385894fff876fc2ce8ce6b77ca253f177ba615101e84e17ad0e60704cff195dcd50eb48c77de409797e0b1c8c4c5b9215a4a0399954a008267b
+CT:
+TAG: 6ab61ac4493e58e48d071d994a000f1c1f498d22f83c8d2af56b03c155afc57e
+
+KEY: 23189bf23bc4b734410d1c7ae321c42e144a25347a8029bb925e3d8ac1b92f4eb97227c1dece86ae9dea7d127eb33f9b
+NONCE: 30681944cd5d78f46d36ed8a
+IN: 59
+AD:
+CT: 92
+TAG: 986aa8438da3cf4a98f478f90d24908c6a4e848f299873e649b256f5499d89d9
+
+KEY: 463d1148325c5f57af670877068a78203571b8b19f40e9f0373156b7448ab315df86c77d7c85ba6e54b9bc329399f687
+NONCE: cc9d015a4b5a888b36b14d05
+IN: 28
+AD: 6a
+CT: 05
+TAG: f66e8dc794b142944fa46d5c04a3e3fe00291668374846d763f2beeffd4ca4a0
+
+KEY: 937eaab44e7c7d2cd5bbb053c12e6255e0aaa42cbe7d83025b7a2887eff8f098d019c80af849b0ed7da54a5ba5b39200
+NONCE: 2b160d24df579836e1572ea2
+IN: 9a
+AD: 35841a33ba3a6ed3d89a1f76d06c61613d09834847e5a41f8616748e30c14335e5baa43d49fceaf85aeb22
+CT: 80
+TAG: 5e5799c147be0329dbcabf7ecdba6ac595ebc2d06b9d757426fbb31e8b39f62a
+
+KEY: 68a746f382fcc11c02af7b352b9d710c137a9f59bc5886dc374ca88cdc01b86fe5678fde16cfa846846539f67a429276
+NONCE: b94346c033ac1a3d709c4f09
+IN: ad
+AD: ad61c9168debf9974e19759088944e888346aff99f3e2e4522549c8ae332a0f41922972fb7c1d5ff24e7ae4b
+CT: 46
+TAG: 62ae92ff64710a9f260da2562e246356e9d749c3584fb9f40d9572307ccbbd31
+
+KEY: 6622579d1d6350fd5dff432b69d172cc51f99bdaff50b0a1c0f4cda8d5904581ba8657ba61c6936407243d7fb64b00da
+NONCE: a880caa7157a13540d2b724f
+IN: 2a
+AD: 95a23eafcff892deecaf093109d30290d819851ad5c91061510e54baa2b039b114c815da20f0e3ba2ba4875bdd
+CT: ce
+TAG: 33f09666f9fd1d92f137d9f3f7092b47b2bd71a7e3139dcd19a803a6b17f2a3a
+
+KEY: 91ce9dd87c7d11d2c4da41863b6851c40fba786a612e0fbf0d1956a71286dfc61fa10bf7d148cecd72b6ceeb82b68d3f
+NONCE: a50dc3d8fd63d3076cc70ff6
+IN: da
+AD: 9ce8e1a777c159ec775abbd67d85e84f3550c3296e848dec18b61bbd713a98a033805bfe6e2f2a011dd7fd754708e524168142aeee579cae19c7eab78fa7c42fa335f0c725baf556160beef9e4afd1050a2c8813be6bd14cc6982116d0229d53e9b4de923abf6ba99bdffe1d5f21748ae74caddb077d9f7488b394436222beca
+CT: 2b
+TAG: 1541cd745bc0259dd72a212474f5c7b8c121dd0289d674e5ba8d56a220d1f1d0
+
+KEY: 1ad577d3b47e3fff8528e336a43a7ffef72f811e05b5c69ccfe777b10f29061e289178e394a1c87ba483c7f98ea5431d
+NONCE: 1fcaa4757a9e48ed2cb3be62
+IN: 46d30dac550103006c292a9ac05d31
+AD:
+CT: 37616eba30c55595fa0ad5d50f91ca
+TAG: 5c3ac4010f75adf90f81e775b07ab939e7551a9b8e0486ba33766728ed498245
+
+KEY: 6df310dc1847b42c68e50b03d154b73d7f3823354b32759c5369bce1a1b4cd63ccdb911c2dc792acf84b8b8f3fdfb89d
+NONCE: 92e6759a31dd556ff9124d73
+IN: 6daba76658db642209e276ff7c8d46
+AD: 32
+CT: ce1814c03037078b6be3252460af48
+TAG: 46e61913f2a1ff6e77faade9a7cd37a82eff3ebec4276fbddff9266b9c9bd873
+
+KEY: f848c2300995f5c98dcd0db24574d7c61459ca64c084421c6ad156e80e398904417ee745245ddae91be20fb07e66bdb6
+NONCE: 3b177e11063445717f417d14
+IN: bbf225131c821a6a60817cc65bf699
+AD: 4c5ab4fdbe0018344629349feed5d8c3ae0c5b64f2b093576a2aaa1225e7a50eca01a9962c9b4f8fc5c12a
+CT: 1538957e78f3ab0fed77906153d715
+TAG: 2c7760d47407ad7b0d5b85fa4967eaa7b6c0bb6eb16619adde7a191abfdf3da3
+
+KEY: d406cac07630ce2c071732a0ec95f55123486d2677465768dc7db13f90902cf172f92e19f57f5cf7c68cd7bde7ee4b4b
+NONCE: 766aede0120b634a4be6fa12
+IN: 3804d40090a38d4c97a5fff631068c
+AD: 7707b7d0f266284e84c2ecdd5a18832650c3e27d66697616c9e9bb2f8a09a3295de0119582ca3614b9608548
+CT: 91e96462a5dfbe8b7af201158a36dc
+TAG: 56623e5813070a0e2f5184aed83b9863301ca02e3108f7afc478d48305e397f8
+
+KEY: 42bb22a317ed9f9df8119746e9a1257217e5b0144051ca56f39587021d969bc0acc02795f3bd201031e8c05af08ad079
+NONCE: 0a9f6bace71a1ab21f4917df
+IN: 013f7b8c75307158f4f300450e7a78
+AD: cd95a649ae215fe73442a6991e157232cbcabecff6042b87d41557e35b97606d606c3ded54f5d3db7aa2773f67
+CT: e588dbcecbdb7667dccf7fe34f8387
+TAG: b04461748109ed9068c7e9c0446528ef09b01613c3b3aa1ffeed6685ebb550f5
+
+KEY: e1cfcbaba3a04b5108ce2a87099a6aae936ee38acd92b7e6b7df0e3bcb9ad18fc579b5d470ef3e04c23459f509852458
+NONCE: 112dd267174bcd81e6fbd924
+IN: 288a1e44b406aebec7b418674f81e7
+AD: 7809d8011c5a963df14fb8981e874119c60b7a9d897d13a05651759db5835deffdd991fbf98b9aa71c79e48bd701b228ba248b6bed874b02da7fcf28a04c38b81c0ff628846015258af30dbf28ea4f3283f664f888fca545f5fc57dccc4ad1dd476c52fba341182ecf783706c5c458bf0ee5ec83454afba78eb8b5ca17af88ec
+CT: 80f4e1012d76f6180ca00fd32c8fec
+TAG: 6de00bf2fd3c88ab34ca9390f7e559875e43e0f938303816a3a75a35729bc453
+
+KEY: 84172547d8608bd9e788a7bb60df2982963716e45f8e63f0c5033327d85c920c5e3776e314246b1694b739c39abfa29f
+NONCE: a3f1643bb504b7ce9e5b43c2
+IN: 7e76323eb13e64da9b240a57c95c855b
+AD:
+CT: 966487c18f025d67b42a04c30d3ff4c3
+TAG: 8bb03d893f0ce8ea4a6a47245bc7f20c72acf8caa466edd01365d0f74c929463
+
+KEY: 02dee8f2e63b37fe3cbae9101fed0946e05e5090510bef3324a82e3f27456a45ab1b6cdeddb1fe515ad07aefeee6ccbc
+NONCE: 64723d21365d62926d5c2262
+IN: 4f1f132c50a01ad48882ce88655b33f7
+AD: d8
+CT: b102082e14cd9ecc0895f7a6f08ab522
+TAG: 2c09651c1a51cb8a375746236fe258a36e725936ccedbc4dfafee6c3084a4716
+
+KEY: 5db57cf6301bab815d38879b35c9db72fd40ac576d259ad5074d0828364050554e9fc08335b5f2bf066b09e50fbe6ba4
+NONCE: 36e5340d844de213c312177a
+IN: 41a6e910b14388740ea351eb1df980c9
+AD: 8316a6b9b155b2de5e724f7593ecdcee442eaef7b9ad204eda4744a5e648c2dd84f48ee81397e485953465
+CT: ee21d4d47042415ca27d2ecb11b13d79
+TAG: 5015da5a3339389d39d0fcafb56ef4005b342e69ba47930e84408d33aadf5f2a
+
+KEY: a493dd6de6fd6584599096442dd9345f6f2d8fc2d426c78eee2b992b4071aba4ce463f3ca293c84b2faf3e8644b6ec25
+NONCE: 4f9be6f788ee960adc650d86
+IN: 4de6e244251091cf13762d20685e9085
+AD: d15da312b7522c18384acdbf6348b5e105557f1790a6a203a65acd73397524681666743f3145048775ad84e3
+CT: bb1296457daa39d889c8f986938d6a39
+TAG: b93548cea90c34d03d6f5683ae2cc78814531b803d42cfe57623fd4bdc8f084c
+
+KEY: 8cc59ebe2c7375a70915c48d2978a1f720bc0aa2775ce9189ae7b3d5dda9a81e56cde0e0a29939599409b71f0b65f346
+NONCE: b0ab041f37ea1e594f1eddb3
+IN: cd0aeaf6806cb99e6bc1c8c5d830de8c
+AD: 8f4b5a9609df757826dbe7e51bb6a2c6f45f601263cf668836193513cf008ab6b36a7d5447039f1268821ec37e
+CT: 5d5375b9d9cff6d0c1dbd14221509a0d
+TAG: d8850bbc838e068b817c24d018f8f1e1cb8aac0a68392a700f48099f81b6c37c
+
+KEY: f3e9c507478d3f99dbf3e2421e45929b096ab3f3d4aa4ef9c338c5a1a2425c9936b7df602502d33cbafcf781350da77e
+NONCE: d4872a30c9d1fa9001a25afe
+IN: 25e05ea69a956b12a9be4ef03ae9d30c
+AD: 8b346c20e7c64b805d9c8d325829201753069c60b3f221f31474f55cb20315373ccd7c2a8f215e9efc407ae91b05d8b6d693a3780fdd65d7715cdded86c3d6204055812f3fce897f829d1df9ffaaf48885291701ac1765090c383162dd13d6bac88baa0cb2d748363bbb79843a1594ec6d8778854a63b7c9ffeb6d1fb17e90f1
+CT: 61325c7e0d29e9ad50b9c0fec02d7ef4
+TAG: 4b2d0caece46ce2496445883c03234e900189c22b54390b399d78ee4ebfbb7d4
+
+KEY: 3d9b651e65e9239c9e33aafb091b348161ab797901fd0468aedd014e4d5683c8f3f54f20ea6bb07bb25dd258df7bcd5e
+NONCE: 32bcf856a14437114e7814cc
+IN: 08a667c2923f87a7db6502478d32280bdc
+AD:
+CT: 5e8e02cc91c732356bb9f1fc599426a379
+TAG: 5449e878d558beff4bc7dfbb5f0195444705cfb259773b4faec524fbaca37ea0
+
+KEY: 2124cedb5f3f2558f8b9a2304a29c0df6102333cb4aa10625aa82cd76ab645c73f3b7cbf7c96cacdcb9e0b738e40c042
+NONCE: 7ae419446a3a105beb2fbcc5
+IN: a305dc4a2e50cc8e7a65a4b10b73849636
+AD: 70
+CT: fcaea620f7e9ed1337214c4b432d9869d2
+TAG: bfc739c8504a4d9033ab1915f46c1bf65c5382fe9ed1c134026ba32c63ca131e
+
+KEY: b027feb1aced8fb3af27a9fd7f531c30991ec1abd9f230a3e5d6ee9fc6a77747013f8e14dcdbd07b0083d0ce23dfa711
+NONCE: a30a6520f933ff5265e6e305
+IN: a705f842d542cb6957fbce21854755c6dc
+AD: 447bdaf34dfab9cc3dd7777ebaf80077f391093bac9817bf02ad98db9d3f271282ecaf0ff19652f92076d1
+CT: 3ddcb07c121b498f1abb73bedb527d4df4
+TAG: 55957a0e884dea22d6ace10e5936cdac891f5b54225349ede5c44715f1064b5e
+
+KEY: ffefb7770a7cf125395703985823f3e926f3722ca0764518fd2b8996577bec03648c8d542af1c6e36b51174b0ba88316
+NONCE: 4c31394b4b24f6251a839891
+IN: f026a1d352c37b204c6c1138abee9a9a75
+AD: 1e7c0f71a3aacd87ea785521ea31f93b1efd0bdf97952e0b84ecd50c706806deffc19caea312b5a9988454d2
+CT: 23c8bae37db93ed9f55f2903e04b7c6a8e
+TAG: 89d0a7e7d921dea5bb54c28e79b612688e42506aa69b141de830c8d63bdefcee
+
+KEY: 453cf5e4f48ce5a961c94af0e1639c156965970f561ac17fe08d5b75975abe3db87412640972e463290800666be80441
+NONCE: b3e3f9708a86c7cdf139e496
+IN: 53f1b11de497cc6ecb411a777dc3d60197
+AD: afe29e074dcce850ac6640230e6b9f66a64587c5fbe8679144e065d3b1700c721833ba8f918e926c9142f5f362
+CT: 15d5f597be46a19566a72c5e843b77f70c
+TAG: a561c3375c096a116a721e9404e555a2deaf3f677a8611694281663274708f58
+
+KEY: 3d497f81d0652d475bcd85cf53bda13f79ef0afeaec09dd679a6e5ea58f87ba6576269f836096d5ac034594b17073331
+NONCE: 3fb1664830821e2b524890c8
+IN: bd75c313f5c8f6007a2185bc39d0af01bb
+AD: 50744ed959e2b8ba5b5f4807e2997ea0b96ebfcdeaa1c6b33853219844592e82ad67abf6ccbb272cfdba6a3e45c07fec4d4a0ebe4235f11d916771a764d9a129d39f6b84f0b5fb4cdf789ca2f5ea306b25d047a9b1a1e2e90905b6fba472e70b2fa25c96602cfa0031f31c68954d7487507081b8e70f8aa1342cb8b4a98ce9c2
+CT: abe3869ac43fd8b429ee8b8539c970bc86
+TAG: 33fcd301c2bf624bccb92a986c2dd5f2ecafc32649ff550eb5312fc81cbce46e
+
+KEY: 353c3e9f87b40fc0281869c68d9d9bee5c95771dd79998c059bc5ceda71f139fe447cfdf340e9eac57f232b9d230e45d
+NONCE: cc7a4b46b02f4e7f96fd34e3
+IN: 44bcb61332930f606276268ddbf3287bcaedb5b25704489cbee63ec839d7a69533dbfb6e95fe5b4694eb485beb1437f0777774868ecf45c8a5b3edafa1d62a
+AD:
+CT: d038d67b8b690519fafa7467c9fb94135f9bf0bcd8247cd2c30da62ddf37a6d9a3a9bdcf8ec081fb4469c0fc2798e2e30afede7cda384438fd01e5d672dcb8
+TAG: db2c685a59cdf304c1fb57b66966a5ca1cc3536fe21eb1113c25868428640c7d
+
+KEY: 3b3786e38e110ec0c8b05fbdb3d9b6d117d1ebcdc0e7d942249fea6baafa31fe5caac227979fc833b104641e8e9ed01e
+NONCE: 53bf31912a3ededc01c91f84
+IN: 6de5890028382aafb186042864c5cca1a77ff80ba4f7f0942dcffa1579711093fb652c8d475dfca81a976be8ca77eb9c7a6b49dca1425610c945bf404ba65b
+AD: a9
+CT: 886939354fa117139f5e077baa186825ee7e2955c3a74f88af3a86b260ee9f9959a90409e7d602e36cea31e606aeaa8b9229e28f7fa58ace6fd217e5cce1e7
+TAG: 91a769003ec900dbb40ea9c9b959882d822421b510ba85ca826bc4af3b5c42e0
+
+KEY: 5a75c97f3583983bbc5eee4a882b766a6708d798a46f71e63b7509af69afd7cf86f9b42df04b626940914007078a8b9b
+NONCE: 426e8bcbcffb6b425706dae0
+IN: c24fa29a66197cad518c5a1a76abd9446a8f24c2dd81e953bfc5c00544c119d67986781a1c754224af234b0ec5e44e78610a4420eb78c283e9a56637c35c24
+AD: 6376835513967e4ccaff9a0c56b4d27a2bd0d013cd54abf95fe9a162d036af285ebc9567a16ed5abfa69aa
+CT: bc4daeef3ccdf9abdaa75591781685eee3fd7825bfe63132817a7e0f93817f22bfca30ed775a773f5bb290aac3a381a01085e861cab7b9fe4c5143138e17a5
+TAG: 79c779bfcb974ad9a8ac88dce5027df5691a3a1163a5d5893b4cdb1663b17aa1
+
+KEY: d1b301c029fe3b81e4b97e08e84dbc03b138f422161c0e74ccbda3172c034b99610f09a9e611f0e9a3ca40af4fcb3c56
+NONCE: 4032c79eb3ee4b63e44fa932
+IN: 71bcf5a5198787b85a66221c22e7bdb9d038dd3e10000555ec9271e54bfefc460ef4e71729ff7ae52859015b49f45df89ddf183fe1e19de3acb032dbaa4d57
+AD: f1cd18ff1e5ad2b65de41e083b5175966625ebebb3031e1027761e407dae4e8e193ffe7dea52ff61147f1b4e
+CT: 7c521a703b7d1cbd086bdc316d4f2ff0852c462eeaa1d7a586c561354be9ed412d9d9bd1f78cc85468750f1af09b7b17dc1ee84c926760d63504cd3a1dfa3a
+TAG: 831f3552890d997f0a8f2d832b6e92e26f6e865424699f0364a82d86ab7734d0
+
+KEY: fdd24bf37b36666a4f641115581ab4bd6b896dd3017006031b3675beed33f21a314363e3a07bbbf4359d9ac02eec847f
+NONCE: 7767cff1a096a9f7d8a9b32c
+IN: e62b7695dd41baf49d1b356e64c6d5504784380b75724b86f5f3185d1a530664aea0e5f9aeef347e1ea4754acaa7f3c233638db234c0e93db02e0bf988e7ab
+AD: 2d650f3daed2564b0df86fa23ed0343634663adfae2c422f80f9d5674bbb63e824f01ad3994834f889133bbc0e
+CT: a51f50a6ce77a22ec472bc18c37d08fb28e77efe55065b600e3edbd9ac97f0fd0eec93cd312ec7ef886cb04e1849526f0a38b14d862bcd578b99bf9a007c2e
+TAG: 89d83264364c9c84ba705e5549abcd496abed3900f65e3daa012275fed18a7da
+
+KEY: 0f88e2d00d2c4bd682f1591ea5f4c1a1090180e1195809cb363b27c863360a85b27814e6a724effa44f298430d6c9628
+NONCE: 6e2e62ecb2aa47c7e5921d25
+IN: 91efc710a57adb57017725cfa26d17d3e2993c5ee66942ca42e770a83763e9df8a455bd408dc1e2661cf301f1dd669cd6d5b4d92a886be0f54527779bae8f9
+AD: d060cbe84271e85f25a3dcb6dbf299551f0dcd5783e3df80468636e491c0100f3ec8316f24240482a88bc430a398b0ecaee5c48a274ffb2d835e200bc39ec0aa86a1c90c9e2dcb4217595d48826a81de90eb949846a33fc26bf8886ca0554e1b8f12cbeee36e65e33cbbf610c2d24264619fa93c44c88e0e3d9d368fdece461b
+CT: 10d99b98ed67d85a44fa57e706a8b028c61ef17f35f6713613d158cad90e826f90ef036a2190ba123f9b68b352ca94fbebf8ea947e569ad45f00e6a36975f8
+TAG: e345bebcc4a8ac01528bc5f317e5c378236b292c2baab6ae8654245da35d90d6
+
+KEY: 1ccec52c77239bdf6ca50e5b702943b23015d08cb1d9bac592b3dec4c96be904110713e52e114a8bc294df26530a758a
+NONCE: 38554b7c40027afe9721e14a
+IN: dac91fcdb3768df8d5ae9ddba1fe5917c084a5d9e6b14eee9a609cab2da34ec9f95cf2d10fff77108477e694c76f362e29b9a9287d8b190a748ed0a929967ff8
+AD:
+CT: e6bcb38b3bfd0b428a14bb3aca01a4a9e54b0853f10bd7750f5bb58d0e7dd18006f8929d7d862e5d6601ef63be8442334b4d51a99219cfedaa31f7ab19028459
+TAG: c4f05d9415840c2325dabbcd12dbeda31e47637437514c606dedfb8ce622edd0
+
+KEY: c82ad4c6f248bc51d3a51b958ecc2460a3c64d669f6c485c2309d26abb3fa84644a0d8c28da8091f90184b53cd556413
+NONCE: 35a29938fb7a31225b08d0e4
+IN: bb0045cec5587e50b148b140b6969612425243ed1412e812aa9f4b471ed34ced6dfa9e0acf3e31455893e4ee7e66b4661c6e1f80b7d6f1159c11387ce579b80f
+AD: 12
+CT: 5f1854fc2fb11fd721755445a1efa5a28607a725ad71cda9a3464860a6a0efe3f58727c0e0cd315f867611232abd72034dfc2b9deace8cf6cb507b1cd4032b59
+TAG: e40429ca19a88da73a7654d7ed8e0621ac2e504b0245615e262ac70bd05a3f47
+
+KEY: b01bec74fe97e5af7db2a0b1432f8b4c069447d2b56dc2668371387f753b03465412213999d2394a4b79873db06c590a
+NONCE: fec7de97d54dec8d36c9f253
+IN: 88ab078d03ffacd128edbceea7ace2e6465f4076097445a5db7f0e61ed817b6e24f22874489049bee0c58d0aa2b42b4db0bbef6ec88d032da9c82ebef57c424d
+AD: cf0ceb3e80a76d1a75f6e070f5d3fee1cd1e2699434f96e7cb3adce12d4a3148dd433b08c68b9d66962f24
+CT: 8aa3c7478b0cd86fa30870957fb5307345f89346a869d508da9d3a4fe36fb3d6a9b0c3c1bc2d44c8ea31ec028012098d6032085af0b54603dc2fa65ff091fdd6
+TAG: acb670172ec3754064b366566bdccf5056eae132e2041f1a285c5883e7eff4f3
+
+KEY: 699a94f6e6eb457b186af58c25118fcea81c8f0ad265e7c16bd6cdca15c9db64bb9a537580ca0474a4b4d54d47412d88
+NONCE: ac3fb6525f4357d831529407
+IN: a7300aa94f3d357cdb272f0a739979e08aad9551dd3bfcd0b5aca6a0972a71b502639e79e1b9e0d22db2f3220b982800d9cebbac3d10d9bf86ea25d3d417fc57
+AD: 19c3d34bb9d57d0f63f14bdd3da06a43a5afe6a8c505f038cb403515876a2765c2d61aa7e4c84e11c999b81d
+CT: 8b472f1069ace78172611369b03073f751e5206dcd2ce3b45c431095f303e70c59bfad3af8006e66e4a68f8fa2ffa534bd76bdef089d07dd38988cbf723393c6
+TAG: 8e7c3c2c41b1117928ca1cd0cd48c25c319c18e009804c007d1aab0967c0d0d4
+
+KEY: f3a7b8c2a39531d5fb3c97bc9224168aa835973f48243d6f046d00937ed428e5d672e22af26e734f0c24f989fe62621a
+NONCE: 65c61af60769672f0eeda005
+IN: 59667fceb2594e002c844a47d2b3935d2c99570b1639f0887fb082499e1d36f9699ff9ef53be3b4236136aa9e441abdc63dfe536e6fc9fa8f332baa1dad577ad
+AD: f79036742501f1ac19dbb2984e09cf5000bc4bc0424082376c307b8f1e5bf74dd29c802139d7ea93d55d336464
+CT: 9375a81f016c2dc59a8e99dc33fc0db7ef99ab2f9ade4b0ba000a614ff2bd13bfbee2d4a2338109c98c1147edca6023cea43570adc503da98379326ace89d796
+TAG: f563869420699dfa0aa84751526bd75af1473bd88311001e49230b09b8ef2797
+
+KEY: 27611a8f11cb57d08648ec816b5f3c45882dae394200cdfc803d1a52bb03f225206574ea63b63423da6972bf5a994332
+NONCE: a7f617fe7a52dd76ee443dff
+IN: d6ccb950515a4a2de7c3cf5a73b568f32fe30567bb22b3b46feb7ef07205d3215a3d689b96d4b9dbaac5a5bd6ecac6ba50314b19b37179fff2557c869950e162
+AD: 777282a98b2f262ed9456fed3610a2028bcc4433eb8f028597d3bfa220bdb0c04882de03a276d0191cd1a125270ce1630c1b94e2ec0021ce5c494d2e0bdb8745e6e94a387cbb31a0898965174bcff8bba105f94dbf080059b49dee71c3194fefe679ef6c00065154ea809293b088c0c3f2ed7824aac72319a4c4ad85ea990844
+CT: 41eacc31aa3c3a282ae7638d48fc7541d2f129e4cb3455df7e60259be9a814c8e1642ea826ac1ec7ed1fcc216a6624e79845521e7a8b16702566f27f7a7f3317
+TAG: b959992feb7005410f9ea6963525e3d9244f038731ffab8da8c4ebc72489f17a
+
+KEY: 0d9322713cd132c339c38ec7a75862860de304c70486b89b0f587095c66bfd1abe56f0b34f9ca0dac577fd4262616600
+NONCE: 3298d02dd4eb85a98cb935e3
+IN: 5dfedb1d168fe262d35f78d797560b2634f71d40f438c21cdcb8e73cf9884c11570554f55a6abd23d0e7775a9ab385ae6c9bbd67f08d1aec57347a8fad5a4b8c7b042b03c25facbffc76f0b1ce2e6c07d427eaebe71255d661ac8e8bfe8867e2d947d496ce2318a601d0beed02426311ca678d036deb3b4c65b1f89bd644a410
+AD:
+CT: ff09fe27f12a87d5208bf246378ee0740e848262442b8b9c7670c8a73fe6732192cde43c1a1246743ed49e15ec63c87dc06eb3e0c92c1f286108b2c7e0754dcf1b9c3fc87efe3683289daabf2db71d8742061f93098788c3c6f26328b86e358507a03af296d2c29009562cad3763399e0e2b89ed440f756c16214c8ab7ddfb84
+TAG: 5076c80fc76c67d6e4f9b9d470cc184db62ea7da49cae44cb3ce9e46c2f2ca9e
+
+KEY: 2695671fe86f1658d8b01ec856fb4c9d09a0c51a1b994fc87a3f72bec12052537b7429f11f7eb4aef0b128302ec8f336
+NONCE: 9739e577595418c47b9c10b7
+IN: c723c39be334a0761db795076e81e3dd85e37a57258c7e0e10fe0f48dc31bd5e683430aa70531b7c8e3a904e49bec838e760d07afa9f86b2cf78ae90f612c4560632acb7ea2d89fb1fd5396d0337111c429cdba99c6a52e863e8603aac24a83302ebf86ae69a212cb938e12085cbf73a28f75e4422995a5ec8705b12d4aa8b6d
+AD: 31
+CT: 1569b20732ee6395e605217e1cb419ce57496ba6f6e889bdfa3c93575e969eb7a0410c7930b7ea146e88577376d84f0e824b62890eb84bfe768a1513a12c2958ad1835bc1eabe602cf40f7812c7dd7da955567242cd7512090fca685fdd7306bd98a908b09464961114abbdcd610c153637400a1f81825cfdf06505947fe54ee
+TAG: d07e14a62a32ef1933abc2127cc5bfc1e43bbca663e460409c6faa3a4ccf99f3
+
+KEY: 1785ef6e7016733dd1952b3268639f231e7afa973c0a3db8780b81084c67a1783200149a1ed849ca8b5c14c7b1798b4b
+NONCE: cdf48b73c3c8d8625e52fe11
+IN: 14002f17e056d7f5524537cee6c2061e2741c01a6f9a82e2cb1747887875860d51bebf8d9b63950a051f6b228ad7567227f8a45b9fa7c4ab47eab410125303defa7e3141bd9bc5bf4ed56550801ff3bfc2dfaaf499c192b1e18879b2f59e1230778132818df8f6ad8a3dce9a1d11c98075b8b4e560edd9b5ea180f0424ab3706
+AD: a35e86e22e9a3df65e4c08e5175b4216fa9895a1be6252de911cf98349841494617eefaa007759dad7f337
+CT: 99eae989435578cb57715a7457da31b807b8078a59c2332a0a866eee9da5188baed3f517b6808095f0067e9b4b91cc1424a464f0a09fc946adbe4135a17b0e8e545d2046f81cdfdb233aa3520797319c0884ccbade8235c32d195e7b802017f88ddd86fb630de19eb97f4bf91029c001fc8f1cd2189a8ee6c120e9f1682a8703
+TAG: 1848f0b163e7b0d270e2a0ced288ea6525697170aae15038f3dcbb4ea49ef843
+
+KEY: ba9aed2bfa90eaed9b27a697bb44c715c0209cae6b2c4ddffc684bcf07ab51b0e096dbcfa26c18fc24b63408317da567
+NONCE: 4b850d6bfa64520f1aa1e79e
+IN: 5bcc2ea4d729c84340c5ceb827f239578971c595e915f0bd9d49ed51d723f8d0e8362e69fd11466230bda0dad57ad724307edcc621ebde1e57fa91fee206d81d2bb6ead94b4a804f74b6cae979f66bdfa4ad93d107ccf114c59cd3d261aa6e2fc0dfbd0df5f7c18e80d0699cc1712abbefab5029e35549d2919d0f937d444051
+AD: f80c759062e9ed0ee597406aedbcda9a14261d66a9546f1c939d20cb1d0d0974fe7a9b33d8c93287a6a8d60a
+CT: dae4fc873d302c51e55910e67482bb80ac68e9bc6ef77cb3e57a31d85fe75f9071d0b64026ba16d0b68fa9c0b7e958cf7682bcd329c4174ea0e3f3f9d2e65d82aae1350a53ea7cdcf9ab848b85cd731751f0e2917628e5066f5b1ddebc7dbda5d2d37e46a7a7ee62bb49c4431af730f9cd3da4c1d0e5f8593d8c99803f781bee
+TAG: 58b42e9117fc8cc2ba5cff74b0d92e8b381a444fa837018b15e9514fc4319fb4
+
+KEY: 37235623acb0d650f905f106dc3bfe6fd83192e53056de8795ed8d20c6e58e5efd84584007ecb17de9e76b392e12fcd7
+NONCE: dc441f1c743a92c4b975c6b6
+IN: 960ceb8d80774bd88b7c5f17042ad2e4baac71b4021c548458cffcd9a049291cb0df93076c115b54f9af878745acebc6e8f04666d053b1ed980728043c4fe7f67b2bcb0341d8a4973ed126342f9add14279f8402cbbffcecfc847379dca8a68ba4f2f26141acfca7f3ef558dbaf04629f0f46e43246b19d875be452f14e7bf56
+AD: 32579218062560f15ff966932838460f99099782e79f1f8c41cd9f6eb59b4c2c3d2dae9cd199fe66d74c7a9940
+CT: 49ad8e24a31e90ab1f8dc37dc51dff0f93f1420e79eb108f90f800274a5aa573f64e274cd52f1dbfdee363e4f86e1457bfb8f87ce57aefd34c3a5a3a93db4ebde3f73a3b4c202c993903ab378ae71042ad238e94f400c7ac1891a9890b19d445eb1db60773a3ea165f7c4b2bb2071faaf588daebac7ce09ebfc88f4d9232d9ca
+TAG: 82f908b837a5768598982f860ecea16aee84427371c4de1f1314749b70ffc173
+
+KEY: e7fc36c9fe87a38f9bb4ca67723267e80e16bf39740eb1090234a473d68aed9c96fe2f96e539795eb042276aec5d7505
+NONCE: 83d768746d40dcd695e49ff4
+IN: e61f0e02a70249b62ec9a8fdbaf6622c9c6316599daff421f1b19815707b67587d196b7e1452c7d7609f108ea946675ac5d97ed215b92a451aa6a11717ab7819f84848151007f37e2cdc8aa99969c3d5652aeeb65fc21b621865f47f44eb2c528ee1142d11f513761a6bb2d169126503db5b263a410cadd2773ff931a032a885
+AD: 59114e9f21b380ae6068609ac36688e6aa7c2533cbfe07013ad1b6663bfa42e39f20e62b45c0faa256c1d33caa9f59b1e30d8502bb7148d051451b3d0265cb9fd0d82e4f4e0489ac606956762d8e7b70abd7eca413ddb708f119c342b3d0d5df673769d8df281656d909b68b6f6438edd60339fd84ff69918b6036ad12a0a588
+CT: 4f12807736c9ab32a2be2e00c9a0236394a8bcfcec6037e7582af462a73bf10aa73bd90e2bc24b97f7001ccf653574aea294bc7b30b77540f475e0e846ab78ffcfa1fef28058e540fea43d9017d4efa05c837611b2eacf0034f26cb7903eff7874973c6da7843892bfc676170a75f839e297dc7f04c74b40f4bda20a45b2a352
+TAG: 9b05aab44ba4d1451f14e087be626232ed11c4ed04081f0d4d47ab593fc619b1
+
diff --git a/src/crypto/cipher/test/aes_256_ctr_hmac_sha256.txt b/src/crypto/cipher/test/aes_256_ctr_hmac_sha256.txt
new file mode 100644
index 0000000..2a72e1c
--- /dev/null
+++ b/src/crypto/cipher/test/aes_256_ctr_hmac_sha256.txt
@@ -0,0 +1,336 @@
+KEY: a5060fecb0a738d8ff6dd50009a757c6e58db73228534d03f32c26baa1c209f402c3e03a6947c1d9421d63ce43f6df26d30ce783f5ed0d6b88edd389d9f92d8d
+NONCE: b52227e92203630a79ec7f5c
+IN:
+AD:
+CT:
+TAG: e61a28f5df7061b4236834d2034d2b62cb63c660b7de696c26b345e66b34d222
+
+KEY: d676047046bd5be9263ae39caaa0f688abb1bc67c083658894da6aeeff80b6d58ffc7ca1a1c88f49e629bf5544b2cc7669367202b158fce83fc4a4826dd90a7c
+NONCE: eabef87a00fd99ebb6ed6d25
+IN:
+AD: 83
+CT:
+TAG: 473cf728899cd5fdd54f18d6f934c3901f7ca118fc5ab2cbb837feefa7852a67
+
+KEY: 5eaef3b8e068fbb652bd37df4dfad6490095642cd49761a35476dffc2b5b5f75236d0351d96a9028660788893323a777ea8a2ac88bb5e500b334af02b1c2a648
+NONCE: 34d049342b9db5ffa039eac0
+IN:
+AD: 7578949699d44dec9188a7f7e14b0a23637cddb9107dbb1f8e2a968aad0443356d7eeceff4316ba7b2e8fe
+CT:
+TAG: 4d2612c21357638bada9290d2a272f10fb5f070337bf87bae396a1e7253633ae
+
+KEY: eb7b3d7eeb5f26010915a36837dc83da2bad07eba714566584bf1ce62fa9b61210b0ead7182bc28c8f0427699bf04786583fa32f3c3a8a6582cdc254930043bc
+NONCE: 3bee5ebcdfc72f4ab0023211
+IN:
+AD: efecb57e79a326c6b2ce0ae74d7656992a005fbb8da5a55b9595fc5348a5489ee2e69541ec0e8a727a560625
+CT:
+TAG: f457db1e274adabe5fc898fb1eb7c4a5a8e9a2b66f964d0958aa058c1f9e15ba
+
+KEY: 1c1abffa8a2667a8c1ab347860528162d316d58e3966050dc140fd360e6ff7c557520a8982aae97c5db5495d8951eaa485e1cac4cd8f448a13d071d759885474
+NONCE: 4fdce4e59bfdf5d9b57c78e9
+IN:
+AD: 55125cefc919379b3b4b2a24ee1794f44ac66fd99b8b68f98d4abd45ba50a5b76e5375d08abe3b8b8d3c576bc8
+CT:
+TAG: c021d2c73737e54ac6e7f61f9bb44818e5bdbf8d81d43842fd25a535790fafba
+
+KEY: 366cf53bc185473acf62610b74231e53aace84e9c5d6fbf71fc24db4f42956065d3eec01ecc72a6c89266565ff530075f4532c860e3192e866b41aee98c5c42a
+NONCE: 9ff54bd7b10f4fdfd8db76c7
+IN:
+AD: 853ef59ae873bf0bfe1465e9dd8c2cddfcf123d213ba4f599d984e4ea69d3c85a23508ec7941ca740a9157ca2a788e9b519291240b307d6c5a8c6860a96b4be698659d19e31ab0ac7ae6ba31dcd609c1db67ad580fe4422e42d368c3e93a56f2a087b0d587188462310c2ebe58ecfcf7178412223808eeb2eda76446168730fe
+CT:
+TAG: 12d869dc4bd4ac4ce9ed643cccda9e11a1ade65c76f7c1535fa4ec2bcc5eb4c3
+
+KEY: 147b41369bed390f0a9561586fd975474e3b3bbf7f7ebb7a35e5cc43b516c044dce93e154ac790a109709ac5299bb17b709a913d33fd57ebfef2b48ed66393b3
+NONCE: 85b81732d2863b41d2551763
+IN: 73
+AD:
+CT: bc
+TAG: 47fd81f6eed8d3c66afe06d788ffe40717847785f4b4c617d75a11171690a60c
+
+KEY: 9bf35c1194659c1da634eab6707c55b853c8f61d087187162e926adbae02f8bd4d15bae5b05865d0e2236d64715fc39f32e4e3679a0309396c37eab13d1c637b
+NONCE: 8da14a98ee741a5fce0de732
+IN: 10
+AD: 8e
+CT: 17
+TAG: b76af41002a946af4947f98f42a873b7da0871f482990a70bda8f005274ca179
+
+KEY: 0befac10caec674c9f23676d121f065dbcc8c91852dd5eb4e80c41076995a2138077592fec665954d21fd6787234d32d3d54bf9c220cf2bf018b374bde29926e
+NONCE: a96bfb49f3a136840a0e32ff
+IN: 59
+AD: 236adab55e1bb8a8db384c01bb2afd30ff35da71f955fb217b8305a45ee075e7f8d863d4c0e5dbe36e297c
+CT: ac
+TAG: 7bb634357e0835b02a0642352a834ff6598c2ded1af8e8ab60b9ef0641fe863d
+
+KEY: acc672aecf6f10119ee77070abbc2b4fade7e910efd1f93a5716161f88606469a49df05b40332b390d3ac289abfdf6bf7c37c033b1671082922d939139de0d42
+NONCE: af0f57b55f1a73794b3ce5cc
+IN: ee
+AD: f385a50ef027e532635878a4df0deb23369774be47c42f17cbd44925b668f628338ea5f8256c5ad8219c13cf
+CT: 71
+TAG: 13a5296075ef23216c2f2e83b940d24e8e1e6a01967af96599360f11499ac0a6
+
+KEY: 6195ef5ce3ee01188c48b04ce7a28b3ddd04b78711a6d1233121fc8ec3db3a7a0e496d1b6a416675b1e666b9a3df167efb8ade29e4f22fc77111f32ba8bd1ec2
+NONCE: 092070b2f8b65fcfe646f6bc
+IN: 26
+AD: 98526dba4437d88f657c0b7ce2a2be44ef4951711a40747a7d14b195e4c0eae97247256bba7dbd93d6a8f738c1
+CT: 83
+TAG: b6aad3f91a26a38245031d6a7eb97be0d386939d4536b2a27c90a2ddb891de73
+
+KEY: 40335487f9958dfc00b76ff06dfec162ae5c6be4e26918bd12e3f21760cb0bd364521a11f5bfae11dee989627525ab5295ee404bce476c280d13d238dea1bd40
+NONCE: ecf77c7c827a34efd8cdf79d
+IN: 34
+AD: f6e661254bf235c7d5b8ee330cb754087480dec5fe4c31dee65d1ab4479642101404bb563522937fb2e41d3aa8a4d269a222e6e0bcfd07ec4b29c1185f99fff7cb5bd2ca8c5b38742270e586c8db19138b446833f2ee07a11dae5b6a1a4c28657f3380e84bffe1bafeccad57d9cfea3da7f728119ec5bb18b79e002954f4379c
+CT: 5c
+TAG: f3420d4cecae2c1ad79d977abbe408045bd87525c0da2b93e0af3e6c53ba7d74
+
+KEY: bf32ef44c7ca9851f397e70df736d7e0e6243cfd875ebb81d76ad7612dbcfd084cab6b0d67c6a6e8b567c93fd0c3abb78ae121fdb3051a62ccfa045692d3453c
+NONCE: 46e0cc64d6e431c1efc2bd2d
+IN: 959348a8ad6912d7d6c8eae52f19b1
+AD:
+CT: 55e8cb6fd958f18b3c19451c5c79a7
+TAG: af09194071cb0ed4488d27e79700f938ce77386e5d772f9853b17b719f2b1ebc
+
+KEY: a6b5b8b051edf5cea0353ead88ea887fab048ef32f8303275e93d8f926da0d4b0e34b9447cf44fa70c24c9ab964380065398336bbb20be167fc6cd5e591ef50e
+NONCE: 371363612c4675a2e59ebd39
+IN: 443d16621b0cf9a12552216f9558ca
+AD: 32
+CT: b7f432eeda8e4b8a25f0445f17ca7c
+TAG: 649934922826febab4d59dfb52a7558e6d30d56e273602b98f3c55fd8e24f4da
+
+KEY: 075b75434269a3fcc57922ee8cc55b5bbe1b90516a3b71838ade73d41ed1d1f33ae1e0e86f88f6ed7e091cae3ccb05144b3ef239831554d6e79ff97c4d8f150e
+NONCE: 754d5c4ccbfb291133859de3
+IN: 62a151add825077c59459fbf82b708
+AD: c8db27487de71124a95eb6359270a8363908159200333b46ee74e2709b308878779686bd43c24e9ecabfc3
+CT: 2ffb9a9f65c9fe3daad13768ab56bf
+TAG: 4430a90fed7d4b5b2adf5a60d6854956be4feef497781ac7d864a04259e99516
+
+KEY: e787fdeca1095f2f2760a1c5e0f302e07d6b08de39ce31fe6a0db2f76e4626eb0968768ae04d37082c114573c307699707630b8c7ceef60abe3b7831d2adcd6e
+NONCE: 9dc9bcfe8b4e2ea059e349bb
+IN: 3ad57105144e544f95b82d485f80bb
+AD: 96bce5dcaf4a90f6638a7e30cfd840a1e8dbc60cb70ab9592803f8799f909cafe71a83c2d884e1e289cc61e7
+CT: e504109cdbf57b0e8a87080379e00d
+TAG: 1798a64b5261761ecd88f36eaf7f86ed3db62100aed20dc6e337bc93c459487e
+
+KEY: b43ab650bdd201cf05e0436afe89ac54867383f04c5ed2faea5db8e6784c720d905234f1f5443c550ca14edd8d697fa2d9e288aa58c9a337b30e6d41cfa56545
+NONCE: 4e3dd3efe527902b9de45a5f
+IN: e386663e249b241fb8249cfec33ac2
+AD: 3cf7a396e1bd034ea77a54ffca789f206f94263d90d98bf3e69cb42205fc5c95cfbd0481b0ec490ea447299159
+CT: 94aacf00092723e778d25ba78e9d27
+TAG: bd5fcf90b9532e7abfa858aed90d5170f08edcdd28ff2c673e0ab45b8c0a0f39
+
+KEY: b22a7c5bb38715025cd59cc0feed9ad8e51101200000168052b294fb1ead545a517dee636a7acd22b8283afb33d30adbe02c1c8557715eea7147f3d98a97cbb9
+NONCE: 3b4244c9ad9fedd3f10fdf7a
+IN: da79e1ed131856cec3250fde7bda4b
+AD: 4b77472ade3f06500169405b86a793d63cfa58f57bde0dd706f369b391142c2fa8a3e6345ccf0a9c29b2182f578e22f55c576f155a05be5e81997fbe06410034ecddd871e5ed94b5eeffc6dbd90a8e66449da01f8ef47d28a4a4bd253ffc427f868867c73b5c709b01732bd8035b1a23ff0a903def1eb136fc90d8b3c8279769
+CT: 5d8ad7abc047bfdf9d9cd0b0aaa53e
+TAG: 41d050d518d0e51ce16bc2920aa6c76eb8eabd4ed76373c59618c6354885f47a
+
+KEY: 04b3fd8126d65f851f47b3dea22cd6e32506f21effaa3e29820ac7825e01b51c5a2816f0298154f2d8addefa2fdc34c0635d4d6b80ad23eb320c4d4f2aa1de1c
+NONCE: fae1b1da40471dbdcec64d4e
+IN: 509f116ef7435b0640cf141d5b958aaf
+AD:
+CT: ecf553eba80e6dd1fae2eab24d772a89
+TAG: 11473566e80cff5d7421f65949c34301f34de378e91ad50928cf2caeadc466d4
+
+KEY: 413d154dadc7d8869e9e0f24b3320019a04b7a37620dd9e7aa40b5c08d70dea03c12ccf7faad7009e972680e81544b647650c6ff033f56e5bcdac9a35bd7f804
+NONCE: 6a4404adae3f4a7bd2bef95c
+IN: 3539fe02b75981fad4f8762772b3c11f
+AD: eb
+CT: 3f8a96905609a4ef1a95fdb87337503d
+TAG: 8ee076fd624d90e1f6336a92165e80408ca6f0e165b201547d351177c95e8d51
+
+KEY: ddc10df673e720c00f28fdfb69f1b8fba99696f23b6f29704a0114444cc0c8a6c8606e8d37fa95aabfd65b29c655678fcec50966c8758a3fb15332a1854a8eac
+NONCE: 06331613842b4af86c13f8a2
+IN: 55d74bcfc3d1cfc716c6e6b7153c6369
+AD: acc264344ae79959f9dd5130664273ba6f345c3fc7bc33c6c1ce33312bfbd5f181a3c7a24f15e7acf72ccf
+CT: 20650d9e846eb42854692d438b21d5e8
+TAG: 973857523e7ff600cf9bcfcc98403b34ab38d939a6d76716beac42678ca5f5bd
+
+KEY: be0c884db54cf761fc24ff3dd572362910dedacece5e1d93a916df277f923f78e7dcd908e60beb0043503c5b4877a9d962a7de37cacc7387a7553949b52894ec
+NONCE: 3f027a93e2716668c7634195
+IN: 1ba8f3a87ac6738167aac1491b602ddd
+AD: d06dd1b9360a68afa3de5d239b6d91d212c5c555567545a4f133bf5a3b0f26addb9379e1cc1cd690cd427c57
+CT: 3596cc50ae72db932dd83bbc8661641d
+TAG: 44a1834b1587d0f88e34137dcebbca059dfb8f65ddab18f338a8a30152167be0
+
+KEY: 2ee848726730c64332877a4f88ad7fb241a73b71fbee8eeb4d9d6485855ea32b487e03968e1a7b9e8ac8ab7fbd84257efbce0aa207aeefa67302d5847e0d9c05
+NONCE: 526b0a79b6359d133ad51011
+IN: a0c0477e8a9ebfd275b674ed33230d42
+AD: ded2f0f3f28aea28b17aa58d4b906c6a9b3078f97ffe95b7e161b0c3dbf66879bea7603a046da4945c802ac8b3
+CT: b1691c8275f12f7d9af85e71dde9dd5d
+TAG: 65a5742dcbc49295c4805387e0a15f986ae47e51add9389dfabb6468a6e83013
+
+KEY: f4a7c0e29ff510c034778e47bb30a468a92140a707936d381b1554d421af107c578e74c53ea08c7f7d93cf67612061359ae458408a9c79250f776ca4192016c0
+NONCE: 025bc10dc99346c4d0766a7d
+IN: d449a2e812429beb5c466d344f5b5eec
+AD: 304dbf9a59bfd33b777d8dec9dddce4c365e72aed851210eb964c1da18119bd13248266a67408e88ac2eadfc54def0fb57f23743d376b11293377565d253d2bffe0309f2946cb78d4e9536dde4691fe1eef9ce2dc916a773d06b42fe2b014e7974d4aeffce25a0902c9b44265e5d6d26809b5f24875e80cc13f1f8872b04a237
+CT: f366e7b66683f52586e1c363c15b7fb1
+TAG: e0e1bb733471f150ddce1b83f3fc2d88589d286ca052574b7f0735bb598362d2
+
+KEY: eb78ea626b219e12937057155884547cb7578718f569dc8f2b370c0fea80e7f0d0f5cb590f0b7341d20c775bcd6a3c818e23b6cea949cf99eb94a23a81cd2249
+NONCE: 75a10f16d429b809cf12b9ef
+IN: 6b0203316e8108ff01b12df91ba6644382
+AD:
+CT: 7ee07054f76471115be159259340c24391
+TAG: ab970669d1603767d588a93cf215673ad307244f9179f46fca56e97f64a5fbac
+
+KEY: 3221167926be262b7bd0591f56be6bf030365d45ab84a93a94ea41a5e07735b17245ad43787e8791e7ceaa0472b562ed17e3b609c66c868c9b08304c8bb328b1
+NONCE: a94d8417d2bb0323bcfd354d
+IN: cec81bac7b85c441b6261163d67921eb49
+AD: dd
+CT: ddd8860fa9e2e8087db30c9da1ec9f9487
+TAG: 26a3b9bc4d4cd802cc22e7647a19fc2a5092293c9f5b1c84bdab7245a6d8f4ab
+
+KEY: 4b16e2d62294f76cd2a6c8e0928279d9de40f0b169ef9465738cbfa064c520128ee89cf657da27e4e532d8c4709d992970bfc9daab2f31b3a67e53200d3d6710
+NONCE: e746d498b9031007332447f7
+IN: 16841e3fc1f53990d33f7ba525dab121a0
+AD: a785917bc9f3aaadfd170abe83bb30c0c5d595fc8b491d983131aeab1a7b8d8771f1a963c251976152dd63
+CT: 6bcf5eac15ef74cb8a706856f62eb5e8c7
+TAG: 9dc84b06e8ec8921be4bc7762e8cebb61a95ac5660022520f9438e8f77b45796
+
+KEY: ff2f5944111226df1d9a300533d3e871694fe15a418b2090265cd8c0111b249dfb7ee86bd9228f7ea5d89d8afcf10bf69942ee4c29bfa8409b63c00c2213629e
+NONCE: 477060f0c61555873bbeb225
+IN: f091891c43e2374c2755a88a11b04beb4a
+AD: f1323fd1ac4de9719dc5966dae45dd7b8ddbee3f8da4f4f4d5f25d06bdb8ebf57328dde76d0bdb9bdc5f6b12
+CT: e0d96f6f3ed0493a289d4c3b79238b9ed6
+TAG: 71276c05b52bab0063108dbf4e8ff57cf3e15079055a309d725f14bb86671ce1
+
+KEY: 1ce841bcf2ad8accc458a2d94774c3aa53a99e7dbec587376212101303ca2b42272a23fe28514be190b82e503e7772a3713800f4360fdb767e85ea5e1f7b8eca
+NONCE: a2f8afc5ceb5382882907630
+IN: 620fece1e843d1d0b5c5a541a6f615a81d
+AD: ded910647464d0fbb0a5d93ffb9839de3360c675179c5991ad3470285d79071436025111153628c563ad1b595e
+CT: 34431c3422e009373c50f3ee6c5b3fcc2d
+TAG: 6e4e8a3967307f47e233a36ce05a4826a698fada2ac19543bab7c9ac4f79451b
+
+KEY: 6bafd28a32690851fda667eb2d3c5993f13df52b2e97630527f26c498fd5019f26177a78f27c0c41616d2a4a73757fcaf9cd92a7da8498f90315d41e7479d90a
+NONCE: 75166c506c8e1d10da4da8b9
+IN: 697bea4d6eed5e6ed243cf01cc79bfd3a5
+AD: c0fa663961c3f7e09a8c7bc73e252a232977dd6c9483f02067b34fe695f341d05338ea2002952439ce08295ee5c12f38dafffeb5716908d3f1d4bfbf9eb0e4077bf8e534f19568ed04fca3bbff95da9088cb939f7a20cc97cc0994f9308e184219bf12c8af0d66df436c296ad39832d661b88c98cbb168c751719ac1383c9124
+CT: 8f37885b9602725385fd9a244ab2a156ea
+TAG: 7fa5cedd330887900f4a44d098e04d5eca16cf94e21f897fa54b0fc116b711b6
+
+KEY: 815786c7744d15afe1d6ab452cb6696fead8b88269ba3eb35c458f6248bad77b404acc744ebb74612c4f97deaccb99a7bcc6ad41917d61057c05b30c581dc4a0
+NONCE: 12342e4704f02336ebfc91df
+IN: 7f15e696b49ae5104ced5bebbf58a9d8ddcfaf46ddce9df88fe0d58a2f8546feeb83b975c66e4dafddb7fd9d17e80127e70af06b3b8b13c3390f1f50a227e7
+AD:
+CT: 22e7c5d54a7b622c47a9edb77cfe7c094e500b0ef9595bc346de736e0088e5934dc07160aea34f24d3ab21440878213d28059551cbfdaa418af40d344674f7
+TAG: 8c271ea5c15aa771c900388267efb2f435f001c2e83f4ec297e77c608de2d579
+
+KEY: 66d87d2b18e46257476456a1f87123424477decf196b88b09acfd3ca74bdebef4c98f1b93803098a141e0acc3ce8eede065417a0c1eda9b4614558d2383762b6
+NONCE: 1ec0ca1d3b09ef186ac4bb1a
+IN: cbb59e14098c2a8ab7e84ace913515c74e056e0fb272c7b88d0dddfb62e395afb695647d97d1071eb09cc1e1776b609fceaf4e30e92640379bb8f0e762ca9c
+AD: ec
+CT: 832804b8003b0ca1b4eff1dc4da6f6a9649e5a582854bb72cd74357476bf38d81ea3bc8ac0463f21fe37683bcbe07360d0ec2d7ab90b588adf669099303ac1
+TAG: 9fecafc768fca71ffe7d640dbb7a052d97d6c8e2fc86001d71feaf284ab609f0
+
+KEY: fbff97085351f4500e73190ac139dd3ac91e268042b5926b57e0394c750b10348b47641d195d5fb5b0846256ab229f102538b81e209db5d93b4d55f30c453d9c
+NONCE: d4868c918de2af7d3e3f57d3
+IN: 4f14aa5a680d66ae15ce0ce4739888f64d827def862572f9a6cd620badbe4ee9d75f4f9bc1f73d409f519a657f53a50d50e68e22f33a8ef5aa08b1212889e5
+AD: c41253e96696a948ce500030af27086842aacb79c04cc02a42b858a65c630065a5292bb9b2e69ea5fe5a7a
+CT: 08596ac0550574e352edc13d7e390d8fd0a57406dd61e1543066b4aa0ea06670f356e26ada0d6c61c1e41de1b4fd7a251c961fae44b23523ce227eec99a338
+TAG: 72f58de3e6697c8419ef518748fe0bb3cb930907c71b6d682c5e61068206d991
+
+KEY: c78c550aba82b571d39ce21d6ecf5e5f7c2a7bf921c6162c64ec1fdff4d0b8c41bfcea0e2486cc86b9ed9e9ceb73c4ec228a2ecbcfa0379174e76475cc21ae31
+NONCE: b5adf4de19980a71cb8ae8e6
+IN: 3d5e43ce95ff9d7f797f27b904c07291a35678fe76a9c57f0c0cba724f38acbb22c6c185db864a2a17b7ef2d67a04810ee5a45fd5a4e28a15a1ae16971451d
+AD: b5eeb9a18d436ada7bd5601944784f50fb0a989397b5c781a2cdf29337315dc7664f3c1cbf17f37fd0cc8b30
+CT: f91f1f20d06ad4480ff233480228994cfa052f9bf3038d06d997d31eb68bffa4960341b93eb5ed2260341e6816519c47bf231db2a41ad8a9719f4de6a33de5
+TAG: 6e5eabda421961e26dc17a7e1f750425235df4eaf9a97934c1e1b4439fc22791
+
+KEY: 17b90dec44546d9dbc489e55a01f2cc64452a9b0e50506a8ad7c81bc6fb21328285cafed901a7204048866ff3bd543003fdcbeb3e9e2f3d580f9062362879633
+NONCE: f0c0cb247d210031f9b233bc
+IN: 75b9b524cbfd1287259da116f536aff56112a406f069aa08f545b5372d45b66d7a5d05e02728c4bc2c779609dfe251386f78c5f48b9dad90b363d324826cd6
+AD: 8a604a9b06ad595ce0b9ad1644a596c7d3cde81490abc80840c764c40d6df08fc71d1e8196eae0802f8c8dfc24
+CT: 23ad62a668f942e613c3b5a7828142048f1f6a67f7f0e0cc8bf3fffb2d1dd967da472d080353dc9c23b900a566f20afb850e4a47688ee507faa6178fef2afd
+TAG: e9e82d3221f964d9e6c09d761afa3f05d1316d39c82618a82dafa23607bb40a3
+
+KEY: d5c09fe24201fcc3ad4c9a9c4b759345f643e930301c3714f62c8dd4974bb15a026b217ac637b4f0e8d6ef40f36be967c50aaea83b2e72df18eeb9576865f1d8
+NONCE: 9cfa0df1fe0910b33ee9849d
+IN: bfeb3d86ce3f4c5ccd0c3945e1da0e75dd057aa5b4e1f070593394f4a0227abedac0b77478e04d498506245b162e909cb711d8b875d33f9c4578e80a0e2113
+AD: b874a8523799554436a1174ab124677dc2ae2042a436c85065c50d5b5e7519623379ffed9a9c2b84b9626214b13c1806b65a432ba79066ff28ed94d17628f5ff84618593954389181e997ebd245d31f520539e250b31c86b99992983820f79e74aeaacb3a95e690e2841aba5a384d0333ebaa5d1fde06b4b8e3e1cabc6639459
+CT: afa649ea47db94936f89612ece681bb175664a97aa6faae5745f49ac9fcbfd4287b73cb58e8d8aa12eccf309182f075098f339db697fc60540481dad0cd82e
+TAG: 9909335130df0326650823de5a4f5b6f45e6941a6a72ceaf80ef32fe67363944
+
+KEY: a13c4654606f532a8df47c367dab1b214166e4f7188c20560831ac30ba5e58d316d29764e4c716ec0126657c926ba2e4541da062447228ae61340a951101b4a0
+NONCE: a2df3417ebb86bbb2f954939
+IN: f1954e59a319547d32e81f846e0c79db41c681166b43eb9c10458948606ced50a44df26fad5654a7c25d3fb52539cf25fcc1c11707c4b5aca7910a76e2374740
+AD:
+CT: 374726a4691f178a4c0a6f96108ba30c4ca8a30242c14e84380969473879d4a5de580fab4cf6ef6e465560a15028ba78a1a88f9e62322cb698b15ccce6ba83a8
+TAG: 683e5a3e61d9d9c8b170f1d4eaa4f74dcbecb1a4cb1551dc364bbb336d4e4109
+
+KEY: 0c1751677a9b7373e0c2ceab2c8e4dab50af22e2230be3187c21ed46069168d173c28a7474d8f7c3cab39401663405aebdcc474ce136e1fff9cfc520bfe17ca6
+NONCE: 38bc2efcd97998de1528b064
+IN: 8a3c6212240bdcb86da98f0e3ab3e9e78f7f61f0627ea088ab283e739a0bed5c360eeed26cea43ec09b4f3556049a1d7f8ef86abfd1118f9c0e34cc6eea4544a
+AD: 20
+CT: a1a9f7f4750be3d89fc4f25917f8ffa7dd462ce712ddf61792a01b1840bc8e428000372252f1b41055416a961db3be8fbe774f0a0a71a82e79e74927522703a0
+TAG: ae24708df0d5893a902765f6c6c2eebae0c11312936cd415bf4a74bb8498a367
+
+KEY: 154c21eb43d8d556e5f782ddd64d577ac8066fa172c2936fc2b2e875aa437f941819d9ecfaefa2e388fdeea81a0ece8dcb7647f2c68da48884aeb1315b577c09
+NONCE: e14d1bd8681373d41702a762
+IN: a2c880fcda87d9d4681a735a6790d93a1c9c68e55b87d5f7b3146665a6b2051398eb9895e1f5d522841668b9915633aa8cb40048c619baf6d63ca2da486cdeb8
+AD: b0b725cf634349ce1d3ac49d48313a09697efd9996cc5afd06b1d0817181d0374db05825dc2f08207bfb3b
+CT: 1cc0db5980863df7a40c78e323a78be6c6d556d4e3b5f930d8d0f2c6a10c6477e31c000d3f0563b46e1a4aa566a4ef4b433e17e94c43338b51a7a3f862739b6e
+TAG: fe005424112de2a5ca6e68ada40984df1ae5ac666cf5fee19e9a0f203dd69f52
+
+KEY: c34482341724ee431b5272ee2964b245d7657778f7927cad4b5a1bc30a176b1eb88a83ac9faf58215a72855edf94f8e86fade58c5b5907994bb8381c9f21b753
+NONCE: 4934d9afc32fc7e2d8851594
+IN: aa3d32adc47b0b84d1b038ddcaeb007a7d5c96cc06a943eba5da6d0d367625330556e67da099c84086b3f46bb4b72986e076eb426913e415cd20bee34e434bd0
+AD: 076a7bc587b306f3da3ba88e66a55cb8125bbf8aa000dda266e950f381e35ac938ac86f8a15a83022a25f28b
+CT: cf017d87da8927e42c1f10fd3d73cf483bae43f4e110363159a9fbb7cba363930a0364cd42a5de2c70171edc4caf15bfc7238f7087bf1402b32c7bdb1f493393
+TAG: 3961efea656aab1b83082522b801fafdae346f7d4be70db1981283f323e5b5dd
+
+KEY: 363e10d8b3fe349014d6222761bba7af86545dcd1812fe2e5ada564c5008f8ea1850f374208e87362afa135f20f9e79dd0ad32f86448263416086d3afc5d37c0
+NONCE: cc545928edd3b21c0e8bc0f1
+IN: b68e3a54d17dab6eb41b03de2df14e792201d78a9c1cbf341da421da82b026ff471d4305ede5c6baae162a098c73da5cab93f30d6d540b4eaa0ee772448dade8
+AD: e21498edf4e25ada2dd6a382eceaf737623e501db34f5c5bd5c963f45818b146a6e45aa92db2a2069e55d46a4c
+CT: e4920c1fddb5dfed2268781fbb17e9ad2ea88bf2a0f116fbb7b309b25a5b9f989e1abc334999ab175b65f87e874d8ba80792044b458dc27d2b24c989d24385e1
+TAG: f0dcfa064cdf042e0b9a0443d634c38695dd09b99dadc647195fc2ad53dde547
+
+KEY: ae93f58aefa94e4e0622f2e962529fd2efdab840fd0bce62e163ca0fb004ec3b22e246073614203d9b63fe2842ef5903ed08b3e52abf7ea18acbe16fa8f66368
+NONCE: c9ac237c87270f2d88b91b64
+IN: a75f49778a6c03b0f8915f5d09efe99c5f4e9cd928713882e6b9b78bab3541812db41792b893c7e2259debc6c660ce708851912a5b9eaf91416d86b5de114ce1
+AD: a4b198a329e9c5bb6d9f31a6415811eb33c79422b0db130b78d788c38c0b9a5122688cbc50fea811afa20789465f9ee4362336cc3701ece701179af96eb7c86d5a00ed8582f24364393287d5dbc3e83a82b7a585cee5b152b5da40aa45ccd46dc841004778998c7efe9eb43c9762d1c8581eee64e18c5a961bda5aafdd5cfec8
+CT: 453fad9395106a703ccbfe811bf775f1827ea960c71d79242d2ea0e3e31b14baa76eb6d107dfc6e484f4e5146f8cad5b389e4c0fa18260c96a193edbc8091a36
+TAG: b67082c21557b31392a9821fbce4b93706f96856d2581c92e7fb65dd2166624f
+
+KEY: a145adafac46280e1cee8696903c5f3866540f27f17a519637373d95dca4ac5ac0bfd85ca6e1f8df8ae3fcfc9158421581669db52c20a3e19c5d251952f63218
+NONCE: 90bd43611f235ff225b23208
+IN: cbe5f3a5b7a94b8665cac1a4d173a225679e1a3926d8596b5adc0ef4fd00f7d93a432ff141cc04f877be60b6a17fff40ac845a91bcee3b483862f67d9a76ef498ce5e49c361bfc018e401aff47b397e96b2982d4fdcd043ca09905be9634e83dc22a667c955bc992ec96ca1b76f73631767f64fc7151284d5aa81c1aa42eb3aa
+AD:
+CT: 604f718dbce17dfca1fc5e0f400151cb65bea9d7d8f26d56687a76a23f89201aab01ef928006d15493f5b1501bb99c517cf123acd956ab575e687298488a88d5739c266e67ca6a20a5dbe5f5f27ac778816f04e7b1764cb716477f3aa01482cb6b25fe034ab5d942013164aa124608cacf13d6cc9487446cfba54315fc6bfc42
+TAG: 8e3e1a01945bfd9e1aa4eff1cdd0a6da6d8fdd5446e6d732a673effe8e44d76a
+
+KEY: 63ac8e2561341587bc066c87cd23f7f33e6023bdc1521a91d6ce63d3ab213825d95d674928b56da1741aad8e85a8b703239ad74e0304ad555eeadebf4ae30aa6
+NONCE: 4f3073c3b780ebb146e136c7
+IN: 7f9a05b1aead29b4d5361c2606e5db8a48122858842679cd46f8386ef9359f998cd2c6c266791429624ff634a160d08faf1523b650c30b2fcd71517da5f377000251ef23cfd2510a0630215ad45fa6d2313f9add040a07df8259b82d3f29cf1ab8477cd114c9ee579d3e2ce60c5da2f3375b68b4d6e0913d39dac9399c00bd32
+AD: 22
+CT: d4ed811c8db932348e0c311e9278ef22f22cec8af88b3ac0cef77f13bbd9b8cca037c1ea87590a0ce3f3e7b3ffe1dcc4c7cd9e721baa5f126a3e0afb26dcfa02bf44428846c0f1e07ba0e026c23a39877de1e69e16a2766ff4fa3d4e8d3a97ba28f407f459ae3520dd840e8f9e149ea582048dc6e3d0227bd86a9c26ddd59895
+TAG: 0abc9111229bcb725953d139a2dcb1aa0cb9d3d6c01ef4733482dc5edcc88958
+
+KEY: 355454fbe12f125edbc13550a7494f37efbe12b843058d29f892e1524289c2868ef0050a75a232d3083c381289e4950e352d68d64bf05f0608d694763c36641c
+NONCE: 0a344bb3da1c4260f2daf256
+IN: 362e97f8ef09f30e5db2f21d40568d347d9bc42d4c94a563484b12eb109886ccfd2c61c40dfe93eb836bb6aa4f828e77c137485da2df494cbeb6a9a0192c3777b4d7a927fba11a8eaf604b85a81ac4719ce8b595a74656286fd0b80d1ad3f3393e6038b258af97af9a77f6760d486d9caf5a451ba26dee51bda0f76d75bfc26e
+AD: c7c2e8196f37185b44515480d5d9451d79d07df4c1256bff6382f942727ce9b3a4f81ae964d8af2cd9f638
+CT: 32a67922947fd6b1c1bfaf3e1d41397173b97095e55307cae1c574daca275778d4aa4313fb1fe5b3997ff18800903ce044c7d0976abbb03b6cc1f7498d8b56d00672bd74f7cb152b677c632ef7a6f6fc13e95e82b6e35d663eb47f27c229c81174fd7c62c94c414e47216af2580fe822643e54907af77ae18e903fe856a02173
+TAG: 72d0fe5baee8090c5f8e79890b77f6d72a4213a7d1a81e0d1f1c9e6731e44d54
+
+KEY: 664478c9d30d2cbc39351ec3b3494f3edb81e32e48bd4ef05969da07e770e4181a9ada3b2f83b46f40fc2d9ad35fd8ee6864ff3d70436d6cca3f8e0563cc3b06
+NONCE: 7313df9679181ffad2972a6b
+IN: 142f073f2ce443c68822f120b5009e39bea3453017dc04c1b091adfddcb2a7e361c2b79eab1bf0818bc86e9d7964834d3775698b56a11ee07a0c9c03cb7bb895bf1a1dde3975c3662d233052824f1539f58cd6ad5cadb58fecaf2b34935ff711c45a639d642fb8fc3a52929b1296683bb13e67f2cc8ed9090126cdf28a4395c6
+AD: d0d78b94505793af546912f3780699dd72e288c775bfc75da6e306defcd868f6d40c6d6ce34fab9c11574ef5
+CT: cb913e40ea5dfe76beae612e9732d23ce352789987134822b2324db585179bf90d0ee20bee102e93a49a55fc978d19e99ba316cf8d9a10d2f2bcb75da4b135d1fcb8057edc33a180586015d8829a128f8fdc87b72497016c280f54f4d974c2c7e9d32ae137eaa1bcb670be237269fa73c3a0f273da9e70d89600ae7c231fc9d4
+TAG: dcc158c254ff7e131ad854a2158d51c643c281dfd7df342d5481384ab236a685
+
+KEY: 409d1b4e1c187c8b1c053e999f2af648583e1045d56d553cce9270d08c5643ef365eb35e3bdeaedcd164b0122ad185e71c75146a9807104d9b65b56d9bc1dc55
+NONCE: 1cce3f08a5aa5824d063a6f2
+IN: a255239e4065f3effe6aa5e88814d516236d016c51cd8eb35af7cee86418966559802f8ff7ac39c6a45acc1f1b18cc28d7cc32ae66dff43289fe44c3a2a72fbadf3a7249d76c1ba9671dfc420ddf513539f2da5f31030f2b6775c57432c2c3486621d841e80dd4894229debc12ef47d74716838f2d807e208f0fdaf733bce76e
+AD: 8f34f8b676e71844841c6a7b63fef1ad3061f2449c1044e1a281595da2d9e9fd141aea7350bd8cf9774d375e67
+CT: 969fc2c64261db415e51eee8cc5e0cf5185b8e3325dea516a70e32115a5b72233a44458c40f2daff3594d71e42ca2e3fc1c444ce171d22ef40009d798456613fa4b76beaa6d469e235997a302ac468c8bcfb8ef5de5cda58d7e554a9eab6cb568945dc37f28b0dbd674c083dfbd2e42fda1b42d0c1966e9652a21b32af71e2d5
+TAG: fa0789a83c255412501944a67bdceaff3f01d9a23b0c749be38abc956e2acae6
+
+KEY: e6fd8144cdb305bf9e62a2c901764c62902f354409d8c5b9c8cbfc0ba8ac7d0859ff8994e573e46784395d89c355a91a313f601b56e86ed3fd10ba428a5481ce
+NONCE: bae080718d3e5c5998542f15
+IN: 2258ffcd6fcf91b1723f8db0047525d61cc8ffc440acf3290690685d16384292493807312b7dfc23ac9d9c3ee1405baab21a3770a05875cfe325268b65fc877463e3208c842ea4a32cf144cc46d57afd91f6b6b5d85fb2dedb0702f0c4e7f742cf4c9b4aec02f07267ec1f7b96a5a3ef25f6c1b4c27bd829e86583e239cd854b
+AD: 51ae57749b7757718aef9b9c47da5794659516e7f98bc80e6c18c89253f8617963331f54d4f009f087d1d2bd69a083f3a4b98f2a51ce24ffc6079774f7c7b01638b6131bfccebe21fea67bc839c259a50fcc0a16a69ada3c5adee4097d9e053a03266cb9b4b39ee2a465ec1aa058e61a0b9888b93bfcfd103f91ca3a7b274a10
+CT: 5b2fe8eea3313cc04d5ec75d75d05b3242b6e3b65c6fa1761716780c9529ff8ca523096dd037c5bda27984aa93c702ce9c01c63569a90657cc6373ad5d4473028b7eef69dd79c44c38d0063e8a8b7f1aa2bf6b646711ecd4eea3fa27408e089d9c4c4aceedff29a25baa6a9069eb7eac83a53212c0b387d700547c46cdc525e3
+TAG: 60319de093aec5c0bb8d5f17e950b0f4df0dfd20ad96490f6f12db461b2a4a84
+
diff --git a/src/crypto/cipher/test/cipher_test.txt b/src/crypto/cipher/test/cipher_test.txt
index b250df3..f3c6d35 100644
--- a/src/crypto/cipher/test/cipher_test.txt
+++ b/src/crypto/cipher/test/cipher_test.txt
@@ -76,6 +76,43 @@
AES-128-GCM:00000000000000000000000000000000:000000000000000000000000:0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:0388dace60b6a392f328c2b971b2fe78f795aaab494b5923f7fd89ff948bc1e0200211214e7394da2089b6acd093abe0c94da219118e297d7b7ebcbcc9c388f28ade7d85a8ee35616f7124a9d527029195b84d1b96c690ff2f2de30bf2ec89e00253786e126504f0dab90c48a30321de3345e6b0461e7c9e6c6b7afedde83f40::cac45f60e31efd3b5a43b98a22ce1aa1
# 192 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF
AES-128-GCM:00000000000000000000000000000000:ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606::566f8ef683078bfdeeffa869d751a017
+# 288 bytes plaintext, iv is chosen so that initial counter LSB is 0xFF
+AES-128-GCM:00000000000000000000000000000000:ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:56b3373ca9ef6e4a2b64fe1e9a17b61425f10d47a75a5fce13efc6bc784af24f4141bdd48cf7c770887afd573cca5418a9aeffcd7c5ceddfc6a78397b9a85b499da558257267caab2ad0b23ca476a53cb17fb41c4b8b475cb4f3f7165094c229c9e8c4dc0a2a5ff1903e501511221376a1cdb8364c5061a20cae74bc4acd76ceb0abc9fd3217ef9f8c90be402ddf6d8697f4f880dff15bfb7a6b28241ec8fe183c2d59e3f9dfff653c7126f0acb9e64211f42bae12af462b1070bef1ab5e3606872ca10dee15b3249b1a1b958f23134c4bccb7d03200bce420a2f8eb66dcf3644d1423c1b5699003c13ecef4bf38a3b60eedc34033bac1902783dc6d89e2e774188a439c7ebcc0672dbda4ddcfb2794613b0be41315ef778708a70ee7d75165c::8b307f6b33286d0ab026a9ed3fe1e85f
# 80 bytes plaintext, submitted by Intel
AES-128-GCM:843ffcf5d2b72694d19ed01d01249412:dbcca32ebf9b804617c3aa9e:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f:6268c6fa2a80b2d137467f092f657ac04d89be2beaa623d61b5a868c8f03ff95d3dcee23ad2f1ab3a6c80eaf4b140eb05de3457f0fbc111a6b43d0763aa422a3013cf1dc37fe417d1fbfc449b75d4cc5:00000000000000000000000000000000101112131415161718191a1b1c1d1e1f:3b629ccfbc1119b7319e1dce2cd6fd6d
+# OFB tests from OpenSSL upstream.
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:1
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:1
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:1
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:1
+# OFB-AES128.Decrypt
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:3B3FD92EB72DAD20333449F8E83CFB4A:0
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:50FE67CC996D32B6DA0937E99BAFEC60:AE2D8A571E03AC9C9EB76FAC45AF8E51:7789508D16918F03F53C52DAC54ED825:0
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:D9A4DADA0892239F6B8B3D7680E15674:30C81C46A35CE411E5FBC1191A0A52EF:9740051E9C5FECF64344F7A82260EDCC:0
+AES-128-OFB:2B7E151628AED2A6ABF7158809CF4F3C:A78819583F0308E7A6BF36B1386ABF23:F69F2445DF4F9B17AD2B417BE66C3710:304C6528F659C77866A510D9C1D6AE5E:0
+# OFB-AES256.Encrypt
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:1
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:1
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:1
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:1
+# OFB-AES256.Decrypt
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:DC7E84BFDA79164B7ECD8486985D3860:0
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:B7BF3A5DF43989DD97F0FA97EBCE2F4A:AE2D8A571E03AC9C9EB76FAC45AF8E51:4FEBDC6740D20B3AC88F6AD82A4FB08D:0
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:E1C656305ED1A7A6563805746FE03EDC:30C81C46A35CE411E5FBC1191A0A52EF:71AB47A086E86EEDF39D1C5BBA97C408:0
+AES-256-OFB:603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4:41635BE625B48AFC1666DD42A09D96E7:F69F2445DF4F9B17AD2B417BE66C3710:0126141D67F37BE8538F5A8BE740E484:0
+
+# AES-192 CBC-mode test from upstream OpenSSL.
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:000102030405060708090A0B0C0D0E0F:6BC1BEE22E409F96E93D7E117393172A:4F021DB243BC633D7178183A9FA071E8
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:4F021DB243BC633D7178183A9FA071E8:AE2D8A571E03AC9C9EB76FAC45AF8E51:B4D9ADA9AD7DEDF4E5E738763F69145A
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:B4D9ADA9AD7DEDF4E5E738763F69145A:30C81C46A35CE411E5FBC1191A0A52EF:571B242012FB7AE07FA9BAAC3DF102E0
+AES-192-CBC:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B:571B242012FB7AE07FA9BAAC3DF102E0:F69F2445DF4F9B17AD2B417BE66C3710:08B0E27988598881D920A9E64F5615CD
+
+# AES-192-ECB tests from FIPS-197
+AES-192-ECB:000102030405060708090A0B0C0D0E0F1011121314151617::00112233445566778899AABBCCDDEEFF:DDA97CA4864CDFE06EAF70A0EC0D7191:1
+
+# AES-192-ECB tests from NIST document SP800-38A
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::6BC1BEE22E409F96E93D7E117393172A:BD334F1D6E45F25FF712A214571FA5CC:1
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::AE2D8A571E03AC9C9EB76FAC45AF8E51:974104846D0AD3AD7734ECB3ECEE4EEF:1
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::30C81C46A35CE411E5FBC1191A0A52EF:EF7AFD2270E2E60ADCE0BA2FACE6444E:1
+AES-192-ECB:8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B::F69F2445DF4F9B17AD2B417BE66C3710:9A4B41BA738D6C72FB16691603C18E0E:1
diff --git a/src/crypto/cmac/CMakeLists.txt b/src/crypto/cmac/CMakeLists.txt
new file mode 100644
index 0000000..8ebd80c
--- /dev/null
+++ b/src/crypto/cmac/CMakeLists.txt
@@ -0,0 +1,17 @@
+include_directories(. .. ../../include)
+
+add_library(
+ cmac
+
+ OBJECT
+
+ cmac.c
+)
+
+add_executable(
+ cmac_test
+
+ cmac_test.cc
+)
+
+target_link_libraries(cmac_test crypto)
diff --git a/src/crypto/cmac/cmac.c b/src/crypto/cmac/cmac.c
new file mode 100644
index 0000000..fa4c3c4
--- /dev/null
+++ b/src/crypto/cmac/cmac.c
@@ -0,0 +1,239 @@
+/* ====================================================================
+ * Copyright (c) 2010 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ==================================================================== */
+
+#include <openssl/cmac.h>
+
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/aes.h>
+#include <openssl/cipher.h>
+#include <openssl/mem.h>
+
+
+struct cmac_ctx_st {
+ EVP_CIPHER_CTX cipher_ctx;
+ /* k1 and k2 are the CMAC subkeys. See
+ * https://tools.ietf.org/html/rfc4493#section-2.3 */
+ uint8_t k1[AES_BLOCK_SIZE];
+ uint8_t k2[AES_BLOCK_SIZE];
+ /* Last (possibly partial) scratch */
+ uint8_t block[AES_BLOCK_SIZE];
+ /* block_used contains the number of valid bytes in |block|. */
+ unsigned block_used;
+};
+
+static void CMAC_CTX_init(CMAC_CTX *ctx) {
+ EVP_CIPHER_CTX_init(&ctx->cipher_ctx);
+}
+
+static void CMAC_CTX_cleanup(CMAC_CTX *ctx) {
+ EVP_CIPHER_CTX_cleanup(&ctx->cipher_ctx);
+ OPENSSL_cleanse(ctx->k1, sizeof(ctx->k1));
+ OPENSSL_cleanse(ctx->k2, sizeof(ctx->k2));
+ OPENSSL_cleanse(ctx->block, sizeof(ctx->block));
+}
+
+int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,
+ const uint8_t *in, size_t in_len) {
+ const EVP_CIPHER *cipher;
+ switch (key_len) {
+ case 16:
+ cipher = EVP_aes_128_cbc();
+ break;
+ case 32:
+ cipher = EVP_aes_256_cbc();
+ break;
+ default:
+ return 0;
+ }
+
+ size_t scratch_out_len;
+ CMAC_CTX ctx;
+ CMAC_CTX_init(&ctx);
+
+ const int ok = CMAC_Init(&ctx, key, key_len, cipher, NULL /* engine */) &&
+ CMAC_Update(&ctx, in, in_len) &&
+ CMAC_Final(&ctx, out, &scratch_out_len);
+
+ CMAC_CTX_cleanup(&ctx);
+ return ok;
+}
+
+CMAC_CTX *CMAC_CTX_new(void) {
+ CMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
+ if (ctx != NULL) {
+ CMAC_CTX_init(ctx);
+ }
+ return ctx;
+}
+
+void CMAC_CTX_free(CMAC_CTX *ctx) {
+ if (ctx == NULL) {
+ return;
+ }
+
+ CMAC_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
+}
+
+/* binary_field_mul_x treats the 128 bits at |in| as an element of GF(2¹²⁸)
+ * with a hard-coded reduction polynomial and sets |out| as x times the
+ * input.
+ *
+ * See https://tools.ietf.org/html/rfc4493#section-2.3 */
+static void binary_field_mul_x(uint8_t out[16], const uint8_t in[16]) {
+ unsigned i;
+
+ /* Shift |in| to left, including carry. */
+ for (i = 0; i < 15; i++) {
+ out[i] = (in[i] << 1) | (in[i+1] >> 7);
+ }
+
+ /* If MSB set fixup with R. */
+ const uint8_t carry = in[0] >> 7;
+ out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);
+}
+
+static const uint8_t kZeroIV[AES_BLOCK_SIZE] = {0};
+
+int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
+ const EVP_CIPHER *cipher, ENGINE *engine) {
+ uint8_t scratch[AES_BLOCK_SIZE];
+
+ if (EVP_CIPHER_block_size(cipher) != AES_BLOCK_SIZE ||
+ EVP_CIPHER_key_length(cipher) != key_len ||
+ !EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL, key, kZeroIV) ||
+ !EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, AES_BLOCK_SIZE) ||
+ /* Reset context again ready for first data. */
+ !EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {
+ return 0;
+ }
+
+ binary_field_mul_x(ctx->k1, scratch);
+ binary_field_mul_x(ctx->k2, ctx->k1);
+ ctx->block_used = 0;
+
+ return 1;
+}
+
+int CMAC_Reset(CMAC_CTX *ctx) {
+ ctx->block_used = 0;
+ return EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV);
+}
+
+int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
+ uint8_t scratch[AES_BLOCK_SIZE];
+
+ if (ctx->block_used > 0) {
+ size_t todo = AES_BLOCK_SIZE - ctx->block_used;
+ if (in_len < todo) {
+ todo = in_len;
+ }
+
+ memcpy(ctx->block + ctx->block_used, in, todo);
+ in += todo;
+ in_len -= todo;
+ ctx->block_used += todo;
+
+ /* If |in_len| is zero then either |ctx->block_used| is less than
+ * |AES_BLOCK_SIZE|, in which case we can stop here, or |ctx->block_used|
+ * is exactly |AES_BLOCK_SIZE| but there's no more data to process. In the
+ * latter case we don't want to process this block now because it might be
+ * the last block and that block is treated specially. */
+ if (in_len == 0) {
+ return 1;
+ }
+
+ assert(ctx->block_used == AES_BLOCK_SIZE);
+
+ if (!EVP_Cipher(&ctx->cipher_ctx, scratch, ctx->block, AES_BLOCK_SIZE)) {
+ return 0;
+ }
+ }
+
+ /* Encrypt all but one of the remaining blocks. */
+ while (in_len > AES_BLOCK_SIZE) {
+ if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, AES_BLOCK_SIZE)) {
+ return 0;
+ }
+ in += AES_BLOCK_SIZE;
+ in_len -= AES_BLOCK_SIZE;
+ }
+
+ memcpy(ctx->block, in, in_len);
+ ctx->block_used = in_len;
+
+ return 1;
+}
+
+int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
+ *out_len = AES_BLOCK_SIZE;
+ if (out == NULL) {
+ return 1;
+ }
+
+ const uint8_t *mask = ctx->k1;
+
+ if (ctx->block_used != AES_BLOCK_SIZE) {
+ /* If the last block is incomplete, terminate it with a single 'one' bit
+ * followed by zeros. */
+ ctx->block[ctx->block_used] = 0x80;
+ memset(ctx->block + ctx->block_used + 1, 0,
+ AES_BLOCK_SIZE - (ctx->block_used + 1));
+
+ mask = ctx->k2;
+ }
+
+ unsigned i;
+ for (i = 0; i < AES_BLOCK_SIZE; i++) {
+ out[i] = ctx->block[i] ^ mask[i];
+ }
+
+ return EVP_Cipher(&ctx->cipher_ctx, out, out, AES_BLOCK_SIZE);
+}
diff --git a/src/crypto/cmac/cmac_test.cc b/src/crypto/cmac/cmac_test.cc
new file mode 100644
index 0000000..0f06860
--- /dev/null
+++ b/src/crypto/cmac/cmac_test.cc
@@ -0,0 +1,154 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+
+#include <algorithm>
+
+#include <openssl/cmac.h>
+
+#include "../test/scoped_types.h"
+
+
+static void dump(const uint8_t *got, const uint8_t *expected, size_t len) {
+ ScopedBIO bio(BIO_new_fp(stderr, 0 /* don't close */));
+
+ BIO_puts(bio.get(), "\nGot:\n");
+ BIO_hexdump(bio.get(), got, len, 2 /* indent */);
+ BIO_puts(bio.get(), "Expected:\n");
+ BIO_hexdump(bio.get(), expected, len, 2 /* indent */);
+ BIO_flush(bio.get());
+}
+
+static int test(const char *name, const uint8_t *key, size_t key_len,
+ const uint8_t *msg, size_t msg_len, const uint8_t *expected) {
+ uint8_t out[16];
+
+ if (!AES_CMAC(out, key, key_len, msg, msg_len)) {
+ fprintf(stderr, "%s: AES_CMAC failed\n", name);
+ return 0;
+ }
+
+ if (CRYPTO_memcmp(out, expected, sizeof(out)) != 0) {
+ fprintf(stderr, "%s: CMAC result differs:\n", name);
+ dump(out, expected, sizeof(out));
+ return 0;
+ }
+
+ ScopedCMAC_CTX ctx(CMAC_CTX_new());
+ if (!CMAC_Init(ctx.get(), key, key_len, EVP_aes_128_cbc(), NULL)) {
+ fprintf(stderr, "%s: CMAC_Init failed.\n", name);
+ return 0;
+ }
+
+ for (unsigned chunk_size = 1; chunk_size <= msg_len; chunk_size++) {
+ if (!CMAC_Reset(ctx.get())) {
+ fprintf(stderr, "%s/%u: CMAC_Reset failed.\n", name, chunk_size);
+ return 0;
+ }
+
+ size_t done = 0;
+ while (done < msg_len) {
+ size_t todo = std::min(msg_len - done, static_cast<size_t>(chunk_size));
+ if (!CMAC_Update(ctx.get(), msg + done, todo)) {
+ fprintf(stderr, "%s/%u: CMAC_Update failed.\n", name, chunk_size);
+ return 0;
+ }
+
+ done += todo;
+ }
+
+ size_t out_len;
+ if (!CMAC_Final(ctx.get(), out, &out_len)) {
+ fprintf(stderr, "%s/%u: CMAC_Final failed.\n", name, chunk_size);
+ return 0;
+ }
+
+ if (out_len != sizeof(out)) {
+ fprintf(stderr, "%s/%u: incorrect out_len: %u.\n", name, chunk_size,
+ static_cast<unsigned>(out_len));
+ return 0;
+ }
+
+ if (CRYPTO_memcmp(out, expected, sizeof(out)) != 0) {
+ fprintf(stderr, "%s/%u: CMAC result differs:\n", name, chunk_size);
+ dump(out, expected, sizeof(out));
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+static int rfc_4493_test_vectors(void) {
+ static const uint8_t kKey[16] = {
+ 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+ 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
+ };
+ static const uint8_t kOut1[16] = {
+ 0xbb, 0x1d, 0x69, 0x29, 0xe9, 0x59, 0x37, 0x28,
+ 0x7f, 0xa3, 0x7d, 0x12, 0x9b, 0x75, 0x67, 0x46,
+ };
+ static const uint8_t kMsg2[] = {
+ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+ 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+ };
+ static const uint8_t kOut2[16] = {
+ 0x07, 0x0a, 0x16, 0xb4, 0x6b, 0x4d, 0x41, 0x44,
+ 0xf7, 0x9b, 0xdd, 0x9d, 0xd0, 0x4a, 0x28, 0x7c,
+ };
+ static const uint8_t kMsg3[] = {
+ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+ 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+ 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+ 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+ 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+ };
+ static const uint8_t kOut3[16] = {
+ 0xdf, 0xa6, 0x67, 0x47, 0xde, 0x9a, 0xe6, 0x30,
+ 0x30, 0xca, 0x32, 0x61, 0x14, 0x97, 0xc8, 0x27,
+ };
+ static const uint8_t kMsg4[] = {
+ 0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
+ 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
+ 0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
+ 0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51,
+ 0x30, 0xc8, 0x1c, 0x46, 0xa3, 0x5c, 0xe4, 0x11,
+ 0xe5, 0xfb, 0xc1, 0x19, 0x1a, 0x0a, 0x52, 0xef,
+ 0xf6, 0x9f, 0x24, 0x45, 0xdf, 0x4f, 0x9b, 0x17,
+ 0xad, 0x2b, 0x41, 0x7b, 0xe6, 0x6c, 0x37, 0x10,
+ };
+ static const uint8_t kOut4[16] = {
+ 0x51, 0xf0, 0xbe, 0xbf, 0x7e, 0x3b, 0x9d, 0x92,
+ 0xfc, 0x49, 0x74, 0x17, 0x79, 0x36, 0x3c, 0xfe,
+ };
+
+ if (!test("RFC 4493 #1", kKey, sizeof(kKey), NULL, 0, kOut1) ||
+ !test("RFC 4493 #2", kKey, sizeof(kKey), kMsg2, sizeof(kMsg2), kOut2) ||
+ !test("RFC 4493 #3", kKey, sizeof(kKey), kMsg3, sizeof(kMsg3), kOut3) ||
+ !test("RFC 4493 #4", kKey, sizeof(kKey), kMsg4, sizeof(kMsg4), kOut4)) {
+ return 0;
+ }
+
+ return 1;
+}
+
+int main(int argc, char **argv) {
+ if (!rfc_4493_test_vectors()) {
+ return 1;
+ }
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/src/crypto/conf/CMakeLists.txt b/src/crypto/conf/CMakeLists.txt
index f54d904..8046bb8 100644
--- a/src/crypto/conf/CMakeLists.txt
+++ b/src/crypto/conf/CMakeLists.txt
@@ -6,5 +6,4 @@
OBJECT
conf.c
- conf_error.c
)
diff --git a/src/crypto/conf/conf.c b/src/crypto/conf/conf.c
index b8dab95..213efc5 100644
--- a/src/crypto/conf/conf.c
+++ b/src/crypto/conf/conf.c
@@ -90,9 +90,13 @@
}
}
-CONF *NCONF_new(void) {
+CONF *NCONF_new(void *method) {
CONF *conf;
+ if (method != NULL) {
+ return NULL;
+ }
+
conf = OPENSSL_malloc(sizeof(CONF));
if (conf == NULL) {
return NULL;
@@ -530,20 +534,22 @@
BIO_gets(in, p, CONFBUFSIZE - 1);
p[CONFBUFSIZE - 1] = '\0';
ii = i = strlen(p);
- if (i == 0 && !again)
+ if (i == 0 && !again) {
break;
+ }
again = 0;
while (i > 0) {
- if ((p[i - 1] != '\r') && (p[i - 1] != '\n'))
+ if ((p[i - 1] != '\r') && (p[i - 1] != '\n')) {
break;
- else
+ } else {
i--;
+ }
}
/* we removed some trailing stuff so there is a new
* line on the end. */
- if (ii && i == ii)
+ if (ii && i == ii) {
again = 1; /* long line */
- else {
+ } else {
p[i] = '\0';
eline++; /* another input line */
}
@@ -564,15 +570,17 @@
again = 1;
}
}
- if (again)
+ if (again) {
continue;
+ }
bufnum = 0;
buf = buff->data;
clear_comments(conf, buf);
s = eat_ws(conf, buf);
- if (IS_EOF(conf, *s))
+ if (IS_EOF(conf, *s)) {
continue; /* blank line */
+ }
if (*s == '[') {
char *ss;
@@ -591,10 +599,12 @@
goto err;
}
*end = '\0';
- if (!str_copy(conf, NULL, §ion, start))
+ if (!str_copy(conf, NULL, §ion, start)) {
goto err;
- if ((sv = get_section(conf, section)) == NULL)
+ }
+ if ((sv = get_section(conf, section)) == NULL) {
sv = NCONF_new_section(conf, section);
+ }
if (sv == NULL) {
OPENSSL_PUT_ERROR(CONF, def_load_bio, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
goto err;
@@ -619,11 +629,13 @@
*end = '\0';
p++;
start = eat_ws(conf, p);
- while (!IS_EOF(conf, *p))
+ while (!IS_EOF(conf, *p)) {
p++;
+ }
p--;
- while ((p != start) && (IS_WS(conf, *p)))
+ while ((p != start) && (IS_WS(conf, *p))) {
p--;
+ }
p++;
*p = '\0';
@@ -631,8 +643,9 @@
OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (psection == NULL)
+ if (psection == NULL) {
psection = section;
+ }
v->name = (char *)OPENSSL_malloc(strlen(pname) + 1);
v->value = NULL;
if (v->name == NULL) {
@@ -640,18 +653,21 @@
goto err;
}
BUF_strlcpy(v->name, pname, strlen(pname) + 1);
- if (!str_copy(conf, psection, &(v->value), start))
+ if (!str_copy(conf, psection, &(v->value), start)) {
goto err;
+ }
if (strcmp(psection, section) != 0) {
- if ((tv = get_section(conf, psection)) == NULL)
+ if ((tv = get_section(conf, psection)) == NULL) {
tv = NCONF_new_section(conf, psection);
+ }
if (tv == NULL) {
OPENSSL_PUT_ERROR(CONF, def_load_bio, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
goto err;
}
- } else
+ } else {
tv = sv;
+ }
if (add_string(conf, tv, v) == 0) {
OPENSSL_PUT_ERROR(CONF, def_load_bio, ERR_R_MALLOC_FAILURE);
goto err;
@@ -659,29 +675,37 @@
v = NULL;
}
}
- if (buff != NULL)
+ if (buff != NULL) {
BUF_MEM_free(buff);
- if (section != NULL)
+ }
+ if (section != NULL) {
OPENSSL_free(section);
+ }
return 1;
err:
- if (buff != NULL)
+ if (buff != NULL) {
BUF_MEM_free(buff);
- if (section != NULL)
+ }
+ if (section != NULL) {
OPENSSL_free(section);
- if (out_error_line != NULL)
+ }
+ if (out_error_line != NULL) {
*out_error_line = eline;
+ }
BIO_snprintf(btmp, sizeof btmp, "%ld", eline);
ERR_add_error_data(2, "line ", btmp);
if (v != NULL) {
- if (v->name != NULL)
+ if (v->name != NULL) {
OPENSSL_free(v->name);
- if (v->value != NULL)
+ }
+ if (v->value != NULL) {
OPENSSL_free(v->value);
- if (v != NULL)
+ }
+ if (v != NULL) {
OPENSSL_free(v);
+ }
}
return 0;
}
@@ -701,6 +725,10 @@
return ret;
}
+int NCONF_load_bio(CONF *conf, BIO *bio, long *out_error_line) {
+ return def_load_bio(conf, bio, out_error_line);
+}
+
int CONF_parse_list(const char *list, char sep, int remove_whitespace,
int (*list_cb)(const char *elem, int len, void *usr),
void *arg) {
diff --git a/src/crypto/conf/conf_error.c b/src/crypto/conf/conf_error.c
deleted file mode 100644
index b5dd001..0000000
--- a/src/crypto/conf/conf_error.c
+++ /dev/null
@@ -1,31 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/conf.h>
-
-const ERR_STRING_DATA CONF_error_string_data[] = {
- {ERR_PACK(ERR_LIB_CONF, CONF_F_CONF_parse_list, 0), "CONF_parse_list"},
- {ERR_PACK(ERR_LIB_CONF, CONF_F_NCONF_load, 0), "NCONF_load"},
- {ERR_PACK(ERR_LIB_CONF, CONF_F_def_load_bio, 0), "def_load_bio"},
- {ERR_PACK(ERR_LIB_CONF, CONF_F_str_copy, 0), "str_copy"},
- {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_LIST_CANNOT_BE_NULL), "LIST_CANNOT_BE_NULL"},
- {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_MISSING_CLOSE_SQUARE_BRACKET), "MISSING_CLOSE_SQUARE_BRACKET"},
- {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_MISSING_EQUAL_SIGN), "MISSING_EQUAL_SIGN"},
- {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_NO_CLOSE_BRACE), "NO_CLOSE_BRACE"},
- {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_UNABLE_TO_CREATE_NEW_SECTION), "UNABLE_TO_CREATE_NEW_SECTION"},
- {ERR_PACK(ERR_LIB_CONF, 0, CONF_R_VARIABLE_HAS_NO_VALUE), "VARIABLE_HAS_NO_VALUE"},
- {0, NULL},
-};
diff --git a/src/crypto/cpu-arm-asm.S b/src/crypto/cpu-arm-asm.S
new file mode 100644
index 0000000..faf3ad8
--- /dev/null
+++ b/src/crypto/cpu-arm-asm.S
@@ -0,0 +1,32 @@
+# Copyright (c) 2014, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+#if !defined(OPENSSL_NO_ASM) && defined(__arm__)
+
+.syntax unified
+.cpu cortex-a8
+.fpu neon
+.text
+.thumb
+.align 2
+.global CRYPTO_arm_neon_probe
+.hidden CRYPTO_arm_neon_probe
+.type CRYPTO_arm_neon_probe, %function
+.thumb_func
+CRYPTO_arm_neon_probe:
+ vorr q1, q1, q1
+ bx lr
+.section .note.GNU-stack,"",%progbits
+
+#endif /* !OPENSSL_NO_ASM && __arm__ */
diff --git a/src/crypto/cpu-arm.c b/src/crypto/cpu-arm.c
index 96392d8..74e937b 100644
--- a/src/crypto/cpu-arm.c
+++ b/src/crypto/cpu-arm.c
@@ -17,7 +17,12 @@
#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
#include <inttypes.h>
-#include <stdio.h>
+#include <string.h>
+
+#if !defined(OPENSSL_TRUSTY)
+#include <setjmp.h>
+#include <signal.h>
+#endif
#include "arm_arch.h"
@@ -28,14 +33,15 @@
unsigned long getauxval(unsigned long type) __attribute__((weak));
-static const unsigned long AT_HWCAP = 16;
-static const unsigned long AT_HWCAP2 = 26;
-
char CRYPTO_is_NEON_capable(void) {
return (OPENSSL_armcap_P & ARMV7_NEON) != 0;
}
+static char g_set_neon_called = 0;
+
void CRYPTO_set_NEON_capable(char neon_capable) {
+ g_set_neon_called = 1;
+
if (neon_capable) {
OPENSSL_armcap_P |= ARMV7_NEON;
} else {
@@ -56,11 +62,81 @@
}
}
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && !defined(OPENSSL_TRUSTY)
+
+static sigjmp_buf sigill_jmp;
+
+static void sigill_handler(int signal) {
+ siglongjmp(sigill_jmp, signal);
+}
+
+void CRYPTO_arm_neon_probe();
+
+// probe_for_NEON returns 1 if a NEON instruction runs successfully. Because
+// getauxval doesn't exist on Android until Jelly Bean, supporting NEON on
+// older devices requires this.
+static int probe_for_NEON() {
+ int supported = 0;
+
+ sigset_t sigmask;
+ sigfillset(&sigmask);
+ sigdelset(&sigmask, SIGILL);
+ sigdelset(&sigmask, SIGTRAP);
+ sigdelset(&sigmask, SIGFPE);
+ sigdelset(&sigmask, SIGBUS);
+ sigdelset(&sigmask, SIGSEGV);
+
+ struct sigaction sigill_original_action, sigill_action;
+ memset(&sigill_action, 0, sizeof(sigill_action));
+ sigill_action.sa_handler = sigill_handler;
+ sigill_action.sa_mask = sigmask;
+
+ sigset_t original_sigmask;
+ sigprocmask(SIG_SETMASK, &sigmask, &original_sigmask);
+
+ if (sigsetjmp(sigill_jmp, 1 /* save signals */) == 0) {
+ sigaction(SIGILL, &sigill_action, &sigill_original_action);
+
+ // This function cannot be inline asm because GCC will refuse to compile
+ // inline NEON instructions unless building with -mfpu=neon, which would
+ // defeat the point of probing for support at runtime.
+ CRYPTO_arm_neon_probe();
+ supported = 1;
+ }
+ // Note that Android up to and including Lollipop doesn't restore the signal
+ // mask correctly after returning from a sigsetjmp. So that would need to be
+ // set again here if more probes were added.
+ // See https://android-review.googlesource.com/#/c/127624/
+
+ sigaction(SIGILL, &sigill_original_action, NULL);
+ sigprocmask(SIG_SETMASK, &original_sigmask, NULL);
+
+ return supported;
+}
+
+#else
+
+static int probe_for_NEON(void) {
+ return 0;
+}
+
+#endif /* !OPENSSL_NO_ASM && OPENSSL_ARM && !OPENSSL_TRUSTY */
+
void OPENSSL_cpuid_setup(void) {
if (getauxval == NULL) {
+ // On ARM, but not AArch64, try a NEON instruction and see whether it works
+ // in order to probe for NEON support.
+ //
+ // Note that |CRYPTO_is_NEON_capable| can be true even if
+ // |CRYPTO_set_NEON_capable| has never been called if the code was compiled
+ // with NEON support enabled (e.g. -mfpu=neon).
+ if (!g_set_neon_called && !CRYPTO_is_NEON_capable() && probe_for_NEON()) {
+ OPENSSL_armcap_P |= ARMV7_NEON;
+ }
return;
}
+ static const unsigned long AT_HWCAP = 16;
unsigned long hwcap = getauxval(AT_HWCAP);
#if defined(OPENSSL_ARM)
@@ -71,6 +147,7 @@
/* In 32-bit mode, the ARMv8 feature bits are in a different aux vector
* value. */
+ static const unsigned long AT_HWCAP2 = 26;
hwcap = getauxval(AT_HWCAP2);
/* See /usr/include/asm/hwcap.h on an ARM installation for the source of
@@ -93,7 +170,7 @@
}
#endif
- OPENSSL_armcap_P |= ARMV7_NEON | ARMV7_NEON_FUNCTIONAL;
+ OPENSSL_armcap_P |= ARMV7_NEON;
if (hwcap & kAES) {
OPENSSL_armcap_P |= ARMV8_AES;
diff --git a/src/crypto/cpu-intel.c b/src/crypto/cpu-intel.c
index 69f4570..df0e127 100644
--- a/src/crypto/cpu-intel.c
+++ b/src/crypto/cpu-intel.c
@@ -64,6 +64,7 @@
#if !defined(OPENSSL_NO_ASM) && (defined(OPENSSL_X86) || defined(OPENSSL_X86_64))
#include <inttypes.h>
+#include <stdlib.h>
#include <stdio.h>
#include <string.h>
diff --git a/src/crypto/cpu-x86-asm.pl b/src/crypto/cpu-x86-asm.pl
index 1ac7d84..319c436 100644
--- a/src/crypto/cpu-x86-asm.pl
+++ b/src/crypto/cpu-x86-asm.pl
@@ -110,10 +110,6 @@
&cmp ("ebp",0);
&jne (&label("notintel"));
&or ("edx",1<<30); # set reserved bit#30 on Intel CPUs
- &and (&HB("eax"),15); # familiy ID
- &cmp (&HB("eax"),15); # P4?
- &jne (&label("notintel"));
- &or ("edx",1<<20); # set reserved bit#20 to engage RC4_CHAR
&set_label("notintel");
&bt ("edx",28); # test hyper-threading bit
&jnc (&label("generic"));
diff --git a/src/crypto/cpu-x86_64-asm.pl b/src/crypto/cpu-x86_64-asm.pl
index 59cfd18..89d7a6c 100644
--- a/src/crypto/cpu-x86_64-asm.pl
+++ b/src/crypto/cpu-x86_64-asm.pl
@@ -122,10 +122,6 @@
cmp \$0,%r9d
jne .Lnotintel
or \$0x40000000,%edx # set reserved bit#30 on Intel CPUs
- and \$15,%ah
- cmp \$15,%ah # examine Family ID
- jne .Lnotintel
- or \$0x00100000,%edx # set reserved bit#20 to engage RC4_CHAR
.Lnotintel:
bt \$28,%edx # test hyper-threading bit
jnc .Lgeneric
diff --git a/src/crypto/crypto_error.c b/src/crypto/crypto_error.c
deleted file mode 100644
index 3e63dca..0000000
--- a/src/crypto/crypto_error.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/crypto.h>
-
-const ERR_STRING_DATA CRYPTO_error_string_data[] = {
- {ERR_PACK(ERR_LIB_CRYPTO, CRYPTO_F_CRYPTO_set_ex_data, 0), "CRYPTO_set_ex_data"},
- {ERR_PACK(ERR_LIB_CRYPTO, CRYPTO_F_get_class, 0), "get_class"},
- {ERR_PACK(ERR_LIB_CRYPTO, CRYPTO_F_get_func_pointers, 0), "get_func_pointers"},
- {ERR_PACK(ERR_LIB_CRYPTO, CRYPTO_F_get_new_index, 0), "get_new_index"},
- {0, NULL},
-};
diff --git a/src/crypto/des/des.c b/src/crypto/des/des.c
index 6d00011..56a2996 100644
--- a/src/crypto/des/des.c
+++ b/src/crypto/des/des.c
@@ -56,6 +56,8 @@
#include <openssl/des.h>
+#include <stdlib.h>
+
#include "internal.h"
@@ -349,6 +351,35 @@
}
}
+static const uint8_t kOddParity[256] = {
+ 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14,
+ 14, 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28,
+ 31, 31, 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44,
+ 44, 47, 47, 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59,
+ 61, 61, 62, 62, 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74,
+ 74, 76, 76, 79, 79, 81, 81, 82, 82, 84, 84, 87, 87, 88, 88,
+ 91, 91, 93, 93, 94, 94, 97, 97, 98, 98, 100, 100, 103, 103, 104,
+ 104, 107, 107, 109, 109, 110, 110, 112, 112, 115, 115, 117, 117, 118, 118,
+ 121, 121, 122, 122, 124, 124, 127, 127, 128, 128, 131, 131, 133, 133, 134,
+ 134, 137, 137, 138, 138, 140, 140, 143, 143, 145, 145, 146, 146, 148, 148,
+ 151, 151, 152, 152, 155, 155, 157, 157, 158, 158, 161, 161, 162, 162, 164,
+ 164, 167, 167, 168, 168, 171, 171, 173, 173, 174, 174, 176, 176, 179, 179,
+ 181, 181, 182, 182, 185, 185, 186, 186, 188, 188, 191, 191, 193, 193, 194,
+ 194, 196, 196, 199, 199, 200, 200, 203, 203, 205, 205, 206, 206, 208, 208,
+ 211, 211, 213, 213, 214, 214, 217, 217, 218, 218, 220, 220, 223, 223, 224,
+ 224, 227, 227, 229, 229, 230, 230, 233, 233, 234, 234, 236, 236, 239, 239,
+ 241, 241, 242, 242, 244, 244, 247, 247, 248, 248, 251, 251, 253, 253, 254,
+ 254
+};
+
+void DES_set_odd_parity(DES_cblock *key) {
+ unsigned i;
+
+ for (i = 0; i < DES_KEY_SZ; i++) {
+ key->bytes[i] = kOddParity[key->bytes[i]];
+ }
+}
+
static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) {
uint32_t l, r, t, u;
const uint32_t *s;
@@ -609,6 +640,29 @@
tin[0] = tin[1] = 0;
}
+void DES_ecb3_encrypt(const DES_cblock *input, DES_cblock *output,
+ const DES_key_schedule *ks1, const DES_key_schedule *ks2,
+ const DES_key_schedule *ks3, int enc) {
+ uint32_t l0, l1;
+ uint32_t ll[2];
+ const uint8_t *in = input->bytes;
+ uint8_t *out = output->bytes;
+
+ c2l(in, l0);
+ c2l(in, l1);
+ ll[0] = l0;
+ ll[1] = l1;
+ if (enc) {
+ DES_encrypt3(ll, ks1, ks2, ks3);
+ } else {
+ DES_decrypt3(ll, ks1, ks2, ks3);
+ }
+ l0 = ll[0];
+ l1 = ll[1];
+ l2c(l0, out);
+ l2c(l1, out);
+}
+
void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,
const DES_key_schedule *ks1,
const DES_key_schedule *ks2,
diff --git a/src/crypto/dh/CMakeLists.txt b/src/crypto/dh/CMakeLists.txt
index 4e31206..9e487d5 100644
--- a/src/crypto/dh/CMakeLists.txt
+++ b/src/crypto/dh/CMakeLists.txt
@@ -10,13 +10,12 @@
params.c
check.c
dh_asn1.c
- dh_error.c
)
add_executable(
dh_test
- dh_test.c
+ dh_test.cc
)
target_link_libraries(dh_test crypto)
diff --git a/src/crypto/dh/dh.c b/src/crypto/dh/dh.c
index 7a50da7..ab7ed8b 100644
--- a/src/crypto/dh/dh.c
+++ b/src/crypto/dh/dh.c
@@ -66,10 +66,13 @@
#include <openssl/thread.h>
#include "internal.h"
+#include "../internal.h"
extern const DH_METHOD DH_default_method;
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
DH *DH_new(void) { return DH_new_method(NULL); }
DH *DH_new_method(const ENGINE *engine) {
@@ -90,14 +93,16 @@
}
METHOD_ref(dh->meth);
+ CRYPTO_MUTEX_init(&dh->method_mont_p_lock);
+
dh->references = 1;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, dh, &dh->ex_data)) {
+ if (!CRYPTO_new_ex_data(&g_ex_data_class, dh, &dh->ex_data)) {
OPENSSL_free(dh);
return NULL;
}
if (dh->meth->init && !dh->meth->init(dh)) {
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, dh, &dh->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, dh, &dh->ex_data);
METHOD_unref(dh->meth);
OPENSSL_free(dh);
return NULL;
@@ -120,7 +125,7 @@
}
METHOD_unref(dh->meth);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, dh, &dh->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, dh, &dh->ex_data);
if (dh->method_mont_p) BN_MONT_CTX_free(dh->method_mont_p);
if (dh->p != NULL) BN_clear_free(dh->p);
@@ -131,6 +136,7 @@
if (dh->counter != NULL) BN_clear_free(dh->counter);
if (dh->pub_key != NULL) BN_clear_free(dh->pub_key);
if (dh->priv_key != NULL) BN_clear_free(dh->priv_key);
+ CRYPTO_MUTEX_cleanup(&dh->method_mont_p_lock);
OPENSSL_free(dh);
}
@@ -173,9 +179,7 @@
}
}
- if (*dst) {
- BN_free(*dst);
- }
+ BN_free(*dst);
*dst = a;
return 1;
}
@@ -198,11 +202,10 @@
return 0;
}
- if (to->seed) {
- OPENSSL_free(to->seed);
- to->seed = NULL;
- to->seedlen = 0;
- }
+ OPENSSL_free(to->seed);
+ to->seed = NULL;
+ to->seedlen = 0;
+
if (from->seed) {
to->seed = BUF_memdup(from->seed, from->seedlen);
if (!to->seed) {
@@ -230,8 +233,12 @@
int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DH, argl, argp, new_func,
- dup_func, free_func);
+ int index;
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+ dup_func, free_func)) {
+ return -1;
+ }
+ return index;
}
int DH_set_ex_data(DH *d, int idx, void *arg) {
diff --git a/src/crypto/dh/dh_error.c b/src/crypto/dh/dh_error.c
deleted file mode 100644
index 5ecc5d1..0000000
--- a/src/crypto/dh/dh_error.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/dh.h>
-
-const ERR_STRING_DATA DH_error_string_data[] = {
- {ERR_PACK(ERR_LIB_DH, DH_F_DH_new_method, 0), "DH_new_method"},
- {ERR_PACK(ERR_LIB_DH, DH_F_compute_key, 0), "compute_key"},
- {ERR_PACK(ERR_LIB_DH, DH_F_generate_key, 0), "generate_key"},
- {ERR_PACK(ERR_LIB_DH, DH_F_generate_parameters, 0), "generate_parameters"},
- {ERR_PACK(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR), "BAD_GENERATOR"},
- {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "INVALID_PUBKEY"},
- {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "MODULUS_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "NO_PRIVATE_VALUE"},
- {0, NULL},
-};
diff --git a/src/crypto/dh/dh_impl.c b/src/crypto/dh/dh_impl.c
index 9f416b7..f269412 100644
--- a/src/crypto/dh/dh_impl.c
+++ b/src/crypto/dh/dh_impl.c
@@ -58,9 +58,11 @@
#include <openssl/bn.h>
#include <openssl/err.h>
+#include <openssl/thread.h>
#include "internal.h"
+
#define OPENSSL_DH_MAX_MODULUS_BITS 10000
static int generate_parameters(DH *ret, int prime_bits, int generator, BN_GENCB *cb) {
@@ -206,8 +208,8 @@
pub_key = dh->pub_key;
}
- mont =
- BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx);
+ mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, &dh->method_mont_p_lock,
+ dh->p, ctx);
if (!mont) {
goto err;
}
@@ -243,10 +245,10 @@
OPENSSL_PUT_ERROR(DH, generate_key, ERR_R_BN_LIB);
}
- if (pub_key != NULL && dh->pub_key == NULL) {
+ if (dh->pub_key == NULL) {
BN_free(pub_key);
}
- if (priv_key != NULL && dh->priv_key == NULL) {
+ if (dh->priv_key == NULL) {
BN_free(priv_key);
}
BN_CTX_free(ctx);
@@ -281,8 +283,8 @@
goto err;
}
- mont =
- BN_MONT_CTX_set_locked(&dh->method_mont_p, CRYPTO_LOCK_DH, dh->p, ctx);
+ mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, &dh->method_mont_p_lock,
+ dh->p, ctx);
if (!mont) {
goto err;
}
diff --git a/src/crypto/dh/dh_test.c b/src/crypto/dh/dh_test.cc
similarity index 75%
rename from src/crypto/dh/dh_test.c
rename to src/crypto/dh/dh_test.cc
index 3575f34..16a5ae0 100644
--- a/src/crypto/dh/dh_test.c
+++ b/src/crypto/dh/dh_test.cc
@@ -59,151 +59,153 @@
#include <stdio.h>
#include <string.h>
-#include <openssl/bio.h>
+#include <vector>
+
#include <openssl/bn.h>
#include <openssl/crypto.h>
+#include <openssl/err.h>
#include <openssl/mem.h>
#include "internal.h"
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
-static int cb(int p, int n, BN_GENCB *arg) {
+static bool RunBasicTests();
+static bool RunRFC5114Tests();
+
+int main(int argc, char *argv[]) {
+ CRYPTO_library_init();
+
+ if (!RunBasicTests() ||
+ !RunRFC5114Tests()) {
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ printf("PASS\n");
+ return 0;
+}
+
+static int GenerateCallback(int p, int n, BN_GENCB *arg) {
char c = '*';
- if (p == 0)
+ if (p == 0) {
c = '.';
- if (p == 1)
+ } else if (p == 1) {
c = '+';
- if (p == 2)
+ } else if (p == 2) {
c = '*';
- if (p == 3)
+ } else if (p == 3) {
c = '\n';
- BIO_write(arg->arg, &c, 1);
- (void)BIO_flush(arg->arg);
+ }
+ FILE *out = reinterpret_cast<FILE*>(arg->arg);
+ fputc(c, out);
+ fflush(out);
return 1;
}
-static int run_rfc5114_tests(void);
-
-int main(int argc, char *argv[]) {
- BN_GENCB _cb;
- DH *a;
- DH *b = NULL;
- char buf[12];
- unsigned char *abuf = NULL, *bbuf = NULL;
- int i, alen, blen, aout, bout, ret = 1;
- BIO *out;
-
- CRYPTO_library_init();
-
- out = BIO_new(BIO_s_file());
- if (out == NULL) {
- return 1;
- }
- BIO_set_fp(out, stdout, BIO_NOCLOSE);
-
- BN_GENCB_set(&_cb, &cb, out);
- if (((a = DH_new()) == NULL) ||
- !DH_generate_parameters_ex(a, 64, DH_GENERATOR_5, &_cb)) {
- goto err;
+static bool RunBasicTests() {
+ BN_GENCB cb;
+ BN_GENCB_set(&cb, &GenerateCallback, stdout);
+ ScopedDH a(DH_new());
+ if (!a || !DH_generate_parameters_ex(a.get(), 64, DH_GENERATOR_5, &cb)) {
+ return false;
}
- if (!DH_check(a, &i))
- goto err;
- if (i & DH_CHECK_P_NOT_PRIME)
- BIO_puts(out, "p value is not prime\n");
- if (i & DH_CHECK_P_NOT_SAFE_PRIME)
- BIO_puts(out, "p value is not a safe prime\n");
- if (i & DH_CHECK_UNABLE_TO_CHECK_GENERATOR)
- BIO_puts(out, "unable to check the generator value\n");
- if (i & DH_CHECK_NOT_SUITABLE_GENERATOR)
- BIO_puts(out, "the g value is not a generator\n");
+ int check_result;
+ if (!DH_check(a.get(), &check_result)) {
+ return false;
+ }
+ if (check_result & DH_CHECK_P_NOT_PRIME) {
+ printf("p value is not prime\n");
+ }
+ if (check_result & DH_CHECK_P_NOT_SAFE_PRIME) {
+ printf("p value is not a safe prime\n");
+ }
+ if (check_result & DH_CHECK_UNABLE_TO_CHECK_GENERATOR) {
+ printf("unable to check the generator value\n");
+ }
+ if (check_result & DH_CHECK_NOT_SUITABLE_GENERATOR) {
+ printf("the g value is not a generator\n");
+ }
- BIO_puts(out, "\np =");
- BN_print(out, a->p);
- BIO_puts(out, "\ng =");
- BN_print(out, a->g);
- BIO_puts(out, "\n");
+ printf("\np = ");
+ BN_print_fp(stdout, a->p);
+ printf("\ng = ");
+ BN_print_fp(stdout, a->g);
+ printf("\n");
- b = DH_new();
- if (b == NULL) {
- goto err;
+ ScopedDH b(DH_new());
+ if (!b) {
+ return false;
}
b->p = BN_dup(a->p);
b->g = BN_dup(a->g);
- if (b->p == NULL || b->g == NULL) {
- goto err;
+ if (b->p == nullptr || b->g == nullptr) {
+ return false;
}
- if (!DH_generate_key(a))
- goto err;
- BIO_puts(out, "pri 1=");
- BN_print(out, a->priv_key);
- BIO_puts(out, "\npub 1=");
- BN_print(out, a->pub_key);
- BIO_puts(out, "\n");
-
- if (!DH_generate_key(b))
- goto err;
- BIO_puts(out, "pri 2=");
- BN_print(out, b->priv_key);
- BIO_puts(out, "\npub 2=");
- BN_print(out, b->pub_key);
- BIO_puts(out, "\n");
-
- alen = DH_size(a);
- abuf = (unsigned char *)OPENSSL_malloc(alen);
- aout = DH_compute_key(abuf, b->pub_key, a);
-
- BIO_puts(out, "key1 =");
- for (i = 0; i < aout; i++) {
- sprintf(buf, "%02X", abuf[i]);
- BIO_puts(out, buf);
+ if (!DH_generate_key(a.get())) {
+ return false;
}
- BIO_puts(out, "\n");
+ printf("pri1 = ");
+ BN_print_fp(stdout, a->priv_key);
+ printf("\npub1 = ");
+ BN_print_fp(stdout, a->pub_key);
+ printf("\n");
- blen = DH_size(b);
- bbuf = (unsigned char *)OPENSSL_malloc(blen);
- bout = DH_compute_key(bbuf, a->pub_key, b);
-
- BIO_puts(out, "key2 =");
- for (i = 0; i < bout; i++) {
- sprintf(buf, "%02X", bbuf[i]);
- BIO_puts(out, buf);
+ if (!DH_generate_key(b.get())) {
+ return false;
}
- BIO_puts(out, "\n");
- if ((aout < 4) || (bout != aout) || (memcmp(abuf, bbuf, aout) != 0)) {
+ printf("pri2 = ");
+ BN_print_fp(stdout, b->priv_key);
+ printf("\npub2 = ");
+ BN_print_fp(stdout, b->pub_key);
+ printf("\n");
+
+ std::vector<uint8_t> key1(DH_size(a.get()));
+ int ret = DH_compute_key(bssl::vector_data(&key1), b->pub_key, a.get());
+ if (ret < 0) {
+ return false;
+ }
+ key1.resize(ret);
+
+ printf("key1 = ");
+ for (size_t i = 0; i < key1.size(); i++) {
+ printf("%02x", key1[i]);
+ }
+ printf("\n");
+
+ std::vector<uint8_t> key2(DH_size(b.get()));
+ ret = DH_compute_key(bssl::vector_data(&key2), a->pub_key, b.get());
+ if (ret < 0) {
+ return false;
+ }
+ key2.resize(ret);
+
+ printf("key2 = ");
+ for (size_t i = 0; i < key2.size(); i++) {
+ printf("%02x", key2[i]);
+ }
+ printf("\n");
+
+ if (key1.size() < 4 || key1 != key2) {
fprintf(stderr, "Error in DH routines\n");
- ret = 1;
- } else
- ret = 0;
+ return false;
+ }
- if (!run_rfc5114_tests())
- ret = 1;
-
-err:
- BIO_print_errors_fp(stderr);
-
- if (abuf != NULL)
- OPENSSL_free(abuf);
- if (bbuf != NULL)
- OPENSSL_free(bbuf);
- if (b != NULL)
- DH_free(b);
- if (a != NULL)
- DH_free(a);
- BIO_free(out);
- return ret;
+ return true;
}
/* Test data from RFC 5114 */
-static const unsigned char dhtest_1024_160_xA[] = {
+static const uint8_t kDHTest1024_160_xA[] = {
0xB9, 0xA3, 0xB3, 0xAE, 0x8F, 0xEF, 0xC1, 0xA2, 0x93, 0x04,
0x96, 0x50, 0x70, 0x86, 0xF8, 0x45, 0x5D, 0x48, 0x94, 0x3E};
-static const unsigned char dhtest_1024_160_yA[] = {
+static const uint8_t kDHTest1024_160_yA[] = {
0x2A, 0x85, 0x3B, 0x3D, 0x92, 0x19, 0x75, 0x01, 0xB9, 0x01, 0x5B, 0x2D,
0xEB, 0x3E, 0xD8, 0x4F, 0x5E, 0x02, 0x1D, 0xCC, 0x3E, 0x52, 0xF1, 0x09,
0xD3, 0x27, 0x3D, 0x2B, 0x75, 0x21, 0x28, 0x1C, 0xBA, 0xBE, 0x0E, 0x76,
@@ -215,10 +217,10 @@
0x8F, 0x9D, 0x45, 0x96, 0x5F, 0x75, 0xA5, 0xF3, 0xD1, 0xDF, 0x37, 0x01,
0x16, 0x5F, 0xC9, 0xE5, 0x0C, 0x42, 0x79, 0xCE, 0xB0, 0x7F, 0x98, 0x95,
0x40, 0xAE, 0x96, 0xD5, 0xD8, 0x8E, 0xD7, 0x76};
-static const unsigned char dhtest_1024_160_xB[] = {
+static const uint8_t kDHTest1024_160_xB[] = {
0x93, 0x92, 0xC9, 0xF9, 0xEB, 0x6A, 0x7A, 0x6A, 0x90, 0x22,
0xF7, 0xD8, 0x3E, 0x72, 0x23, 0xC6, 0x83, 0x5B, 0xBD, 0xDA};
-static const unsigned char dhtest_1024_160_yB[] = {
+static const uint8_t kDHTest1024_160_yB[] = {
0x71, 0x7A, 0x6C, 0xB0, 0x53, 0x37, 0x1F, 0xF4, 0xA3, 0xB9, 0x32, 0x94,
0x1C, 0x1E, 0x56, 0x63, 0xF8, 0x61, 0xA1, 0xD6, 0xAD, 0x34, 0xAE, 0x66,
0x57, 0x6D, 0xFB, 0x98, 0xF6, 0xC6, 0xCB, 0xF9, 0xDD, 0xD5, 0xA5, 0x6C,
@@ -230,7 +232,7 @@
0x31, 0x1E, 0x53, 0xFD, 0x2C, 0x14, 0xB5, 0x74, 0xE6, 0xA3, 0x10, 0x9A,
0x3D, 0xA1, 0xBE, 0x41, 0xBD, 0xCE, 0xAA, 0x18, 0x6F, 0x5C, 0xE0, 0x67,
0x16, 0xA2, 0xB6, 0xA0, 0x7B, 0x3C, 0x33, 0xFE};
-static const unsigned char dhtest_1024_160_Z[] = {
+static const uint8_t kDHTest1024_160_Z[] = {
0x5C, 0x80, 0x4F, 0x45, 0x4D, 0x30, 0xD9, 0xC4, 0xDF, 0x85, 0x27, 0x1F,
0x93, 0x52, 0x8C, 0x91, 0xDF, 0x6B, 0x48, 0xAB, 0x5F, 0x80, 0xB3, 0xB5,
0x9C, 0xAA, 0xC1, 0xB2, 0x8F, 0x8A, 0xCB, 0xA9, 0xCD, 0x3E, 0x39, 0xF3,
@@ -242,11 +244,11 @@
0x5B, 0xD8, 0x3A, 0x19, 0xFB, 0x0B, 0x5E, 0x96, 0xBF, 0x8F, 0xA4, 0xD0,
0x9E, 0x34, 0x55, 0x25, 0x16, 0x7E, 0xCD, 0x91, 0x55, 0x41, 0x6F, 0x46,
0xF4, 0x08, 0xED, 0x31, 0xB6, 0x3C, 0x6E, 0x6D};
-static const unsigned char dhtest_2048_224_xA[] = {
+static const uint8_t kDHTest2048_224_xA[] = {
0x22, 0xE6, 0x26, 0x01, 0xDB, 0xFF, 0xD0, 0x67, 0x08, 0xA6,
0x80, 0xF7, 0x47, 0xF3, 0x61, 0xF7, 0x6D, 0x8F, 0x4F, 0x72,
0x1A, 0x05, 0x48, 0xE4, 0x83, 0x29, 0x4B, 0x0C};
-static const unsigned char dhtest_2048_224_yA[] = {
+static const uint8_t kDHTest2048_224_yA[] = {
0x1B, 0x3A, 0x63, 0x45, 0x1B, 0xD8, 0x86, 0xE6, 0x99, 0xE6, 0x7B, 0x49,
0x4E, 0x28, 0x8B, 0xD7, 0xF8, 0xE0, 0xD3, 0x70, 0xBA, 0xDD, 0xA7, 0xA0,
0xEF, 0xD2, 0xFD, 0xE7, 0xD8, 0xF6, 0x61, 0x45, 0xCC, 0x9F, 0x28, 0x04,
@@ -269,11 +271,11 @@
0xB7, 0x0E, 0x71, 0x03, 0x92, 0x0A, 0xA1, 0x6D, 0x85, 0xE5, 0x2B, 0xCB,
0xAB, 0x8D, 0x78, 0x6A, 0x68, 0x17, 0x8F, 0xA8, 0xFF, 0x7C, 0x2F, 0x5C,
0x71, 0x64, 0x8D, 0x6F};
-static const unsigned char dhtest_2048_224_xB[] = {
+static const uint8_t kDHTest2048_224_xB[] = {
0x4F, 0xF3, 0xBC, 0x96, 0xC7, 0xFC, 0x6A, 0x6D, 0x71, 0xD3,
0xB3, 0x63, 0x80, 0x0A, 0x7C, 0xDF, 0xEF, 0x6F, 0xC4, 0x1B,
0x44, 0x17, 0xEA, 0x15, 0x35, 0x3B, 0x75, 0x90};
-static const unsigned char dhtest_2048_224_yB[] = {
+static const uint8_t kDHTest2048_224_yB[] = {
0x4D, 0xCE, 0xE9, 0x92, 0xA9, 0x76, 0x2A, 0x13, 0xF2, 0xF8, 0x38, 0x44,
0xAD, 0x3D, 0x77, 0xEE, 0x0E, 0x31, 0xC9, 0x71, 0x8B, 0x3D, 0xB6, 0xC2,
0x03, 0x5D, 0x39, 0x61, 0x18, 0x2C, 0x3E, 0x0B, 0xA2, 0x47, 0xEC, 0x41,
@@ -296,7 +298,7 @@
0xB8, 0x56, 0xF9, 0x68, 0x27, 0x73, 0x4C, 0x18, 0x41, 0x38, 0xE9, 0x15,
0xD9, 0xC3, 0x00, 0x2E, 0xBC, 0xE5, 0x31, 0x20, 0x54, 0x6A, 0x7E, 0x20,
0x02, 0x14, 0x2B, 0x6C};
-static const unsigned char dhtest_2048_224_Z[] = {
+static const uint8_t kDHTest2048_224_Z[] = {
0x34, 0xD9, 0xBD, 0xDC, 0x1B, 0x42, 0x17, 0x6C, 0x31, 0x3F, 0xEA, 0x03,
0x4C, 0x21, 0x03, 0x4D, 0x07, 0x4A, 0x63, 0x13, 0xBB, 0x4E, 0xCD, 0xB3,
0x70, 0x3F, 0xFF, 0x42, 0x45, 0x67, 0xA4, 0x6B, 0xDF, 0x75, 0x53, 0x0E,
@@ -319,11 +321,11 @@
0x03, 0xE1, 0x3F, 0x95, 0x29, 0x95, 0xFB, 0x03, 0xC6, 0x9D, 0x3C, 0xC4,
0x7F, 0xCB, 0x51, 0x0B, 0x69, 0x98, 0xFF, 0xD3, 0xAA, 0x6D, 0xE7, 0x3C,
0xF9, 0xF6, 0x38, 0x69};
-static const unsigned char dhtest_2048_256_xA[] = {
+static const uint8_t kDHTest2048_256_xA[] = {
0x08, 0x81, 0x38, 0x2C, 0xDB, 0x87, 0x66, 0x0C, 0x6D, 0xC1, 0x3E,
0x61, 0x49, 0x38, 0xD5, 0xB9, 0xC8, 0xB2, 0xF2, 0x48, 0x58, 0x1C,
0xC5, 0xE3, 0x1B, 0x35, 0x45, 0x43, 0x97, 0xFC, 0xE5, 0x0E};
-static const unsigned char dhtest_2048_256_yA[] = {
+static const uint8_t kDHTest2048_256_yA[] = {
0x2E, 0x93, 0x80, 0xC8, 0x32, 0x3A, 0xF9, 0x75, 0x45, 0xBC, 0x49, 0x41,
0xDE, 0xB0, 0xEC, 0x37, 0x42, 0xC6, 0x2F, 0xE0, 0xEC, 0xE8, 0x24, 0xA6,
0xAB, 0xDB, 0xE6, 0x6C, 0x59, 0xBE, 0xE0, 0x24, 0x29, 0x11, 0xBF, 0xB9,
@@ -346,11 +348,11 @@
0x4E, 0x90, 0x52, 0x69, 0x34, 0x1D, 0xC0, 0x71, 0x14, 0x26, 0x68, 0x5F,
0x4E, 0xF3, 0x7E, 0x86, 0x8A, 0x81, 0x26, 0xFF, 0x3F, 0x22, 0x79, 0xB5,
0x7C, 0xA6, 0x7E, 0x29};
-static const unsigned char dhtest_2048_256_xB[] = {
+static const uint8_t kDHTest2048_256_xB[] = {
0x7D, 0x62, 0xA7, 0xE3, 0xEF, 0x36, 0xDE, 0x61, 0x7B, 0x13, 0xD1,
0xAF, 0xB8, 0x2C, 0x78, 0x0D, 0x83, 0xA2, 0x3B, 0xD4, 0xEE, 0x67,
0x05, 0x64, 0x51, 0x21, 0xF3, 0x71, 0xF5, 0x46, 0xA5, 0x3D};
-static const unsigned char dhtest_2048_256_yB[] = {
+static const uint8_t kDHTest2048_256_yB[] = {
0x57, 0x5F, 0x03, 0x51, 0xBD, 0x2B, 0x1B, 0x81, 0x74, 0x48, 0xBD, 0xF8,
0x7A, 0x6C, 0x36, 0x2C, 0x1E, 0x28, 0x9D, 0x39, 0x03, 0xA3, 0x0B, 0x98,
0x32, 0xC5, 0x74, 0x1F, 0xA2, 0x50, 0x36, 0x3E, 0x7A, 0xCB, 0xC7, 0xF7,
@@ -373,7 +375,7 @@
0x90, 0xB8, 0x9D, 0x24, 0xF7, 0x1B, 0x0A, 0xB6, 0x97, 0x82, 0x3D, 0x7D,
0xEB, 0x1A, 0xFF, 0x5B, 0x0E, 0x8E, 0x4A, 0x45, 0xD4, 0x9F, 0x7F, 0x53,
0x75, 0x7E, 0x19, 0x13};
-static const unsigned char dhtest_2048_256_Z[] = {
+static const uint8_t kDHTest2048_256_Z[] = {
0x86, 0xC7, 0x0B, 0xF8, 0xD0, 0xBB, 0x81, 0xBB, 0x01, 0x07, 0x8A, 0x17,
0x21, 0x9C, 0xB7, 0xD2, 0x72, 0x03, 0xDB, 0x2A, 0x19, 0xC8, 0x77, 0xF1,
0xD1, 0xF1, 0x9F, 0xD7, 0xD7, 0x7E, 0xF2, 0x25, 0x46, 0xA6, 0x8F, 0x00,
@@ -397,106 +399,82 @@
0xEA, 0x87, 0xFE, 0xBE, 0x63, 0xB6, 0xC8, 0xF8, 0x46, 0xEC, 0x6D, 0xB0,
0xC2, 0x6C, 0x5D, 0x7C};
-typedef struct {
+struct RFC5114TestData {
DH *(*get_param)(const ENGINE *engine);
- const unsigned char *xA;
+ const uint8_t *xA;
size_t xA_len;
- const unsigned char *yA;
+ const uint8_t *yA;
size_t yA_len;
- const unsigned char *xB;
+ const uint8_t *xB;
size_t xB_len;
- const unsigned char *yB;
+ const uint8_t *yB;
size_t yB_len;
- const unsigned char *Z;
+ const uint8_t *Z;
size_t Z_len;
-} rfc5114_td;
+};
-#define make_rfc5114_td(pre) \
+#define MAKE_RFC5114_TEST_DATA(pre) \
{ \
- DH_get_##pre, dhtest_##pre##_xA, sizeof(dhtest_##pre##_xA), \
- dhtest_##pre##_yA, sizeof(dhtest_##pre##_yA), dhtest_##pre##_xB, \
- sizeof(dhtest_##pre##_xB), dhtest_##pre##_yB, \
- sizeof(dhtest_##pre##_yB), dhtest_##pre##_Z, sizeof(dhtest_##pre##_Z) \
+ DH_get_##pre, kDHTest##pre##_xA, sizeof(kDHTest##pre##_xA), \
+ kDHTest##pre##_yA, sizeof(kDHTest##pre##_yA), kDHTest##pre##_xB, \
+ sizeof(kDHTest##pre##_xB), kDHTest##pre##_yB, \
+ sizeof(kDHTest##pre##_yB), kDHTest##pre##_Z, sizeof(kDHTest##pre##_Z) \
}
-static const rfc5114_td rfctd[] = {make_rfc5114_td(1024_160),
- make_rfc5114_td(2048_224),
- make_rfc5114_td(2048_256)};
+static const RFC5114TestData kRFCTestData[] = {
+ MAKE_RFC5114_TEST_DATA(1024_160),
+ MAKE_RFC5114_TEST_DATA(2048_224),
+ MAKE_RFC5114_TEST_DATA(2048_256),
+ };
-static int run_rfc5114_tests(void) {
- int i;
- DH *dhA = NULL, *dhB = NULL;
- unsigned char *Z1 = NULL, *Z2 = NULL;
-
- for (i = 0; i < (int)(sizeof(rfctd) / sizeof(rfc5114_td)); i++) {
- const rfc5114_td *td = rfctd + i;
+static bool RunRFC5114Tests() {
+ for (unsigned i = 0; i < sizeof(kRFCTestData) / sizeof(RFC5114TestData); i++) {
+ const RFC5114TestData *td = kRFCTestData + i;
/* Set up DH structures setting key components */
- dhA = td->get_param(NULL);
- dhB = td->get_param(NULL);
- if (!dhA || !dhB)
- goto bad_err;
+ ScopedDH dhA(td->get_param(nullptr));
+ ScopedDH dhB(td->get_param(nullptr));
+ if (!dhA || !dhB) {
+ fprintf(stderr, "Initialisation error RFC5114 set %u\n", i + 1);
+ return false;
+ }
- dhA->priv_key = BN_bin2bn(td->xA, td->xA_len, NULL);
- dhA->pub_key = BN_bin2bn(td->yA, td->yA_len, NULL);
+ dhA->priv_key = BN_bin2bn(td->xA, td->xA_len, nullptr);
+ dhA->pub_key = BN_bin2bn(td->yA, td->yA_len, nullptr);
- dhB->priv_key = BN_bin2bn(td->xB, td->xB_len, NULL);
- dhB->pub_key = BN_bin2bn(td->yB, td->yB_len, NULL);
+ dhB->priv_key = BN_bin2bn(td->xB, td->xB_len, nullptr);
+ dhB->pub_key = BN_bin2bn(td->yB, td->yB_len, nullptr);
- if (!dhA->priv_key || !dhA->pub_key || !dhB->priv_key || !dhB->pub_key)
- goto bad_err;
+ if (!dhA->priv_key || !dhA->pub_key || !dhB->priv_key || !dhB->pub_key) {
+ fprintf(stderr, "BN_bin2bn error RFC5114 set %u\n", i + 1);
+ return false;
+ }
- if ((td->Z_len != (size_t)DH_size(dhA)) ||
- (td->Z_len != (size_t)DH_size(dhB)))
- goto err;
+ if ((td->Z_len != (size_t)DH_size(dhA.get())) ||
+ (td->Z_len != (size_t)DH_size(dhB.get()))) {
+ return false;
+ }
- Z1 = OPENSSL_malloc(DH_size(dhA));
- Z2 = OPENSSL_malloc(DH_size(dhB));
+ std::vector<uint8_t> Z1(DH_size(dhA.get()));
+ std::vector<uint8_t> Z2(DH_size(dhB.get()));
/* Work out shared secrets using both sides and compare
- * with expected values.
- */
- if (!DH_compute_key(Z1, dhB->pub_key, dhA))
- goto bad_err;
- if (!DH_compute_key(Z2, dhA->pub_key, dhB))
- goto bad_err;
+ * with expected values. */
+ int ret1 = DH_compute_key(bssl::vector_data(&Z1), dhB->pub_key, dhA.get());
+ int ret2 = DH_compute_key(bssl::vector_data(&Z2), dhA->pub_key, dhB.get());
+ if (ret1 < 0 || ret2 < 0) {
+ fprintf(stderr, "DH_compute_key error RFC5114 set %u\n", i + 1);
+ return false;
+ }
- if (memcmp(Z1, td->Z, td->Z_len))
- goto err;
- if (memcmp(Z2, td->Z, td->Z_len))
- goto err;
+ if (static_cast<size_t>(ret1) != td->Z_len ||
+ memcmp(bssl::vector_data(&Z1), td->Z, td->Z_len) != 0 ||
+ static_cast<size_t>(ret2) != td->Z_len ||
+ memcmp(bssl::vector_data(&Z2), td->Z, td->Z_len) != 0) {
+ fprintf(stderr, "Test failed RFC5114 set %u\n", i + 1);
+ return false;
+ }
- printf("RFC5114 parameter test %d OK\n", i + 1);
-
- DH_free(dhA);
- dhA = NULL;
- DH_free(dhB);
- dhB = NULL;
- OPENSSL_free(Z1);
- Z1 = NULL;
- OPENSSL_free(Z2);
- Z2 = NULL;
+ printf("RFC5114 parameter test %u OK\n", i + 1);
}
- printf("PASS\n");
return 1;
-
-bad_err:
- fprintf(stderr, "Initalisation error RFC5114 set %d\n", i + 1);
- BIO_print_errors_fp(stderr);
-
-err:
- if (Z1 != NULL) {
- OPENSSL_free(Z1);
- }
- if (Z2 != NULL) {
- OPENSSL_free(Z2);
- }
- if (dhA != NULL) {
- DH_free(dhA);
- }
- if (dhB != NULL) {
- DH_free(dhB);
- }
-
- fprintf(stderr, "Test failed RFC5114 set %d\n", i + 1);
- return 0;
}
diff --git a/src/crypto/digest/CMakeLists.txt b/src/crypto/digest/CMakeLists.txt
index 6426399..8cab46a 100644
--- a/src/crypto/digest/CMakeLists.txt
+++ b/src/crypto/digest/CMakeLists.txt
@@ -7,13 +7,12 @@
digest.c
digests.c
- digest_error.c
)
add_executable(
digest_test
- digest_test.c
+ digest_test.cc
)
target_link_libraries(digest_test crypto)
diff --git a/src/crypto/digest/digest.c b/src/crypto/digest/digest.c
index 3897c60..e32eafd 100644
--- a/src/crypto/digest/digest.c
+++ b/src/crypto/digest/digest.c
@@ -68,8 +68,6 @@
int EVP_MD_type(const EVP_MD *md) { return md->type; }
-const char *EVP_MD_name(const EVP_MD *md) { return OBJ_nid2sn(md->type); }
-
uint32_t EVP_MD_flags(const EVP_MD *md) { return md->flags; }
size_t EVP_MD_size(const EVP_MD *md) { return md->md_size; }
diff --git a/src/crypto/digest/digest_error.c b/src/crypto/digest/digest_error.c
deleted file mode 100644
index 0cc6702..0000000
--- a/src/crypto/digest/digest_error.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/digest.h>
-
-const ERR_STRING_DATA DIGEST_error_string_data[] = {
- {ERR_PACK(ERR_LIB_DIGEST, DIGEST_F_EVP_DigestInit_ex, 0), "EVP_DigestInit_ex"},
- {ERR_PACK(ERR_LIB_DIGEST, DIGEST_F_EVP_MD_CTX_copy_ex, 0), "EVP_MD_CTX_copy_ex"},
- {ERR_PACK(ERR_LIB_DIGEST, 0, DIGEST_R_INPUT_NOT_INITIALIZED), "INPUT_NOT_INITIALIZED"},
- {0, NULL},
-};
diff --git a/src/crypto/digest/digest_test.c b/src/crypto/digest/digest_test.c
deleted file mode 100644
index 6c73e95..0000000
--- a/src/crypto/digest/digest_test.c
+++ /dev/null
@@ -1,244 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdint.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/crypto.h>
-#include <openssl/digest.h>
-#include <openssl/err.h>
-#include <openssl/md4.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
-
-
-typedef struct {
- /* md_func is the digest to test. */
- const EVP_MD *(*md_func)(void);
- /* one_shot_func is the convenience one-shot version of the
- * digest. */
- uint8_t *(*one_shot_func)(const uint8_t *, size_t, uint8_t *);
- /* input is a NUL-terminated string to hash. */
- const char *input;
- /* repeat is the number of times to repeat input. */
- size_t repeat;
- /* expected_hex is the expected digest in hexadecimal. */
- const char *expected_hex;
-} TEST_VECTOR;
-
-static const TEST_VECTOR kTestVectors[] = {
- /* MD4 tests, from RFC 1320. (crypto/md4 does not provide a
- * one-shot MD4 function.) */
- { &EVP_md4, NULL, "", 1, "31d6cfe0d16ae931b73c59d7e0c089c0" },
- { &EVP_md4, NULL, "a", 1, "bde52cb31de33e46245e05fbdbd6fb24" },
- { &EVP_md4, NULL, "abc", 1, "a448017aaf21d8525fc10ae87aa6729d" },
- { &EVP_md4, NULL, "message digest", 1,
- "d9130a8164549fe818874806e1c7014b" },
- { &EVP_md4, NULL, "abcdefghijklmnopqrstuvwxyz", 1,
- "d79e1c308aa5bbcdeea8ed63df412da9" },
- { &EVP_md4, NULL,
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1,
- "043f8582f241db351ce627e153e7f0e4" },
- { &EVP_md4, NULL, "1234567890", 8, "e33b4ddc9c38f2199c3e7b164fcc0536" },
-
- /* MD5 tests, from RFC 1321. */
- { &EVP_md5, &MD5, "", 1, "d41d8cd98f00b204e9800998ecf8427e" },
- { &EVP_md5, &MD5, "a", 1, "0cc175b9c0f1b6a831c399e269772661" },
- { &EVP_md5, &MD5, "abc", 1, "900150983cd24fb0d6963f7d28e17f72" },
- { &EVP_md5, &MD5, "message digest", 1, "f96b697d7cb7938d525a2f31aaf161d0" },
- { &EVP_md5, &MD5, "abcdefghijklmnopqrstuvwxyz", 1,
- "c3fcd3d76192e4007dfb496cca67e13b" },
- { &EVP_md5, &MD5,
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1,
- "d174ab98d277d9f5a5611c2c9f419d9f" },
- { &EVP_md5, &MD5, "1234567890", 8, "57edf4a22be3c955ac49da2e2107b67a" },
-
- /* SHA-1 tests, from RFC 3174. */
- { &EVP_sha1, &SHA1, "abc", 1, "a9993e364706816aba3e25717850c26c9cd0d89d" },
- { &EVP_sha1, &SHA1,
- "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
- "84983e441c3bd26ebaae4aa1f95129e5e54670f1" },
- { &EVP_sha1, &SHA1, "a", 1000000,
- "34aa973cd4c4daa4f61eeb2bdbad27316534016f" },
- { &EVP_sha1, &SHA1,
- "0123456701234567012345670123456701234567012345670123456701234567", 10,
- "dea356a2cddd90c7a7ecedc5ebb563934f460452" },
-
- /* SHA-224 tests, from RFC 3874. */
- { &EVP_sha224, &SHA224, "abc", 1,
- "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7" },
- { &EVP_sha224, &SHA224,
- "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
- "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525" },
- { &EVP_sha224, &SHA224,
- "a", 1000000,
- "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67" },
-
- /* SHA-256 tests, from NIST. */
- { &EVP_sha256, &SHA256, "abc", 1,
- "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" },
- { &EVP_sha256, &SHA256,
- "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
- "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1" },
-
- /* SHA-384 tests, from NIST. */
- { &EVP_sha384, &SHA384, "abc", 1,
- "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
- "8086072ba1e7cc2358baeca134c825a7" },
- { &EVP_sha384, &SHA384,
- "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
- "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", 1,
- "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712"
- "fcc7c71a557e2db966c3e9fa91746039" },
-
- /* SHA-512 tests, from NIST. */
- { &EVP_sha512, &SHA512, "abc", 1,
- "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
- "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f" },
- { &EVP_sha512, &SHA512,
- "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
- "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", 1,
- "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
- "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909" },
-
- /* MD5-SHA1 tests. */
- { &EVP_md5_sha1, NULL, "abc", 1,
- "900150983cd24fb0d6963f7d28e17f72a9993e364706816aba3e25717850c26c9cd0d89d" },
-};
-
-static int compare_digest(const TEST_VECTOR *test,
- const uint8_t *digest,
- size_t digest_len) {
- static const char kHexTable[] = "0123456789abcdef";
- size_t i;
- char digest_hex[2*EVP_MAX_MD_SIZE + 1];
-
- for (i = 0; i < digest_len; i++) {
- digest_hex[2*i] = kHexTable[digest[i] >> 4];
- digest_hex[2*i + 1] = kHexTable[digest[i] & 0xf];
- }
- digest_hex[2*digest_len] = '\0';
-
- if (strcmp(digest_hex, test->expected_hex) != 0) {
- fprintf(stderr, "%s(\"%s\" * %d) = %s; want %s\n",
- EVP_MD_name(test->md_func()), test->input, (int)test->repeat,
- digest_hex, test->expected_hex);
- return 0;
- }
-
- return 1;
-}
-
-static int test_digest(const TEST_VECTOR *test) {
- int ret = 0;
- EVP_MD_CTX ctx;
- size_t i;
- uint8_t digest[EVP_MAX_MD_SIZE];
- unsigned digest_len;
-
- EVP_MD_CTX_init(&ctx);
-
- /* Test the input provided. */
- if (!EVP_DigestInit_ex(&ctx, test->md_func(), NULL)) {
- fprintf(stderr, "EVP_DigestInit_ex failed\n");
- goto done;
- }
- for (i = 0; i < test->repeat; i++) {
- if (!EVP_DigestUpdate(&ctx, test->input, strlen(test->input))) {
- fprintf(stderr, "EVP_DigestUpdate failed\n");
- goto done;
- }
- }
- if (!EVP_DigestFinal_ex(&ctx, digest, &digest_len)) {
- fprintf(stderr, "EVP_DigestFinal_ex failed\n");
- goto done;
- }
- if (!compare_digest(test, digest, digest_len)) {
- goto done;
- }
-
- /* Test the input one character at a time. */
- if (!EVP_DigestInit_ex(&ctx, test->md_func(), NULL)) {
- fprintf(stderr, "EVP_DigestInit_ex failed\n");
- goto done;
- }
- if (!EVP_DigestUpdate(&ctx, NULL, 0)) {
- fprintf(stderr, "EVP_DigestUpdate failed\n");
- goto done;
- }
- for (i = 0; i < test->repeat; i++) {
- const char *p;
- for (p = test->input; *p; p++) {
- if (!EVP_DigestUpdate(&ctx, p, 1)) {
- fprintf(stderr, "EVP_DigestUpdate failed\n");
- goto done;
- }
- }
- }
- if (!EVP_DigestFinal_ex(&ctx, digest, &digest_len)) {
- fprintf(stderr, "EVP_DigestFinal_ex failed\n");
- goto done;
- }
- if (digest_len != EVP_MD_size(test->md_func())) {
- fprintf(stderr, "EVP_MD_size output incorrect\n");
- goto done;
- }
- if (!compare_digest(test, digest, digest_len)) {
- goto done;
- }
-
- /* Test the one-shot function. */
- if (test->one_shot_func && test->repeat == 1) {
- uint8_t *out = test->one_shot_func((const uint8_t *)test->input,
- strlen(test->input), digest);
- if (out != digest) {
- fprintf(stderr, "one_shot_func gave incorrect return\n");
- goto done;
- }
- if (!compare_digest(test, digest, EVP_MD_size(test->md_func()))) {
- goto done;
- }
-
- /* Test the deprecated static buffer variant, until it's removed. */
- out = test->one_shot_func((const uint8_t *)test->input, strlen(test->input),
- NULL);
- if (!compare_digest(test, out, EVP_MD_size(test->md_func()))) {
- goto done;
- }
- }
-
- ret = 1;
-
-done:
- EVP_MD_CTX_cleanup(&ctx);
- return ret;
-}
-
-int main(void) {
- size_t i;
-
- CRYPTO_library_init();
- ERR_load_crypto_strings();
-
- for (i = 0; i < sizeof(kTestVectors) / sizeof(kTestVectors[0]); i++) {
- if (!test_digest(&kTestVectors[i])) {
- fprintf(stderr, "Test %d failed\n", (int)i);
- return 1;
- }
- }
-
- printf("PASS\n");
- return 0;
-}
diff --git a/src/crypto/digest/digest_test.cc b/src/crypto/digest/digest_test.cc
new file mode 100644
index 0000000..dcb569c
--- /dev/null
+++ b/src/crypto/digest/digest_test.cc
@@ -0,0 +1,249 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/crypto.h>
+#include <openssl/digest.h>
+#include <openssl/err.h>
+#include <openssl/md4.h>
+#include <openssl/md5.h>
+#include <openssl/sha.h>
+
+#include "../test/scoped_types.h"
+
+
+struct MD {
+ // name is the name of the digest.
+ const char* name;
+ // md_func is the digest to test.
+ const EVP_MD *(*func)(void);
+ // one_shot_func is the convenience one-shot version of the
+ // digest.
+ uint8_t *(*one_shot_func)(const uint8_t *, size_t, uint8_t *);
+};
+
+static const MD md4 = { "MD4", &EVP_md4, nullptr };
+static const MD md5 = { "MD5", &EVP_md5, &MD5 };
+static const MD sha1 = { "SHA1", &EVP_sha1, &SHA1 };
+static const MD sha224 = { "SHA224", &EVP_sha224, &SHA224 };
+static const MD sha256 = { "SHA256", &EVP_sha256, &SHA256 };
+static const MD sha384 = { "SHA384", &EVP_sha384, &SHA384 };
+static const MD sha512 = { "SHA512", &EVP_sha512, &SHA512 };
+static const MD md5_sha1 = { "MD5-SHA1", &EVP_md5_sha1, nullptr };
+
+struct TestVector {
+ // md is the digest to test.
+ const MD &md;
+ // input is a NUL-terminated string to hash.
+ const char *input;
+ // repeat is the number of times to repeat input.
+ size_t repeat;
+ // expected_hex is the expected digest in hexadecimal.
+ const char *expected_hex;
+};
+
+static const TestVector kTestVectors[] = {
+ // MD4 tests, from RFC 1320. (crypto/md4 does not provide a
+ // one-shot MD4 function.)
+ { md4, "", 1, "31d6cfe0d16ae931b73c59d7e0c089c0" },
+ { md4, "a", 1, "bde52cb31de33e46245e05fbdbd6fb24" },
+ { md4, "abc", 1, "a448017aaf21d8525fc10ae87aa6729d" },
+ { md4, "message digest", 1, "d9130a8164549fe818874806e1c7014b" },
+ { md4, "abcdefghijklmnopqrstuvwxyz", 1,
+ "d79e1c308aa5bbcdeea8ed63df412da9" },
+ { md4,
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1,
+ "043f8582f241db351ce627e153e7f0e4" },
+ { md4, "1234567890", 8, "e33b4ddc9c38f2199c3e7b164fcc0536" },
+
+ // MD5 tests, from RFC 1321.
+ { md5, "", 1, "d41d8cd98f00b204e9800998ecf8427e" },
+ { md5, "a", 1, "0cc175b9c0f1b6a831c399e269772661" },
+ { md5, "abc", 1, "900150983cd24fb0d6963f7d28e17f72" },
+ { md5, "message digest", 1, "f96b697d7cb7938d525a2f31aaf161d0" },
+ { md5, "abcdefghijklmnopqrstuvwxyz", 1,
+ "c3fcd3d76192e4007dfb496cca67e13b" },
+ { md5,
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", 1,
+ "d174ab98d277d9f5a5611c2c9f419d9f" },
+ { md5, "1234567890", 8, "57edf4a22be3c955ac49da2e2107b67a" },
+
+ // SHA-1 tests, from RFC 3174.
+ { sha1, "abc", 1, "a9993e364706816aba3e25717850c26c9cd0d89d" },
+ { sha1,
+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
+ "84983e441c3bd26ebaae4aa1f95129e5e54670f1" },
+ { sha1, "a", 1000000, "34aa973cd4c4daa4f61eeb2bdbad27316534016f" },
+ { sha1,
+ "0123456701234567012345670123456701234567012345670123456701234567", 10,
+ "dea356a2cddd90c7a7ecedc5ebb563934f460452" },
+
+ // SHA-224 tests, from RFC 3874.
+ { sha224, "abc", 1,
+ "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7" },
+ { sha224,
+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
+ "75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525" },
+ { sha224,
+ "a", 1000000,
+ "20794655980c91d8bbb4c1ea97618a4bf03f42581948b2ee4ee7ad67" },
+
+ // SHA-256 tests, from NIST.
+ { sha256, "abc", 1,
+ "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" },
+ { sha256,
+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 1,
+ "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1" },
+
+ // SHA-384 tests, from NIST.
+ { sha384, "abc", 1,
+ "cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
+ "8086072ba1e7cc2358baeca134c825a7" },
+ { sha384,
+ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
+ "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", 1,
+ "09330c33f71147e83d192fc782cd1b4753111b173b3b05d22fa08086e3b0f712"
+ "fcc7c71a557e2db966c3e9fa91746039" },
+
+ // SHA-512 tests, from NIST.
+ { sha512, "abc", 1,
+ "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
+ "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f" },
+ { sha512,
+ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
+ "hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu", 1,
+ "8e959b75dae313da8cf4f72814fc143f8f7779c6eb9f7fa17299aeadb6889018"
+ "501d289e4900f7e4331b99dec4b5433ac7d329eeb6dd26545e96e55b874be909" },
+
+ // MD5-SHA1 tests.
+ { md5_sha1, "abc", 1,
+ "900150983cd24fb0d6963f7d28e17f72a9993e364706816aba3e25717850c26c9cd0d89d" },
+};
+
+static bool CompareDigest(const TestVector *test,
+ const uint8_t *digest,
+ size_t digest_len) {
+ static const char kHexTable[] = "0123456789abcdef";
+ size_t i;
+ char digest_hex[2*EVP_MAX_MD_SIZE + 1];
+
+ for (i = 0; i < digest_len; i++) {
+ digest_hex[2*i] = kHexTable[digest[i] >> 4];
+ digest_hex[2*i + 1] = kHexTable[digest[i] & 0xf];
+ }
+ digest_hex[2*digest_len] = '\0';
+
+ if (strcmp(digest_hex, test->expected_hex) != 0) {
+ fprintf(stderr, "%s(\"%s\" * %d) = %s; want %s\n",
+ test->md.name, test->input, (int)test->repeat,
+ digest_hex, test->expected_hex);
+ return false;
+ }
+
+ return true;
+}
+
+static int TestDigest(const TestVector *test) {
+ ScopedEVP_MD_CTX ctx;
+
+ // Test the input provided.
+ if (!EVP_DigestInit_ex(ctx.get(), test->md.func(), NULL)) {
+ fprintf(stderr, "EVP_DigestInit_ex failed\n");
+ return false;
+ }
+ for (size_t i = 0; i < test->repeat; i++) {
+ if (!EVP_DigestUpdate(ctx.get(), test->input, strlen(test->input))) {
+ fprintf(stderr, "EVP_DigestUpdate failed\n");
+ return false;
+ }
+ }
+ uint8_t digest[EVP_MAX_MD_SIZE];
+ unsigned digest_len;
+ if (!EVP_DigestFinal_ex(ctx.get(), digest, &digest_len)) {
+ fprintf(stderr, "EVP_DigestFinal_ex failed\n");
+ return false;
+ }
+ if (!CompareDigest(test, digest, digest_len)) {
+ return false;
+ }
+
+ // Test the input one character at a time.
+ if (!EVP_DigestInit_ex(ctx.get(), test->md.func(), NULL)) {
+ fprintf(stderr, "EVP_DigestInit_ex failed\n");
+ return false;
+ }
+ if (!EVP_DigestUpdate(ctx.get(), NULL, 0)) {
+ fprintf(stderr, "EVP_DigestUpdate failed\n");
+ return false;
+ }
+ for (size_t i = 0; i < test->repeat; i++) {
+ for (const char *p = test->input; *p; p++) {
+ if (!EVP_DigestUpdate(ctx.get(), p, 1)) {
+ fprintf(stderr, "EVP_DigestUpdate failed\n");
+ return false;
+ }
+ }
+ }
+ if (!EVP_DigestFinal_ex(ctx.get(), digest, &digest_len)) {
+ fprintf(stderr, "EVP_DigestFinal_ex failed\n");
+ return false;
+ }
+ if (digest_len != EVP_MD_size(test->md.func())) {
+ fprintf(stderr, "EVP_MD_size output incorrect\n");
+ return false;
+ }
+ if (!CompareDigest(test, digest, digest_len)) {
+ return false;
+ }
+
+ // Test the one-shot function.
+ if (test->md.one_shot_func && test->repeat == 1) {
+ uint8_t *out = test->md.one_shot_func((const uint8_t *)test->input,
+ strlen(test->input), digest);
+ if (out != digest) {
+ fprintf(stderr, "one_shot_func gave incorrect return\n");
+ return false;
+ }
+ if (!CompareDigest(test, digest, EVP_MD_size(test->md.func()))) {
+ return false;
+ }
+
+ // Test the deprecated static buffer variant, until it's removed.
+ out = test->md.one_shot_func((const uint8_t *)test->input,
+ strlen(test->input), NULL);
+ if (!CompareDigest(test, out, EVP_MD_size(test->md.func()))) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+int main(void) {
+ CRYPTO_library_init();
+ ERR_load_crypto_strings();
+
+ for (size_t i = 0; i < sizeof(kTestVectors) / sizeof(kTestVectors[0]); i++) {
+ if (!TestDigest(&kTestVectors[i])) {
+ fprintf(stderr, "Test %d failed\n", (int)i);
+ return 1;
+ }
+ }
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/src/crypto/digest/md32_common.h b/src/crypto/digest/md32_common.h
index a4ce355..d7caba2 100644
--- a/src/crypto/digest/md32_common.h
+++ b/src/crypto/digest/md32_common.h
@@ -51,8 +51,6 @@
#include <openssl/base.h>
-#include <string.h>
-
#if defined(__cplusplus)
extern "C" {
@@ -74,8 +72,7 @@
* HASH_CBLOCK
* size of a unit chunk HASH_BLOCK operates on.
* HASH_LONG
- * has to be at lest 32 bit wide, if it's wider, then
- * HASH_LONG_LOG2 *has to* be defined along
+ * has to be at least 32 bit wide.
* HASH_CTX
* context structure that at least contains following
* members:
@@ -103,19 +100,6 @@
* HASH_MAKE_STRING
* macro convering context variables to an ASCII hash string.
*
- * MD5 example:
- *
- * #define DATA_ORDER_IS_LITTLE_ENDIAN
- *
- * #define HASH_LONG MD5_LONG
- * #define HASH_LONG_LOG2 MD5_LONG_LOG2
- * #define HASH_CTX MD5_CTX
- * #define HASH_CBLOCK MD5_CBLOCK
- * #define HASH_UPDATE MD5_Update
- * #define HASH_TRANSFORM MD5_Transform
- * #define HASH_FINAL MD5_Final
- * #define HASH_BLOCK_DATA_ORDER md5_block_data_order
- *
* <appro@fy.chalmers.se>
*/
diff --git a/src/crypto/directory_posix.c b/src/crypto/directory_posix.c
index c16701d..b944b69 100644
--- a/src/crypto/directory_posix.c
+++ b/src/crypto/directory_posix.c
@@ -35,6 +35,7 @@
#include <dirent.h>
#include <errno.h>
+#include <stdlib.h>
#include <string.h>
#if defined(OPENSSL_PNACL)
diff --git a/src/crypto/directory_win.c b/src/crypto/directory_win.c
index 2e4600f..4ebacf2 100644
--- a/src/crypto/directory_win.c
+++ b/src/crypto/directory_win.c
@@ -41,6 +41,9 @@
#define NAME_MAX 255
#endif
+#include <openssl/mem.h>
+
+
struct OPENSSL_dir_context_st {
WIN32_FIND_DATA ctx;
HANDLE handle;
diff --git a/src/crypto/dsa/CMakeLists.txt b/src/crypto/dsa/CMakeLists.txt
index fbc053e..dab2c4c 100644
--- a/src/crypto/dsa/CMakeLists.txt
+++ b/src/crypto/dsa/CMakeLists.txt
@@ -8,7 +8,6 @@
dsa.c
dsa_impl.c
dsa_asn1.c
- dsa_error.c
)
add_executable(
diff --git a/src/crypto/dsa/dsa.c b/src/crypto/dsa/dsa.c
index 8816b63..e8e3d73 100644
--- a/src/crypto/dsa/dsa.c
+++ b/src/crypto/dsa/dsa.c
@@ -67,12 +67,16 @@
#include <openssl/err.h>
#include <openssl/ex_data.h>
#include <openssl/mem.h>
+#include <openssl/thread.h>
#include "internal.h"
+#include "../internal.h"
extern const DSA_METHOD DSA_default_method;
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
DSA *DSA_new(void) { return DSA_new_method(NULL); }
DSA *DSA_new_method(const ENGINE *engine) {
@@ -96,14 +100,16 @@
dsa->write_params = 1;
dsa->references = 1;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data)) {
+ CRYPTO_MUTEX_init(&dsa->method_mont_p_lock);
+
+ if (!CRYPTO_new_ex_data(&g_ex_data_class, dsa, &dsa->ex_data)) {
METHOD_unref(dsa->meth);
OPENSSL_free(dsa);
return NULL;
}
if (dsa->meth->init && !dsa->meth->init(dsa)) {
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);
METHOD_unref(dsa->meth);
OPENSSL_free(dsa);
return NULL;
@@ -126,22 +132,16 @@
}
METHOD_unref(dsa->meth);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);
- if (dsa->p != NULL)
- BN_clear_free(dsa->p);
- if (dsa->q != NULL)
- BN_clear_free(dsa->q);
- if (dsa->g != NULL)
- BN_clear_free(dsa->g);
- if (dsa->pub_key != NULL)
- BN_clear_free(dsa->pub_key);
- if (dsa->priv_key != NULL)
- BN_clear_free(dsa->priv_key);
- if (dsa->kinv != NULL)
- BN_clear_free(dsa->kinv);
- if (dsa->r != NULL)
- BN_clear_free(dsa->r);
+ BN_clear_free(dsa->p);
+ BN_clear_free(dsa->q);
+ BN_clear_free(dsa->g);
+ BN_clear_free(dsa->pub_key);
+ BN_clear_free(dsa->priv_key);
+ BN_clear_free(dsa->kinv);
+ BN_clear_free(dsa->r);
+ CRYPTO_MUTEX_cleanup(&dsa->method_mont_p_lock);
OPENSSL_free(dsa);
}
@@ -184,12 +184,8 @@
return;
}
- if (sig->r) {
- BN_free(sig->r);
- }
- if (sig->s) {
- BN_free(sig->s);
- }
+ BN_free(sig->r);
+ BN_free(sig->s);
OPENSSL_free(sig);
}
@@ -268,12 +264,8 @@
ret = DSA_do_check_signature(out_valid, digest, digest_len, s, dsa);
err:
- if (der != NULL) {
- OPENSSL_free(der);
- }
- if (s) {
- DSA_SIG_free(s);
- }
+ OPENSSL_free(der);
+ DSA_SIG_free(s);
return ret;
}
@@ -309,8 +301,12 @@
int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DSA, argl, argp, new_func,
- dup_func, free_func);
+ int index;
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+ dup_func, free_func)) {
+ return -1;
+ }
+ return index;
}
int DSA_set_ex_data(DSA *d, int idx, void *arg) {
@@ -347,8 +343,6 @@
return ret;
err:
- if (ret != NULL) {
- DH_free(ret);
- }
+ DH_free(ret);
return NULL;
}
diff --git a/src/crypto/dsa/dsa_error.c b/src/crypto/dsa/dsa_error.c
deleted file mode 100644
index 5a83908..0000000
--- a/src/crypto/dsa/dsa_error.c
+++ /dev/null
@@ -1,30 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/dsa.h>
-
-const ERR_STRING_DATA DSA_error_string_data[] = {
- {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_new_method, 0), "DSA_new_method"},
- {ERR_PACK(ERR_LIB_DSA, DSA_F_dsa_sig_cb, 0), "dsa_sig_cb"},
- {ERR_PACK(ERR_LIB_DSA, DSA_F_sign, 0), "sign"},
- {ERR_PACK(ERR_LIB_DSA, DSA_F_sign_setup, 0), "sign_setup"},
- {ERR_PACK(ERR_LIB_DSA, DSA_F_verify, 0), "verify"},
- {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_BAD_Q_VALUE), "BAD_Q_VALUE"},
- {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "MISSING_PARAMETERS"},
- {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "MODULUS_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NEED_NEW_SETUP_VALUES), "NEED_NEW_SETUP_VALUES"},
- {0, NULL},
-};
diff --git a/src/crypto/dsa/dsa_impl.c b/src/crypto/dsa/dsa_impl.c
index 6719758..b7e1fd8 100644
--- a/src/crypto/dsa/dsa_impl.c
+++ b/src/crypto/dsa/dsa_impl.c
@@ -66,6 +66,7 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
+#include <openssl/thread.h>
#include "internal.h"
@@ -122,14 +123,16 @@
BN_set_flags(&k, BN_FLG_CONSTTIME);
- if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
- CRYPTO_LOCK_DSA, dsa->p, ctx)) {
+ if (BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
+ (CRYPTO_MUTEX *)&dsa->method_mont_p_lock, dsa->p,
+ ctx) == NULL) {
goto err;
}
/* Compute r = (g^k mod p) mod q */
- if (!BN_copy(&kq, &k))
+ if (!BN_copy(&kq, &k)) {
goto err;
+ }
/* We do not want timing information to leak the length of k,
* so we compute g^k using an equivalent exponent of fixed length.
@@ -137,11 +140,11 @@
* (This is a kludge that we need because the BN_mod_exp_mont()
* does not let us specify the desired timing behaviour.) */
- if (!BN_add(&kq, &kq, dsa->q))
+ if (!BN_add(&kq, &kq, dsa->q)) {
goto err;
- if (BN_num_bits(&kq) <= BN_num_bits(dsa->q)) {
- if (!BN_add(&kq, &kq, dsa->q))
- goto err;
+ }
+ if (BN_num_bits(&kq) <= BN_num_bits(dsa->q) && !BN_add(&kq, &kq, dsa->q)) {
+ goto err;
}
K = &kq;
@@ -159,14 +162,10 @@
goto err;
}
- if (*kinvp != NULL) {
- BN_clear_free(*kinvp);
- }
+ BN_clear_free(*kinvp);
*kinvp = kinv;
kinv = NULL;
- if (*rp != NULL) {
- BN_clear_free(*rp);
- }
+ BN_clear_free(*rp);
*rp = r;
ret = 1;
@@ -274,15 +273,10 @@
BN_free(r);
BN_free(s);
}
- if (ctx != NULL) {
- BN_CTX_free(ctx);
- }
+ BN_CTX_free(ctx);
BN_clear_free(&m);
BN_clear_free(&xr);
- if (kinv != NULL) {
- /* dsa->kinv is NULL now if we used it */
- BN_clear_free(kinv);
- }
+ BN_clear_free(kinv);
return ret;
}
@@ -363,12 +357,14 @@
}
mont = BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,
- CRYPTO_LOCK_DSA, dsa->p, ctx);
+ (CRYPTO_MUTEX *)&dsa->method_mont_p_lock,
+ dsa->p, ctx);
if (!mont) {
goto err;
}
- if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, mont)) {
+ if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,
+ mont)) {
goto err;
}
@@ -387,9 +383,7 @@
if (ret != 1) {
OPENSSL_PUT_ERROR(DSA, verify, ERR_R_BN_LIB);
}
- if (ctx != NULL) {
- BN_CTX_free(ctx);
- }
+ BN_CTX_free(ctx);
BN_free(&u1);
BN_free(&u2);
BN_free(&t1);
@@ -442,15 +436,13 @@
ok = 1;
err:
- if (pub_key != NULL && dsa->pub_key == NULL) {
+ if (dsa->pub_key == NULL) {
BN_free(pub_key);
}
- if (priv_key != NULL && dsa->priv_key == NULL) {
+ if (dsa->priv_key == NULL) {
BN_free(priv_key);
}
- if (ctx != NULL) {
- BN_CTX_free(ctx);
- }
+ BN_CTX_free(ctx);
return ok;
}
@@ -701,15 +693,9 @@
err:
if (ok) {
- if (ret->p) {
- BN_free(ret->p);
- }
- if (ret->q) {
- BN_free(ret->q);
- }
- if (ret->g) {
- BN_free(ret->g);
- }
+ BN_free(ret->p);
+ BN_free(ret->q);
+ BN_free(ret->g);
ret->p = BN_dup(p);
ret->q = BN_dup(q);
ret->g = BN_dup(g);
@@ -730,9 +716,7 @@
BN_CTX_free(ctx);
}
- if (mont != NULL) {
- BN_MONT_CTX_free(mont);
- }
+ BN_MONT_CTX_free(mont);
return ok;
}
diff --git a/src/crypto/dsa/dsa_test.c b/src/crypto/dsa/dsa_test.c
index 1273638..9b70dbe 100644
--- a/src/crypto/dsa/dsa_test.c
+++ b/src/crypto/dsa/dsa_test.c
@@ -61,7 +61,6 @@
#include <string.h>
-#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
@@ -166,9 +165,6 @@
0xdc, 0xd8, 0xc8,
};
-static BIO *bio_err = NULL;
-static BIO *bio_out = NULL;
-
static DSA *get_fips_dsa(void) {
DSA *dsa = DSA_new();
if (!dsa) {
@@ -187,7 +183,7 @@
return dsa;
}
-static int test_generate(void) {
+static int test_generate(FILE *out) {
BN_GENCB cb;
DSA *dsa = NULL;
int counter, ok = 0, i, j;
@@ -196,49 +192,49 @@
uint8_t sig[256];
unsigned int siglen;
- BIO_printf(bio_out, "test generation of DSA parameters\n");
+ fprintf(out, "test generation of DSA parameters\n");
- BN_GENCB_set(&cb, dsa_cb, bio_out);
+ BN_GENCB_set(&cb, dsa_cb, out);
dsa = DSA_new();
if (dsa == NULL ||
!DSA_generate_parameters_ex(dsa, 512, seed, 20, &counter, &h, &cb)) {
goto end;
}
- BIO_printf(bio_out, "seed\n");
+ fprintf(out, "seed\n");
for (i = 0; i < 20; i += 4) {
- BIO_printf(bio_out, "%02X%02X%02X%02X ", seed[i], seed[i + 1], seed[i + 2],
- seed[i + 3]);
+ fprintf(out, "%02X%02X%02X%02X ", seed[i], seed[i + 1], seed[i + 2],
+ seed[i + 3]);
}
- BIO_printf(bio_out, "\ncounter=%d h=%ld\n", counter, h);
+ fprintf(out, "\ncounter=%d h=%ld\n", counter, h);
if (counter != 105) {
- BIO_printf(bio_err, "counter should be 105\n");
+ fprintf(stderr, "counter should be 105\n");
goto end;
}
if (h != 2) {
- BIO_printf(bio_err, "h should be 2\n");
+ fprintf(stderr, "h should be 2\n");
goto end;
}
i = BN_bn2bin(dsa->q, buf);
j = sizeof(fips_q);
if (i != j || memcmp(buf, fips_q, i) != 0) {
- BIO_printf(bio_err, "q value is wrong\n");
+ fprintf(stderr, "q value is wrong\n");
goto end;
}
i = BN_bn2bin(dsa->p, buf);
j = sizeof(fips_p);
if (i != j || memcmp(buf, fips_p, i) != 0) {
- BIO_printf(bio_err, "p value is wrong\n");
+ fprintf(stderr, "p value is wrong\n");
goto end;
}
i = BN_bn2bin(dsa->g, buf);
j = sizeof(fips_g);
if (i != j || memcmp(buf, fips_g, i) != 0) {
- BIO_printf(bio_err, "g value is wrong\n");
+ fprintf(stderr, "g value is wrong\n");
goto end;
}
@@ -247,13 +243,11 @@
if (DSA_verify(0, fips_digest, sizeof(fips_digest), sig, siglen, dsa) == 1) {
ok = 1;
} else {
- BIO_printf(bio_err, "verification failure\n");
+ fprintf(stderr, "verification failure\n");
}
end:
- if (dsa != NULL) {
- DSA_free(dsa);
- }
+ DSA_free(dsa);
return ok;
}
@@ -267,7 +261,7 @@
int ret = DSA_verify(0, fips_digest, sizeof(fips_digest), sig, sig_len, dsa);
if (ret != expect) {
- BIO_printf(bio_err, "DSA_verify returned %d, want %d\n", ret, expect);
+ fprintf(stderr, "DSA_verify returned %d, want %d\n", ret, expect);
goto end;
}
ok = 1;
@@ -275,9 +269,7 @@
ERR_clear_error();
end:
- if (dsa != NULL) {
- DSA_free(dsa);
- }
+ DSA_free(dsa);
return ok;
}
@@ -285,23 +277,16 @@
int main(int argc, char **argv) {
CRYPTO_library_init();
- bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
- bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
- if (!test_generate() ||
+ if (!test_generate(stdout) ||
!test_verify(fips_sig, sizeof(fips_sig), 1) ||
!test_verify(fips_sig_negative, sizeof(fips_sig_negative), -1) ||
!test_verify(fips_sig_extra, sizeof(fips_sig_extra), -1) ||
!test_verify(fips_sig_bad_length, sizeof(fips_sig_bad_length), -1) ||
!test_verify(fips_sig_bad_r, sizeof(fips_sig_bad_r), 0)) {
- BIO_print_errors(bio_err);
- BIO_free(bio_err);
- BIO_free(bio_out);
+ ERR_print_errors_fp(stderr);
return 1;
}
- BIO_free(bio_err);
- BIO_free(bio_out);
printf("PASS\n");
return 0;
}
@@ -326,11 +311,11 @@
c = '\n';
}
- BIO_write(arg->arg, &c, 1);
- (void)BIO_flush(arg->arg);
+ fputc(c, arg->arg);
+ fflush(arg->arg);
if (!ok && p == 0 && num > 1) {
- BIO_printf((BIO *)arg, "error in dsatest\n");
+ fprintf(stderr, "error in dsatest\n");
return 0;
}
diff --git a/src/crypto/ec/CMakeLists.txt b/src/crypto/ec/CMakeLists.txt
index 11266c6..a218c0d 100644
--- a/src/crypto/ec/CMakeLists.txt
+++ b/src/crypto/ec/CMakeLists.txt
@@ -6,13 +6,14 @@
OBJECT
ec.c
- oct.c
- simple.c
- ec_montgomery.c
- wnaf.c
- ec_key.c
ec_asn1.c
- ec_error.c
+ ec_key.c
+ ec_montgomery.c
+ oct.c
+ p256-64.c
+ util-64.c
+ simple.c
+ wnaf.c
)
add_executable(
@@ -24,7 +25,7 @@
add_executable(
ec_test
- ec_test.c
+ ec_test.cc
)
target_link_libraries(example_mul crypto)
diff --git a/src/crypto/ec/ec.c b/src/crypto/ec/ec.c
index 6e676c9..5426b8f 100644
--- a/src/crypto/ec/ec.c
+++ b/src/crypto/ec/ec.c
@@ -219,11 +219,18 @@
0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09}};
const struct built_in_curve OPENSSL_built_in_curves[] = {
- {NID_secp224r1, &P224, 0},
- {NID_X9_62_prime256v1, &P256, 0},
- {NID_secp384r1, &P384, 0},
- {NID_secp521r1, &P521, 0},
- {NID_undef, 0, 0},
+ {NID_secp224r1, &P224, 0},
+ {
+ NID_X9_62_prime256v1, &P256,
+#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS)
+ EC_GFp_nistp256_method,
+#else
+ 0,
+#endif
+ },
+ {NID_secp384r1, &P384, 0},
+ {NID_secp521r1, &P521, 0},
+ {NID_undef, 0, 0},
};
EC_GROUP *ec_group_new(const EC_METHOD *meth) {
@@ -357,22 +364,14 @@
EC_GROUP_free(group);
group = NULL;
}
- if (P)
- EC_POINT_free(P);
- if (ctx)
- BN_CTX_free(ctx);
- if (p)
- BN_free(p);
- if (a)
- BN_free(a);
- if (b)
- BN_free(b);
- if (order)
- BN_free(order);
- if (x)
- BN_free(x);
- if (y)
- BN_free(y);
+ EC_POINT_free(P);
+ BN_CTX_free(ctx);
+ BN_free(p);
+ BN_free(a);
+ BN_free(b);
+ BN_free(order);
+ BN_free(x);
+ BN_free(y);
return group;
}
@@ -409,16 +408,14 @@
ec_pre_comp_free(group->pre_comp);
- if (group->generator != NULL) {
- EC_POINT_free(group->generator);
- }
+ EC_POINT_free(group->generator);
BN_free(&group->order);
BN_free(&group->cofactor);
OPENSSL_free(group);
}
-int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) {
+int ec_group_copy(EC_GROUP *dest, const EC_GROUP *src) {
if (dest->meth->group_copy == 0) {
OPENSSL_PUT_ERROR(EC, EC_GROUP_copy, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
@@ -474,7 +471,7 @@
if (t == NULL) {
return NULL;
}
- if (!EC_GROUP_copy(t, a)) {
+ if (!ec_group_copy(t, a)) {
goto err;
}
@@ -482,9 +479,7 @@
err:
if (!ok) {
- if (t) {
- EC_GROUP_free(t);
- }
+ EC_GROUP_free(t);
return NULL;
} else {
return t;
diff --git a/src/crypto/ec/ec_asn1.c b/src/crypto/ec/ec_asn1.c
index ce9b3f4..ff3dca6 100644
--- a/src/crypto/ec/ec_asn1.c
+++ b/src/crypto/ec/ec_asn1.c
@@ -172,9 +172,7 @@
return NULL;
}
} else {
- if (ret->value.named_curve) {
- ASN1_OBJECT_free(ret->value.named_curve);
- }
+ ASN1_OBJECT_free(ret->value.named_curve);
}
/* use the ASN.1 OID to describe the the elliptic curve parameters. */
@@ -257,10 +255,8 @@
return NULL;
}
- if (groupp && *groupp) {
- EC_GROUP_free(*groupp);
- }
if (groupp) {
+ EC_GROUP_free(*groupp);
*groupp = group;
}
@@ -290,16 +286,9 @@
EC_KEY *ret = NULL;
EC_PRIVATEKEY *priv_key = NULL;
- priv_key = EC_PRIVATEKEY_new();
- if (priv_key == NULL) {
- OPENSSL_PUT_ERROR(EC, d2i_ECPrivateKey, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-
- priv_key = d2i_EC_PRIVATEKEY(&priv_key, in, len);
+ priv_key = d2i_EC_PRIVATEKEY(NULL, in, len);
if (priv_key == NULL) {
OPENSSL_PUT_ERROR(EC, d2i_ECPrivateKey, ERR_R_EC_LIB);
- EC_PRIVATEKEY_free(priv_key);
return NULL;
}
@@ -309,17 +298,12 @@
OPENSSL_PUT_ERROR(EC, d2i_ECPrivateKey, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (a) {
- *a = ret;
- }
} else {
ret = *a;
}
if (priv_key->parameters) {
- if (ret->group) {
- EC_GROUP_free(ret->group);
- }
+ EC_GROUP_free(ret->group);
ret->group = ec_asn1_pkparameters2group(priv_key->parameters);
}
@@ -343,9 +327,7 @@
goto err;
}
- if (ret->pub_key) {
- EC_POINT_free(ret->pub_key);
- }
+ EC_POINT_free(ret->pub_key);
ret->pub_key = EC_POINT_new(ret->group);
if (ret->pub_key == NULL) {
OPENSSL_PUT_ERROR(EC, d2i_ECPrivateKey, ERR_R_EC_LIB);
@@ -380,22 +362,20 @@
ret->enc_flag |= EC_PKEY_NO_PUBKEY;
}
+ if (a) {
+ *a = ret;
+ }
ok = 1;
err:
if (!ok) {
- if (ret) {
+ if (a == NULL || *a != ret) {
EC_KEY_free(ret);
}
ret = NULL;
- if (a) {
- *a = ret;
- }
}
- if (priv_key) {
- EC_PRIVATEKEY_free(priv_key);
- }
+ EC_PRIVATEKEY_free(priv_key);
return ret;
}
@@ -419,14 +399,14 @@
priv_key->version = key->version;
- buf_len = BN_num_bytes(key->priv_key);
+ buf_len = BN_num_bytes(&key->group->order);
buffer = OPENSSL_malloc(buf_len);
if (buffer == NULL) {
OPENSSL_PUT_ERROR(EC, i2d_ECPrivateKey, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (!BN_bn2bin(key->priv_key, buffer)) {
+ if (!BN_bn2bin_padded(buffer, buf_len, key->priv_key)) {
OPENSSL_PUT_ERROR(EC, i2d_ECPrivateKey, ERR_R_BN_LIB);
goto err;
}
@@ -488,12 +468,8 @@
ok = 1;
err:
- if (buffer) {
- OPENSSL_free(buffer);
- }
- if (priv_key) {
- EC_PRIVATEKEY_free(priv_key);
- }
+ OPENSSL_free(buffer);
+ EC_PRIVATEKEY_free(priv_key);
return (ok ? ret : 0);
}
@@ -519,18 +495,21 @@
OPENSSL_PUT_ERROR(EC, d2i_ECParameters, ERR_R_MALLOC_FAILURE);
return NULL;
}
- if (key) {
- *key = ret;
- }
} else {
ret = *key;
}
if (!d2i_ECPKParameters(&ret->group, inp, len)) {
OPENSSL_PUT_ERROR(EC, d2i_ECParameters, ERR_R_EC_LIB);
+ if (key == NULL || *key == NULL) {
+ EC_KEY_free(ret);
+ }
return NULL;
}
+ if (key) {
+ *key = ret;
+ }
return ret;
}
diff --git a/src/crypto/ec/ec_error.c b/src/crypto/ec/ec_error.c
deleted file mode 100644
index 73807c7..0000000
--- a/src/crypto/ec/ec_error.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/ec.h>
-
-const ERR_STRING_DATA EC_error_string_data[] = {
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_GROUP_copy, 0), "EC_GROUP_copy"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_GROUP_get_curve_GFp, 0), "EC_GROUP_get_curve_GFp"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_GROUP_get_degree, 0), "EC_GROUP_get_degree"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_GROUP_new_by_curve_name, 0), "EC_GROUP_new_by_curve_name"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_check_key, 0), "EC_KEY_check_key"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_copy, 0), "EC_KEY_copy"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_generate_key, 0), "EC_KEY_generate_key"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_new_method, 0), "EC_KEY_new_method"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_set_public_key_affine_coordinates, 0), "EC_KEY_set_public_key_affine_coordinates"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_add, 0), "EC_POINT_add"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_cmp, 0), "EC_POINT_cmp"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_copy, 0), "EC_POINT_copy"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_dbl, 0), "EC_POINT_dbl"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_dup, 0), "EC_POINT_dup"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_get_affine_coordinates_GFp, 0), "EC_POINT_get_affine_coordinates_GFp"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_invert, 0), "EC_POINT_invert"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_is_at_infinity, 0), "EC_POINT_is_at_infinity"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_is_on_curve, 0), "EC_POINT_is_on_curve"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_make_affine, 0), "EC_POINT_make_affine"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_new, 0), "EC_POINT_new"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_oct2point, 0), "EC_POINT_oct2point"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_point2oct, 0), "EC_POINT_point2oct"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_set_affine_coordinates_GFp, 0), "EC_POINT_set_affine_coordinates_GFp"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_set_compressed_coordinates_GFp, 0), "EC_POINT_set_compressed_coordinates_GFp"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINT_set_to_infinity, 0), "EC_POINT_set_to_infinity"},
- {ERR_PACK(ERR_LIB_EC, EC_F_EC_POINTs_make_affine, 0), "EC_POINTs_make_affine"},
- {ERR_PACK(ERR_LIB_EC, EC_F_compute_wNAF, 0), "compute_wNAF"},
- {ERR_PACK(ERR_LIB_EC, EC_F_d2i_ECPKParameters, 0), "d2i_ECPKParameters"},
- {ERR_PACK(ERR_LIB_EC, EC_F_d2i_ECParameters, 0), "d2i_ECParameters"},
- {ERR_PACK(ERR_LIB_EC, EC_F_d2i_ECPrivateKey, 0), "d2i_ECPrivateKey"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_decode, 0), "ec_GFp_mont_field_decode"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_encode, 0), "ec_GFp_mont_field_encode"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_mul, 0), "ec_GFp_mont_field_mul"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_set_to_one, 0), "ec_GFp_mont_field_set_to_one"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_field_sqr, 0), "ec_GFp_mont_field_sqr"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_mont_group_set_curve, 0), "ec_GFp_mont_group_set_curve"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_group_check_discriminant, 0), "ec_GFp_simple_group_check_discriminant"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_group_set_curve, 0), "ec_GFp_simple_group_set_curve"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_make_affine, 0), "ec_GFp_simple_make_affine"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_oct2point, 0), "ec_GFp_simple_oct2point"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_point2oct, 0), "ec_GFp_simple_point2oct"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_point_get_affine_coordinates, 0), "ec_GFp_simple_point_get_affine_coordinates"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_point_set_affine_coordinates, 0), "ec_GFp_simple_point_set_affine_coordinates"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_points_make_affine, 0), "ec_GFp_simple_points_make_affine"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_GFp_simple_set_compressed_coordinates, 0), "ec_GFp_simple_set_compressed_coordinates"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_asn1_group2pkparameters, 0), "ec_asn1_group2pkparameters"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_asn1_pkparameters2group, 0), "ec_asn1_pkparameters2group"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_group_new, 0), "ec_group_new"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_group_new_curve_GFp, 0), "ec_group_new_curve_GFp"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_group_new_from_data, 0), "ec_group_new_from_data"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_point_set_Jprojective_coordinates_GFp, 0), "ec_point_set_Jprojective_coordinates_GFp"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_pre_comp_new, 0), "ec_pre_comp_new"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_wNAF_mul, 0), "ec_wNAF_mul"},
- {ERR_PACK(ERR_LIB_EC, EC_F_ec_wNAF_precompute_mult, 0), "ec_wNAF_precompute_mult"},
- {ERR_PACK(ERR_LIB_EC, EC_F_i2d_ECPKParameters, 0), "i2d_ECPKParameters"},
- {ERR_PACK(ERR_LIB_EC, EC_F_i2d_ECParameters, 0), "i2d_ECParameters"},
- {ERR_PACK(ERR_LIB_EC, EC_F_i2d_ECPrivateKey, 0), "i2d_ECPrivateKey"},
- {ERR_PACK(ERR_LIB_EC, EC_F_i2o_ECPublicKey, 0), "i2o_ECPublicKey"},
- {ERR_PACK(ERR_LIB_EC, EC_F_o2i_ECPublicKey, 0), "o2i_ECPublicKey"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_BUFFER_TOO_SMALL), "BUFFER_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_COORDINATES_OUT_OF_RANGE), "COORDINATES_OUT_OF_RANGE"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE), "D2I_ECPKPARAMETERS_FAILURE"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_EC_GROUP_NEW_BY_NAME_FAILURE), "EC_GROUP_NEW_BY_NAME_FAILURE"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_GF2M_NOT_SUPPORTED), "GF2M_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_GROUP2PKPARAMETERS_FAILURE), "GROUP2PKPARAMETERS_FAILURE"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_I2D_ECPKPARAMETERS_FAILURE), "I2D_ECPKPARAMETERS_FAILURE"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_INCOMPATIBLE_OBJECTS), "INCOMPATIBLE_OBJECTS"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_COMPRESSED_POINT), "INVALID_COMPRESSED_POINT"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_COMPRESSION_BIT), "INVALID_COMPRESSION_BIT"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_ENCODING), "INVALID_ENCODING"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_FIELD), "INVALID_FIELD"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_FORM), "INVALID_FORM"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_GROUP_ORDER), "INVALID_GROUP_ORDER"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_INVALID_PRIVATE_KEY), "INVALID_PRIVATE_KEY"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_PARAMETERS), "MISSING_PARAMETERS"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_PRIVATE_KEY), "MISSING_PRIVATE_KEY"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_NON_NAMED_CURVE), "NON_NAMED_CURVE"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_NOT_INITIALIZED), "NOT_INITIALIZED"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_PKPARAMETERS2GROUP_FAILURE), "PKPARAMETERS2GROUP_FAILURE"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_POINT_AT_INFINITY), "POINT_AT_INFINITY"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_POINT_IS_NOT_ON_CURVE), "POINT_IS_NOT_ON_CURVE"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_SLOT_FULL), "SLOT_FULL"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNDEFINED_GENERATOR), "UNDEFINED_GENERATOR"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNKNOWN_GROUP), "UNKNOWN_GROUP"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_UNKNOWN_ORDER), "UNKNOWN_ORDER"},
- {ERR_PACK(ERR_LIB_EC, 0, EC_R_WRONG_ORDER), "WRONG_ORDER"},
- {0, NULL},
-};
diff --git a/src/crypto/ec/ec_key.c b/src/crypto/ec/ec_key.c
index 471ea9c..3652ba5 100644
--- a/src/crypto/ec/ec_key.c
+++ b/src/crypto/ec/ec_key.c
@@ -74,10 +74,14 @@
#include <openssl/err.h>
#include <openssl/ex_data.h>
#include <openssl/mem.h>
+#include <openssl/thread.h>
#include "internal.h"
+#include "../internal.h"
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
EC_KEY *EC_KEY_new(void) { return EC_KEY_new_method(NULL); }
EC_KEY *EC_KEY_new_method(const ENGINE *engine) {
@@ -100,7 +104,7 @@
ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
ret->references = 1;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data)) {
+ if (!CRYPTO_new_ex_data(&g_ex_data_class, ret, &ret->ex_data)) {
goto err1;
}
@@ -111,7 +115,7 @@
return ret;
err2:
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, ret, &ret->ex_data);
err1:
if (ret->ecdsa_meth) {
METHOD_unref(ret->ecdsa_meth);
@@ -123,6 +127,7 @@
EC_KEY *EC_KEY_new_by_curve_name(int nid) {
EC_KEY *ret = EC_KEY_new();
if (ret == NULL) {
+ OPENSSL_PUT_ERROR(EC, EC_KEY_new_by_curve_name, ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->group = EC_GROUP_new_by_curve_name(nid);
@@ -149,17 +154,11 @@
METHOD_unref(r->ecdsa_meth);
}
- if (r->group != NULL) {
- EC_GROUP_free(r->group);
- }
- if (r->pub_key != NULL) {
- EC_POINT_free(r->pub_key);
- }
- if (r->priv_key != NULL) {
- BN_clear_free(r->priv_key);
- }
+ EC_GROUP_free(r->group);
+ EC_POINT_free(r->pub_key);
+ BN_clear_free(r->priv_key);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, r, &r->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, r, &r->ex_data);
OPENSSL_cleanse((void *)r, sizeof(EC_KEY));
OPENSSL_free(r);
@@ -170,35 +169,23 @@
OPENSSL_PUT_ERROR(EC, EC_KEY_copy, ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
- /* copy the parameters */
+ /* Copy the parameters. */
if (src->group) {
/* TODO(fork): duplicating the group seems wasteful. */
- const EC_METHOD *meth = src->group->meth;
- /* clear the old group */
- if (dest->group) {
- EC_GROUP_free(dest->group);
- }
- dest->group = ec_group_new(meth);
+ EC_GROUP_free(dest->group);
+ dest->group = EC_GROUP_dup(src->group);
if (dest->group == NULL) {
return NULL;
}
- if (!EC_GROUP_copy(dest->group, src->group)) {
- return NULL;
- }
}
- /* copy the public key */
+ /* Copy the public key. */
if (src->pub_key && src->group) {
- if (dest->pub_key) {
- EC_POINT_free(dest->pub_key);
- }
- dest->pub_key = EC_POINT_new(src->group);
+ EC_POINT_free(dest->pub_key);
+ dest->pub_key = EC_POINT_dup(src->pub_key, src->group);
if (dest->pub_key == NULL) {
return NULL;
}
- if (!EC_POINT_copy(dest->pub_key, src->pub_key)) {
- return NULL;
- }
}
/* copy the private key */
@@ -214,8 +201,8 @@
}
}
/* copy method/extra data */
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, dest, &dest->ex_data);
- if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, &dest->ex_data,
+ CRYPTO_free_ex_data(&g_ex_data_class, dest, &dest->ex_data);
+ if (!CRYPTO_dup_ex_data(&g_ex_data_class, &dest->ex_data,
&src->ex_data)) {
return NULL;
}
@@ -252,9 +239,7 @@
const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key) { return key->group; }
int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) {
- if (key->group != NULL) {
- EC_GROUP_free(key->group);
- }
+ EC_GROUP_free(key->group);
/* TODO(fork): duplicating the group seems wasteful but see
* |EC_KEY_set_conv_form|. */
key->group = EC_GROUP_dup(group);
@@ -266,9 +251,7 @@
}
int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {
- if (key->priv_key) {
- BN_clear_free(key->priv_key);
- }
+ BN_clear_free(key->priv_key);
key->priv_key = BN_dup(priv_key);
return (key->priv_key == NULL) ? 0 : 1;
}
@@ -278,9 +261,7 @@
}
int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key) {
- if (key->pub_key != NULL) {
- EC_POINT_free(key->pub_key);
- }
+ EC_POINT_free(key->pub_key);
key->pub_key = EC_POINT_dup(pub_key, key->group);
return (key->pub_key == NULL) ? 0 : 1;
}
@@ -371,10 +352,8 @@
ok = 1;
err:
- if (ctx != NULL)
- BN_CTX_free(ctx);
- if (point != NULL)
- EC_POINT_free(point);
+ BN_CTX_free(ctx);
+ EC_POINT_free(point);
return ok;
}
@@ -425,10 +404,8 @@
ok = 1;
err:
- if (ctx)
- BN_CTX_free(ctx);
- if (point)
- EC_POINT_free(point);
+ BN_CTX_free(ctx);
+ EC_POINT_free(point);
return ok;
}
@@ -489,22 +466,26 @@
ok = 1;
err:
- if (order)
- BN_free(order);
- if (pub_key != NULL && eckey->pub_key == NULL)
+ BN_free(order);
+ if (eckey->pub_key == NULL) {
EC_POINT_free(pub_key);
- if (priv_key != NULL && eckey->priv_key == NULL)
+ }
+ if (eckey->priv_key == NULL) {
BN_free(priv_key);
- if (ctx != NULL)
- BN_CTX_free(ctx);
+ }
+ BN_CTX_free(ctx);
return ok;
}
int EC_KEY_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func,
CRYPTO_EX_free *free_func) {
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_EC_KEY, argl, argp, new_func,
- dup_func, free_func);
+ int index;
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+ dup_func, free_func)) {
+ return -1;
+ }
+ return index;
}
int EC_KEY_set_ex_data(EC_KEY *d, int idx, void *arg) {
diff --git a/src/crypto/ec/ec_montgomery.c b/src/crypto/ec/ec_montgomery.c
index ab04556..74dbc6c 100644
--- a/src/crypto/ec/ec_montgomery.c
+++ b/src/crypto/ec/ec_montgomery.c
@@ -121,68 +121,58 @@
int ok;
ok = ec_GFp_simple_group_init(group);
- group->field_data1 = NULL;
- group->field_data2 = NULL;
+ group->mont = NULL;
+ group->one = NULL;
return ok;
}
void ec_GFp_mont_group_finish(EC_GROUP *group) {
- if (group->field_data1 != NULL) {
- BN_MONT_CTX_free(group->field_data1);
- group->field_data1 = NULL;
- }
- if (group->field_data2 != NULL) {
- BN_free(group->field_data2);
- group->field_data2 = NULL;
- }
+ BN_MONT_CTX_free(group->mont);
+ group->mont = NULL;
+ BN_free(group->one);
+ group->one = NULL;
ec_GFp_simple_group_finish(group);
}
void ec_GFp_mont_group_clear_finish(EC_GROUP *group) {
- if (group->field_data1 != NULL) {
- BN_MONT_CTX_free(group->field_data1);
- group->field_data1 = NULL;
- }
- if (group->field_data2 != NULL) {
- BN_clear_free(group->field_data2);
- group->field_data2 = NULL;
- }
+ BN_MONT_CTX_free(group->mont);
+ group->mont = NULL;
+ BN_clear_free(group->one);
+ group->one = NULL;
ec_GFp_simple_group_clear_finish(group);
}
int ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src) {
- if (dest->field_data1 != NULL) {
- BN_MONT_CTX_free(dest->field_data1);
- dest->field_data1 = NULL;
- }
- if (dest->field_data2 != NULL) {
- BN_clear_free(dest->field_data2);
- dest->field_data2 = NULL;
- }
+ BN_MONT_CTX_free(dest->mont);
+ dest->mont = NULL;
+ BN_clear_free(dest->one);
+ dest->one = NULL;
- if (!ec_GFp_simple_group_copy(dest, src))
+ if (!ec_GFp_simple_group_copy(dest, src)) {
return 0;
-
- if (src->field_data1 != NULL) {
- dest->field_data1 = BN_MONT_CTX_new();
- if (dest->field_data1 == NULL)
- return 0;
- if (!BN_MONT_CTX_copy(dest->field_data1, src->field_data1))
- goto err;
}
- if (src->field_data2 != NULL) {
- dest->field_data2 = BN_dup(src->field_data2);
- if (dest->field_data2 == NULL)
+
+ if (src->mont != NULL) {
+ dest->mont = BN_MONT_CTX_new();
+ if (dest->mont == NULL) {
+ return 0;
+ }
+ if (!BN_MONT_CTX_copy(dest->mont, src->mont)) {
goto err;
+ }
+ }
+ if (src->one != NULL) {
+ dest->one = BN_dup(src->one);
+ if (dest->one == NULL) {
+ goto err;
+ }
}
return 1;
err:
- if (dest->field_data1 != NULL) {
- BN_MONT_CTX_free(dest->field_data1);
- dest->field_data1 = NULL;
- }
+ BN_MONT_CTX_free(dest->mont);
+ dest->mont = NULL;
return 0;
}
@@ -193,104 +183,101 @@
BIGNUM *one = NULL;
int ret = 0;
- if (group->field_data1 != NULL) {
- BN_MONT_CTX_free(group->field_data1);
- group->field_data1 = NULL;
- }
- if (group->field_data2 != NULL) {
- BN_free(group->field_data2);
- group->field_data2 = NULL;
- }
+ BN_MONT_CTX_free(group->mont);
+ group->mont = NULL;
+ BN_free(group->one);
+ group->one = NULL;
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
mont = BN_MONT_CTX_new();
- if (mont == NULL)
+ if (mont == NULL) {
goto err;
+ }
if (!BN_MONT_CTX_set(mont, p, ctx)) {
OPENSSL_PUT_ERROR(EC, ec_GFp_mont_group_set_curve, ERR_R_BN_LIB);
goto err;
}
one = BN_new();
- if (one == NULL)
+ if (one == NULL || !BN_to_montgomery(one, BN_value_one(), mont, ctx)) {
goto err;
- if (!BN_to_montgomery(one, BN_value_one(), mont, ctx))
- goto err;
+ }
- group->field_data1 = mont;
+ group->mont = mont;
mont = NULL;
- group->field_data2 = one;
+ group->one = one;
one = NULL;
ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
if (!ret) {
- BN_MONT_CTX_free(group->field_data1);
- group->field_data1 = NULL;
- BN_free(group->field_data2);
- group->field_data2 = NULL;
+ BN_MONT_CTX_free(group->mont);
+ group->mont = NULL;
+ BN_free(group->one);
+ group->one = NULL;
}
err:
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- if (mont != NULL)
- BN_MONT_CTX_free(mont);
+ BN_CTX_free(new_ctx);
+ BN_MONT_CTX_free(mont);
+ BN_free(one);
return ret;
}
int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx) {
- if (group->field_data1 == NULL) {
+ if (group->mont == NULL) {
OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_mul, EC_R_NOT_INITIALIZED);
return 0;
}
- return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx);
+ return BN_mod_mul_montgomery(r, a, b, group->mont, ctx);
}
int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx) {
- if (group->field_data1 == NULL) {
+ if (group->mont == NULL) {
OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_sqr, EC_R_NOT_INITIALIZED);
return 0;
}
- return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
+ return BN_mod_mul_montgomery(r, a, a, group->mont, ctx);
}
int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx) {
- if (group->field_data1 == NULL) {
+ if (group->mont == NULL) {
OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_encode, EC_R_NOT_INITIALIZED);
return 0;
}
- return BN_to_montgomery(r, a, (BN_MONT_CTX *)group->field_data1, ctx);
+ return BN_to_montgomery(r, a, group->mont, ctx);
}
int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx) {
- if (group->field_data1 == NULL) {
+ if (group->mont == NULL) {
OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_decode, EC_R_NOT_INITIALIZED);
return 0;
}
- return BN_from_montgomery(r, a, group->field_data1, ctx);
+ return BN_from_montgomery(r, a, group->mont, ctx);
}
int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r,
BN_CTX *ctx) {
- if (group->field_data2 == NULL) {
+ if (group->one == NULL) {
OPENSSL_PUT_ERROR(EC, ec_GFp_mont_field_set_to_one, EC_R_NOT_INITIALIZED);
return 0;
}
- if (!BN_copy(r, group->field_data2))
+ if (!BN_copy(r, group->one)) {
return 0;
+ }
return 1;
}
diff --git a/src/crypto/ec/ec_test.c b/src/crypto/ec/ec_test.c
deleted file mode 100644
index 8d53f87..0000000
--- a/src/crypto/ec/ec_test.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bio.h>
-#include <openssl/crypto.h>
-#include <openssl/ec_key.h>
-#include <openssl/err.h>
-
-#include "internal.h"
-
-
-static const uint8_t kECKeyWithoutPublic[] = {
- 0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0,
- 0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e,
- 0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
- 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
-};
-
-int test_d2i_ECPrivateKey(void) {
- int len, ret = 0;
- uint8_t *out = NULL, *outp;
- const uint8_t *inp;
- EC_KEY *key = NULL;
- BIGNUM *x = NULL, *y = NULL;
- const EC_POINT *public;
- char *x_hex = NULL, *y_hex = NULL;
-
- inp = kECKeyWithoutPublic;
- key = d2i_ECPrivateKey(NULL, &inp, sizeof(kECKeyWithoutPublic));
-
- if (key == NULL || inp != kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) {
- fprintf(stderr, "Failed to parse private key.\n");
- BIO_print_errors_fp(stderr);
- goto out;
- }
-
- len = i2d_ECPrivateKey(key, NULL);
- out = malloc(len);
- outp = out;
- if (len != i2d_ECPrivateKey(key, &outp)) {
- fprintf(stderr, "Failed to serialize private key.\n");
- BIO_print_errors_fp(stderr);
- goto out;
- }
-
- if (0 != memcmp(out, kECKeyWithoutPublic, len)) {
- fprintf(stderr, "Serialisation of key doesn't match original.\n");
- goto out;
- }
-
- public = EC_KEY_get0_public_key(key);
- if (public == NULL) {
- fprintf(stderr, "Public key missing.\n");
- goto out;
- }
-
- x = BN_new();
- y = BN_new();
- if (x == NULL || y == NULL) {
- goto out;
- }
- if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key), public, x, y,
- NULL)) {
- fprintf(stderr, "Failed to get public key in affine coordinates.\n");
- goto out;
- }
- x_hex = BN_bn2hex(x);
- y_hex = BN_bn2hex(y);
- if (0 != strcmp(x_hex, "c81561ecf2e54edefe6617db1c7a34a70744ddb261f269b83dacfcd2ade5a681") ||
- 0 != strcmp(y_hex, "e0e2afa3f9b6abe4c698ef6495f1be49a3196c5056acb3763fe4507eec596e88")) {
- fprintf(stderr, "Incorrect public key: %s %s\n", x_hex, y_hex);
- goto out;
- }
-
- ret = 1;
-
-out:
- if (key != NULL) {
- EC_KEY_free(key);
- }
- if (out != NULL) {
- free(out);
- }
- if (x != NULL) {
- BN_free(x);
- }
- if (y != NULL) {
- BN_free(y);
- }
- if (x_hex != NULL) {
- OPENSSL_free(x_hex);
- }
- if (y_hex != NULL) {
- OPENSSL_free(y_hex);
- }
- return ret;
-}
-
-int main(void) {
- CRYPTO_library_init();
- ERR_load_crypto_strings();
-
- if (!test_d2i_ECPrivateKey()) {
- fprintf(stderr, "failed\n");
- return 1;
- }
-
- printf("PASS\n");
- return 0;
-}
diff --git a/src/crypto/ec/ec_test.cc b/src/crypto/ec/ec_test.cc
new file mode 100644
index 0000000..74685eb
--- /dev/null
+++ b/src/crypto/ec/ec_test.cc
@@ -0,0 +1,185 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <vector>
+
+#include <openssl/crypto.h>
+#include <openssl/ec_key.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+
+// kECKeyWithoutPublic is an ECPrivateKey with the optional publicKey field
+// omitted.
+static const uint8_t kECKeyWithoutPublic[] = {
+ 0x30, 0x31, 0x02, 0x01, 0x01, 0x04, 0x20, 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0,
+ 0x76, 0x61, 0xf8, 0x14, 0x2c, 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e,
+ 0xfe, 0x46, 0xc0, 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,
+ 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07,
+};
+
+// kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where
+// the private key is one. The private key is incorrectly encoded without zero
+// padding.
+static const uint8_t kECKeyMissingZeros[] = {
+ 0x30, 0x58, 0x02, 0x01, 0x01, 0x04, 0x01, 0x01, 0xa0, 0x0a, 0x06, 0x08, 0x2a,
+ 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04,
+ 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63,
+ 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1,
+ 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f,
+ 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
+ 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5,
+};
+
+// kECKeyMissingZeros is an ECPrivateKey containing a degenerate P-256 key where
+// the private key is one. The private key is encoded with the required zero
+// padding.
+static const uint8_t kECKeyWithZeros[] = {
+ 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+ 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0xa1,
+ 0x44, 0x03, 0x42, 0x00, 0x04, 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47,
+ 0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d,
+ 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96, 0x4f, 0xe3,
+ 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e,
+ 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68,
+ 0x37, 0xbf, 0x51, 0xf5,
+};
+
+// DecodeECPrivateKey decodes |in| as an ECPrivateKey structure and returns the
+// result or nullptr on error.
+static ScopedEC_KEY DecodeECPrivateKey(const uint8_t *in, size_t in_len) {
+ const uint8_t *inp = in;
+ ScopedEC_KEY ret(d2i_ECPrivateKey(NULL, &inp, in_len));
+ if (!ret || inp != in + in_len) {
+ return nullptr;
+ }
+ return ret;
+}
+
+// EncodeECPrivateKey encodes |key| as an ECPrivateKey structure into |*out|. It
+// returns true on success or false on error.
+static bool EncodeECPrivateKey(std::vector<uint8_t> *out, EC_KEY *key) {
+ int len = i2d_ECPrivateKey(key, NULL);
+ out->resize(len);
+ uint8_t *outp = bssl::vector_data(out);
+ return i2d_ECPrivateKey(key, &outp) == len;
+}
+
+bool Testd2i_ECPrivateKey() {
+ ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithoutPublic,
+ sizeof(kECKeyWithoutPublic));
+ if (!key) {
+ fprintf(stderr, "Failed to parse private key.\n");
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+
+ std::vector<uint8_t> out;
+ if (!EncodeECPrivateKey(&out, key.get())) {
+ fprintf(stderr, "Failed to serialize private key.\n");
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+
+ if (std::vector<uint8_t>(kECKeyWithoutPublic,
+ kECKeyWithoutPublic + sizeof(kECKeyWithoutPublic)) !=
+ out) {
+ fprintf(stderr, "Serialisation of key doesn't match original.\n");
+ return false;
+ }
+
+ const EC_POINT *pub_key = EC_KEY_get0_public_key(key.get());
+ if (pub_key == NULL) {
+ fprintf(stderr, "Public key missing.\n");
+ return false;
+ }
+
+ ScopedBIGNUM x(BN_new());
+ ScopedBIGNUM y(BN_new());
+ if (!x || !y) {
+ return false;
+ }
+ if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(key.get()),
+ pub_key, x.get(), y.get(), NULL)) {
+ fprintf(stderr, "Failed to get public key in affine coordinates.\n");
+ return false;
+ }
+ ScopedOpenSSLString x_hex(BN_bn2hex(x.get()));
+ ScopedOpenSSLString y_hex(BN_bn2hex(y.get()));
+ if (0 != strcmp(
+ x_hex.get(),
+ "c81561ecf2e54edefe6617db1c7a34a70744ddb261f269b83dacfcd2ade5a681") ||
+ 0 != strcmp(
+ y_hex.get(),
+ "e0e2afa3f9b6abe4c698ef6495f1be49a3196c5056acb3763fe4507eec596e88")) {
+ fprintf(stderr, "Incorrect public key: %s %s\n", x_hex.get(), y_hex.get());
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestZeroPadding() {
+ // Check that the correct encoding round-trips.
+ ScopedEC_KEY key = DecodeECPrivateKey(kECKeyWithZeros,
+ sizeof(kECKeyWithZeros));
+ std::vector<uint8_t> out;
+ if (!key || !EncodeECPrivateKey(&out, key.get())) {
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+
+ if (std::vector<uint8_t>(kECKeyWithZeros,
+ kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {
+ fprintf(stderr, "Serialisation of key was incorrect.\n");
+ return false;
+ }
+
+ // Keys without leading zeros also parse, but they encode correctly.
+ key = DecodeECPrivateKey(kECKeyMissingZeros, sizeof(kECKeyMissingZeros));
+ if (!key || !EncodeECPrivateKey(&out, key.get())) {
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+
+ if (std::vector<uint8_t>(kECKeyWithZeros,
+ kECKeyWithZeros + sizeof(kECKeyWithZeros)) != out) {
+ fprintf(stderr, "Serialisation of key was incorrect.\n");
+ return false;
+ }
+
+ return true;
+}
+
+int main(void) {
+ CRYPTO_library_init();
+ ERR_load_crypto_strings();
+
+ if (!Testd2i_ECPrivateKey() ||
+ !TestZeroPadding()) {
+ fprintf(stderr, "failed\n");
+ return 1;
+ }
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/src/crypto/ec/internal.h b/src/crypto/ec/internal.h
index da116c4..0a8bf24 100644
--- a/src/crypto/ec/internal.h
+++ b/src/crypto/ec/internal.h
@@ -81,8 +81,6 @@
/* Use default functions for poin2oct, oct2point and compressed coordinates */
#define EC_FLAGS_DEFAULT_OCT 0x1
-typedef struct ec_method_st EC_METHOD;
-
struct ec_method_st {
/* Various method flags */
int flags;
@@ -205,35 +203,14 @@
/* The following members are handled by the method functions,
* even if they appear generic */
- BIGNUM field; /* Field specification.
- * For curves over GF(p), this is the modulus;
- * for curves over GF(2^m), this is the
- * irreducible polynomial defining the field. */
+ BIGNUM field; /* For curves over GF(p), this is the modulus. */
- int poly[6]; /* Field specification for curves over GF(2^m).
- * The irreducible f(t) is then of the form:
- * t^poly[0] + t^poly[1] + ... + t^poly[k]
- * where m = poly[0] > poly[1] > ... > poly[k] = 0.
- * The array is terminated with poly[k+1]=-1.
- * All elliptic curve irreducibles have at most 5
- * non-zero terms. */
-
- BIGNUM a, b; /* Curve coefficients.
- * (Here the assumption is that BIGNUMs can be used
- * or abused for all kinds of fields, not just GF(p).)
- * For characteristic > 3, the curve is defined
- * by a Weierstrass equation of the form
- * y^2 = x^3 + a*x + b.
- * For characteristic 2, the curve is defined by
- * an equation of the form
- * y^2 + x*y = x^3 + a*x^2 + b. */
+ BIGNUM a, b; /* Curve coefficients. */
int a_is_minus3; /* enable optimized point arithmetics for special case */
- void *field_data1; /* method-specific (e.g., Montgomery structure) */
- void *field_data2; /* method-specific */
- int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *,
- BN_CTX *); /* method-specific */
+ BN_MONT_CTX *mont; /* Montgomery structure. */
+ BIGNUM *one; /* The value one */
} /* EC_GROUP */;
struct ec_point_st {
@@ -250,6 +227,7 @@
} /* EC_POINT */;
EC_GROUP *ec_group_new(const EC_METHOD *meth);
+int ec_group_copy(EC_GROUP *dest, const EC_GROUP *src);
int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
size_t num, const EC_POINT *points[], const BIGNUM *scalars[],
@@ -329,6 +307,19 @@
const BIGNUM *y, const BIGNUM *z,
BN_CTX *ctx);
+void ec_GFp_nistp_points_make_affine_internal(
+ size_t num, void *point_array, size_t felem_size, void *tmp_felems,
+ void (*felem_one)(void *out), int (*felem_is_zero)(const void *in),
+ void (*felem_assign)(void *out, const void *in),
+ void (*felem_square)(void *out, const void *in),
+ void (*felem_mul)(void *out, const void *in1, const void *in2),
+ void (*felem_inv)(void *out, const void *in),
+ void (*felem_contract)(void *out, const void *in));
+
+void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit, uint8_t in);
+
+const EC_METHOD *EC_GFp_nistp256_method(void);
+
struct ec_key_st {
int version;
diff --git a/src/crypto/ec/oct.c b/src/crypto/ec/oct.c
index c4729ef..816a42f 100644
--- a/src/crypto/ec/oct.c
+++ b/src/crypto/ec/oct.c
@@ -164,18 +164,14 @@
if (used_ctx) {
BN_CTX_end(ctx);
}
- if (new_ctx != NULL) {
- BN_CTX_free(new_ctx);
- }
+ BN_CTX_free(new_ctx);
return ret;
err:
if (used_ctx) {
BN_CTX_end(ctx);
}
- if (new_ctx != NULL) {
- BN_CTX_free(new_ctx);
- }
+ BN_CTX_free(new_ctx);
return 0;
}
@@ -227,40 +223,46 @@
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
- if (y == NULL)
+ if (y == NULL) {
goto err;
+ }
- if (!BN_bin2bn(buf + 1, field_len, x))
+ if (!BN_bin2bn(buf + 1, field_len, x)) {
goto err;
+ }
if (BN_ucmp(x, &group->field) >= 0) {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_oct2point, EC_R_INVALID_ENCODING);
goto err;
}
if (form == POINT_CONVERSION_COMPRESSED) {
- if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx))
+ if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) {
goto err;
+ }
} else {
- if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
+ if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) {
goto err;
+ }
if (BN_ucmp(y, &group->field) >= 0) {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_oct2point, EC_R_INVALID_ENCODING);
goto err;
}
- if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+ if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
goto err;
+ }
}
- if (!EC_POINT_is_on_curve(group, point, ctx)) /* test required by X9.62 */
- {
+ /* test required by X9.62 */
+ if (!EC_POINT_is_on_curve(group, point, ctx)) {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_oct2point, EC_R_POINT_IS_NOT_ON_CURVE);
goto err;
}
@@ -269,8 +271,7 @@
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -441,15 +442,15 @@
goto err;
}
- if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
+ if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
goto err;
+ }
ret = 1;
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
diff --git a/src/crypto/ec/p256-64.c b/src/crypto/ec/p256-64.c
new file mode 100644
index 0000000..8f824de
--- /dev/null
+++ b/src/crypto/ec/p256-64.c
@@ -0,0 +1,1936 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+/* A 64-bit implementation of the NIST P-256 elliptic curve point
+ * multiplication
+ *
+ * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c.
+ * Otherwise based on Emilia's P224 work, which was inspired by my curve25519
+ * work which got its smarts from Daniel J. Bernstein's work on the same. */
+
+#include <openssl/base.h>
+
+#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS)
+
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/obj.h>
+
+#include <string.h>
+
+#include "internal.h"
+
+
+typedef uint8_t u8;
+typedef uint64_t u64;
+typedef int64_t s64;
+typedef __uint128_t uint128_t;
+typedef __int128_t int128_t;
+
+/* The underlying field. P256 operates over GF(2^256-2^224+2^192+2^96-1). We
+ * can serialise an element of this field into 32 bytes. We call this an
+ * felem_bytearray. */
+typedef u8 felem_bytearray[32];
+
+/* These are the parameters of P256, taken from FIPS 186-3, page 86. These
+ * values are big-endian. */
+static const felem_bytearray nistp256_curve_params[5] = {
+ {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* p */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
+ {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* a = -3 */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xfc}, /* b */
+ {0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb, 0xbd, 0x55,
+ 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53, 0xb0, 0xf6,
+ 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b},
+ {0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, /* x */
+ 0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81,
+ 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96},
+ {0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, /* y */
+ 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
+ 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5}};
+
+/* The representation of field elements.
+ * ------------------------------------
+ *
+ * We represent field elements with either four 128-bit values, eight 128-bit
+ * values, or four 64-bit values. The field element represented is:
+ * v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + v[3]*2^192 (mod p)
+ * or:
+ * v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + ... + v[8]*2^512 (mod p)
+ *
+ * 128-bit values are called 'limbs'. Since the limbs are spaced only 64 bits
+ * apart, but are 128-bits wide, the most significant bits of each limb overlap
+ * with the least significant bits of the next.
+ *
+ * A field element with four limbs is an 'felem'. One with eight limbs is a
+ * 'longfelem'
+ *
+ * A field element with four, 64-bit values is called a 'smallfelem'. Small
+ * values are used as intermediate values before multiplication. */
+
+#define NLIMBS 4
+
+typedef uint128_t limb;
+typedef limb felem[NLIMBS];
+typedef limb longfelem[NLIMBS * 2];
+typedef u64 smallfelem[NLIMBS];
+
+/* This is the value of the prime as four 64-bit words, little-endian. */
+static const u64 kPrime[4] = {0xfffffffffffffffful, 0xffffffff, 0,
+ 0xffffffff00000001ul};
+static const u64 bottom63bits = 0x7ffffffffffffffful;
+
+/* bin32_to_felem takes a little-endian byte array and converts it into felem
+ * form. This assumes that the CPU is little-endian. */
+static void bin32_to_felem(felem out, const u8 in[32]) {
+ out[0] = *((u64 *)&in[0]);
+ out[1] = *((u64 *)&in[8]);
+ out[2] = *((u64 *)&in[16]);
+ out[3] = *((u64 *)&in[24]);
+}
+
+/* smallfelem_to_bin32 takes a smallfelem and serialises into a little endian,
+ * 32 byte array. This assumes that the CPU is little-endian. */
+static void smallfelem_to_bin32(u8 out[32], const smallfelem in) {
+ *((u64 *)&out[0]) = in[0];
+ *((u64 *)&out[8]) = in[1];
+ *((u64 *)&out[16]) = in[2];
+ *((u64 *)&out[24]) = in[3];
+}
+
+/* To preserve endianness when using BN_bn2bin and BN_bin2bn. */
+static void flip_endian(u8 *out, const u8 *in, unsigned len) {
+ unsigned i;
+ for (i = 0; i < len; ++i) {
+ out[i] = in[len - 1 - i];
+ }
+}
+
+/* BN_to_felem converts an OpenSSL BIGNUM into an felem. */
+static int BN_to_felem(felem out, const BIGNUM *bn) {
+ if (BN_is_negative(bn)) {
+ OPENSSL_PUT_ERROR(EC, BN_to_felem, EC_R_BIGNUM_OUT_OF_RANGE);
+ return 0;
+ }
+
+ felem_bytearray b_out;
+ /* BN_bn2bin eats leading zeroes */
+ memset(b_out, 0, sizeof(b_out));
+ unsigned num_bytes = BN_num_bytes(bn);
+ if (num_bytes > sizeof(b_out)) {
+ OPENSSL_PUT_ERROR(EC, BN_to_felem, EC_R_BIGNUM_OUT_OF_RANGE);
+ return 0;
+ }
+
+ felem_bytearray b_in;
+ num_bytes = BN_bn2bin(bn, b_in);
+ flip_endian(b_out, b_in, num_bytes);
+ bin32_to_felem(out, b_out);
+ return 1;
+}
+
+/* felem_to_BN converts an felem into an OpenSSL BIGNUM. */
+static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in) {
+ felem_bytearray b_in, b_out;
+ smallfelem_to_bin32(b_in, in);
+ flip_endian(b_out, b_in, sizeof(b_out));
+ return BN_bin2bn(b_out, sizeof(b_out), out);
+}
+
+/* Field operations. */
+
+static void smallfelem_one(smallfelem out) {
+ out[0] = 1;
+ out[1] = 0;
+ out[2] = 0;
+ out[3] = 0;
+}
+
+static void smallfelem_assign(smallfelem out, const smallfelem in) {
+ out[0] = in[0];
+ out[1] = in[1];
+ out[2] = in[2];
+ out[3] = in[3];
+}
+
+static void felem_assign(felem out, const felem in) {
+ out[0] = in[0];
+ out[1] = in[1];
+ out[2] = in[2];
+ out[3] = in[3];
+}
+
+/* felem_sum sets out = out + in. */
+static void felem_sum(felem out, const felem in) {
+ out[0] += in[0];
+ out[1] += in[1];
+ out[2] += in[2];
+ out[3] += in[3];
+}
+
+/* felem_small_sum sets out = out + in. */
+static void felem_small_sum(felem out, const smallfelem in) {
+ out[0] += in[0];
+ out[1] += in[1];
+ out[2] += in[2];
+ out[3] += in[3];
+}
+
+/* felem_scalar sets out = out * scalar */
+static void felem_scalar(felem out, const u64 scalar) {
+ out[0] *= scalar;
+ out[1] *= scalar;
+ out[2] *= scalar;
+ out[3] *= scalar;
+}
+
+/* longfelem_scalar sets out = out * scalar */
+static void longfelem_scalar(longfelem out, const u64 scalar) {
+ out[0] *= scalar;
+ out[1] *= scalar;
+ out[2] *= scalar;
+ out[3] *= scalar;
+ out[4] *= scalar;
+ out[5] *= scalar;
+ out[6] *= scalar;
+ out[7] *= scalar;
+}
+
+#define two105m41m9 (((limb)1) << 105) - (((limb)1) << 41) - (((limb)1) << 9)
+#define two105 (((limb)1) << 105)
+#define two105m41p9 (((limb)1) << 105) - (((limb)1) << 41) + (((limb)1) << 9)
+
+/* zero105 is 0 mod p */
+static const felem zero105 = {two105m41m9, two105, two105m41p9, two105m41p9};
+
+/* smallfelem_neg sets |out| to |-small|
+ * On exit:
+ * out[i] < out[i] + 2^105 */
+static void smallfelem_neg(felem out, const smallfelem small) {
+ /* In order to prevent underflow, we subtract from 0 mod p. */
+ out[0] = zero105[0] - small[0];
+ out[1] = zero105[1] - small[1];
+ out[2] = zero105[2] - small[2];
+ out[3] = zero105[3] - small[3];
+}
+
+/* felem_diff subtracts |in| from |out|
+ * On entry:
+ * in[i] < 2^104
+ * On exit:
+ * out[i] < out[i] + 2^105. */
+static void felem_diff(felem out, const felem in) {
+ /* In order to prevent underflow, we add 0 mod p before subtracting. */
+ out[0] += zero105[0];
+ out[1] += zero105[1];
+ out[2] += zero105[2];
+ out[3] += zero105[3];
+
+ out[0] -= in[0];
+ out[1] -= in[1];
+ out[2] -= in[2];
+ out[3] -= in[3];
+}
+
+#define two107m43m11 (((limb)1) << 107) - (((limb)1) << 43) - (((limb)1) << 11)
+#define two107 (((limb)1) << 107)
+#define two107m43p11 (((limb)1) << 107) - (((limb)1) << 43) + (((limb)1) << 11)
+
+/* zero107 is 0 mod p */
+static const felem zero107 = {two107m43m11, two107, two107m43p11, two107m43p11};
+
+/* An alternative felem_diff for larger inputs |in|
+ * felem_diff_zero107 subtracts |in| from |out|
+ * On entry:
+ * in[i] < 2^106
+ * On exit:
+ * out[i] < out[i] + 2^107. */
+static void felem_diff_zero107(felem out, const felem in) {
+ /* In order to prevent underflow, we add 0 mod p before subtracting. */
+ out[0] += zero107[0];
+ out[1] += zero107[1];
+ out[2] += zero107[2];
+ out[3] += zero107[3];
+
+ out[0] -= in[0];
+ out[1] -= in[1];
+ out[2] -= in[2];
+ out[3] -= in[3];
+}
+
+/* longfelem_diff subtracts |in| from |out|
+ * On entry:
+ * in[i] < 7*2^67
+ * On exit:
+ * out[i] < out[i] + 2^70 + 2^40. */
+static void longfelem_diff(longfelem out, const longfelem in) {
+ static const limb two70m8p6 =
+ (((limb)1) << 70) - (((limb)1) << 8) + (((limb)1) << 6);
+ static const limb two70p40 = (((limb)1) << 70) + (((limb)1) << 40);
+ static const limb two70 = (((limb)1) << 70);
+ static const limb two70m40m38p6 = (((limb)1) << 70) - (((limb)1) << 40) -
+ (((limb)1) << 38) + (((limb)1) << 6);
+ static const limb two70m6 = (((limb)1) << 70) - (((limb)1) << 6);
+
+ /* add 0 mod p to avoid underflow */
+ out[0] += two70m8p6;
+ out[1] += two70p40;
+ out[2] += two70;
+ out[3] += two70m40m38p6;
+ out[4] += two70m6;
+ out[5] += two70m6;
+ out[6] += two70m6;
+ out[7] += two70m6;
+
+ /* in[i] < 7*2^67 < 2^70 - 2^40 - 2^38 + 2^6 */
+ out[0] -= in[0];
+ out[1] -= in[1];
+ out[2] -= in[2];
+ out[3] -= in[3];
+ out[4] -= in[4];
+ out[5] -= in[5];
+ out[6] -= in[6];
+ out[7] -= in[7];
+}
+
+#define two64m0 (((limb)1) << 64) - 1
+#define two110p32m0 (((limb)1) << 110) + (((limb)1) << 32) - 1
+#define two64m46 (((limb)1) << 64) - (((limb)1) << 46)
+#define two64m32 (((limb)1) << 64) - (((limb)1) << 32)
+
+/* zero110 is 0 mod p. */
+static const felem zero110 = {two64m0, two110p32m0, two64m46, two64m32};
+
+/* felem_shrink converts an felem into a smallfelem. The result isn't quite
+ * minimal as the value may be greater than p.
+ *
+ * On entry:
+ * in[i] < 2^109
+ * On exit:
+ * out[i] < 2^64. */
+static void felem_shrink(smallfelem out, const felem in) {
+ felem tmp;
+ u64 a, b, mask;
+ s64 high, low;
+ static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */
+
+ /* Carry 2->3 */
+ tmp[3] = zero110[3] + in[3] + ((u64)(in[2] >> 64));
+ /* tmp[3] < 2^110 */
+
+ tmp[2] = zero110[2] + (u64)in[2];
+ tmp[0] = zero110[0] + in[0];
+ tmp[1] = zero110[1] + in[1];
+ /* tmp[0] < 2**110, tmp[1] < 2^111, tmp[2] < 2**65 */
+
+ /* We perform two partial reductions where we eliminate the high-word of
+ * tmp[3]. We don't update the other words till the end. */
+ a = tmp[3] >> 64; /* a < 2^46 */
+ tmp[3] = (u64)tmp[3];
+ tmp[3] -= a;
+ tmp[3] += ((limb)a) << 32;
+ /* tmp[3] < 2^79 */
+
+ b = a;
+ a = tmp[3] >> 64; /* a < 2^15 */
+ b += a; /* b < 2^46 + 2^15 < 2^47 */
+ tmp[3] = (u64)tmp[3];
+ tmp[3] -= a;
+ tmp[3] += ((limb)a) << 32;
+ /* tmp[3] < 2^64 + 2^47 */
+
+ /* This adjusts the other two words to complete the two partial
+ * reductions. */
+ tmp[0] += b;
+ tmp[1] -= (((limb)b) << 32);
+
+ /* In order to make space in tmp[3] for the carry from 2 -> 3, we
+ * conditionally subtract kPrime if tmp[3] is large enough. */
+ high = tmp[3] >> 64;
+ /* As tmp[3] < 2^65, high is either 1 or 0 */
+ high <<= 63;
+ high >>= 63;
+ /* high is:
+ * all ones if the high word of tmp[3] is 1
+ * all zeros if the high word of tmp[3] if 0 */
+ low = tmp[3];
+ mask = low >> 63;
+ /* mask is:
+ * all ones if the MSB of low is 1
+ * all zeros if the MSB of low if 0 */
+ low &= bottom63bits;
+ low -= kPrime3Test;
+ /* if low was greater than kPrime3Test then the MSB is zero */
+ low = ~low;
+ low >>= 63;
+ /* low is:
+ * all ones if low was > kPrime3Test
+ * all zeros if low was <= kPrime3Test */
+ mask = (mask & low) | high;
+ tmp[0] -= mask & kPrime[0];
+ tmp[1] -= mask & kPrime[1];
+ /* kPrime[2] is zero, so omitted */
+ tmp[3] -= mask & kPrime[3];
+ /* tmp[3] < 2**64 - 2**32 + 1 */
+
+ tmp[1] += ((u64)(tmp[0] >> 64));
+ tmp[0] = (u64)tmp[0];
+ tmp[2] += ((u64)(tmp[1] >> 64));
+ tmp[1] = (u64)tmp[1];
+ tmp[3] += ((u64)(tmp[2] >> 64));
+ tmp[2] = (u64)tmp[2];
+ /* tmp[i] < 2^64 */
+
+ out[0] = tmp[0];
+ out[1] = tmp[1];
+ out[2] = tmp[2];
+ out[3] = tmp[3];
+}
+
+/* smallfelem_expand converts a smallfelem to an felem */
+static void smallfelem_expand(felem out, const smallfelem in) {
+ out[0] = in[0];
+ out[1] = in[1];
+ out[2] = in[2];
+ out[3] = in[3];
+}
+
+/* smallfelem_square sets |out| = |small|^2
+ * On entry:
+ * small[i] < 2^64
+ * On exit:
+ * out[i] < 7 * 2^64 < 2^67 */
+static void smallfelem_square(longfelem out, const smallfelem small) {
+ limb a;
+ u64 high, low;
+
+ a = ((uint128_t)small[0]) * small[0];
+ low = a;
+ high = a >> 64;
+ out[0] = low;
+ out[1] = high;
+
+ a = ((uint128_t)small[0]) * small[1];
+ low = a;
+ high = a >> 64;
+ out[1] += low;
+ out[1] += low;
+ out[2] = high;
+
+ a = ((uint128_t)small[0]) * small[2];
+ low = a;
+ high = a >> 64;
+ out[2] += low;
+ out[2] *= 2;
+ out[3] = high;
+
+ a = ((uint128_t)small[0]) * small[3];
+ low = a;
+ high = a >> 64;
+ out[3] += low;
+ out[4] = high;
+
+ a = ((uint128_t)small[1]) * small[2];
+ low = a;
+ high = a >> 64;
+ out[3] += low;
+ out[3] *= 2;
+ out[4] += high;
+
+ a = ((uint128_t)small[1]) * small[1];
+ low = a;
+ high = a >> 64;
+ out[2] += low;
+ out[3] += high;
+
+ a = ((uint128_t)small[1]) * small[3];
+ low = a;
+ high = a >> 64;
+ out[4] += low;
+ out[4] *= 2;
+ out[5] = high;
+
+ a = ((uint128_t)small[2]) * small[3];
+ low = a;
+ high = a >> 64;
+ out[5] += low;
+ out[5] *= 2;
+ out[6] = high;
+ out[6] += high;
+
+ a = ((uint128_t)small[2]) * small[2];
+ low = a;
+ high = a >> 64;
+ out[4] += low;
+ out[5] += high;
+
+ a = ((uint128_t)small[3]) * small[3];
+ low = a;
+ high = a >> 64;
+ out[6] += low;
+ out[7] = high;
+}
+
+/*felem_square sets |out| = |in|^2
+ * On entry:
+ * in[i] < 2^109
+ * On exit:
+ * out[i] < 7 * 2^64 < 2^67. */
+static void felem_square(longfelem out, const felem in) {
+ u64 small[4];
+ felem_shrink(small, in);
+ smallfelem_square(out, small);
+}
+
+/* smallfelem_mul sets |out| = |small1| * |small2|
+ * On entry:
+ * small1[i] < 2^64
+ * small2[i] < 2^64
+ * On exit:
+ * out[i] < 7 * 2^64 < 2^67. */
+static void smallfelem_mul(longfelem out, const smallfelem small1,
+ const smallfelem small2) {
+ limb a;
+ u64 high, low;
+
+ a = ((uint128_t)small1[0]) * small2[0];
+ low = a;
+ high = a >> 64;
+ out[0] = low;
+ out[1] = high;
+
+ a = ((uint128_t)small1[0]) * small2[1];
+ low = a;
+ high = a >> 64;
+ out[1] += low;
+ out[2] = high;
+
+ a = ((uint128_t)small1[1]) * small2[0];
+ low = a;
+ high = a >> 64;
+ out[1] += low;
+ out[2] += high;
+
+ a = ((uint128_t)small1[0]) * small2[2];
+ low = a;
+ high = a >> 64;
+ out[2] += low;
+ out[3] = high;
+
+ a = ((uint128_t)small1[1]) * small2[1];
+ low = a;
+ high = a >> 64;
+ out[2] += low;
+ out[3] += high;
+
+ a = ((uint128_t)small1[2]) * small2[0];
+ low = a;
+ high = a >> 64;
+ out[2] += low;
+ out[3] += high;
+
+ a = ((uint128_t)small1[0]) * small2[3];
+ low = a;
+ high = a >> 64;
+ out[3] += low;
+ out[4] = high;
+
+ a = ((uint128_t)small1[1]) * small2[2];
+ low = a;
+ high = a >> 64;
+ out[3] += low;
+ out[4] += high;
+
+ a = ((uint128_t)small1[2]) * small2[1];
+ low = a;
+ high = a >> 64;
+ out[3] += low;
+ out[4] += high;
+
+ a = ((uint128_t)small1[3]) * small2[0];
+ low = a;
+ high = a >> 64;
+ out[3] += low;
+ out[4] += high;
+
+ a = ((uint128_t)small1[1]) * small2[3];
+ low = a;
+ high = a >> 64;
+ out[4] += low;
+ out[5] = high;
+
+ a = ((uint128_t)small1[2]) * small2[2];
+ low = a;
+ high = a >> 64;
+ out[4] += low;
+ out[5] += high;
+
+ a = ((uint128_t)small1[3]) * small2[1];
+ low = a;
+ high = a >> 64;
+ out[4] += low;
+ out[5] += high;
+
+ a = ((uint128_t)small1[2]) * small2[3];
+ low = a;
+ high = a >> 64;
+ out[5] += low;
+ out[6] = high;
+
+ a = ((uint128_t)small1[3]) * small2[2];
+ low = a;
+ high = a >> 64;
+ out[5] += low;
+ out[6] += high;
+
+ a = ((uint128_t)small1[3]) * small2[3];
+ low = a;
+ high = a >> 64;
+ out[6] += low;
+ out[7] = high;
+}
+
+/* felem_mul sets |out| = |in1| * |in2|
+ * On entry:
+ * in1[i] < 2^109
+ * in2[i] < 2^109
+ * On exit:
+ * out[i] < 7 * 2^64 < 2^67 */
+static void felem_mul(longfelem out, const felem in1, const felem in2) {
+ smallfelem small1, small2;
+ felem_shrink(small1, in1);
+ felem_shrink(small2, in2);
+ smallfelem_mul(out, small1, small2);
+}
+
+/* felem_small_mul sets |out| = |small1| * |in2|
+ * On entry:
+ * small1[i] < 2^64
+ * in2[i] < 2^109
+ * On exit:
+ * out[i] < 7 * 2^64 < 2^67 */
+static void felem_small_mul(longfelem out, const smallfelem small1,
+ const felem in2) {
+ smallfelem small2;
+ felem_shrink(small2, in2);
+ smallfelem_mul(out, small1, small2);
+}
+
+#define two100m36m4 (((limb)1) << 100) - (((limb)1) << 36) - (((limb)1) << 4)
+#define two100 (((limb)1) << 100)
+#define two100m36p4 (((limb)1) << 100) - (((limb)1) << 36) + (((limb)1) << 4)
+
+/* zero100 is 0 mod p */
+static const felem zero100 = {two100m36m4, two100, two100m36p4, two100m36p4};
+
+/* Internal function for the different flavours of felem_reduce.
+ * felem_reduce_ reduces the higher coefficients in[4]-in[7].
+ * On entry:
+ * out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7]
+ * out[1] >= in[7] + 2^32*in[4]
+ * out[2] >= in[5] + 2^32*in[5]
+ * out[3] >= in[4] + 2^32*in[5] + 2^32*in[6]
+ * On exit:
+ * out[0] <= out[0] + in[4] + 2^32*in[5]
+ * out[1] <= out[1] + in[5] + 2^33*in[6]
+ * out[2] <= out[2] + in[7] + 2*in[6] + 2^33*in[7]
+ * out[3] <= out[3] + 2^32*in[4] + 3*in[7] */
+static void felem_reduce_(felem out, const longfelem in) {
+ int128_t c;
+ /* combine common terms from below */
+ c = in[4] + (in[5] << 32);
+ out[0] += c;
+ out[3] -= c;
+
+ c = in[5] - in[7];
+ out[1] += c;
+ out[2] -= c;
+
+ /* the remaining terms */
+ /* 256: [(0,1),(96,-1),(192,-1),(224,1)] */
+ out[1] -= (in[4] << 32);
+ out[3] += (in[4] << 32);
+
+ /* 320: [(32,1),(64,1),(128,-1),(160,-1),(224,-1)] */
+ out[2] -= (in[5] << 32);
+
+ /* 384: [(0,-1),(32,-1),(96,2),(128,2),(224,-1)] */
+ out[0] -= in[6];
+ out[0] -= (in[6] << 32);
+ out[1] += (in[6] << 33);
+ out[2] += (in[6] * 2);
+ out[3] -= (in[6] << 32);
+
+ /* 448: [(0,-1),(32,-1),(64,-1),(128,1),(160,2),(192,3)] */
+ out[0] -= in[7];
+ out[0] -= (in[7] << 32);
+ out[2] += (in[7] << 33);
+ out[3] += (in[7] * 3);
+}
+
+/* felem_reduce converts a longfelem into an felem.
+ * To be called directly after felem_square or felem_mul.
+ * On entry:
+ * in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
+ * in[4] < 7*2^64, in[5] < 5*2^64, in[6] < 3*2^64, in[7] < 2*64
+ * On exit:
+ * out[i] < 2^101 */
+static void felem_reduce(felem out, const longfelem in) {
+ out[0] = zero100[0] + in[0];
+ out[1] = zero100[1] + in[1];
+ out[2] = zero100[2] + in[2];
+ out[3] = zero100[3] + in[3];
+
+ felem_reduce_(out, in);
+
+ /* out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
+ * out[1] > 2^100 - 2^64 - 7*2^96 > 0
+ * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
+ * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
+ *
+ * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101
+ * out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101
+ * out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101
+ * out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101 */
+}
+
+/* felem_reduce_zero105 converts a larger longfelem into an felem.
+ * On entry:
+ * in[0] < 2^71
+ * On exit:
+ * out[i] < 2^106 */
+static void felem_reduce_zero105(felem out, const longfelem in) {
+ out[0] = zero105[0] + in[0];
+ out[1] = zero105[1] + in[1];
+ out[2] = zero105[2] + in[2];
+ out[3] = zero105[3] + in[3];
+
+ felem_reduce_(out, in);
+
+ /* out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
+ * out[1] > 2^105 - 2^71 - 2^103 > 0
+ * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
+ * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
+ *
+ * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
+ * out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
+ * out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106
+ * out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106 */
+}
+
+/* subtract_u64 sets *result = *result - v and *carry to one if the
+ * subtraction underflowed. */
+static void subtract_u64(u64 *result, u64 *carry, u64 v) {
+ uint128_t r = *result;
+ r -= v;
+ *carry = (r >> 64) & 1;
+ *result = (u64)r;
+}
+
+/* felem_contract converts |in| to its unique, minimal representation. On
+ * entry: in[i] < 2^109. */
+static void felem_contract(smallfelem out, const felem in) {
+ u64 all_equal_so_far = 0, result = 0;
+
+ felem_shrink(out, in);
+ /* small is minimal except that the value might be > p */
+
+ all_equal_so_far--;
+ /* We are doing a constant time test if out >= kPrime. We need to compare
+ * each u64, from most-significant to least significant. For each one, if
+ * all words so far have been equal (m is all ones) then a non-equal
+ * result is the answer. Otherwise we continue. */
+ unsigned i;
+ for (i = 3; i < 4; i--) {
+ u64 equal;
+ uint128_t a = ((uint128_t)kPrime[i]) - out[i];
+ /* if out[i] > kPrime[i] then a will underflow and the high 64-bits
+ * will all be set. */
+ result |= all_equal_so_far & ((u64)(a >> 64));
+
+ /* if kPrime[i] == out[i] then |equal| will be all zeros and the
+ * decrement will make it all ones. */
+ equal = kPrime[i] ^ out[i];
+ equal--;
+ equal &= equal << 32;
+ equal &= equal << 16;
+ equal &= equal << 8;
+ equal &= equal << 4;
+ equal &= equal << 2;
+ equal &= equal << 1;
+ equal = ((s64)equal) >> 63;
+
+ all_equal_so_far &= equal;
+ }
+
+ /* if all_equal_so_far is still all ones then the two values are equal
+ * and so out >= kPrime is true. */
+ result |= all_equal_so_far;
+
+ /* if out >= kPrime then we subtract kPrime. */
+ u64 carry;
+ subtract_u64(&out[0], &carry, result & kPrime[0]);
+ subtract_u64(&out[1], &carry, carry);
+ subtract_u64(&out[2], &carry, carry);
+ subtract_u64(&out[3], &carry, carry);
+
+ subtract_u64(&out[1], &carry, result & kPrime[1]);
+ subtract_u64(&out[2], &carry, carry);
+ subtract_u64(&out[3], &carry, carry);
+
+ subtract_u64(&out[2], &carry, result & kPrime[2]);
+ subtract_u64(&out[3], &carry, carry);
+
+ subtract_u64(&out[3], &carry, result & kPrime[3]);
+}
+
+static void smallfelem_square_contract(smallfelem out, const smallfelem in) {
+ longfelem longtmp;
+ felem tmp;
+
+ smallfelem_square(longtmp, in);
+ felem_reduce(tmp, longtmp);
+ felem_contract(out, tmp);
+}
+
+static void smallfelem_mul_contract(smallfelem out, const smallfelem in1,
+ const smallfelem in2) {
+ longfelem longtmp;
+ felem tmp;
+
+ smallfelem_mul(longtmp, in1, in2);
+ felem_reduce(tmp, longtmp);
+ felem_contract(out, tmp);
+}
+
+/* felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
+ * otherwise.
+ * On entry:
+ * small[i] < 2^64 */
+static limb smallfelem_is_zero(const smallfelem small) {
+ limb result;
+ u64 is_p;
+
+ u64 is_zero = small[0] | small[1] | small[2] | small[3];
+ is_zero--;
+ is_zero &= is_zero << 32;
+ is_zero &= is_zero << 16;
+ is_zero &= is_zero << 8;
+ is_zero &= is_zero << 4;
+ is_zero &= is_zero << 2;
+ is_zero &= is_zero << 1;
+ is_zero = ((s64)is_zero) >> 63;
+
+ is_p = (small[0] ^ kPrime[0]) | (small[1] ^ kPrime[1]) |
+ (small[2] ^ kPrime[2]) | (small[3] ^ kPrime[3]);
+ is_p--;
+ is_p &= is_p << 32;
+ is_p &= is_p << 16;
+ is_p &= is_p << 8;
+ is_p &= is_p << 4;
+ is_p &= is_p << 2;
+ is_p &= is_p << 1;
+ is_p = ((s64)is_p) >> 63;
+
+ is_zero |= is_p;
+
+ result = is_zero;
+ result |= ((limb)is_zero) << 64;
+ return result;
+}
+
+static int smallfelem_is_zero_int(const smallfelem small) {
+ return (int)(smallfelem_is_zero(small) & ((limb)1));
+}
+
+/* felem_inv calculates |out| = |in|^{-1}
+ *
+ * Based on Fermat's Little Theorem:
+ * a^p = a (mod p)
+ * a^{p-1} = 1 (mod p)
+ * a^{p-2} = a^{-1} (mod p) */
+static void felem_inv(felem out, const felem in) {
+ felem ftmp, ftmp2;
+ /* each e_I will hold |in|^{2^I - 1} */
+ felem e2, e4, e8, e16, e32, e64;
+ longfelem tmp;
+ unsigned i;
+
+ felem_square(tmp, in);
+ felem_reduce(ftmp, tmp); /* 2^1 */
+ felem_mul(tmp, in, ftmp);
+ felem_reduce(ftmp, tmp); /* 2^2 - 2^0 */
+ felem_assign(e2, ftmp);
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp); /* 2^3 - 2^1 */
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp); /* 2^4 - 2^2 */
+ felem_mul(tmp, ftmp, e2);
+ felem_reduce(ftmp, tmp); /* 2^4 - 2^0 */
+ felem_assign(e4, ftmp);
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp); /* 2^5 - 2^1 */
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp); /* 2^6 - 2^2 */
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp); /* 2^7 - 2^3 */
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp); /* 2^8 - 2^4 */
+ felem_mul(tmp, ftmp, e4);
+ felem_reduce(ftmp, tmp); /* 2^8 - 2^0 */
+ felem_assign(e8, ftmp);
+ for (i = 0; i < 8; i++) {
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp);
+ } /* 2^16 - 2^8 */
+ felem_mul(tmp, ftmp, e8);
+ felem_reduce(ftmp, tmp); /* 2^16 - 2^0 */
+ felem_assign(e16, ftmp);
+ for (i = 0; i < 16; i++) {
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp);
+ } /* 2^32 - 2^16 */
+ felem_mul(tmp, ftmp, e16);
+ felem_reduce(ftmp, tmp); /* 2^32 - 2^0 */
+ felem_assign(e32, ftmp);
+ for (i = 0; i < 32; i++) {
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp);
+ } /* 2^64 - 2^32 */
+ felem_assign(e64, ftmp);
+ felem_mul(tmp, ftmp, in);
+ felem_reduce(ftmp, tmp); /* 2^64 - 2^32 + 2^0 */
+ for (i = 0; i < 192; i++) {
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp);
+ } /* 2^256 - 2^224 + 2^192 */
+
+ felem_mul(tmp, e64, e32);
+ felem_reduce(ftmp2, tmp); /* 2^64 - 2^0 */
+ for (i = 0; i < 16; i++) {
+ felem_square(tmp, ftmp2);
+ felem_reduce(ftmp2, tmp);
+ } /* 2^80 - 2^16 */
+ felem_mul(tmp, ftmp2, e16);
+ felem_reduce(ftmp2, tmp); /* 2^80 - 2^0 */
+ for (i = 0; i < 8; i++) {
+ felem_square(tmp, ftmp2);
+ felem_reduce(ftmp2, tmp);
+ } /* 2^88 - 2^8 */
+ felem_mul(tmp, ftmp2, e8);
+ felem_reduce(ftmp2, tmp); /* 2^88 - 2^0 */
+ for (i = 0; i < 4; i++) {
+ felem_square(tmp, ftmp2);
+ felem_reduce(ftmp2, tmp);
+ } /* 2^92 - 2^4 */
+ felem_mul(tmp, ftmp2, e4);
+ felem_reduce(ftmp2, tmp); /* 2^92 - 2^0 */
+ felem_square(tmp, ftmp2);
+ felem_reduce(ftmp2, tmp); /* 2^93 - 2^1 */
+ felem_square(tmp, ftmp2);
+ felem_reduce(ftmp2, tmp); /* 2^94 - 2^2 */
+ felem_mul(tmp, ftmp2, e2);
+ felem_reduce(ftmp2, tmp); /* 2^94 - 2^0 */
+ felem_square(tmp, ftmp2);
+ felem_reduce(ftmp2, tmp); /* 2^95 - 2^1 */
+ felem_square(tmp, ftmp2);
+ felem_reduce(ftmp2, tmp); /* 2^96 - 2^2 */
+ felem_mul(tmp, ftmp2, in);
+ felem_reduce(ftmp2, tmp); /* 2^96 - 3 */
+
+ felem_mul(tmp, ftmp2, ftmp);
+ felem_reduce(out, tmp); /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */
+}
+
+static void smallfelem_inv_contract(smallfelem out, const smallfelem in) {
+ felem tmp;
+
+ smallfelem_expand(tmp, in);
+ felem_inv(tmp, tmp);
+ felem_contract(out, tmp);
+}
+
+/* Group operations
+ * ----------------
+ *
+ * Building on top of the field operations we have the operations on the
+ * elliptic curve group itself. Points on the curve are represented in Jacobian
+ * coordinates. */
+
+/* point_double calculates 2*(x_in, y_in, z_in)
+ *
+ * The method is taken from:
+ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
+ *
+ * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
+ * while x_out == y_in is not (maybe this works, but it's not tested). */
+static void point_double(felem x_out, felem y_out, felem z_out,
+ const felem x_in, const felem y_in, const felem z_in) {
+ longfelem tmp, tmp2;
+ felem delta, gamma, beta, alpha, ftmp, ftmp2;
+ smallfelem small1, small2;
+
+ felem_assign(ftmp, x_in);
+ /* ftmp[i] < 2^106 */
+ felem_assign(ftmp2, x_in);
+ /* ftmp2[i] < 2^106 */
+
+ /* delta = z^2 */
+ felem_square(tmp, z_in);
+ felem_reduce(delta, tmp);
+ /* delta[i] < 2^101 */
+
+ /* gamma = y^2 */
+ felem_square(tmp, y_in);
+ felem_reduce(gamma, tmp);
+ /* gamma[i] < 2^101 */
+ felem_shrink(small1, gamma);
+
+ /* beta = x*gamma */
+ felem_small_mul(tmp, small1, x_in);
+ felem_reduce(beta, tmp);
+ /* beta[i] < 2^101 */
+
+ /* alpha = 3*(x-delta)*(x+delta) */
+ felem_diff(ftmp, delta);
+ /* ftmp[i] < 2^105 + 2^106 < 2^107 */
+ felem_sum(ftmp2, delta);
+ /* ftmp2[i] < 2^105 + 2^106 < 2^107 */
+ felem_scalar(ftmp2, 3);
+ /* ftmp2[i] < 3 * 2^107 < 2^109 */
+ felem_mul(tmp, ftmp, ftmp2);
+ felem_reduce(alpha, tmp);
+ /* alpha[i] < 2^101 */
+ felem_shrink(small2, alpha);
+
+ /* x' = alpha^2 - 8*beta */
+ smallfelem_square(tmp, small2);
+ felem_reduce(x_out, tmp);
+ felem_assign(ftmp, beta);
+ felem_scalar(ftmp, 8);
+ /* ftmp[i] < 8 * 2^101 = 2^104 */
+ felem_diff(x_out, ftmp);
+ /* x_out[i] < 2^105 + 2^101 < 2^106 */
+
+ /* z' = (y + z)^2 - gamma - delta */
+ felem_sum(delta, gamma);
+ /* delta[i] < 2^101 + 2^101 = 2^102 */
+ felem_assign(ftmp, y_in);
+ felem_sum(ftmp, z_in);
+ /* ftmp[i] < 2^106 + 2^106 = 2^107 */
+ felem_square(tmp, ftmp);
+ felem_reduce(z_out, tmp);
+ felem_diff(z_out, delta);
+ /* z_out[i] < 2^105 + 2^101 < 2^106 */
+
+ /* y' = alpha*(4*beta - x') - 8*gamma^2 */
+ felem_scalar(beta, 4);
+ /* beta[i] < 4 * 2^101 = 2^103 */
+ felem_diff_zero107(beta, x_out);
+ /* beta[i] < 2^107 + 2^103 < 2^108 */
+ felem_small_mul(tmp, small2, beta);
+ /* tmp[i] < 7 * 2^64 < 2^67 */
+ smallfelem_square(tmp2, small1);
+ /* tmp2[i] < 7 * 2^64 */
+ longfelem_scalar(tmp2, 8);
+ /* tmp2[i] < 8 * 7 * 2^64 = 7 * 2^67 */
+ longfelem_diff(tmp, tmp2);
+ /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
+ felem_reduce_zero105(y_out, tmp);
+ /* y_out[i] < 2^106 */
+}
+
+/* point_double_small is the same as point_double, except that it operates on
+ * smallfelems. */
+static void point_double_small(smallfelem x_out, smallfelem y_out,
+ smallfelem z_out, const smallfelem x_in,
+ const smallfelem y_in, const smallfelem z_in) {
+ felem felem_x_out, felem_y_out, felem_z_out;
+ felem felem_x_in, felem_y_in, felem_z_in;
+
+ smallfelem_expand(felem_x_in, x_in);
+ smallfelem_expand(felem_y_in, y_in);
+ smallfelem_expand(felem_z_in, z_in);
+ point_double(felem_x_out, felem_y_out, felem_z_out, felem_x_in, felem_y_in,
+ felem_z_in);
+ felem_shrink(x_out, felem_x_out);
+ felem_shrink(y_out, felem_y_out);
+ felem_shrink(z_out, felem_z_out);
+}
+
+/* copy_conditional copies in to out iff mask is all ones. */
+static void copy_conditional(felem out, const felem in, limb mask) {
+ unsigned i;
+ for (i = 0; i < NLIMBS; ++i) {
+ const limb tmp = mask & (in[i] ^ out[i]);
+ out[i] ^= tmp;
+ }
+}
+
+/* copy_small_conditional copies in to out iff mask is all ones. */
+static void copy_small_conditional(felem out, const smallfelem in, limb mask) {
+ unsigned i;
+ const u64 mask64 = mask;
+ for (i = 0; i < NLIMBS; ++i) {
+ out[i] = ((limb)(in[i] & mask64)) | (out[i] & ~mask);
+ }
+}
+
+/* point_add calcuates (x1, y1, z1) + (x2, y2, z2)
+ *
+ * The method is taken from:
+ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
+ * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
+ *
+ * This function includes a branch for checking whether the two input points
+ * are equal, (while not equal to the point at infinity). This case never
+ * happens during single point multiplication, so there is no timing leak for
+ * ECDH or ECDSA signing. */
+static void point_add(felem x3, felem y3, felem z3, const felem x1,
+ const felem y1, const felem z1, const int mixed,
+ const smallfelem x2, const smallfelem y2,
+ const smallfelem z2) {
+ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
+ longfelem tmp, tmp2;
+ smallfelem small1, small2, small3, small4, small5;
+ limb x_equal, y_equal, z1_is_zero, z2_is_zero;
+
+ felem_shrink(small3, z1);
+
+ z1_is_zero = smallfelem_is_zero(small3);
+ z2_is_zero = smallfelem_is_zero(z2);
+
+ /* ftmp = z1z1 = z1**2 */
+ smallfelem_square(tmp, small3);
+ felem_reduce(ftmp, tmp);
+ /* ftmp[i] < 2^101 */
+ felem_shrink(small1, ftmp);
+
+ if (!mixed) {
+ /* ftmp2 = z2z2 = z2**2 */
+ smallfelem_square(tmp, z2);
+ felem_reduce(ftmp2, tmp);
+ /* ftmp2[i] < 2^101 */
+ felem_shrink(small2, ftmp2);
+
+ felem_shrink(small5, x1);
+
+ /* u1 = ftmp3 = x1*z2z2 */
+ smallfelem_mul(tmp, small5, small2);
+ felem_reduce(ftmp3, tmp);
+ /* ftmp3[i] < 2^101 */
+
+ /* ftmp5 = z1 + z2 */
+ felem_assign(ftmp5, z1);
+ felem_small_sum(ftmp5, z2);
+ /* ftmp5[i] < 2^107 */
+
+ /* ftmp5 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2 */
+ felem_square(tmp, ftmp5);
+ felem_reduce(ftmp5, tmp);
+ /* ftmp2 = z2z2 + z1z1 */
+ felem_sum(ftmp2, ftmp);
+ /* ftmp2[i] < 2^101 + 2^101 = 2^102 */
+ felem_diff(ftmp5, ftmp2);
+ /* ftmp5[i] < 2^105 + 2^101 < 2^106 */
+
+ /* ftmp2 = z2 * z2z2 */
+ smallfelem_mul(tmp, small2, z2);
+ felem_reduce(ftmp2, tmp);
+
+ /* s1 = ftmp2 = y1 * z2**3 */
+ felem_mul(tmp, y1, ftmp2);
+ felem_reduce(ftmp6, tmp);
+ /* ftmp6[i] < 2^101 */
+ } else {
+ /* We'll assume z2 = 1 (special case z2 = 0 is handled later). */
+
+ /* u1 = ftmp3 = x1*z2z2 */
+ felem_assign(ftmp3, x1);
+ /* ftmp3[i] < 2^106 */
+
+ /* ftmp5 = 2z1z2 */
+ felem_assign(ftmp5, z1);
+ felem_scalar(ftmp5, 2);
+ /* ftmp5[i] < 2*2^106 = 2^107 */
+
+ /* s1 = ftmp2 = y1 * z2**3 */
+ felem_assign(ftmp6, y1);
+ /* ftmp6[i] < 2^106 */
+ }
+
+ /* u2 = x2*z1z1 */
+ smallfelem_mul(tmp, x2, small1);
+ felem_reduce(ftmp4, tmp);
+
+ /* h = ftmp4 = u2 - u1 */
+ felem_diff_zero107(ftmp4, ftmp3);
+ /* ftmp4[i] < 2^107 + 2^101 < 2^108 */
+ felem_shrink(small4, ftmp4);
+
+ x_equal = smallfelem_is_zero(small4);
+
+ /* z_out = ftmp5 * h */
+ felem_small_mul(tmp, small4, ftmp5);
+ felem_reduce(z_out, tmp);
+ /* z_out[i] < 2^101 */
+
+ /* ftmp = z1 * z1z1 */
+ smallfelem_mul(tmp, small1, small3);
+ felem_reduce(ftmp, tmp);
+
+ /* s2 = tmp = y2 * z1**3 */
+ felem_small_mul(tmp, y2, ftmp);
+ felem_reduce(ftmp5, tmp);
+
+ /* r = ftmp5 = (s2 - s1)*2 */
+ felem_diff_zero107(ftmp5, ftmp6);
+ /* ftmp5[i] < 2^107 + 2^107 = 2^108 */
+ felem_scalar(ftmp5, 2);
+ /* ftmp5[i] < 2^109 */
+ felem_shrink(small1, ftmp5);
+ y_equal = smallfelem_is_zero(small1);
+
+ if (x_equal && y_equal && !z1_is_zero && !z2_is_zero) {
+ point_double(x3, y3, z3, x1, y1, z1);
+ return;
+ }
+
+ /* I = ftmp = (2h)**2 */
+ felem_assign(ftmp, ftmp4);
+ felem_scalar(ftmp, 2);
+ /* ftmp[i] < 2*2^108 = 2^109 */
+ felem_square(tmp, ftmp);
+ felem_reduce(ftmp, tmp);
+
+ /* J = ftmp2 = h * I */
+ felem_mul(tmp, ftmp4, ftmp);
+ felem_reduce(ftmp2, tmp);
+
+ /* V = ftmp4 = U1 * I */
+ felem_mul(tmp, ftmp3, ftmp);
+ felem_reduce(ftmp4, tmp);
+
+ /* x_out = r**2 - J - 2V */
+ smallfelem_square(tmp, small1);
+ felem_reduce(x_out, tmp);
+ felem_assign(ftmp3, ftmp4);
+ felem_scalar(ftmp4, 2);
+ felem_sum(ftmp4, ftmp2);
+ /* ftmp4[i] < 2*2^101 + 2^101 < 2^103 */
+ felem_diff(x_out, ftmp4);
+ /* x_out[i] < 2^105 + 2^101 */
+
+ /* y_out = r(V-x_out) - 2 * s1 * J */
+ felem_diff_zero107(ftmp3, x_out);
+ /* ftmp3[i] < 2^107 + 2^101 < 2^108 */
+ felem_small_mul(tmp, small1, ftmp3);
+ felem_mul(tmp2, ftmp6, ftmp2);
+ longfelem_scalar(tmp2, 2);
+ /* tmp2[i] < 2*2^67 = 2^68 */
+ longfelem_diff(tmp, tmp2);
+ /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
+ felem_reduce_zero105(y_out, tmp);
+ /* y_out[i] < 2^106 */
+
+ copy_small_conditional(x_out, x2, z1_is_zero);
+ copy_conditional(x_out, x1, z2_is_zero);
+ copy_small_conditional(y_out, y2, z1_is_zero);
+ copy_conditional(y_out, y1, z2_is_zero);
+ copy_small_conditional(z_out, z2, z1_is_zero);
+ copy_conditional(z_out, z1, z2_is_zero);
+ felem_assign(x3, x_out);
+ felem_assign(y3, y_out);
+ felem_assign(z3, z_out);
+}
+
+/* point_add_small is the same as point_add, except that it operates on
+ * smallfelems. */
+static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
+ smallfelem x1, smallfelem y1, smallfelem z1,
+ smallfelem x2, smallfelem y2, smallfelem z2) {
+ felem felem_x3, felem_y3, felem_z3;
+ felem felem_x1, felem_y1, felem_z1;
+ smallfelem_expand(felem_x1, x1);
+ smallfelem_expand(felem_y1, y1);
+ smallfelem_expand(felem_z1, z1);
+ point_add(felem_x3, felem_y3, felem_z3, felem_x1, felem_y1, felem_z1, 0, x2,
+ y2, z2);
+ felem_shrink(x3, felem_x3);
+ felem_shrink(y3, felem_y3);
+ felem_shrink(z3, felem_z3);
+}
+
+/* Base point pre computation
+ * --------------------------
+ *
+ * Two different sorts of precomputed tables are used in the following code.
+ * Each contain various points on the curve, where each point is three field
+ * elements (x, y, z).
+ *
+ * For the base point table, z is usually 1 (0 for the point at infinity).
+ * This table has 2 * 16 elements, starting with the following:
+ * index | bits | point
+ * ------+---------+------------------------------
+ * 0 | 0 0 0 0 | 0G
+ * 1 | 0 0 0 1 | 1G
+ * 2 | 0 0 1 0 | 2^64G
+ * 3 | 0 0 1 1 | (2^64 + 1)G
+ * 4 | 0 1 0 0 | 2^128G
+ * 5 | 0 1 0 1 | (2^128 + 1)G
+ * 6 | 0 1 1 0 | (2^128 + 2^64)G
+ * 7 | 0 1 1 1 | (2^128 + 2^64 + 1)G
+ * 8 | 1 0 0 0 | 2^192G
+ * 9 | 1 0 0 1 | (2^192 + 1)G
+ * 10 | 1 0 1 0 | (2^192 + 2^64)G
+ * 11 | 1 0 1 1 | (2^192 + 2^64 + 1)G
+ * 12 | 1 1 0 0 | (2^192 + 2^128)G
+ * 13 | 1 1 0 1 | (2^192 + 2^128 + 1)G
+ * 14 | 1 1 1 0 | (2^192 + 2^128 + 2^64)G
+ * 15 | 1 1 1 1 | (2^192 + 2^128 + 2^64 + 1)G
+ * followed by a copy of this with each element multiplied by 2^32.
+ *
+ * The reason for this is so that we can clock bits into four different
+ * locations when doing simple scalar multiplies against the base point,
+ * and then another four locations using the second 16 elements.
+ *
+ * Tables for other points have table[i] = iG for i in 0 .. 16. */
+
+/* gmul is the table of precomputed base points */
+static const smallfelem gmul[2][16][3] = {
+ {{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}},
+ {{0xf4a13945d898c296, 0x77037d812deb33a0, 0xf8bce6e563a440f2,
+ 0x6b17d1f2e12c4247},
+ {0xcbb6406837bf51f5, 0x2bce33576b315ece, 0x8ee7eb4a7c0f9e16,
+ 0x4fe342e2fe1a7f9b},
+ {1, 0, 0, 0}},
+ {{0x90e75cb48e14db63, 0x29493baaad651f7e, 0x8492592e326e25de,
+ 0x0fa822bc2811aaa5},
+ {0xe41124545f462ee7, 0x34b1a65050fe82f5, 0x6f4ad4bcb3df188b,
+ 0xbff44ae8f5dba80d},
+ {1, 0, 0, 0}},
+ {{0x93391ce2097992af, 0xe96c98fd0d35f1fa, 0xb257c0de95e02789,
+ 0x300a4bbc89d6726f},
+ {0xaa54a291c08127a0, 0x5bb1eeada9d806a5, 0x7f1ddb25ff1e3c6f,
+ 0x72aac7e0d09b4644},
+ {1, 0, 0, 0}},
+ {{0x57c84fc9d789bd85, 0xfc35ff7dc297eac3, 0xfb982fd588c6766e,
+ 0x447d739beedb5e67},
+ {0x0c7e33c972e25b32, 0x3d349b95a7fae500, 0xe12e9d953a4aaff7,
+ 0x2d4825ab834131ee},
+ {1, 0, 0, 0}},
+ {{0x13949c932a1d367f, 0xef7fbd2b1a0a11b7, 0xddc6068bb91dfc60,
+ 0xef9519328a9c72ff},
+ {0x196035a77376d8a8, 0x23183b0895ca1740, 0xc1ee9807022c219c,
+ 0x611e9fc37dbb2c9b},
+ {1, 0, 0, 0}},
+ {{0xcae2b1920b57f4bc, 0x2936df5ec6c9bc36, 0x7dea6482e11238bf,
+ 0x550663797b51f5d8},
+ {0x44ffe216348a964c, 0x9fb3d576dbdefbe1, 0x0afa40018d9d50e5,
+ 0x157164848aecb851},
+ {1, 0, 0, 0}},
+ {{0xe48ecafffc5cde01, 0x7ccd84e70d715f26, 0xa2e8f483f43e4391,
+ 0xeb5d7745b21141ea},
+ {0xcac917e2731a3479, 0x85f22cfe2844b645, 0x0990e6a158006cee,
+ 0xeafd72ebdbecc17b},
+ {1, 0, 0, 0}},
+ {{0x6cf20ffb313728be, 0x96439591a3c6b94a, 0x2736ff8344315fc5,
+ 0xa6d39677a7849276},
+ {0xf2bab833c357f5f4, 0x824a920c2284059b, 0x66b8babd2d27ecdf,
+ 0x674f84749b0b8816},
+ {1, 0, 0, 0}},
+ {{0x2df48c04677c8a3e, 0x74e02f080203a56b, 0x31855f7db8c7fedb,
+ 0x4e769e7672c9ddad},
+ {0xa4c36165b824bbb0, 0xfb9ae16f3b9122a5, 0x1ec0057206947281,
+ 0x42b99082de830663},
+ {1, 0, 0, 0}},
+ {{0x6ef95150dda868b9, 0xd1f89e799c0ce131, 0x7fdc1ca008a1c478,
+ 0x78878ef61c6ce04d},
+ {0x9c62b9121fe0d976, 0x6ace570ebde08d4f, 0xde53142c12309def,
+ 0xb6cb3f5d7b72c321},
+ {1, 0, 0, 0}},
+ {{0x7f991ed2c31a3573, 0x5b82dd5bd54fb496, 0x595c5220812ffcae,
+ 0x0c88bc4d716b1287},
+ {0x3a57bf635f48aca8, 0x7c8181f4df2564f3, 0x18d1b5b39c04e6aa,
+ 0xdd5ddea3f3901dc6},
+ {1, 0, 0, 0}},
+ {{0xe96a79fb3e72ad0c, 0x43a0a28c42ba792f, 0xefe0a423083e49f3,
+ 0x68f344af6b317466},
+ {0xcdfe17db3fb24d4a, 0x668bfc2271f5c626, 0x604ed93c24d67ff3,
+ 0x31b9c405f8540a20},
+ {1, 0, 0, 0}},
+ {{0xd36b4789a2582e7f, 0x0d1a10144ec39c28, 0x663c62c3edbad7a0,
+ 0x4052bf4b6f461db9},
+ {0x235a27c3188d25eb, 0xe724f33999bfcc5b, 0x862be6bd71d70cc8,
+ 0xfecf4d5190b0fc61},
+ {1, 0, 0, 0}},
+ {{0x74346c10a1d4cfac, 0xafdf5cc08526a7a4, 0x123202a8f62bff7a,
+ 0x1eddbae2c802e41a},
+ {0x8fa0af2dd603f844, 0x36e06b7e4c701917, 0x0c45f45273db33a0,
+ 0x43104d86560ebcfc},
+ {1, 0, 0, 0}},
+ {{0x9615b5110d1d78e5, 0x66b0de3225c4744b, 0x0a4a46fb6aaf363a,
+ 0xb48e26b484f7a21c},
+ {0x06ebb0f621a01b2d, 0xc004e4048b7b0f98, 0x64131bcdfed6f668,
+ 0xfac015404d4d3dab},
+ {1, 0, 0, 0}}},
+ {{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}},
+ {{0x3a5a9e22185a5943, 0x1ab919365c65dfb6, 0x21656b32262c71da,
+ 0x7fe36b40af22af89},
+ {0xd50d152c699ca101, 0x74b3d5867b8af212, 0x9f09f40407dca6f1,
+ 0xe697d45825b63624},
+ {1, 0, 0, 0}},
+ {{0xa84aa9397512218e, 0xe9a521b074ca0141, 0x57880b3a18a2e902,
+ 0x4a5b506612a677a6},
+ {0x0beada7a4c4f3840, 0x626db15419e26d9d, 0xc42604fbe1627d40,
+ 0xeb13461ceac089f1},
+ {1, 0, 0, 0}},
+ {{0xf9faed0927a43281, 0x5e52c4144103ecbc, 0xc342967aa815c857,
+ 0x0781b8291c6a220a},
+ {0x5a8343ceeac55f80, 0x88f80eeee54a05e3, 0x97b2a14f12916434,
+ 0x690cde8df0151593},
+ {1, 0, 0, 0}},
+ {{0xaee9c75df7f82f2a, 0x9e4c35874afdf43a, 0xf5622df437371326,
+ 0x8a535f566ec73617},
+ {0xc5f9a0ac223094b7, 0xcde533864c8c7669, 0x37e02819085a92bf,
+ 0x0455c08468b08bd7},
+ {1, 0, 0, 0}},
+ {{0x0c0a6e2c9477b5d9, 0xf9a4bf62876dc444, 0x5050a949b6cdc279,
+ 0x06bada7ab77f8276},
+ {0xc8b4aed1ea48dac9, 0xdebd8a4b7ea1070f, 0x427d49101366eb70,
+ 0x5b476dfd0e6cb18a},
+ {1, 0, 0, 0}},
+ {{0x7c5c3e44278c340a, 0x4d54606812d66f3b, 0x29a751b1ae23c5d8,
+ 0x3e29864e8a2ec908},
+ {0x142d2a6626dbb850, 0xad1744c4765bd780, 0x1f150e68e322d1ed,
+ 0x239b90ea3dc31e7e},
+ {1, 0, 0, 0}},
+ {{0x78c416527a53322a, 0x305dde6709776f8e, 0xdbcab759f8862ed4,
+ 0x820f4dd949f72ff7},
+ {0x6cc544a62b5debd4, 0x75be5d937b4e8cc4, 0x1b481b1b215c14d3,
+ 0x140406ec783a05ec},
+ {1, 0, 0, 0}},
+ {{0x6a703f10e895df07, 0xfd75f3fa01876bd8, 0xeb5b06e70ce08ffe,
+ 0x68f6b8542783dfee},
+ {0x90c76f8a78712655, 0xcf5293d2f310bf7f, 0xfbc8044dfda45028,
+ 0xcbe1feba92e40ce6},
+ {1, 0, 0, 0}},
+ {{0xe998ceea4396e4c1, 0xfc82ef0b6acea274, 0x230f729f2250e927,
+ 0xd0b2f94d2f420109},
+ {0x4305adddb38d4966, 0x10b838f8624c3b45, 0x7db2636658954e7a,
+ 0x971459828b0719e5},
+ {1, 0, 0, 0}},
+ {{0x4bd6b72623369fc9, 0x57f2929e53d0b876, 0xc2d5cba4f2340687,
+ 0x961610004a866aba},
+ {0x49997bcd2e407a5e, 0x69ab197d92ddcb24, 0x2cf1f2438fe5131c,
+ 0x7acb9fadcee75e44},
+ {1, 0, 0, 0}},
+ {{0x254e839423d2d4c0, 0xf57f0c917aea685b, 0xa60d880f6f75aaea,
+ 0x24eb9acca333bf5b},
+ {0xe3de4ccb1cda5dea, 0xfeef9341c51a6b4f, 0x743125f88bac4c4d,
+ 0x69f891c5acd079cc},
+ {1, 0, 0, 0}},
+ {{0xeee44b35702476b5, 0x7ed031a0e45c2258, 0xb422d1e7bd6f8514,
+ 0xe51f547c5972a107},
+ {0xa25bcd6fc9cf343d, 0x8ca922ee097c184e, 0xa62f98b3a9fe9a06,
+ 0x1c309a2b25bb1387},
+ {1, 0, 0, 0}},
+ {{0x9295dbeb1967c459, 0xb00148833472c98e, 0xc504977708011828,
+ 0x20b87b8aa2c4e503},
+ {0x3063175de057c277, 0x1bd539338fe582dd, 0x0d11adef5f69a044,
+ 0xf5c6fa49919776be},
+ {1, 0, 0, 0}},
+ {{0x8c944e760fd59e11, 0x3876cba1102fad5f, 0xa454c3fad83faa56,
+ 0x1ed7d1b9332010b9},
+ {0xa1011a270024b889, 0x05e4d0dcac0cd344, 0x52b520f0eb6a2a24,
+ 0x3a2b03f03217257a},
+ {1, 0, 0, 0}},
+ {{0xf20fc2afdf1d043d, 0xf330240db58d5a62, 0xfc7d229ca0058c3b,
+ 0x15fee545c78dd9f6},
+ {0x501e82885bc98cda, 0x41ef80e5d046ac04, 0x557d9f49461210fb,
+ 0x4ab5b6b2b8753f81},
+ {1, 0, 0, 0}}}};
+
+/* select_point selects the |idx|th point from a precomputation table and
+ * copies it to out. */
+static void select_point(const u64 idx, unsigned int size,
+ const smallfelem pre_comp[16][3], smallfelem out[3]) {
+ unsigned i, j;
+ u64 *outlimbs = &out[0][0];
+ memset(outlimbs, 0, 3 * sizeof(smallfelem));
+
+ for (i = 0; i < size; i++) {
+ const u64 *inlimbs = (u64 *)&pre_comp[i][0][0];
+ u64 mask = i ^ idx;
+ mask |= mask >> 4;
+ mask |= mask >> 2;
+ mask |= mask >> 1;
+ mask &= 1;
+ mask--;
+ for (j = 0; j < NLIMBS * 3; j++) {
+ outlimbs[j] |= inlimbs[j] & mask;
+ }
+ }
+}
+
+/* get_bit returns the |i|th bit in |in| */
+static char get_bit(const felem_bytearray in, int i) {
+ if (i < 0 || i >= 256) {
+ return 0;
+ }
+ return (in[i >> 3] >> (i & 7)) & 1;
+}
+
+/* Interleaved point multiplication using precomputed point multiples: The
+ * small point multiples 0*P, 1*P, ..., 17*P are in pre_comp[], the scalars
+ * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the
+ * generator, using certain (large) precomputed multiples in g_pre_comp.
+ * Output point (X, Y, Z) is stored in x_out, y_out, z_out. */
+static void batch_mul(felem x_out, felem y_out, felem z_out,
+ const felem_bytearray scalars[],
+ const unsigned num_points, const u8 *g_scalar,
+ const int mixed, const smallfelem pre_comp[][17][3],
+ const smallfelem g_pre_comp[2][16][3]) {
+ int i, skip;
+ unsigned num, gen_mul = (g_scalar != NULL);
+ felem nq[3], ftmp;
+ smallfelem tmp[3];
+ u64 bits;
+ u8 sign, digit;
+
+ /* set nq to the point at infinity */
+ memset(nq, 0, 3 * sizeof(felem));
+
+ /* Loop over all scalars msb-to-lsb, interleaving additions of multiples
+ * of the generator (two in each of the last 32 rounds) and additions of
+ * other points multiples (every 5th round). */
+
+ skip = 1; /* save two point operations in the first
+ * round */
+ for (i = (num_points ? 255 : 31); i >= 0; --i) {
+ /* double */
+ if (!skip) {
+ point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
+ }
+
+ /* add multiples of the generator */
+ if (gen_mul && i <= 31) {
+ /* first, look 32 bits upwards */
+ bits = get_bit(g_scalar, i + 224) << 3;
+ bits |= get_bit(g_scalar, i + 160) << 2;
+ bits |= get_bit(g_scalar, i + 96) << 1;
+ bits |= get_bit(g_scalar, i + 32);
+ /* select the point to add, in constant time */
+ select_point(bits, 16, g_pre_comp[1], tmp);
+
+ if (!skip) {
+ /* Arg 1 below is for "mixed" */
+ point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1, tmp[0], tmp[1],
+ tmp[2]);
+ } else {
+ smallfelem_expand(nq[0], tmp[0]);
+ smallfelem_expand(nq[1], tmp[1]);
+ smallfelem_expand(nq[2], tmp[2]);
+ skip = 0;
+ }
+
+ /* second, look at the current position */
+ bits = get_bit(g_scalar, i + 192) << 3;
+ bits |= get_bit(g_scalar, i + 128) << 2;
+ bits |= get_bit(g_scalar, i + 64) << 1;
+ bits |= get_bit(g_scalar, i);
+ /* select the point to add, in constant time */
+ select_point(bits, 16, g_pre_comp[0], tmp);
+ /* Arg 1 below is for "mixed" */
+ point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1, tmp[0], tmp[1],
+ tmp[2]);
+ }
+
+ /* do other additions every 5 doublings */
+ if (num_points && (i % 5 == 0)) {
+ /* loop over all scalars */
+ for (num = 0; num < num_points; ++num) {
+ bits = get_bit(scalars[num], i + 4) << 5;
+ bits |= get_bit(scalars[num], i + 3) << 4;
+ bits |= get_bit(scalars[num], i + 2) << 3;
+ bits |= get_bit(scalars[num], i + 1) << 2;
+ bits |= get_bit(scalars[num], i) << 1;
+ bits |= get_bit(scalars[num], i - 1);
+ ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
+
+ /* select the point to add or subtract, in constant time. */
+ select_point(digit, 17, pre_comp[num], tmp);
+ smallfelem_neg(ftmp, tmp[1]); /* (X, -Y, Z) is the negative
+ * point */
+ copy_small_conditional(ftmp, tmp[1], (((limb)sign) - 1));
+ felem_contract(tmp[1], ftmp);
+
+ if (!skip) {
+ point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], mixed, tmp[0],
+ tmp[1], tmp[2]);
+ } else {
+ smallfelem_expand(nq[0], tmp[0]);
+ smallfelem_expand(nq[1], tmp[1]);
+ smallfelem_expand(nq[2], tmp[2]);
+ skip = 0;
+ }
+ }
+ }
+ }
+ felem_assign(x_out, nq[0]);
+ felem_assign(y_out, nq[1]);
+ felem_assign(z_out, nq[2]);
+}
+
+/* Precomputation for the group generator. */
+typedef struct {
+ smallfelem g_pre_comp[2][16][3];
+ int references;
+} NISTP256_PRE_COMP;
+
+/******************************************************************************/
+/*
+ * OPENSSL EC_METHOD FUNCTIONS
+ */
+
+int ec_GFp_nistp256_group_init(EC_GROUP *group) {
+ int ret = ec_GFp_simple_group_init(group);
+ group->a_is_minus3 = 1;
+ return ret;
+}
+
+int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+ const BIGNUM *a, const BIGNUM *b,
+ BN_CTX *ctx) {
+ int ret = 0;
+ BN_CTX *new_ctx = NULL;
+ BIGNUM *curve_p, *curve_a, *curve_b;
+
+ if (ctx == NULL) {
+ if ((ctx = new_ctx = BN_CTX_new()) == NULL) {
+ return 0;
+ }
+ }
+ BN_CTX_start(ctx);
+ if (((curve_p = BN_CTX_get(ctx)) == NULL) ||
+ ((curve_a = BN_CTX_get(ctx)) == NULL) ||
+ ((curve_b = BN_CTX_get(ctx)) == NULL)) {
+ goto err;
+ }
+ BN_bin2bn(nistp256_curve_params[0], sizeof(felem_bytearray), curve_p);
+ BN_bin2bn(nistp256_curve_params[1], sizeof(felem_bytearray), curve_a);
+ BN_bin2bn(nistp256_curve_params[2], sizeof(felem_bytearray), curve_b);
+ if (BN_cmp(curve_p, p) ||
+ BN_cmp(curve_a, a) ||
+ BN_cmp(curve_b, b)) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_group_set_curve,
+ EC_R_WRONG_CURVE_PARAMETERS);
+ goto err;
+ }
+ ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
+
+err:
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+ return ret;
+}
+
+/* Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
+ * (X/Z^2, Y/Z^3). */
+int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
+ const EC_POINT *point,
+ BIGNUM *x, BIGNUM *y,
+ BN_CTX *ctx) {
+ felem z1, z2, x_in, y_in;
+ smallfelem x_out, y_out;
+ longfelem tmp;
+
+ if (EC_POINT_is_at_infinity(group, point)) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_point_get_affine_coordinates,
+ EC_R_POINT_AT_INFINITY);
+ return 0;
+ }
+ if (!BN_to_felem(x_in, &point->X) ||
+ !BN_to_felem(y_in, &point->Y) ||
+ !BN_to_felem(z1, &point->Z)) {
+ return 0;
+ }
+ felem_inv(z2, z1);
+ felem_square(tmp, z2);
+ felem_reduce(z1, tmp);
+ felem_mul(tmp, x_in, z1);
+ felem_reduce(x_in, tmp);
+ felem_contract(x_out, x_in);
+ if (x != NULL && !smallfelem_to_BN(x, x_out)) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_point_get_affine_coordinates,
+ ERR_R_BN_LIB);
+ return 0;
+ }
+ felem_mul(tmp, z1, z2);
+ felem_reduce(z1, tmp);
+ felem_mul(tmp, y_in, z1);
+ felem_reduce(y_in, tmp);
+ felem_contract(y_out, y_in);
+ if (y != NULL && !smallfelem_to_BN(y, y_out)) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_point_get_affine_coordinates,
+ ERR_R_BN_LIB);
+ return 0;
+ }
+ return 1;
+}
+
+/* points below is of size |num|, and tmp_smallfelems is of size |num+1| */
+static void make_points_affine(size_t num, smallfelem points[][3],
+ smallfelem tmp_smallfelems[]) {
+ /* Runs in constant time, unless an input is the point at infinity (which
+ * normally shouldn't happen). */
+ ec_GFp_nistp_points_make_affine_internal(
+ num, points, sizeof(smallfelem), tmp_smallfelems,
+ (void (*)(void *))smallfelem_one,
+ (int (*)(const void *))smallfelem_is_zero_int,
+ (void (*)(void *, const void *))smallfelem_assign,
+ (void (*)(void *, const void *))smallfelem_square_contract,
+ (void (*)(void *, const void *, const void *))smallfelem_mul_contract,
+ (void (*)(void *, const void *))smallfelem_inv_contract,
+ /* nothing to contract */
+ (void (*)(void *, const void *))smallfelem_assign);
+}
+
+/* Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL
+ * values Result is stored in r (r can equal one of the inputs). */
+int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
+ const BIGNUM *scalar, size_t num,
+ const EC_POINT *points[],
+ const BIGNUM *scalars[], BN_CTX *ctx) {
+ int ret = 0;
+ int j;
+ int mixed = 0;
+ BN_CTX *new_ctx = NULL;
+ BIGNUM *x, *y, *z, *tmp_scalar;
+ felem_bytearray g_secret;
+ felem_bytearray *secrets = NULL;
+ smallfelem(*pre_comp)[17][3] = NULL;
+ smallfelem *tmp_smallfelems = NULL;
+ felem_bytearray tmp;
+ unsigned i, num_bytes;
+ int have_pre_comp = 0;
+ size_t num_points = num;
+ smallfelem x_in, y_in, z_in;
+ felem x_out, y_out, z_out;
+ const smallfelem(*g_pre_comp)[16][3] = NULL;
+ EC_POINT *generator = NULL;
+ const EC_POINT *p = NULL;
+ const BIGNUM *p_scalar = NULL;
+
+ if (ctx == NULL) {
+ ctx = new_ctx = BN_CTX_new();
+ if (ctx == NULL) {
+ return 0;
+ }
+ }
+
+ BN_CTX_start(ctx);
+ if ((x = BN_CTX_get(ctx)) == NULL ||
+ (y = BN_CTX_get(ctx)) == NULL ||
+ (z = BN_CTX_get(ctx)) == NULL ||
+ (tmp_scalar = BN_CTX_get(ctx)) == NULL) {
+ goto err;
+ }
+
+ if (scalar != NULL) {
+ /* try to use the standard precomputation */
+ g_pre_comp = &gmul[0];
+ generator = EC_POINT_new(group);
+ if (generator == NULL) {
+ goto err;
+ }
+ /* get the generator from precomputation */
+ if (!smallfelem_to_BN(x, g_pre_comp[0][1][0]) ||
+ !smallfelem_to_BN(y, g_pre_comp[0][1][1]) ||
+ !smallfelem_to_BN(z, g_pre_comp[0][1][2])) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!ec_point_set_Jprojective_coordinates_GFp(group, generator, x, y, z,
+ ctx)) {
+ goto err;
+ }
+ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
+ /* precomputation matches generator */
+ have_pre_comp = 1;
+ } else {
+ /* we don't have valid precomputation: treat the generator as a
+ * random point. */
+ num_points++;
+ }
+ }
+
+ if (num_points > 0) {
+ if (num_points >= 3) {
+ /* unless we precompute multiples for just one or two points,
+ * converting those into affine form is time well spent */
+ mixed = 1;
+ }
+ secrets = OPENSSL_malloc(num_points * sizeof(felem_bytearray));
+ pre_comp = OPENSSL_malloc(num_points * 17 * 3 * sizeof(smallfelem));
+ if (mixed) {
+ tmp_smallfelems =
+ OPENSSL_malloc((num_points * 17 + 1) * sizeof(smallfelem));
+ }
+ if (secrets == NULL || pre_comp == NULL ||
+ (mixed && tmp_smallfelems == NULL)) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ /* we treat NULL scalars as 0, and NULL points as points at infinity,
+ * i.e., they contribute nothing to the linear combination. */
+ memset(secrets, 0, num_points * sizeof(felem_bytearray));
+ memset(pre_comp, 0, num_points * 17 * 3 * sizeof(smallfelem));
+ for (i = 0; i < num_points; ++i) {
+ if (i == num) {
+ /* we didn't have a valid precomputation, so we pick the generator. */
+ p = EC_GROUP_get0_generator(group);
+ p_scalar = scalar;
+ } else {
+ /* the i^th point */
+ p = points[i];
+ p_scalar = scalars[i];
+ }
+ if (p_scalar != NULL && p != NULL) {
+ /* reduce scalar to 0 <= scalar < 2^256 */
+ if (BN_num_bits(p_scalar) > 256 || BN_is_negative(p_scalar)) {
+ /* this is an unusual input, and we don't guarantee
+ * constant-timeness. */
+ if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_BN_LIB);
+ goto err;
+ }
+ num_bytes = BN_bn2bin(tmp_scalar, tmp);
+ } else {
+ num_bytes = BN_bn2bin(p_scalar, tmp);
+ }
+ flip_endian(secrets[i], tmp, num_bytes);
+ /* precompute multiples */
+ if (!BN_to_felem(x_out, &p->X) ||
+ !BN_to_felem(y_out, &p->Y) ||
+ !BN_to_felem(z_out, &p->Z)) {
+ goto err;
+ }
+ felem_shrink(pre_comp[i][1][0], x_out);
+ felem_shrink(pre_comp[i][1][1], y_out);
+ felem_shrink(pre_comp[i][1][2], z_out);
+ for (j = 2; j <= 16; ++j) {
+ if (j & 1) {
+ point_add_small(pre_comp[i][j][0], pre_comp[i][j][1],
+ pre_comp[i][j][2], pre_comp[i][1][0],
+ pre_comp[i][1][1], pre_comp[i][1][2],
+ pre_comp[i][j - 1][0], pre_comp[i][j - 1][1],
+ pre_comp[i][j - 1][2]);
+ } else {
+ point_double_small(pre_comp[i][j][0], pre_comp[i][j][1],
+ pre_comp[i][j][2], pre_comp[i][j / 2][0],
+ pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]);
+ }
+ }
+ }
+ }
+ if (mixed) {
+ make_points_affine(num_points * 17, pre_comp[0], tmp_smallfelems);
+ }
+ }
+
+ /* the scalar for the generator */
+ if (scalar != NULL && have_pre_comp) {
+ memset(g_secret, 0, sizeof(g_secret));
+ /* reduce scalar to 0 <= scalar < 2^256 */
+ if (BN_num_bits(scalar) > 256 || BN_is_negative(scalar)) {
+ /* this is an unusual input, and we don't guarantee
+ * constant-timeness. */
+ if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_BN_LIB);
+ goto err;
+ }
+ num_bytes = BN_bn2bin(tmp_scalar, tmp);
+ } else {
+ num_bytes = BN_bn2bin(scalar, tmp);
+ }
+ flip_endian(g_secret, tmp, num_bytes);
+ /* do the multiplication with generator precomputation */
+ batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets,
+ num_points, g_secret, mixed, (const smallfelem(*)[17][3])pre_comp,
+ g_pre_comp);
+ } else {
+ /* do the multiplication without generator precomputation */
+ batch_mul(x_out, y_out, z_out, (const felem_bytearray(*))secrets,
+ num_points, NULL, mixed, (const smallfelem(*)[17][3])pre_comp,
+ NULL);
+ }
+
+ /* reduce the output to its unique minimal representation */
+ felem_contract(x_in, x_out);
+ felem_contract(y_in, y_out);
+ felem_contract(z_in, z_out);
+ if (!smallfelem_to_BN(x, x_in) ||
+ !smallfelem_to_BN(y, y_in) ||
+ !smallfelem_to_BN(z, z_in)) {
+ OPENSSL_PUT_ERROR(EC, ec_GFp_nistp256_points_mul, ERR_R_BN_LIB);
+ goto err;
+ }
+ ret = ec_point_set_Jprojective_coordinates_GFp(group, r, x, y, z, ctx);
+
+err:
+ BN_CTX_end(ctx);
+ EC_POINT_free(generator);
+ BN_CTX_free(new_ctx);
+ OPENSSL_free(secrets);
+ OPENSSL_free(pre_comp);
+ OPENSSL_free(tmp_smallfelems);
+ return ret;
+}
+
+const EC_METHOD *EC_GFp_nistp256_method(void) {
+ static const EC_METHOD ret = {
+ EC_FLAGS_DEFAULT_OCT,
+ ec_GFp_nistp256_group_init,
+ ec_GFp_simple_group_finish,
+ ec_GFp_simple_group_clear_finish,
+ ec_GFp_simple_group_copy, ec_GFp_nistp256_group_set_curve,
+ ec_GFp_simple_group_get_curve, ec_GFp_simple_group_get_degree,
+ ec_GFp_simple_group_check_discriminant, ec_GFp_simple_point_init,
+ ec_GFp_simple_point_finish, ec_GFp_simple_point_clear_finish,
+ ec_GFp_simple_point_copy, ec_GFp_simple_point_set_to_infinity,
+ ec_GFp_simple_set_Jprojective_coordinates_GFp,
+ ec_GFp_simple_get_Jprojective_coordinates_GFp,
+ ec_GFp_simple_point_set_affine_coordinates,
+ ec_GFp_nistp256_point_get_affine_coordinates,
+ 0 /* point_set_compressed_coordinates */, 0 /* point2oct */,
+ 0 /* oct2point */, ec_GFp_simple_add, ec_GFp_simple_dbl,
+ ec_GFp_simple_invert, ec_GFp_simple_is_at_infinity,
+ ec_GFp_simple_is_on_curve, ec_GFp_simple_cmp, ec_GFp_simple_make_affine,
+ ec_GFp_simple_points_make_affine, ec_GFp_nistp256_points_mul,
+ 0 /* precompute_mult */, 0 /* have_precompute_mult */,
+ ec_GFp_simple_field_mul, ec_GFp_simple_field_sqr, 0 /* field_div */,
+ 0 /* field_encode */, 0 /* field_decode */, 0 /* field_set_to_one */
+ };
+
+ return &ret;
+}
+
+#endif /* 64_BIT && !WINDOWS */
diff --git a/src/crypto/ec/simple.c b/src/crypto/ec/simple.c
index b3f96fa..69fd2e4 100644
--- a/src/crypto/ec/simple.c
+++ b/src/crypto/ec/simple.c
@@ -178,47 +178,55 @@
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
BN_CTX_start(ctx);
tmp_a = BN_CTX_get(ctx);
- if (tmp_a == NULL)
+ if (tmp_a == NULL) {
goto err;
+ }
/* group->field */
- if (!BN_copy(&group->field, p))
+ if (!BN_copy(&group->field, p)) {
goto err;
+ }
BN_set_negative(&group->field, 0);
/* group->a */
- if (!BN_nnmod(tmp_a, a, p, ctx))
+ if (!BN_nnmod(tmp_a, a, p, ctx)) {
goto err;
+ }
if (group->meth->field_encode) {
- if (!group->meth->field_encode(group, &group->a, tmp_a, ctx))
+ if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) {
goto err;
- } else if (!BN_copy(&group->a, tmp_a))
+ }
+ } else if (!BN_copy(&group->a, tmp_a)) {
goto err;
+ }
/* group->b */
- if (!BN_nnmod(&group->b, b, p, ctx))
+ if (!BN_nnmod(&group->b, b, p, ctx)) {
goto err;
- if (group->meth->field_encode)
- if (!group->meth->field_encode(group, &group->b, &group->b, ctx))
- goto err;
+ }
+ if (group->meth->field_encode &&
+ !group->meth->field_encode(group, &group->b, &group->b, ctx)) {
+ goto err;
+ }
/* group->a_is_minus3 */
- if (!BN_add_word(tmp_a, 3))
+ if (!BN_add_word(tmp_a, 3)) {
goto err;
+ }
group->a_is_minus3 = (0 == BN_cmp(tmp_a, &group->field));
ret = 1;
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -227,34 +235,30 @@
int ret = 0;
BN_CTX *new_ctx = NULL;
- if (p != NULL) {
- if (!BN_copy(p, &group->field))
- return 0;
+ if (p != NULL && !BN_copy(p, &group->field)) {
+ return 0;
}
if (a != NULL || b != NULL) {
if (group->meth->field_decode) {
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
- if (a != NULL) {
- if (!group->meth->field_decode(group, a, &group->a, ctx))
- goto err;
+ if (a != NULL && !group->meth->field_decode(group, a, &group->a, ctx)) {
+ goto err;
}
- if (b != NULL) {
- if (!group->meth->field_decode(group, b, &group->b, ctx))
- goto err;
+ if (b != NULL && !group->meth->field_decode(group, b, &group->b, ctx)) {
+ goto err;
}
} else {
- if (a != NULL) {
- if (!BN_copy(a, &group->a))
- goto err;
+ if (a != NULL && !BN_copy(a, &group->a)) {
+ goto err;
}
- if (b != NULL) {
- if (!BN_copy(b, &group->b))
- goto err;
+ if (b != NULL && !BN_copy(b, &group->b)) {
+ goto err;
}
}
}
@@ -262,8 +266,7 @@
ret = 1;
err:
- if (new_ctx)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -291,54 +294,54 @@
tmp_1 = BN_CTX_get(ctx);
tmp_2 = BN_CTX_get(ctx);
order = BN_CTX_get(ctx);
- if (order == NULL)
+ if (order == NULL) {
goto err;
+ }
if (group->meth->field_decode) {
- if (!group->meth->field_decode(group, a, &group->a, ctx))
+ if (!group->meth->field_decode(group, a, &group->a, ctx) ||
+ !group->meth->field_decode(group, b, &group->b, ctx)) {
goto err;
- if (!group->meth->field_decode(group, b, &group->b, ctx))
- goto err;
+ }
} else {
- if (!BN_copy(a, &group->a))
+ if (!BN_copy(a, &group->a) || !BN_copy(b, &group->b)) {
goto err;
- if (!BN_copy(b, &group->b))
- goto err;
+ }
}
/* check the discriminant:
* y^2 = x^3 + a*x + b is an elliptic curve <=> 4*a^3 + 27*b^2 != 0 (mod p)
* 0 =< a, b < p */
if (BN_is_zero(a)) {
- if (BN_is_zero(b))
+ if (BN_is_zero(b)) {
goto err;
+ }
} else if (!BN_is_zero(b)) {
- if (!BN_mod_sqr(tmp_1, a, p, ctx))
+ if (!BN_mod_sqr(tmp_1, a, p, ctx) ||
+ !BN_mod_mul(tmp_2, tmp_1, a, p, ctx) ||
+ !BN_lshift(tmp_1, tmp_2, 2)) {
goto err;
- if (!BN_mod_mul(tmp_2, tmp_1, a, p, ctx))
- goto err;
- if (!BN_lshift(tmp_1, tmp_2, 2))
- goto err;
+ }
/* tmp_1 = 4*a^3 */
- if (!BN_mod_sqr(tmp_2, b, p, ctx))
+ if (!BN_mod_sqr(tmp_2, b, p, ctx) ||
+ !BN_mul_word(tmp_2, 27)) {
goto err;
- if (!BN_mul_word(tmp_2, 27))
- goto err;
+ }
/* tmp_2 = 27*b^2 */
- if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx))
+ if (!BN_mod_add(a, tmp_1, tmp_2, p, ctx) ||
+ BN_is_zero(a)) {
goto err;
- if (BN_is_zero(a))
- goto err;
+ }
}
ret = 1;
err:
- if (ctx != NULL)
+ if (ctx != NULL) {
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ }
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -365,12 +368,11 @@
}
int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) {
- if (!BN_copy(&dest->X, &src->X))
+ if (!BN_copy(&dest->X, &src->X) ||
+ !BN_copy(&dest->Y, &src->Y) ||
+ !BN_copy(&dest->Z, &src->Z)) {
return 0;
- if (!BN_copy(&dest->Y, &src->Y))
- return 0;
- if (!BN_copy(&dest->Z, &src->Z))
- return 0;
+ }
dest->Z_is_one = src->Z_is_one;
return 1;
@@ -391,41 +393,45 @@
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
if (x != NULL) {
- if (!BN_nnmod(&point->X, x, &group->field, ctx))
+ if (!BN_nnmod(&point->X, x, &group->field, ctx)) {
goto err;
- if (group->meth->field_encode) {
- if (!group->meth->field_encode(group, &point->X, &point->X, ctx))
- goto err;
+ }
+ if (group->meth->field_encode &&
+ !group->meth->field_encode(group, &point->X, &point->X, ctx)) {
+ goto err;
}
}
if (y != NULL) {
- if (!BN_nnmod(&point->Y, y, &group->field, ctx))
+ if (!BN_nnmod(&point->Y, y, &group->field, ctx)) {
goto err;
- if (group->meth->field_encode) {
- if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx))
- goto err;
+ }
+ if (group->meth->field_encode &&
+ !group->meth->field_encode(group, &point->Y, &point->Y, ctx)) {
+ goto err;
}
}
if (z != NULL) {
int Z_is_one;
- if (!BN_nnmod(&point->Z, z, &group->field, ctx))
+ if (!BN_nnmod(&point->Z, z, &group->field, ctx)) {
goto err;
+ }
Z_is_one = BN_is_one(&point->Z);
if (group->meth->field_encode) {
if (Z_is_one && (group->meth->field_set_to_one != 0)) {
- if (!group->meth->field_set_to_one(group, &point->Z, ctx))
+ if (!group->meth->field_set_to_one(group, &point->Z, ctx)) {
goto err;
- } else {
- if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx))
- goto err;
+ }
+ } else if (!group->meth->field_encode(group, &point->Z, &point->Z, ctx)) {
+ goto err;
}
}
point->Z_is_one = Z_is_one;
@@ -434,8 +440,7 @@
ret = 1;
err:
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -449,42 +454,36 @@
if (group->meth->field_decode != 0) {
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
- if (x != NULL) {
- if (!group->meth->field_decode(group, x, &point->X, ctx))
- goto err;
+ if (x != NULL && !group->meth->field_decode(group, x, &point->X, ctx)) {
+ goto err;
}
- if (y != NULL) {
- if (!group->meth->field_decode(group, y, &point->Y, ctx))
- goto err;
+ if (y != NULL && !group->meth->field_decode(group, y, &point->Y, ctx)) {
+ goto err;
}
- if (z != NULL) {
- if (!group->meth->field_decode(group, z, &point->Z, ctx))
- goto err;
+ if (z != NULL && !group->meth->field_decode(group, z, &point->Z, ctx)) {
+ goto err;
}
} else {
- if (x != NULL) {
- if (!BN_copy(x, &point->X))
- goto err;
+ if (x != NULL && !BN_copy(x, &point->X)) {
+ goto err;
}
- if (y != NULL) {
- if (!BN_copy(y, &point->Y))
- goto err;
+ if (y != NULL && !BN_copy(y, &point->Y)) {
+ goto err;
}
- if (z != NULL) {
- if (!BN_copy(z, &point->Z))
- goto err;
+ if (z != NULL && !BN_copy(z, &point->Z)) {
+ goto err;
}
}
ret = 1;
err:
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -518,8 +517,9 @@
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
BN_CTX_start(ctx);
@@ -527,14 +527,16 @@
Z_1 = BN_CTX_get(ctx);
Z_2 = BN_CTX_get(ctx);
Z_3 = BN_CTX_get(ctx);
- if (Z_3 == NULL)
+ if (Z_3 == NULL) {
goto err;
+ }
/* transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3) */
if (group->meth->field_decode) {
- if (!group->meth->field_decode(group, Z, &point->Z, ctx))
+ if (!group->meth->field_decode(group, Z, &point->Z, ctx)) {
goto err;
+ }
Z_ = Z;
} else {
Z_ = &point->Z;
@@ -542,22 +544,18 @@
if (BN_is_one(Z_)) {
if (group->meth->field_decode) {
- if (x != NULL) {
- if (!group->meth->field_decode(group, x, &point->X, ctx))
- goto err;
+ if (x != NULL && !group->meth->field_decode(group, x, &point->X, ctx)) {
+ goto err;
}
- if (y != NULL) {
- if (!group->meth->field_decode(group, y, &point->Y, ctx))
- goto err;
+ if (y != NULL && !group->meth->field_decode(group, y, &point->Y, ctx)) {
+ goto err;
}
} else {
- if (x != NULL) {
- if (!BN_copy(x, &point->X))
- goto err;
+ if (x != NULL && !BN_copy(x, &point->X)) {
+ goto err;
}
- if (y != NULL) {
- if (!BN_copy(y, &point->Y))
- goto err;
+ if (y != NULL && !BN_copy(y, &point->Y)) {
+ goto err;
}
}
} else {
@@ -569,34 +567,34 @@
if (group->meth->field_encode == 0) {
/* field_sqr works on standard representation */
- if (!group->meth->field_sqr(group, Z_2, Z_1, ctx))
+ if (!group->meth->field_sqr(group, Z_2, Z_1, ctx)) {
goto err;
- } else {
- if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx))
- goto err;
+ }
+ } else if (!BN_mod_sqr(Z_2, Z_1, &group->field, ctx)) {
+ goto err;
}
- if (x != NULL) {
- /* in the Montgomery case, field_mul will cancel out Montgomery factor in
- * X: */
- if (!group->meth->field_mul(group, x, &point->X, Z_2, ctx))
- goto err;
+ /* in the Montgomery case, field_mul will cancel out Montgomery factor in
+ * X: */
+ if (x != NULL && !group->meth->field_mul(group, x, &point->X, Z_2, ctx)) {
+ goto err;
}
if (y != NULL) {
if (group->meth->field_encode == 0) {
/* field_mul works on standard representation */
- if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx))
+ if (!group->meth->field_mul(group, Z_3, Z_2, Z_1, ctx)) {
goto err;
- } else {
- if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx))
- goto err;
+ }
+ } else if (!BN_mod_mul(Z_3, Z_2, Z_1, &group->field, ctx)) {
+ goto err;
}
/* in the Montgomery case, field_mul will cancel out Montgomery factor in
* Y: */
- if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx))
+ if (!group->meth->field_mul(group, y, &point->Y, Z_3, ctx)) {
goto err;
+ }
}
}
@@ -604,8 +602,7 @@
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -619,12 +616,15 @@
BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6;
int ret = 0;
- if (a == b)
+ if (a == b) {
return EC_POINT_dbl(group, r, a, ctx);
- if (EC_POINT_is_at_infinity(group, a))
+ }
+ if (EC_POINT_is_at_infinity(group, a)) {
return EC_POINT_copy(r, b);
- if (EC_POINT_is_at_infinity(group, b))
+ }
+ if (EC_POINT_is_at_infinity(group, b)) {
return EC_POINT_copy(r, a);
+ }
field_mul = group->meth->field_mul;
field_sqr = group->meth->field_sqr;
@@ -632,8 +632,9 @@
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
BN_CTX_start(ctx);
@@ -644,8 +645,9 @@
n4 = BN_CTX_get(ctx);
n5 = BN_CTX_get(ctx);
n6 = BN_CTX_get(ctx);
- if (n6 == NULL)
+ if (n6 == NULL) {
goto end;
+ }
/* Note that in this function we must not read components of 'a' or 'b'
* once we have written the corresponding components of 'r'.
@@ -654,53 +656,51 @@
/* n1, n2 */
if (b->Z_is_one) {
- if (!BN_copy(n1, &a->X))
+ if (!BN_copy(n1, &a->X) || !BN_copy(n2, &a->Y)) {
goto end;
- if (!BN_copy(n2, &a->Y))
- goto end;
+ }
/* n1 = X_a */
/* n2 = Y_a */
} else {
- if (!field_sqr(group, n0, &b->Z, ctx))
+ if (!field_sqr(group, n0, &b->Z, ctx) ||
+ !field_mul(group, n1, &a->X, n0, ctx)) {
goto end;
- if (!field_mul(group, n1, &a->X, n0, ctx))
- goto end;
+ }
/* n1 = X_a * Z_b^2 */
- if (!field_mul(group, n0, n0, &b->Z, ctx))
+ if (!field_mul(group, n0, n0, &b->Z, ctx) ||
+ !field_mul(group, n2, &a->Y, n0, ctx)) {
goto end;
- if (!field_mul(group, n2, &a->Y, n0, ctx))
- goto end;
+ }
/* n2 = Y_a * Z_b^3 */
}
/* n3, n4 */
if (a->Z_is_one) {
- if (!BN_copy(n3, &b->X))
+ if (!BN_copy(n3, &b->X) || !BN_copy(n4, &b->Y)) {
goto end;
- if (!BN_copy(n4, &b->Y))
- goto end;
+ }
/* n3 = X_b */
/* n4 = Y_b */
} else {
- if (!field_sqr(group, n0, &a->Z, ctx))
+ if (!field_sqr(group, n0, &a->Z, ctx) ||
+ !field_mul(group, n3, &b->X, n0, ctx)) {
goto end;
- if (!field_mul(group, n3, &b->X, n0, ctx))
- goto end;
+ }
/* n3 = X_b * Z_a^2 */
- if (!field_mul(group, n0, n0, &a->Z, ctx))
+ if (!field_mul(group, n0, n0, &a->Z, ctx) ||
+ !field_mul(group, n4, &b->Y, n0, ctx)) {
goto end;
- if (!field_mul(group, n4, &b->Y, n0, ctx))
- goto end;
+ }
/* n4 = Y_b * Z_a^3 */
}
/* n5, n6 */
- if (!BN_mod_sub_quick(n5, n1, n3, p))
+ if (!BN_mod_sub_quick(n5, n1, n3, p) ||
+ !BN_mod_sub_quick(n6, n2, n4, p)) {
goto end;
- if (!BN_mod_sub_quick(n6, n2, n4, p))
- goto end;
+ }
/* n5 = n1 - n3 */
/* n6 = n2 - n4 */
@@ -721,76 +721,79 @@
}
/* 'n7', 'n8' */
- if (!BN_mod_add_quick(n1, n1, n3, p))
+ if (!BN_mod_add_quick(n1, n1, n3, p) ||
+ !BN_mod_add_quick(n2, n2, n4, p)) {
goto end;
- if (!BN_mod_add_quick(n2, n2, n4, p))
- goto end;
+ }
/* 'n7' = n1 + n3 */
/* 'n8' = n2 + n4 */
/* Z_r */
if (a->Z_is_one && b->Z_is_one) {
- if (!BN_copy(&r->Z, n5))
+ if (!BN_copy(&r->Z, n5)) {
goto end;
+ }
} else {
if (a->Z_is_one) {
- if (!BN_copy(n0, &b->Z))
+ if (!BN_copy(n0, &b->Z)) {
goto end;
+ }
} else if (b->Z_is_one) {
- if (!BN_copy(n0, &a->Z))
+ if (!BN_copy(n0, &a->Z)) {
goto end;
- } else {
- if (!field_mul(group, n0, &a->Z, &b->Z, ctx))
- goto end;
- }
- if (!field_mul(group, &r->Z, n0, n5, ctx))
+ }
+ } else if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) {
goto end;
+ }
+ if (!field_mul(group, &r->Z, n0, n5, ctx)) {
+ goto end;
+ }
}
r->Z_is_one = 0;
/* Z_r = Z_a * Z_b * n5 */
/* X_r */
- if (!field_sqr(group, n0, n6, ctx))
+ if (!field_sqr(group, n0, n6, ctx) ||
+ !field_sqr(group, n4, n5, ctx) ||
+ !field_mul(group, n3, n1, n4, ctx) ||
+ !BN_mod_sub_quick(&r->X, n0, n3, p)) {
goto end;
- if (!field_sqr(group, n4, n5, ctx))
- goto end;
- if (!field_mul(group, n3, n1, n4, ctx))
- goto end;
- if (!BN_mod_sub_quick(&r->X, n0, n3, p))
- goto end;
+ }
/* X_r = n6^2 - n5^2 * 'n7' */
/* 'n9' */
- if (!BN_mod_lshift1_quick(n0, &r->X, p))
+ if (!BN_mod_lshift1_quick(n0, &r->X, p) ||
+ !BN_mod_sub_quick(n0, n3, n0, p)) {
goto end;
- if (!BN_mod_sub_quick(n0, n3, n0, p))
- goto end;
+ }
/* n9 = n5^2 * 'n7' - 2 * X_r */
/* Y_r */
- if (!field_mul(group, n0, n0, n6, ctx))
- goto end;
- if (!field_mul(group, n5, n4, n5, ctx))
+ if (!field_mul(group, n0, n0, n6, ctx) ||
+ !field_mul(group, n5, n4, n5, ctx)) {
goto end; /* now n5 is n5^3 */
- if (!field_mul(group, n1, n2, n5, ctx))
+ }
+ if (!field_mul(group, n1, n2, n5, ctx) ||
+ !BN_mod_sub_quick(n0, n0, n1, p)) {
goto end;
- if (!BN_mod_sub_quick(n0, n0, n1, p))
+ }
+ if (BN_is_odd(n0) && !BN_add(n0, n0, p)) {
goto end;
- if (BN_is_odd(n0))
- if (!BN_add(n0, n0, p))
- goto end;
+ }
/* now 0 <= n0 < 2*p, and n0 is even */
- if (!BN_rshift1(&r->Y, n0))
+ if (!BN_rshift1(&r->Y, n0)) {
goto end;
+ }
/* Y_r = (n6 * 'n9' - 'n8' * 'n5^3') / 2 */
ret = 1;
end:
- if (ctx) /* otherwise we already called BN_CTX_end */
+ if (ctx) {
+ /* otherwise we already called BN_CTX_end */
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ }
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -816,8 +819,9 @@
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
BN_CTX_start(ctx);
@@ -825,8 +829,9 @@
n1 = BN_CTX_get(ctx);
n2 = BN_CTX_get(ctx);
n3 = BN_CTX_get(ctx);
- if (n3 == NULL)
+ if (n3 == NULL) {
goto err;
+ }
/* Note that in this function we must not read components of 'a'
* once we have written the corresponding components of 'r'.
@@ -835,108 +840,95 @@
/* n1 */
if (a->Z_is_one) {
- if (!field_sqr(group, n0, &a->X, ctx))
+ if (!field_sqr(group, n0, &a->X, ctx) ||
+ !BN_mod_lshift1_quick(n1, n0, p) ||
+ !BN_mod_add_quick(n0, n0, n1, p) ||
+ !BN_mod_add_quick(n1, n0, &group->a, p)) {
goto err;
- if (!BN_mod_lshift1_quick(n1, n0, p))
- goto err;
- if (!BN_mod_add_quick(n0, n0, n1, p))
- goto err;
- if (!BN_mod_add_quick(n1, n0, &group->a, p))
- goto err;
+ }
/* n1 = 3 * X_a^2 + a_curve */
} else if (group->a_is_minus3) {
- if (!field_sqr(group, n1, &a->Z, ctx))
+ if (!field_sqr(group, n1, &a->Z, ctx) ||
+ !BN_mod_add_quick(n0, &a->X, n1, p) ||
+ !BN_mod_sub_quick(n2, &a->X, n1, p) ||
+ !field_mul(group, n1, n0, n2, ctx) ||
+ !BN_mod_lshift1_quick(n0, n1, p) ||
+ !BN_mod_add_quick(n1, n0, n1, p)) {
goto err;
- if (!BN_mod_add_quick(n0, &a->X, n1, p))
- goto err;
- if (!BN_mod_sub_quick(n2, &a->X, n1, p))
- goto err;
- if (!field_mul(group, n1, n0, n2, ctx))
- goto err;
- if (!BN_mod_lshift1_quick(n0, n1, p))
- goto err;
- if (!BN_mod_add_quick(n1, n0, n1, p))
- goto err;
+ }
/* n1 = 3 * (X_a + Z_a^2) * (X_a - Z_a^2)
* = 3 * X_a^2 - 3 * Z_a^4 */
} else {
- if (!field_sqr(group, n0, &a->X, ctx))
+ if (!field_sqr(group, n0, &a->X, ctx) ||
+ !BN_mod_lshift1_quick(n1, n0, p) ||
+ !BN_mod_add_quick(n0, n0, n1, p) ||
+ !field_sqr(group, n1, &a->Z, ctx) ||
+ !field_sqr(group, n1, n1, ctx) ||
+ !field_mul(group, n1, n1, &group->a, ctx) ||
+ !BN_mod_add_quick(n1, n1, n0, p)) {
goto err;
- if (!BN_mod_lshift1_quick(n1, n0, p))
- goto err;
- if (!BN_mod_add_quick(n0, n0, n1, p))
- goto err;
- if (!field_sqr(group, n1, &a->Z, ctx))
- goto err;
- if (!field_sqr(group, n1, n1, ctx))
- goto err;
- if (!field_mul(group, n1, n1, &group->a, ctx))
- goto err;
- if (!BN_mod_add_quick(n1, n1, n0, p))
- goto err;
+ }
/* n1 = 3 * X_a^2 + a_curve * Z_a^4 */
}
/* Z_r */
if (a->Z_is_one) {
- if (!BN_copy(n0, &a->Y))
+ if (!BN_copy(n0, &a->Y)) {
goto err;
- } else {
- if (!field_mul(group, n0, &a->Y, &a->Z, ctx))
- goto err;
- }
- if (!BN_mod_lshift1_quick(&r->Z, n0, p))
+ }
+ } else if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) {
goto err;
+ }
+ if (!BN_mod_lshift1_quick(&r->Z, n0, p)) {
+ goto err;
+ }
r->Z_is_one = 0;
/* Z_r = 2 * Y_a * Z_a */
/* n2 */
- if (!field_sqr(group, n3, &a->Y, ctx))
+ if (!field_sqr(group, n3, &a->Y, ctx) ||
+ !field_mul(group, n2, &a->X, n3, ctx) ||
+ !BN_mod_lshift_quick(n2, n2, 2, p)) {
goto err;
- if (!field_mul(group, n2, &a->X, n3, ctx))
- goto err;
- if (!BN_mod_lshift_quick(n2, n2, 2, p))
- goto err;
+ }
/* n2 = 4 * X_a * Y_a^2 */
/* X_r */
- if (!BN_mod_lshift1_quick(n0, n2, p))
+ if (!BN_mod_lshift1_quick(n0, n2, p) ||
+ !field_sqr(group, &r->X, n1, ctx) ||
+ !BN_mod_sub_quick(&r->X, &r->X, n0, p)) {
goto err;
- if (!field_sqr(group, &r->X, n1, ctx))
- goto err;
- if (!BN_mod_sub_quick(&r->X, &r->X, n0, p))
- goto err;
+ }
/* X_r = n1^2 - 2 * n2 */
/* n3 */
- if (!field_sqr(group, n0, n3, ctx))
+ if (!field_sqr(group, n0, n3, ctx) ||
+ !BN_mod_lshift_quick(n3, n0, 3, p)) {
goto err;
- if (!BN_mod_lshift_quick(n3, n0, 3, p))
- goto err;
+ }
/* n3 = 8 * Y_a^4 */
/* Y_r */
- if (!BN_mod_sub_quick(n0, n2, &r->X, p))
+ if (!BN_mod_sub_quick(n0, n2, &r->X, p) ||
+ !field_mul(group, n0, n1, n0, ctx) ||
+ !BN_mod_sub_quick(&r->Y, n0, n3, p)) {
goto err;
- if (!field_mul(group, n0, n1, n0, ctx))
- goto err;
- if (!BN_mod_sub_quick(&r->Y, n0, n3, p))
- goto err;
+ }
/* Y_r = n1 * (n2 - X_r) - n3 */
ret = 1;
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
int ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) {
- if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y))
+ if (EC_POINT_is_at_infinity(group, point) || BN_is_zero(&point->Y)) {
/* point is its own inverse */
return 1;
+ }
return BN_usub(&point->Y, &group->field, &point->Y);
}
@@ -955,8 +947,9 @@
BIGNUM *rh, *tmp, *Z4, *Z6;
int ret = -1;
- if (EC_POINT_is_at_infinity(group, point))
+ if (EC_POINT_is_at_infinity(group, point)) {
return 1;
+ }
field_mul = group->meth->field_mul;
field_sqr = group->meth->field_sqr;
@@ -964,8 +957,9 @@
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return -1;
+ }
}
BN_CTX_start(ctx);
@@ -973,8 +967,9 @@
tmp = BN_CTX_get(ctx);
Z4 = BN_CTX_get(ctx);
Z6 = BN_CTX_get(ctx);
- if (Z6 == NULL)
+ if (Z6 == NULL) {
goto err;
+ }
/* We have a curve defined by a Weierstrass equation
* y^2 = x^3 + a*x + b.
@@ -987,64 +982,62 @@
*/
/* rh := X^2 */
- if (!field_sqr(group, rh, &point->X, ctx))
+ if (!field_sqr(group, rh, &point->X, ctx)) {
goto err;
+ }
if (!point->Z_is_one) {
- if (!field_sqr(group, tmp, &point->Z, ctx))
+ if (!field_sqr(group, tmp, &point->Z, ctx) ||
+ !field_sqr(group, Z4, tmp, ctx) ||
+ !field_mul(group, Z6, Z4, tmp, ctx)) {
goto err;
- if (!field_sqr(group, Z4, tmp, ctx))
- goto err;
- if (!field_mul(group, Z6, Z4, tmp, ctx))
- goto err;
+ }
/* rh := (rh + a*Z^4)*X */
if (group->a_is_minus3) {
- if (!BN_mod_lshift1_quick(tmp, Z4, p))
+ if (!BN_mod_lshift1_quick(tmp, Z4, p) ||
+ !BN_mod_add_quick(tmp, tmp, Z4, p) ||
+ !BN_mod_sub_quick(rh, rh, tmp, p) ||
+ !field_mul(group, rh, rh, &point->X, ctx)) {
goto err;
- if (!BN_mod_add_quick(tmp, tmp, Z4, p))
- goto err;
- if (!BN_mod_sub_quick(rh, rh, tmp, p))
- goto err;
- if (!field_mul(group, rh, rh, &point->X, ctx))
- goto err;
+ }
} else {
- if (!field_mul(group, tmp, Z4, &group->a, ctx))
+ if (!field_mul(group, tmp, Z4, &group->a, ctx) ||
+ !BN_mod_add_quick(rh, rh, tmp, p) ||
+ !field_mul(group, rh, rh, &point->X, ctx)) {
goto err;
- if (!BN_mod_add_quick(rh, rh, tmp, p))
- goto err;
- if (!field_mul(group, rh, rh, &point->X, ctx))
- goto err;
+ }
}
/* rh := rh + b*Z^6 */
- if (!field_mul(group, tmp, &group->b, Z6, ctx))
+ if (!field_mul(group, tmp, &group->b, Z6, ctx) ||
+ !BN_mod_add_quick(rh, rh, tmp, p)) {
goto err;
- if (!BN_mod_add_quick(rh, rh, tmp, p))
- goto err;
+ }
} else {
/* point->Z_is_one */
/* rh := (rh + a)*X */
- if (!BN_mod_add_quick(rh, rh, &group->a, p))
+ if (!BN_mod_add_quick(rh, rh, &group->a, p) ||
+ !field_mul(group, rh, rh, &point->X, ctx)) {
goto err;
- if (!field_mul(group, rh, rh, &point->X, ctx))
- goto err;
+ }
/* rh := rh + b */
- if (!BN_mod_add_quick(rh, rh, &group->b, p))
+ if (!BN_mod_add_quick(rh, rh, &group->b, p)) {
goto err;
+ }
}
/* 'lh' := Y^2 */
- if (!field_sqr(group, tmp, &point->Y, ctx))
+ if (!field_sqr(group, tmp, &point->Y, ctx)) {
goto err;
+ }
ret = (0 == BN_ucmp(tmp, rh));
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -1068,8 +1061,9 @@
return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
}
- if (EC_POINT_is_at_infinity(group, b))
+ if (EC_POINT_is_at_infinity(group, b)) {
return 1;
+ }
if (a->Z_is_one && b->Z_is_one) {
return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1;
@@ -1080,8 +1074,9 @@
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return -1;
+ }
}
BN_CTX_start(ctx);
@@ -1089,8 +1084,9 @@
tmp2 = BN_CTX_get(ctx);
Za23 = BN_CTX_get(ctx);
Zb23 = BN_CTX_get(ctx);
- if (Zb23 == NULL)
+ if (Zb23 == NULL) {
goto end;
+ }
/* We have to decide whether
* (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),
@@ -1099,21 +1095,23 @@
*/
if (!b->Z_is_one) {
- if (!field_sqr(group, Zb23, &b->Z, ctx))
+ if (!field_sqr(group, Zb23, &b->Z, ctx) ||
+ !field_mul(group, tmp1, &a->X, Zb23, ctx)) {
goto end;
- if (!field_mul(group, tmp1, &a->X, Zb23, ctx))
- goto end;
+ }
tmp1_ = tmp1;
- } else
+ } else {
tmp1_ = &a->X;
+ }
if (!a->Z_is_one) {
- if (!field_sqr(group, Za23, &a->Z, ctx))
+ if (!field_sqr(group, Za23, &a->Z, ctx) ||
+ !field_mul(group, tmp2, &b->X, Za23, ctx)) {
goto end;
- if (!field_mul(group, tmp2, &b->X, Za23, ctx))
- goto end;
+ }
tmp2_ = tmp2;
- } else
+ } else {
tmp2_ = &b->X;
+ }
/* compare X_a*Z_b^2 with X_b*Z_a^2 */
if (BN_cmp(tmp1_, tmp2_) != 0) {
@@ -1123,21 +1121,23 @@
if (!b->Z_is_one) {
- if (!field_mul(group, Zb23, Zb23, &b->Z, ctx))
+ if (!field_mul(group, Zb23, Zb23, &b->Z, ctx) ||
+ !field_mul(group, tmp1, &a->Y, Zb23, ctx)) {
goto end;
- if (!field_mul(group, tmp1, &a->Y, Zb23, ctx))
- goto end;
+ }
/* tmp1_ = tmp1 */
- } else
+ } else {
tmp1_ = &a->Y;
+ }
if (!a->Z_is_one) {
- if (!field_mul(group, Za23, Za23, &a->Z, ctx))
+ if (!field_mul(group, Za23, Za23, &a->Z, ctx) ||
+ !field_mul(group, tmp2, &b->Y, Za23, ctx)) {
goto end;
- if (!field_mul(group, tmp2, &b->Y, Za23, ctx))
- goto end;
+ }
/* tmp2_ = tmp2 */
- } else
+ } else {
tmp2_ = &b->Y;
+ }
/* compare Y_a*Z_b^3 with Y_b*Z_a^3 */
if (BN_cmp(tmp1_, tmp2_) != 0) {
@@ -1150,8 +1150,7 @@
end:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -1161,25 +1160,28 @@
BIGNUM *x, *y;
int ret = 0;
- if (point->Z_is_one || EC_POINT_is_at_infinity(group, point))
+ if (point->Z_is_one || EC_POINT_is_at_infinity(group, point)) {
return 1;
+ }
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
return 0;
+ }
}
BN_CTX_start(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
- if (y == NULL)
+ if (y == NULL) {
goto err;
+ }
- if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx))
+ if (!EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx) ||
+ !EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {
goto err;
- if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx))
- goto err;
+ }
if (!point->Z_is_one) {
OPENSSL_PUT_ERROR(EC, ec_GFp_simple_make_affine, ERR_R_INTERNAL_ERROR);
goto err;
@@ -1189,8 +1191,7 @@
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
+ BN_CTX_free(new_ctx);
return ret;
}
@@ -1335,9 +1336,7 @@
err:
BN_CTX_end(ctx);
- if (new_ctx != NULL) {
- BN_CTX_free(new_ctx);
- }
+ BN_CTX_free(new_ctx);
if (prod_Z != NULL) {
for (i = 0; i < num; i++) {
if (prod_Z[i] == NULL) {
diff --git a/src/crypto/ec/util-64.c b/src/crypto/ec/util-64.c
new file mode 100644
index 0000000..171b063
--- /dev/null
+++ b/src/crypto/ec/util-64.c
@@ -0,0 +1,183 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/base.h>
+
+
+#if defined(OPENSSL_64_BIT) && !defined(OPENSSL_WINDOWS)
+
+#include <openssl/ec.h>
+
+#include "internal.h"
+
+/* Convert an array of points into affine coordinates. (If the point at
+ * infinity is found (Z = 0), it remains unchanged.) This function is
+ * essentially an equivalent to EC_POINTs_make_affine(), but works with the
+ * internal representation of points as used by ecp_nistp###.c rather than
+ * with (BIGNUM-based) EC_POINT data structures. point_array is the
+ * input/output buffer ('num' points in projective form, i.e. three
+ * coordinates each), based on an internal representation of field elements
+ * of size 'felem_size'. tmp_felems needs to point to a temporary array of
+ * 'num'+1 field elements for storage of intermediate values. */
+void ec_GFp_nistp_points_make_affine_internal(
+ size_t num, void *point_array, size_t felem_size, void *tmp_felems,
+ void (*felem_one)(void *out), int (*felem_is_zero)(const void *in),
+ void (*felem_assign)(void *out, const void *in),
+ void (*felem_square)(void *out, const void *in),
+ void (*felem_mul)(void *out, const void *in1, const void *in2),
+ void (*felem_inv)(void *out, const void *in),
+ void (*felem_contract)(void *out, const void *in)) {
+ int i = 0;
+
+#define tmp_felem(I) (&((char *)tmp_felems)[(I)*felem_size])
+#define X(I) (&((char *)point_array)[3 * (I)*felem_size])
+#define Y(I) (&((char *)point_array)[(3 * (I) + 1) * felem_size])
+#define Z(I) (&((char *)point_array)[(3 * (I) + 2) * felem_size])
+
+ if (!felem_is_zero(Z(0))) {
+ felem_assign(tmp_felem(0), Z(0));
+ } else {
+ felem_one(tmp_felem(0));
+ }
+
+ for (i = 1; i < (int)num; i++) {
+ if (!felem_is_zero(Z(i))) {
+ felem_mul(tmp_felem(i), tmp_felem(i - 1), Z(i));
+ } else {
+ felem_assign(tmp_felem(i), tmp_felem(i - 1));
+ }
+ }
+ /* Now each tmp_felem(i) is the product of Z(0) .. Z(i), skipping any
+ * zero-valued factors: if Z(i) = 0, we essentially pretend that Z(i) = 1. */
+
+ felem_inv(tmp_felem(num - 1), tmp_felem(num - 1));
+ for (i = num - 1; i >= 0; i--) {
+ if (i > 0) {
+ /* tmp_felem(i-1) is the product of Z(0) .. Z(i-1), tmp_felem(i)
+ * is the inverse of the product of Z(0) .. Z(i). */
+ /* 1/Z(i) */
+ felem_mul(tmp_felem(num), tmp_felem(i - 1), tmp_felem(i));
+ } else {
+ felem_assign(tmp_felem(num), tmp_felem(0)); /* 1/Z(0) */
+ }
+
+ if (!felem_is_zero(Z(i))) {
+ if (i > 0) {
+ /* For next iteration, replace tmp_felem(i-1) by its inverse. */
+ felem_mul(tmp_felem(i - 1), tmp_felem(i), Z(i));
+ }
+
+ /* Convert point (X, Y, Z) into affine form (X/(Z^2), Y/(Z^3), 1). */
+ felem_square(Z(i), tmp_felem(num)); /* 1/(Z^2) */
+ felem_mul(X(i), X(i), Z(i)); /* X/(Z^2) */
+ felem_mul(Z(i), Z(i), tmp_felem(num)); /* 1/(Z^3) */
+ felem_mul(Y(i), Y(i), Z(i)); /* Y/(Z^3) */
+ felem_contract(X(i), X(i));
+ felem_contract(Y(i), Y(i));
+ felem_one(Z(i));
+ } else {
+ if (i > 0) {
+ /* For next iteration, replace tmp_felem(i-1) by its inverse. */
+ felem_assign(tmp_felem(i - 1), tmp_felem(i));
+ }
+ }
+ }
+}
+
+/* This function looks at 5+1 scalar bits (5 current, 1 adjacent less
+ * significant bit), and recodes them into a signed digit for use in fast point
+ * multiplication: the use of signed rather than unsigned digits means that
+ * fewer points need to be precomputed, given that point inversion is easy (a
+ * precomputed point dP makes -dP available as well).
+ *
+ * BACKGROUND:
+ *
+ * Signed digits for multiplication were introduced by Booth ("A signed binary
+ * multiplication technique", Quart. Journ. Mech. and Applied Math., vol. IV,
+ * pt. 2 (1951), pp. 236-240), in that case for multiplication of integers.
+ * Booth's original encoding did not generally improve the density of nonzero
+ * digits over the binary representation, and was merely meant to simplify the
+ * handling of signed factors given in two's complement; but it has since been
+ * shown to be the basis of various signed-digit representations that do have
+ * further advantages, including the wNAF, using the following general
+ * approach:
+ *
+ * (1) Given a binary representation
+ *
+ * b_k ... b_2 b_1 b_0,
+ *
+ * of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1
+ * by using bit-wise subtraction as follows:
+ *
+ * b_k b_(k-1) ... b_2 b_1 b_0
+ * - b_k ... b_3 b_2 b_1 b_0
+ * -------------------------------------
+ * s_k b_(k-1) ... s_3 s_2 s_1 s_0
+ *
+ * A left-shift followed by subtraction of the original value yields a new
+ * representation of the same value, using signed bits s_i = b_(i+1) - b_i.
+ * This representation from Booth's paper has since appeared in the
+ * literature under a variety of different names including "reversed binary
+ * form", "alternating greedy expansion", "mutual opposite form", and
+ * "sign-alternating {+-1}-representation".
+ *
+ * An interesting property is that among the nonzero bits, values 1 and -1
+ * strictly alternate.
+ *
+ * (2) Various window schemes can be applied to the Booth representation of
+ * integers: for example, right-to-left sliding windows yield the wNAF
+ * (a signed-digit encoding independently discovered by various researchers
+ * in the 1990s), and left-to-right sliding windows yield a left-to-right
+ * equivalent of the wNAF (independently discovered by various researchers
+ * around 2004).
+ *
+ * To prevent leaking information through side channels in point multiplication,
+ * we need to recode the given integer into a regular pattern: sliding windows
+ * as in wNAFs won't do, we need their fixed-window equivalent -- which is a few
+ * decades older: we'll be using the so-called "modified Booth encoding" due to
+ * MacSorley ("High-speed arithmetic in binary computers", Proc. IRE, vol. 49
+ * (1961), pp. 67-91), in a radix-2^5 setting. That is, we always combine five
+ * signed bits into a signed digit:
+ *
+ * s_(4j + 4) s_(4j + 3) s_(4j + 2) s_(4j + 1) s_(4j)
+ *
+ * The sign-alternating property implies that the resulting digit values are
+ * integers from -16 to 16.
+ *
+ * Of course, we don't actually need to compute the signed digits s_i as an
+ * intermediate step (that's just a nice way to see how this scheme relates
+ * to the wNAF): a direct computation obtains the recoded digit from the
+ * six bits b_(4j + 4) ... b_(4j - 1).
+ *
+ * This function takes those five bits as an integer (0 .. 63), writing the
+ * recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute
+ * value, in the range 0 .. 8). Note that this integer essentially provides the
+ * input bits "shifted to the left" by one position: for example, the input to
+ * compute the least significant recoded digit, given that there's no bit b_-1,
+ * has to be b_4 b_3 b_2 b_1 b_0 0. */
+void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit,
+ uint8_t in) {
+ uint8_t s, d;
+
+ s = ~((in >> 5) - 1); /* sets all bits to MSB(in), 'in' seen as
+ * 6-bit value */
+ d = (1 << 6) - in - 1;
+ d = (d & s) | (in & ~s);
+ d = (d >> 1) + (d & 1);
+
+ *sign = s & 1;
+ *digit = d;
+}
+
+#endif /* 64_BIT && !WINDOWS */
diff --git a/src/crypto/ec/wnaf.c b/src/crypto/ec/wnaf.c
index 9016328..d87a7d9 100644
--- a/src/crypto/ec/wnaf.c
+++ b/src/crypto/ec/wnaf.c
@@ -72,6 +72,7 @@
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/mem.h>
+#include <openssl/thread.h>
#include "internal.h"
@@ -84,7 +85,6 @@
/* structure for precomputed multiples of the generator */
typedef struct ec_pre_comp_st {
- const EC_GROUP *group; /* parent EC_GROUP object */
size_t blocksize; /* block size for wNAF splitting */
size_t numblocks; /* max. number of blocks for which we have precomputation */
size_t w; /* window size */
@@ -94,18 +94,14 @@
int references;
} EC_PRE_COMP;
-static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group) {
+static EC_PRE_COMP *ec_pre_comp_new(void) {
EC_PRE_COMP *ret = NULL;
- if (!group)
- return NULL;
-
ret = (EC_PRE_COMP *)OPENSSL_malloc(sizeof(EC_PRE_COMP));
if (!ret) {
OPENSSL_PUT_ERROR(EC, ec_pre_comp_new, ERR_R_MALLOC_FAILURE);
return ret;
}
- ret->group = group;
ret->blocksize = 8; /* default */
ret->numblocks = 0;
ret->w = 4; /* default */
@@ -125,14 +121,8 @@
}
void ec_pre_comp_free(EC_PRE_COMP *pre_comp) {
- int i;
-
- if (!pre_comp) {
- return;
- }
-
- i = CRYPTO_add(&pre_comp->references, -1, CRYPTO_LOCK_EC_PRE_COMP);
- if (i > 0) {
+ if (pre_comp == NULL ||
+ CRYPTO_add(&pre_comp->references, -1, CRYPTO_LOCK_EC_PRE_COMP) > 0) {
return;
}
@@ -272,8 +262,9 @@
OPENSSL_free(r);
r = NULL;
}
- if (ok)
+ if (ok) {
*ret_len = len;
+ }
return r;
}
@@ -341,8 +332,9 @@
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
goto err;
+ }
}
if (scalar != NULL) {
@@ -365,8 +357,9 @@
numblocks = (BN_num_bits(scalar) / blocksize) + 1;
/* we cannot use more blocks than we have precomputation for */
- if (numblocks > pre_comp->numblocks)
+ if (numblocks > pre_comp->numblocks) {
numblocks = pre_comp->numblocks;
+ }
pre_points_per_block = (size_t)1 << (pre_comp->w - 1);
@@ -413,10 +406,12 @@
wNAF[i + 1] = NULL; /* make sure we always have a pivot */
wNAF[i] =
compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]);
- if (wNAF[i] == NULL)
+ if (wNAF[i] == NULL) {
goto err;
- if (wNAF_len[i] > max_len)
+ }
+ if (wNAF_len[i] > max_len) {
max_len = wNAF_len[i];
+ }
}
if (numblocks) {
@@ -440,8 +435,9 @@
/* use the window size for which we have precomputation */
wsize[num] = pre_comp->w;
tmp_wNAF = compute_wNAF(scalar, wsize[num], &tmp_len);
- if (!tmp_wNAF)
+ if (!tmp_wNAF) {
goto err;
+ }
if (tmp_len <= max_len) {
/* One of the other wNAFs is at least as long
@@ -484,10 +480,11 @@
goto err;
}
tmp_len -= blocksize;
- } else
+ } else {
/* last block gets whatever is left
* (this could be more or less than 'blocksize'!) */
wNAF_len[i] = tmp_len;
+ }
wNAF[i + 1] = NULL;
wNAF[i] = OPENSSL_malloc(wNAF_len[i]);
@@ -497,8 +494,9 @@
goto err;
}
memcpy(wNAF[i], pp, wNAF_len[i]);
- if (wNAF_len[i] > max_len)
+ if (wNAF_len[i] > max_len) {
max_len = wNAF_len[i];
+ }
if (*tmp_points == NULL) {
OPENSSL_PUT_ERROR(EC, ec_wNAF_mul, ERR_R_INTERNAL_ERROR);
@@ -531,8 +529,9 @@
val_sub[i] = v;
for (j = 0; j < ((size_t)1 << (wsize[i] - 1)); j++) {
*v = EC_POINT_new(group);
- if (*v == NULL)
+ if (*v == NULL) {
goto err;
+ }
v++;
}
}
@@ -541,8 +540,9 @@
goto err;
}
- if (!(tmp = EC_POINT_new(group)))
+ if (!(tmp = EC_POINT_new(group))) {
goto err;
+ }
/* prepare precomputed values:
* val_sub[i][0] := points[i]
@@ -552,34 +552,36 @@
*/
for (i = 0; i < num + num_scalar; i++) {
if (i < num) {
- if (!EC_POINT_copy(val_sub[i][0], points[i]))
+ if (!EC_POINT_copy(val_sub[i][0], points[i])) {
goto err;
- } else {
- if (!EC_POINT_copy(val_sub[i][0], generator))
- goto err;
+ }
+ } else if (!EC_POINT_copy(val_sub[i][0], generator)) {
+ goto err;
}
if (wsize[i] > 1) {
- if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx))
+ if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx)) {
goto err;
+ }
for (j = 1; j < ((size_t)1 << (wsize[i] - 1)); j++) {
- if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx))
+ if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx)) {
goto err;
+ }
}
}
}
#if 1 /* optional; EC_window_bits_for_scalar_size assumes we do this step */
- if (!EC_POINTs_make_affine(group, num_val, val, ctx))
+ if (!EC_POINTs_make_affine(group, num_val, val, ctx)) {
goto err;
+ }
#endif
r_is_at_infinity = 1;
for (k = max_len - 1; k >= 0; k--) {
- if (!r_is_at_infinity) {
- if (!EC_POINT_dbl(group, r, r, ctx))
- goto err;
+ if (!r_is_at_infinity && !EC_POINT_dbl(group, r, r, ctx)) {
+ goto err;
}
for (i = 0; i < totalnum; i++) {
@@ -590,13 +592,13 @@
if (digit) {
is_neg = digit < 0;
- if (is_neg)
+ if (is_neg) {
digit = -digit;
+ }
if (is_neg != r_is_inverted) {
- if (!r_is_at_infinity) {
- if (!EC_POINT_invert(group, r, ctx))
- goto err;
+ if (!r_is_at_infinity && !EC_POINT_invert(group, r, ctx)) {
+ goto err;
}
r_is_inverted = !r_is_inverted;
}
@@ -604,12 +606,14 @@
/* digit > 0 */
if (r_is_at_infinity) {
- if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
+ if (!EC_POINT_copy(r, val_sub[i][digit >> 1])) {
goto err;
+ }
r_is_at_infinity = 0;
} else {
- if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
+ if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx)) {
goto err;
+ }
}
}
}
@@ -617,42 +621,37 @@
}
if (r_is_at_infinity) {
- if (!EC_POINT_set_to_infinity(group, r))
+ if (!EC_POINT_set_to_infinity(group, r)) {
goto err;
- } else {
- if (r_is_inverted)
- if (!EC_POINT_invert(group, r, ctx))
- goto err;
+ }
+ } else if (r_is_inverted && !EC_POINT_invert(group, r, ctx)) {
+ goto err;
}
ret = 1;
err:
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- if (tmp != NULL)
- EC_POINT_free(tmp);
- if (wsize != NULL)
- OPENSSL_free(wsize);
- if (wNAF_len != NULL)
- OPENSSL_free(wNAF_len);
+ BN_CTX_free(new_ctx);
+ EC_POINT_free(tmp);
+ OPENSSL_free(wsize);
+ OPENSSL_free(wNAF_len);
if (wNAF != NULL) {
signed char **w;
- for (w = wNAF; *w != NULL; w++)
+ for (w = wNAF; *w != NULL; w++) {
OPENSSL_free(*w);
+ }
OPENSSL_free(wNAF);
}
if (val != NULL) {
- for (v = val; *v != NULL; v++)
+ for (v = val; *v != NULL; v++) {
EC_POINT_clear_free(*v);
+ }
OPENSSL_free(val);
}
- if (val_sub != NULL) {
- OPENSSL_free(val_sub);
- }
+ OPENSSL_free(val_sub);
return ret;
}
@@ -690,33 +689,36 @@
int ret = 0;
/* if there is an old EC_PRE_COMP object, throw it away */
- if (group->pre_comp) {
- ec_pre_comp_free(group->pre_comp);
- group->pre_comp = NULL;
- }
-
- if ((pre_comp = ec_pre_comp_new(group)) == NULL)
- return 0;
+ ec_pre_comp_free(group->pre_comp);
+ group->pre_comp = NULL;
generator = EC_GROUP_get0_generator(group);
if (generator == NULL) {
OPENSSL_PUT_ERROR(EC, ec_wNAF_precompute_mult, EC_R_UNDEFINED_GENERATOR);
- goto err;
+ return 0;
+ }
+
+ pre_comp = ec_pre_comp_new();
+ if (pre_comp == NULL) {
+ return 0;
}
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
- if (ctx == NULL)
+ if (ctx == NULL) {
goto err;
+ }
}
BN_CTX_start(ctx);
order = BN_CTX_get(ctx);
- if (order == NULL)
+ if (order == NULL) {
goto err;
+ }
- if (!EC_GROUP_get_order(group, order, ctx))
+ if (!EC_GROUP_get_order(group, order, ctx)) {
goto err;
+ }
if (BN_is_zero(order)) {
OPENSSL_PUT_ERROR(EC, ec_wNAF_precompute_mult, EC_R_UNKNOWN_ORDER);
goto err;
@@ -764,23 +766,27 @@
goto err;
}
- if (!EC_POINT_copy(base, generator))
+ if (!EC_POINT_copy(base, generator)) {
goto err;
+ }
/* do the precomputation */
for (i = 0; i < numblocks; i++) {
size_t j;
- if (!EC_POINT_dbl(group, tmp_point, base, ctx))
+ if (!EC_POINT_dbl(group, tmp_point, base, ctx)) {
goto err;
+ }
- if (!EC_POINT_copy(*var++, base))
+ if (!EC_POINT_copy(*var++, base)) {
goto err;
+ }
for (j = 1; j < pre_points_per_block; j++, var++) {
/* calculate odd multiples of the current base point */
- if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx))
+ if (!EC_POINT_add(group, *var, tmp_point, *(var - 1), ctx)) {
goto err;
+ }
}
if (i < numblocks - 1) {
@@ -792,19 +798,21 @@
goto err;
}
- if (!EC_POINT_dbl(group, base, tmp_point, ctx))
+ if (!EC_POINT_dbl(group, base, tmp_point, ctx)) {
goto err;
+ }
for (k = 2; k < blocksize; k++) {
- if (!EC_POINT_dbl(group, base, base, ctx))
+ if (!EC_POINT_dbl(group, base, base, ctx)) {
goto err;
+ }
}
}
}
- if (!EC_POINTs_make_affine(group, num, points, ctx))
+ if (!EC_POINTs_make_affine(group, num, points, ctx)) {
goto err;
+ }
- pre_comp->group = group;
pre_comp->blocksize = blocksize;
pre_comp->numblocks = numblocks;
pre_comp->w = w;
@@ -818,23 +826,21 @@
ret = 1;
err:
- if (ctx != NULL)
+ if (ctx != NULL) {
BN_CTX_end(ctx);
- if (new_ctx != NULL)
- BN_CTX_free(new_ctx);
- if (pre_comp)
- ec_pre_comp_free(pre_comp);
+ }
+ BN_CTX_free(new_ctx);
+ ec_pre_comp_free(pre_comp);
if (points) {
EC_POINT **p;
- for (p = points; *p != NULL; p++)
+ for (p = points; *p != NULL; p++) {
EC_POINT_free(*p);
+ }
OPENSSL_free(points);
}
- if (tmp_point)
- EC_POINT_free(tmp_point);
- if (base)
- EC_POINT_free(base);
+ EC_POINT_free(tmp_point);
+ EC_POINT_free(base);
return ret;
}
diff --git a/src/crypto/ecdh/CMakeLists.txt b/src/crypto/ecdh/CMakeLists.txt
index b312148..346e72d 100644
--- a/src/crypto/ecdh/CMakeLists.txt
+++ b/src/crypto/ecdh/CMakeLists.txt
@@ -6,5 +6,4 @@
OBJECT
ecdh.c
- ecdh_error.c
)
diff --git a/src/crypto/ecdh/ecdh.c b/src/crypto/ecdh/ecdh.c
index d4497f1..a011bab 100644
--- a/src/crypto/ecdh/ecdh.c
+++ b/src/crypto/ecdh/ecdh.c
@@ -145,13 +145,17 @@
}
err:
- if (tmp)
+ if (tmp) {
EC_POINT_free(tmp);
- if (ctx)
+ }
+ if (ctx) {
BN_CTX_end(ctx);
- if (ctx)
+ }
+ if (ctx) {
BN_CTX_free(ctx);
- if (buf)
+ }
+ if (buf) {
OPENSSL_free(buf);
+ }
return ret;
}
diff --git a/src/crypto/ecdh/ecdh_error.c b/src/crypto/ecdh/ecdh_error.c
deleted file mode 100644
index 8ba1854..0000000
--- a/src/crypto/ecdh/ecdh_error.c
+++ /dev/null
@@ -1,25 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/ecdh.h>
-
-const ERR_STRING_DATA ECDH_error_string_data[] = {
- {ERR_PACK(ERR_LIB_ECDH, ECDH_F_ECDH_compute_key, 0), "ECDH_compute_key"},
- {ERR_PACK(ERR_LIB_ECDH, 0, ECDH_R_KDF_FAILED), "KDF_FAILED"},
- {ERR_PACK(ERR_LIB_ECDH, 0, ECDH_R_NO_PRIVATE_VALUE), "NO_PRIVATE_VALUE"},
- {ERR_PACK(ERR_LIB_ECDH, 0, ECDH_R_POINT_ARITHMETIC_FAILURE), "POINT_ARITHMETIC_FAILURE"},
- {0, NULL},
-};
diff --git a/src/crypto/ecdsa/CMakeLists.txt b/src/crypto/ecdsa/CMakeLists.txt
index 4bddd27..c8645d1 100644
--- a/src/crypto/ecdsa/CMakeLists.txt
+++ b/src/crypto/ecdsa/CMakeLists.txt
@@ -7,14 +7,13 @@
ecdsa.c
ecdsa_asn1.c
- ecdsa_error.c
)
add_executable(
ecdsa_test
- ecdsa_test.c
+ ecdsa_test.cc
)
target_link_libraries(ecdsa_test crypto)
diff --git a/src/crypto/ecdsa/ecdsa.c b/src/crypto/ecdsa/ecdsa.c
index d389799..b71799e 100644
--- a/src/crypto/ecdsa/ecdsa.c
+++ b/src/crypto/ecdsa/ecdsa.c
@@ -57,7 +57,6 @@
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/mem.h>
-#include <openssl/thread.h>
#include "../ec/internal.h"
@@ -98,12 +97,8 @@
ret = ECDSA_do_verify(digest, digest_len, s, eckey);
err:
- if (der != NULL) {
- OPENSSL_free(der);
- }
- if (s != NULL) {
- ECDSA_SIG_free(s);
- }
+ OPENSSL_free(der);
+ ECDSA_SIG_free(s);
return ret;
}
@@ -232,9 +227,7 @@
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
- if (point) {
- EC_POINT_free(point);
- }
+ EC_POINT_free(point);
return ret;
}
@@ -334,12 +327,8 @@
goto err;
}
/* clear old values if necessary */
- if (*rp != NULL) {
- BN_clear_free(*rp);
- }
- if (*kinvp != NULL) {
- BN_clear_free(*kinvp);
- }
+ BN_clear_free(*rp);
+ BN_clear_free(*kinvp);
/* save the pre-computed values */
*rp = r;
@@ -348,21 +337,15 @@
err:
if (!ret) {
- if (k != NULL) {
- BN_clear_free(k);
- }
- if (r != NULL) {
- BN_clear_free(r);
- }
+ BN_clear_free(k);
+ BN_clear_free(r);
}
- if (ctx_in == NULL)
+ if (ctx_in == NULL) {
BN_CTX_free(ctx);
- if (order != NULL)
- BN_free(order);
- if (tmp_point != NULL)
- EC_POINT_free(tmp_point);
- if (X)
- BN_clear_free(X);
+ }
+ BN_free(order);
+ EC_POINT_free(tmp_point);
+ BN_clear_free(X);
return ret;
}
@@ -461,16 +444,11 @@
ECDSA_SIG_free(ret);
ret = NULL;
}
- if (ctx)
- BN_CTX_free(ctx);
- if (m)
- BN_clear_free(m);
- if (tmp)
- BN_clear_free(tmp);
- if (order)
- BN_free(order);
- if (kinv)
- BN_clear_free(kinv);
+ BN_CTX_free(ctx);
+ BN_clear_free(m);
+ BN_clear_free(tmp);
+ BN_free(order);
+ BN_clear_free(kinv);
return ret;
}
diff --git a/src/crypto/ecdsa/ecdsa_asn1.c b/src/crypto/ecdsa/ecdsa_asn1.c
index b3c6a87..f557ca7 100644
--- a/src/crypto/ecdsa/ecdsa_asn1.c
+++ b/src/crypto/ecdsa/ecdsa_asn1.c
@@ -55,6 +55,7 @@
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/ec_key.h>
+#include <openssl/mem.h>
#include "../ec/internal.h"
@@ -67,7 +68,7 @@
ASN1_SIMPLE(ECDSA_SIG, s, CBIGNUM),
} ASN1_SEQUENCE_END(ECDSA_SIG);
-IMPLEMENT_ASN1_FUNCTIONS_const(ECDSA_SIG);
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(ECDSA_SIG, ECDSA_SIG, ECDSA_SIG);
size_t ECDSA_size(const EC_KEY *key) {
size_t ret, i, group_order_size;
@@ -114,3 +115,27 @@
BN_clear_free(order);
return ret;
}
+
+ECDSA_SIG *ECDSA_SIG_new(void) {
+ ECDSA_SIG *sig = OPENSSL_malloc(sizeof(ECDSA_SIG));
+ if (sig == NULL) {
+ return NULL;
+ }
+ sig->r = BN_new();
+ sig->s = BN_new();
+ if (sig->r == NULL || sig->s == NULL) {
+ ECDSA_SIG_free(sig);
+ return NULL;
+ }
+ return sig;
+}
+
+void ECDSA_SIG_free(ECDSA_SIG *sig) {
+ if (sig == NULL) {
+ return;
+ }
+
+ BN_free(sig->r);
+ BN_free(sig->s);
+ OPENSSL_free(sig);
+}
diff --git a/src/crypto/ecdsa/ecdsa_error.c b/src/crypto/ecdsa/ecdsa_error.c
deleted file mode 100644
index cbd69ce..0000000
--- a/src/crypto/ecdsa/ecdsa_error.c
+++ /dev/null
@@ -1,32 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/ecdsa.h>
-
-const ERR_STRING_DATA ECDSA_error_string_data[] = {
- {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ECDSA_do_sign_ex, 0), "ECDSA_do_sign_ex"},
- {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ECDSA_do_verify, 0), "ECDSA_do_verify"},
- {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ECDSA_sign_ex, 0), "ECDSA_sign_ex"},
- {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ECDSA_sign_setup, 0), "ECDSA_sign_setup"},
- {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_digest_to_bn, 0), "digest_to_bn"},
- {ERR_PACK(ERR_LIB_ECDSA, ECDSA_F_ecdsa_sign_setup, 0), "ecdsa_sign_setup"},
- {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_BAD_SIGNATURE), "BAD_SIGNATURE"},
- {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_MISSING_PARAMETERS), "MISSING_PARAMETERS"},
- {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_NEED_NEW_SETUP_VALUES), "NEED_NEW_SETUP_VALUES"},
- {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_NOT_IMPLEMENTED), "NOT_IMPLEMENTED"},
- {ERR_PACK(ERR_LIB_ECDSA, 0, ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED), "RANDOM_NUMBER_GENERATION_FAILED"},
- {0, NULL},
-};
diff --git a/src/crypto/ecdsa/ecdsa_test.c b/src/crypto/ecdsa/ecdsa_test.c
deleted file mode 100644
index d48f9c3..0000000
--- a/src/crypto/ecdsa/ecdsa_test.c
+++ /dev/null
@@ -1,328 +0,0 @@
-/* ====================================================================
- * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/ecdsa.h>
-
-#include <openssl/bio.h>
-#include <openssl/bn.h>
-#include <openssl/crypto.h>
-#include <openssl/ec.h>
-#include <openssl/err.h>
-#include <openssl/mem.h>
-#include <openssl/obj.h>
-#include <openssl/rand.h>
-
-
-int test_builtin(BIO *out) {
- size_t n = 0;
- EC_KEY *eckey = NULL, *wrong_eckey = NULL;
- EC_GROUP *group;
- BIGNUM *order = NULL;
- ECDSA_SIG *ecdsa_sig = NULL;
- unsigned char digest[20], wrong_digest[20];
- unsigned char *signature = NULL;
- const unsigned char *sig_ptr;
- unsigned char *sig_ptr2;
- unsigned char *raw_buf = NULL;
- unsigned int sig_len, r_len, s_len, bn_len, buf_len;
- int nid, ret = 0;
-
- /* fill digest values with some random data */
- if (!RAND_bytes(digest, 20) || !RAND_bytes(wrong_digest, 20)) {
- BIO_printf(out, "ERROR: unable to get random data\n");
- goto builtin_err;
- }
-
- order = BN_new();
- if (order == NULL) {
- goto builtin_err;
- }
-
- /* create and verify a ecdsa signature with every availble curve
- * (with ) */
- BIO_printf(out,
- "\ntesting ECDSA_sign() and ECDSA_verify() "
- "with some internal curves:\n");
-
- static const int kCurveNIDs[] = {NID_secp224r1, NID_X9_62_prime256v1,
- NID_secp384r1, NID_secp521r1, NID_undef};
-
- /* now create and verify a signature for every curve */
- for (n = 0; kCurveNIDs[n] != NID_undef; n++) {
- unsigned char dirt, offset;
-
- nid = kCurveNIDs[n];
- /* create new ecdsa key (== EC_KEY) */
- eckey = EC_KEY_new();
- if (eckey == NULL) {
- goto builtin_err;
- }
- group = EC_GROUP_new_by_curve_name(nid);
- if (group == NULL) {
- goto builtin_err;
- }
- if (!EC_KEY_set_group(eckey, group)) {
- goto builtin_err;
- }
- EC_GROUP_free(group);
- if (!EC_GROUP_get_order(EC_KEY_get0_group(eckey), order, NULL)) {
- goto builtin_err;
- }
- if (BN_num_bits(order) < 160) {
- /* Too small to test. */
- EC_KEY_free(eckey);
- eckey = NULL;
- continue;
- }
-
- BIO_printf(out, "%s: ", OBJ_nid2sn(nid));
- /* create key */
- if (!EC_KEY_generate_key(eckey)) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- /* create second key */
- wrong_eckey = EC_KEY_new();
- if (wrong_eckey == NULL) {
- goto builtin_err;
- }
- group = EC_GROUP_new_by_curve_name(nid);
- if (group == NULL) {
- goto builtin_err;
- }
- if (EC_KEY_set_group(wrong_eckey, group) == 0) {
- goto builtin_err;
- }
- EC_GROUP_free(group);
- if (!EC_KEY_generate_key(wrong_eckey)) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
-
- BIO_printf(out, ".");
- (void)BIO_flush(out);
- /* check key */
- if (!EC_KEY_check_key(eckey)) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- BIO_printf(out, ".");
- (void)BIO_flush(out);
- /* create signature */
- sig_len = ECDSA_size(eckey);
- signature = OPENSSL_malloc(sig_len);
- if (signature == NULL) {
- goto builtin_err;
- }
- if (!ECDSA_sign(0, digest, 20, signature, &sig_len, eckey)) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- BIO_printf(out, ".");
- (void)BIO_flush(out);
- /* verify signature */
- if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- BIO_printf(out, ".");
- (void)BIO_flush(out);
- /* verify signature with the wrong key */
- if (ECDSA_verify(0, digest, 20, signature, sig_len, wrong_eckey) == 1) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- BIO_printf(out, ".");
- (void)BIO_flush(out);
- /* wrong digest */
- if (ECDSA_verify(0, wrong_digest, 20, signature, sig_len, eckey) == 1) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- BIO_printf(out, ".");
- (void)BIO_flush(out);
- /* wrong length */
- if (ECDSA_verify(0, digest, 20, signature, sig_len - 1, eckey) == 1) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- BIO_printf(out, ".");
- (void)BIO_flush(out);
-
- /* Modify a single byte of the signature: to ensure we don't
- * garble the ASN1 structure, we read the raw signature and
- * modify a byte in one of the bignums directly. */
- sig_ptr = signature;
- ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len);
- if (ecdsa_sig == NULL) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
-
- /* Store the two BIGNUMs in raw_buf. */
- r_len = BN_num_bytes(ecdsa_sig->r);
- s_len = BN_num_bytes(ecdsa_sig->s);
- bn_len = BN_num_bytes(order);
- if (r_len > bn_len || s_len > bn_len) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- buf_len = 2 * bn_len;
- raw_buf = OPENSSL_malloc(2 * bn_len);
- if (raw_buf == NULL) {
- goto builtin_err;
- }
- /* Pad the bignums with leading zeroes. */
- if (!BN_bn2bin_padded(raw_buf, bn_len, ecdsa_sig->r) ||
- !BN_bn2bin_padded(raw_buf + bn_len, bn_len, ecdsa_sig->s)) {
- goto builtin_err;
- }
-
- /* Modify a single byte in the buffer. */
- offset = raw_buf[10] % buf_len;
- dirt = raw_buf[11] ? raw_buf[11] : 1;
- raw_buf[offset] ^= dirt;
- /* Now read the BIGNUMs back in from raw_buf. */
- if (BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL ||
- BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL) {
- goto builtin_err;
- }
-
- sig_ptr2 = signature;
- sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
- if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- /* Sanity check: undo the modification and verify signature. */
- raw_buf[offset] ^= dirt;
- if (BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL ||
- BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL) {
- goto builtin_err;
- }
-
- sig_ptr2 = signature;
- sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
- if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1) {
- BIO_printf(out, " failed\n");
- goto builtin_err;
- }
- BIO_printf(out, ".");
- (void)BIO_flush(out);
-
- BIO_printf(out, " ok\n");
- /* cleanup */
- /* clean bogus errors */
- ERR_clear_error();
- OPENSSL_free(signature);
- signature = NULL;
- EC_KEY_free(eckey);
- eckey = NULL;
- EC_KEY_free(wrong_eckey);
- wrong_eckey = NULL;
- ECDSA_SIG_free(ecdsa_sig);
- ecdsa_sig = NULL;
- OPENSSL_free(raw_buf);
- raw_buf = NULL;
- }
-
- ret = 1;
-builtin_err:
- if (eckey) {
- EC_KEY_free(eckey);
- }
- if (order) {
- BN_free(order);
- }
- if (wrong_eckey) {
- EC_KEY_free(wrong_eckey);
- }
- if (ecdsa_sig) {
- ECDSA_SIG_free(ecdsa_sig);
- }
- if (signature) {
- OPENSSL_free(signature);
- }
- if (raw_buf) {
- OPENSSL_free(raw_buf);
- }
-
- return ret;
-}
-
-int main(void) {
- int ret = 1;
- BIO *out;
-
- CRYPTO_library_init();
- ERR_load_crypto_strings();
-
- out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
- if (!test_builtin(out))
- goto err;
-
- ret = 0;
-
-err:
- if (ret)
- BIO_printf(out, "\nECDSA test failed\n");
- else
- BIO_printf(out, "\nPASS\n");
- if (ret)
- BIO_print_errors(out);
-
- if (out != NULL)
- BIO_free(out);
-
- return ret;
-}
diff --git a/src/crypto/ecdsa/ecdsa_test.cc b/src/crypto/ecdsa/ecdsa_test.cc
new file mode 100644
index 0000000..a6bd7a1
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa_test.cc
@@ -0,0 +1,340 @@
+/* ====================================================================
+ * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#include <openssl/ecdsa.h>
+
+#include <vector>
+
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/obj.h>
+#include <openssl/rand.h>
+
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+enum Api {
+ kEncodedApi,
+ kRawApi,
+};
+
+// VerifyECDSASig returns true on success, false on failure.
+static bool VerifyECDSASig(Api api, const uint8_t *digest,
+ size_t digest_len, const ECDSA_SIG *ecdsa_sig,
+ EC_KEY *eckey, int expected_result) {
+ int actual_result;
+
+ switch (api) {
+ case kEncodedApi: {
+ int sig_len = i2d_ECDSA_SIG(ecdsa_sig, NULL);
+ if (sig_len <= 0) {
+ return false;
+ }
+ std::vector<uint8_t> signature(static_cast<size_t>(sig_len));
+ uint8_t *sig_ptr = bssl::vector_data(&signature);
+ sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
+ if (sig_len <= 0) {
+ return false;
+ }
+ actual_result = ECDSA_verify(0, digest, digest_len, bssl::vector_data(&signature),
+ signature.size(), eckey);
+ break;
+ }
+
+ case kRawApi:
+ actual_result = ECDSA_do_verify(digest, digest_len, ecdsa_sig, eckey);
+ break;
+
+ default:
+ return false;
+ }
+ return expected_result == actual_result;
+}
+
+// TestTamperedSig verifies that signature verification fails when a valid
+// signature is tampered with. |ecdsa_sig| must be a valid signature, which will
+// be modified. TestTamperedSig returns true on success, false on failure.
+static bool TestTamperedSig(FILE *out, Api api, const uint8_t *digest,
+ size_t digest_len, ECDSA_SIG *ecdsa_sig,
+ EC_KEY *eckey, const BIGNUM *order) {
+ // Modify a single byte of the signature: to ensure we don't
+ // garble the ASN1 structure, we read the raw signature and
+ // modify a byte in one of the bignums directly.
+
+ // Store the two BIGNUMs in raw_buf.
+ size_t r_len = BN_num_bytes(ecdsa_sig->r);
+ size_t s_len = BN_num_bytes(ecdsa_sig->s);
+ size_t bn_len = BN_num_bytes(order);
+ if (r_len > bn_len || s_len > bn_len) {
+ return false;
+ }
+ size_t buf_len = 2 * bn_len;
+ std::vector<uint8_t> raw_buf(buf_len);
+ // Pad the bignums with leading zeroes.
+ if (!BN_bn2bin_padded(bssl::vector_data(&raw_buf), bn_len, ecdsa_sig->r) ||
+ !BN_bn2bin_padded(bssl::vector_data(&raw_buf) + bn_len, bn_len,
+ ecdsa_sig->s)) {
+ return false;
+ }
+
+ // Modify a single byte in the buffer.
+ size_t offset = raw_buf[10] % buf_len;
+ uint8_t dirt = raw_buf[11] ? raw_buf[11] : 1;
+ raw_buf[offset] ^= dirt;
+ // Now read the BIGNUMs back in from raw_buf.
+ if (BN_bin2bn(bssl::vector_data(&raw_buf), bn_len, ecdsa_sig->r) == NULL ||
+ BN_bin2bn(bssl::vector_data(&raw_buf) + bn_len, bn_len,
+ ecdsa_sig->s) == NULL ||
+ !VerifyECDSASig(api, digest, digest_len, ecdsa_sig, eckey, 0)) {
+ return false;
+ }
+
+ // Sanity check: Undo the modification and verify signature.
+ raw_buf[offset] ^= dirt;
+ if (BN_bin2bn(bssl::vector_data(&raw_buf), bn_len, ecdsa_sig->r) == NULL ||
+ BN_bin2bn(bssl::vector_data(&raw_buf) + bn_len, bn_len,
+ ecdsa_sig->s) == NULL ||
+ !VerifyECDSASig(api, digest, digest_len, ecdsa_sig, eckey, 1)) {
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestBuiltin(FILE *out) {
+ // Fill digest values with some random data.
+ uint8_t digest[20], wrong_digest[20];
+ if (!RAND_bytes(digest, 20) || !RAND_bytes(wrong_digest, 20)) {
+ fprintf(out, "ERROR: unable to get random data\n");
+ return false;
+ }
+
+ static const struct {
+ int nid;
+ const char *name;
+ } kCurves[] = {
+ { NID_secp224r1, "secp224r1" },
+ { NID_X9_62_prime256v1, "secp256r1" },
+ { NID_secp384r1, "secp384r1" },
+ { NID_secp521r1, "secp521r1" },
+ { NID_undef, NULL }
+ };
+
+ // Create and verify ECDSA signatures with every available curve.
+ fputs("\ntesting ECDSA_sign(), ECDSA_verify(), ECDSA_do_sign(), and "
+ "ECDSA_do_verify() with some internal curves:\n", out);
+
+ for (size_t n = 0; kCurves[n].nid != NID_undef; n++) {
+ fprintf(out, "%s: ", kCurves[n].name);
+
+ int nid = kCurves[n].nid;
+ ScopedEC_GROUP group(EC_GROUP_new_by_curve_name(nid));
+ if (!group) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ ScopedBIGNUM order(BN_new());
+ if (!order || !EC_GROUP_get_order(group.get(), order.get(), NULL)) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ if (BN_num_bits(order.get()) < 160) {
+ // Too small to test.
+ fprintf(out, " skipped\n");
+ continue;
+ }
+
+ // Create a new ECDSA key.
+ ScopedEC_KEY eckey(EC_KEY_new());
+ if (!eckey || !EC_KEY_set_group(eckey.get(), group.get()) ||
+ !EC_KEY_generate_key(eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ // Create a second key.
+ ScopedEC_KEY wrong_eckey(EC_KEY_new());
+ if (!wrong_eckey || !EC_KEY_set_group(wrong_eckey.get(), group.get()) ||
+ !EC_KEY_generate_key(wrong_eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+
+ fprintf(out, ".");
+ fflush(out);
+
+ // Check the key.
+ if (!EC_KEY_check_key(eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+
+ // Test ASN.1-encoded signatures.
+ // Create a signature.
+ unsigned sig_len = ECDSA_size(eckey.get());
+ std::vector<uint8_t> signature(sig_len);
+ if (!ECDSA_sign(0, digest, 20, bssl::vector_data(&signature), &sig_len,
+ eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ signature.resize(sig_len);
+ fprintf(out, ".");
+ fflush(out);
+ // Verify the signature.
+ if (!ECDSA_verify(0, digest, 20, bssl::vector_data(&signature),
+ signature.size(), eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+ // Verify the signature with the wrong key.
+ if (ECDSA_verify(0, digest, 20, bssl::vector_data(&signature),
+ signature.size(), wrong_eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+ // Verify the signature using the wrong digest.
+ if (ECDSA_verify(0, wrong_digest, 20, bssl::vector_data(&signature),
+ signature.size(), eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+ // Verify a truncated signature.
+ if (ECDSA_verify(0, digest, 20, bssl::vector_data(&signature),
+ signature.size() - 1, eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+ // Verify a tampered signature.
+ const uint8_t *sig_ptr = bssl::vector_data(&signature);
+ ScopedECDSA_SIG ecdsa_sig(d2i_ECDSA_SIG(NULL, &sig_ptr, signature.size()));
+ if (!ecdsa_sig ||
+ !TestTamperedSig(out, kEncodedApi, digest, 20, ecdsa_sig.get(),
+ eckey.get(), order.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+
+ // Test ECDSA_SIG signing and verification.
+ // Create a signature.
+ ecdsa_sig.reset(ECDSA_do_sign(digest, 20, eckey.get()));
+ if (!ecdsa_sig) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+ // Verify the signature using the correct key.
+ if (!ECDSA_do_verify(digest, 20, ecdsa_sig.get(), eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+ // Verify the signature with the wrong key.
+ if (ECDSA_do_verify(digest, 20, ecdsa_sig.get(), wrong_eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+ // Verify the signature using the wrong digest.
+ if (ECDSA_do_verify(wrong_digest, 20, ecdsa_sig.get(), eckey.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+ // Verify a tampered signature.
+ if (!TestTamperedSig(out, kRawApi, digest, 20, ecdsa_sig.get(), eckey.get(),
+ order.get())) {
+ fprintf(out, " failed\n");
+ return false;
+ }
+ fprintf(out, ".");
+ fflush(out);
+
+ fprintf(out, " ok\n");
+ // Clear bogus errors.
+ ERR_clear_error();
+ }
+
+ return true;
+}
+
+int main(void) {
+ CRYPTO_library_init();
+ ERR_load_crypto_strings();
+
+ if (!TestBuiltin(stdout)) {
+ printf("\nECDSA test failed\n");
+ ERR_print_errors_fp(stdout);
+ return 1;
+ }
+
+ printf("\nPASS\n");
+ return 0;
+}
diff --git a/src/crypto/engine/CMakeLists.txt b/src/crypto/engine/CMakeLists.txt
index cea6566..e03650e 100644
--- a/src/crypto/engine/CMakeLists.txt
+++ b/src/crypto/engine/CMakeLists.txt
@@ -6,5 +6,4 @@
OBJECT
engine.c
- engine_error.c
)
diff --git a/src/crypto/engine/engine.c b/src/crypto/engine/engine.c
index 5b8cf1c..6c3300d 100644
--- a/src/crypto/engine/engine.c
+++ b/src/crypto/engine/engine.c
@@ -15,6 +15,7 @@
#include <openssl/engine.h>
#include <string.h>
+#include <assert.h>
#include <openssl/dh.h>
#include <openssl/dsa.h>
@@ -43,33 +44,23 @@
}
void ENGINE_free(ENGINE *engine) {
- if (engine->dh_method != NULL) {
- METHOD_unref(engine->dh_method);
- }
-
+ /* Methods are currently required to be static so are not unref'ed. */
OPENSSL_free(engine);
}
/* set_method takes a pointer to a method and its given size and sets
- * |*out_member| to point to a copy of it. The copy is |compiled_size| bytes
- * long and has zero padding if needed. */
+ * |*out_member| to point to it. This function might want to be extended in the
+ * future to support making a copy of the method so that a stable ABI for
+ * ENGINEs can be supported. But, for the moment, all *_METHODS must be
+ * static. */
static int set_method(void **out_member, const void *method, size_t method_size,
size_t compiled_size) {
- void *copy = OPENSSL_malloc(compiled_size);
- if (copy == NULL) {
+ const struct openssl_method_common_st *common = method;
+ if (method_size != compiled_size || !common->is_static) {
return 0;
}
- memset(copy, 0, compiled_size);
-
- if (method_size > compiled_size) {
- method_size = compiled_size;
- }
- memcpy(copy, method, method_size);
-
- METHOD_unref(*out_member);
- *out_member = copy;
-
+ *out_member = (void*) method;
return 1;
}
@@ -114,25 +105,16 @@
}
void METHOD_ref(void *method_in) {
- struct openssl_method_common_st *method = method_in;
-
- if (method->is_static) {
- return;
- }
-
- CRYPTO_add(&method->references, 1, CRYPTO_LOCK_ENGINE);
+ assert(((struct openssl_method_common_st*) method_in)->is_static);
}
void METHOD_unref(void *method_in) {
struct openssl_method_common_st *method = method_in;
- if (method == NULL || method->is_static) {
+ if (method == NULL) {
return;
}
-
- if (CRYPTO_add(&method->references, -1, CRYPTO_LOCK_ENGINE) == 0) {
- OPENSSL_free(method);
- }
+ assert(method->is_static);
}
OPENSSL_DECLARE_ERROR_REASON(ENGINE, OPERATION_NOT_SUPPORTED);
diff --git a/src/crypto/engine/engine_error.c b/src/crypto/engine/engine_error.c
deleted file mode 100644
index 9f65f70..0000000
--- a/src/crypto/engine/engine_error.c
+++ /dev/null
@@ -1,22 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/engine.h>
-
-const ERR_STRING_DATA ENGINE_error_string_data[] = {
- {ERR_PACK(ERR_LIB_ENGINE, 0, ENGINE_R_OPERATION_NOT_SUPPORTED), "OPERATION_NOT_SUPPORTED"},
- {0, NULL},
-};
diff --git a/src/crypto/err/CMakeLists.txt b/src/crypto/err/CMakeLists.txt
index 53dccea..89f96bd 100644
--- a/src/crypto/err/CMakeLists.txt
+++ b/src/crypto/err/CMakeLists.txt
@@ -1,18 +1,49 @@
include_directories(. .. ../../include)
+add_custom_command(
+ OUTPUT err_data.c
+ COMMAND ${GO_EXECUTABLE} run err_data_generate.go > ${CMAKE_CURRENT_BINARY_DIR}/err_data.c
+ DEPENDS
+ err_data_generate.go
+ asn1.errordata
+ bio.errordata
+ bn.errordata
+ buf.errordata
+ cipher.errordata
+ conf.errordata
+ crypto.errordata
+ dh.errordata
+ digest.errordata
+ dsa.errordata
+ ecdh.errordata
+ ecdsa.errordata
+ ec.errordata
+ engine.errordata
+ evp.errordata
+ hkdf.errordata
+ obj.errordata
+ pem.errordata
+ pkcs8.errordata
+ rsa.errordata
+ ssl.errordata
+ x509.errordata
+ x509v3.errordata
+ WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+)
+
add_library(
err
OBJECT
err.c
- err_impl.c
+ err_data.c
)
add_executable(
err_test
- err_test.c
+ err_test.cc
)
target_link_libraries(err_test crypto)
diff --git a/src/crypto/err/asn1.errordata b/src/crypto/err/asn1.errordata
new file mode 100644
index 0000000..44b9c73
--- /dev/null
+++ b/src/crypto/err/asn1.errordata
@@ -0,0 +1,152 @@
+ASN1,function,100,ASN1_BIT_STRING_set_bit
+ASN1,function,101,ASN1_ENUMERATED_set
+ASN1,function,102,ASN1_ENUMERATED_to_BN
+ASN1,function,103,ASN1_GENERALIZEDTIME_adj
+ASN1,function,104,ASN1_INTEGER_set
+ASN1,function,105,ASN1_INTEGER_to_BN
+ASN1,function,106,ASN1_OBJECT_new
+ASN1,function,107,ASN1_PCTX_new
+ASN1,function,108,ASN1_STRING_TABLE_add
+ASN1,function,109,ASN1_STRING_set
+ASN1,function,110,ASN1_STRING_type_new
+ASN1,function,111,ASN1_TIME_adj
+ASN1,function,112,ASN1_UTCTIME_adj
+ASN1,function,113,ASN1_d2i_fp
+ASN1,function,114,ASN1_dup
+ASN1,function,115,ASN1_generate_v3
+ASN1,function,116,ASN1_get_object
+ASN1,function,117,ASN1_i2d_bio
+ASN1,function,118,ASN1_i2d_fp
+ASN1,function,119,ASN1_item_d2i_fp
+ASN1,function,120,ASN1_item_dup
+ASN1,function,121,ASN1_item_ex_d2i
+ASN1,function,122,ASN1_item_i2d_bio
+ASN1,function,123,ASN1_item_i2d_fp
+ASN1,function,124,ASN1_item_pack
+ASN1,function,125,ASN1_item_unpack
+ASN1,function,126,ASN1_mbstring_ncopy
+ASN1,function,127,ASN1_template_new
+ASN1,function,128,BIO_new_NDEF
+ASN1,function,129,BN_to_ASN1_ENUMERATED
+ASN1,function,130,BN_to_ASN1_INTEGER
+ASN1,function,131,a2d_ASN1_OBJECT
+ASN1,function,132,a2i_ASN1_ENUMERATED
+ASN1,function,133,a2i_ASN1_INTEGER
+ASN1,function,134,a2i_ASN1_STRING
+ASN1,function,135,append_exp
+ASN1,function,136,asn1_cb
+ASN1,function,137,asn1_check_tlen
+ASN1,function,138,asn1_collate_primitive
+ASN1,function,139,asn1_collect
+ASN1,function,140,asn1_d2i_ex_primitive
+ASN1,function,141,asn1_d2i_read_bio
+ASN1,function,142,asn1_do_adb
+ASN1,function,143,asn1_ex_c2i
+ASN1,function,144,asn1_find_end
+ASN1,function,145,asn1_item_ex_combine_new
+ASN1,function,146,asn1_str2type
+ASN1,function,147,asn1_template_ex_d2i
+ASN1,function,148,asn1_template_noexp_d2i
+ASN1,function,149,bitstr_cb
+ASN1,function,150,c2i_ASN1_BIT_STRING
+ASN1,function,151,c2i_ASN1_INTEGER
+ASN1,function,152,c2i_ASN1_OBJECT
+ASN1,function,153,collect_data
+ASN1,function,154,d2i_ASN1_BOOLEAN
+ASN1,function,155,d2i_ASN1_OBJECT
+ASN1,function,156,d2i_ASN1_UINTEGER
+ASN1,function,157,d2i_ASN1_UTCTIME
+ASN1,function,158,d2i_ASN1_bytes
+ASN1,function,159,d2i_ASN1_type_bytes
+ASN1,function,160,i2d_ASN1_TIME
+ASN1,function,161,i2d_PrivateKey
+ASN1,function,162,long_c2i
+ASN1,function,163,parse_tagging
+ASN1,reason,100,ASN1_LENGTH_MISMATCH
+ASN1,reason,101,AUX_ERROR
+ASN1,reason,102,BAD_GET_ASN1_OBJECT_CALL
+ASN1,reason,103,BAD_OBJECT_HEADER
+ASN1,reason,104,BMPSTRING_IS_WRONG_LENGTH
+ASN1,reason,105,BN_LIB
+ASN1,reason,106,BOOLEAN_IS_WRONG_LENGTH
+ASN1,reason,107,BUFFER_TOO_SMALL
+ASN1,reason,108,DECODE_ERROR
+ASN1,reason,109,DEPTH_EXCEEDED
+ASN1,reason,110,ENCODE_ERROR
+ASN1,reason,111,ERROR_GETTING_TIME
+ASN1,reason,112,EXPECTING_AN_ASN1_SEQUENCE
+ASN1,reason,113,EXPECTING_AN_INTEGER
+ASN1,reason,114,EXPECTING_AN_OBJECT
+ASN1,reason,115,EXPECTING_A_BOOLEAN
+ASN1,reason,116,EXPECTING_A_TIME
+ASN1,reason,117,EXPLICIT_LENGTH_MISMATCH
+ASN1,reason,118,EXPLICIT_TAG_NOT_CONSTRUCTED
+ASN1,reason,119,FIELD_MISSING
+ASN1,reason,120,FIRST_NUM_TOO_LARGE
+ASN1,reason,121,HEADER_TOO_LONG
+ASN1,reason,122,ILLEGAL_BITSTRING_FORMAT
+ASN1,reason,123,ILLEGAL_BOOLEAN
+ASN1,reason,124,ILLEGAL_CHARACTERS
+ASN1,reason,125,ILLEGAL_FORMAT
+ASN1,reason,126,ILLEGAL_HEX
+ASN1,reason,127,ILLEGAL_IMPLICIT_TAG
+ASN1,reason,128,ILLEGAL_INTEGER
+ASN1,reason,129,ILLEGAL_NESTED_TAGGING
+ASN1,reason,130,ILLEGAL_NULL
+ASN1,reason,131,ILLEGAL_NULL_VALUE
+ASN1,reason,132,ILLEGAL_OBJECT
+ASN1,reason,133,ILLEGAL_OPTIONAL_ANY
+ASN1,reason,134,ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE
+ASN1,reason,135,ILLEGAL_TAGGED_ANY
+ASN1,reason,136,ILLEGAL_TIME_VALUE
+ASN1,reason,137,INTEGER_NOT_ASCII_FORMAT
+ASN1,reason,138,INTEGER_TOO_LARGE_FOR_LONG
+ASN1,reason,139,INVALID_BIT_STRING_BITS_LEFT
+ASN1,reason,140,INVALID_BMPSTRING_LENGTH
+ASN1,reason,141,INVALID_DIGIT
+ASN1,reason,142,INVALID_MODIFIER
+ASN1,reason,143,INVALID_NUMBER
+ASN1,reason,144,INVALID_OBJECT_ENCODING
+ASN1,reason,145,INVALID_SEPARATOR
+ASN1,reason,146,INVALID_TIME_FORMAT
+ASN1,reason,147,INVALID_UNIVERSALSTRING_LENGTH
+ASN1,reason,148,INVALID_UTF8STRING
+ASN1,reason,149,LIST_ERROR
+ASN1,reason,150,MALLOC_FAILURE
+ASN1,reason,151,MISSING_ASN1_EOS
+ASN1,reason,152,MISSING_EOC
+ASN1,reason,153,MISSING_SECOND_NUMBER
+ASN1,reason,154,MISSING_VALUE
+ASN1,reason,155,MSTRING_NOT_UNIVERSAL
+ASN1,reason,156,MSTRING_WRONG_TAG
+ASN1,reason,157,NESTED_ASN1_ERROR
+ASN1,reason,158,NESTED_ASN1_STRING
+ASN1,reason,159,NON_HEX_CHARACTERS
+ASN1,reason,160,NOT_ASCII_FORMAT
+ASN1,reason,161,NOT_ENOUGH_DATA
+ASN1,reason,162,NO_MATCHING_CHOICE_TYPE
+ASN1,reason,163,NULL_IS_WRONG_LENGTH
+ASN1,reason,164,OBJECT_NOT_ASCII_FORMAT
+ASN1,reason,165,ODD_NUMBER_OF_CHARS
+ASN1,reason,166,SECOND_NUMBER_TOO_LARGE
+ASN1,reason,167,SEQUENCE_LENGTH_MISMATCH
+ASN1,reason,168,SEQUENCE_NOT_CONSTRUCTED
+ASN1,reason,169,SEQUENCE_OR_SET_NEEDS_CONFIG
+ASN1,reason,170,SHORT_LINE
+ASN1,reason,171,STREAMING_NOT_SUPPORTED
+ASN1,reason,172,STRING_TOO_LONG
+ASN1,reason,173,STRING_TOO_SHORT
+ASN1,reason,174,TAG_VALUE_TOO_HIGH
+ASN1,reason,175,TIME_NOT_ASCII_FORMAT
+ASN1,reason,176,TOO_LONG
+ASN1,reason,177,TYPE_NOT_CONSTRUCTED
+ASN1,reason,178,TYPE_NOT_PRIMITIVE
+ASN1,reason,179,UNEXPECTED_EOC
+ASN1,reason,180,UNIVERSALSTRING_IS_WRONG_LENGTH
+ASN1,reason,181,UNKNOWN_FORMAT
+ASN1,reason,182,UNKNOWN_TAG
+ASN1,reason,183,UNSUPPORTED_ANY_DEFINED_BY_TYPE
+ASN1,reason,184,UNSUPPORTED_PUBLIC_KEY_TYPE
+ASN1,reason,185,UNSUPPORTED_TYPE
+ASN1,reason,186,WRONG_TAG
+ASN1,reason,187,WRONG_TYPE
diff --git a/src/crypto/err/bio.errordata b/src/crypto/err/bio.errordata
new file mode 100644
index 0000000..cd7286a
--- /dev/null
+++ b/src/crypto/err/bio.errordata
@@ -0,0 +1,35 @@
+BIO,function,100,BIO_callback_ctrl
+BIO,function,101,BIO_ctrl
+BIO,function,102,BIO_new
+BIO,function,103,BIO_new_file
+BIO,function,104,BIO_new_mem_buf
+BIO,function,105,BIO_zero_copy_get_read_buf
+BIO,function,106,BIO_zero_copy_get_read_buf_done
+BIO,function,107,BIO_zero_copy_get_write_buf
+BIO,function,108,BIO_zero_copy_get_write_buf_done
+BIO,function,109,bio_io
+BIO,function,110,bio_make_pair
+BIO,function,111,bio_write
+BIO,function,112,buffer_ctrl
+BIO,function,113,conn_ctrl
+BIO,function,114,conn_state
+BIO,function,115,file_ctrl
+BIO,function,116,file_read
+BIO,function,117,mem_write
+BIO,reason,100,BAD_FOPEN_MODE
+BIO,reason,101,BROKEN_PIPE
+BIO,reason,102,CONNECT_ERROR
+BIO,reason,103,ERROR_SETTING_NBIO
+BIO,reason,104,INVALID_ARGUMENT
+BIO,reason,105,IN_USE
+BIO,reason,106,KEEPALIVE
+BIO,reason,107,NBIO_CONNECT_ERROR
+BIO,reason,108,NO_HOSTNAME_SPECIFIED
+BIO,reason,109,NO_PORT_SPECIFIED
+BIO,reason,110,NO_SUCH_FILE
+BIO,reason,111,NULL_PARAMETER
+BIO,reason,112,SYS_LIB
+BIO,reason,113,UNABLE_TO_CREATE_SOCKET
+BIO,reason,114,UNINITIALIZED
+BIO,reason,115,UNSUPPORTED_METHOD
+BIO,reason,116,WRITE_TO_READ_ONLY_BIO
diff --git a/src/crypto/err/bn.errordata b/src/crypto/err/bn.errordata
new file mode 100644
index 0000000..ab74073
--- /dev/null
+++ b/src/crypto/err/bn.errordata
@@ -0,0 +1,42 @@
+BN,function,100,BN_CTX_get
+BN,function,101,BN_CTX_new
+BN,function,102,BN_CTX_start
+BN,function,103,BN_bn2dec
+BN,function,104,BN_bn2hex
+BN,function,105,BN_div
+BN,function,106,BN_div_recp
+BN,function,107,BN_exp
+BN,function,108,BN_generate_dsa_nonce
+BN,function,109,BN_generate_prime_ex
+BN,function,110,BN_mod_exp2_mont
+BN,function,111,BN_mod_exp_mont
+BN,function,112,BN_mod_exp_mont_consttime
+BN,function,113,BN_mod_exp_mont_word
+BN,function,114,BN_mod_inverse
+BN,function,115,BN_mod_inverse_no_branch
+BN,function,116,BN_mod_lshift_quick
+BN,function,117,BN_mod_sqrt
+BN,function,118,BN_new
+BN,function,119,BN_rand
+BN,function,120,BN_rand_range
+BN,function,121,BN_sqrt
+BN,function,122,BN_usub
+BN,function,123,bn_wexpand
+BN,function,124,mod_exp_recp
+BN,reason,100,ARG2_LT_ARG3
+BN,reason,101,BAD_RECIPROCAL
+BN,reason,102,BIGNUM_TOO_LONG
+BN,reason,103,BITS_TOO_SMALL
+BN,reason,104,CALLED_WITH_EVEN_MODULUS
+BN,reason,105,DIV_BY_ZERO
+BN,reason,106,EXPAND_ON_STATIC_BIGNUM_DATA
+BN,reason,107,INPUT_NOT_REDUCED
+BN,reason,108,INVALID_RANGE
+BN,reason,109,NEGATIVE_NUMBER
+BN,reason,110,NOT_A_SQUARE
+BN,reason,111,NOT_INITIALIZED
+BN,reason,112,NO_INVERSE
+BN,reason,113,PRIVATE_KEY_TOO_LARGE
+BN,reason,114,P_IS_NOT_PRIME
+BN,reason,115,TOO_MANY_ITERATIONS
+BN,reason,116,TOO_MANY_TEMPORARY_VARIABLES
diff --git a/src/crypto/err/buf.errordata b/src/crypto/err/buf.errordata
new file mode 100644
index 0000000..01b6c9a
--- /dev/null
+++ b/src/crypto/err/buf.errordata
@@ -0,0 +1,4 @@
+BUF,function,100,BUF_MEM_new
+BUF,function,101,BUF_memdup
+BUF,function,102,BUF_strndup
+BUF,function,103,buf_mem_grow
diff --git a/src/crypto/err/cipher.errordata b/src/crypto/err/cipher.errordata
new file mode 100644
index 0000000..ce8459b
--- /dev/null
+++ b/src/crypto/err/cipher.errordata
@@ -0,0 +1,60 @@
+CIPHER,function,100,EVP_AEAD_CTX_init
+CIPHER,function,131,EVP_AEAD_CTX_init_with_direction
+CIPHER,function,101,EVP_AEAD_CTX_open
+CIPHER,function,102,EVP_AEAD_CTX_seal
+CIPHER,function,103,EVP_CIPHER_CTX_copy
+CIPHER,function,104,EVP_CIPHER_CTX_ctrl
+CIPHER,function,105,EVP_CIPHER_CTX_set_key_length
+CIPHER,function,106,EVP_CipherInit_ex
+CIPHER,function,107,EVP_DecryptFinal_ex
+CIPHER,function,108,EVP_EncryptFinal_ex
+CIPHER,function,132,aead_aes_ctr_hmac_sha256_init
+CIPHER,function,133,aead_aes_ctr_hmac_sha256_open
+CIPHER,function,134,aead_aes_ctr_hmac_sha256_seal
+CIPHER,function,109,aead_aes_gcm_init
+CIPHER,function,110,aead_aes_gcm_open
+CIPHER,function,111,aead_aes_gcm_seal
+CIPHER,function,112,aead_aes_key_wrap_init
+CIPHER,function,113,aead_aes_key_wrap_open
+CIPHER,function,114,aead_aes_key_wrap_seal
+CIPHER,function,115,aead_chacha20_poly1305_init
+CIPHER,function,116,aead_chacha20_poly1305_open
+CIPHER,function,117,aead_chacha20_poly1305_seal
+CIPHER,function,118,aead_rc4_md5_tls_init
+CIPHER,function,119,aead_rc4_md5_tls_open
+CIPHER,function,120,aead_rc4_md5_tls_seal
+CIPHER,function,121,aead_ssl3_ensure_cipher_init
+CIPHER,function,122,aead_ssl3_init
+CIPHER,function,123,aead_ssl3_open
+CIPHER,function,124,aead_ssl3_seal
+CIPHER,function,125,aead_tls_ensure_cipher_init
+CIPHER,function,126,aead_tls_init
+CIPHER,function,127,aead_tls_open
+CIPHER,function,128,aead_tls_seal
+CIPHER,function,129,aes_init_key
+CIPHER,function,130,aesni_init_key
+CIPHER,reason,100,AES_KEY_SETUP_FAILED
+CIPHER,reason,101,BAD_DECRYPT
+CIPHER,reason,102,BAD_KEY_LENGTH
+CIPHER,reason,103,BUFFER_TOO_SMALL
+CIPHER,reason,104,CTRL_NOT_IMPLEMENTED
+CIPHER,reason,105,CTRL_OPERATION_NOT_IMPLEMENTED
+CIPHER,reason,106,DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
+CIPHER,reason,107,INITIALIZATION_ERROR
+CIPHER,reason,108,INPUT_NOT_INITIALIZED
+CIPHER,reason,109,INVALID_AD_SIZE
+CIPHER,reason,110,INVALID_KEY_LENGTH
+CIPHER,reason,111,INVALID_NONCE_SIZE
+CIPHER,reason,112,INVALID_OPERATION
+CIPHER,reason,113,IV_TOO_LARGE
+CIPHER,reason,114,NO_CIPHER_SET
+CIPHER,reason,124,NO_DIRECTION_SET
+CIPHER,reason,115,OUTPUT_ALIASES_INPUT
+CIPHER,reason,116,TAG_TOO_LARGE
+CIPHER,reason,117,TOO_LARGE
+CIPHER,reason,118,UNSUPPORTED_AD_SIZE
+CIPHER,reason,119,UNSUPPORTED_INPUT_SIZE
+CIPHER,reason,120,UNSUPPORTED_KEY_SIZE
+CIPHER,reason,121,UNSUPPORTED_NONCE_SIZE
+CIPHER,reason,122,UNSUPPORTED_TAG_SIZE
+CIPHER,reason,123,WRONG_FINAL_BLOCK_LENGTH
diff --git a/src/crypto/err/conf.errordata b/src/crypto/err/conf.errordata
new file mode 100644
index 0000000..0b96a32
--- /dev/null
+++ b/src/crypto/err/conf.errordata
@@ -0,0 +1,10 @@
+CONF,function,100,CONF_parse_list
+CONF,function,101,NCONF_load
+CONF,function,102,def_load_bio
+CONF,function,103,str_copy
+CONF,reason,100,LIST_CANNOT_BE_NULL
+CONF,reason,101,MISSING_CLOSE_SQUARE_BRACKET
+CONF,reason,102,MISSING_EQUAL_SIGN
+CONF,reason,103,NO_CLOSE_BRACE
+CONF,reason,104,UNABLE_TO_CREATE_NEW_SECTION
+CONF,reason,105,VARIABLE_HAS_NO_VALUE
diff --git a/src/crypto/err/crypto.errordata b/src/crypto/err/crypto.errordata
new file mode 100644
index 0000000..1e0e9d5
--- /dev/null
+++ b/src/crypto/err/crypto.errordata
@@ -0,0 +1,4 @@
+CRYPTO,function,100,CRYPTO_get_ex_new_index
+CRYPTO,function,101,CRYPTO_set_ex_data
+CRYPTO,function,102,get_class
+CRYPTO,function,103,get_func_pointers
diff --git a/src/crypto/err/dh.errordata b/src/crypto/err/dh.errordata
new file mode 100644
index 0000000..1fd675b
--- /dev/null
+++ b/src/crypto/err/dh.errordata
@@ -0,0 +1,8 @@
+DH,function,100,DH_new_method
+DH,function,101,compute_key
+DH,function,102,generate_key
+DH,function,103,generate_parameters
+DH,reason,100,BAD_GENERATOR
+DH,reason,101,INVALID_PUBKEY
+DH,reason,102,MODULUS_TOO_LARGE
+DH,reason,103,NO_PRIVATE_VALUE
diff --git a/src/crypto/err/digest.errordata b/src/crypto/err/digest.errordata
new file mode 100644
index 0000000..95a3622
--- /dev/null
+++ b/src/crypto/err/digest.errordata
@@ -0,0 +1,3 @@
+DIGEST,function,100,EVP_DigestInit_ex
+DIGEST,function,101,EVP_MD_CTX_copy_ex
+DIGEST,reason,100,INPUT_NOT_INITIALIZED
diff --git a/src/crypto/err/dsa.errordata b/src/crypto/err/dsa.errordata
new file mode 100644
index 0000000..c2dff23
--- /dev/null
+++ b/src/crypto/err/dsa.errordata
@@ -0,0 +1,9 @@
+DSA,function,100,DSA_new_method
+DSA,function,101,dsa_sig_cb
+DSA,function,102,sign
+DSA,function,103,sign_setup
+DSA,function,104,verify
+DSA,reason,100,BAD_Q_VALUE
+DSA,reason,101,MISSING_PARAMETERS
+DSA,reason,102,MODULUS_TOO_LARGE
+DSA,reason,103,NEED_NEW_SETUP_VALUES
diff --git a/src/crypto/err/ec.errordata b/src/crypto/err/ec.errordata
new file mode 100644
index 0000000..3b815c8
--- /dev/null
+++ b/src/crypto/err/ec.errordata
@@ -0,0 +1,93 @@
+EC,function,159,BN_to_felem
+EC,function,100,EC_GROUP_copy
+EC,function,101,EC_GROUP_get_curve_GFp
+EC,function,102,EC_GROUP_get_degree
+EC,function,103,EC_GROUP_new_by_curve_name
+EC,function,104,EC_KEY_check_key
+EC,function,105,EC_KEY_copy
+EC,function,106,EC_KEY_generate_key
+EC,function,107,EC_KEY_new_method
+EC,function,108,EC_KEY_set_public_key_affine_coordinates
+EC,function,109,EC_POINT_add
+EC,function,110,EC_POINT_cmp
+EC,function,111,EC_POINT_copy
+EC,function,112,EC_POINT_dbl
+EC,function,113,EC_POINT_dup
+EC,function,114,EC_POINT_get_affine_coordinates_GFp
+EC,function,115,EC_POINT_invert
+EC,function,116,EC_POINT_is_at_infinity
+EC,function,117,EC_POINT_is_on_curve
+EC,function,118,EC_POINT_make_affine
+EC,function,119,EC_POINT_new
+EC,function,120,EC_POINT_oct2point
+EC,function,121,EC_POINT_point2oct
+EC,function,122,EC_POINT_set_affine_coordinates_GFp
+EC,function,123,EC_POINT_set_compressed_coordinates_GFp
+EC,function,124,EC_POINT_set_to_infinity
+EC,function,125,EC_POINTs_make_affine
+EC,function,126,compute_wNAF
+EC,function,127,d2i_ECPKParameters
+EC,function,128,d2i_ECParameters
+EC,function,129,d2i_ECPrivateKey
+EC,function,130,ec_GFp_mont_field_decode
+EC,function,131,ec_GFp_mont_field_encode
+EC,function,132,ec_GFp_mont_field_mul
+EC,function,133,ec_GFp_mont_field_set_to_one
+EC,function,134,ec_GFp_mont_field_sqr
+EC,function,135,ec_GFp_mont_group_set_curve
+EC,function,160,ec_GFp_nistp256_group_set_curve
+EC,function,161,ec_GFp_nistp256_point_get_affine_coordinates
+EC,function,162,ec_GFp_nistp256_points_mul
+EC,function,136,ec_GFp_simple_group_check_discriminant
+EC,function,137,ec_GFp_simple_group_set_curve
+EC,function,138,ec_GFp_simple_make_affine
+EC,function,139,ec_GFp_simple_oct2point
+EC,function,140,ec_GFp_simple_point2oct
+EC,function,141,ec_GFp_simple_point_get_affine_coordinates
+EC,function,142,ec_GFp_simple_point_set_affine_coordinates
+EC,function,143,ec_GFp_simple_points_make_affine
+EC,function,144,ec_GFp_simple_set_compressed_coordinates
+EC,function,145,ec_asn1_group2pkparameters
+EC,function,146,ec_asn1_pkparameters2group
+EC,function,163,ec_group_copy
+EC,function,147,ec_group_new
+EC,function,148,ec_group_new_curve_GFp
+EC,function,149,ec_group_new_from_data
+EC,function,150,ec_point_set_Jprojective_coordinates_GFp
+EC,function,151,ec_pre_comp_new
+EC,function,152,ec_wNAF_mul
+EC,function,153,ec_wNAF_precompute_mult
+EC,function,154,i2d_ECPKParameters
+EC,function,155,i2d_ECParameters
+EC,function,156,i2d_ECPrivateKey
+EC,function,157,i2o_ECPublicKey
+EC,function,164,nistp256_pre_comp_new
+EC,function,158,o2i_ECPublicKey
+EC,reason,126,BIGNUM_OUT_OF_RANGE
+EC,reason,100,BUFFER_TOO_SMALL
+EC,reason,101,COORDINATES_OUT_OF_RANGE
+EC,reason,102,D2I_ECPKPARAMETERS_FAILURE
+EC,reason,103,EC_GROUP_NEW_BY_NAME_FAILURE
+EC,reason,104,GROUP2PKPARAMETERS_FAILURE
+EC,reason,105,I2D_ECPKPARAMETERS_FAILURE
+EC,reason,106,INCOMPATIBLE_OBJECTS
+EC,reason,107,INVALID_COMPRESSED_POINT
+EC,reason,108,INVALID_COMPRESSION_BIT
+EC,reason,109,INVALID_ENCODING
+EC,reason,110,INVALID_FIELD
+EC,reason,111,INVALID_FORM
+EC,reason,112,INVALID_GROUP_ORDER
+EC,reason,113,INVALID_PRIVATE_KEY
+EC,reason,114,MISSING_PARAMETERS
+EC,reason,115,MISSING_PRIVATE_KEY
+EC,reason,116,NON_NAMED_CURVE
+EC,reason,117,NOT_INITIALIZED
+EC,reason,118,PKPARAMETERS2GROUP_FAILURE
+EC,reason,119,POINT_AT_INFINITY
+EC,reason,120,POINT_IS_NOT_ON_CURVE
+EC,reason,121,SLOT_FULL
+EC,reason,122,UNDEFINED_GENERATOR
+EC,reason,123,UNKNOWN_GROUP
+EC,reason,124,UNKNOWN_ORDER
+EC,reason,127,WRONG_CURVE_PARAMETERS
+EC,reason,125,WRONG_ORDER
diff --git a/src/crypto/err/ecdh.errordata b/src/crypto/err/ecdh.errordata
new file mode 100644
index 0000000..0f1215e
--- /dev/null
+++ b/src/crypto/err/ecdh.errordata
@@ -0,0 +1,4 @@
+ECDH,function,100,ECDH_compute_key
+ECDH,reason,100,KDF_FAILED
+ECDH,reason,101,NO_PRIVATE_VALUE
+ECDH,reason,102,POINT_ARITHMETIC_FAILURE
diff --git a/src/crypto/err/ecdsa.errordata b/src/crypto/err/ecdsa.errordata
new file mode 100644
index 0000000..97c213e
--- /dev/null
+++ b/src/crypto/err/ecdsa.errordata
@@ -0,0 +1,10 @@
+ECDSA,function,100,ECDSA_do_sign_ex
+ECDSA,function,101,ECDSA_do_verify
+ECDSA,function,102,ECDSA_sign_ex
+ECDSA,function,103,digest_to_bn
+ECDSA,function,104,ecdsa_sign_setup
+ECDSA,reason,100,BAD_SIGNATURE
+ECDSA,reason,101,MISSING_PARAMETERS
+ECDSA,reason,102,NEED_NEW_SETUP_VALUES
+ECDSA,reason,103,NOT_IMPLEMENTED
+ECDSA,reason,104,RANDOM_NUMBER_GENERATION_FAILED
diff --git a/src/crypto/err/engine.errordata b/src/crypto/err/engine.errordata
new file mode 100644
index 0000000..1185e88
--- /dev/null
+++ b/src/crypto/err/engine.errordata
@@ -0,0 +1 @@
+ENGINE,reason,100,OPERATION_NOT_SUPPORTED
diff --git a/src/crypto/err/err.c b/src/crypto/err/err.c
index 55b1363..b879a22 100644
--- a/src/crypto/err/err.c
+++ b/src/crypto/err/err.c
@@ -111,8 +111,6 @@
#include <assert.h>
#include <errno.h>
#include <inttypes.h>
-#include <stdarg.h>
-#include <stdio.h>
#include <string.h>
#if defined(OPENSSL_WINDOWS)
@@ -121,37 +119,23 @@
#pragma warning(pop)
#endif
-#include <openssl/lhash.h>
#include <openssl/mem.h>
#include <openssl/thread.h>
+#include "../internal.h"
-/* err_fns contains a pointer to the current error implementation. */
-static const struct ERR_FNS_st *err_fns = NULL;
-extern const struct ERR_FNS_st openssl_err_default_impl;
-#define ERRFN(a) err_fns->a
+extern const uint32_t kOpenSSLFunctionValues[];
+extern const size_t kOpenSSLFunctionValuesLen;
+extern const char kOpenSSLFunctionStringData[];
-/* err_fns_check is an internal function that checks whether "err_fns" is set
- * and if not, sets it to the default. */
-static void err_fns_check(void) {
- /* In practice, this is not a race problem because loading the error strings
- * at init time will cause this pointer to be set before the process goes
- * multithreaded. */
- if (err_fns) {
- return;
- }
-
- CRYPTO_w_lock(CRYPTO_LOCK_ERR);
- if (!err_fns) {
- err_fns = &openssl_err_default_impl;
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-}
+extern const uint32_t kOpenSSLReasonValues[];
+extern const size_t kOpenSSLReasonValuesLen;
+extern const char kOpenSSLReasonStringData[];
/* err_clear_data frees the optional |data| member of the given error. */
static void err_clear_data(struct err_error_st *error) {
- if (error->data != NULL && (error->flags & ERR_FLAG_MALLOCED) != 0) {
+ if ((error->flags & ERR_FLAG_MALLOCED) != 0) {
OPENSSL_free(error->data);
}
error->data = NULL;
@@ -164,10 +148,45 @@
memset(error, 0, sizeof(struct err_error_st));
}
+/* global_next_library contains the next custom library value to return. */
+static int global_next_library = ERR_NUM_LIBS;
+
+/* global_next_library_mutex protects |global_next_library| from concurrent
+ * updates. */
+static struct CRYPTO_STATIC_MUTEX global_next_library_mutex =
+ CRYPTO_STATIC_MUTEX_INIT;
+
+static void err_state_free(void *statep) {
+ ERR_STATE *state = statep;
+
+ if (state == NULL) {
+ return;
+ }
+
+ unsigned i;
+ for (i = 0; i < ERR_NUM_ERRORS; i++) {
+ err_clear(&state->errors[i]);
+ }
+ OPENSSL_free(state->to_free);
+ OPENSSL_free(state);
+}
+
/* err_get_state gets the ERR_STATE object for the current thread. */
static ERR_STATE *err_get_state(void) {
- err_fns_check();
- return ERRFN(get_state)();
+ ERR_STATE *state = CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_ERR);
+ if (state == NULL) {
+ state = OPENSSL_malloc(sizeof(ERR_STATE));
+ if (state == NULL) {
+ return NULL;
+ }
+ memset(state, 0, sizeof(ERR_STATE));
+ if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_ERR, state,
+ err_state_free)) {
+ return NULL;
+ }
+ }
+
+ return state;
}
static uint32_t get_error_values(int inc, int top, const char **file, int *line,
@@ -221,9 +240,7 @@
* error queue. */
if (inc) {
if (error->flags & ERR_FLAG_MALLOCED) {
- if (state->to_free) {
- OPENSSL_free(state->to_free);
- }
+ OPENSSL_free(state->to_free);
state->to_free = error->data;
}
error->data = NULL;
@@ -291,47 +308,29 @@
for (i = 0; i < ERR_NUM_ERRORS; i++) {
err_clear(&state->errors[i]);
}
- if (state->to_free) {
- OPENSSL_free(state->to_free);
- state->to_free = NULL;
- }
+ OPENSSL_free(state->to_free);
+ state->to_free = NULL;
state->top = state->bottom = 0;
}
-static void err_state_free(ERR_STATE *state) {
- unsigned i;
-
- for (i = 0; i < ERR_NUM_ERRORS; i++) {
- err_clear(&state->errors[i]);
- }
- if (state->to_free) {
- OPENSSL_free(state->to_free);
- }
- OPENSSL_free(state);
-}
-
void ERR_remove_thread_state(const CRYPTO_THREADID *tid) {
- CRYPTO_THREADID current;
- ERR_STATE *state;
-
- if (tid == NULL) {
- CRYPTO_THREADID_current(¤t);
- tid = ¤t;
- }
-
- err_fns_check();
- state = ERRFN(release_state)(tid);
- if (state == NULL) {
+ if (tid != NULL) {
+ assert(0);
return;
}
- err_state_free(state);
+ ERR_clear_error();
}
int ERR_get_next_error_library(void) {
- err_fns_check();
- return ERRFN(get_next_library)();
+ int ret;
+
+ CRYPTO_STATIC_MUTEX_lock_write(&global_next_library_mutex);
+ ret = global_next_library++;
+ CRYPTO_STATIC_MUTEX_unlock(&global_next_library_mutex);
+
+ return ret;
}
void ERR_clear_system_error(void) {
@@ -423,53 +422,177 @@
}
}
-/* err_component_error_string returns the error string associated with
- * |packed_error|, which must be of a special form matching the keys inserted
- * into the error hash table. */
-static const char *err_component_error_string(uint32_t packed_error) {
- ERR_STRING_DATA *p;
+// err_string_cmp is a compare function for searching error values with
+// |bsearch| in |err_string_lookup|.
+static int err_string_cmp(const void *a, const void *b) {
+ const uint32_t a_key = *((const uint32_t*) a) >> 15;
+ const uint32_t b_key = *((const uint32_t*) b) >> 15;
- err_fns_check();
- p = ERRFN(get_item)(packed_error);
-
- if (p == NULL) {
- return NULL;
+ if (a_key < b_key) {
+ return -1;
+ } else if (a_key > b_key) {
+ return 1;
+ } else {
+ return 0;
}
- return p->string;
}
+/* err_string_lookup looks up the string associated with |lib| and |key| in
+ * |values| and |string_data|. It returns the string or NULL if not found. */
+static const char *err_string_lookup(uint32_t lib, uint32_t key,
+ const uint32_t *values,
+ size_t num_values,
+ const char *string_data) {
+ /* |values| points to data in err_data.h, which is generated by
+ * err_data_generate.go. It's an array of uint32_t values. Each value has the
+ * following structure:
+ * | lib | key | offset |
+ * |6 bits| 11 bits | 15 bits |
+ *
+ * The |lib| value is a library identifier: one of the |ERR_LIB_*| values.
+ * The |key| is either a function or a reason code, depending on the context.
+ * The |offset| is the number of bytes from the start of |string_data| where
+ * the (NUL terminated) string for this value can be found.
+ *
+ * Values are sorted based on treating the |lib| and |key| part as an
+ * unsigned integer. */
+ if (lib >= (1 << 6) || key >= (1 << 11)) {
+ return NULL;
+ }
+ uint32_t search_key = lib << 26 | key << 15;
+ const uint32_t *result = bsearch(&search_key, values, num_values,
+ sizeof(uint32_t), err_string_cmp);
+ if (result == NULL) {
+ return NULL;
+ }
+
+ return &string_data[(*result) & 0x7fff];
+}
+
+static const char *const kLibraryNames[ERR_NUM_LIBS] = {
+ "invalid library (0)",
+ "unknown library", /* ERR_LIB_NONE */
+ "system library", /* ERR_LIB_SYS */
+ "bignum routines", /* ERR_LIB_BN */
+ "RSA routines", /* ERR_LIB_RSA */
+ "Diffie-Hellman routines", /* ERR_LIB_DH */
+ "public key routines", /* ERR_LIB_EVP */
+ "memory buffer routines", /* ERR_LIB_BUF */
+ "object identifier routines", /* ERR_LIB_OBJ */
+ "PEM routines", /* ERR_LIB_PEM */
+ "DSA routines", /* ERR_LIB_DSA */
+ "X.509 certificate routines", /* ERR_LIB_X509 */
+ "ASN.1 encoding routines", /* ERR_LIB_ASN1 */
+ "configuration file routines", /* ERR_LIB_CONF */
+ "common libcrypto routines", /* ERR_LIB_CRYPTO */
+ "elliptic curve routines", /* ERR_LIB_EC */
+ "SSL routines", /* ERR_LIB_SSL */
+ "BIO routines", /* ERR_LIB_BIO */
+ "PKCS7 routines", /* ERR_LIB_PKCS7 */
+ "PKCS8 routines", /* ERR_LIB_PKCS8 */
+ "X509 V3 routines", /* ERR_LIB_X509V3 */
+ "random number generator", /* ERR_LIB_RAND */
+ "ENGINE routines", /* ERR_LIB_ENGINE */
+ "OCSP routines", /* ERR_LIB_OCSP */
+ "UI routines", /* ERR_LIB_UI */
+ "COMP routines", /* ERR_LIB_COMP */
+ "ECDSA routines", /* ERR_LIB_ECDSA */
+ "ECDH routines", /* ERR_LIB_ECDH */
+ "HMAC routines", /* ERR_LIB_HMAC */
+ "Digest functions", /* ERR_LIB_DIGEST */
+ "Cipher functions", /* ERR_LIB_CIPHER */
+ "User defined functions", /* ERR_LIB_USER */
+ "HKDF functions", /* ERR_LIB_HKDF */
+};
+
const char *ERR_lib_error_string(uint32_t packed_error) {
- return err_component_error_string(ERR_PACK(ERR_GET_LIB(packed_error), 0, 0));
+ const uint32_t lib = ERR_GET_LIB(packed_error);
+
+ if (lib >= ERR_NUM_LIBS) {
+ return NULL;
+ }
+ return kLibraryNames[lib];
}
const char *ERR_func_error_string(uint32_t packed_error) {
- return err_component_error_string(
- ERR_PACK(ERR_GET_LIB(packed_error), ERR_GET_FUNC(packed_error), 0));
+ const uint32_t lib = ERR_GET_LIB(packed_error);
+ const uint32_t func = ERR_GET_FUNC(packed_error);
+
+ if (lib == ERR_LIB_SYS) {
+ switch (func) {
+ case SYS_F_fopen:
+ return "fopen";
+ case SYS_F_fclose:
+ return "fclose";
+ case SYS_F_fread:
+ return "fread";
+ case SYS_F_fwrite:
+ return "fwrite";
+ case SYS_F_socket:
+ return "socket";
+ case SYS_F_setsockopt:
+ return "setsockopt";
+ case SYS_F_connect:
+ return "connect";
+ case SYS_F_getaddrinfo:
+ return "getaddrinfo";
+ default:
+ return NULL;
+ }
+ }
+
+ return err_string_lookup(ERR_GET_LIB(packed_error),
+ ERR_GET_FUNC(packed_error), kOpenSSLFunctionValues,
+ kOpenSSLFunctionValuesLen,
+ kOpenSSLFunctionStringData);
}
const char *ERR_reason_error_string(uint32_t packed_error) {
- const char *reason_str = err_component_error_string(
- ERR_PACK(ERR_GET_LIB(packed_error), 0, ERR_GET_REASON(packed_error)));
+ const uint32_t lib = ERR_GET_LIB(packed_error);
+ const uint32_t reason = ERR_GET_REASON(packed_error);
- if (reason_str != NULL) {
- return reason_str;
+ if (lib == ERR_LIB_SYS) {
+ if (reason < 127) {
+ return strerror(reason);
+ }
+ return NULL;
}
- return err_component_error_string(
- ERR_PACK(0, 0, ERR_GET_REASON(packed_error)));
+ if (reason < ERR_NUM_LIBS) {
+ return kLibraryNames[reason];
+ }
+
+ if (reason < 100) {
+ switch (reason) {
+ case ERR_R_MALLOC_FAILURE:
+ return "malloc failure";
+ case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED:
+ return "function should not have been called";
+ case ERR_R_PASSED_NULL_PARAMETER:
+ return "passed a null parameter";
+ case ERR_R_INTERNAL_ERROR:
+ return "internal error";
+ case ERR_R_OVERFLOW:
+ return "overflow";
+ default:
+ return NULL;
+ }
+ }
+
+ return err_string_lookup(lib, reason, kOpenSSLReasonValues,
+ kOpenSSLReasonValuesLen, kOpenSSLReasonStringData);
}
void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) {
- CRYPTO_THREADID current_thread;
char buf[ERR_ERROR_STRING_BUF_LEN];
char buf2[1024];
- unsigned long thread_hash;
const char *file, *data;
int line, flags;
uint32_t packed_error;
- CRYPTO_THREADID_current(¤t_thread);
- thread_hash = CRYPTO_THREADID_hash(¤t_thread);
+ /* thread_hash is the least-significant bits of the |ERR_STATE| pointer value
+ * for this thread. */
+ const unsigned long thread_hash = (uintptr_t) err_get_state();
for (;;) {
packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);
@@ -486,6 +609,17 @@
}
}
+static int print_errors_to_file(const char* msg, size_t msg_len, void* ctx) {
+ assert(msg[msg_len] == '\0');
+ FILE* fp = ctx;
+ int res = fputs(msg, fp);
+ return res < 0 ? 0 : 1;
+}
+
+void ERR_print_errors_fp(FILE *file) {
+ ERR_print_errors_cb(print_errors_to_file, file);
+}
+
/* err_set_error_data sets the data on the most recent error. The |flags|
* argument is a combination of the |ERR_FLAG_*| values. */
static void err_set_error_data(char *data, int flags) {
@@ -648,162 +782,10 @@
return 0;
}
-static const char *const kLibraryNames[ERR_NUM_LIBS] = {
- "invalid library (0)",
- "unknown library", /* ERR_LIB_NONE */
- "system library", /* ERR_LIB_SYS */
- "bignum routines", /* ERR_LIB_BN */
- "RSA routines", /* ERR_LIB_RSA */
- "Diffie-Hellman routines", /* ERR_LIB_DH */
- "public key routines", /* ERR_LIB_EVP */
- "memory buffer routines", /* ERR_LIB_BUF */
- "object identifier routines", /* ERR_LIB_OBJ */
- "PEM routines", /* ERR_LIB_PEM */
- "DSA routines", /* ERR_LIB_DSA */
- "X.509 certificate routines", /* ERR_LIB_X509 */
- "ASN.1 encoding routines", /* ERR_LIB_ASN1 */
- "configuration file routines", /* ERR_LIB_CONF */
- "common libcrypto routines", /* ERR_LIB_CRYPTO */
- "elliptic curve routines", /* ERR_LIB_EC */
- "SSL routines", /* ERR_LIB_SSL */
- "BIO routines", /* ERR_LIB_BIO */
- "PKCS7 routines", /* ERR_LIB_PKCS7 */
- "PKCS8 routines", /* ERR_LIB_PKCS8 */
- "X509 V3 routines", /* ERR_LIB_X509V3 */
- "random number generator", /* ERR_LIB_RAND */
- "ENGINE routines", /* ERR_LIB_ENGINE */
- "OCSP routines", /* ERR_LIB_OCSP */
- "UI routines", /* ERR_LIB_UI */
- "COMP routines", /* ERR_LIB_COMP */
- "ECDSA routines", /* ERR_LIB_ECDSA */
- "ECDH routines", /* ERR_LIB_ECDH */
- "HMAC routines", /* ERR_LIB_HMAC */
- "Digest functions", /* ERR_LIB_DIGEST */
- "Cipher functions", /* ERR_LIB_CIPHER */
- "User defined functions", /* ERR_LIB_USER */
- "HKDF functions", /* ERR_LIB_HKDF */
-};
+void ERR_load_crypto_strings(void) {}
-#define NUM_SYS_ERRNOS 127
-
-/* kStaticErrors provides storage for ERR_STRING_DATA values that are created
- * at init time because we assume that ERR_STRING_DATA structures aren't
- * allocated on the heap. */
-static ERR_STRING_DATA kStaticErrors[ERR_NUM_LIBS * 2 + NUM_SYS_ERRNOS];
-
-static const ERR_STRING_DATA kGlobalErrors[] = {
- {ERR_R_MALLOC_FAILURE, "malloc failure"},
- {ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED, "function should not be called"},
- {ERR_R_PASSED_NULL_PARAMETER, "passed a null parameter"},
- {ERR_R_INTERNAL_ERROR, "internal error"},
- {ERR_R_OVERFLOW, "overflow"},
-
- {ERR_PACK(ERR_LIB_SYS, SYS_F_fopen, 0), "fopen"},
- {ERR_PACK(ERR_LIB_SYS, SYS_F_fclose, 0), "fclose"},
- {ERR_PACK(ERR_LIB_SYS, SYS_F_fread, 0), "fread"},
- {ERR_PACK(ERR_LIB_SYS, SYS_F_fwrite, 0), "fwrite"},
- {ERR_PACK(ERR_LIB_SYS, SYS_F_socket, 0), "socket"},
- {ERR_PACK(ERR_LIB_SYS, SYS_F_setsockopt, 0), "setsockopt"},
- {ERR_PACK(ERR_LIB_SYS, SYS_F_connect, 0), "connect"},
- {ERR_PACK(ERR_LIB_SYS, SYS_F_getaddrinfo, 0), "getaddrinfo"},
-
- {0, NULL},
-};
-
-
-extern const ERR_STRING_DATA ASN1_error_string_data[];
-extern const ERR_STRING_DATA BIO_error_string_data[];
-extern const ERR_STRING_DATA BN_error_string_data[];
-extern const ERR_STRING_DATA BUF_error_string_data[];
-extern const ERR_STRING_DATA CIPHER_error_string_data[];
-extern const ERR_STRING_DATA CONF_error_string_data[];
-extern const ERR_STRING_DATA CRYPTO_error_string_data[];
-extern const ERR_STRING_DATA DH_error_string_data[];
-extern const ERR_STRING_DATA DIGEST_error_string_data[];
-extern const ERR_STRING_DATA DSA_error_string_data[];
-extern const ERR_STRING_DATA ECDH_error_string_data[];
-extern const ERR_STRING_DATA ECDSA_error_string_data[];
-extern const ERR_STRING_DATA EC_error_string_data[];
-extern const ERR_STRING_DATA ENGINE_error_string_data[];
-extern const ERR_STRING_DATA EVP_error_string_data[];
-extern const ERR_STRING_DATA HKDF_error_string_data[];
-extern const ERR_STRING_DATA OBJ_error_string_data[];
-extern const ERR_STRING_DATA PEM_error_string_data[];
-extern const ERR_STRING_DATA PKCS8_error_string_data[];
-extern const ERR_STRING_DATA RSA_error_string_data[];
-extern const ERR_STRING_DATA X509V3_error_string_data[];
-extern const ERR_STRING_DATA X509_error_string_data[];
-
-static void err_load_strings(void) {
- unsigned i, j = 0;
-
- err_fns_check();
-
- /* This loop loads strings for the libraries for the ERR_R_*_LIB
- * reasons. */
- for (i = ERR_LIB_NONE; i < ERR_NUM_LIBS; i++) {
- ERR_STRING_DATA *data = &kStaticErrors[j++];
- data->string = kLibraryNames[i];
- data->error = ERR_PACK(i, 0, 0);
- ERRFN(set_item)(data);
-
- data = &kStaticErrors[j++];
- data->string = kLibraryNames[i];
- data->error = ERR_PACK(0, 0, i);
- ERRFN(set_item)(data);
- }
-
- for (i = 1; i < 1 + NUM_SYS_ERRNOS; i++) {
- /* The "SYS" library sets errno values as the reason for its errors.
- * Thus we load the first |NUM_SYS_ERRNOS| errno strings as the
- * reason strings for that library. */
-
- ERR_STRING_DATA *data = &kStaticErrors[j++];
- data->string = strerror(i);
- data->error = ERR_PACK(ERR_LIB_SYS, 0, i);
- ERRFN(set_item)(data);
- }
-
- ERR_load_strings(kGlobalErrors);
-
- ERR_load_strings(ASN1_error_string_data);
- ERR_load_strings(BIO_error_string_data);
- ERR_load_strings(BN_error_string_data);
- ERR_load_strings(BUF_error_string_data);
- ERR_load_strings(CIPHER_error_string_data);
- ERR_load_strings(CONF_error_string_data);
- ERR_load_strings(CRYPTO_error_string_data);
- ERR_load_strings(DH_error_string_data);
- ERR_load_strings(DIGEST_error_string_data);
- ERR_load_strings(DSA_error_string_data);
- ERR_load_strings(ECDH_error_string_data);
- ERR_load_strings(ECDSA_error_string_data);
- ERR_load_strings(EC_error_string_data);
- ERR_load_strings(ENGINE_error_string_data);
- ERR_load_strings(EVP_error_string_data);
- ERR_load_strings(HKDF_error_string_data);
- ERR_load_strings(OBJ_error_string_data);
- ERR_load_strings(PEM_error_string_data);
- ERR_load_strings(PKCS8_error_string_data);
- ERR_load_strings(RSA_error_string_data);
- ERR_load_strings(X509V3_error_string_data);
- ERR_load_strings(X509_error_string_data);
-}
-
-void ERR_load_strings(const ERR_STRING_DATA *str) {
- err_fns_check();
-
- while (str->error) {
- ERRFN(set_item)(str);
- str++;
- }
-}
-
-void ERR_load_crypto_strings(void) { err_load_strings(); }
-
-void ERR_free_strings(void) {
- err_fns_check();
- ERRFN(shutdown)(err_state_free);
-}
+void ERR_free_strings(void) {}
void ERR_load_BIO_strings(void) {}
+
+void ERR_load_ERR_strings(void) {}
diff --git a/src/crypto/err/err_data_generate.go b/src/crypto/err/err_data_generate.go
new file mode 100644
index 0000000..a5b4cb5
--- /dev/null
+++ b/src/crypto/err/err_data_generate.go
@@ -0,0 +1,287 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+package main
+
+import (
+ "bufio"
+ "bytes"
+ "errors"
+ "fmt"
+ "io"
+ "os"
+ "sort"
+ "strconv"
+ "strings"
+)
+
+// libraryNames must be kept in sync with the enum in err.h. The generated code
+// will contain static assertions to enforce this.
+var libraryNames = []string{
+ "NONE",
+ "SYS",
+ "BN",
+ "RSA",
+ "DH",
+ "EVP",
+ "BUF",
+ "OBJ",
+ "PEM",
+ "DSA",
+ "X509",
+ "ASN1",
+ "CONF",
+ "CRYPTO",
+ "EC",
+ "SSL",
+ "BIO",
+ "PKCS7",
+ "PKCS8",
+ "X509V3",
+ "RAND",
+ "ENGINE",
+ "OCSP",
+ "UI",
+ "COMP",
+ "ECDSA",
+ "ECDH",
+ "HMAC",
+ "DIGEST",
+ "CIPHER",
+ "USER",
+ "HKDF",
+}
+
+// stringList is a map from uint32 -> string which can output data for a sorted
+// list as C literals.
+type stringList struct {
+ // entries is an array of keys and offsets into |stringData|. The
+ // offsets are in the bottom 15 bits of each uint32 and the key is the
+ // top 17 bits.
+ entries []uint32
+ // internedStrings contains the same strings as are in |stringData|,
+ // but allows for easy deduplication. It maps a string to its offset in
+ // |stringData|.
+ internedStrings map[string]uint32
+ stringData []byte
+}
+
+func newStringList() *stringList {
+ return &stringList{
+ internedStrings: make(map[string]uint32),
+ }
+}
+
+// offsetMask is the bottom 15 bits. It's a mask that selects the offset from a
+// uint32 in entries.
+const offsetMask = 0x7fff
+
+func (st *stringList) Add(key uint32, value string) error {
+ if key&offsetMask != 0 {
+ return errors.New("need bottom 15 bits of the key for the offset")
+ }
+ offset, ok := st.internedStrings[value]
+ if !ok {
+ offset = uint32(len(st.stringData))
+ if offset&offsetMask != offset {
+ return errors.New("stringList overflow")
+ }
+ st.stringData = append(st.stringData, []byte(value)...)
+ st.stringData = append(st.stringData, 0)
+ st.internedStrings[value] = offset
+ }
+
+ for _, existing := range st.entries {
+ if existing>>15 == key>>15 {
+ panic("duplicate entry")
+ }
+ }
+ st.entries = append(st.entries, key|offset)
+ return nil
+}
+
+// keySlice is a type that implements sorting of entries values.
+type keySlice []uint32
+
+func (ks keySlice) Len() int {
+ return len(ks)
+}
+
+func (ks keySlice) Less(i, j int) bool {
+ return (ks[i] >> 15) < (ks[j] >> 15)
+}
+
+func (ks keySlice) Swap(i, j int) {
+ ks[i], ks[j] = ks[j], ks[i]
+}
+
+func (st *stringList) buildList() []uint32 {
+ sort.Sort(keySlice(st.entries))
+ return st.entries
+}
+
+type stringWriter interface {
+ io.Writer
+ WriteString(string) (int, error)
+}
+
+func (st *stringList) WriteTo(out stringWriter, name string) {
+ list := st.buildList()
+ fmt.Fprintf(os.Stderr, "%s: %d bytes of list and %d bytes of string data.\n", name, 4*len(list), len(st.stringData))
+
+ values := "kOpenSSL" + name + "Values"
+ out.WriteString("const uint32_t " + values + "[] = {\n")
+ for _, v := range list {
+ fmt.Fprintf(out, " 0x%x,\n", v)
+ }
+ out.WriteString("};\n\n")
+ out.WriteString("const size_t " + values + "Len = sizeof(" + values + ") / sizeof(" + values + "[0]);\n\n");
+
+ stringData := "kOpenSSL" + name + "StringData"
+ out.WriteString("const char " + stringData + "[] =\n \"")
+ for i, c := range st.stringData {
+ if c == 0 {
+ out.WriteString("\\0\"\n \"")
+ continue
+ }
+ out.Write(st.stringData[i : i+1])
+ }
+ out.WriteString("\";\n\n")
+}
+
+type errorData struct {
+ functions, reasons *stringList
+ libraryMap map[string]uint32
+}
+
+func (e *errorData) readErrorDataFile(filename string) error {
+ inFile, err := os.Open(filename)
+ if err != nil {
+ return err
+ }
+ defer inFile.Close()
+
+ scanner := bufio.NewScanner(inFile)
+ comma := []byte(",")
+
+ lineNo := 0
+ for scanner.Scan() {
+ lineNo++
+
+ line := scanner.Bytes()
+ if len(line) == 0 {
+ continue
+ }
+ parts := bytes.Split(line, comma)
+ if len(parts) != 4 {
+ return fmt.Errorf("bad line %d in %s: found %d values but want 4", lineNo, filename, len(parts))
+ }
+ libNum, ok := e.libraryMap[string(parts[0])]
+ if !ok {
+ return fmt.Errorf("bad line %d in %s: unknown library", lineNo, filename)
+ }
+ if libNum >= 64 {
+ return fmt.Errorf("bad line %d in %s: library value too large", lineNo, filename)
+ }
+ key, err := strconv.ParseUint(string(parts[2]), 10 /* base */, 32 /* bit size */)
+ if err != nil {
+ return fmt.Errorf("bad line %d in %s: %s", lineNo, filename, err)
+ }
+ if key >= 2048 {
+ return fmt.Errorf("bad line %d in %s: key too large", lineNo, filename)
+ }
+ value := string(parts[3])
+
+ listKey := libNum<<26 | uint32(key)<<15
+
+ switch string(parts[1]) {
+ case "function":
+ err = e.functions.Add(listKey, value)
+ case "reason":
+ err = e.reasons.Add(listKey, value)
+ default:
+ return fmt.Errorf("bad line %d in %s: bad value type", lineNo, filename)
+ }
+
+ if err != nil {
+ return err
+ }
+ }
+
+ return scanner.Err()
+}
+
+func main() {
+ e := &errorData{
+ functions: newStringList(),
+ reasons: newStringList(),
+ libraryMap: make(map[string]uint32),
+ }
+ for i, name := range libraryNames {
+ e.libraryMap[name] = uint32(i) + 1
+ }
+
+ cwd, err := os.Open(".")
+ if err != nil {
+ panic(err)
+ }
+ names, err := cwd.Readdirnames(-1)
+ if err != nil {
+ panic(err)
+ }
+
+ sort.Strings(names)
+ for _, name := range names {
+ if !strings.HasSuffix(name, ".errordata") {
+ continue
+ }
+ if err := e.readErrorDataFile(name); err != nil {
+ panic(err)
+ }
+ }
+
+ out := os.Stdout
+
+ out.WriteString(`/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+ /* This file was generated by err_data_generate.go. */
+
+#include <openssl/base.h>
+#include <openssl/err.h>
+#include <openssl/type_check.h>
+
+
+`)
+
+ for i, name := range libraryNames {
+ fmt.Fprintf(out, "OPENSSL_COMPILE_ASSERT(ERR_LIB_%s == %d, library_values_changed_%d);\n", name, i+1, i+1)
+ }
+ fmt.Fprintf(out, "OPENSSL_COMPILE_ASSERT(ERR_NUM_LIBS == %d, library_values_changed_num);\n", len(libraryNames) + 1)
+ out.WriteString("\n")
+
+ e.functions.WriteTo(out, "Function")
+ e.reasons.WriteTo(out, "Reason")
+}
diff --git a/src/crypto/err/err_impl.c b/src/crypto/err/err_impl.c
deleted file mode 100644
index 32cff35..0000000
--- a/src/crypto/err/err_impl.c
+++ /dev/null
@@ -1,323 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/err.h>
-
-#include <assert.h>
-#include <string.h>
-
-#include <openssl/lhash.h>
-#include <openssl/mem.h>
-
-
-DEFINE_LHASH_OF(ERR_STATE);
-DEFINE_LHASH_OF(ERR_STRING_DATA);
-
-/* state_hash is a map from thread ID to ERR_STATE. It works like thread-local
- * storage. */
-static LHASH_OF(ERR_STATE) *state_hash = NULL;
-
-/* error_hash maps from a packed error to the string for that library /
- * function / reason. */
-static LHASH_OF(ERR_STRING_DATA) *error_hash = NULL;
-
-/* global_next_library contains the next custom library value to return. */
-static int global_next_library = ERR_NUM_LIBS;
-
-/* err_string_data_hash is an lhash hash function for ERR_STRING_DATA. */
-static uint32_t err_string_data_hash(const ERR_STRING_DATA *a) {
- return OPENSSL_hash32(&a->error, sizeof(a->error));
-}
-
-/* err_string_data_cmp is an lhash compare function for ERR_STRING_DATA. */
-static int err_string_data_cmp(const ERR_STRING_DATA *a,
- const ERR_STRING_DATA *b) {
- return ((int)a->error) - ((int)b->error);
-}
-
-/* error_hash_get_write_locked returns the hash that maps from packed error to
- * error string and creates it if need be. The caller must hold a write lock on
- * LOCK_ERR. */
-static LHASH_OF(ERR_STRING_DATA) * error_hash_get_write_locked(void) {
- if (!error_hash) {
- error_hash = lh_ERR_STRING_DATA_new(err_string_data_hash, err_string_data_cmp);
- }
-
- return error_hash;
-}
-
-/* err_get_item returns an ERR_STRING_DATA with an |error| member that
- * equals |packed_error|, or NULL if none can be found. */
-static ERR_STRING_DATA *err_get_item(uint32_t packed_error) {
- ERR_STRING_DATA *ret = NULL, pattern;
-
- pattern.error = packed_error;
-
- CRYPTO_r_lock(CRYPTO_LOCK_ERR);
- if (error_hash) {
- ret = lh_ERR_STRING_DATA_retrieve(error_hash, &pattern);
- }
- CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-
- return ret;
-}
-
-/* err_set_item adds an ERR_STRING_DATA to the global hash of error strings and
- * returns the previous entry with the same |err->error| value, if any. */
-static ERR_STRING_DATA *err_set_item(const ERR_STRING_DATA *err) {
- ERR_STRING_DATA *old_item = NULL;
- LHASH_OF(ERR_STRING_DATA) *hash;
-
- CRYPTO_w_lock(CRYPTO_LOCK_ERR);
- hash = error_hash_get_write_locked();
- if (hash) {
- lh_ERR_STRING_DATA_insert(hash, &old_item, (ERR_STRING_DATA*) err);
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
- return old_item;
-}
-
-/* err_set_item removes an item from the global hash of error strings for
- * |packed_error| and returns the removed entry, if any. */
-static ERR_STRING_DATA *err_del_item(uint32_t packed_error) {
- ERR_STRING_DATA *old_item = NULL, pattern;
-
- pattern.error = packed_error;
-
- CRYPTO_w_lock(CRYPTO_LOCK_ERR);
- if (error_hash) {
- old_item = lh_ERR_STRING_DATA_delete(error_hash, &pattern);
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
- return old_item;
-}
-
-
-/* err_state_hash is an lhash hash function for ERR_STATE. */
-static uint32_t err_state_hash(const ERR_STATE *a) {
- return CRYPTO_THREADID_hash(&a->tid);
-}
-
-/* err_state_cmp is an lhash compare function for ERR_STATE. */
-static int err_state_cmp(const ERR_STATE *a, const ERR_STATE *b) {
- return CRYPTO_THREADID_cmp(&a->tid, &b->tid);
-}
-
-
-static ERR_STATE *err_get_state(void) {
- CRYPTO_THREADID tid;
- ERR_STATE pattern, *state, *race_state;
- int insert_result;
- static ERR_STATE fallback;
-
- CRYPTO_THREADID_current(&tid);
- memset(&pattern, 0, sizeof(pattern));
- CRYPTO_THREADID_cpy(&pattern.tid, &tid);
-
- CRYPTO_r_lock(CRYPTO_LOCK_ERR);
- if (state_hash == NULL) {
- CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
- CRYPTO_w_lock(CRYPTO_LOCK_ERR);
- if (state_hash == NULL) {
- state_hash = lh_ERR_STATE_new(err_state_hash, err_state_cmp);
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
- CRYPTO_r_lock(CRYPTO_LOCK_ERR);
- }
-
- if (state_hash == NULL) {
- CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
- return NULL;
- }
-
- state = lh_ERR_STATE_retrieve(state_hash, &pattern);
- CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
- if (state != NULL) {
- return state;
- }
-
- state = OPENSSL_malloc(sizeof(ERR_STATE));
- if (state == NULL) {
- CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
- /* The other error functions don't cope with a failure to get the error
- * state, so we return a dummy value. */
- return &fallback;
- }
-
- memset(state, 0, sizeof(ERR_STATE));
- CRYPTO_THREADID_cpy(&state->tid, &tid);
-
- CRYPTO_w_lock(CRYPTO_LOCK_ERR);
- insert_result = lh_ERR_STATE_insert(state_hash, &race_state, state);
- CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
- if (!insert_result) {
- /* Insertion failed because of malloc failure. */
- OPENSSL_free(state);
- return &fallback;
- }
-
- /* We cannot have raced with another thread to insert an ERR_STATE because no
- * other thread should be inserting values for this thread. */
- assert(race_state == NULL);
-
- return state;
-}
-
-static ERR_STATE *err_release_state(const CRYPTO_THREADID *tid) {
- ERR_STATE pattern, *state;
-
- CRYPTO_THREADID_cpy(&pattern.tid, tid);
-
- CRYPTO_r_lock(CRYPTO_LOCK_ERR);
- if (state_hash == NULL) {
- CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
- return NULL;
- }
-
- state = lh_ERR_STATE_delete(state_hash, &pattern);
- CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-
- return state;
-}
-
-static void err_shutdown(void (*err_state_free_cb)(ERR_STATE*)) {
- CRYPTO_w_lock(CRYPTO_LOCK_ERR);
- if (error_hash) {
- lh_ERR_STRING_DATA_free(error_hash);
- error_hash = NULL;
- }
- if (state_hash) {
- lh_ERR_STATE_doall(state_hash, err_state_free_cb);
- lh_ERR_STATE_free(state_hash);
- state_hash = NULL;
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-}
-
-static int err_get_next_library(void) {
- int ret;
-
- CRYPTO_w_lock(CRYPTO_LOCK_ERR);
- ret = global_next_library++;
- CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
- return ret;
-}
-
-const struct ERR_FNS_st openssl_err_default_impl = {
- err_shutdown,
- err_get_item,
- err_set_item,
- err_del_item,
- err_get_state,
- err_release_state,
- err_get_next_library,
-};
diff --git a/src/crypto/err/err_test.c b/src/crypto/err/err_test.cc
similarity index 74%
rename from src/crypto/err/err_test.c
rename to src/crypto/err/err_test.cc
index bf36201..98dfb85 100644
--- a/src/crypto/err/err_test.c
+++ b/src/crypto/err/err_test.cc
@@ -20,55 +20,52 @@
#include <openssl/mem.h>
-static int test_overflow(void) {
- unsigned i;
-
- for (i = 0; i < ERR_NUM_ERRORS*2; i++) {
+static bool TestOverflow() {
+ for (unsigned i = 0; i < ERR_NUM_ERRORS*2; i++) {
ERR_put_error(1, 2, i+1, "test", 1);
}
- for (i = 0; i < ERR_NUM_ERRORS - 1; i++) {
+ for (unsigned i = 0; i < ERR_NUM_ERRORS - 1; i++) {
uint32_t err = ERR_get_error();
/* Errors are returned in order they were pushed, with the least recent ones
* removed, up to |ERR_NUM_ERRORS - 1| errors. So the errors returned are
* |ERR_NUM_ERRORS + 2| through |ERR_NUM_ERRORS * 2|, inclusive. */
if (err == 0 || ERR_GET_REASON(err) != i + ERR_NUM_ERRORS + 2) {
fprintf(stderr, "ERR_get_error failed at %u\n", i);
- return 0;
+ return false;
}
}
if (ERR_get_error() != 0) {
fprintf(stderr, "ERR_get_error more than the expected number of values.\n");
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-static int test_put_error(void) {
- uint32_t peeked_packed_error, packed_error;
- int peeked_line, line, peeked_flags, flags;
- const char *peeked_file, *file, *peeked_data, *data;
-
+static bool TestPutError() {
if (ERR_get_error() != 0) {
fprintf(stderr, "ERR_get_error returned value before an error was added.\n");
- return 0;
+ return false;
}
ERR_put_error(1, 2, 3, "test", 4);
ERR_add_error_data(1, "testing");
- peeked_packed_error = ERR_peek_error_line_data(&peeked_file, &peeked_line,
- &peeked_data, &peeked_flags);
- packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);
+ int peeked_line, line, peeked_flags, flags;
+ const char *peeked_file, *file, *peeked_data, *data;
+ uint32_t peeked_packed_error =
+ ERR_peek_error_line_data(&peeked_file, &peeked_line, &peeked_data,
+ &peeked_flags);
+ uint32_t packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);
if (peeked_packed_error != packed_error ||
peeked_file != file ||
peeked_data != data ||
peeked_flags != flags) {
fprintf(stderr, "Bad peeked error data returned.\n");
- return 0;
+ return false;
}
if (strcmp(file, "test") != 0 ||
@@ -79,16 +76,16 @@
ERR_GET_REASON(packed_error) != 3 ||
strcmp(data, "testing") != 0) {
fprintf(stderr, "Bad error data returned.\n");
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-static int test_clear_error(void) {
+static bool TestClearError() {
if (ERR_get_error() != 0) {
fprintf(stderr, "ERR_get_error returned value before an error was added.\n");
- return 0;
+ return false;
}
ERR_put_error(1, 2, 3, "test", 4);
@@ -96,42 +93,39 @@
if (ERR_get_error() != 0) {
fprintf(stderr, "Error remained after clearing.\n");
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-static int test_print(void) {
- size_t i;
- char buf[256];
- uint32_t packed_error;
-
+static bool TestPrint() {
ERR_put_error(1, 2, 3, "test", 4);
ERR_add_error_data(1, "testing");
- packed_error = ERR_get_error();
+ uint32_t packed_error = ERR_get_error();
- for (i = 0; i <= sizeof(buf); i++) {
+ char buf[256];
+ for (size_t i = 0; i <= sizeof(buf); i++) {
ERR_error_string_n(packed_error, buf, i);
}
- return 1;
+ return true;
}
-static int test_release(void) {
+static bool TestRelease() {
ERR_put_error(1, 2, 3, "test", 4);
ERR_remove_thread_state(NULL);
- return 1;
+ return true;
}
-int main(void) {
+int main() {
CRYPTO_library_init();
- if (!test_overflow() ||
- !test_put_error() ||
- !test_clear_error() ||
- !test_print() ||
- !test_release()) {
+ if (!TestOverflow() ||
+ !TestPutError() ||
+ !TestClearError() ||
+ !TestPrint() ||
+ !TestRelease()) {
return 1;
}
diff --git a/src/crypto/err/evp.errordata b/src/crypto/err/evp.errordata
new file mode 100644
index 0000000..14dd27b
--- /dev/null
+++ b/src/crypto/err/evp.errordata
@@ -0,0 +1,114 @@
+EVP,function,160,EVP_DigestSignAlgorithm
+EVP,function,161,EVP_DigestVerifyInitFromAlgorithm
+EVP,function,162,EVP_PKEY_CTX_ctrl
+EVP,function,163,EVP_PKEY_CTX_dup
+EVP,function,159,EVP_PKEY_CTX_get0_rsa_oaep_label
+EVP,function,164,EVP_PKEY_copy_parameters
+EVP,function,165,EVP_PKEY_decrypt
+EVP,function,166,EVP_PKEY_decrypt_init
+EVP,function,167,EVP_PKEY_derive
+EVP,function,108,EVP_PKEY_derive_init
+EVP,function,168,EVP_PKEY_derive_set_peer
+EVP,function,110,EVP_PKEY_encrypt
+EVP,function,111,EVP_PKEY_encrypt_init
+EVP,function,112,EVP_PKEY_get1_DH
+EVP,function,169,EVP_PKEY_get1_DSA
+EVP,function,114,EVP_PKEY_get1_EC_KEY
+EVP,function,115,EVP_PKEY_get1_RSA
+EVP,function,116,EVP_PKEY_keygen
+EVP,function,170,EVP_PKEY_keygen_init
+EVP,function,171,EVP_PKEY_new
+EVP,function,172,EVP_PKEY_set_type
+EVP,function,120,EVP_PKEY_sign
+EVP,function,121,EVP_PKEY_sign_init
+EVP,function,122,EVP_PKEY_verify
+EVP,function,123,EVP_PKEY_verify_init
+EVP,function,173,check_padding_md
+EVP,function,125,d2i_AutoPrivateKey
+EVP,function,126,d2i_PrivateKey
+EVP,function,127,do_EC_KEY_print
+EVP,function,174,do_dsa_print
+EVP,function,175,do_rsa_print
+EVP,function,129,do_sigver_init
+EVP,function,176,dsa_param_decode
+EVP,function,177,dsa_priv_decode
+EVP,function,178,dsa_priv_encode
+EVP,function,179,dsa_pub_decode
+EVP,function,180,dsa_pub_encode
+EVP,function,181,dsa_sig_print
+EVP,function,130,eckey_param2type
+EVP,function,131,eckey_param_decode
+EVP,function,132,eckey_priv_decode
+EVP,function,133,eckey_priv_encode
+EVP,function,134,eckey_pub_decode
+EVP,function,135,eckey_pub_encode
+EVP,function,136,eckey_type2param
+EVP,function,137,evp_pkey_ctx_new
+EVP,function,138,hmac_signctx
+EVP,function,139,i2d_PublicKey
+EVP,function,182,old_dsa_priv_decode
+EVP,function,140,old_ec_priv_decode
+EVP,function,141,old_rsa_priv_decode
+EVP,function,142,pkey_ec_ctrl
+EVP,function,143,pkey_ec_derive
+EVP,function,144,pkey_ec_keygen
+EVP,function,145,pkey_ec_paramgen
+EVP,function,146,pkey_ec_sign
+EVP,function,158,pkey_hmac_ctrl
+EVP,function,147,pkey_rsa_ctrl
+EVP,function,148,pkey_rsa_decrypt
+EVP,function,149,pkey_rsa_encrypt
+EVP,function,150,pkey_rsa_sign
+EVP,function,151,rsa_algor_to_md
+EVP,function,152,rsa_digest_verify_init_from_algorithm
+EVP,function,153,rsa_mgf1_to_md
+EVP,function,154,rsa_priv_decode
+EVP,function,155,rsa_priv_encode
+EVP,function,156,rsa_pss_to_ctx
+EVP,function,157,rsa_pub_decode
+EVP,reason,151,BN_DECODE_ERROR
+EVP,reason,100,BUFFER_TOO_SMALL
+EVP,reason,101,COMMAND_NOT_SUPPORTED
+EVP,reason,146,CONTEXT_NOT_INITIALISED
+EVP,reason,143,DECODE_ERROR
+EVP,reason,104,DIFFERENT_KEY_TYPES
+EVP,reason,105,DIFFERENT_PARAMETERS
+EVP,reason,147,DIGEST_AND_KEY_TYPE_NOT_SUPPORTED
+EVP,reason,107,EXPECTING_AN_EC_KEY_KEY
+EVP,reason,141,EXPECTING_AN_RSA_KEY
+EVP,reason,109,EXPECTING_A_DH_KEY
+EVP,reason,110,EXPECTING_A_DSA_KEY
+EVP,reason,111,ILLEGAL_OR_UNSUPPORTED_PADDING_MODE
+EVP,reason,112,INVALID_CURVE
+EVP,reason,113,INVALID_DIGEST_LENGTH
+EVP,reason,114,INVALID_DIGEST_TYPE
+EVP,reason,115,INVALID_KEYBITS
+EVP,reason,116,INVALID_MGF1_MD
+EVP,reason,142,INVALID_OPERATION
+EVP,reason,118,INVALID_PADDING_MODE
+EVP,reason,119,INVALID_PSS_PARAMETERS
+EVP,reason,144,INVALID_PSS_SALTLEN
+EVP,reason,121,INVALID_SALT_LENGTH
+EVP,reason,122,INVALID_TRAILER
+EVP,reason,123,KEYS_NOT_SET
+EVP,reason,124,MISSING_PARAMETERS
+EVP,reason,125,NO_DEFAULT_DIGEST
+EVP,reason,126,NO_KEY_SET
+EVP,reason,127,NO_MDC2_SUPPORT
+EVP,reason,128,NO_NID_FOR_CURVE
+EVP,reason,129,NO_OPERATION_SET
+EVP,reason,130,NO_PARAMETERS_SET
+EVP,reason,131,OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE
+EVP,reason,132,OPERATON_NOT_INITIALIZED
+EVP,reason,152,PARAMETER_ENCODING_ERROR
+EVP,reason,133,UNKNOWN_DIGEST
+EVP,reason,134,UNKNOWN_MASK_DIGEST
+EVP,reason,150,UNKNOWN_MESSAGE_DIGEST_ALGORITHM
+EVP,reason,145,UNKNOWN_PUBLIC_KEY_TYPE
+EVP,reason,149,UNKNOWN_SIGNATURE_ALGORITHM
+EVP,reason,138,UNSUPPORTED_ALGORITHM
+EVP,reason,139,UNSUPPORTED_MASK_ALGORITHM
+EVP,reason,140,UNSUPPORTED_MASK_PARAMETER
+EVP,reason,153,UNSUPPORTED_PUBLIC_KEY_TYPE
+EVP,reason,154,UNSUPPORTED_SIGNATURE_TYPE
+EVP,reason,148,WRONG_PUBLIC_KEY_TYPE
diff --git a/src/crypto/err/hkdf.errordata b/src/crypto/err/hkdf.errordata
new file mode 100644
index 0000000..878a802
--- /dev/null
+++ b/src/crypto/err/hkdf.errordata
@@ -0,0 +1,2 @@
+HKDF,function,100,HKDF
+HKDF,reason,100,OUTPUT_TOO_LARGE
diff --git a/src/crypto/err/obj.errordata b/src/crypto/err/obj.errordata
new file mode 100644
index 0000000..74e4629
--- /dev/null
+++ b/src/crypto/err/obj.errordata
@@ -0,0 +1,5 @@
+OBJ,function,100,OBJ_create
+OBJ,function,101,OBJ_dup
+OBJ,function,102,OBJ_nid2obj
+OBJ,function,103,OBJ_txt2obj
+OBJ,reason,100,UNKNOWN_NID
diff --git a/src/crypto/err/pem.errordata b/src/crypto/err/pem.errordata
new file mode 100644
index 0000000..42216a7
--- /dev/null
+++ b/src/crypto/err/pem.errordata
@@ -0,0 +1,39 @@
+PEM,function,100,PEM_ASN1_read
+PEM,function,101,PEM_ASN1_read_bio
+PEM,function,102,PEM_ASN1_write
+PEM,function,103,PEM_ASN1_write_bio
+PEM,function,104,PEM_X509_INFO_read
+PEM,function,105,PEM_X509_INFO_read_bio
+PEM,function,106,PEM_X509_INFO_write_bio
+PEM,function,107,PEM_do_header
+PEM,function,108,PEM_get_EVP_CIPHER_INFO
+PEM,function,109,PEM_read
+PEM,function,110,PEM_read_DHparams
+PEM,function,111,PEM_read_PrivateKey
+PEM,function,112,PEM_read_bio
+PEM,function,113,PEM_read_bio_DHparams
+PEM,function,114,PEM_read_bio_Parameters
+PEM,function,115,PEM_read_bio_PrivateKey
+PEM,function,116,PEM_write
+PEM,function,117,PEM_write_PrivateKey
+PEM,function,118,PEM_write_bio
+PEM,function,119,d2i_PKCS8PrivateKey_bio
+PEM,function,120,d2i_PKCS8PrivateKey_fp
+PEM,function,121,do_pk8pkey
+PEM,function,122,do_pk8pkey_fp
+PEM,function,123,load_iv
+PEM,reason,100,BAD_BASE64_DECODE
+PEM,reason,101,BAD_DECRYPT
+PEM,reason,102,BAD_END_LINE
+PEM,reason,103,BAD_IV_CHARS
+PEM,reason,104,BAD_PASSWORD_READ
+PEM,reason,105,CIPHER_IS_NULL
+PEM,reason,106,ERROR_CONVERTING_PRIVATE_KEY
+PEM,reason,107,NOT_DEK_INFO
+PEM,reason,108,NOT_ENCRYPTED
+PEM,reason,109,NOT_PROC_TYPE
+PEM,reason,110,NO_START_LINE
+PEM,reason,111,READ_KEY
+PEM,reason,112,SHORT_HEADER
+PEM,reason,113,UNSUPPORTED_CIPHER
+PEM,reason,114,UNSUPPORTED_ENCRYPTION
diff --git a/src/crypto/err/pkcs8.errordata b/src/crypto/err/pkcs8.errordata
new file mode 100644
index 0000000..936f3c5
--- /dev/null
+++ b/src/crypto/err/pkcs8.errordata
@@ -0,0 +1,43 @@
+PKCS8,function,100,EVP_PKCS82PKEY
+PKCS8,function,101,EVP_PKEY2PKCS8
+PKCS8,function,102,PKCS12_get_key_and_certs
+PKCS8,function,103,PKCS12_handle_content_info
+PKCS8,function,104,PKCS12_handle_content_infos
+PKCS8,function,105,PKCS5_pbe2_set_iv
+PKCS8,function,106,PKCS5_pbe_set
+PKCS8,function,107,PKCS5_pbe_set0_algor
+PKCS8,function,108,PKCS5_pbkdf2_set
+PKCS8,function,109,PKCS8_decrypt
+PKCS8,function,110,PKCS8_encrypt
+PKCS8,function,111,PKCS8_encrypt_pbe
+PKCS8,function,112,pbe_cipher_init
+PKCS8,function,113,pbe_crypt
+PKCS8,function,114,pkcs12_item_decrypt_d2i
+PKCS8,function,115,pkcs12_item_i2d_encrypt
+PKCS8,function,116,pkcs12_key_gen_raw
+PKCS8,function,117,pkcs12_pbe_keyivgen
+PKCS8,reason,100,BAD_PKCS12_DATA
+PKCS8,reason,101,BAD_PKCS12_VERSION
+PKCS8,reason,102,CIPHER_HAS_NO_OBJECT_IDENTIFIER
+PKCS8,reason,103,CRYPT_ERROR
+PKCS8,reason,104,DECODE_ERROR
+PKCS8,reason,105,ENCODE_ERROR
+PKCS8,reason,106,ENCRYPT_ERROR
+PKCS8,reason,107,ERROR_SETTING_CIPHER_PARAMS
+PKCS8,reason,108,INCORRECT_PASSWORD
+PKCS8,reason,109,KEYGEN_FAILURE
+PKCS8,reason,110,KEY_GEN_ERROR
+PKCS8,reason,111,METHOD_NOT_SUPPORTED
+PKCS8,reason,112,MISSING_MAC
+PKCS8,reason,113,MULTIPLE_PRIVATE_KEYS_IN_PKCS12
+PKCS8,reason,114,PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED
+PKCS8,reason,115,PKCS12_TOO_DEEPLY_NESTED
+PKCS8,reason,116,PRIVATE_KEY_DECODE_ERROR
+PKCS8,reason,117,PRIVATE_KEY_ENCODE_ERROR
+PKCS8,reason,118,TOO_LONG
+PKCS8,reason,119,UNKNOWN_ALGORITHM
+PKCS8,reason,120,UNKNOWN_CIPHER
+PKCS8,reason,121,UNKNOWN_CIPHER_ALGORITHM
+PKCS8,reason,122,UNKNOWN_DIGEST
+PKCS8,reason,123,UNKNOWN_HASH
+PKCS8,reason,124,UNSUPPORTED_PRIVATE_KEY_ALGORITHM
diff --git a/src/crypto/err/rsa.errordata b/src/crypto/err/rsa.errordata
new file mode 100644
index 0000000..64b390d
--- /dev/null
+++ b/src/crypto/err/rsa.errordata
@@ -0,0 +1,69 @@
+RSA,function,100,BN_BLINDING_convert_ex
+RSA,function,101,BN_BLINDING_create_param
+RSA,function,102,BN_BLINDING_invert_ex
+RSA,function,103,BN_BLINDING_new
+RSA,function,104,BN_BLINDING_update
+RSA,function,105,RSA_check_key
+RSA,function,106,RSA_new_method
+RSA,function,107,RSA_padding_add_PKCS1_OAEP_mgf1
+RSA,function,108,RSA_padding_add_PKCS1_PSS_mgf1
+RSA,function,109,RSA_padding_add_PKCS1_type_1
+RSA,function,110,RSA_padding_add_PKCS1_type_2
+RSA,function,111,RSA_padding_add_none
+RSA,function,112,RSA_padding_check_PKCS1_OAEP_mgf1
+RSA,function,113,RSA_padding_check_PKCS1_type_1
+RSA,function,114,RSA_padding_check_PKCS1_type_2
+RSA,function,115,RSA_padding_check_none
+RSA,function,116,RSA_recover_crt_params
+RSA,function,117,RSA_sign
+RSA,function,118,RSA_verify
+RSA,function,119,RSA_verify_PKCS1_PSS_mgf1
+RSA,function,120,decrypt
+RSA,function,121,encrypt
+RSA,function,122,keygen
+RSA,function,123,pkcs1_prefixed_msg
+RSA,function,124,private_transform
+RSA,function,125,rsa_setup_blinding
+RSA,function,126,sign_raw
+RSA,function,127,verify_raw
+RSA,reason,100,BAD_E_VALUE
+RSA,reason,101,BAD_FIXED_HEADER_DECRYPT
+RSA,reason,102,BAD_PAD_BYTE_COUNT
+RSA,reason,103,BAD_RSA_PARAMETERS
+RSA,reason,104,BAD_SIGNATURE
+RSA,reason,105,BLOCK_TYPE_IS_NOT_01
+RSA,reason,106,BN_NOT_INITIALIZED
+RSA,reason,107,CRT_PARAMS_ALREADY_GIVEN
+RSA,reason,108,CRT_VALUES_INCORRECT
+RSA,reason,109,DATA_LEN_NOT_EQUAL_TO_MOD_LEN
+RSA,reason,110,DATA_TOO_LARGE
+RSA,reason,111,DATA_TOO_LARGE_FOR_KEY_SIZE
+RSA,reason,112,DATA_TOO_LARGE_FOR_MODULUS
+RSA,reason,113,DATA_TOO_SMALL
+RSA,reason,114,DATA_TOO_SMALL_FOR_KEY_SIZE
+RSA,reason,115,DIGEST_TOO_BIG_FOR_RSA_KEY
+RSA,reason,116,D_E_NOT_CONGRUENT_TO_1
+RSA,reason,117,EMPTY_PUBLIC_KEY
+RSA,reason,118,FIRST_OCTET_INVALID
+RSA,reason,119,INCONSISTENT_SET_OF_CRT_VALUES
+RSA,reason,120,INTERNAL_ERROR
+RSA,reason,121,INVALID_MESSAGE_LENGTH
+RSA,reason,122,KEY_SIZE_TOO_SMALL
+RSA,reason,123,LAST_OCTET_INVALID
+RSA,reason,124,MODULUS_TOO_LARGE
+RSA,reason,125,NO_PUBLIC_EXPONENT
+RSA,reason,126,NULL_BEFORE_BLOCK_MISSING
+RSA,reason,127,N_NOT_EQUAL_P_Q
+RSA,reason,128,OAEP_DECODING_ERROR
+RSA,reason,129,ONLY_ONE_OF_P_Q_GIVEN
+RSA,reason,130,OUTPUT_BUFFER_TOO_SMALL
+RSA,reason,131,PADDING_CHECK_FAILED
+RSA,reason,132,PKCS_DECODING_ERROR
+RSA,reason,133,SLEN_CHECK_FAILED
+RSA,reason,134,SLEN_RECOVERY_FAILED
+RSA,reason,135,TOO_LONG
+RSA,reason,136,TOO_MANY_ITERATIONS
+RSA,reason,137,UNKNOWN_ALGORITHM_TYPE
+RSA,reason,138,UNKNOWN_PADDING_TYPE
+RSA,reason,139,VALUE_MISSING
+RSA,reason,140,WRONG_SIGNATURE_LENGTH
diff --git a/src/crypto/err/ssl.errordata b/src/crypto/err/ssl.errordata
new file mode 100644
index 0000000..afeaaeb
--- /dev/null
+++ b/src/crypto/err/ssl.errordata
@@ -0,0 +1,376 @@
+SSL,function,100,SSL_CTX_check_private_key
+SSL,function,101,SSL_CTX_new
+SSL,function,272,SSL_CTX_set1_tls_channel_id
+SSL,function,102,SSL_CTX_set_cipher_list
+SSL,function,103,SSL_CTX_set_cipher_list_tls11
+SSL,function,104,SSL_CTX_set_session_id_context
+SSL,function,268,SSL_CTX_set_tmp_dh
+SSL,function,269,SSL_CTX_set_tmp_ecdh
+SSL,function,105,SSL_CTX_use_PrivateKey
+SSL,function,106,SSL_CTX_use_PrivateKey_ASN1
+SSL,function,107,SSL_CTX_use_PrivateKey_file
+SSL,function,108,SSL_CTX_use_RSAPrivateKey
+SSL,function,109,SSL_CTX_use_RSAPrivateKey_ASN1
+SSL,function,110,SSL_CTX_use_RSAPrivateKey_file
+SSL,function,111,SSL_CTX_use_certificate
+SSL,function,112,SSL_CTX_use_certificate_ASN1
+SSL,function,113,SSL_CTX_use_certificate_chain_file
+SSL,function,114,SSL_CTX_use_certificate_file
+SSL,function,115,SSL_CTX_use_psk_identity_hint
+SSL,function,116,SSL_SESSION_new
+SSL,function,117,SSL_SESSION_print_fp
+SSL,function,118,SSL_SESSION_set1_id_context
+SSL,function,119,SSL_SESSION_to_bytes_full
+SSL,function,120,SSL_accept
+SSL,function,121,SSL_add_dir_cert_subjects_to_stack
+SSL,function,122,SSL_add_file_cert_subjects_to_stack
+SSL,function,123,SSL_check_private_key
+SSL,function,124,SSL_clear
+SSL,function,125,SSL_connect
+SSL,function,126,SSL_do_handshake
+SSL,function,127,SSL_load_client_CA_file
+SSL,function,128,SSL_new
+SSL,function,129,SSL_peek
+SSL,function,130,SSL_read
+SSL,function,131,SSL_renegotiate
+SSL,function,273,SSL_set1_tls_channel_id
+SSL,function,132,SSL_set_cipher_list
+SSL,function,133,SSL_set_fd
+SSL,function,134,SSL_set_rfd
+SSL,function,135,SSL_set_session_id_context
+SSL,function,274,SSL_set_tlsext_host_name
+SSL,function,270,SSL_set_tmp_dh
+SSL,function,271,SSL_set_tmp_ecdh
+SSL,function,136,SSL_set_wfd
+SSL,function,137,SSL_shutdown
+SSL,function,138,SSL_use_PrivateKey
+SSL,function,139,SSL_use_PrivateKey_ASN1
+SSL,function,140,SSL_use_PrivateKey_file
+SSL,function,141,SSL_use_RSAPrivateKey
+SSL,function,142,SSL_use_RSAPrivateKey_ASN1
+SSL,function,143,SSL_use_RSAPrivateKey_file
+SSL,function,144,SSL_use_certificate
+SSL,function,145,SSL_use_certificate_ASN1
+SSL,function,146,SSL_use_certificate_file
+SSL,function,147,SSL_use_psk_identity_hint
+SSL,function,148,SSL_write
+SSL,function,149,d2i_SSL_SESSION
+SSL,function,150,d2i_SSL_SESSION_get_octet_string
+SSL,function,151,d2i_SSL_SESSION_get_string
+SSL,function,152,do_ssl3_write
+SSL,function,153,dtls1_accept
+SSL,function,154,dtls1_buffer_record
+SSL,function,155,dtls1_check_timeout_num
+SSL,function,156,dtls1_connect
+SSL,function,157,dtls1_do_write
+SSL,function,263,dtls1_get_buffered_message
+SSL,function,158,dtls1_get_hello_verify
+SSL,function,159,dtls1_get_message
+SSL,function,160,dtls1_get_message_fragment
+SSL,function,265,dtls1_hm_fragment_new
+SSL,function,161,dtls1_preprocess_fragment
+SSL,function,264,dtls1_process_fragment
+SSL,function,162,dtls1_process_record
+SSL,function,163,dtls1_read_bytes
+SSL,function,164,dtls1_send_hello_verify_request
+SSL,function,165,dtls1_write_app_data_bytes
+SSL,function,166,i2d_SSL_SESSION
+SSL,function,167,ssl3_accept
+SSL,function,169,ssl3_cert_verify_hash
+SSL,function,170,ssl3_check_cert_and_algorithm
+SSL,function,171,ssl3_connect
+SSL,function,172,ssl3_ctrl
+SSL,function,173,ssl3_ctx_ctrl
+SSL,function,174,ssl3_digest_cached_records
+SSL,function,175,ssl3_do_change_cipher_spec
+SSL,function,176,ssl3_expect_change_cipher_spec
+SSL,function,177,ssl3_get_cert_status
+SSL,function,178,ssl3_get_cert_verify
+SSL,function,179,ssl3_get_certificate_request
+SSL,function,180,ssl3_get_channel_id
+SSL,function,181,ssl3_get_client_certificate
+SSL,function,182,ssl3_get_client_hello
+SSL,function,183,ssl3_get_client_key_exchange
+SSL,function,184,ssl3_get_finished
+SSL,function,185,ssl3_get_initial_bytes
+SSL,function,186,ssl3_get_message
+SSL,function,187,ssl3_get_new_session_ticket
+SSL,function,188,ssl3_get_next_proto
+SSL,function,189,ssl3_get_record
+SSL,function,190,ssl3_get_server_certificate
+SSL,function,191,ssl3_get_server_done
+SSL,function,192,ssl3_get_server_hello
+SSL,function,193,ssl3_get_server_key_exchange
+SSL,function,194,ssl3_get_v2_client_hello
+SSL,function,195,ssl3_handshake_mac
+SSL,function,275,ssl3_output_cert_chain
+SSL,function,196,ssl3_prf
+SSL,function,197,ssl3_read_bytes
+SSL,function,198,ssl3_read_n
+SSL,function,267,ssl3_record_sequence_update
+SSL,function,266,ssl3_seal_record
+SSL,function,199,ssl3_send_cert_verify
+SSL,function,200,ssl3_send_certificate_request
+SSL,function,201,ssl3_send_channel_id
+SSL,function,202,ssl3_send_client_certificate
+SSL,function,203,ssl3_send_client_hello
+SSL,function,204,ssl3_send_client_key_exchange
+SSL,function,205,ssl3_send_server_certificate
+SSL,function,206,ssl3_send_server_hello
+SSL,function,207,ssl3_send_server_key_exchange
+SSL,function,208,ssl3_setup_read_buffer
+SSL,function,209,ssl3_setup_write_buffer
+SSL,function,210,ssl3_write_bytes
+SSL,function,211,ssl3_write_pending
+SSL,function,212,ssl_add_cert_chain
+SSL,function,213,ssl_add_cert_to_buf
+SSL,function,214,ssl_add_clienthello_renegotiate_ext
+SSL,function,215,ssl_add_clienthello_tlsext
+SSL,function,216,ssl_add_clienthello_use_srtp_ext
+SSL,function,217,ssl_add_serverhello_renegotiate_ext
+SSL,function,218,ssl_add_serverhello_tlsext
+SSL,function,219,ssl_add_serverhello_use_srtp_ext
+SSL,function,220,ssl_build_cert_chain
+SSL,function,221,ssl_bytes_to_cipher_list
+SSL,function,222,ssl_cert_dup
+SSL,function,223,ssl_cert_inst
+SSL,function,224,ssl_cert_new
+SSL,function,225,ssl_check_serverhello_tlsext
+SSL,function,226,ssl_check_srvr_ecc_cert_and_alg
+SSL,function,227,ssl_cipher_process_rulestr
+SSL,function,228,ssl_cipher_strength_sort
+SSL,function,229,ssl_create_cipher_list
+SSL,function,230,ssl_ctx_log_master_secret
+SSL,function,231,ssl_ctx_log_rsa_client_key_exchange
+SSL,function,232,ssl_ctx_make_profiles
+SSL,function,233,ssl_get_new_session
+SSL,function,234,ssl_get_prev_session
+SSL,function,235,ssl_get_server_cert_index
+SSL,function,236,ssl_get_sign_pkey
+SSL,function,237,ssl_init_wbio_buffer
+SSL,function,238,ssl_parse_clienthello_renegotiate_ext
+SSL,function,239,ssl_parse_clienthello_tlsext
+SSL,function,240,ssl_parse_clienthello_use_srtp_ext
+SSL,function,241,ssl_parse_serverhello_renegotiate_ext
+SSL,function,242,ssl_parse_serverhello_tlsext
+SSL,function,243,ssl_parse_serverhello_use_srtp_ext
+SSL,function,244,ssl_scan_clienthello_tlsext
+SSL,function,245,ssl_scan_serverhello_tlsext
+SSL,function,246,ssl_sess_cert_new
+SSL,function,247,ssl_set_cert
+SSL,function,248,ssl_set_pkey
+SSL,function,252,ssl_verify_cert_chain
+SSL,function,253,tls12_check_peer_sigalg
+SSL,function,254,tls1_aead_ctx_init
+SSL,function,255,tls1_cert_verify_mac
+SSL,function,256,tls1_change_cipher_state
+SSL,function,257,tls1_change_cipher_state_aead
+SSL,function,258,tls1_check_duplicate_extensions
+SSL,function,259,tls1_enc
+SSL,function,260,tls1_export_keying_material
+SSL,function,261,tls1_prf
+SSL,function,262,tls1_setup_key_block
+SSL,reason,100,APP_DATA_IN_HANDSHAKE
+SSL,reason,101,ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT
+SSL,reason,102,BAD_ALERT
+SSL,reason,103,BAD_CHANGE_CIPHER_SPEC
+SSL,reason,104,BAD_DATA_RETURNED_BY_CALLBACK
+SSL,reason,105,BAD_DH_P_LENGTH
+SSL,reason,106,BAD_DIGEST_LENGTH
+SSL,reason,107,BAD_ECC_CERT
+SSL,reason,108,BAD_ECPOINT
+SSL,reason,109,BAD_HANDSHAKE_LENGTH
+SSL,reason,110,BAD_HANDSHAKE_RECORD
+SSL,reason,111,BAD_HELLO_REQUEST
+SSL,reason,112,BAD_LENGTH
+SSL,reason,113,BAD_PACKET_LENGTH
+SSL,reason,114,BAD_RSA_ENCRYPT
+SSL,reason,115,BAD_SIGNATURE
+SSL,reason,116,BAD_SRTP_MKI_VALUE
+SSL,reason,117,BAD_SRTP_PROTECTION_PROFILE_LIST
+SSL,reason,118,BAD_SSL_FILETYPE
+SSL,reason,119,BAD_WRITE_RETRY
+SSL,reason,120,BIO_NOT_SET
+SSL,reason,121,BN_LIB
+SSL,reason,272,BUFFER_TOO_SMALL
+SSL,reason,122,CANNOT_SERIALIZE_PUBLIC_KEY
+SSL,reason,123,CA_DN_LENGTH_MISMATCH
+SSL,reason,124,CA_DN_TOO_LONG
+SSL,reason,125,CCS_RECEIVED_EARLY
+SSL,reason,126,CERTIFICATE_VERIFY_FAILED
+SSL,reason,127,CERT_CB_ERROR
+SSL,reason,128,CERT_LENGTH_MISMATCH
+SSL,reason,129,CHANNEL_ID_NOT_P256
+SSL,reason,130,CHANNEL_ID_SIGNATURE_INVALID
+SSL,reason,131,CIPHER_CODE_WRONG_LENGTH
+SSL,reason,132,CIPHER_OR_HASH_UNAVAILABLE
+SSL,reason,133,CLIENTHELLO_PARSE_FAILED
+SSL,reason,134,CLIENTHELLO_TLSEXT
+SSL,reason,135,CONNECTION_REJECTED
+SSL,reason,136,CONNECTION_TYPE_NOT_SET
+SSL,reason,137,COOKIE_MISMATCH
+SSL,reason,138,D2I_ECDSA_SIG
+SSL,reason,139,DATA_BETWEEN_CCS_AND_FINISHED
+SSL,reason,140,DATA_LENGTH_TOO_LONG
+SSL,reason,141,DECODE_ERROR
+SSL,reason,142,DECRYPTION_FAILED
+SSL,reason,143,DECRYPTION_FAILED_OR_BAD_RECORD_MAC
+SSL,reason,144,DH_PUBLIC_VALUE_LENGTH_IS_WRONG
+SSL,reason,145,DIGEST_CHECK_FAILED
+SSL,reason,146,DTLS_MESSAGE_TOO_BIG
+SSL,reason,147,ECC_CERT_NOT_FOR_SIGNING
+SSL,reason,148,EMPTY_SRTP_PROTECTION_PROFILE_LIST
+SSL,reason,149,ENCRYPTED_LENGTH_TOO_LONG
+SSL,reason,150,ERROR_IN_RECEIVED_CIPHER_LIST
+SSL,reason,151,EVP_DIGESTSIGNFINAL_FAILED
+SSL,reason,152,EVP_DIGESTSIGNINIT_FAILED
+SSL,reason,153,EXCESSIVE_MESSAGE_SIZE
+SSL,reason,154,EXTRA_DATA_IN_MESSAGE
+SSL,reason,271,FRAGMENT_MISMATCH
+SSL,reason,155,GOT_A_FIN_BEFORE_A_CCS
+SSL,reason,156,GOT_CHANNEL_ID_BEFORE_A_CCS
+SSL,reason,157,GOT_NEXT_PROTO_BEFORE_A_CCS
+SSL,reason,158,GOT_NEXT_PROTO_WITHOUT_EXTENSION
+SSL,reason,159,HANDSHAKE_FAILURE_ON_CLIENT_HELLO
+SSL,reason,160,HANDSHAKE_RECORD_BEFORE_CCS
+SSL,reason,161,HTTPS_PROXY_REQUEST
+SSL,reason,162,HTTP_REQUEST
+SSL,reason,163,INAPPROPRIATE_FALLBACK
+SSL,reason,164,INVALID_COMMAND
+SSL,reason,165,INVALID_MESSAGE
+SSL,reason,166,INVALID_SSL_SESSION
+SSL,reason,167,INVALID_TICKET_KEYS_LENGTH
+SSL,reason,168,LENGTH_MISMATCH
+SSL,reason,169,LIBRARY_HAS_NO_CIPHERS
+SSL,reason,170,MISSING_DH_KEY
+SSL,reason,171,MISSING_ECDSA_SIGNING_CERT
+SSL,reason,172,MISSING_RSA_CERTIFICATE
+SSL,reason,173,MISSING_RSA_ENCRYPTING_CERT
+SSL,reason,174,MISSING_RSA_SIGNING_CERT
+SSL,reason,175,MISSING_TMP_DH_KEY
+SSL,reason,176,MISSING_TMP_ECDH_KEY
+SSL,reason,177,MIXED_SPECIAL_OPERATOR_WITH_GROUPS
+SSL,reason,178,MTU_TOO_SMALL
+SSL,reason,179,NESTED_GROUP
+SSL,reason,180,NO_CERTIFICATES_RETURNED
+SSL,reason,181,NO_CERTIFICATE_ASSIGNED
+SSL,reason,182,NO_CERTIFICATE_SET
+SSL,reason,183,NO_CIPHERS_AVAILABLE
+SSL,reason,184,NO_CIPHERS_PASSED
+SSL,reason,185,NO_CIPHERS_SPECIFIED
+SSL,reason,186,NO_CIPHER_MATCH
+SSL,reason,187,NO_COMPRESSION_SPECIFIED
+SSL,reason,188,NO_METHOD_SPECIFIED
+SSL,reason,189,NO_P256_SUPPORT
+SSL,reason,190,NO_PRIVATE_KEY_ASSIGNED
+SSL,reason,191,NO_RENEGOTIATION
+SSL,reason,192,NO_REQUIRED_DIGEST
+SSL,reason,193,NO_SHARED_CIPHER
+SSL,reason,194,NO_SHARED_SIGATURE_ALGORITHMS
+SSL,reason,195,NO_SRTP_PROFILES
+SSL,reason,196,NULL_SSL_CTX
+SSL,reason,197,NULL_SSL_METHOD_PASSED
+SSL,reason,198,OLD_SESSION_CIPHER_NOT_RETURNED
+SSL,reason,273,OLD_SESSION_VERSION_NOT_RETURNED
+SSL,reason,199,PACKET_LENGTH_TOO_LONG
+SSL,reason,200,PARSE_TLSEXT
+SSL,reason,201,PATH_TOO_LONG
+SSL,reason,202,PEER_DID_NOT_RETURN_A_CERTIFICATE
+SSL,reason,203,PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE
+SSL,reason,204,PROTOCOL_IS_SHUTDOWN
+SSL,reason,205,PSK_IDENTITY_NOT_FOUND
+SSL,reason,206,PSK_NO_CLIENT_CB
+SSL,reason,207,PSK_NO_SERVER_CB
+SSL,reason,208,READ_BIO_NOT_SET
+SSL,reason,209,READ_TIMEOUT_EXPIRED
+SSL,reason,210,RECORD_LENGTH_MISMATCH
+SSL,reason,211,RECORD_TOO_LARGE
+SSL,reason,212,RENEGOTIATE_EXT_TOO_LONG
+SSL,reason,213,RENEGOTIATION_ENCODING_ERR
+SSL,reason,214,RENEGOTIATION_MISMATCH
+SSL,reason,215,REQUIRED_CIPHER_MISSING
+SSL,reason,216,SCSV_RECEIVED_WHEN_RENEGOTIATING
+SSL,reason,217,SERVERHELLO_TLSEXT
+SSL,reason,218,SESSION_ID_CONTEXT_UNINITIALIZED
+SSL,reason,219,SESSION_MAY_NOT_BE_CREATED
+SSL,reason,220,SIGNATURE_ALGORITHMS_ERROR
+SSL,reason,221,SRTP_COULD_NOT_ALLOCATE_PROFILES
+SSL,reason,222,SRTP_PROTECTION_PROFILE_LIST_TOO_LONG
+SSL,reason,223,SRTP_UNKNOWN_PROTECTION_PROFILE
+SSL,reason,224,SSL3_EXT_INVALID_SERVERNAME
+SSL,reason,225,SSL3_EXT_INVALID_SERVERNAME_TYPE
+SSL,reason,1042,SSLV3_ALERT_BAD_CERTIFICATE
+SSL,reason,1020,SSLV3_ALERT_BAD_RECORD_MAC
+SSL,reason,1045,SSLV3_ALERT_CERTIFICATE_EXPIRED
+SSL,reason,1044,SSLV3_ALERT_CERTIFICATE_REVOKED
+SSL,reason,1046,SSLV3_ALERT_CERTIFICATE_UNKNOWN
+SSL,reason,1000,SSLV3_ALERT_CLOSE_NOTIFY
+SSL,reason,1030,SSLV3_ALERT_DECOMPRESSION_FAILURE
+SSL,reason,1040,SSLV3_ALERT_HANDSHAKE_FAILURE
+SSL,reason,1047,SSLV3_ALERT_ILLEGAL_PARAMETER
+SSL,reason,1041,SSLV3_ALERT_NO_CERTIFICATE
+SSL,reason,1010,SSLV3_ALERT_UNEXPECTED_MESSAGE
+SSL,reason,1043,SSLV3_ALERT_UNSUPPORTED_CERTIFICATE
+SSL,reason,226,SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION
+SSL,reason,227,SSL_HANDSHAKE_FAILURE
+SSL,reason,228,SSL_SESSION_ID_CALLBACK_FAILED
+SSL,reason,229,SSL_SESSION_ID_CONFLICT
+SSL,reason,230,SSL_SESSION_ID_CONTEXT_TOO_LONG
+SSL,reason,231,SSL_SESSION_ID_HAS_BAD_LENGTH
+SSL,reason,1049,TLSV1_ALERT_ACCESS_DENIED
+SSL,reason,1050,TLSV1_ALERT_DECODE_ERROR
+SSL,reason,1021,TLSV1_ALERT_DECRYPTION_FAILED
+SSL,reason,1051,TLSV1_ALERT_DECRYPT_ERROR
+SSL,reason,1060,TLSV1_ALERT_EXPORT_RESTRICTION
+SSL,reason,1086,TLSV1_ALERT_INAPPROPRIATE_FALLBACK
+SSL,reason,1071,TLSV1_ALERT_INSUFFICIENT_SECURITY
+SSL,reason,1080,TLSV1_ALERT_INTERNAL_ERROR
+SSL,reason,1100,TLSV1_ALERT_NO_RENEGOTIATION
+SSL,reason,1070,TLSV1_ALERT_PROTOCOL_VERSION
+SSL,reason,1022,TLSV1_ALERT_RECORD_OVERFLOW
+SSL,reason,1048,TLSV1_ALERT_UNKNOWN_CA
+SSL,reason,1090,TLSV1_ALERT_USER_CANCELLED
+SSL,reason,1114,TLSV1_BAD_CERTIFICATE_HASH_VALUE
+SSL,reason,1113,TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE
+SSL,reason,1111,TLSV1_CERTIFICATE_UNOBTAINABLE
+SSL,reason,1112,TLSV1_UNRECOGNIZED_NAME
+SSL,reason,1110,TLSV1_UNSUPPORTED_EXTENSION
+SSL,reason,232,TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER
+SSL,reason,233,TLS_ILLEGAL_EXPORTER_LABEL
+SSL,reason,234,TLS_INVALID_ECPOINTFORMAT_LIST
+SSL,reason,235,TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
+SSL,reason,236,TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG
+SSL,reason,237,TOO_MANY_EMPTY_FRAGMENTS
+SSL,reason,238,UNABLE_TO_FIND_ECDH_PARAMETERS
+SSL,reason,239,UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS
+SSL,reason,240,UNEXPECTED_GROUP_CLOSE
+SSL,reason,241,UNEXPECTED_MESSAGE
+SSL,reason,242,UNEXPECTED_OPERATOR_IN_GROUP
+SSL,reason,243,UNEXPECTED_RECORD
+SSL,reason,244,UNINITIALIZED
+SSL,reason,245,UNKNOWN_ALERT_TYPE
+SSL,reason,246,UNKNOWN_CERTIFICATE_TYPE
+SSL,reason,247,UNKNOWN_CIPHER_RETURNED
+SSL,reason,248,UNKNOWN_CIPHER_TYPE
+SSL,reason,249,UNKNOWN_DIGEST
+SSL,reason,250,UNKNOWN_KEY_EXCHANGE_TYPE
+SSL,reason,251,UNKNOWN_PROTOCOL
+SSL,reason,252,UNKNOWN_SSL_VERSION
+SSL,reason,253,UNKNOWN_STATE
+SSL,reason,254,UNPROCESSED_HANDSHAKE_DATA
+SSL,reason,255,UNSAFE_LEGACY_RENEGOTIATION_DISABLED
+SSL,reason,256,UNSUPPORTED_CIPHER
+SSL,reason,257,UNSUPPORTED_COMPRESSION_ALGORITHM
+SSL,reason,258,UNSUPPORTED_ELLIPTIC_CURVE
+SSL,reason,259,UNSUPPORTED_PROTOCOL
+SSL,reason,260,UNSUPPORTED_SSL_VERSION
+SSL,reason,261,USE_SRTP_NOT_NEGOTIATED
+SSL,reason,262,WRONG_CERTIFICATE_TYPE
+SSL,reason,263,WRONG_CIPHER_RETURNED
+SSL,reason,264,WRONG_CURVE
+SSL,reason,265,WRONG_MESSAGE_TYPE
+SSL,reason,266,WRONG_SIGNATURE_TYPE
+SSL,reason,267,WRONG_SSL_VERSION
+SSL,reason,268,WRONG_VERSION_NUMBER
+SSL,reason,269,X509_LIB
+SSL,reason,270,X509_VERIFICATION_SETUP_PROBLEMS
diff --git a/src/crypto/err/x509.errordata b/src/crypto/err/x509.errordata
new file mode 100644
index 0000000..1b50e36
--- /dev/null
+++ b/src/crypto/err/x509.errordata
@@ -0,0 +1,96 @@
+X509,function,100,ASN1_digest
+X509,function,101,ASN1_item_sign_ctx
+X509,function,102,ASN1_item_verify
+X509,function,103,NETSCAPE_SPKI_b64_decode
+X509,function,104,NETSCAPE_SPKI_b64_encode
+X509,function,158,PKCS7_get_CRLs
+X509,function,105,PKCS7_get_certificates
+X509,function,106,X509_ATTRIBUTE_create_by_NID
+X509,function,107,X509_ATTRIBUTE_create_by_OBJ
+X509,function,108,X509_ATTRIBUTE_create_by_txt
+X509,function,109,X509_ATTRIBUTE_get0_data
+X509,function,110,X509_ATTRIBUTE_set1_data
+X509,function,111,X509_CRL_add0_revoked
+X509,function,112,X509_CRL_diff
+X509,function,113,X509_CRL_print_fp
+X509,function,114,X509_EXTENSION_create_by_NID
+X509,function,115,X509_EXTENSION_create_by_OBJ
+X509,function,116,X509_INFO_new
+X509,function,117,X509_NAME_ENTRY_create_by_NID
+X509,function,118,X509_NAME_ENTRY_create_by_txt
+X509,function,119,X509_NAME_ENTRY_set_object
+X509,function,120,X509_NAME_add_entry
+X509,function,121,X509_NAME_oneline
+X509,function,122,X509_NAME_print
+X509,function,123,X509_PKEY_new
+X509,function,124,X509_PUBKEY_get
+X509,function,125,X509_PUBKEY_set
+X509,function,126,X509_REQ_check_private_key
+X509,function,127,X509_REQ_to_X509
+X509,function,128,X509_STORE_CTX_get1_issuer
+X509,function,129,X509_STORE_CTX_init
+X509,function,130,X509_STORE_CTX_new
+X509,function,131,X509_STORE_CTX_purpose_inherit
+X509,function,132,X509_STORE_add_cert
+X509,function,133,X509_STORE_add_crl
+X509,function,134,X509_TRUST_add
+X509,function,135,X509_TRUST_set
+X509,function,136,X509_check_private_key
+X509,function,137,X509_get_pubkey_parameters
+X509,function,138,X509_load_cert_crl_file
+X509,function,139,X509_load_cert_file
+X509,function,140,X509_load_crl_file
+X509,function,141,X509_print_ex_fp
+X509,function,142,X509_to_X509_REQ
+X509,function,143,X509_verify_cert
+X509,function,144,X509at_add1_attr
+X509,function,145,X509v3_add_ext
+X509,function,146,add_cert_dir
+X509,function,147,by_file_ctrl
+X509,function,148,check_policy
+X509,function,149,dir_ctrl
+X509,function,150,get_cert_by_subject
+X509,function,151,i2d_DSA_PUBKEY
+X509,function,152,i2d_EC_PUBKEY
+X509,function,153,i2d_RSA_PUBKEY
+X509,function,157,pkcs7_parse_header
+X509,function,154,x509_name_encode
+X509,function,155,x509_name_ex_d2i
+X509,function,156,x509_name_ex_new
+X509,reason,100,AKID_MISMATCH
+X509,reason,101,BAD_PKCS7_VERSION
+X509,reason,102,BAD_X509_FILETYPE
+X509,reason,103,BASE64_DECODE_ERROR
+X509,reason,104,CANT_CHECK_DH_KEY
+X509,reason,105,CERT_ALREADY_IN_HASH_TABLE
+X509,reason,106,CRL_ALREADY_DELTA
+X509,reason,107,CRL_VERIFY_FAILURE
+X509,reason,108,IDP_MISMATCH
+X509,reason,109,INVALID_BIT_STRING_BITS_LEFT
+X509,reason,110,INVALID_DIRECTORY
+X509,reason,111,INVALID_FIELD_NAME
+X509,reason,112,INVALID_TRUST
+X509,reason,113,ISSUER_MISMATCH
+X509,reason,114,KEY_TYPE_MISMATCH
+X509,reason,115,KEY_VALUES_MISMATCH
+X509,reason,116,LOADING_CERT_DIR
+X509,reason,117,LOADING_DEFAULTS
+X509,reason,118,METHOD_NOT_SUPPORTED
+X509,reason,119,NEWER_CRL_NOT_NEWER
+X509,reason,120,NOT_PKCS7_SIGNED_DATA
+X509,reason,121,NO_CERTIFICATES_INCLUDED
+X509,reason,122,NO_CERT_SET_FOR_US_TO_VERIFY
+X509,reason,136,NO_CRLS_INCLUDED
+X509,reason,123,NO_CRL_NUMBER
+X509,reason,124,PUBLIC_KEY_DECODE_ERROR
+X509,reason,125,PUBLIC_KEY_ENCODE_ERROR
+X509,reason,126,SHOULD_RETRY
+X509,reason,127,UNABLE_TO_FIND_PARAMETERS_IN_CHAIN
+X509,reason,128,UNABLE_TO_GET_CERTS_PUBLIC_KEY
+X509,reason,129,UNKNOWN_KEY_TYPE
+X509,reason,130,UNKNOWN_NID
+X509,reason,131,UNKNOWN_PURPOSE_ID
+X509,reason,132,UNKNOWN_TRUST_ID
+X509,reason,133,UNSUPPORTED_ALGORITHM
+X509,reason,134,WRONG_LOOKUP_TYPE
+X509,reason,135,WRONG_TYPE
diff --git a/src/crypto/err/x509v3.errordata b/src/crypto/err/x509v3.errordata
new file mode 100644
index 0000000..059e677
--- /dev/null
+++ b/src/crypto/err/x509v3.errordata
@@ -0,0 +1,120 @@
+X509V3,function,100,SXNET_add_id_INTEGER
+X509V3,function,101,SXNET_add_id_asc
+X509V3,function,102,SXNET_add_id_ulong
+X509V3,function,103,SXNET_get_id_asc
+X509V3,function,104,SXNET_get_id_ulong
+X509V3,function,105,X509V3_EXT_add
+X509V3,function,106,X509V3_EXT_add_alias
+X509V3,function,107,X509V3_EXT_free
+X509V3,function,108,X509V3_EXT_i2d
+X509V3,function,109,X509V3_EXT_nconf
+X509V3,function,110,X509V3_add1_i2d
+X509V3,function,111,X509V3_add_value
+X509V3,function,112,X509V3_get_section
+X509V3,function,113,X509V3_get_string
+X509V3,function,114,X509V3_get_value_bool
+X509V3,function,115,X509V3_parse_list
+X509V3,function,116,X509_PURPOSE_add
+X509V3,function,117,X509_PURPOSE_set
+X509V3,function,118,a2i_GENERAL_NAME
+X509V3,function,119,copy_email
+X509V3,function,120,copy_issuer
+X509V3,function,121,do_dirname
+X509V3,function,122,do_ext_i2d
+X509V3,function,123,do_ext_nconf
+X509V3,function,124,gnames_from_sectname
+X509V3,function,125,hex_to_string
+X509V3,function,126,i2s_ASN1_ENUMERATED
+X509V3,function,127,i2s_ASN1_IA5STRING
+X509V3,function,128,i2s_ASN1_INTEGER
+X509V3,function,129,i2v_AUTHORITY_INFO_ACCESS
+X509V3,function,130,notice_section
+X509V3,function,131,nref_nos
+X509V3,function,132,policy_section
+X509V3,function,133,process_pci_value
+X509V3,function,134,r2i_certpol
+X509V3,function,135,r2i_pci
+X509V3,function,136,s2i_ASN1_IA5STRING
+X509V3,function,137,s2i_ASN1_INTEGER
+X509V3,function,138,s2i_ASN1_OCTET_STRING
+X509V3,function,139,s2i_skey_id
+X509V3,function,140,set_dist_point_name
+X509V3,function,141,string_to_hex
+X509V3,function,142,v2i_ASN1_BIT_STRING
+X509V3,function,143,v2i_AUTHORITY_INFO_ACCESS
+X509V3,function,144,v2i_AUTHORITY_KEYID
+X509V3,function,145,v2i_BASIC_CONSTRAINTS
+X509V3,function,146,v2i_EXTENDED_KEY_USAGE
+X509V3,function,147,v2i_GENERAL_NAMES
+X509V3,function,148,v2i_GENERAL_NAME_ex
+X509V3,function,149,v2i_NAME_CONSTRAINTS
+X509V3,function,150,v2i_POLICY_CONSTRAINTS
+X509V3,function,151,v2i_POLICY_MAPPINGS
+X509V3,function,152,v2i_crld
+X509V3,function,153,v2i_idp
+X509V3,function,154,v2i_issuer_alt
+X509V3,function,155,v2i_subject_alt
+X509V3,function,156,v3_generic_extension
+X509V3,reason,100,BAD_IP_ADDRESS
+X509V3,reason,101,BAD_OBJECT
+X509V3,reason,102,BN_DEC2BN_ERROR
+X509V3,reason,103,BN_TO_ASN1_INTEGER_ERROR
+X509V3,reason,104,CANNOT_FIND_FREE_FUNCTION
+X509V3,reason,105,DIRNAME_ERROR
+X509V3,reason,106,DISTPOINT_ALREADY_SET
+X509V3,reason,107,DUPLICATE_ZONE_ID
+X509V3,reason,108,ERROR_CONVERTING_ZONE
+X509V3,reason,109,ERROR_CREATING_EXTENSION
+X509V3,reason,110,ERROR_IN_EXTENSION
+X509V3,reason,111,EXPECTED_A_SECTION_NAME
+X509V3,reason,112,EXTENSION_EXISTS
+X509V3,reason,113,EXTENSION_NAME_ERROR
+X509V3,reason,114,EXTENSION_NOT_FOUND
+X509V3,reason,115,EXTENSION_SETTING_NOT_SUPPORTED
+X509V3,reason,116,EXTENSION_VALUE_ERROR
+X509V3,reason,117,ILLEGAL_EMPTY_EXTENSION
+X509V3,reason,118,ILLEGAL_HEX_DIGIT
+X509V3,reason,119,INCORRECT_POLICY_SYNTAX_TAG
+X509V3,reason,120,INVALID_BOOLEAN_STRING
+X509V3,reason,121,INVALID_EXTENSION_STRING
+X509V3,reason,122,INVALID_MULTIPLE_RDNS
+X509V3,reason,123,INVALID_NAME
+X509V3,reason,124,INVALID_NULL_ARGUMENT
+X509V3,reason,125,INVALID_NULL_NAME
+X509V3,reason,126,INVALID_NULL_VALUE
+X509V3,reason,127,INVALID_NUMBER
+X509V3,reason,128,INVALID_NUMBERS
+X509V3,reason,129,INVALID_OBJECT_IDENTIFIER
+X509V3,reason,130,INVALID_OPTION
+X509V3,reason,131,INVALID_POLICY_IDENTIFIER
+X509V3,reason,132,INVALID_PROXY_POLICY_SETTING
+X509V3,reason,133,INVALID_PURPOSE
+X509V3,reason,134,INVALID_SECTION
+X509V3,reason,135,INVALID_SYNTAX
+X509V3,reason,136,ISSUER_DECODE_ERROR
+X509V3,reason,137,MISSING_VALUE
+X509V3,reason,138,NEED_ORGANIZATION_AND_NUMBERS
+X509V3,reason,139,NO_CONFIG_DATABASE
+X509V3,reason,140,NO_ISSUER_CERTIFICATE
+X509V3,reason,141,NO_ISSUER_DETAILS
+X509V3,reason,142,NO_POLICY_IDENTIFIER
+X509V3,reason,143,NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED
+X509V3,reason,144,NO_PUBLIC_KEY
+X509V3,reason,145,NO_SUBJECT_DETAILS
+X509V3,reason,146,ODD_NUMBER_OF_DIGITS
+X509V3,reason,147,OPERATION_NOT_DEFINED
+X509V3,reason,148,OTHERNAME_ERROR
+X509V3,reason,149,POLICY_LANGUAGE_ALREADY_DEFINED
+X509V3,reason,150,POLICY_PATH_LENGTH
+X509V3,reason,151,POLICY_PATH_LENGTH_ALREADY_DEFINED
+X509V3,reason,152,POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY
+X509V3,reason,153,SECTION_NOT_FOUND
+X509V3,reason,154,UNABLE_TO_GET_ISSUER_DETAILS
+X509V3,reason,155,UNABLE_TO_GET_ISSUER_KEYID
+X509V3,reason,156,UNKNOWN_BIT_STRING_ARGUMENT
+X509V3,reason,157,UNKNOWN_EXTENSION
+X509V3,reason,158,UNKNOWN_EXTENSION_NAME
+X509V3,reason,159,UNKNOWN_OPTION
+X509V3,reason,160,UNSUPPORTED_OPTION
+X509V3,reason,161,UNSUPPORTED_TYPE
+X509V3,reason,162,USER_TOO_LONG
diff --git a/src/crypto/evp/CMakeLists.txt b/src/crypto/evp/CMakeLists.txt
index 9854a18..6db9752 100644
--- a/src/crypto/evp/CMakeLists.txt
+++ b/src/crypto/evp/CMakeLists.txt
@@ -10,7 +10,7 @@
digestsign.c
evp.c
evp_ctx.c
- evp_error.c
+ p_dsa_asn1.c
p_ec.c
p_ec_asn1.c
p_hmac.c
@@ -23,16 +23,24 @@
add_executable(
+ evp_extra_test
+
+ evp_extra_test.cc
+)
+
+add_executable(
evp_test
- evp_test.c
+ evp_test.cc
+ $<TARGET_OBJECTS:test_support>
)
add_executable(
pbkdf_test
- pbkdf_test.c
+ pbkdf_test.cc
)
+target_link_libraries(evp_extra_test crypto)
target_link_libraries(evp_test crypto)
target_link_libraries(pbkdf_test crypto)
diff --git a/src/crypto/evp/asn1.c b/src/crypto/evp/asn1.c
index 27ae017..3df9f52 100644
--- a/src/crypto/evp/asn1.c
+++ b/src/crypto/evp/asn1.c
@@ -105,7 +105,7 @@
return ret;
err:
- if (ret != NULL && (out == NULL || *out != ret)) {
+ if (out == NULL || *out != ret) {
EVP_PKEY_free(ret);
}
return NULL;
diff --git a/src/crypto/evp/digestsign.c b/src/crypto/evp/digestsign.c
index c86b805..c163d40 100644
--- a/src/crypto/evp/digestsign.c
+++ b/src/crypto/evp/digestsign.c
@@ -65,9 +65,8 @@
/* md_begin_digset is a callback from the |EVP_MD_CTX| code that is called when
* a new digest is begun. */
static int md_begin_digest(EVP_MD_CTX *ctx) {
- int r = EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG,
- EVP_PKEY_CTRL_DIGESTINIT, 0, ctx);
- return r > 0 || r == -2;
+ return EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG,
+ EVP_PKEY_CTRL_DIGESTINIT, 0, ctx);
}
static const struct evp_md_pctx_ops md_pctx_ops = {
@@ -98,24 +97,24 @@
if (is_verify) {
if (ctx->pctx->pmeth->verifyctx_init) {
- if (ctx->pctx->pmeth->verifyctx_init(ctx->pctx, ctx) <= 0) {
+ if (!ctx->pctx->pmeth->verifyctx_init(ctx->pctx, ctx)) {
return 0;
}
ctx->pctx->operation = EVP_PKEY_OP_VERIFYCTX;
- } else if (EVP_PKEY_verify_init(ctx->pctx) <= 0) {
+ } else if (!EVP_PKEY_verify_init(ctx->pctx)) {
return 0;
}
} else {
if (ctx->pctx->pmeth->signctx_init) {
- if (ctx->pctx->pmeth->signctx_init(ctx->pctx, ctx) <= 0) {
+ if (!ctx->pctx->pmeth->signctx_init(ctx->pctx, ctx)) {
return 0;
}
ctx->pctx->operation = EVP_PKEY_OP_SIGNCTX;
- } else if (EVP_PKEY_sign_init(ctx->pctx) <= 0) {
+ } else if (!EVP_PKEY_sign_init(ctx->pctx)) {
return 0;
}
}
- if (EVP_PKEY_CTX_set_signature_md(ctx->pctx, type) <= 0) {
+ if (!EVP_PKEY_CTX_set_signature_md(ctx->pctx, type)) {
return 0;
}
if (pctx) {
@@ -163,12 +162,12 @@
r = tmp_ctx.pctx->pmeth->signctx(tmp_ctx.pctx, out_sig, out_sig_len, &tmp_ctx);
} else {
r = EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen);
+ if (r) {
+ r = EVP_PKEY_sign(ctx->pctx, out_sig, out_sig_len, md, mdlen);
+ }
}
EVP_MD_CTX_cleanup(&tmp_ctx);
- if (has_signctx || !r) {
- return r;
- }
- return EVP_PKEY_sign(ctx->pctx, out_sig, out_sig_len, md, mdlen);
+ return r;
} else {
if (has_signctx) {
return ctx->pctx->pmeth->signctx(ctx->pctx, out_sig, out_sig_len, ctx);
@@ -185,21 +184,21 @@
uint8_t md[EVP_MAX_MD_SIZE];
int r;
unsigned int mdlen;
- const int has_verifyctx = ctx->pctx->pmeth->verifyctx != NULL;
EVP_MD_CTX_init(&tmp_ctx);
if (!EVP_MD_CTX_copy_ex(&tmp_ctx, ctx)) {
return 0;
}
- if (has_verifyctx) {
+ if (ctx->pctx->pmeth->verifyctx) {
r = tmp_ctx.pctx->pmeth->verifyctx(tmp_ctx.pctx, sig, sig_len, &tmp_ctx);
} else {
r = EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen);
+ if (r) {
+ r = EVP_PKEY_verify(ctx->pctx, sig, sig_len, md, mdlen);
+ }
}
EVP_MD_CTX_cleanup(&tmp_ctx);
- if (has_verifyctx || !r) {
- return r;
- }
- return EVP_PKEY_verify(ctx->pctx, sig, sig_len, md, mdlen);
+
+ return r;
}
diff --git a/src/crypto/evp/evp.c b/src/crypto/evp/evp.c
index 8a1d513..58fd9a9 100644
--- a/src/crypto/evp/evp.c
+++ b/src/crypto/evp/evp.c
@@ -67,10 +67,12 @@
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/rsa.h>
+#include <openssl/thread.h>
#include "internal.h"
+extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD ec_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meth;
@@ -109,15 +111,14 @@
}
free_it(pkey);
- if (pkey->attributes) {
- /* TODO(fork): layering: X509_ATTRIBUTE_free is an X.509 function. In
- * practice this path isn't called but should be removed in the future. */
- /*sk_X509_ATTRIBUTE_pop_free(pkey->attributes, X509_ATTRIBUTE_free);*/
- assert(0);
- }
OPENSSL_free(pkey);
}
+EVP_PKEY *EVP_PKEY_up_ref(EVP_PKEY *pkey) {
+ CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ return pkey;
+}
+
int EVP_PKEY_is_opaque(const EVP_PKEY *pkey) {
if (pkey->ameth && pkey->ameth->pkey_opaque) {
return pkey->ameth->pkey_opaque(pkey);
@@ -142,8 +143,9 @@
/* Compare parameters if the algorithm has them */
if (a->ameth->param_cmp) {
ret = a->ameth->param_cmp(a, b);
- if (ret <= 0)
+ if (ret <= 0) {
return ret;
+ }
}
if (a->ameth->pub_cmp) {
@@ -154,11 +156,6 @@
return -2;
}
-EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey) {
- CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
- return pkey;
-}
-
int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) {
if (to->type != from->type) {
OPENSSL_PUT_ERROR(EVP, EVP_PKEY_copy_parameters, EVP_R_DIFFERENT_KEY_TYPES);
@@ -213,6 +210,8 @@
return &hmac_asn1_meth;
case EVP_PKEY_EC:
return &ec_asn1_meth;
+ case EVP_PKEY_DSA:
+ return &dsa_asn1_meth;
default:
return NULL;
}
@@ -236,18 +235,19 @@
return NULL;
}
- if (EVP_PKEY_keygen_init(mac_ctx) <= 0 ||
- EVP_PKEY_CTX_ctrl(mac_ctx, -1, EVP_PKEY_OP_KEYGEN,
- EVP_PKEY_CTRL_SET_MAC_KEY, mac_key_len,
- (uint8_t *)mac_key) <= 0 ||
- EVP_PKEY_keygen(mac_ctx, &ret) <= 0) {
+ if (!EVP_PKEY_keygen_init(mac_ctx) ||
+ !EVP_PKEY_CTX_ctrl(mac_ctx, -1, EVP_PKEY_OP_KEYGEN,
+ EVP_PKEY_CTRL_SET_MAC_KEY, mac_key_len,
+ (uint8_t *)mac_key) ||
+ !EVP_PKEY_keygen(mac_ctx, &ret)) {
ret = NULL;
goto merr;
}
merr:
- if (mac_ctx)
+ if (mac_ctx) {
EVP_PKEY_CTX_free(mac_ctx);
+ }
return ret;
}
@@ -323,7 +323,7 @@
}
int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key) {
- return EVP_PKEY_assign(pkey, EVP_PKEY_EC, key);
+ return EVP_PKEY_assign(pkey, EVP_PKEY_DH, key);
}
DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey) {
@@ -435,6 +435,10 @@
0, (void *)out_md);
}
+EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey) {
+ return EVP_PKEY_up_ref(pkey);
+}
+
void OpenSSL_add_all_algorithms(void) {}
void EVP_cleanup(void) {}
diff --git a/src/crypto/evp/evp_ctx.c b/src/crypto/evp/evp_ctx.c
index a383725..9f42274 100644
--- a/src/crypto/evp/evp_ctx.c
+++ b/src/crypto/evp/evp_ctx.c
@@ -120,14 +120,12 @@
ret->operation = EVP_PKEY_OP_UNDEFINED;
if (pkey) {
- ret->pkey = EVP_PKEY_dup(pkey);
+ ret->pkey = EVP_PKEY_up_ref(pkey);
}
if (pmeth->init) {
if (pmeth->init(ret) <= 0) {
- if (pkey) {
- EVP_PKEY_free(ret->pkey);
- }
+ EVP_PKEY_free(ret->pkey);
OPENSSL_free(ret);
return NULL;
}
@@ -151,12 +149,8 @@
if (ctx->pmeth && ctx->pmeth->cleanup) {
ctx->pmeth->cleanup(ctx);
}
- if (ctx->pkey) {
- EVP_PKEY_free(ctx->pkey);
- }
- if (ctx->peerkey) {
- EVP_PKEY_free(ctx->peerkey);
- }
+ EVP_PKEY_free(ctx->pkey);
+ EVP_PKEY_free(ctx->peerkey);
OPENSSL_free(ctx);
}
@@ -179,14 +173,14 @@
rctx->operation = pctx->operation;
if (pctx->pkey) {
- rctx->pkey = EVP_PKEY_dup(pctx->pkey);
+ rctx->pkey = EVP_PKEY_up_ref(pctx->pkey);
if (rctx->pkey == NULL) {
goto err;
}
}
if (pctx->peerkey) {
- rctx->peerkey = EVP_PKEY_dup(pctx->peerkey);
+ rctx->peerkey = EVP_PKEY_up_ref(pctx->peerkey);
if (rctx->peerkey == NULL) {
goto err;
}
@@ -212,32 +206,25 @@
int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, int cmd,
int p1, void *p2) {
- int ret;
if (!ctx || !ctx->pmeth || !ctx->pmeth->ctrl) {
OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
- return -2;
+ return 0;
}
if (keytype != -1 && ctx->pmeth->pkey_id != keytype) {
- return -1;
+ return 0;
}
if (ctx->operation == EVP_PKEY_OP_UNDEFINED) {
OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_ctrl, EVP_R_NO_OPERATION_SET);
- return -1;
+ return 0;
}
if (optype != -1 && !(ctx->operation & optype)) {
OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_ctrl, EVP_R_INVALID_OPERATION);
- return -1;
+ return 0;
}
- ret = ctx->pmeth->ctrl(ctx, cmd, p1, p2);
-
- if (ret == -2) {
- OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
- }
-
- return ret;
+ return ctx->pmeth->ctrl(ctx, cmd, p1, p2);
}
int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx) {
@@ -434,9 +421,7 @@
return 0;
}
- if (ctx->peerkey) {
- EVP_PKEY_free(ctx->peerkey);
- }
+ EVP_PKEY_free(ctx->peerkey);
ctx->peerkey = peer;
ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);
@@ -446,7 +431,7 @@
return 0;
}
- EVP_PKEY_dup(peer);
+ EVP_PKEY_up_ref(peer);
return 1;
}
diff --git a/src/crypto/evp/evp_error.c b/src/crypto/evp/evp_error.c
deleted file mode 100644
index b0d311e..0000000
--- a/src/crypto/evp/evp_error.c
+++ /dev/null
@@ -1,131 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/evp.h>
-
-const ERR_STRING_DATA EVP_error_string_data[] = {
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DigestSignAlgorithm, 0), "EVP_DigestSignAlgorithm"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DigestVerifyInitFromAlgorithm, 0), "EVP_DigestVerifyInitFromAlgorithm"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_CTX_ctrl, 0), "EVP_PKEY_CTX_ctrl"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_CTX_dup, 0), "EVP_PKEY_CTX_dup"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_copy_parameters, 0), "EVP_PKEY_copy_parameters"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_decrypt, 0), "EVP_PKEY_decrypt"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_decrypt_init, 0), "EVP_PKEY_decrypt_init"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_derive, 0), "EVP_PKEY_derive"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_derive_init, 0), "EVP_PKEY_derive_init"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_derive_set_peer, 0), "EVP_PKEY_derive_set_peer"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_encrypt, 0), "EVP_PKEY_encrypt"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_encrypt_init, 0), "EVP_PKEY_encrypt_init"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_get1_DH, 0), "EVP_PKEY_get1_DH"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_get1_DSA, 0), "EVP_PKEY_get1_DSA"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_get1_EC_KEY, 0), "EVP_PKEY_get1_EC_KEY"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_get1_RSA, 0), "EVP_PKEY_get1_RSA"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_keygen, 0), "EVP_PKEY_keygen"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_keygen_init, 0), "EVP_PKEY_keygen_init"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_new, 0), "EVP_PKEY_new"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_set_type, 0), "EVP_PKEY_set_type"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_sign, 0), "EVP_PKEY_sign"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_sign_init, 0), "EVP_PKEY_sign_init"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_verify, 0), "EVP_PKEY_verify"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_PKEY_verify_init, 0), "EVP_PKEY_verify_init"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_check_padding_md, 0), "check_padding_md"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_d2i_AutoPrivateKey, 0), "d2i_AutoPrivateKey"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_d2i_PrivateKey, 0), "d2i_PrivateKey"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_do_EC_KEY_print, 0), "do_EC_KEY_print"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_do_rsa_print, 0), "do_rsa_print"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_do_sigver_init, 0), "do_sigver_init"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_param2type, 0), "eckey_param2type"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_param_decode, 0), "eckey_param_decode"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_priv_decode, 0), "eckey_priv_decode"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_priv_encode, 0), "eckey_priv_encode"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_pub_decode, 0), "eckey_pub_decode"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_pub_encode, 0), "eckey_pub_encode"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_eckey_type2param, 0), "eckey_type2param"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_evp_pkey_ctx_new, 0), "evp_pkey_ctx_new"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_hmac_signctx, 0), "hmac_signctx"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_i2d_PublicKey, 0), "i2d_PublicKey"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_old_ec_priv_decode, 0), "old_ec_priv_decode"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_old_rsa_priv_decode, 0), "old_rsa_priv_decode"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_ctrl, 0), "pkey_ec_ctrl"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_derive, 0), "pkey_ec_derive"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_keygen, 0), "pkey_ec_keygen"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_paramgen, 0), "pkey_ec_paramgen"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_ec_sign, 0), "pkey_ec_sign"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_rsa_ctrl, 0), "pkey_rsa_ctrl"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_rsa_decrypt, 0), "pkey_rsa_decrypt"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_rsa_encrypt, 0), "pkey_rsa_encrypt"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_pkey_rsa_sign, 0), "pkey_rsa_sign"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_algor_to_md, 0), "rsa_algor_to_md"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_digest_verify_init_from_algorithm, 0), "rsa_digest_verify_init_from_algorithm"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_item_verify, 0), "rsa_item_verify"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_mgf1_to_md, 0), "rsa_mgf1_to_md"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_priv_decode, 0), "rsa_priv_decode"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_priv_encode, 0), "rsa_priv_encode"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_pss_to_ctx, 0), "rsa_pss_to_ctx"},
- {ERR_PACK(ERR_LIB_EVP, EVP_F_rsa_pub_decode, 0), "rsa_pub_decode"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_BUFFER_TOO_SMALL), "BUFFER_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_COMMAND_NOT_SUPPORTED), "COMMAND_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_CONTEXT_NOT_INITIALISED), "CONTEXT_NOT_INITIALISED"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DECODE_ERROR), "DECODE_ERROR"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_KEY_TYPES), "DIFFERENT_KEY_TYPES"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), "DIFFERENT_PARAMETERS"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED), "DIGEST_AND_KEY_TYPE_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIGEST_DOES_NOT_MATCH), "DIGEST_DOES_NOT_MATCH"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_DSA_KEY), "EXPECTING_AN_DSA_KEY"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_EC_KEY_KEY), "EXPECTING_AN_EC_KEY_KEY"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_AN_RSA_KEY), "EXPECTING_AN_RSA_KEY"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_A_DH_KEY), "EXPECTING_A_DH_KEY"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPECTING_A_DSA_KEY), "EXPECTING_A_DSA_KEY"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_EXPLICIT_EC_PARAMETERS_NOT_SUPPORTED), "EXPLICIT_EC_PARAMETERS_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "ILLEGAL_OR_UNSUPPORTED_PADDING_MODE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_CURVE), "INVALID_CURVE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_DIGEST_LENGTH), "INVALID_DIGEST_LENGTH"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_DIGEST_TYPE), "INVALID_DIGEST_TYPE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_KEYBITS), "INVALID_KEYBITS"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_MGF1_MD), "INVALID_MGF1_MD"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_OPERATION), "INVALID_OPERATION"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_PADDING_MODE), "INVALID_PADDING_MODE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_PSS_PARAMETERS), "INVALID_PSS_PARAMETERS"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_PSS_SALTLEN), "INVALID_PSS_SALTLEN"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_SALT_LENGTH), "INVALID_SALT_LENGTH"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_TRAILER), "INVALID_TRAILER"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KDF_PARAMETER_ERROR), "KDF_PARAMETER_ERROR"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KEYS_NOT_SET), "KEYS_NOT_SET"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_MISSING_PARAMETERS), "MISSING_PARAMETERS"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_DEFAULT_DIGEST), "NO_DEFAULT_DIGEST"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_KEY_SET), "NO_KEY_SET"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_MDC2_SUPPORT), "NO_MDC2_SUPPORT"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_NID_FOR_CURVE), "NO_NID_FOR_CURVE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_OPERATION_SET), "NO_OPERATION_SET"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_NO_PARAMETERS_SET), "NO_PARAMETERS_SET"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED), "OPERATON_NOT_INITIALIZED"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PEER_KEY_ERROR), "PEER_KEY_ERROR"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_SHARED_INFO_ERROR), "SHARED_INFO_ERROR"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "UNKNOWN_DIGEST"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_MASK_DIGEST), "UNKNOWN_MASK_DIGEST"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM), "UNKNOWN_MESSAGE_DIGEST_ALGORITHM"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_PUBLIC_KEY_TYPE), "UNKNOWN_PUBLIC_KEY_TYPE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_SIGNATURE_ALGORITHM), "UNKNOWN_SIGNATURE_ALGORITHM"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_ALGORITHM), "UNSUPPORTED_ALGORITHM"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_MASK_ALGORITHM), "UNSUPPORTED_MASK_ALGORITHM"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_MASK_PARAMETER), "UNSUPPORTED_MASK_PARAMETER"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE), "UNSUPPORTED_PUBLIC_KEY_TYPE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNSUPPORTED_SIGNATURE_TYPE), "UNSUPPORTED_SIGNATURE_TYPE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_PUBLIC_KEY_TYPE), "WRONG_PUBLIC_KEY_TYPE"},
- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_X931_UNSUPPORTED), "X931_UNSUPPORTED"},
- {0, NULL},
-};
diff --git a/src/crypto/evp/evp_extra_test.cc b/src/crypto/evp/evp_extra_test.cc
new file mode 100644
index 0000000..674547d
--- /dev/null
+++ b/src/crypto/evp/evp_extra_test.cc
@@ -0,0 +1,601 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <vector>
+
+#include <openssl/bytestring.h>
+#include <openssl/crypto.h>
+#include <openssl/digest.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+#include "../test/scoped_types.h"
+
+
+// kExampleRSAKeyDER is an RSA private key in ASN.1, DER format. Of course, you
+// should never use this key anywhere but in an example.
+static const uint8_t kExampleRSAKeyDER[] = {
+ 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xf8,
+ 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59,
+ 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37,
+ 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71,
+ 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a,
+ 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4,
+ 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec,
+ 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76,
+ 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8,
+ 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7,
+ 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c,
+ 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01,
+ 0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a, 0x6d, 0xc7,
+ 0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5, 0x32, 0x85,
+ 0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6, 0x5f, 0xee,
+ 0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8, 0x66, 0x85,
+ 0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6, 0xa4, 0x0a,
+ 0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f, 0xc2, 0x15,
+ 0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c, 0x5b, 0x83,
+ 0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78, 0x80, 0x1b,
+ 0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71, 0x99, 0x73,
+ 0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60, 0x1f, 0x99,
+ 0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d, 0xb1, 0x02,
+ 0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3, 0x40, 0x41,
+ 0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d, 0x3d, 0x59,
+ 0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18, 0xc6, 0xd9,
+ 0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d, 0x9f, 0xef,
+ 0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32, 0x46, 0x87,
+ 0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc, 0x2c, 0xdf,
+ 0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63, 0x55, 0xf5,
+ 0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05, 0xcd, 0xb5,
+ 0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16, 0xb3, 0x62,
+ 0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3, 0x9b, 0x64,
+ 0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85, 0xfa, 0xb8,
+ 0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97, 0xe8, 0xba,
+ 0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7, 0xe7, 0xfe,
+ 0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99, 0x75, 0xe7,
+ 0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4, 0x9d, 0xfe,
+ 0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d, 0xf1, 0xdb,
+ 0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40, 0x5a, 0x34,
+ 0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26, 0x84, 0x27,
+ 0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1, 0xe9, 0xc0,
+ 0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c, 0xb9, 0xba,
+ 0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30, 0x10, 0x06,
+ 0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea, 0x52, 0x2c,
+ 0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b, 0xc4, 0x1e,
+ 0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e, 0x49, 0xaf,
+ 0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9, 0xd1, 0x8a,
+ 0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae, 0x17, 0x17,
+ 0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d, 0x08, 0xf1,
+ 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
+};
+
+static const uint8_t kExampleDSAKeyDER[] = {
+ 0x30, 0x82, 0x03, 0x56, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
+ 0x9e, 0x12, 0xfa, 0xb3, 0xde, 0x12, 0x21, 0x35, 0x01, 0xdd, 0x82, 0xaa,
+ 0x10, 0xca, 0x2d, 0x10, 0x1d, 0x2d, 0x4e, 0xbf, 0xef, 0x4d, 0x2a, 0x3f,
+ 0x8d, 0xaa, 0x0f, 0xe0, 0xce, 0xda, 0xd8, 0xd6, 0xaf, 0x85, 0x61, 0x6a,
+ 0xa2, 0xf3, 0x25, 0x2c, 0x0a, 0x2b, 0x5a, 0x6d, 0xb0, 0x9e, 0x6f, 0x14,
+ 0x90, 0x0e, 0x0d, 0xdb, 0x83, 0x11, 0x87, 0x6d, 0xd8, 0xf9, 0x66, 0x95,
+ 0x25, 0xf9, 0x9e, 0xd6, 0x59, 0x49, 0xe1, 0x84, 0xd5, 0x06, 0x47, 0x93,
+ 0x27, 0x11, 0x69, 0xa2, 0x28, 0x68, 0x0b, 0x95, 0xec, 0x12, 0xf5, 0x9a,
+ 0x8e, 0x20, 0xb2, 0x1f, 0x2b, 0x58, 0xeb, 0x2a, 0x20, 0x12, 0xd3, 0x5b,
+ 0xde, 0x2e, 0xe3, 0x51, 0x82, 0x2f, 0xe8, 0xf3, 0x2d, 0x0a, 0x33, 0x05,
+ 0x65, 0xdc, 0xce, 0x5c, 0x67, 0x2b, 0x72, 0x59, 0xc1, 0x4b, 0x24, 0x33,
+ 0xd0, 0xb5, 0xb2, 0xca, 0x2b, 0x2d, 0xb0, 0xab, 0x62, 0x6e, 0x8f, 0x13,
+ 0xf4, 0x7f, 0xe0, 0x34, 0x5d, 0x90, 0x4e, 0x72, 0x94, 0xbb, 0x03, 0x8e,
+ 0x9c, 0xe2, 0x1a, 0x9e, 0x58, 0x0b, 0x83, 0x35, 0x62, 0x78, 0x70, 0x6c,
+ 0xfe, 0x76, 0x84, 0x36, 0xc6, 0x9d, 0xe1, 0x49, 0xcc, 0xff, 0x98, 0xb4,
+ 0xaa, 0xb8, 0xcb, 0x4f, 0x63, 0x85, 0xc9, 0xf1, 0x02, 0xce, 0x59, 0x34,
+ 0x6e, 0xae, 0xef, 0x27, 0xe0, 0xad, 0x22, 0x2d, 0x53, 0xd6, 0xe8, 0x9c,
+ 0xc8, 0xcd, 0xe5, 0x77, 0x6d, 0xd0, 0x00, 0x57, 0xb0, 0x3f, 0x2d, 0x88,
+ 0xab, 0x3c, 0xed, 0xba, 0xfd, 0x7b, 0x58, 0x5f, 0x0b, 0x7f, 0x78, 0x35,
+ 0xe1, 0x7a, 0x37, 0x28, 0xbb, 0xf2, 0x5e, 0xa6, 0x25, 0x72, 0xf2, 0x45,
+ 0xdc, 0x11, 0x1f, 0x3c, 0xe3, 0x9c, 0xb6, 0xff, 0xac, 0xc3, 0x1b, 0x0a,
+ 0x27, 0x90, 0xe7, 0xbd, 0xe9, 0x02, 0x24, 0xea, 0x9b, 0x09, 0x31, 0x53,
+ 0x62, 0xaf, 0x3d, 0x2b, 0x02, 0x21, 0x00, 0xf3, 0x81, 0xdc, 0xf5, 0x3e,
+ 0xbf, 0x72, 0x4f, 0x8b, 0x2e, 0x5c, 0xa8, 0x2c, 0x01, 0x0f, 0xb4, 0xb5,
+ 0xed, 0xa9, 0x35, 0x8d, 0x0f, 0xd8, 0x8e, 0xd2, 0x78, 0x58, 0x94, 0x88,
+ 0xb5, 0x4f, 0xc3, 0x02, 0x82, 0x01, 0x00, 0x0c, 0x40, 0x2a, 0x72, 0x5d,
+ 0xcc, 0x3a, 0x62, 0xe0, 0x2b, 0xf4, 0xcf, 0x43, 0xcd, 0x17, 0xf4, 0xa4,
+ 0x93, 0x59, 0x12, 0x20, 0x22, 0x36, 0x69, 0xcf, 0x41, 0x93, 0xed, 0xab,
+ 0x42, 0x3a, 0xd0, 0x8d, 0xfb, 0x55, 0x2e, 0x30, 0x8a, 0x6a, 0x57, 0xa5,
+ 0xff, 0xbc, 0x7c, 0xd0, 0xfb, 0x20, 0x87, 0xf8, 0x1f, 0x8d, 0xf0, 0xcb,
+ 0x08, 0xab, 0x21, 0x33, 0x28, 0x7d, 0x2b, 0x69, 0x68, 0x71, 0x4a, 0x94,
+ 0xf6, 0x33, 0xc9, 0x40, 0x84, 0x5a, 0x48, 0xa3, 0xe1, 0x67, 0x08, 0xdd,
+ 0xe7, 0x61, 0xcc, 0x6a, 0x8e, 0xab, 0x2d, 0x84, 0xdb, 0x21, 0xb6, 0xea,
+ 0x5b, 0x07, 0x68, 0x14, 0x93, 0xcc, 0x9c, 0x31, 0xfb, 0xc3, 0x68, 0xb2,
+ 0x43, 0xf6, 0xdd, 0xf8, 0xc9, 0x32, 0xa8, 0xb4, 0x03, 0x8f, 0x44, 0xe7,
+ 0xb1, 0x5c, 0xa8, 0x76, 0x34, 0x4a, 0x14, 0x78, 0x59, 0xf2, 0xb4, 0x3b,
+ 0x39, 0x45, 0x86, 0x68, 0xad, 0x5e, 0x0a, 0x1a, 0x9a, 0x66, 0x95, 0x46,
+ 0xdd, 0x28, 0x12, 0xe3, 0xb3, 0x61, 0x7a, 0x0a, 0xef, 0x99, 0xd5, 0x8e,
+ 0x3b, 0xb4, 0xcc, 0x87, 0xfd, 0x94, 0x22, 0x5e, 0x01, 0xd2, 0xdc, 0xc4,
+ 0x69, 0xa7, 0x72, 0x68, 0x14, 0x6c, 0x51, 0x91, 0x8f, 0x18, 0xe8, 0xb4,
+ 0xd7, 0x0a, 0xa1, 0xf0, 0xc7, 0x62, 0x3b, 0xcc, 0x52, 0xcf, 0x37, 0x31,
+ 0xd3, 0x86, 0x41, 0xb2, 0xd2, 0x83, 0x0b, 0x7e, 0xec, 0xb2, 0xf0, 0x95,
+ 0x52, 0xff, 0x13, 0x7d, 0x04, 0x6e, 0x49, 0x4e, 0x7f, 0x33, 0xc3, 0x59,
+ 0x00, 0x02, 0xb1, 0x6d, 0x1b, 0x97, 0xd9, 0x36, 0xfd, 0xa2, 0x8f, 0x90,
+ 0xc3, 0xed, 0x3c, 0xa3, 0x53, 0x38, 0x16, 0x8a, 0xc1, 0x6f, 0x77, 0xc3,
+ 0xc5, 0x7a, 0xdc, 0x2e, 0x8f, 0x7c, 0x6c, 0x22, 0x56, 0xe4, 0x1a, 0x5f,
+ 0x65, 0x45, 0x05, 0x90, 0xdb, 0xb5, 0xbc, 0xf0, 0x6d, 0x66, 0x61, 0x02,
+ 0x82, 0x01, 0x00, 0x31, 0x97, 0x31, 0xa1, 0x4e, 0x38, 0x56, 0x88, 0xdb,
+ 0x94, 0x1d, 0xbf, 0x65, 0x5c, 0xda, 0x4b, 0xc2, 0x10, 0xde, 0x74, 0x20,
+ 0x03, 0xce, 0x13, 0x60, 0xf2, 0x25, 0x1d, 0x55, 0x7c, 0x5d, 0x94, 0x82,
+ 0x54, 0x08, 0x53, 0xdb, 0x85, 0x95, 0xbf, 0xdd, 0x5e, 0x50, 0xd5, 0x96,
+ 0xe0, 0x79, 0x51, 0x1b, 0xbf, 0x4d, 0x4e, 0xb9, 0x3a, 0xc5, 0xee, 0xc4,
+ 0x5e, 0x98, 0x75, 0x7b, 0xbe, 0xff, 0x30, 0xe6, 0xd0, 0x7b, 0xa6, 0xf1,
+ 0xbc, 0x29, 0xea, 0xdf, 0xec, 0xf3, 0x8b, 0xfa, 0x83, 0x11, 0x9f, 0x3f,
+ 0xf0, 0x5d, 0x06, 0x51, 0x32, 0xaa, 0x21, 0xfc, 0x26, 0x17, 0xe7, 0x50,
+ 0xc2, 0x16, 0xba, 0xfa, 0x54, 0xb7, 0x7e, 0x1d, 0x2c, 0xa6, 0xa3, 0x41,
+ 0x66, 0x33, 0x94, 0x83, 0xb9, 0xbf, 0xa0, 0x4f, 0xbd, 0xa6, 0xfd, 0x2c,
+ 0x81, 0x58, 0x35, 0x33, 0x39, 0xc0, 0x6d, 0x33, 0x40, 0x56, 0x64, 0x12,
+ 0x5a, 0xcd, 0x35, 0x53, 0x21, 0x78, 0x8f, 0x27, 0x24, 0x37, 0x66, 0x8a,
+ 0xdf, 0x5e, 0x5f, 0x63, 0xfc, 0x8b, 0x2d, 0xef, 0x57, 0xdb, 0x40, 0x25,
+ 0xd5, 0x17, 0x53, 0x0b, 0xe4, 0xa5, 0xae, 0x54, 0xbf, 0x46, 0x4f, 0xa6,
+ 0x79, 0xc3, 0x74, 0xfa, 0x1f, 0x85, 0x34, 0x64, 0x6d, 0xc5, 0x03, 0xeb,
+ 0x72, 0x98, 0x80, 0x7b, 0xc0, 0x8f, 0x35, 0x11, 0xa7, 0x09, 0xeb, 0x51,
+ 0xe0, 0xb0, 0xac, 0x92, 0x14, 0xf2, 0xad, 0x37, 0x95, 0x5a, 0xba, 0x8c,
+ 0xc4, 0xdb, 0xed, 0xc4, 0x4e, 0x8b, 0x8f, 0x84, 0x33, 0x64, 0xf8, 0x57,
+ 0x12, 0xd7, 0x08, 0x7e, 0x90, 0x66, 0xdf, 0x91, 0x50, 0x23, 0xf2, 0x73,
+ 0xc0, 0x6b, 0xb1, 0x15, 0xdd, 0x64, 0xd7, 0xc9, 0x75, 0x17, 0x73, 0x72,
+ 0xda, 0x33, 0xc4, 0x6f, 0xa5, 0x47, 0xa1, 0xcc, 0xd1, 0xc6, 0x62, 0xe5,
+ 0xca, 0xab, 0x5f, 0x2a, 0x8f, 0x6b, 0xcc, 0x02, 0x21, 0x00, 0xb0, 0xc7,
+ 0x68, 0x70, 0x27, 0x43, 0xbc, 0x51, 0x24, 0x29, 0x93, 0xa9, 0x71, 0xa5,
+ 0x28, 0x89, 0x79, 0x54, 0x44, 0xf7, 0xc6, 0x45, 0x22, 0x03, 0xd0, 0xce,
+ 0x84, 0xfe, 0x61, 0x17, 0xd4, 0x6e,
+};
+
+static const uint8_t kMsg[] = {1, 2, 3, 4};
+
+static const uint8_t kSignature[] = {
+ 0xa5, 0xf0, 0x8a, 0x47, 0x5d, 0x3c, 0xb3, 0xcc, 0xa9, 0x79, 0xaf, 0x4d,
+ 0x8c, 0xae, 0x4c, 0x14, 0xef, 0xc2, 0x0b, 0x34, 0x36, 0xde, 0xf4, 0x3e,
+ 0x3d, 0xbb, 0x4a, 0x60, 0x5c, 0xc8, 0x91, 0x28, 0xda, 0xfb, 0x7e, 0x04,
+ 0x96, 0x7e, 0x63, 0x13, 0x90, 0xce, 0xb9, 0xb4, 0x62, 0x7a, 0xfd, 0x09,
+ 0x3d, 0xc7, 0x67, 0x78, 0x54, 0x04, 0xeb, 0x52, 0x62, 0x6e, 0x24, 0x67,
+ 0xb4, 0x40, 0xfc, 0x57, 0x62, 0xc6, 0xf1, 0x67, 0xc1, 0x97, 0x8f, 0x6a,
+ 0xa8, 0xae, 0x44, 0x46, 0x5e, 0xab, 0x67, 0x17, 0x53, 0x19, 0x3a, 0xda,
+ 0x5a, 0xc8, 0x16, 0x3e, 0x86, 0xd5, 0xc5, 0x71, 0x2f, 0xfc, 0x23, 0x48,
+ 0xd9, 0x0b, 0x13, 0xdd, 0x7b, 0x5a, 0x25, 0x79, 0xef, 0xa5, 0x7b, 0x04,
+ 0xed, 0x44, 0xf6, 0x18, 0x55, 0xe4, 0x0a, 0xe9, 0x57, 0x79, 0x5d, 0xd7,
+ 0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42,
+};
+
+// kExamplePSSCert is an example self-signed certificate, signed with
+// kExampleRSAKeyDER using RSA-PSS with default hash functions.
+static const uint8_t kExamplePSSCert[] = {
+ 0x30, 0x82, 0x02, 0x62, 0x30, 0x82, 0x01, 0xc6, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x09, 0x00, 0x8d, 0xea, 0x53, 0x24, 0xfa, 0x48, 0x87, 0xf3,
+ 0x30, 0x12, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+ 0x0a, 0x30, 0x05, 0xa2, 0x03, 0x02, 0x01, 0x6a, 0x30, 0x45, 0x31, 0x0b,
+ 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31,
+ 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f,
+ 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1f,
+ 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72,
+ 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20,
+ 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64, 0x30, 0x1e, 0x17, 0x0d, 0x31,
+ 0x34, 0x31, 0x30, 0x30, 0x39, 0x31, 0x39, 0x30, 0x39, 0x35, 0x35, 0x5a,
+ 0x17, 0x0d, 0x31, 0x35, 0x31, 0x30, 0x30, 0x39, 0x31, 0x39, 0x30, 0x39,
+ 0x35, 0x35, 0x5a, 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+ 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
+ 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74,
+ 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a,
+ 0x0c, 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57,
+ 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c,
+ 0x74, 0x64, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
+ 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00,
+ 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4,
+ 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d,
+ 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83,
+ 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c,
+ 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf,
+ 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33,
+ 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7,
+ 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77,
+ 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52,
+ 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c,
+ 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64,
+ 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50, 0x30, 0x4e,
+ 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xd0,
+ 0x41, 0xfb, 0x89, 0x41, 0x1e, 0xa7, 0xad, 0x5a, 0xec, 0x34, 0x5d, 0x49,
+ 0x11, 0xf9, 0x55, 0x81, 0x78, 0x1f, 0x13, 0x30, 0x1f, 0x06, 0x03, 0x55,
+ 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xd0, 0x41, 0xfb, 0x89,
+ 0x41, 0x1e, 0xa7, 0xad, 0x5a, 0xec, 0x34, 0x5d, 0x49, 0x11, 0xf9, 0x55,
+ 0x81, 0x78, 0x1f, 0x13, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
+ 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x12, 0x06, 0x09, 0x2a, 0x86,
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x05, 0xa2, 0x03, 0x02,
+ 0x01, 0x6a, 0x03, 0x81, 0x81, 0x00, 0x49, 0x4c, 0xb6, 0x45, 0x97, 0x20,
+ 0x35, 0xb3, 0x50, 0x64, 0x0d, 0x3f, 0xec, 0x5f, 0x95, 0xd5, 0x84, 0xcb,
+ 0x11, 0x7c, 0x03, 0xd7, 0xa6, 0xe6, 0xfa, 0x24, 0x95, 0x9f, 0x31, 0xb0,
+ 0xb5, 0xec, 0x66, 0x41, 0x51, 0x18, 0x21, 0x91, 0xbb, 0xe0, 0xaf, 0xf0,
+ 0xc5, 0xb7, 0x59, 0x41, 0xd4, 0xdb, 0xa4, 0xd2, 0x64, 0xa7, 0x54, 0x0f,
+ 0x8c, 0xf7, 0xe1, 0xd3, 0x3b, 0x1a, 0xb7, 0x0e, 0x9d, 0x9a, 0xde, 0x50,
+ 0xa1, 0x9f, 0x0a, 0xf0, 0xda, 0x34, 0x0e, 0x34, 0x7d, 0x76, 0x07, 0xfe,
+ 0x5a, 0xfb, 0xf9, 0x58, 0x9b, 0xc9, 0x50, 0x84, 0x01, 0xa0, 0x05, 0x4d,
+ 0x67, 0x42, 0x0b, 0xf8, 0xe4, 0x05, 0xcf, 0xaf, 0x8b, 0x71, 0x31, 0xf1,
+ 0x0f, 0x6e, 0xc9, 0x24, 0x27, 0x9b, 0xac, 0x04, 0xd7, 0x64, 0x0d, 0x30,
+ 0x4e, 0x11, 0x93, 0x40, 0x39, 0xbb, 0x72, 0xb2, 0xfe, 0x6b, 0xe4, 0xae,
+ 0x8c, 0x16,
+};
+
+// kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS #8
+// PrivateKeyInfo.
+static const uint8_t kExampleRSAKeyPKCS8[] = {
+ 0x30, 0x82, 0x02, 0x76, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
+ 0x02, 0x60, 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81,
+ 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5,
+ 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e,
+ 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34,
+ 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde,
+ 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8,
+ 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b,
+ 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83,
+ 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48,
+ 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a,
+ 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2,
+ 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01,
+ 0x00, 0x01, 0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a,
+ 0x6d, 0xc7, 0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5,
+ 0x32, 0x85, 0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6,
+ 0x5f, 0xee, 0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8,
+ 0x66, 0x85, 0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6,
+ 0xa4, 0x0a, 0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f,
+ 0xc2, 0x15, 0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c,
+ 0x5b, 0x83, 0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78,
+ 0x80, 0x1b, 0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71,
+ 0x99, 0x73, 0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60,
+ 0x1f, 0x99, 0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d,
+ 0xb1, 0x02, 0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3,
+ 0x40, 0x41, 0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d,
+ 0x3d, 0x59, 0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18,
+ 0xc6, 0xd9, 0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d,
+ 0x9f, 0xef, 0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32,
+ 0x46, 0x87, 0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc,
+ 0x2c, 0xdf, 0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63,
+ 0x55, 0xf5, 0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05,
+ 0xcd, 0xb5, 0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16,
+ 0xb3, 0x62, 0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3,
+ 0x9b, 0x64, 0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85,
+ 0xfa, 0xb8, 0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97,
+ 0xe8, 0xba, 0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7,
+ 0xe7, 0xfe, 0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99,
+ 0x75, 0xe7, 0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4,
+ 0x9d, 0xfe, 0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d,
+ 0xf1, 0xdb, 0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40,
+ 0x5a, 0x34, 0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26,
+ 0x84, 0x27, 0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1,
+ 0xe9, 0xc0, 0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c,
+ 0xb9, 0xba, 0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30,
+ 0x10, 0x06, 0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea,
+ 0x52, 0x2c, 0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b,
+ 0xc4, 0x1e, 0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e,
+ 0x49, 0xaf, 0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9,
+ 0xd1, 0x8a, 0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae,
+ 0x17, 0x17, 0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d,
+ 0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
+};
+
+// kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey
+// structure.
+static const uint8_t kExampleECKeyDER[] = {
+ 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x07, 0x0f, 0x08, 0x72, 0x7a,
+ 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9, 0x4d, 0x89, 0x68, 0x77, 0x08,
+ 0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e, 0xe8, 0xd1, 0xc9, 0xce, 0x0a,
+ 0x8b, 0xb4, 0x6a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+ 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xe6, 0x2b, 0x69,
+ 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c,
+ 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9,
+ 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18,
+ 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16,
+ 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22,
+ 0xc1,
+};
+
+// kExampleBadECKeyDER is a sample EC private key encoded as an ECPrivateKey
+// structure. The private key is equal to the order and will fail to import.
+static const uint8_t kExampleBadECKeyDER[] = {
+ 0x30, 0x66, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48,
+ 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03,
+ 0x01, 0x07, 0x04, 0x4C, 0x30, 0x4A, 0x02, 0x01, 0x01, 0x04, 0x20, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3,
+ 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51, 0xA1, 0x23, 0x03, 0x21, 0x00,
+ 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
+ 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
+};
+
+static ScopedEVP_PKEY LoadExampleRSAKey() {
+ const uint8_t *derp = kExampleRSAKeyDER;
+ ScopedRSA rsa(d2i_RSAPrivateKey(nullptr, &derp, sizeof(kExampleRSAKeyDER)));
+ if (!rsa) {
+ return nullptr;
+ }
+ ScopedEVP_PKEY pkey(EVP_PKEY_new());
+ if (!pkey || !EVP_PKEY_set1_RSA(pkey.get(), rsa.get())) {
+ return nullptr;
+ }
+ return pkey;
+}
+
+static bool TestEVP_DigestSignInit(void) {
+ ScopedEVP_PKEY pkey = LoadExampleRSAKey();
+ ScopedEVP_MD_CTX md_ctx;
+ if (!pkey ||
+ !EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||
+ !EVP_DigestSignUpdate(md_ctx.get(), kMsg, sizeof(kMsg))) {
+ return false;
+ }
+ // Determine the size of the signature.
+ size_t sig_len = 0;
+ if (!EVP_DigestSignFinal(md_ctx.get(), NULL, &sig_len)) {
+ return false;
+ }
+ // Sanity check for testing.
+ if (sig_len != (size_t)EVP_PKEY_size(pkey.get())) {
+ fprintf(stderr, "sig_len mismatch\n");
+ return false;
+ }
+
+ std::vector<uint8_t> sig;
+ sig.resize(sig_len);
+ if (!EVP_DigestSignFinal(md_ctx.get(), bssl::vector_data(&sig), &sig_len)) {
+ return false;
+ }
+ sig.resize(sig_len);
+
+ // Ensure that the signature round-trips.
+ md_ctx.Reset();
+ if (!EVP_DigestVerifyInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||
+ !EVP_DigestVerifyUpdate(md_ctx.get(), kMsg, sizeof(kMsg)) ||
+ !EVP_DigestVerifyFinal(md_ctx.get(), bssl::vector_data(&sig), sig_len)) {
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestEVP_DigestVerifyInit(void) {
+ ScopedEVP_PKEY pkey = LoadExampleRSAKey();
+ ScopedEVP_MD_CTX md_ctx;
+ if (!pkey ||
+ !EVP_DigestVerifyInit(md_ctx.get(), NULL, EVP_sha256(), NULL,
+ pkey.get()) ||
+ !EVP_DigestVerifyUpdate(md_ctx.get(), kMsg, sizeof(kMsg)) ||
+ !EVP_DigestVerifyFinal(md_ctx.get(), kSignature, sizeof(kSignature))) {
+ return false;
+ }
+ return true;
+}
+
+// TestAlgorithmRoundtrip signs a message using an already-initialized
+// |md_ctx|, sampling the AlgorithmIdentifier. It then uses |pkey| and the
+// AlgorithmIdentifier to verify the signature.
+static bool TestAlgorithmRoundtrip(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) {
+ if (!EVP_DigestSignUpdate(md_ctx, kMsg, sizeof(kMsg))) {
+ return false;
+ }
+
+ // Save the algorithm.
+ ScopedX509_ALGOR algor(X509_ALGOR_new());
+ if (!algor || !EVP_DigestSignAlgorithm(md_ctx, algor.get())) {
+ return false;
+ }
+
+ // Determine the size of the signature.
+ size_t sig_len = 0;
+ if (!EVP_DigestSignFinal(md_ctx, NULL, &sig_len)) {
+ return false;
+ }
+ // Sanity check for testing.
+ if (sig_len != (size_t)EVP_PKEY_size(pkey)) {
+ fprintf(stderr, "sig_len mismatch\n");
+ return false;
+ }
+
+ std::vector<uint8_t> sig;
+ sig.resize(sig_len);
+ if (!EVP_DigestSignFinal(md_ctx, bssl::vector_data(&sig), &sig_len)) {
+ return false;
+ }
+ sig.resize(sig_len);
+
+ // Ensure that the signature round-trips.
+ ScopedEVP_MD_CTX md_ctx_verify;
+ if (!EVP_DigestVerifyInitFromAlgorithm(md_ctx_verify.get(), algor.get(),
+ pkey) ||
+ !EVP_DigestVerifyUpdate(md_ctx_verify.get(), kMsg, sizeof(kMsg)) ||
+ !EVP_DigestVerifyFinal(md_ctx_verify.get(), bssl::vector_data(&sig),
+ sig_len)) {
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestEVP_DigestSignAlgorithm(void) {
+ ScopedEVP_PKEY pkey = LoadExampleRSAKey();
+
+ // Test a simple AlgorithmIdentifier.
+ ScopedEVP_MD_CTX md_ctx;
+ if (!pkey ||
+ !EVP_DigestSignInit(md_ctx.get(), NULL, EVP_sha256(), NULL, pkey.get()) ||
+ !TestAlgorithmRoundtrip(md_ctx.get(), pkey.get())) {
+ fprintf(stderr, "RSA with SHA-256 failed\n");
+ return false;
+ }
+
+ // Test RSA-PSS with custom parameters.
+ md_ctx.Reset();
+ EVP_PKEY_CTX *pkey_ctx;
+ if (!EVP_DigestSignInit(md_ctx.get(), &pkey_ctx, EVP_sha256(), NULL,
+ pkey.get()) ||
+ !EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) ||
+ !EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()) ||
+ !TestAlgorithmRoundtrip(md_ctx.get(), pkey.get())) {
+ fprintf(stderr, "RSA-PSS failed\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestEVP_DigestVerifyInitFromAlgorithm(void) {
+ CBS cert, cert_body, tbs_cert, algorithm, signature;
+ CBS_init(&cert, kExamplePSSCert, sizeof(kExamplePSSCert));
+ if (!CBS_get_asn1(&cert, &cert_body, CBS_ASN1_SEQUENCE) ||
+ CBS_len(&cert) != 0 ||
+ !CBS_get_any_asn1_element(&cert_body, &tbs_cert, NULL, NULL) ||
+ !CBS_get_asn1_element(&cert_body, &algorithm, CBS_ASN1_SEQUENCE) ||
+ !CBS_get_asn1(&cert_body, &signature, CBS_ASN1_BITSTRING) ||
+ CBS_len(&cert_body) != 0) {
+ fprintf(stderr, "Failed to parse certificate\n");
+ return false;
+ }
+
+ // Signatures are BIT STRINGs, but they have are multiple of 8 bytes, so the
+ // leading phase byte is just a zero.
+ uint8_t padding;
+ if (!CBS_get_u8(&signature, &padding) || padding != 0) {
+ fprintf(stderr, "Invalid signature padding\n");
+ return false;
+ }
+
+ const uint8_t *derp = CBS_data(&algorithm);
+ ScopedX509_ALGOR algor(d2i_X509_ALGOR(NULL, &derp, CBS_len(&algorithm)));
+ if (!algor || derp != CBS_data(&algorithm) + CBS_len(&algorithm)) {
+ fprintf(stderr, "Failed to parse algorithm\n");
+ return false;
+ }
+
+ ScopedEVP_PKEY pkey = LoadExampleRSAKey();
+ ScopedEVP_MD_CTX md_ctx;
+ if (!pkey ||
+ !EVP_DigestVerifyInitFromAlgorithm(md_ctx.get(), algor.get(),
+ pkey.get()) ||
+ !EVP_DigestVerifyUpdate(md_ctx.get(), CBS_data(&tbs_cert),
+ CBS_len(&tbs_cert)) ||
+ !EVP_DigestVerifyFinal(md_ctx.get(), CBS_data(&signature),
+ CBS_len(&signature))) {
+ return false;
+ }
+ return true;
+}
+
+static bool Testd2i_AutoPrivateKey(const uint8_t *input, size_t input_len,
+ int expected_id) {
+ const uint8_t *p = input;
+ ScopedEVP_PKEY pkey(d2i_AutoPrivateKey(NULL, &p, input_len));
+ if (!pkey || p != input + input_len) {
+ fprintf(stderr, "d2i_AutoPrivateKey failed\n");
+ return false;
+ }
+
+ if (EVP_PKEY_id(pkey.get()) != expected_id) {
+ fprintf(stderr, "Did not decode expected type\n");
+ return false;
+ }
+
+ return true;
+}
+
+// TestEVP_PKCS82PKEY tests loading a bad key in PKCS8 format.
+static bool TestEVP_PKCS82PKEY(void) {
+ const uint8_t *derp = kExampleBadECKeyDER;
+ ScopedPKCS8_PRIV_KEY_INFO p8inf(
+ d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, sizeof(kExampleBadECKeyDER)));
+ if (!p8inf || derp != kExampleBadECKeyDER + sizeof(kExampleBadECKeyDER)) {
+ fprintf(stderr, "Failed to parse key\n");
+ return false;
+ }
+
+ ScopedEVP_PKEY pkey(EVP_PKCS82PKEY(p8inf.get()));
+ if (pkey) {
+ fprintf(stderr, "Imported invalid EC key\n");
+ return false;
+ }
+
+ return true;
+}
+
+int main(void) {
+ CRYPTO_library_init();
+ ERR_load_crypto_strings();
+
+ if (!TestEVP_DigestSignInit()) {
+ fprintf(stderr, "EVP_DigestSignInit failed\n");
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ if (!TestEVP_DigestVerifyInit()) {
+ fprintf(stderr, "EVP_DigestVerifyInit failed\n");
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ if (!TestEVP_DigestSignAlgorithm()) {
+ fprintf(stderr, "EVP_DigestSignInit failed\n");
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ if (!TestEVP_DigestVerifyInitFromAlgorithm()) {
+ fprintf(stderr, "EVP_DigestVerifyInitFromAlgorithm failed\n");
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ if (!Testd2i_AutoPrivateKey(kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER),
+ EVP_PKEY_RSA)) {
+ fprintf(stderr, "d2i_AutoPrivateKey(kExampleRSAKeyDER) failed\n");
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ if (!Testd2i_AutoPrivateKey(kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8),
+ EVP_PKEY_RSA)) {
+ fprintf(stderr, "d2i_AutoPrivateKey(kExampleRSAKeyPKCS8) failed\n");
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ if (!Testd2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER),
+ EVP_PKEY_EC)) {
+ fprintf(stderr, "d2i_AutoPrivateKey(kExampleECKeyDER) failed\n");
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ if (!Testd2i_AutoPrivateKey(kExampleDSAKeyDER, sizeof(kExampleDSAKeyDER),
+ EVP_PKEY_DSA)) {
+ fprintf(stderr, "d2i_AutoPrivateKey(kExampleDSAKeyDER) failed\n");
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ if (!TestEVP_PKCS82PKEY()) {
+ fprintf(stderr, "TestEVP_PKCS82PKEY failed\n");
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/src/crypto/evp/evp_test.c b/src/crypto/evp/evp_test.c
deleted file mode 100644
index 3e74cd5..0000000
--- a/src/crypto/evp/evp_test.c
+++ /dev/null
@@ -1,639 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <openssl/bio.h>
-#include <openssl/bytestring.h>
-#include <openssl/crypto.h>
-#include <openssl/digest.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-#include <openssl/x509.h>
-
-
-/* kExampleRSAKeyDER is an RSA private key in ASN.1, DER format. Of course, you
- * should never use this key anywhere but in an example. */
-static const uint8_t kExampleRSAKeyDER[] = {
- 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xf8,
- 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59,
- 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37,
- 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71,
- 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a,
- 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4,
- 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec,
- 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76,
- 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8,
- 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7,
- 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c,
- 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01,
- 0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a, 0x6d, 0xc7,
- 0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5, 0x32, 0x85,
- 0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6, 0x5f, 0xee,
- 0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8, 0x66, 0x85,
- 0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6, 0xa4, 0x0a,
- 0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f, 0xc2, 0x15,
- 0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c, 0x5b, 0x83,
- 0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78, 0x80, 0x1b,
- 0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71, 0x99, 0x73,
- 0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60, 0x1f, 0x99,
- 0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d, 0xb1, 0x02,
- 0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3, 0x40, 0x41,
- 0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d, 0x3d, 0x59,
- 0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18, 0xc6, 0xd9,
- 0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d, 0x9f, 0xef,
- 0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32, 0x46, 0x87,
- 0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc, 0x2c, 0xdf,
- 0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63, 0x55, 0xf5,
- 0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05, 0xcd, 0xb5,
- 0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16, 0xb3, 0x62,
- 0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3, 0x9b, 0x64,
- 0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85, 0xfa, 0xb8,
- 0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97, 0xe8, 0xba,
- 0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7, 0xe7, 0xfe,
- 0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99, 0x75, 0xe7,
- 0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4, 0x9d, 0xfe,
- 0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d, 0xf1, 0xdb,
- 0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40, 0x5a, 0x34,
- 0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26, 0x84, 0x27,
- 0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1, 0xe9, 0xc0,
- 0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c, 0xb9, 0xba,
- 0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30, 0x10, 0x06,
- 0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea, 0x52, 0x2c,
- 0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b, 0xc4, 0x1e,
- 0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e, 0x49, 0xaf,
- 0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9, 0xd1, 0x8a,
- 0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae, 0x17, 0x17,
- 0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d, 0x08, 0xf1,
- 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
-};
-
-static const uint8_t kMsg[] = {1, 2, 3, 4};
-
-static const uint8_t kSignature[] = {
- 0xa5, 0xf0, 0x8a, 0x47, 0x5d, 0x3c, 0xb3, 0xcc, 0xa9, 0x79, 0xaf, 0x4d,
- 0x8c, 0xae, 0x4c, 0x14, 0xef, 0xc2, 0x0b, 0x34, 0x36, 0xde, 0xf4, 0x3e,
- 0x3d, 0xbb, 0x4a, 0x60, 0x5c, 0xc8, 0x91, 0x28, 0xda, 0xfb, 0x7e, 0x04,
- 0x96, 0x7e, 0x63, 0x13, 0x90, 0xce, 0xb9, 0xb4, 0x62, 0x7a, 0xfd, 0x09,
- 0x3d, 0xc7, 0x67, 0x78, 0x54, 0x04, 0xeb, 0x52, 0x62, 0x6e, 0x24, 0x67,
- 0xb4, 0x40, 0xfc, 0x57, 0x62, 0xc6, 0xf1, 0x67, 0xc1, 0x97, 0x8f, 0x6a,
- 0xa8, 0xae, 0x44, 0x46, 0x5e, 0xab, 0x67, 0x17, 0x53, 0x19, 0x3a, 0xda,
- 0x5a, 0xc8, 0x16, 0x3e, 0x86, 0xd5, 0xc5, 0x71, 0x2f, 0xfc, 0x23, 0x48,
- 0xd9, 0x0b, 0x13, 0xdd, 0x7b, 0x5a, 0x25, 0x79, 0xef, 0xa5, 0x7b, 0x04,
- 0xed, 0x44, 0xf6, 0x18, 0x55, 0xe4, 0x0a, 0xe9, 0x57, 0x79, 0x5d, 0xd7,
- 0x55, 0xa7, 0xab, 0x45, 0x02, 0x97, 0x60, 0x42,
-};
-
-/* kExamplePSSCert is an example self-signed certificate, signed with
- * kExampleRSAKeyDER using RSA-PSS with default hash functions. */
-static const uint8_t kExamplePSSCert[] = {
- 0x30, 0x82, 0x02, 0x62, 0x30, 0x82, 0x01, 0xc6, 0xa0, 0x03, 0x02, 0x01,
- 0x02, 0x02, 0x09, 0x00, 0x8d, 0xea, 0x53, 0x24, 0xfa, 0x48, 0x87, 0xf3,
- 0x30, 0x12, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
- 0x0a, 0x30, 0x05, 0xa2, 0x03, 0x02, 0x01, 0x6a, 0x30, 0x45, 0x31, 0x0b,
- 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31,
- 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f,
- 0x6d, 0x65, 0x2d, 0x53, 0x74, 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1f,
- 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72,
- 0x6e, 0x65, 0x74, 0x20, 0x57, 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20,
- 0x50, 0x74, 0x79, 0x20, 0x4c, 0x74, 0x64, 0x30, 0x1e, 0x17, 0x0d, 0x31,
- 0x34, 0x31, 0x30, 0x30, 0x39, 0x31, 0x39, 0x30, 0x39, 0x35, 0x35, 0x5a,
- 0x17, 0x0d, 0x31, 0x35, 0x31, 0x30, 0x30, 0x39, 0x31, 0x39, 0x30, 0x39,
- 0x35, 0x35, 0x5a, 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
- 0x04, 0x06, 0x13, 0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
- 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x53, 0x6f, 0x6d, 0x65, 0x2d, 0x53, 0x74,
- 0x61, 0x74, 0x65, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0a,
- 0x0c, 0x18, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x20, 0x57,
- 0x69, 0x64, 0x67, 0x69, 0x74, 0x73, 0x20, 0x50, 0x74, 0x79, 0x20, 0x4c,
- 0x74, 0x64, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
- 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00,
- 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4,
- 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5, 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d,
- 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e, 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83,
- 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34, 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c,
- 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde, 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf,
- 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8, 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33,
- 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b, 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7,
- 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83, 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77,
- 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48, 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52,
- 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a, 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c,
- 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2, 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64,
- 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50, 0x30, 0x4e,
- 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xd0,
- 0x41, 0xfb, 0x89, 0x41, 0x1e, 0xa7, 0xad, 0x5a, 0xec, 0x34, 0x5d, 0x49,
- 0x11, 0xf9, 0x55, 0x81, 0x78, 0x1f, 0x13, 0x30, 0x1f, 0x06, 0x03, 0x55,
- 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xd0, 0x41, 0xfb, 0x89,
- 0x41, 0x1e, 0xa7, 0xad, 0x5a, 0xec, 0x34, 0x5d, 0x49, 0x11, 0xf9, 0x55,
- 0x81, 0x78, 0x1f, 0x13, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04,
- 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x12, 0x06, 0x09, 0x2a, 0x86,
- 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0a, 0x30, 0x05, 0xa2, 0x03, 0x02,
- 0x01, 0x6a, 0x03, 0x81, 0x81, 0x00, 0x49, 0x4c, 0xb6, 0x45, 0x97, 0x20,
- 0x35, 0xb3, 0x50, 0x64, 0x0d, 0x3f, 0xec, 0x5f, 0x95, 0xd5, 0x84, 0xcb,
- 0x11, 0x7c, 0x03, 0xd7, 0xa6, 0xe6, 0xfa, 0x24, 0x95, 0x9f, 0x31, 0xb0,
- 0xb5, 0xec, 0x66, 0x41, 0x51, 0x18, 0x21, 0x91, 0xbb, 0xe0, 0xaf, 0xf0,
- 0xc5, 0xb7, 0x59, 0x41, 0xd4, 0xdb, 0xa4, 0xd2, 0x64, 0xa7, 0x54, 0x0f,
- 0x8c, 0xf7, 0xe1, 0xd3, 0x3b, 0x1a, 0xb7, 0x0e, 0x9d, 0x9a, 0xde, 0x50,
- 0xa1, 0x9f, 0x0a, 0xf0, 0xda, 0x34, 0x0e, 0x34, 0x7d, 0x76, 0x07, 0xfe,
- 0x5a, 0xfb, 0xf9, 0x58, 0x9b, 0xc9, 0x50, 0x84, 0x01, 0xa0, 0x05, 0x4d,
- 0x67, 0x42, 0x0b, 0xf8, 0xe4, 0x05, 0xcf, 0xaf, 0x8b, 0x71, 0x31, 0xf1,
- 0x0f, 0x6e, 0xc9, 0x24, 0x27, 0x9b, 0xac, 0x04, 0xd7, 0x64, 0x0d, 0x30,
- 0x4e, 0x11, 0x93, 0x40, 0x39, 0xbb, 0x72, 0xb2, 0xfe, 0x6b, 0xe4, 0xae,
- 0x8c, 0x16,
-};
-
-/* kExampleRSAKeyPKCS8 is kExampleRSAKeyDER encoded in a PKCS #8
- * PrivateKeyInfo. */
-static const uint8_t kExampleRSAKeyPKCS8[] = {
- 0x30, 0x82, 0x02, 0x76, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
- 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
- 0x02, 0x60, 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81,
- 0x00, 0xf8, 0xb8, 0x6c, 0x83, 0xb4, 0xbc, 0xd9, 0xa8, 0x57, 0xc0, 0xa5,
- 0xb4, 0x59, 0x76, 0x8c, 0x54, 0x1d, 0x79, 0xeb, 0x22, 0x52, 0x04, 0x7e,
- 0xd3, 0x37, 0xeb, 0x41, 0xfd, 0x83, 0xf9, 0xf0, 0xa6, 0x85, 0x15, 0x34,
- 0x75, 0x71, 0x5a, 0x84, 0xa8, 0x3c, 0xd2, 0xef, 0x5a, 0x4e, 0xd3, 0xde,
- 0x97, 0x8a, 0xdd, 0xff, 0xbb, 0xcf, 0x0a, 0xaa, 0x86, 0x92, 0xbe, 0xb8,
- 0x50, 0xe4, 0xcd, 0x6f, 0x80, 0x33, 0x30, 0x76, 0x13, 0x8f, 0xca, 0x7b,
- 0xdc, 0xec, 0x5a, 0xca, 0x63, 0xc7, 0x03, 0x25, 0xef, 0xa8, 0x8a, 0x83,
- 0x58, 0x76, 0x20, 0xfa, 0x16, 0x77, 0xd7, 0x79, 0x92, 0x63, 0x01, 0x48,
- 0x1a, 0xd8, 0x7b, 0x67, 0xf1, 0x52, 0x55, 0x49, 0x4e, 0xd6, 0x6e, 0x4a,
- 0x5c, 0xd7, 0x7a, 0x37, 0x36, 0x0c, 0xde, 0xdd, 0x8f, 0x44, 0xe8, 0xc2,
- 0xa7, 0x2c, 0x2b, 0xb5, 0xaf, 0x64, 0x4b, 0x61, 0x07, 0x02, 0x03, 0x01,
- 0x00, 0x01, 0x02, 0x81, 0x80, 0x74, 0x88, 0x64, 0x3f, 0x69, 0x45, 0x3a,
- 0x6d, 0xc7, 0x7f, 0xb9, 0xa3, 0xc0, 0x6e, 0xec, 0xdc, 0xd4, 0x5a, 0xb5,
- 0x32, 0x85, 0x5f, 0x19, 0xd4, 0xf8, 0xd4, 0x3f, 0x3c, 0xfa, 0xc2, 0xf6,
- 0x5f, 0xee, 0xe6, 0xba, 0x87, 0x74, 0x2e, 0xc7, 0x0c, 0xd4, 0x42, 0xb8,
- 0x66, 0x85, 0x9c, 0x7b, 0x24, 0x61, 0xaa, 0x16, 0x11, 0xf6, 0xb5, 0xb6,
- 0xa4, 0x0a, 0xc9, 0x55, 0x2e, 0x81, 0xa5, 0x47, 0x61, 0xcb, 0x25, 0x8f,
- 0xc2, 0x15, 0x7b, 0x0e, 0x7c, 0x36, 0x9f, 0x3a, 0xda, 0x58, 0x86, 0x1c,
- 0x5b, 0x83, 0x79, 0xe6, 0x2b, 0xcc, 0xe6, 0xfa, 0x2c, 0x61, 0xf2, 0x78,
- 0x80, 0x1b, 0xe2, 0xf3, 0x9d, 0x39, 0x2b, 0x65, 0x57, 0x91, 0x3d, 0x71,
- 0x99, 0x73, 0xa5, 0xc2, 0x79, 0x20, 0x8c, 0x07, 0x4f, 0xe5, 0xb4, 0x60,
- 0x1f, 0x99, 0xa2, 0xb1, 0x4f, 0x0c, 0xef, 0xbc, 0x59, 0x53, 0x00, 0x7d,
- 0xb1, 0x02, 0x41, 0x00, 0xfc, 0x7e, 0x23, 0x65, 0x70, 0xf8, 0xce, 0xd3,
- 0x40, 0x41, 0x80, 0x6a, 0x1d, 0x01, 0xd6, 0x01, 0xff, 0xb6, 0x1b, 0x3d,
- 0x3d, 0x59, 0x09, 0x33, 0x79, 0xc0, 0x4f, 0xde, 0x96, 0x27, 0x4b, 0x18,
- 0xc6, 0xd9, 0x78, 0xf1, 0xf4, 0x35, 0x46, 0xe9, 0x7c, 0x42, 0x7a, 0x5d,
- 0x9f, 0xef, 0x54, 0xb8, 0xf7, 0x9f, 0xc4, 0x33, 0x6c, 0xf3, 0x8c, 0x32,
- 0x46, 0x87, 0x67, 0x30, 0x7b, 0xa7, 0xac, 0xe3, 0x02, 0x41, 0x00, 0xfc,
- 0x2c, 0xdf, 0x0c, 0x0d, 0x88, 0xf5, 0xb1, 0x92, 0xa8, 0x93, 0x47, 0x63,
- 0x55, 0xf5, 0xca, 0x58, 0x43, 0xba, 0x1c, 0xe5, 0x9e, 0xb6, 0x95, 0x05,
- 0xcd, 0xb5, 0x82, 0xdf, 0xeb, 0x04, 0x53, 0x9d, 0xbd, 0xc2, 0x38, 0x16,
- 0xb3, 0x62, 0xdd, 0xa1, 0x46, 0xdb, 0x6d, 0x97, 0x93, 0x9f, 0x8a, 0xc3,
- 0x9b, 0x64, 0x7e, 0x42, 0xe3, 0x32, 0x57, 0x19, 0x1b, 0xd5, 0x6e, 0x85,
- 0xfa, 0xb8, 0x8d, 0x02, 0x41, 0x00, 0xbc, 0x3d, 0xde, 0x6d, 0xd6, 0x97,
- 0xe8, 0xba, 0x9e, 0x81, 0x37, 0x17, 0xe5, 0xa0, 0x64, 0xc9, 0x00, 0xb7,
- 0xe7, 0xfe, 0xf4, 0x29, 0xd9, 0x2e, 0x43, 0x6b, 0x19, 0x20, 0xbd, 0x99,
- 0x75, 0xe7, 0x76, 0xf8, 0xd3, 0xae, 0xaf, 0x7e, 0xb8, 0xeb, 0x81, 0xf4,
- 0x9d, 0xfe, 0x07, 0x2b, 0x0b, 0x63, 0x0b, 0x5a, 0x55, 0x90, 0x71, 0x7d,
- 0xf1, 0xdb, 0xd9, 0xb1, 0x41, 0x41, 0x68, 0x2f, 0x4e, 0x39, 0x02, 0x40,
- 0x5a, 0x34, 0x66, 0xd8, 0xf5, 0xe2, 0x7f, 0x18, 0xb5, 0x00, 0x6e, 0x26,
- 0x84, 0x27, 0x14, 0x93, 0xfb, 0xfc, 0xc6, 0x0f, 0x5e, 0x27, 0xe6, 0xe1,
- 0xe9, 0xc0, 0x8a, 0xe4, 0x34, 0xda, 0xe9, 0xa2, 0x4b, 0x73, 0xbc, 0x8c,
- 0xb9, 0xba, 0x13, 0x6c, 0x7a, 0x2b, 0x51, 0x84, 0xa3, 0x4a, 0xe0, 0x30,
- 0x10, 0x06, 0x7e, 0xed, 0x17, 0x5a, 0x14, 0x00, 0xc9, 0xef, 0x85, 0xea,
- 0x52, 0x2c, 0xbc, 0x65, 0x02, 0x40, 0x51, 0xe3, 0xf2, 0x83, 0x19, 0x9b,
- 0xc4, 0x1e, 0x2f, 0x50, 0x3d, 0xdf, 0x5a, 0xa2, 0x18, 0xca, 0x5f, 0x2e,
- 0x49, 0xaf, 0x6f, 0xcc, 0xfa, 0x65, 0x77, 0x94, 0xb5, 0xa1, 0x0a, 0xa9,
- 0xd1, 0x8a, 0x39, 0x37, 0xf4, 0x0b, 0xa0, 0xd7, 0x82, 0x27, 0x5e, 0xae,
- 0x17, 0x17, 0xa1, 0x1e, 0x54, 0x34, 0xbf, 0x6e, 0xc4, 0x8e, 0x99, 0x5d,
- 0x08, 0xf1, 0x2d, 0x86, 0x9d, 0xa5, 0x20, 0x1b, 0xe5, 0xdf,
-};
-
-/* kExampleECKeyDER is a sample EC private key encoded as an ECPrivateKey
- * structure. */
-static const uint8_t kExampleECKeyDER[] = {
- 0x30, 0x77, 0x02, 0x01, 0x01, 0x04, 0x20, 0x07, 0x0f, 0x08, 0x72, 0x7a,
- 0xd4, 0xa0, 0x4a, 0x9c, 0xdd, 0x59, 0xc9, 0x4d, 0x89, 0x68, 0x77, 0x08,
- 0xb5, 0x6f, 0xc9, 0x5d, 0x30, 0x77, 0x0e, 0xe8, 0xd1, 0xc9, 0xce, 0x0a,
- 0x8b, 0xb4, 0x6a, 0xa0, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
- 0x03, 0x01, 0x07, 0xa1, 0x44, 0x03, 0x42, 0x00, 0x04, 0xe6, 0x2b, 0x69,
- 0xe2, 0xbf, 0x65, 0x9f, 0x97, 0xbe, 0x2f, 0x1e, 0x0d, 0x94, 0x8a, 0x4c,
- 0xd5, 0x97, 0x6b, 0xb7, 0xa9, 0x1e, 0x0d, 0x46, 0xfb, 0xdd, 0xa9, 0xa9,
- 0x1e, 0x9d, 0xdc, 0xba, 0x5a, 0x01, 0xe7, 0xd6, 0x97, 0xa8, 0x0a, 0x18,
- 0xf9, 0xc3, 0xc4, 0xa3, 0x1e, 0x56, 0xe2, 0x7c, 0x83, 0x48, 0xdb, 0x16,
- 0x1a, 0x1c, 0xf5, 0x1d, 0x7e, 0xf1, 0x94, 0x2d, 0x4b, 0xcf, 0x72, 0x22,
- 0xc1,
-};
-
-/* kExampleBadECKeyDER is a sample EC private key encoded as an ECPrivateKey
- * structure. The private key is equal to the order and will fail to import */
-static const uint8_t kExampleBadECKeyDER[] = {
- 0x30, 0x66, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48,
- 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03,
- 0x01, 0x07, 0x04, 0x4C, 0x30, 0x4A, 0x02, 0x01, 0x01, 0x04, 0x20, 0xFF,
- 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3,
- 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51, 0xA1, 0x23, 0x03, 0x21, 0x00,
- 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
- 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84,
- 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51
-};
-
-static EVP_PKEY *load_example_rsa_key(void) {
- EVP_PKEY *ret = NULL;
- const uint8_t *derp = kExampleRSAKeyDER;
- EVP_PKEY *pkey = NULL;
- RSA *rsa = NULL;
-
- if (!d2i_RSAPrivateKey(&rsa, &derp, sizeof(kExampleRSAKeyDER))) {
- return NULL;
- }
-
- pkey = EVP_PKEY_new();
- if (pkey == NULL || !EVP_PKEY_set1_RSA(pkey, rsa)) {
- goto out;
- }
-
- ret = pkey;
- pkey = NULL;
-
-out:
- if (pkey) {
- EVP_PKEY_free(pkey);
- }
- if (rsa) {
- RSA_free(rsa);
- }
-
- return ret;
-}
-
-static int test_EVP_DigestSignInit(void) {
- int ret = 0;
- EVP_PKEY *pkey = NULL;
- uint8_t *sig = NULL;
- size_t sig_len = 0;
- EVP_MD_CTX md_ctx, md_ctx_verify;
-
- EVP_MD_CTX_init(&md_ctx);
- EVP_MD_CTX_init(&md_ctx_verify);
-
- pkey = load_example_rsa_key();
- if (pkey == NULL ||
- !EVP_DigestSignInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
- !EVP_DigestSignUpdate(&md_ctx, kMsg, sizeof(kMsg))) {
- goto out;
- }
- /* Determine the size of the signature. */
- if (!EVP_DigestSignFinal(&md_ctx, NULL, &sig_len)) {
- goto out;
- }
- /* Sanity check for testing. */
- if (sig_len != EVP_PKEY_size(pkey)) {
- fprintf(stderr, "sig_len mismatch\n");
- goto out;
- }
-
- sig = malloc(sig_len);
- if (sig == NULL || !EVP_DigestSignFinal(&md_ctx, sig, &sig_len)) {
- goto out;
- }
-
- /* Ensure that the signature round-trips. */
- if (!EVP_DigestVerifyInit(&md_ctx_verify, NULL, EVP_sha256(), NULL, pkey) ||
- !EVP_DigestVerifyUpdate(&md_ctx_verify, kMsg, sizeof(kMsg)) ||
- !EVP_DigestVerifyFinal(&md_ctx_verify, sig, sig_len)) {
- goto out;
- }
-
- ret = 1;
-
-out:
- if (!ret) {
- BIO_print_errors_fp(stderr);
- }
-
- EVP_MD_CTX_cleanup(&md_ctx);
- EVP_MD_CTX_cleanup(&md_ctx_verify);
- if (pkey) {
- EVP_PKEY_free(pkey);
- }
- if (sig) {
- free(sig);
- }
-
- return ret;
-}
-
-static int test_EVP_DigestVerifyInit(void) {
- int ret = 0;
- EVP_PKEY *pkey = NULL;
- EVP_MD_CTX md_ctx;
-
- EVP_MD_CTX_init(&md_ctx);
-
- pkey = load_example_rsa_key();
- if (pkey == NULL ||
- !EVP_DigestVerifyInit(&md_ctx, NULL, EVP_sha256(), NULL, pkey) ||
- !EVP_DigestVerifyUpdate(&md_ctx, kMsg, sizeof(kMsg)) ||
- !EVP_DigestVerifyFinal(&md_ctx, kSignature, sizeof(kSignature))) {
- goto out;
- }
- ret = 1;
-
-out:
- if (!ret) {
- BIO_print_errors_fp(stderr);
- }
-
- EVP_MD_CTX_cleanup(&md_ctx);
- if (pkey) {
- EVP_PKEY_free(pkey);
- }
-
- return ret;
-}
-
-/* test_algorithm_roundtrip signs a message using an already-initialized
- * |md_ctx|, sampling the AlgorithmIdentifier. It then uses |pkey| and the
- * AlgorithmIdentifier to verify the signature. */
-static int test_algorithm_roundtrip(EVP_MD_CTX *md_ctx, EVP_PKEY *pkey) {
- int ret = 0;
- uint8_t *sig = NULL;
- size_t sig_len = 0;
- EVP_MD_CTX md_ctx_verify;
- X509_ALGOR *algor = NULL;
-
- EVP_MD_CTX_init(&md_ctx_verify);
-
- if (!EVP_DigestSignUpdate(md_ctx, kMsg, sizeof(kMsg))) {
- goto out;
- }
-
- /* Save the algorithm. */
- algor = X509_ALGOR_new();
- if (algor == NULL || !EVP_DigestSignAlgorithm(md_ctx, algor)) {
- goto out;
- }
-
- /* Determine the size of the signature. */
- if (!EVP_DigestSignFinal(md_ctx, NULL, &sig_len)) {
- goto out;
- }
- /* Sanity check for testing. */
- if (sig_len != EVP_PKEY_size(pkey)) {
- fprintf(stderr, "sig_len mismatch\n");
- goto out;
- }
-
- sig = malloc(sig_len);
- if (sig == NULL || !EVP_DigestSignFinal(md_ctx, sig, &sig_len)) {
- goto out;
- }
-
- /* Ensure that the signature round-trips. */
- if (!EVP_DigestVerifyInitFromAlgorithm(&md_ctx_verify, algor, pkey) ||
- !EVP_DigestVerifyUpdate(&md_ctx_verify, kMsg, sizeof(kMsg)) ||
- !EVP_DigestVerifyFinal(&md_ctx_verify, sig, sig_len)) {
- goto out;
- }
-
- ret = 1;
-
-out:
- EVP_MD_CTX_cleanup(&md_ctx_verify);
- if (sig) {
- free(sig);
- }
- if (algor) {
- X509_ALGOR_free(algor);
- }
-
- return ret;
-}
-
-static int test_EVP_DigestSignAlgorithm(void) {
- int ret = 0;
- EVP_PKEY *pkey = NULL;
- EVP_MD_CTX md_ctx;
- EVP_PKEY_CTX *pkey_ctx;
-
- EVP_MD_CTX_init(&md_ctx);
-
- pkey = load_example_rsa_key();
- if (pkey == NULL) {
- goto out;
- }
-
- /* Test a simple AlgorithmIdentifier. */
- if (!EVP_DigestSignInit(&md_ctx, &pkey_ctx, EVP_sha256(), NULL, pkey) ||
- !test_algorithm_roundtrip(&md_ctx, pkey)) {
- fprintf(stderr, "RSA with SHA-256 failed\n");
- goto out;
- }
-
- EVP_MD_CTX_cleanup(&md_ctx);
- EVP_MD_CTX_init(&md_ctx);
-
- /* Test RSA-PSS with custom parameters. */
- if (!EVP_DigestSignInit(&md_ctx, &pkey_ctx, EVP_sha256(), NULL, pkey) ||
- EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING) != 1 ||
- EVP_PKEY_CTX_set_rsa_mgf1_md(pkey_ctx, EVP_sha512()) != 1 ||
- !test_algorithm_roundtrip(&md_ctx, pkey)) {
- fprintf(stderr, "RSA-PSS failed\n");
- goto out;
- }
-
- ret = 1;
-
-out:
- if (!ret) {
- BIO_print_errors_fp(stderr);
- }
-
- EVP_MD_CTX_cleanup(&md_ctx);
- if (pkey) {
- EVP_PKEY_free(pkey);
- }
-
- return ret;
-}
-
-static int test_EVP_DigestVerifyInitFromAlgorithm(void) {
- int ret = 0;
- CBS cert, cert_body, tbs_cert, algorithm, signature;
- uint8_t padding;
- X509_ALGOR *algor = NULL;
- const uint8_t *derp;
- EVP_PKEY *pkey = NULL;
- EVP_MD_CTX md_ctx;
-
- EVP_MD_CTX_init(&md_ctx);
-
- CBS_init(&cert, kExamplePSSCert, sizeof(kExamplePSSCert));
- if (!CBS_get_asn1(&cert, &cert_body, CBS_ASN1_SEQUENCE) ||
- CBS_len(&cert) != 0 ||
- !CBS_get_any_asn1_element(&cert_body, &tbs_cert, NULL, NULL) ||
- !CBS_get_asn1_element(&cert_body, &algorithm, CBS_ASN1_SEQUENCE) ||
- !CBS_get_asn1(&cert_body, &signature, CBS_ASN1_BITSTRING) ||
- CBS_len(&cert_body) != 0) {
- fprintf(stderr, "Failed to parse certificate\n");
- goto out;
- }
-
- /* Signatures are BIT STRINGs, but they have are multiple of 8 bytes, so the
- leading phase byte is just a zero. */
- if (!CBS_get_u8(&signature, &padding) || padding != 0) {
- fprintf(stderr, "Invalid signature padding\n");
- goto out;
- }
-
- derp = CBS_data(&algorithm);
- if (!d2i_X509_ALGOR(&algor, &derp, CBS_len(&algorithm)) ||
- derp != CBS_data(&algorithm) + CBS_len(&algorithm)) {
- fprintf(stderr, "Failed to parse algorithm\n");
- }
-
- pkey = load_example_rsa_key();
- if (pkey == NULL ||
- !EVP_DigestVerifyInitFromAlgorithm(&md_ctx, algor, pkey) ||
- !EVP_DigestVerifyUpdate(&md_ctx, CBS_data(&tbs_cert),
- CBS_len(&tbs_cert)) ||
- !EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature),
- CBS_len(&signature))) {
- goto out;
- }
- ret = 1;
-
-out:
- if (!ret) {
- BIO_print_errors_fp(stderr);
- }
-
- EVP_MD_CTX_cleanup(&md_ctx);
- if (pkey) {
- EVP_PKEY_free(pkey);
- }
-
- return ret;
-}
-
-static int test_d2i_AutoPrivateKey(const uint8_t *input, size_t input_len,
- int expected_id) {
- int ret = 0;
- const uint8_t *p;
- EVP_PKEY *pkey = NULL;
-
- p = input;
- pkey = d2i_AutoPrivateKey(NULL, &p, input_len);
- if (pkey == NULL || p != input + input_len) {
- fprintf(stderr, "d2i_AutoPrivateKey failed\n");
- goto done;
- }
-
- if (EVP_PKEY_id(pkey) != expected_id) {
- fprintf(stderr, "Did not decode expected type\n");
- goto done;
- }
-
- ret = 1;
-
-done:
- if (!ret) {
- BIO_print_errors_fp(stderr);
- }
-
- if (pkey != NULL) {
- EVP_PKEY_free(pkey);
- }
- return ret;
-}
-
-/* Tests loading a bad key in PKCS8 format */
-static int test_EVP_PKCS82PKEY(void) {
- int ret = 0;
- const uint8_t *derp = kExampleBadECKeyDER;
- PKCS8_PRIV_KEY_INFO *p8inf = NULL;
- EVP_PKEY *pkey = NULL;
-
- p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, sizeof(kExampleBadECKeyDER));
-
- if (!p8inf || derp != kExampleBadECKeyDER + sizeof(kExampleBadECKeyDER)) {
- fprintf(stderr, "Failed to parse key\n");
- goto done;
- }
-
- pkey = EVP_PKCS82PKEY(p8inf);
- if (pkey) {
- fprintf(stderr, "Imported invalid EC key\n");
- goto done;
- }
-
- ret = 1;
-
-done:
- if (p8inf != NULL) {
- PKCS8_PRIV_KEY_INFO_free(p8inf);
- }
-
- if (pkey != NULL) {
- EVP_PKEY_free(pkey);
- }
-
- return ret;
-}
-
-int main(void) {
- CRYPTO_library_init();
- ERR_load_crypto_strings();
-
- if (!test_EVP_DigestSignInit()) {
- fprintf(stderr, "EVP_DigestSignInit failed\n");
- return 1;
- }
-
- if (!test_EVP_DigestVerifyInit()) {
- fprintf(stderr, "EVP_DigestVerifyInit failed\n");
- return 1;
- }
-
- if (!test_EVP_DigestSignAlgorithm()) {
- fprintf(stderr, "EVP_DigestSignInit failed\n");
- return 1;
- }
-
- if (!test_EVP_DigestVerifyInitFromAlgorithm()) {
- fprintf(stderr, "EVP_DigestVerifyInitFromAlgorithm failed\n");
- return 1;
- }
-
- if (!test_d2i_AutoPrivateKey(kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER),
- EVP_PKEY_RSA)) {
- fprintf(stderr, "d2i_AutoPrivateKey(kExampleRSAKeyDER) failed\n");
- return 1;
- }
-
- if (!test_d2i_AutoPrivateKey(kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8),
- EVP_PKEY_RSA)) {
- fprintf(stderr, "d2i_AutoPrivateKey(kExampleRSAKeyPKCS8) failed\n");
- return 1;
- }
-
- if (!test_d2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER),
- EVP_PKEY_EC)) {
- fprintf(stderr, "d2i_AutoPrivateKey(kExampleECKeyDER) failed\n");
- return 1;
- }
-
- if (!test_EVP_PKCS82PKEY()) {
- fprintf(stderr, "test_EVP_PKCS82PKEY failed\n");
- return 1;
- }
-
- printf("PASS\n");
- return 0;
-}
diff --git a/src/crypto/evp/evp_test.cc b/src/crypto/evp/evp_test.cc
new file mode 100644
index 0000000..239f868
--- /dev/null
+++ b/src/crypto/evp/evp_test.cc
@@ -0,0 +1,262 @@
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <map>
+#include <string>
+#include <vector>
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/digest.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+
+#include "../test/file_test.h"
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+
+// evp_test dispatches between multiple test types. HMAC tests test the legacy
+// EVP_PKEY_HMAC API. PrivateKey tests take a key name parameter and single
+// block, decode it as a PEM private key, and save it under that key name.
+// Decrypt, Sign, and Verify tests take a previously imported key name as
+// parameter and test their respective operations.
+
+static const EVP_MD *GetDigest(FileTest *t, const std::string &name) {
+ if (name == "MD5") {
+ return EVP_md5();
+ } else if (name == "SHA1") {
+ return EVP_sha1();
+ } else if (name == "SHA224") {
+ return EVP_sha224();
+ } else if (name == "SHA256") {
+ return EVP_sha256();
+ } else if (name == "SHA384") {
+ return EVP_sha384();
+ } else if (name == "SHA512") {
+ return EVP_sha512();
+ }
+ t->PrintLine("Unknown digest: '%s'", name.c_str());
+ return nullptr;
+}
+
+using KeyMap = std::map<std::string, EVP_PKEY*>;
+
+// ImportPrivateKey evaluates a PrivateKey test in |t| and writes the resulting
+// private key to |key_map|.
+static bool ImportPrivateKey(FileTest *t, KeyMap *key_map) {
+ const std::string &key_name = t->GetParameter();
+ if (key_map->count(key_name) > 0) {
+ t->PrintLine("Duplicate key '%s'.", key_name.c_str());
+ return false;
+ }
+ const std::string &block = t->GetBlock();
+ ScopedBIO bio(BIO_new_mem_buf(const_cast<char*>(block.data()), block.size()));
+ if (!bio) {
+ return false;
+ }
+ ScopedEVP_PKEY pkey(PEM_read_bio_PrivateKey(bio.get(), nullptr, 0, nullptr));
+ if (!pkey) {
+ t->PrintLine("Error reading private key.");
+ return false;
+ }
+ (*key_map)[key_name] = pkey.release();
+ return true;
+}
+
+static bool TestHMAC(FileTest *t) {
+ std::string digest_str;
+ if (!t->GetAttribute(&digest_str, "HMAC")) {
+ return false;
+ }
+ const EVP_MD *digest = GetDigest(t, digest_str);
+ if (digest == nullptr) {
+ return false;
+ }
+
+ std::vector<uint8_t> key, input, output;
+ if (!t->GetBytes(&key, "Key") ||
+ !t->GetBytes(&input, "Input") ||
+ !t->GetBytes(&output, "Output")) {
+ return false;
+ }
+
+ ScopedEVP_PKEY pkey(EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, nullptr,
+ bssl::vector_data(&key),
+ key.size()));
+ ScopedEVP_MD_CTX mctx;
+ if (!pkey ||
+ !EVP_DigestSignInit(mctx.get(), nullptr, digest, nullptr, pkey.get()) ||
+ !EVP_DigestSignUpdate(mctx.get(), bssl::vector_data(&input),
+ input.size())) {
+ return false;
+ }
+
+ size_t len;
+ std::vector<uint8_t> actual;
+ if (!EVP_DigestSignFinal(mctx.get(), nullptr, &len)) {
+ return false;
+ }
+ actual.resize(len);
+ if (!EVP_DigestSignFinal(mctx.get(), bssl::vector_data(&actual), &len)) {
+ return false;
+ }
+ actual.resize(len);
+ return t->ExpectBytesEqual(bssl::vector_data(&output), output.size(),
+ bssl::vector_data(&actual), actual.size());
+}
+
+static bool TestEVP(FileTest *t, void *arg) {
+ KeyMap *key_map = reinterpret_cast<KeyMap*>(arg);
+ if (t->GetType() == "PrivateKey") {
+ return ImportPrivateKey(t, key_map);
+ } else if (t->GetType() == "HMAC") {
+ return TestHMAC(t);
+ }
+
+ int (*key_op_init)(EVP_PKEY_CTX *ctx);
+ int (*key_op)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len,
+ const uint8_t *in, size_t in_len);
+ if (t->GetType() == "Decrypt") {
+ key_op_init = EVP_PKEY_decrypt_init;
+ key_op = EVP_PKEY_decrypt;
+ } else if (t->GetType() == "Sign") {
+ key_op_init = EVP_PKEY_sign_init;
+ key_op = EVP_PKEY_sign;
+ } else if (t->GetType() == "Verify") {
+ key_op_init = EVP_PKEY_verify_init;
+ key_op = nullptr; // EVP_PKEY_verify is handled differently.
+ } else {
+ t->PrintLine("Unknown test '%s'", t->GetType().c_str());
+ return false;
+ }
+
+ // Load the key.
+ const std::string &key_name = t->GetParameter();
+ if (key_map->count(key_name) == 0) {
+ t->PrintLine("Could not find key '%s'.", key_name.c_str());
+ return false;
+ }
+ EVP_PKEY *key = (*key_map)[key_name];
+
+ std::vector<uint8_t> input, output;
+ if (!t->GetBytes(&input, "Input") ||
+ !t->GetBytes(&output, "Output")) {
+ return false;
+ }
+
+ // Set up the EVP_PKEY_CTX.
+ ScopedEVP_PKEY_CTX ctx(EVP_PKEY_CTX_new(key, nullptr));
+ if (!ctx || !key_op_init(ctx.get())) {
+ return false;
+ }
+ if (t->HasAttribute("Digest")) {
+ const EVP_MD *digest = GetDigest(t, t->GetAttributeOrDie("Digest"));
+ if (digest == nullptr ||
+ !EVP_PKEY_CTX_set_signature_md(ctx.get(), digest)) {
+ return false;
+ }
+ }
+
+ if (t->GetType() == "Verify") {
+ if (!EVP_PKEY_verify(ctx.get(), bssl::vector_data(&output), output.size(),
+ bssl::vector_data(&input), input.size())) {
+ // ECDSA sometimes doesn't push an error code. Push one on the error queue
+ // so it's distinguishable from other errors.
+ ERR_put_error(ERR_LIB_USER, 0, ERR_R_EVP_LIB, __FILE__, __LINE__);
+ return false;
+ }
+ return true;
+ }
+
+ size_t len;
+ std::vector<uint8_t> actual;
+ if (!key_op(ctx.get(), nullptr, &len, bssl::vector_data(&input),
+ input.size())) {
+ return false;
+ }
+ actual.resize(len);
+ if (!key_op(ctx.get(), bssl::vector_data(&actual), &len,
+ bssl::vector_data(&input), input.size())) {
+ return false;
+ }
+ actual.resize(len);
+ if (!t->ExpectBytesEqual(bssl::vector_data(&output), output.size(),
+ bssl::vector_data(&actual), len)) {
+ return false;
+ }
+ return true;
+}
+
+int main(int argc, char **argv) {
+ CRYPTO_library_init();
+ if (argc != 2) {
+ fprintf(stderr, "%s <test file.txt>\n", argv[0]);
+ return 1;
+ }
+
+ KeyMap map;
+ int ret = FileTestMain(TestEVP, &map, argv[1]);
+ // TODO(davidben): When we can rely on a move-aware std::map, make KeyMap a
+ // map of ScopedEVP_PKEY instead.
+ for (const auto &pair : map) {
+ EVP_PKEY_free(pair.second);
+ }
+ return ret;
+}
diff --git a/src/crypto/evp/evp_tests.txt b/src/crypto/evp/evp_tests.txt
new file mode 100644
index 0000000..cccfa4f
--- /dev/null
+++ b/src/crypto/evp/evp_tests.txt
@@ -0,0 +1,174 @@
+# Public key algorithm tests
+
+# Private keys used for PKEY operations.
+
+# RSA 2048 bit key.
+
+PrivateKey = RSA-2048
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNAIHqeyrh6gbV
+n3xz2f+5SglhXC5Lp8Y2zvCN01M+wxhVJbAVx2m5mnfWclv5w1Mqm25fZifV+4UW
+B2jT3anL01l0URcX3D0wnS/EfuQfl+Mq23+d2GShxHZ6Zm7NcbwarPXnUX9LOFlP
+6psF5C1a2pkSAIAT5FMWpNm7jtCGuI0odYusr5ItRqhotIXSOcm66w4rZFknEPQr
+LR6gpLSALAvsqzKPimiwBzvbVG/uqYCdKEmRKzkMFTK8finHZY+BdfrkbzQzL/h7
+yrPkBkm5hXeGnaDqcYNT8HInVIhpE2SHYNEivmduD8SD3SD/wxvalqMZZsmqLnWt
+A95H4cRPAgMBAAECggEAYCl6x5kbFnoG1rJHWLjL4gi+ubLZ7Jc4vYD5Ci41AF3X
+ziktnim6iFvTFv7x8gkTvArJDWsICLJBTYIQREHYYkozzgIzyPeApIs3Wv8C12cS
+IopwJITbP56+zM+77hcJ26GCgA2Unp5CFuC/81WDiPi9kNo3Oh2CdD7D+90UJ/0W
+glplejFpEuhpU2URfKL4RckJQF/KxV+JX8FdIDhsJu54yemQdQKaF4psHkzwwgDo
+qc+yfp0Vb4bmwq3CKxqEoc1cpbJ5CHXXlAfISzUjlcuBzD/tW7BDtp7eDAcgRVAC
+XO6MX0QBcLYSC7SOD3R7zY9SIRCFDfBDxCjf0YcFMQKBgQD2+WG0fLwDXTrt68fe
+hQqVa2Xs25z2B2QGPxWqSFU8WNly/mZ1BW413f3De/O58vYi7icTNyVoScm+8hdv
+6PfD+LuRujdN1TuvPeyBTSvewQwf3IjN0Wh28mse36PwlBl+301C/x+ylxEDuJjK
+hZxCcocIaoQqtBC7ac8tNa9r4wKBgQDUfnJKf/QQSLJwwlJKQQGHi3MVm7c9PbwY
+eyIOY1s1NPluJDoYTZP4YLa/u2txwe2aHh9FhYMCPDAelqaSwaCLU9DsnKkQEA2A
+RR47fcagG6xK7O+N95iEa8I1oIy7os9MBoBMwRIZ6VYIxxTj8UMNSR+tu6MqV1Gg
+T5d0WDTJpQKBgCHyRSu5uV39AoyRS/eZ8cp36JqV1Q08FtOE+EVfi9evnrPfo9WR
+2YQt7yNfdjCo5IwIj/ZkLhAXlFNakz4el2+oUJ/HKLLaDEoaCNf883q6rh/zABrK
+HcG7sF2d/7qhoJ9/se7zgjfZ68zHIrkzhDbd5xGREnmMJoCcGo3sQyBhAoGAH3UQ
+qmLC2N5KPFMoJ4H0HgLQ6LQCrnhDLkScSBEBYaEUA/AtAYgKjcyTgVLXlyGkcRpg
+esRHHr+WSBD5W+R6ReYEmeKfTJdzyDdzQE9gZjdyjC0DUbsDwybIu3OnIef6VEDq
+IXK7oUZfzDDcsNn4mTDoFaoff5cpqFfgDgM43VkCgYBNHw11b+d+AQmaZS9QqIt7
+aF3FvwCYHV0jdv0Mb+Kc1bY4c0R5MFpzrTwVmdOerjuuA1+9b+0Hwo3nBZM4eaBu
+SOamA2hu2OJWCl9q8fLCT69KqWDjghhvFe7c6aJJGucwaA3Uz3eLcPqoaCarMiNH
+fMkTd7GabVourqIZdgvu1Q==
+-----END PRIVATE KEY-----
+
+# EC P-256 key
+
+PrivateKey = P-256
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgiocvtiiTxNH/xbnw
++RdYBp+DUuCPoFpJ+NuSbLVyhyWhRANCAAQsFQ9CnOcPIWwlLPXgYs4fY5zV0WXH
++JQkBywnGX14szuSDpXNtmTpkNzwz+oNlOKo5q+dDlgFbmUxBJJbn+bJ
+-----END PRIVATE KEY-----
+
+# RSA tests
+
+Sign = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+
+# Digest too long
+Sign = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF12345"
+Output =
+Error = INVALID_DIGEST_LENGTH
+
+# Digest too short
+Sign = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF12345"
+Output =
+Error = INVALID_DIGEST_LENGTH
+
+# Mismatched digest
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1233"
+Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad
+Error = BAD_SIGNATURE
+
+# Corrupted signature
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1233"
+Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ae
+Error = BLOCK_TYPE_IS_NOT_01
+
+# parameter missing (NOTE: this differs from upstream)
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e75b4f6b37f67edd9c60c800f9ab941c0c157d7d880ca9de40c951d60fd293ae220d4bc510b1572d6e85a1bbbd8605b52e05f1c64fafdae59a1c2fbed214b7844d0134619de62851d5a0522e32e556e5950f3f97b8150e3f0dffee612c924201c27cd9bc8b423a71533380c276d3d59fcba35a2e80a1a192ec266a6c2255012cd86a349fe90a542b355fa3355b04da6cdf1df77f0e7bd44a90e880e1760266d233e465226f5db1c68857847d82072861ee266ddfc2e596845b77e1803274a579835ab5e4975d81d20b7df9cec7795489e4a2bdb8c1cf6a6b359945ac92c
+Error = BAD_SIGNATURE
+
+# embedded digest too long
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+Error = BAD_SIGNATURE
+
+# embedded digest too short
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d
+Error = BAD_SIGNATURE
+
+# Garbage after DigestInfo
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274
+Error = BAD_SIGNATURE
+
+# invalid tag for parameter
+Verify = RSA-2048
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 49525db4d44c755e560cba980b1d85ea604b0e077fcadd4ba44072a3487bbddb835016200a7d8739cce2dc3223d9c20cbdd25059ab02277f1f21318efd18e21038ec89aa9d40680987129e8b41ba33bceb86518bdf47268b921cce2037acabca6575d832499538d6f40cdba0d40bd7f4d8ea6ca6e2eec87f294efc971407857f5d7db09f6a7b31e301f571c6d82a5e3d08d2bb3a36e673d28b910f5bec57f0fcc4d968fd7c94d0b9226dec17f5192ad8b42bcab6f26e1bea1fdc3b958199acb00f14ebcb2a352f3afcedd4c09000128a603bbeb9696dea13040445253972d46237a25c7845e3b464e6984c2348ea1f1210a9ff0b00d2d72b50db00c009bb39f9
+Error = BAD_SIGNATURE
+
+# EC tests
+
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+
+# Digest too long
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF12345"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# Digest too short
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF123"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# Digest invalid
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1235"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# Invalid signature
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# Garbage after signature
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec800
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
+
+# BER signature
+Verify = P-256
+Digest = SHA1
+Input = "0123456789ABCDEF1234"
+Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000
+# This operation fails without an error code, so ERR_R_EVP_LIB is surfaced.
+Error = public key routines
diff --git a/src/crypto/evp/internal.h b/src/crypto/evp/internal.h
index 2b0f608..08a7bfb 100644
--- a/src/crypto/evp/internal.h
+++ b/src/crypto/evp/internal.h
@@ -170,8 +170,49 @@
#define EVP_PKEY_OP_TYPE_GEN (EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN)
+/* EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype|
+ * arguments can be -1 to specify that any type and operation are acceptable,
+ * otherwise |keytype| must match the type of |ctx| and the bits of |optype|
+ * must intersect the operation flags set on |ctx|.
+ *
+ * The |p1| and |p2| arguments depend on the value of |cmd|.
+ *
+ * It returns one on success and zero on error. */
+OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
+ int cmd, int p1, void *p2);
+
+/* EVP_PKEY_CTRL_DIGESTINIT is an internal value. It's called by
+ * EVP_DigestInit_ex to signal the |EVP_PKEY| that a digest operation is
+ * starting.
+ *
+ * TODO(davidben): This is only needed to support the deprecated HMAC |EVP_PKEY|
+ * types. */
+#define EVP_PKEY_CTRL_DIGESTINIT 3
+
+/* EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|:
+ * 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key.
+ * If the return value is <= 0, the key is rejected.
+ * 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a
+ * peer key. If the return value is <= 0, the key is rejected.
+ * 2: Is called with |p2| == NULL to test whether the peer's key was used.
+ * (EC)DH always return one in this case.
+ * 3: Is called with |p2| == NULL to set whether the peer's key was used.
+ * (EC)DH always return one in this case. This was only used for GOST. */
+#define EVP_PKEY_CTRL_PEER_KEY 4
+
+/* EVP_PKEY_CTRL_SET_MAC_KEY sets a MAC key. For example, this can be done an
+ * |EVP_PKEY_CTX| prior to calling |EVP_PKEY_keygen| in order to generate an
+ * HMAC |EVP_PKEY| with the given key. It returns one on success and zero on
+ * error. */
+#define EVP_PKEY_CTRL_SET_MAC_KEY 5
+
+/* EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl
+ * commands are numbered. */
+#define EVP_PKEY_ALG_CTRL 0x1000
+
#define EVP_PKEY_CTRL_MD 1
#define EVP_PKEY_CTRL_GET_MD 2
+
#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)
#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 2)
#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 3)
@@ -185,6 +226,8 @@
#define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 11)
#define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12)
+#define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID (EVP_PKEY_ALG_CTRL + 1)
+
struct evp_pkey_ctx_st {
/* Method associated with this operation */
const EVP_PKEY_METHOD *pmeth;
diff --git a/src/crypto/evp/p_dsa_asn1.c b/src/crypto/evp/p_dsa_asn1.c
new file mode 100644
index 0000000..0ac7da7
--- /dev/null
+++ b/src/crypto/evp/p_dsa_asn1.c
@@ -0,0 +1,569 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 2006.
+ */
+/* ====================================================================
+ * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#include <openssl/evp.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/digest.h>
+#include <openssl/dsa.h>
+#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/obj.h>
+#include <openssl/x509.h>
+
+#include "../dsa/internal.h"
+#include "internal.h"
+
+
+static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) {
+ const uint8_t *p, *pm;
+ int pklen, pmlen;
+ int ptype;
+ void *pval;
+ ASN1_STRING *pstr;
+ X509_ALGOR *palg;
+ ASN1_INTEGER *public_key = NULL;
+
+ DSA *dsa = NULL;
+
+ if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey)) {
+ return 0;
+ }
+ X509_ALGOR_get0(NULL, &ptype, &pval, palg);
+
+ if (ptype == V_ASN1_SEQUENCE) {
+ pstr = pval;
+ pm = pstr->data;
+ pmlen = pstr->length;
+
+ dsa = d2i_DSAparams(NULL, &pm, pmlen);
+ if (dsa == NULL) {
+ OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, EVP_R_DECODE_ERROR);
+ goto err;
+ }
+ } else if (ptype == V_ASN1_NULL || ptype == V_ASN1_UNDEF) {
+ dsa = DSA_new();
+ if (dsa == NULL) {
+ OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ } else {
+ OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, EVP_R_PARAMETER_ENCODING_ERROR);
+ goto err;
+ }
+
+ public_key = d2i_ASN1_INTEGER(NULL, &p, pklen);
+ if (public_key == NULL) {
+ OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, EVP_R_DECODE_ERROR);
+ goto err;
+ }
+
+ dsa->pub_key = ASN1_INTEGER_to_BN(public_key, NULL);
+ if (dsa->pub_key == NULL) {
+ OPENSSL_PUT_ERROR(EVP, dsa_pub_decode, EVP_R_BN_DECODE_ERROR);
+ goto err;
+ }
+
+ ASN1_INTEGER_free(public_key);
+ EVP_PKEY_assign_DSA(pkey, dsa);
+ return 1;
+
+err:
+ ASN1_INTEGER_free(public_key);
+ DSA_free(dsa);
+ return 0;
+}
+
+static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) {
+ DSA *dsa;
+ void *pval = NULL;
+ uint8_t *penc = NULL;
+ int penclen;
+
+ dsa = pkey->pkey.dsa;
+ dsa->write_params = 0;
+
+ penclen = i2d_DSAPublicKey(dsa, &penc);
+
+ if (penclen <= 0) {
+ OPENSSL_PUT_ERROR(EVP, dsa_pub_encode, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA), V_ASN1_UNDEF, pval,
+ penc, penclen)) {
+ return 1;
+ }
+
+err:
+ OPENSSL_free(penc);
+ ASN1_STRING_free(pval);
+
+ return 0;
+}
+
+static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) {
+ const uint8_t *p, *pm;
+ int pklen, pmlen;
+ int ptype;
+ void *pval;
+ ASN1_STRING *pstr;
+ X509_ALGOR *palg;
+ ASN1_INTEGER *privkey = NULL;
+ BN_CTX *ctx = NULL;
+
+ /* In PKCS#8 DSA: you just get a private key integer and parameters in the
+ * AlgorithmIdentifier the pubkey must be recalculated. */
+
+ STACK_OF(ASN1_TYPE) *ndsa = NULL;
+ DSA *dsa = NULL;
+
+ if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) {
+ return 0;
+ }
+ X509_ALGOR_get0(NULL, &ptype, &pval, palg);
+
+ /* Check for broken DSA PKCS#8, UGH! */
+ if (*p == (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)) {
+ ASN1_TYPE *t1, *t2;
+ ndsa = d2i_ASN1_SEQUENCE_ANY(NULL, &p, pklen);
+ if (ndsa == NULL) {
+ goto decerr;
+ }
+ if (sk_ASN1_TYPE_num(ndsa) != 2) {
+ goto decerr;
+ }
+
+ /* Handle Two broken types:
+ * SEQUENCE {parameters, priv_key}
+ * SEQUENCE {pub_key, priv_key}. */
+
+ t1 = sk_ASN1_TYPE_value(ndsa, 0);
+ t2 = sk_ASN1_TYPE_value(ndsa, 1);
+ if (t1->type == V_ASN1_SEQUENCE) {
+ p8->broken = PKCS8_EMBEDDED_PARAM;
+ pval = t1->value.ptr;
+ } else if (ptype == V_ASN1_SEQUENCE) {
+ p8->broken = PKCS8_NS_DB;
+ } else {
+ goto decerr;
+ }
+
+ if (t2->type != V_ASN1_INTEGER) {
+ goto decerr;
+ }
+
+ privkey = t2->value.integer;
+ } else {
+ const uint8_t *q = p;
+ privkey = d2i_ASN1_INTEGER(NULL, &p, pklen);
+ if (privkey == NULL) {
+ goto decerr;
+ }
+ if (privkey->type == V_ASN1_NEG_INTEGER) {
+ p8->broken = PKCS8_NEG_PRIVKEY;
+ ASN1_INTEGER_free(privkey);
+ privkey = d2i_ASN1_UINTEGER(NULL, &q, pklen);
+ if (privkey == NULL) {
+ goto decerr;
+ }
+ }
+ if (ptype != V_ASN1_SEQUENCE) {
+ goto decerr;
+ }
+ }
+
+ pstr = pval;
+ pm = pstr->data;
+ pmlen = pstr->length;
+ dsa = d2i_DSAparams(NULL, &pm, pmlen);
+ if (dsa == NULL) {
+ goto decerr;
+ }
+ /* We have parameters. Now set private key */
+ dsa->priv_key = ASN1_INTEGER_to_BN(privkey, NULL);
+ if (dsa->priv_key == NULL) {
+ OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, ERR_LIB_BN);
+ goto dsaerr;
+ }
+ /* Calculate public key. */
+ dsa->pub_key = BN_new();
+ if (dsa->pub_key == NULL) {
+ OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, ERR_R_MALLOC_FAILURE);
+ goto dsaerr;
+ }
+ ctx = BN_CTX_new();
+ if (ctx == NULL) {
+ OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, ERR_R_MALLOC_FAILURE);
+ goto dsaerr;
+ }
+
+ if (!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
+ OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, ERR_LIB_BN);
+ goto dsaerr;
+ }
+
+ EVP_PKEY_assign_DSA(pkey, dsa);
+ BN_CTX_free(ctx);
+ sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+ ASN1_INTEGER_free(privkey);
+
+ return 1;
+
+decerr:
+ OPENSSL_PUT_ERROR(EVP, dsa_priv_decode, EVP_R_DECODE_ERROR);
+
+dsaerr:
+ BN_CTX_free(ctx);
+ ASN1_INTEGER_free(privkey);
+ sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+ DSA_free(dsa);
+ return 0;
+}
+
+static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) {
+ ASN1_STRING *params = NULL;
+ ASN1_INTEGER *prkey = NULL;
+ uint8_t *dp = NULL;
+ int dplen;
+
+ if (!pkey->pkey.dsa || !pkey->pkey.dsa->priv_key) {
+ OPENSSL_PUT_ERROR(EVP, dsa_priv_encode, EVP_R_MISSING_PARAMETERS);
+ goto err;
+ }
+
+ params = ASN1_STRING_new();
+ if (!params) {
+ OPENSSL_PUT_ERROR(EVP, dsa_priv_encode, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ params->length = i2d_DSAparams(pkey->pkey.dsa, ¶ms->data);
+ if (params->length <= 0) {
+ OPENSSL_PUT_ERROR(EVP, dsa_priv_encode, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ params->type = V_ASN1_SEQUENCE;
+
+ /* Get private key into integer. */
+ prkey = BN_to_ASN1_INTEGER(pkey->pkey.dsa->priv_key, NULL);
+
+ if (!prkey) {
+ OPENSSL_PUT_ERROR(EVP, dsa_priv_encode, ERR_LIB_BN);
+ goto err;
+ }
+
+ dplen = i2d_ASN1_INTEGER(prkey, &dp);
+
+ ASN1_INTEGER_free(prkey);
+
+ if (!PKCS8_pkey_set0(p8, (ASN1_OBJECT *)OBJ_nid2obj(NID_dsa), 0,
+ V_ASN1_SEQUENCE, params, dp, dplen)) {
+ goto err;
+ }
+
+ return 1;
+
+err:
+ OPENSSL_free(dp);
+ ASN1_STRING_free(params);
+ ASN1_INTEGER_free(prkey);
+ return 0;
+}
+
+static int int_dsa_size(const EVP_PKEY *pkey) {
+ return DSA_size(pkey->pkey.dsa);
+}
+
+static int dsa_bits(const EVP_PKEY *pkey) {
+ return BN_num_bits(pkey->pkey.dsa->p);
+}
+
+static int dsa_missing_parameters(const EVP_PKEY *pkey) {
+ DSA *dsa;
+ dsa = pkey->pkey.dsa;
+ if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
+ return 1;
+ }
+ return 0;
+}
+
+static int dup_bn_into(BIGNUM **out, BIGNUM *src) {
+ BIGNUM *a;
+
+ a = BN_dup(src);
+ if (a == NULL) {
+ return 0;
+ }
+ BN_free(*out);
+ *out = a;
+
+ return 1;
+}
+
+static int dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) {
+ if (!dup_bn_into(&to->pkey.dsa->p, from->pkey.dsa->p) ||
+ !dup_bn_into(&to->pkey.dsa->q, from->pkey.dsa->q) ||
+ !dup_bn_into(&to->pkey.dsa->g, from->pkey.dsa->g)) {
+ return 0;
+ }
+
+ return 1;
+}
+
+static int dsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) {
+ return BN_cmp(a->pkey.dsa->p, b->pkey.dsa->p) == 0 &&
+ BN_cmp(a->pkey.dsa->q, b->pkey.dsa->q) == 0 &&
+ BN_cmp(a->pkey.dsa->g, b->pkey.dsa->g) == 0;
+}
+
+static int dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
+ return BN_cmp(b->pkey.dsa->pub_key, a->pkey.dsa->pub_key) == 0;
+}
+
+static void int_dsa_free(EVP_PKEY *pkey) { DSA_free(pkey->pkey.dsa); }
+
+static void update_buflen(const BIGNUM *b, size_t *pbuflen) {
+ size_t i;
+
+ if (!b) {
+ return;
+ }
+ i = BN_num_bytes(b);
+ if (*pbuflen < i) {
+ *pbuflen = i;
+ }
+}
+
+static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) {
+ uint8_t *m = NULL;
+ int ret = 0;
+ size_t buf_len = 0;
+ const char *ktype = NULL;
+
+ const BIGNUM *priv_key, *pub_key;
+
+ priv_key = NULL;
+ if (ptype == 2) {
+ priv_key = x->priv_key;
+ }
+
+ pub_key = NULL;
+ if (ptype > 0) {
+ pub_key = x->pub_key;
+ }
+
+ ktype = "DSA-Parameters";
+ if (ptype == 2) {
+ ktype = "Private-Key";
+ } else if (ptype == 1) {
+ ktype = "Public-Key";
+ }
+
+ update_buflen(x->p, &buf_len);
+ update_buflen(x->q, &buf_len);
+ update_buflen(x->g, &buf_len);
+ update_buflen(priv_key, &buf_len);
+ update_buflen(pub_key, &buf_len);
+
+ m = (uint8_t *)OPENSSL_malloc(buf_len + 10);
+ if (m == NULL) {
+ OPENSSL_PUT_ERROR(EVP, do_dsa_print, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (priv_key) {
+ if (!BIO_indent(bp, off, 128) ||
+ BIO_printf(bp, "%s: (%d bit)\n", ktype, BN_num_bits(x->p)) <= 0) {
+ goto err;
+ }
+ }
+
+ if (!ASN1_bn_print(bp, "priv:", priv_key, m, off) ||
+ !ASN1_bn_print(bp, "pub: ", pub_key, m, off) ||
+ !ASN1_bn_print(bp, "P: ", x->p, m, off) ||
+ !ASN1_bn_print(bp, "Q: ", x->q, m, off) ||
+ !ASN1_bn_print(bp, "G: ", x->g, m, off)) {
+ goto err;
+ }
+ ret = 1;
+
+err:
+ OPENSSL_free(m);
+ return ret;
+}
+
+static int dsa_param_decode(EVP_PKEY *pkey, const uint8_t **pder, int derlen) {
+ DSA *dsa;
+ dsa = d2i_DSAparams(NULL, pder, derlen);
+ if (dsa == NULL) {
+ OPENSSL_PUT_ERROR(EVP, dsa_param_decode, ERR_R_DSA_LIB);
+ return 0;
+ }
+ EVP_PKEY_assign_DSA(pkey, dsa);
+ return 1;
+}
+
+static int dsa_param_encode(const EVP_PKEY *pkey, uint8_t **pder) {
+ return i2d_DSAparams(pkey->pkey.dsa, pder);
+}
+
+static int dsa_param_print(BIO *bp, const EVP_PKEY *pkey, int indent,
+ ASN1_PCTX *ctx) {
+ return do_dsa_print(bp, pkey->pkey.dsa, indent, 0);
+}
+
+static int dsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent,
+ ASN1_PCTX *ctx) {
+ return do_dsa_print(bp, pkey->pkey.dsa, indent, 1);
+}
+
+static int dsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent,
+ ASN1_PCTX *ctx) {
+ return do_dsa_print(bp, pkey->pkey.dsa, indent, 2);
+}
+
+static int old_dsa_priv_decode(EVP_PKEY *pkey, const uint8_t **pder,
+ int derlen) {
+ DSA *dsa;
+ dsa = d2i_DSAPrivateKey(NULL, pder, derlen);
+ if (dsa == NULL) {
+ OPENSSL_PUT_ERROR(EVP, old_dsa_priv_decode, ERR_R_DSA_LIB);
+ return 0;
+ }
+ EVP_PKEY_assign_DSA(pkey, dsa);
+ return 1;
+}
+
+static int old_dsa_priv_encode(const EVP_PKEY *pkey, uint8_t **pder) {
+ return i2d_DSAPrivateKey(pkey->pkey.dsa, pder);
+}
+
+static int dsa_sig_print(BIO *bp, const X509_ALGOR *sigalg,
+ const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) {
+ DSA_SIG *dsa_sig;
+ const uint8_t *p;
+
+ if (!sig) {
+ return BIO_puts(bp, "\n") > 0;
+ }
+
+ p = sig->data;
+ dsa_sig = d2i_DSA_SIG(NULL, &p, sig->length);
+ if (dsa_sig == NULL) {
+ return X509_signature_dump(bp, sig, indent);
+ }
+
+ int rv = 0;
+ size_t buf_len = 0;
+ uint8_t *m = NULL;
+
+ update_buflen(dsa_sig->r, &buf_len);
+ update_buflen(dsa_sig->s, &buf_len);
+ m = OPENSSL_malloc(buf_len + 10);
+ if (m == NULL) {
+ OPENSSL_PUT_ERROR(EVP, dsa_sig_print, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ if (BIO_write(bp, "\n", 1) != 1 ||
+ !ASN1_bn_print(bp, "r: ", dsa_sig->r, m, indent) ||
+ !ASN1_bn_print(bp, "s: ", dsa_sig->s, m, indent)) {
+ goto err;
+ }
+ rv = 1;
+
+err:
+ OPENSSL_free(m);
+ DSA_SIG_free(dsa_sig);
+ return rv;
+}
+
+const EVP_PKEY_ASN1_METHOD dsa_asn1_meth = {
+ EVP_PKEY_DSA,
+ EVP_PKEY_DSA,
+ 0,
+
+ "DSA",
+ "OpenSSL DSA method",
+
+ dsa_pub_decode,
+ dsa_pub_encode,
+ dsa_pub_cmp,
+ dsa_pub_print,
+
+ dsa_priv_decode,
+ dsa_priv_encode,
+ dsa_priv_print,
+
+ NULL /* pkey_opaque */,
+ NULL /* pkey_supports_digest */,
+
+ int_dsa_size,
+ dsa_bits,
+
+ dsa_param_decode,
+ dsa_param_encode,
+ dsa_missing_parameters,
+ dsa_copy_parameters,
+ dsa_cmp_parameters,
+ dsa_param_print,
+ dsa_sig_print,
+
+ int_dsa_free,
+ old_dsa_priv_decode,
+ old_dsa_priv_encode,
+};
diff --git a/src/crypto/evp/p_ec.c b/src/crypto/evp/p_ec.c
index c274131..73c00d8 100644
--- a/src/crypto/evp/p_ec.c
+++ b/src/crypto/evp/p_ec.c
@@ -119,9 +119,7 @@
return;
}
- if (dctx->gen_group) {
- EC_GROUP_free(dctx->gen_group);
- }
+ EC_GROUP_free(dctx->gen_group);
OPENSSL_free(dctx);
}
@@ -212,8 +210,7 @@
OPENSSL_PUT_ERROR(EVP, pkey_ec_ctrl, EVP_R_INVALID_CURVE);
return 0;
}
- if (dctx->gen_group)
- EC_GROUP_free(dctx->gen_group);
+ EC_GROUP_free(dctx->gen_group);
dctx->gen_group = group;
return 1;
@@ -240,7 +237,8 @@
return 1;
default:
- return -2;
+ OPENSSL_PUT_ERROR(EVP, pkey_ec_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
+ return 0;
}
}
diff --git a/src/crypto/evp/p_ec_asn1.c b/src/crypto/evp/p_ec_asn1.c
index 914cc2f..fbbf4e7 100644
--- a/src/crypto/evp/p_ec_asn1.c
+++ b/src/crypto/evp/p_ec_asn1.c
@@ -142,23 +142,13 @@
}
} else if (ptype == V_ASN1_OBJECT) {
ASN1_OBJECT *poid = pval;
- EC_GROUP *group;
/* type == V_ASN1_OBJECT => the parameters are given
* by an asn1 OID */
- eckey = EC_KEY_new();
+ eckey = EC_KEY_new_by_curve_name(OBJ_obj2nid(poid));
if (eckey == NULL) {
- OPENSSL_PUT_ERROR(EVP, eckey_type2param, ERR_R_MALLOC_FAILURE);
goto err;
}
- group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(poid));
- if (group == NULL) {
- goto err;
- }
- if (EC_KEY_set_group(eckey, group) == 0) {
- goto err;
- }
- EC_GROUP_free(group);
} else {
OPENSSL_PUT_ERROR(EVP, eckey_type2param, EVP_R_DECODE_ERROR);
goto err;
@@ -201,8 +191,9 @@
return 1;
err:
- if (eckey)
+ if (eckey) {
EC_KEY_free(eckey);
+ }
return 0;
}
@@ -235,8 +226,9 @@
eckey = eckey_type2param(ptype, pval);
- if (!eckey)
+ if (!eckey) {
goto ecliberr;
+ }
/* We have parameters now set private key */
if (!d2i_ECPrivateKey(&eckey, &p, pklen)) {
@@ -282,8 +274,9 @@
ecliberr:
OPENSSL_PUT_ERROR(EVP, eckey_priv_decode, ERR_R_EC_LIB);
ecerr:
- if (eckey)
+ if (eckey) {
EC_KEY_free(eckey);
+ }
return 0;
}
@@ -439,10 +432,12 @@
if (ktype == 2) {
priv_key = EC_KEY_get0_private_key(x);
- if (priv_key && (i = (size_t)BN_num_bytes(priv_key)) > buf_len)
+ if (priv_key && (i = (size_t)BN_num_bytes(priv_key)) > buf_len) {
buf_len = i;
- } else
+ }
+ } else {
priv_key = NULL;
+ }
if (ktype > 0) {
buf_len += 10;
@@ -451,24 +446,27 @@
goto err;
}
}
- if (ktype == 2)
+ if (ktype == 2) {
ecstr = "Private-Key";
- else if (ktype == 1)
+ } else if (ktype == 1) {
ecstr = "Public-Key";
- else
+ } else {
ecstr = "ECDSA-Parameters";
+ }
- if (!BIO_indent(bp, off, 128))
+ if (!BIO_indent(bp, off, 128)) {
goto err;
- if ((order = BN_new()) == NULL)
+ }
+ order = BN_new();
+ if (order == NULL || !EC_GROUP_get_order(group, order, NULL) ||
+ BIO_printf(bp, "%s: (%d bit)\n", ecstr, BN_num_bits(order)) <= 0) {
goto err;
- if (!EC_GROUP_get_order(group, order, NULL))
- goto err;
- if (BIO_printf(bp, "%s: (%d bit)\n", ecstr, BN_num_bits(order)) <= 0)
- goto err;
+ }
- if ((priv_key != NULL) && !ASN1_bn_print(bp, "priv:", priv_key, buffer, off))
+ if ((priv_key != NULL) &&
+ !ASN1_bn_print(bp, "priv:", priv_key, buffer, off)) {
goto err;
+ }
if (pub_key_bytes != NULL) {
BIO_hexdump(bp, pub_key_bytes, pub_key_bytes_len, off);
}
@@ -479,16 +477,13 @@
ret = 1;
err:
- if (!ret)
+ if (!ret) {
OPENSSL_PUT_ERROR(EVP, do_EC_KEY_print, reason);
- if (pub_key_bytes)
- OPENSSL_free(pub_key_bytes);
- if (order)
- BN_free(order);
- if (ctx)
- BN_CTX_free(ctx);
- if (buffer != NULL)
- OPENSSL_free(buffer);
+ }
+ OPENSSL_free(pub_key_bytes);
+ BN_free(order);
+ BN_CTX_free(ctx);
+ OPENSSL_free(buffer);
return ret;
}
diff --git a/src/crypto/evp/p_hmac.c b/src/crypto/evp/p_hmac.c
index 6d9a909..21703ed 100644
--- a/src/crypto/evp/p_hmac.c
+++ b/src/crypto/evp/p_hmac.c
@@ -204,7 +204,8 @@
break;
default:
- return -2;
+ OPENSSL_PUT_ERROR(EVP, pkey_hmac_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
+ return 0;
}
return 1;
}
diff --git a/src/crypto/evp/p_rsa.c b/src/crypto/evp/p_rsa.c
index 31f5aaa..5abc075 100644
--- a/src/crypto/evp/p_rsa.c
+++ b/src/crypto/evp/p_rsa.c
@@ -55,10 +55,12 @@
#include <openssl/evp.h>
+#include <limits.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/buf.h>
+#include <openssl/bytestring.h>
#include <openssl/digest.h>
#include <openssl/err.h>
#include <openssl/mem.h>
@@ -125,9 +127,7 @@
dctx->md = sctx->md;
dctx->mgf1md = sctx->mgf1md;
if (sctx->oaep_label) {
- if (dctx->oaep_label) {
- OPENSSL_free(dctx->oaep_label);
- }
+ OPENSSL_free(dctx->oaep_label);
dctx->oaep_label = BUF_memdup(sctx->oaep_label, sctx->oaep_labellen);
if (!dctx->oaep_label) {
return 0;
@@ -145,15 +145,9 @@
return;
}
- if (rctx->pub_exp) {
- BN_free(rctx->pub_exp);
- }
- if (rctx->tbuf) {
- OPENSSL_free(rctx->tbuf);
- }
- if (rctx->oaep_label) {
- OPENSSL_free(rctx->oaep_label);
- }
+ BN_free(rctx->pub_exp);
+ OPENSSL_free(rctx->tbuf);
+ OPENSSL_free(rctx->oaep_label);
OPENSSL_free(rctx);
}
@@ -369,7 +363,7 @@
0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) {
OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl,
EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
- return -2;
+ return 0;
}
if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) &&
rctx->md == NULL) {
@@ -386,13 +380,13 @@
case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:
if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {
OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_PSS_SALTLEN);
- return -2;
+ return 0;
}
if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {
*(int *)p2 = rctx->saltlen;
} else {
if (p1 < -2) {
- return -2;
+ return 0;
}
rctx->saltlen = p1;
}
@@ -401,14 +395,14 @@
case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:
if (p1 < 256) {
OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_KEYBITS);
- return -2;
+ return 0;
}
rctx->nbits = p1;
return 1;
case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
if (!p2) {
- return -2;
+ return 0;
}
BN_free(rctx->pub_exp);
rctx->pub_exp = p2;
@@ -418,7 +412,7 @@
case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:
if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_PADDING_MODE);
- return -2;
+ return 0;
}
if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {
*(const EVP_MD **)p2 = rctx->md;
@@ -443,7 +437,7 @@
if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&
rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_MGF1_MD);
- return -2;
+ return 0;
}
if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {
if (rctx->mgf1md) {
@@ -459,11 +453,9 @@
case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_PADDING_MODE);
- return -2;
+ return 0;
}
- if (rctx->oaep_label) {
- OPENSSL_free(rctx->oaep_label);
- }
+ OPENSSL_free(rctx->oaep_label);
if (p2 && p1 > 0) {
/* TODO(fork): this seems wrong. Shouldn't it take a copy of the
* buffer? */
@@ -478,16 +470,17 @@
case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_INVALID_PADDING_MODE);
- return -2;
+ return 0;
}
- *(uint8_t **)p2 = rctx->oaep_label;
- return rctx->oaep_labellen;
+ CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);
+ return 1;
case EVP_PKEY_CTRL_DIGESTINIT:
return 1;
default:
- return -2;
+ OPENSSL_PUT_ERROR(EVP, pkey_rsa_ctrl, EVP_R_COMMAND_NOT_SUPPORTED);
+ return 0;
}
}
@@ -497,8 +490,9 @@
if (!rctx->pub_exp) {
rctx->pub_exp = BN_new();
- if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4))
+ if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) {
return 0;
+ }
}
rsa = RSA_new();
if (!rsa) {
@@ -583,7 +577,7 @@
size_t label_len) {
int label_len_int = label_len;
if (((size_t) label_len_int) != label_len) {
- return -2;
+ return 0;
}
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
@@ -593,6 +587,15 @@
int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
const uint8_t **out_label) {
- return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
- EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *) out_label);
+ CBS label;
+ if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
+ EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {
+ return -1;
+ }
+ if (CBS_len(&label) > INT_MAX) {
+ OPENSSL_PUT_ERROR(EVP, EVP_PKEY_CTX_get0_rsa_oaep_label, ERR_R_OVERFLOW);
+ return -1;
+ }
+ *out_label = CBS_data(&label);
+ return (int)CBS_len(&label);
}
diff --git a/src/crypto/evp/p_rsa_asn1.c b/src/crypto/evp/p_rsa_asn1.c
index f478d50..1e2d3f6 100644
--- a/src/crypto/evp/p_rsa_asn1.c
+++ b/src/crypto/evp/p_rsa_asn1.c
@@ -245,9 +245,7 @@
ret = 1;
err:
- if (m != NULL) {
- OPENSSL_free(m);
- }
+ OPENSSL_free(m);
return ret;
}
@@ -394,12 +392,8 @@
pss = rsa_pss_decode(sigalg, &maskHash);
rv = rsa_pss_param_print(bp, pss, maskHash, indent);
- if (pss) {
- RSA_PSS_PARAMS_free(pss);
- }
- if (maskHash) {
- X509_ALGOR_free(maskHash);
- }
+ RSA_PSS_PARAMS_free(pss);
+ X509_ALGOR_free(maskHash);
if (!rv) {
return 0;
}
@@ -463,12 +457,11 @@
stmp = NULL;
err:
- if (stmp)
- ASN1_STRING_free(stmp);
- if (algtmp)
- X509_ALGOR_free(algtmp);
- if (*palg)
+ ASN1_STRING_free(stmp);
+ X509_ALGOR_free(algtmp);
+ if (*palg) {
return 1;
+ }
return 0;
}
@@ -518,8 +511,8 @@
EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
int saltlen, rv = 0;
- if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0 ||
- EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0 ||
+ if (!EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) ||
+ !EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) ||
!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) {
goto err;
}
@@ -560,12 +553,15 @@
rv = 1;
err:
- if (pss)
+ if (pss) {
RSA_PSS_PARAMS_free(pss);
- if (rv)
+ }
+ if (rv) {
return os;
- if (os)
+ }
+ if (os) {
ASN1_STRING_free(os);
+ }
return NULL;
}
@@ -619,9 +615,9 @@
}
if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey) ||
- EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0 ||
- EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) <= 0 ||
- EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) {
+ !EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) ||
+ !EVP_PKEY_CTX_set_rsa_pss_saltlen(pkctx, saltlen) ||
+ !EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md)) {
goto err;
}
@@ -653,7 +649,7 @@
EVP_MD_CTX *ctx, X509_ALGOR *sigalg) {
int pad_mode;
EVP_PKEY_CTX *pkctx = ctx->pctx;
- if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) {
+ if (!EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode)) {
return EVP_DIGEST_SIGN_ALGORITHM_ERROR;
}
if (pad_mode == RSA_PKCS1_PSS_PADDING) {
diff --git a/src/crypto/evp/pbkdf_test.cc b/src/crypto/evp/pbkdf_test.cc
new file mode 100644
index 0000000..ae2f405
--- /dev/null
+++ b/src/crypto/evp/pbkdf_test.cc
@@ -0,0 +1,179 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/digest.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+
+
+// Prints out the data buffer as a sequence of hex bytes.
+static void PrintDataHex(const void *data, size_t len) {
+ for (size_t i = 0; i < len; ++i) {
+ fprintf(stderr, "%02x", (int)((const uint8_t *)data)[i]);
+ }
+}
+
+// Helper for testing that PBKDF2 derives the expected key from the given
+// inputs. Returns 1 on success, 0 otherwise.
+static bool TestPBKDF2(const void *password, size_t password_len,
+ const void *salt, size_t salt_len, unsigned iterations,
+ const EVP_MD *digest, size_t key_len,
+ const uint8_t *expected_key) {
+ uint8_t key[64];
+
+ if (key_len > sizeof(key)) {
+ fprintf(stderr, "Output buffer is not large enough.\n");
+ return false;
+ }
+
+ if (!PKCS5_PBKDF2_HMAC((const char *)password, password_len,
+ (const uint8_t *)salt, salt_len, iterations, digest,
+ key_len, key)) {
+ fprintf(stderr, "Call to PKCS5_PBKDF2_HMAC failed\n");
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+
+ if (memcmp(key, expected_key, key_len) != 0) {
+ fprintf(stderr, "Resulting key material does not match expectation\n");
+ fprintf(stderr, "Expected:\n ");
+ PrintDataHex(expected_key, key_len);
+ fprintf(stderr, "\nActual:\n ");
+ PrintDataHex(key, key_len);
+ fprintf(stderr, "\n");
+ return false;
+ }
+
+ return true;
+}
+
+// Tests deriving a key using an empty password (specified both as NULL and as
+// non-NULL). Note that NULL has special meaning to HMAC initialization.
+static bool TestEmptyPassword() {
+ const uint8_t kKey[] = {0xa3, 0x3d, 0xdd, 0xc3, 0x04, 0x78, 0x18,
+ 0x55, 0x15, 0x31, 0x1f, 0x87, 0x52, 0x89,
+ 0x5d, 0x36, 0xea, 0x43, 0x63, 0xa2};
+
+ if (!TestPBKDF2(NULL, 0, "salt", 4, 1, EVP_sha1(), sizeof(kKey), kKey) ||
+ !TestPBKDF2("", 0, "salt", 4, 1, EVP_sha1(), sizeof(kKey), kKey)) {
+ return false;
+ }
+
+ return true;
+}
+
+// Tests deriving a key using an empty salt. Note that the expectation was
+// generated using OpenSSL itself, and hence is not verified.
+static bool TestEmptySalt() {
+ const uint8_t kKey[] = {0x8b, 0xc2, 0xf9, 0x16, 0x7a, 0x81, 0xcd, 0xcf,
+ 0xad, 0x12, 0x35, 0xcd, 0x90, 0x47, 0xf1, 0x13,
+ 0x62, 0x71, 0xc1, 0xf9, 0x78, 0xfc, 0xfc, 0xb3,
+ 0x5e, 0x22, 0xdb, 0xea, 0xfa, 0x46, 0x34, 0xf6};
+
+ if (!TestPBKDF2("password", 8, NULL, 0, 2, EVP_sha256(), sizeof(kKey),
+ kKey) ||
+ !TestPBKDF2("password", 8, "", 0, 2, EVP_sha256(), sizeof(kKey), kKey)) {
+ return false;
+ }
+
+ return true;
+}
+
+// Exercises test vectors taken from https://tools.ietf.org/html/rfc6070.
+// Note that each of these test vectors uses SHA-1 as the digest.
+static bool TestRFC6070Vectors() {
+ const uint8_t kKey1[] = {0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e,
+ 0x71, 0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60,
+ 0x12, 0x06, 0x2f, 0xe0, 0x37, 0xa6};
+ const uint8_t kKey2[] = {0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f,
+ 0x8c, 0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d,
+ 0x41, 0xf0, 0xd8, 0xde, 0x89, 0x57};
+ const uint8_t kKey3[] = {0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
+ 0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3};
+
+ if (!TestPBKDF2("password", 8, "salt", 4, 1, EVP_sha1(), sizeof(kKey1),
+ kKey1) ||
+ !TestPBKDF2("password", 8, "salt", 4, 2, EVP_sha1(), sizeof(kKey2),
+ kKey2) ||
+ !TestPBKDF2("pass\0word", 9, "sa\0lt", 5, 4096, EVP_sha1(),
+ sizeof(kKey3), kKey3)) {
+ return false;
+ }
+
+ return true;
+}
+
+// Tests key derivation using SHA-2 digests.
+static bool TestSHA2() {
+ // This test was taken from:
+ // http://stackoverflow.com/questions/5130513/pbkdf2-hmac-sha2-test-vectors.
+ const uint8_t kKey1[] = {0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43};
+
+ // This test was taken from:
+ // http://stackoverflow.com/questions/15593184/pbkdf2-hmac-sha-512-test-vectors.
+ const uint8_t kKey2[] = {
+ 0x8c, 0x05, 0x11, 0xf4, 0xc6, 0xe5, 0x97, 0xc6, 0xac, 0x63, 0x15,
+ 0xd8, 0xf0, 0x36, 0x2e, 0x22, 0x5f, 0x3c, 0x50, 0x14, 0x95, 0xba,
+ 0x23, 0xb8, 0x68, 0xc0, 0x05, 0x17, 0x4d, 0xc4, 0xee, 0x71, 0x11,
+ 0x5b, 0x59, 0xf9, 0xe6, 0x0c, 0xd9, 0x53, 0x2f, 0xa3, 0x3e, 0x0f,
+ 0x75, 0xae, 0xfe, 0x30, 0x22, 0x5c, 0x58, 0x3a, 0x18, 0x6c, 0xd8,
+ 0x2b, 0xd4, 0xda, 0xea, 0x97, 0x24, 0xa3, 0xd3, 0xb8};
+
+ if (!TestPBKDF2("password", 8, "salt", 4, 2, EVP_sha256(), sizeof(kKey1),
+ kKey1) ||
+ !TestPBKDF2("passwordPASSWORDpassword", 24,
+ "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, 4096,
+ EVP_sha512(), sizeof(kKey2), kKey2)) {
+ return false;
+ }
+
+ return true;
+}
+
+int main(void) {
+ CRYPTO_library_init();
+ ERR_load_crypto_strings();
+
+ if (!TestEmptyPassword()) {
+ fprintf(stderr, "TestEmptyPassword failed\n");
+ return 1;
+ }
+
+ if (!TestEmptySalt()) {
+ fprintf(stderr, "TestEmptySalt failed\n");
+ return 1;
+ }
+
+ if (!TestRFC6070Vectors()) {
+ fprintf(stderr, "TestRFC6070Vectors failed\n");
+ return 1;
+ }
+
+ if (!TestSHA2()) {
+ fprintf(stderr, "TestSHA2 failed\n");
+ return 1;
+ }
+
+ printf("PASS\n");
+ ERR_free_strings();
+ return 0;
+}
diff --git a/src/crypto/evp/sign.c b/src/crypto/evp/sign.c
index 1faf7c6..ced86bd 100644
--- a/src/crypto/evp/sign.c
+++ b/src/crypto/evp/sign.c
@@ -92,9 +92,9 @@
EVP_MD_CTX_cleanup(&tmp_ctx);
pkctx = EVP_PKEY_CTX_new(pkey, NULL);
- if (!pkctx || EVP_PKEY_sign_init(pkctx) <= 0 ||
- EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0 ||
- EVP_PKEY_sign(pkctx, sig, &sig_len, m, m_len) <= 0) {
+ if (!pkctx || !EVP_PKEY_sign_init(pkctx) ||
+ !EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) ||
+ !EVP_PKEY_sign(pkctx, sig, &sig_len, m, m_len)) {
goto out;
}
*out_sig_len = sig_len;
@@ -138,8 +138,8 @@
pkctx = EVP_PKEY_CTX_new(pkey, NULL);
if (!pkctx ||
- EVP_PKEY_verify_init(pkctx) <= 0 ||
- EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) <= 0) {
+ !EVP_PKEY_verify_init(pkctx) ||
+ !EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest)) {
goto out;
}
ret = EVP_PKEY_verify(pkctx, sig, sig_len, m, m_len);
diff --git a/src/crypto/ex_data.c b/src/crypto/ex_data.c
index 0c2503e..10fefc8 100644
--- a/src/crypto/ex_data.c
+++ b/src/crypto/ex_data.c
@@ -108,47 +108,65 @@
#include <openssl/ex_data.h>
+#include <assert.h>
+#include <string.h>
+
+#include <openssl/crypto.h>
#include <openssl/err.h>
+#include <openssl/lhash.h>
+#include <openssl/mem.h>
+#include <openssl/stack.h>
#include <openssl/thread.h>
-#include "crypto_error.h"
#include "internal.h"
-/* global_impl is the implementation that we use at runtime. */
-static const CRYPTO_EX_DATA_IMPL *global_impl = NULL;
+struct crypto_ex_data_func_st {
+ long argl; /* Arbitary long */
+ void *argp; /* Arbitary void pointer */
+ CRYPTO_EX_new *new_func;
+ CRYPTO_EX_free *free_func;
+ CRYPTO_EX_dup *dup_func;
+};
-/* ex_data_default_impl is a the default implementation, defined in
- * ex_data_impl.c. */
-extern const CRYPTO_EX_DATA_IMPL ex_data_default_impl;
-
-/* get_impl returns the current ex_data implementatation. */
-static const CRYPTO_EX_DATA_IMPL *get_impl(void) {
- const CRYPTO_EX_DATA_IMPL *impl;
-
- CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
- impl = global_impl;
- CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
-
- if (impl != NULL) {
- return impl;
- }
-
- CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
- if (global_impl == NULL) {
- global_impl = &ex_data_default_impl;
- }
- impl = global_impl;
- CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
- return impl;
-}
-
-int CRYPTO_get_ex_new_index(int class_value, long argl, void *argp,
- CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
+int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index,
+ long argl, void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func,
CRYPTO_EX_free *free_func) {
- const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
- return impl->get_new_index(class_value, argl, argp, new_func, dup_func,
- free_func);
+ CRYPTO_EX_DATA_FUNCS *funcs;
+ int ret = 0;
+
+ funcs = OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS));
+ if (funcs == NULL) {
+ OPENSSL_PUT_ERROR(CRYPTO, CRYPTO_get_ex_new_index, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ funcs->argl = argl;
+ funcs->argp = argp;
+ funcs->new_func = new_func;
+ funcs->dup_func = dup_func;
+ funcs->free_func = free_func;
+
+ CRYPTO_STATIC_MUTEX_lock_write(&ex_data_class->lock);
+
+ if (ex_data_class->meth == NULL) {
+ ex_data_class->meth = sk_CRYPTO_EX_DATA_FUNCS_new_null();
+ }
+
+ if (ex_data_class->meth == NULL ||
+ !sk_CRYPTO_EX_DATA_FUNCS_push(ex_data_class->meth, funcs)) {
+ OPENSSL_PUT_ERROR(CRYPTO, CRYPTO_get_ex_new_index, ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(funcs);
+ goto err;
+ }
+
+ *out_index = sk_CRYPTO_EX_DATA_FUNCS_num(ex_data_class->meth) - 1;
+ ret = 1;
+
+err:
+ CRYPTO_STATIC_MUTEX_unlock(&ex_data_class->lock);
+ return ret;
}
int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val) {
@@ -183,45 +201,113 @@
return sk_void_value(ad->sk, idx);
}
-int CRYPTO_ex_data_new_class(void) {
- const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
- return impl->new_class();
-}
+/* get_func_pointers takes a copy of the CRYPTO_EX_DATA_FUNCS pointers, if any,
+ * for the given class. If there are some pointers, it sets |*out| to point to
+ * a fresh stack of them. Otherwise it sets |*out| to NULL. It returns one on
+ * success or zero on error. */
+static int get_func_pointers(STACK_OF(CRYPTO_EX_DATA_FUNCS) **out,
+ CRYPTO_EX_DATA_CLASS *ex_data_class) {
+ size_t n;
-int CRYPTO_new_ex_data(int class_value, void *obj, CRYPTO_EX_DATA *ad) {
- const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
- return impl->new_ex_data(class_value, obj, ad);
-}
+ *out = NULL;
-int CRYPTO_dup_ex_data(int class_value, CRYPTO_EX_DATA *to,
- const CRYPTO_EX_DATA *from) {
- const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
- return impl->dup_ex_data(class_value, to, from);
-}
-
-void CRYPTO_free_ex_data(int class_value, void *obj, CRYPTO_EX_DATA *ad) {
- const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
- impl->free_ex_data(class_value, obj, ad);
-}
-
-const CRYPTO_EX_DATA_IMPL *CRYPTO_get_ex_data_implementation(void) {
- return get_impl();
-}
-
-int CRYPTO_set_ex_data_implementation(const CRYPTO_EX_DATA_IMPL *impl) {
- int ret = 0;
-
- CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
- if (global_impl == NULL) {
- ret = 1;
- global_impl = impl;
+ /* CRYPTO_EX_DATA_FUNCS structures are static once set, so we can take a
+ * shallow copy of the list under lock and then use the structures without
+ * the lock held. */
+ CRYPTO_STATIC_MUTEX_lock_read(&ex_data_class->lock);
+ n = sk_CRYPTO_EX_DATA_FUNCS_num(ex_data_class->meth);
+ if (n > 0) {
+ *out = sk_CRYPTO_EX_DATA_FUNCS_dup(ex_data_class->meth);
}
- CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
+ CRYPTO_STATIC_MUTEX_unlock(&ex_data_class->lock);
- return ret;
+ if (n > 0 && *out == NULL) {
+ OPENSSL_PUT_ERROR(CRYPTO, get_func_pointers, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ return 1;
}
-void CRYPTO_cleanup_all_ex_data(void) {
- const CRYPTO_EX_DATA_IMPL *const impl = get_impl();
- impl->cleanup();
+int CRYPTO_new_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj,
+ CRYPTO_EX_DATA *ad) {
+ STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
+ size_t i;
+
+ ad->sk = NULL;
+
+ if (!get_func_pointers(&func_pointers, ex_data_class)) {
+ return 0;
+ }
+
+ for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
+ CRYPTO_EX_DATA_FUNCS *func_pointer =
+ sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
+ if (func_pointer->new_func) {
+ func_pointer->new_func(obj, NULL, ad, i, func_pointer->argl,
+ func_pointer->argp);
+ }
+ }
+
+ sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
+
+ return 1;
}
+
+int CRYPTO_dup_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, CRYPTO_EX_DATA *to,
+ const CRYPTO_EX_DATA *from) {
+ STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
+ size_t i;
+
+ if (!from->sk) {
+ /* In this case, |from| is blank, which is also the initial state of |to|,
+ * so there's nothing to do. */
+ return 1;
+ }
+
+ if (!get_func_pointers(&func_pointers, ex_data_class)) {
+ return 0;
+ }
+
+ for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
+ CRYPTO_EX_DATA_FUNCS *func_pointer =
+ sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
+ void *ptr = CRYPTO_get_ex_data(from, i);
+ if (func_pointer->dup_func) {
+ func_pointer->dup_func(to, from, &ptr, i, func_pointer->argl,
+ func_pointer->argp);
+ }
+ CRYPTO_set_ex_data(to, i, ptr);
+ }
+
+ sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
+
+ return 1;
+}
+
+void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj,
+ CRYPTO_EX_DATA *ad) {
+ STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
+ size_t i;
+
+ if (!get_func_pointers(&func_pointers, ex_data_class)) {
+ return;
+ }
+
+ for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
+ CRYPTO_EX_DATA_FUNCS *func_pointer =
+ sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
+ if (func_pointer->free_func) {
+ void *ptr = CRYPTO_get_ex_data(ad, i);
+ func_pointer->free_func(obj, ptr, ad, i, func_pointer->argl,
+ func_pointer->argp);
+ }
+ }
+
+ sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
+
+ sk_void_free(ad->sk);
+ ad->sk = NULL;
+}
+
+void CRYPTO_cleanup_all_ex_data(void) {}
diff --git a/src/crypto/ex_data_impl.c b/src/crypto/ex_data_impl.c
deleted file mode 100644
index f55b369..0000000
--- a/src/crypto/ex_data_impl.c
+++ /dev/null
@@ -1,401 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
-
-#include <openssl/ex_data.h>
-
-#include <assert.h>
-
-#include <openssl/err.h>
-#include <openssl/lhash.h>
-#include <openssl/mem.h>
-#include <openssl/stack.h>
-#include <openssl/thread.h>
-
-#include "crypto_error.h"
-#include "internal.h"
-
-typedef struct crypto_ex_data_func_st {
- long argl; /* Arbitary long */
- void *argp; /* Arbitary void pointer */
- CRYPTO_EX_new *new_func;
- CRYPTO_EX_free *free_func;
- CRYPTO_EX_dup *dup_func;
-} CRYPTO_EX_DATA_FUNCS;
-
-typedef struct st_ex_class_item {
- STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth;
- int class_value;
-} EX_CLASS_ITEM;
-
-static LHASH_OF(EX_CLASS_ITEM) *global_classes = NULL;
-
-static int global_next_class = 100;
-
-static int new_class(void) {
- int ret;
- CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
- ret = global_next_class++;
- CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
-
- return ret;
-}
-
-/* class_hash is a hash function used by an LHASH of |EX_CLASS_ITEM|
- * structures. */
-static uint32_t class_hash(const EX_CLASS_ITEM *a) {
- return a->class_value;
-}
-
-/* class_cmp is a comparison function for an LHASH of |EX_CLASS_ITEM|
- * structures. */
-static int class_cmp(const EX_CLASS_ITEM *a, const EX_CLASS_ITEM *b) {
- return a->class_value - b->class_value;
-}
-
-/* data_funcs_free is a callback function from |sk_pop_free| that frees a
- * |CRYPTO_EX_DATA_FUNCS|. */
-static void data_funcs_free(CRYPTO_EX_DATA_FUNCS *funcs) {
- OPENSSL_free(funcs);
-}
-
-/* class_free is a callback function from lh_doall to free the EX_CLASS_ITEM
- * structures. */
-static void class_free(EX_CLASS_ITEM *item) {
- sk_CRYPTO_EX_DATA_FUNCS_pop_free(item->meth, data_funcs_free);
- OPENSSL_free(item);
-}
-
-static LHASH_OF(EX_CLASS_ITEM) *get_classes(void) {
- LHASH_OF(EX_CLASS_ITEM) *ret;
-
- CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
- ret = global_classes;
- CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
-
- if (ret != NULL) {
- return ret;
- }
-
- CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
- if (global_classes == NULL) {
- global_classes = lh_EX_CLASS_ITEM_new(class_hash, class_cmp);
- }
- ret = global_classes;
- CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
-
- return ret;
-}
-
-static void cleanup(void) {
- LHASH_OF(EX_CLASS_ITEM) *classes = get_classes();
-
- if (classes != NULL) {
- lh_EX_CLASS_ITEM_doall(classes, class_free);
- lh_EX_CLASS_ITEM_free(classes);
- }
-
- global_classes = NULL;
-}
-
-static EX_CLASS_ITEM *get_class(int class_value) {
- LHASH_OF(EX_CLASS_ITEM) *const classes = get_classes();
- EX_CLASS_ITEM template, *class_item;
- int ok = 0;
-
- if (classes == NULL) {
- return NULL;
- }
-
- CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
- template.class_value = class_value;
- class_item = lh_EX_CLASS_ITEM_retrieve(classes, &template);
- if (class_item != NULL) {
- ok = 1;
- } else {
- class_item = OPENSSL_malloc(sizeof(EX_CLASS_ITEM));
- if (class_item) {
- class_item->class_value = class_value;
- class_item->meth = sk_CRYPTO_EX_DATA_FUNCS_new_null();
- if (class_item->meth != NULL) {
- EX_CLASS_ITEM *old_data;
- ok = lh_EX_CLASS_ITEM_insert(classes, &old_data, class_item);
- assert(old_data == NULL);
- }
- }
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
-
- if (!ok) {
- if (class_item) {
- if (class_item->meth) {
- sk_CRYPTO_EX_DATA_FUNCS_free(class_item->meth);
- }
- OPENSSL_free(class_item);
- class_item = NULL;
- }
-
- OPENSSL_PUT_ERROR(CRYPTO, get_class, ERR_R_MALLOC_FAILURE);
- }
-
- return class_item;
-}
-
-static int get_new_index(int class_value, long argl, void *argp,
- CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func) {
- EX_CLASS_ITEM *const item = get_class(class_value);
- CRYPTO_EX_DATA_FUNCS *funcs;
- int ret = -1;
-
- if (!item) {
- return -1;
- }
-
- funcs = OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS));
- if (funcs == NULL) {
- OPENSSL_PUT_ERROR(CRYPTO, get_new_index, ERR_R_MALLOC_FAILURE);
- return -1;
- }
-
- funcs->argl = argl;
- funcs->argp = argp;
- funcs->new_func = new_func;
- funcs->dup_func = dup_func;
- funcs->free_func = free_func;
-
- CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
-
- if (!sk_CRYPTO_EX_DATA_FUNCS_push(item->meth, funcs)) {
- OPENSSL_PUT_ERROR(CRYPTO, get_new_index, ERR_R_MALLOC_FAILURE);
- OPENSSL_free(funcs);
- goto err;
- }
-
- ret = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth) - 1;
-
-err:
- CRYPTO_w_unlock(CRYPTO_LOCK_EX_DATA);
- return ret;
-}
-
-/* get_func_pointers takes a copy of the CRYPTO_EX_DATA_FUNCS pointers, if any,
- * for the given class. If there are some pointers, it sets |*out| to point to
- * a fresh stack of them. Otherwise it sets |*out| to NULL. It returns one on
- * success or zero on error. */
-static int get_func_pointers(STACK_OF(CRYPTO_EX_DATA_FUNCS) **out,
- int class_value) {
- EX_CLASS_ITEM *const item = get_class(class_value);
- size_t n;
-
- if (!item) {
- return 0;
- }
-
- *out = NULL;
-
- /* CRYPTO_EX_DATA_FUNCS structures are static once set, so we can take a
- * shallow copy of the list under lock and then use the structures without
- * the lock held. */
- CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);
- n = sk_CRYPTO_EX_DATA_FUNCS_num(item->meth);
- if (n > 0) {
- *out = sk_CRYPTO_EX_DATA_FUNCS_dup(item->meth);
- }
- CRYPTO_r_unlock(CRYPTO_LOCK_EX_DATA);
-
- if (n > 0 && *out == NULL) {
- OPENSSL_PUT_ERROR(CRYPTO, get_func_pointers, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- return 1;
-}
-
-static int new_ex_data(int class_value, void *obj, CRYPTO_EX_DATA *ad) {
- STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
- size_t i;
-
- ad->sk = NULL;
-
- if (!get_func_pointers(&func_pointers, class_value)) {
- return 0;
- }
-
- for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
- CRYPTO_EX_DATA_FUNCS *func_pointer =
- sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
- if (func_pointer->new_func) {
- func_pointer->new_func(obj, NULL, ad, i, func_pointer->argl,
- func_pointer->argp);
- }
- }
-
- sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
-
- return 1;
-}
-
-static int dup_ex_data(int class_value, CRYPTO_EX_DATA *to,
- const CRYPTO_EX_DATA *from) {
- STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
- size_t i;
-
- if (!from->sk) {
- /* In this case, |from| is blank, which is also the initial state of |to|,
- * so there's nothing to do. */
- return 1;
- }
-
- if (!get_func_pointers(&func_pointers, class_value)) {
- return 0;
- }
-
- for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
- CRYPTO_EX_DATA_FUNCS *func_pointer =
- sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
- void *ptr = CRYPTO_get_ex_data(from, i);
- if (func_pointer->dup_func) {
- func_pointer->dup_func(to, from, &ptr, i, func_pointer->argl,
- func_pointer->argp);
- }
- CRYPTO_set_ex_data(to, i, ptr);
- }
-
- sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
-
- return 1;
-}
-
-static void free_ex_data(int class_value, void *obj, CRYPTO_EX_DATA *ad) {
- STACK_OF(CRYPTO_EX_DATA_FUNCS) *func_pointers;
- size_t i;
-
- if (!get_func_pointers(&func_pointers, class_value)) {
- return;
- }
-
- for (i = 0; i < sk_CRYPTO_EX_DATA_FUNCS_num(func_pointers); i++) {
- CRYPTO_EX_DATA_FUNCS *func_pointer =
- sk_CRYPTO_EX_DATA_FUNCS_value(func_pointers, i);
- if (func_pointer->free_func) {
- void *ptr = CRYPTO_get_ex_data(ad, i);
- func_pointer->free_func(obj, ptr, ad, i, func_pointer->argl,
- func_pointer->argp);
- }
- }
-
- sk_CRYPTO_EX_DATA_FUNCS_free(func_pointers);
-
- if (ad->sk) {
- sk_void_free(ad->sk);
- ad->sk = NULL;
- }
-}
-
-const CRYPTO_EX_DATA_IMPL ex_data_default_impl = {
- new_class, cleanup, get_new_index, new_ex_data, dup_ex_data, free_ex_data};
diff --git a/src/crypto/hkdf/CMakeLists.txt b/src/crypto/hkdf/CMakeLists.txt
index 9666172..f8dd748 100644
--- a/src/crypto/hkdf/CMakeLists.txt
+++ b/src/crypto/hkdf/CMakeLists.txt
@@ -6,7 +6,6 @@
OBJECT
hkdf.c
- hkdf_error.c
)
add_executable(
diff --git a/src/crypto/hkdf/hkdf_error.c b/src/crypto/hkdf/hkdf_error.c
deleted file mode 100644
index e1928d6..0000000
--- a/src/crypto/hkdf/hkdf_error.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/hkdf.h>
-
-const ERR_STRING_DATA HKDF_error_string_data[] = {
- {ERR_PACK(ERR_LIB_HKDF, HKDF_F_HKDF, 0), "HKDF"},
- {ERR_PACK(ERR_LIB_HKDF, 0, HKDF_R_OUTPUT_TOO_LARGE), "OUTPUT_TOO_LARGE"},
- {0, NULL},
-};
diff --git a/src/crypto/hkdf/hkdf_test.c b/src/crypto/hkdf/hkdf_test.c
index 7467fe0..63070dc 100644
--- a/src/crypto/hkdf/hkdf_test.c
+++ b/src/crypto/hkdf/hkdf_test.c
@@ -15,7 +15,6 @@
#include <stdio.h>
#include <string.h>
-#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/digest.h>
#include <openssl/err.h>
@@ -224,7 +223,7 @@
if (!HKDF(buf, test->out_len, test->md_func(), test->ikm, test->ikm_len,
test->salt, test->salt_len, test->info, test->info_len)) {
fprintf(stderr, "Call to HKDF failed\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 1;
}
if (memcmp(buf, test->out, test->out_len) != 0) {
diff --git a/src/crypto/hmac/CMakeLists.txt b/src/crypto/hmac/CMakeLists.txt
index e15c956..1a08c55 100644
--- a/src/crypto/hmac/CMakeLists.txt
+++ b/src/crypto/hmac/CMakeLists.txt
@@ -12,7 +12,8 @@
add_executable(
hmac_test
- hmac_test.c
+ hmac_test.cc
+ $<TARGET_OBJECTS:test_support>
)
target_link_libraries(hmac_test crypto)
diff --git a/src/crypto/hmac/hmac.c b/src/crypto/hmac/hmac.c
index f179fed..b1b2623 100644
--- a/src/crypto/hmac/hmac.c
+++ b/src/crypto/hmac/hmac.c
@@ -76,7 +76,7 @@
}
HMAC_CTX_init(&ctx);
- if (!HMAC_Init(&ctx, key, key_len, evp_md) ||
+ if (!HMAC_Init_ex(&ctx, key, key_len, evp_md, NULL) ||
!HMAC_Update(&ctx, data, data_len) ||
!HMAC_Final(&ctx, out, out_len)) {
out = NULL;
@@ -88,7 +88,6 @@
void HMAC_CTX_init(HMAC_CTX *ctx) {
ctx->md = NULL;
- ctx->key_length = 0;
EVP_MD_CTX_init(&ctx->i_ctx);
EVP_MD_CTX_init(&ctx->o_ctx);
EVP_MD_CTX_init(&ctx->md_ctx);
@@ -103,71 +102,66 @@
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
const EVP_MD *md, ENGINE *impl) {
- unsigned i, reset = 0;
- uint8_t pad[HMAC_MAX_MD_CBLOCK];
-
- if (md != NULL) {
- if (ctx->md == NULL && key == NULL && ctx->key_length == 0) {
- /* TODO(eroman): Change the API instead of this hack.
- * If a key hasn't yet been assigned to the context, then default to using
- * an all-zero key. This is to work around callers of
- * HMAC_Init_ex(key=NULL, key_len=0) intending to set a zero-length key.
- * Rather than resulting in uninitialized memory reads, it will
- * predictably use a zero key. */
- memset(ctx->key, 0, sizeof(ctx->key));
- }
- reset = 1;
- ctx->md = md;
- } else {
+ if (md == NULL) {
md = ctx->md;
}
- if (key != NULL) {
+ /* If either |key| is non-NULL or |md| has changed, initialize with a new key
+ * rather than rewinding the previous one.
+ *
+ * TODO(davidben,eroman): Passing the previous |md| with a NULL |key| is
+ * ambiguous between using the empty key and reusing the previous key. There
+ * exist callers which intend the latter, but the former is an awkward edge
+ * case. Fix to API to avoid this. */
+ if (md != ctx->md || key != NULL) {
+ size_t i;
+ uint8_t pad[HMAC_MAX_MD_CBLOCK];
+ uint8_t key_block[HMAC_MAX_MD_CBLOCK];
+ unsigned key_block_len;
+
size_t block_size = EVP_MD_block_size(md);
- reset = 1;
- assert(block_size <= sizeof(ctx->key));
+ assert(block_size <= sizeof(key_block));
if (block_size < key_len) {
+ /* Long keys are hashed. */
if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl) ||
!EVP_DigestUpdate(&ctx->md_ctx, key, key_len) ||
- !EVP_DigestFinal_ex(&(ctx->md_ctx), ctx->key, &ctx->key_length)) {
- goto err;
+ !EVP_DigestFinal_ex(&ctx->md_ctx, key_block, &key_block_len)) {
+ return 0;
}
} else {
- assert(key_len >= 0 && key_len <= sizeof(ctx->key));
- memcpy(ctx->key, key, key_len);
- ctx->key_length = key_len;
+ assert(key_len >= 0 && key_len <= sizeof(key_block));
+ memcpy(key_block, key, key_len);
+ key_block_len = (unsigned)key_len;
}
- if (ctx->key_length != HMAC_MAX_MD_CBLOCK) {
- memset(&ctx->key[ctx->key_length], 0, sizeof(ctx->key) - ctx->key_length);
+ /* Keys are then padded with zeros. */
+ if (key_block_len != HMAC_MAX_MD_CBLOCK) {
+ memset(&key_block[key_block_len], 0, sizeof(key_block) - key_block_len);
}
- }
- if (reset) {
for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++) {
- pad[i] = 0x36 ^ ctx->key[i];
+ pad[i] = 0x36 ^ key_block[i];
}
if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl) ||
!EVP_DigestUpdate(&ctx->i_ctx, pad, EVP_MD_block_size(md))) {
- goto err;
+ return 0;
}
for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++) {
- pad[i] = 0x5c ^ ctx->key[i];
+ pad[i] = 0x5c ^ key_block[i];
}
if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl) ||
!EVP_DigestUpdate(&ctx->o_ctx, pad, EVP_MD_block_size(md))) {
- goto err;
+ return 0;
}
+
+ ctx->md = md;
}
if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx)) {
- goto err;
+ return 0;
}
return 1;
-
-err:
- return 0;
}
int HMAC_Update(HMAC_CTX *ctx, const uint8_t *data, size_t data_len) {
@@ -200,8 +194,6 @@
return 0;
}
- memcpy(dest->key, src->key, HMAC_MAX_MD_CBLOCK);
- dest->key_length = src->key_length;
dest->md = src->md;
return 1;
}
diff --git a/src/crypto/hmac/hmac_test.c b/src/crypto/hmac/hmac_test.c
deleted file mode 100644
index ecc418a..0000000
--- a/src/crypto/hmac/hmac_test.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include <assert.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/crypto.h>
-#include <openssl/digest.h>
-#include <openssl/hmac.h>
-
-
-struct test_st {
- uint8_t key[16];
- size_t key_len;
- uint8_t data[64];
- size_t data_len;
- const char *hex_digest;
-};
-
-#define NUM_TESTS 4
-
-static const struct test_st kTests[NUM_TESTS] = {
- {
- "", 0, "More text test vectors to stuff up EBCDIC machines :-)", 54,
- "e9139d1e6ee064ef8cf514fc7dc83e86",
- },
- {
- {
- 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
- 0x0b, 0x0b, 0x0b, 0x0b,
- },
- 16,
- "Hi There",
- 8,
- "9294727a3638bb1c13f48ef8158bfc9d",
- },
- {
- "Jefe", 4, "what do ya want for nothing?", 28,
- "750c783e6ab0b503eaa86e310a5db738",
- },
- {
- {
- 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
- 0xaa, 0xaa, 0xaa, 0xaa,
- },
- 16,
- {
- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
- 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd,
- 0xdd, 0xdd,
- },
- 50,
- "56be34521d144c88dbb8c733f0e8b3f6",
- },
-};
-
-static char *to_hex(const uint8_t *md, size_t md_len) {
- size_t i;
- static char buf[80];
-
- for (i = 0; i < md_len; i++) {
- sprintf(&(buf[i * 2]), "%02x", md[i]);
- }
- return buf;
-}
-
-int main(int argc, char *argv[]) {
- unsigned i;
- char *p;
- int err = 0;
- uint8_t out[EVP_MAX_MD_SIZE];
- unsigned out_len;
-
- CRYPTO_library_init();
-
- for (i = 0; i < NUM_TESTS; i++) {
- const struct test_st *test = &kTests[i];
-
- /* Test using the one-shot API. */
- if (NULL == HMAC(EVP_md5(), test->key, test->key_len, test->data,
- test->data_len, out, &out_len)) {
- fprintf(stderr, "%u: HMAC failed.\n", i);
- err++;
- continue;
- }
- p = to_hex(out, out_len);
- if (strcmp(p, test->hex_digest) != 0) {
- fprintf(stderr, "%u: got %s instead of %s\n", i, p, test->hex_digest);
- err++;
- }
-
- /* Test using HMAC_CTX. */
- HMAC_CTX ctx;
- HMAC_CTX_init(&ctx);
- if (!HMAC_Init_ex(&ctx, test->key, test->key_len, EVP_md5(), NULL) ||
- !HMAC_Update(&ctx, test->data, test->data_len) ||
- !HMAC_Final(&ctx, out, &out_len)) {
- fprintf(stderr, "%u: HMAC failed.\n", i);
- err++;
- HMAC_CTX_cleanup(&ctx);
- continue;
- }
- p = to_hex(out, out_len);
- if (strcmp(p, test->hex_digest) != 0) {
- fprintf(stderr, "%u: got %s instead of %s\n", i, p, test->hex_digest);
- err++;
- }
-
- /* Test that an HMAC_CTX may be reset with the same key. */
- if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_md5(), NULL) ||
- !HMAC_Update(&ctx, test->data, test->data_len) ||
- !HMAC_Final(&ctx, out, &out_len)) {
- fprintf(stderr, "%u: HMAC failed.\n", i);
- err++;
- HMAC_CTX_cleanup(&ctx);
- continue;
- }
- p = to_hex(out, out_len);
- if (strcmp(p, test->hex_digest) != 0) {
- fprintf(stderr, "%u: got %s instead of %s\n", i, p, test->hex_digest);
- err++;
- }
-
- HMAC_CTX_cleanup(&ctx);
- }
-
- /* Test that HMAC() uses the empty key when called with key = NULL. */
- const struct test_st *test = &kTests[0];
- assert(test->key_len == 0);
- if (NULL == HMAC(EVP_md5(), NULL, 0, test->data, test->data_len, out,
- &out_len)) {
- fprintf(stderr, "HMAC failed.\n");
- err++;
- } else {
- p = to_hex(out, out_len);
- if (strcmp(p, test->hex_digest) != 0) {
- fprintf(stderr, "got %s instead of %s\n", p, test->hex_digest);
- err++;
- }
- }
-
- /* Test that HMAC_Init, etc., uses the empty key when called initially with
- * key = NULL. */
- assert(test->key_len == 0);
- HMAC_CTX ctx;
- HMAC_CTX_init(&ctx);
- if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_md5(), NULL) ||
- !HMAC_Update(&ctx, test->data, test->data_len) ||
- !HMAC_Final(&ctx, out, &out_len)) {
- fprintf(stderr, "HMAC failed.\n");
- err++;
- } else {
- p = to_hex(out, out_len);
- if (strcmp(p, test->hex_digest) != 0) {
- fprintf(stderr, "got %s instead of %s\n", p, test->hex_digest);
- err++;
- }
- }
- HMAC_CTX_cleanup(&ctx);
-
- if (err) {
- return 1;
- }
-
- printf("PASS\n");
- return 0;
-}
diff --git a/src/crypto/hmac/hmac_test.cc b/src/crypto/hmac/hmac_test.cc
new file mode 100644
index 0000000..d438b70
--- /dev/null
+++ b/src/crypto/hmac/hmac_test.cc
@@ -0,0 +1,171 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <string>
+#include <vector>
+
+#include <openssl/crypto.h>
+#include <openssl/digest.h>
+#include <openssl/hmac.h>
+
+#include "../test/file_test.h"
+#include "../test/scoped_types.h"
+#include "../test/stl_compat.h"
+
+
+static const EVP_MD *GetDigest(const std::string &name) {
+ if (name == "MD5") {
+ return EVP_md5();
+ } else if (name == "SHA1") {
+ return EVP_sha1();
+ } else if (name == "SHA224") {
+ return EVP_sha224();
+ } else if (name == "SHA256") {
+ return EVP_sha256();
+ } else if (name == "SHA384") {
+ return EVP_sha384();
+ } else if (name == "SHA512") {
+ return EVP_sha512();
+ }
+ return nullptr;
+}
+
+static bool TestHMAC(FileTest *t, void *arg) {
+ std::string digest_str;
+ if (!t->GetAttribute(&digest_str, "HMAC")) {
+ return false;
+ }
+ const EVP_MD *digest = GetDigest(digest_str);
+ if (digest == nullptr) {
+ t->PrintLine("Unknown digest '%s'", digest_str.c_str());
+ return false;
+ }
+
+ std::vector<uint8_t> key, input, output;
+ if (!t->GetBytes(&key, "Key") ||
+ !t->GetBytes(&input, "Input") ||
+ !t->GetBytes(&output, "Output")) {
+ return false;
+ }
+
+ // Test using the one-shot API.
+ uint8_t mac[EVP_MAX_MD_SIZE];
+ unsigned mac_len;
+ if (nullptr == HMAC(digest, bssl::vector_data(&key), key.size(),
+ bssl::vector_data(&input), input.size(), mac,
+ &mac_len) ||
+ !t->ExpectBytesEqual(bssl::vector_data(&output), output.size(), mac,
+ mac_len)) {
+ t->PrintLine("One-shot API failed.");
+ return false;
+ }
+
+ // Test using HMAC_CTX.
+ ScopedHMAC_CTX ctx;
+ if (!HMAC_Init_ex(ctx.get(), bssl::vector_data(&key), key.size(), digest,
+ nullptr) ||
+ !HMAC_Update(ctx.get(), bssl::vector_data(&input), input.size()) ||
+ !HMAC_Final(ctx.get(), mac, &mac_len) ||
+ !t->ExpectBytesEqual(bssl::vector_data(&output), output.size(), mac,
+ mac_len)) {
+ t->PrintLine("HMAC_CTX failed.");
+ return false;
+ }
+
+ // Test that an HMAC_CTX may be reset with the same key.
+ if (!HMAC_Init_ex(ctx.get(), nullptr, 0, digest, nullptr) ||
+ !HMAC_Update(ctx.get(), bssl::vector_data(&input), input.size()) ||
+ !HMAC_Final(ctx.get(), mac, &mac_len) ||
+ !t->ExpectBytesEqual(bssl::vector_data(&output), output.size(), mac,
+ mac_len)) {
+ t->PrintLine("HMAC_CTX with reset failed.");
+ return false;
+ }
+
+ // Test feeding the input in byte by byte.
+ if (!HMAC_Init_ex(ctx.get(), nullptr, 0, nullptr, nullptr)) {
+ t->PrintLine("HMAC_CTX streaming failed.");
+ return false;
+ }
+ for (size_t i = 0; i < input.size(); i++) {
+ if (!HMAC_Update(ctx.get(), &input[i], 1)) {
+ t->PrintLine("HMAC_CTX streaming failed.");
+ return false;
+ }
+ }
+ if (!HMAC_Final(ctx.get(), mac, &mac_len) ||
+ !t->ExpectBytesEqual(bssl::vector_data(&output), output.size(), mac,
+ mac_len)) {
+ t->PrintLine("HMAC_CTX streaming failed.");
+ return false;
+ }
+
+ return true;
+}
+
+int main(int argc, char *argv[]) {
+ CRYPTO_library_init();
+
+ if (argc != 2) {
+ fprintf(stderr, "%s <test file.txt>\n", argv[0]);
+ return 1;
+ }
+
+ return FileTestMain(TestHMAC, nullptr, argv[1]);
+}
diff --git a/src/crypto/hmac/hmac_tests.txt b/src/crypto/hmac/hmac_tests.txt
new file mode 100644
index 0000000..9caa3c9
--- /dev/null
+++ b/src/crypto/hmac/hmac_tests.txt
@@ -0,0 +1,102 @@
+# This test file is shared between evp_test and hmac_test, to test the legacy
+# EVP_PKEY_HMAC API.
+
+HMAC = MD5
+# Note: The empty key results in passing NULL to HMAC_Init_ex, so this tests
+# that HMAC_CTX and HMAC treat NULL as the empty key initially.
+Key =
+Input = "More text test vectors to stuff up EBCDIC machines :-)"
+Output = e9139d1e6ee064ef8cf514fc7dc83e86
+
+# HMAC tests from RFC2104
+HMAC = MD5
+Key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+Input = "Hi There"
+Output = 9294727a3638bb1c13f48ef8158bfc9d
+
+HMAC = MD5
+Key = "Jefe"
+Input = "what do ya want for nothing?"
+Output = 750c783e6ab0b503eaa86e310a5db738
+
+HMAC = MD5
+Key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+Input = DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+Output = 56be34521d144c88dbb8c733f0e8b3f6
+
+# HMAC tests from NIST test data
+
+HMAC = SHA1
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F
+Output = 5FD596EE78D5553C8FF4E72D266DFD192366DA29
+
+HMAC = SHA1
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F10111213
+Output = 4C99FF0CB1B31BD33F8431DBAF4D17FCD356A807
+
+HMAC = SHA1
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263
+Output = 2D51B2F7750E410584662E38F133435F4C4FD42A
+
+HMAC = SHA224
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F
+Output = C7405E3AE058E8CD30B08B4140248581ED174CB34E1224BCC1EFC81B
+
+HMAC = SHA224
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B
+Output = E3D249A8CFB67EF8B7A169E9A0A599714A2CECBA65999A51BEB8FBBE
+
+HMAC = SHA224
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263
+Output = 91C52509E5AF8531601AE6230099D90BEF88AAEFB961F4080ABC014D
+
+HMAC = SHA256
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F
+Output = 8BB9A1DB9806F20DF7F77B82138C7914D174D59E13DC4D0169C9057B133E1D62
+
+HMAC = SHA256
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
+Output = A28CF43130EE696A98F14A37678B56BCFCBDD9E5CF69717FECF5480F0EBDF790
+
+HMAC = SHA256
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F60616263
+Output = BDCCB6C72DDEADB500AE768386CB38CC41C63DBB0878DDB9C7A38A431B78378D
+
+HMAC = SHA384
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F
+Output = 63C5DAA5E651847CA897C95814AB830BEDEDC7D25E83EEF9195CD45857A37F448947858F5AF50CC2B1B730DDF29671A9
+
+HMAC = SHA384
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F
+Output = 6EB242BDBB582CA17BEBFA481B1E23211464D2B7F8C20B9FF2201637B93646AF5AE9AC316E98DB45D9CAE773675EEED0
+
+HMAC = SHA384
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+Output = 5B664436DF69B0CA22551231A3F0A3D5B4F97991713CFA84BFF4D0792EFF96C27DCCBBB6F79B65D548B40E8564CEF594
+
+HMAC = SHA512
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F
+Output = FC25E240658CA785B7A811A8D3F7B4CA48CFA26A8A366BF2CD1F836B05FCB024BD36853081811D6CEA4216EBAD79DA1CFCB95EA4586B8A0CE356596A55FB1347
+
+HMAC = SHA512
+Input = "Sample message for keylen<blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F
+Output = FD44C18BDA0BB0A6CE0E82B031BF2818F6539BD56EC00BDC10A8A2D730B3634DE2545D639B0F2CF710D0692C72A1896F1F211C2B922D1A96C392E07E7EA9FEDC
+
+HMAC = SHA512
+Input = "Sample message for keylen=blocklen"
+Key = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7
+Output = D93EC8D2DE1AD2A9957CB9B83F14E76AD6B5E0CCE285079A127D3B14BCCB7AA7286D4AC0D4CE64215F2BC9E6870B33D97438BE4AAA20CDA5C5A912B48B8E27F3
diff --git a/src/crypto/internal.h b/src/crypto/internal.h
index 4336e65..42125db 100644
--- a/src/crypto/internal.h
+++ b/src/crypto/internal.h
@@ -110,26 +110,62 @@
#define OPENSSL_HEADER_CRYPTO_INTERNAL_H
#include <openssl/ex_data.h>
+#include <openssl/thread.h>
+
+#if defined(OPENSSL_NO_THREADS)
+#elif defined(OPENSSL_WINDOWS)
+#pragma warning(push, 3)
+#include <windows.h>
+#pragma warning(pop)
+#else
+#include <pthread.h>
+#endif
#if defined(__cplusplus)
extern "C" {
#endif
-/* st_CRYPTO_EX_DATA_IMPL contains an ex_data implementation. See the comments
- * in ex_data.h for details of the behaviour of each of the functions. */
-struct st_CRYPTO_EX_DATA_IMPL {
- int (*new_class)(void);
- void (*cleanup)(void);
+/* MSVC's C4701 warning about the use of *potentially*--as opposed to
+ * *definitely*--uninitialized values sometimes has false positives. Usually
+ * the false positives can and should be worked around by simplifying the
+ * control flow. When that is not practical, annotate the function containing
+ * the code that triggers the warning with
+ * OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS after its parameters:
+ *
+ * void f() OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS {
+ * ...
+ * }
+ *
+ * Note that MSVC's control flow analysis seems to operate on a whole-function
+ * basis, so the annotation must be placed on the entire function, not just a
+ * block within the function. */
+#if defined(_MSC_VER)
+#define OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS \
+ __pragma(warning(suppress:4701))
+#else
+#define OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
+#endif
- int (*get_new_index)(int class_value, long argl, void *argp,
- CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func);
- int (*new_ex_data)(int class_value, void *obj, CRYPTO_EX_DATA *ad);
- int (*dup_ex_data)(int class_value, CRYPTO_EX_DATA *to,
- const CRYPTO_EX_DATA *from);
- void (*free_ex_data)(int class_value, void *obj, CRYPTO_EX_DATA *ad);
-};
+/* MSVC will sometimes correctly detect unreachable code and issue a warning,
+ * which breaks the build since we treat errors as warnings, in some rare cases
+ * where we want to allow the dead code to continue to exist. In these
+ * situations, annotate the function containing the unreachable code with
+ * OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS after its parameters:
+ *
+ * void f() OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS {
+ * ...
+ * }
+ *
+ * Note that MSVC's reachability analysis seems to operate on a whole-function
+ * basis, so the annotation must be placed on the entire function, not just a
+ * block within the function. */
+#if defined(_MSC_VER)
+#define OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS \
+ __pragma(warning(suppress:4702))
+#else
+#define OPENSSL_SUPPRESS_UNREACHABLE_CODE_WARNINGS
+#endif
#if defined(_MSC_VER)
@@ -295,6 +331,185 @@
}
+/* Thread-safe initialisation. */
+
+#if defined(OPENSSL_NO_THREADS)
+typedef uint32_t CRYPTO_once_t;
+#define CRYPTO_ONCE_INIT 0
+#elif defined(OPENSSL_WINDOWS)
+typedef LONG CRYPTO_once_t;
+#define CRYPTO_ONCE_INIT 0
+#else
+typedef pthread_once_t CRYPTO_once_t;
+#define CRYPTO_ONCE_INIT PTHREAD_ONCE_INIT
+#endif
+
+/* CRYPTO_once calls |init| exactly once per process. This is thread-safe: if
+ * concurrent threads call |CRYPTO_once| with the same |CRYPTO_once_t| argument
+ * then they will block until |init| completes, but |init| will have only been
+ * called once.
+ *
+ * The |once| argument must be a |CRYPTO_once_t| that has been initialised with
+ * the value |CRYPTO_ONCE_INIT|. */
+OPENSSL_EXPORT void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void));
+
+
+/* Locks.
+ *
+ * Two types of locks are defined: |CRYPTO_MUTEX|, which can be used in
+ * structures as normal, and |struct CRYPTO_STATIC_MUTEX|, which can be used as
+ * a global lock. A global lock must be initialised to the value
+ * |CRYPTO_STATIC_MUTEX_INIT|.
+ *
+ * |CRYPTO_MUTEX| can appear in public structures and so is defined in
+ * thread.h.
+ *
+ * The global lock is a different type because there's no static initialiser
+ * value on Windows for locks, so global locks have to be coupled with a
+ * |CRYPTO_once_t| to ensure that the lock is setup before use. This is done
+ * automatically by |CRYPTO_STATIC_MUTEX_lock_*|. */
+
+#if defined(OPENSSL_NO_THREADS)
+struct CRYPTO_STATIC_MUTEX {};
+#define CRYPTO_STATIC_MUTEX_INIT {}
+#elif defined(OPENSSL_WINDOWS)
+struct CRYPTO_STATIC_MUTEX {
+ CRYPTO_once_t once;
+ CRITICAL_SECTION lock;
+};
+#define CRYPTO_STATIC_MUTEX_INIT { CRYPTO_ONCE_INIT, { 0 } }
+#else
+struct CRYPTO_STATIC_MUTEX {
+ pthread_rwlock_t lock;
+};
+#define CRYPTO_STATIC_MUTEX_INIT { PTHREAD_RWLOCK_INITIALIZER }
+#endif
+
+/* CRYPTO_MUTEX_init initialises |lock|. If |lock| is a static variable, use a
+ * |CRYPTO_STATIC_MUTEX|. */
+void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_MUTEX_lock_read locks |lock| such that other threads may also have a
+ * read lock, but none may have a write lock. (On Windows, read locks are
+ * actually fully exclusive.) */
+void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_MUTEX_lock_write locks |lock| such that no other thread has any type
+ * of lock on it. */
+void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_MUTEX_unlock unlocks |lock|. */
+void CRYPTO_MUTEX_unlock(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_MUTEX_cleanup releases all resources held by |lock|. */
+void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock);
+
+/* CRYPTO_STATIC_MUTEX_lock_read locks |lock| such that other threads may also
+ * have a read lock, but none may have a write lock. The |lock| variable does
+ * not need to be initialised by any function, but must have been statically
+ * initialised with |CRYPTO_STATIC_MUTEX_INIT|. */
+void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock);
+
+/* CRYPTO_STATIC_MUTEX_lock_write locks |lock| such that no other thread has
+ * any type of lock on it. The |lock| variable does not need to be initialised
+ * by any function, but must have been statically initialised with
+ * |CRYPTO_STATIC_MUTEX_INIT|. */
+void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock);
+
+/* CRYPTO_STATIC_MUTEX_unlock unlocks |lock|. */
+void CRYPTO_STATIC_MUTEX_unlock(struct CRYPTO_STATIC_MUTEX *lock);
+
+
+/* Thread local storage. */
+
+/* thread_local_data_t enumerates the types of thread-local data that can be
+ * stored. */
+typedef enum {
+ OPENSSL_THREAD_LOCAL_ERR = 0,
+ OPENSSL_THREAD_LOCAL_RAND,
+ OPENSSL_THREAD_LOCAL_TEST,
+ NUM_OPENSSL_THREAD_LOCALS,
+} thread_local_data_t;
+
+/* thread_local_destructor_t is the type of a destructor function that will be
+ * called when a thread exits and its thread-local storage needs to be freed. */
+typedef void (*thread_local_destructor_t)(void *);
+
+/* CRYPTO_get_thread_local gets the pointer value that is stored for the
+ * current thread for the given index, or NULL if none has been set. */
+OPENSSL_EXPORT void *CRYPTO_get_thread_local(thread_local_data_t value);
+
+/* CRYPTO_set_thread_local sets a pointer value for the current thread at the
+ * given index. This function should only be called once per thread for a given
+ * |index|: rather than update the pointer value itself, update the data that
+ * is pointed to.
+ *
+ * The destructor function will be called when a thread exits to free this
+ * thread-local data. All calls to |CRYPTO_set_thread_local| with the same
+ * |index| should have the same |destructor| argument. The destructor may be
+ * called with a NULL argument if a thread that never set a thread-local
+ * pointer for |index|, exits. The destructor may be called concurrently with
+ * different arguments.
+ *
+ * This function returns one on success or zero on error. If it returns zero
+ * then |destructor| has been called with |value| already. */
+OPENSSL_EXPORT int CRYPTO_set_thread_local(
+ thread_local_data_t index, void *value,
+ thread_local_destructor_t destructor);
+
+
+/* ex_data */
+
+typedef struct crypto_ex_data_func_st CRYPTO_EX_DATA_FUNCS;
+
+/* CRYPTO_EX_DATA_CLASS tracks the ex_indices registered for a type which
+ * supports ex_data. It should defined as a static global within the module
+ * which defines that type. */
+typedef struct {
+ struct CRYPTO_STATIC_MUTEX lock;
+ STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth;
+} CRYPTO_EX_DATA_CLASS;
+
+#define CRYPTO_EX_DATA_CLASS_INIT {CRYPTO_STATIC_MUTEX_INIT, NULL}
+
+/* CRYPTO_get_ex_new_index allocates a new index for |ex_data_class| and writes
+ * it to |*out_index|. Each class of object should provide a wrapper function
+ * that uses the correct |CRYPTO_EX_DATA_CLASS|. It returns one on success and
+ * zero otherwise. */
+OPENSSL_EXPORT int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class,
+ int *out_index, long argl,
+ void *argp, CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func,
+ CRYPTO_EX_free *free_func);
+
+/* CRYPTO_set_ex_data sets an extra data pointer on a given object. Each class
+ * of object should provide a wrapper function. */
+OPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val);
+
+/* CRYPTO_get_ex_data returns an extra data pointer for a given object, or NULL
+ * if no such index exists. Each class of object should provide a wrapper
+ * function. */
+OPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index);
+
+/* CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA| which is
+ * embedded inside of |obj| which is of class |ex_data_class|. Returns one on
+ * success and zero otherwise. */
+OPENSSL_EXPORT int CRYPTO_new_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class,
+ void *obj, CRYPTO_EX_DATA *ad);
+
+/* CRYPTO_dup_ex_data duplicates |from| into a freshly allocated
+ * |CRYPTO_EX_DATA|, |to|. Both of which are inside objects of the given
+ * class. It returns one on success and zero otherwise. */
+OPENSSL_EXPORT int CRYPTO_dup_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class,
+ CRYPTO_EX_DATA *to,
+ const CRYPTO_EX_DATA *from);
+
+/* CRYPTO_free_ex_data frees |ad|, which is embedded inside |obj|, which is an
+ * object of the given class. */
+OPENSSL_EXPORT void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class,
+ void *obj, CRYPTO_EX_DATA *ad);
+
+
#if defined(__cplusplus)
} /* extern C */
#endif
diff --git a/src/crypto/lhash/make_macros.sh b/src/crypto/lhash/make_macros.sh
index 79d1e57..8a876af 100644
--- a/src/crypto/lhash/make_macros.sh
+++ b/src/crypto/lhash/make_macros.sh
@@ -1,6 +1,9 @@
#!/bin/sh
-cat > lhash_macros.h << EOF
+include_dir=../../include/openssl
+out=${include_dir}/lhash_macros.h
+
+cat > $out << EOF
/* Copyright (c) 2014, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -24,7 +27,7 @@
output_lhash () {
type=$1
- cat >> lhash_macros.h << EOF
+ cat >> $out << EOF
/* ${type} */
#define lh_${type}_new(hash, comp)\\
((LHASH_OF(${type})*) lh_new(CHECKED_CAST(lhash_hash_func, uint32_t (*) (const ${type} *), hash), CHECKED_CAST(lhash_cmp_func, int (*) (const ${type} *a, const ${type} *b), comp)))
@@ -54,11 +57,11 @@
EOF
}
-lhash_types=$(cat lhash.h | grep '^ \* LHASH_OF:' | sed -e 's/.*LHASH_OF://' -e 's/ .*//')
+lhash_types=$(cat ${include_dir}/lhash.h | grep '^ \* LHASH_OF:' | sed -e 's/.*LHASH_OF://' -e 's/ .*//')
for type in $lhash_types; do
echo Hash of ${type}
output_lhash "${type}"
done
-clang-format -i lhash_macros.h
+clang-format -i $out
diff --git a/src/crypto/md4/md4.c b/src/crypto/md4/md4.c
index 8fb357b..6150b96 100644
--- a/src/crypto/md4/md4.c
+++ b/src/crypto/md4/md4.c
@@ -56,6 +56,7 @@
#include <openssl/md4.h>
+#include <stdlib.h>
#include <string.h>
diff --git a/src/crypto/modes/asm/ghash-armv4.pl b/src/crypto/modes/asm/ghash-armv4.pl
index b324641..25a4e27 100644
--- a/src/crypto/modes/asm/ghash-armv4.pl
+++ b/src/crypto/modes/asm/ghash-armv4.pl
@@ -42,8 +42,8 @@
# below and combine it with reduction algorithm from x86 module.
# Performance improvement over previous version varies from 65% on
# Snapdragon S4 to 110% on Cortex A9. In absolute terms Cortex A8
-# processes one byte in 8.45 cycles, A9 - in 10.2, Snapdragon S4 -
-# in 9.33.
+# processes one byte in 8.45 cycles, A9 - in 10.2, A15 - in 7.63,
+# Snapdragon S4 - in 9.33.
#
# Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
# Polynomial Multiplication on ARM Processors using the NEON Engine.
@@ -71,8 +71,20 @@
# *native* byte order on current platform. See gcm128.c for working
# example...
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+ die "can't locate arm-xlate.pl";
+
+ open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+ open STDOUT,">$output";
+}
$Xi="r0"; # argument block
$Htbl="r1";
@@ -129,6 +141,11 @@
.text
.code 32
+#ifdef __APPLE__
+#define ldrplb ldrbpl
+#define ldrneb ldrbne
+#endif
+
.type rem_4bit,%object
.align 5
rem_4bit:
@@ -370,7 +387,8 @@
}
$code.=<<___;
-#if __ARM_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7
+.arch armv7-a
.fpu neon
.global gcm_init_neon
@@ -378,9 +396,9 @@
.type gcm_init_neon,%function
.align 4
gcm_init_neon:
- vld1.64 $IN#hi,[r1,:64]! @ load H
+ vld1.64 $IN#hi,[r1]! @ load H
vmov.i8 $t0,#0xe1
- vld1.64 $IN#lo,[r1,:64]
+ vld1.64 $IN#lo,[r1]
vshl.i64 $t0#hi,#57
vshr.u64 $t0#lo,#63 @ t0=0xc2....01
vdup.8 $t1,$IN#hi[7]
@@ -392,7 +410,7 @@
veor $IN,$IN,$t0 @ twisted H
vstmia r0,{$IN}
- bx lr
+ ret @ bx lr
.size gcm_init_neon,.-gcm_init_neon
.global gcm_gmult_neon
@@ -400,8 +418,8 @@
.type gcm_gmult_neon,%function
.align 4
gcm_gmult_neon:
- vld1.64 $IN#hi,[$Xi,:64]! @ load Xi
- vld1.64 $IN#lo,[$Xi,:64]!
+ vld1.64 $IN#hi,[$Xi]! @ load Xi
+ vld1.64 $IN#lo,[$Xi]!
vmov.i64 $k48,#0x0000ffffffffffff
vldmia $Htbl,{$Hlo-$Hhi} @ load twisted H
vmov.i64 $k32,#0x00000000ffffffff
@@ -419,8 +437,8 @@
.type gcm_ghash_neon,%function
.align 4
gcm_ghash_neon:
- vld1.64 $Xl#hi,[$Xi,:64]! @ load Xi
- vld1.64 $Xl#lo,[$Xi,:64]!
+ vld1.64 $Xl#hi,[$Xi]! @ load Xi
+ vld1.64 $Xl#lo,[$Xi]!
vmov.i64 $k48,#0x0000ffffffffffff
vldmia $Htbl,{$Hlo-$Hhi} @ load twisted H
vmov.i64 $k32,#0x00000000ffffffff
@@ -475,10 +493,10 @@
vrev64.8 $Xl,$Xl
#endif
sub $Xi,#16
- vst1.64 $Xl#hi,[$Xi,:64]! @ write out Xi
- vst1.64 $Xl#lo,[$Xi,:64]
+ vst1.64 $Xl#hi,[$Xi]! @ write out Xi
+ vst1.64 $Xl#lo,[$Xi]
- bx lr
+ ret @ bx lr
.size gcm_ghash_neon,.-gcm_ghash_neon
#endif
___
@@ -494,6 +512,7 @@
s/\`([^\`]*)\`/eval $1/geo;
s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo or
+ s/\bret\b/bx lr/go or
s/\bbx\s+lr\b/.word\t0xe12fff1e/go; # make it possible to compile with -march=armv4
print $_,"\n";
diff --git a/src/crypto/modes/asm/ghash-x86.pl b/src/crypto/modes/asm/ghash-x86.pl
index eb6d55e..23a5527 100644
--- a/src/crypto/modes/asm/ghash-x86.pl
+++ b/src/crypto/modes/asm/ghash-x86.pl
@@ -131,8 +131,8 @@
&asm_init($ARGV[0],"ghash-x86.pl",$x86only = $ARGV[$#ARGV] eq "386");
-$sse2=1;
-#for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+$sse2=0;
+for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
($Zhh,$Zhl,$Zlh,$Zll) = ("ebp","edx","ecx","ebx");
$inp = "edi";
diff --git a/src/crypto/modes/asm/ghashv8-armx.pl b/src/crypto/modes/asm/ghashv8-armx.pl
index 08c8775..686951f 100644
--- a/src/crypto/modes/asm/ghashv8-armx.pl
+++ b/src/crypto/modes/asm/ghashv8-armx.pl
@@ -16,17 +16,31 @@
# other assembly modules. Just like aesv8-armx.pl this module
# supports both AArch32 and AArch64 execution modes.
#
+# July 2014
+#
+# Implement 2x aggregated reduction [see ghash-x86.pl for background
+# information].
+#
# Current performance in cycles per processed byte:
#
# PMULL[2] 32-bit NEON(*)
-# Apple A7 1.76 5.62
-# Cortex-A53 1.45 8.39
-# Cortex-A57 2.22 7.61
+# Apple A7 0.92 5.62
+# Cortex-A53 1.01 8.39
+# Cortex-A57 1.17 7.61
+# Denver 0.71 6.02
#
# (*) presented for reference/comparison purposes;
$flavour = shift;
-open STDOUT,">".shift;
+$output = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
$Xi="x0"; # argument block
$Htbl="x1";
@@ -37,121 +51,122 @@
{
my ($Xl,$Xm,$Xh,$IN)=map("q$_",(0..3));
-my ($t0,$t1,$t2,$t3,$H,$Hhl)=map("q$_",(8..14));
+my ($t0,$t1,$t2,$xC2,$H,$Hhl,$H2)=map("q$_",(8..14));
$code=<<___;
#include "arm_arch.h"
.text
___
-$code.=<<___ if ($flavour =~ /64/);
+$code.=<<___ if ($flavour =~ /64/);
#if !defined(__clang__)
-.arch armv8-a+crypto
+.arch armv8-a+crypto
#endif
___
$code.=".fpu neon\n.code 32\n" if ($flavour !~ /64/);
+################################################################################
+# void gcm_init_v8(u128 Htable[16],const u64 H[2]);
+#
+# input: 128-bit H - secret parameter E(K,0^128)
+# output: precomputed table filled with degrees of twisted H;
+# H is twisted to handle reverse bitness of GHASH;
+# only few of 16 slots of Htable[16] are used;
+# data is opaque to outside world (which allows to
+# optimize the code independently);
+#
$code.=<<___;
.global gcm_init_v8
.type gcm_init_v8,%function
.align 4
gcm_init_v8:
- vld1.64 {$t1},[x1] @ load H
- vmov.i8 $t0,#0xe1
+ vld1.64 {$t1},[x1] @ load input H
+ vmov.i8 $xC2,#0xe1
+ vshl.i64 $xC2,$xC2,#57 @ 0xc2.0
vext.8 $IN,$t1,$t1,#8
- vshl.i64 $t0,$t0,#57
- vshr.u64 $t2,$t0,#63
- vext.8 $t0,$t2,$t0,#8 @ t0=0xc2....01
+ vshr.u64 $t2,$xC2,#63
vdup.32 $t1,${t1}[1]
- vshr.u64 $t3,$IN,#63
+ vext.8 $t0,$t2,$xC2,#8 @ t0=0xc2....01
+ vshr.u64 $t2,$IN,#63
vshr.s32 $t1,$t1,#31 @ broadcast carry bit
- vand $t3,$t3,$t0
+ vand $t2,$t2,$t0
vshl.i64 $IN,$IN,#1
- vext.8 $t3,$t3,$t3,#8
+ vext.8 $t2,$t2,$t2,#8
vand $t0,$t0,$t1
- vorr $IN,$IN,$t3 @ H<<<=1
- veor $IN,$IN,$t0 @ twisted H
- vst1.64 {$IN},[x0]
+ vorr $IN,$IN,$t2 @ H<<<=1
+ veor $H,$IN,$t0 @ twisted H
+ vst1.64 {$H},[x0],#16 @ store Htable[0]
+
+ @ calculate H^2
+ vext.8 $t0,$H,$H,#8 @ Karatsuba pre-processing
+ vpmull.p64 $Xl,$H,$H
+ veor $t0,$t0,$H
+ vpmull2.p64 $Xh,$H,$H
+ vpmull.p64 $Xm,$t0,$t0
+
+ vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing
+ veor $t2,$Xl,$Xh
+ veor $Xm,$Xm,$t1
+ veor $Xm,$Xm,$t2
+ vpmull.p64 $t2,$Xl,$xC2 @ 1st phase
+
+ vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result
+ vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl
+ veor $Xl,$Xm,$t2
+
+ vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase
+ vpmull.p64 $Xl,$Xl,$xC2
+ veor $t2,$t2,$Xh
+ veor $H2,$Xl,$t2
+
+ vext.8 $t1,$H2,$H2,#8 @ Karatsuba pre-processing
+ veor $t1,$t1,$H2
+ vext.8 $Hhl,$t0,$t1,#8 @ pack Karatsuba pre-processed
+ vst1.64 {$Hhl-$H2},[x0] @ store Htable[1..2]
ret
.size gcm_init_v8,.-gcm_init_v8
-
+___
+################################################################################
+# void gcm_gmult_v8(u64 Xi[2],const u128 Htable[16]);
+#
+# input: Xi - current hash value;
+# Htable - table precomputed in gcm_init_v8;
+# output: Xi - next hash value Xi;
+#
+$code.=<<___;
.global gcm_gmult_v8
.type gcm_gmult_v8,%function
.align 4
gcm_gmult_v8:
vld1.64 {$t1},[$Xi] @ load Xi
- vmov.i8 $t3,#0xe1
- vld1.64 {$H},[$Htbl] @ load twisted H
- vshl.u64 $t3,$t3,#57
+ vmov.i8 $xC2,#0xe1
+ vld1.64 {$H-$Hhl},[$Htbl] @ load twisted H, ...
+ vshl.u64 $xC2,$xC2,#57
#ifndef __ARMEB__
vrev64.8 $t1,$t1
#endif
- vext.8 $Hhl,$H,$H,#8
- mov $len,#0
vext.8 $IN,$t1,$t1,#8
- mov $inc,#0
- veor $Hhl,$Hhl,$H @ Karatsuba pre-processing
- mov $inp,$Xi
- b .Lgmult_v8
-.size gcm_gmult_v8,.-gcm_gmult_v8
-.global gcm_ghash_v8
-.type gcm_ghash_v8,%function
-.align 4
-gcm_ghash_v8:
- vld1.64 {$Xl},[$Xi] @ load [rotated] Xi
- subs $len,$len,#16
- vmov.i8 $t3,#0xe1
- mov $inc,#16
- vld1.64 {$H},[$Htbl] @ load twisted H
- cclr $inc,eq
- vext.8 $Xl,$Xl,$Xl,#8
- vshl.u64 $t3,$t3,#57
- vld1.64 {$t1},[$inp],$inc @ load [rotated] inp
- vext.8 $Hhl,$H,$H,#8
-#ifndef __ARMEB__
- vrev64.8 $Xl,$Xl
- vrev64.8 $t1,$t1
-#endif
- veor $Hhl,$Hhl,$H @ Karatsuba pre-processing
- vext.8 $IN,$t1,$t1,#8
- b .Loop_v8
-
-.align 4
-.Loop_v8:
- vext.8 $t2,$Xl,$Xl,#8
- veor $IN,$IN,$Xl @ inp^=Xi
- veor $t1,$t1,$t2 @ $t1 is rotated inp^Xi
-
-.Lgmult_v8:
vpmull.p64 $Xl,$H,$IN @ H.lo·Xi.lo
veor $t1,$t1,$IN @ Karatsuba pre-processing
vpmull2.p64 $Xh,$H,$IN @ H.hi·Xi.hi
- subs $len,$len,#16
vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)·(Xi.lo+Xi.hi)
- cclr $inc,eq
vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing
veor $t2,$Xl,$Xh
veor $Xm,$Xm,$t1
- vld1.64 {$t1},[$inp],$inc @ load [rotated] inp
veor $Xm,$Xm,$t2
- vpmull.p64 $t2,$Xl,$t3 @ 1st phase
+ vpmull.p64 $t2,$Xl,$xC2 @ 1st phase of reduction
vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result
vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl
-#ifndef __ARMEB__
- vrev64.8 $t1,$t1
-#endif
veor $Xl,$Xm,$t2
- vext.8 $IN,$t1,$t1,#8
- vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase
- vpmull.p64 $Xl,$Xl,$t3
+ vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction
+ vpmull.p64 $Xl,$Xl,$xC2
veor $t2,$t2,$Xh
veor $Xl,$Xl,$t2
- b.hs .Loop_v8
#ifndef __ARMEB__
vrev64.8 $Xl,$Xl
@@ -160,6 +175,168 @@
vst1.64 {$Xl},[$Xi] @ write out Xi
ret
+.size gcm_gmult_v8,.-gcm_gmult_v8
+___
+################################################################################
+# void gcm_ghash_v8(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len);
+#
+# input: table precomputed in gcm_init_v8;
+# current hash value Xi;
+# pointer to input data;
+# length of input data in bytes, but divisible by block size;
+# output: next hash value Xi;
+#
+$code.=<<___;
+.global gcm_ghash_v8
+.type gcm_ghash_v8,%function
+.align 4
+gcm_ghash_v8:
+___
+$code.=<<___ if ($flavour !~ /64/);
+ vstmdb sp!,{d8-d15} @ 32-bit ABI says so
+___
+$code.=<<___;
+ vld1.64 {$Xl},[$Xi] @ load [rotated] Xi
+ @ "[rotated]" means that
+ @ loaded value would have
+ @ to be rotated in order to
+ @ make it appear as in
+ @ alorithm specification
+ subs $len,$len,#32 @ see if $len is 32 or larger
+ mov $inc,#16 @ $inc is used as post-
+ @ increment for input pointer;
+ @ as loop is modulo-scheduled
+ @ $inc is zeroed just in time
+ @ to preclude oversteping
+ @ inp[len], which means that
+ @ last block[s] are actually
+ @ loaded twice, but last
+ @ copy is not processed
+ vld1.64 {$H-$Hhl},[$Htbl],#32 @ load twisted H, ..., H^2
+ vmov.i8 $xC2,#0xe1
+ vld1.64 {$H2},[$Htbl]
+ cclr $inc,eq @ is it time to zero $inc?
+ vext.8 $Xl,$Xl,$Xl,#8 @ rotate Xi
+ vld1.64 {$t0},[$inp],#16 @ load [rotated] I[0]
+ vshl.u64 $xC2,$xC2,#57 @ compose 0xc2.0 constant
+#ifndef __ARMEB__
+ vrev64.8 $t0,$t0
+ vrev64.8 $Xl,$Xl
+#endif
+ vext.8 $IN,$t0,$t0,#8 @ rotate I[0]
+ b.lo .Lodd_tail_v8 @ $len was less than 32
+___
+{ my ($Xln,$Xmn,$Xhn,$In) = map("q$_",(4..7));
+ #######
+ # Xi+2 =[H*(Ii+1 + Xi+1)] mod P =
+ # [(H*Ii+1) + (H*Xi+1)] mod P =
+ # [(H*Ii+1) + H^2*(Ii+Xi)] mod P
+ #
+$code.=<<___;
+ vld1.64 {$t1},[$inp],$inc @ load [rotated] I[1]
+#ifndef __ARMEB__
+ vrev64.8 $t1,$t1
+#endif
+ vext.8 $In,$t1,$t1,#8
+ veor $IN,$IN,$Xl @ I[i]^=Xi
+ vpmull.p64 $Xln,$H,$In @ H·Ii+1
+ veor $t1,$t1,$In @ Karatsuba pre-processing
+ vpmull2.p64 $Xhn,$H,$In
+ b .Loop_mod2x_v8
+
+.align 4
+.Loop_mod2x_v8:
+ vext.8 $t2,$IN,$IN,#8
+ subs $len,$len,#32 @ is there more data?
+ vpmull.p64 $Xl,$H2,$IN @ H^2.lo·Xi.lo
+ cclr $inc,lo @ is it time to zero $inc?
+
+ vpmull.p64 $Xmn,$Hhl,$t1
+ veor $t2,$t2,$IN @ Karatsuba pre-processing
+ vpmull2.p64 $Xh,$H2,$IN @ H^2.hi·Xi.hi
+ veor $Xl,$Xl,$Xln @ accumulate
+ vpmull2.p64 $Xm,$Hhl,$t2 @ (H^2.lo+H^2.hi)·(Xi.lo+Xi.hi)
+ vld1.64 {$t0},[$inp],$inc @ load [rotated] I[i+2]
+
+ veor $Xh,$Xh,$Xhn
+ cclr $inc,eq @ is it time to zero $inc?
+ veor $Xm,$Xm,$Xmn
+
+ vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing
+ veor $t2,$Xl,$Xh
+ veor $Xm,$Xm,$t1
+ vld1.64 {$t1},[$inp],$inc @ load [rotated] I[i+3]
+#ifndef __ARMEB__
+ vrev64.8 $t0,$t0
+#endif
+ veor $Xm,$Xm,$t2
+ vpmull.p64 $t2,$Xl,$xC2 @ 1st phase of reduction
+
+#ifndef __ARMEB__
+ vrev64.8 $t1,$t1
+#endif
+ vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result
+ vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl
+ vext.8 $In,$t1,$t1,#8
+ vext.8 $IN,$t0,$t0,#8
+ veor $Xl,$Xm,$t2
+ vpmull.p64 $Xln,$H,$In @ H·Ii+1
+ veor $IN,$IN,$Xh @ accumulate $IN early
+
+ vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction
+ vpmull.p64 $Xl,$Xl,$xC2
+ veor $IN,$IN,$t2
+ veor $t1,$t1,$In @ Karatsuba pre-processing
+ veor $IN,$IN,$Xl
+ vpmull2.p64 $Xhn,$H,$In
+ b.hs .Loop_mod2x_v8 @ there was at least 32 more bytes
+
+ veor $Xh,$Xh,$t2
+ vext.8 $IN,$t0,$t0,#8 @ re-construct $IN
+ adds $len,$len,#32 @ re-construct $len
+ veor $Xl,$Xl,$Xh @ re-construct $Xl
+ b.eq .Ldone_v8 @ is $len zero?
+___
+}
+$code.=<<___;
+.Lodd_tail_v8:
+ vext.8 $t2,$Xl,$Xl,#8
+ veor $IN,$IN,$Xl @ inp^=Xi
+ veor $t1,$t0,$t2 @ $t1 is rotated inp^Xi
+
+ vpmull.p64 $Xl,$H,$IN @ H.lo·Xi.lo
+ veor $t1,$t1,$IN @ Karatsuba pre-processing
+ vpmull2.p64 $Xh,$H,$IN @ H.hi·Xi.hi
+ vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)·(Xi.lo+Xi.hi)
+
+ vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing
+ veor $t2,$Xl,$Xh
+ veor $Xm,$Xm,$t1
+ veor $Xm,$Xm,$t2
+ vpmull.p64 $t2,$Xl,$xC2 @ 1st phase of reduction
+
+ vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result
+ vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl
+ veor $Xl,$Xm,$t2
+
+ vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction
+ vpmull.p64 $Xl,$Xl,$xC2
+ veor $t2,$t2,$Xh
+ veor $Xl,$Xl,$t2
+
+.Ldone_v8:
+#ifndef __ARMEB__
+ vrev64.8 $Xl,$Xl
+#endif
+ vext.8 $Xl,$Xl,$Xl,#8
+ vst1.64 {$Xl},[$Xi] @ write out Xi
+
+___
+$code.=<<___ if ($flavour !~ /64/);
+ vldmia sp!,{d8-d15} @ 32-bit ABI says so
+___
+$code.=<<___;
+ ret
.size gcm_ghash_v8,.-gcm_ghash_v8
___
}
@@ -226,7 +403,7 @@
foreach(split("\n",$code)) {
s/\b[wx]([0-9]+)\b/r$1/go; # new->old registers
s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go; # new->old registers
- s/\/\/\s?/@ /o; # new->old style commentary
+ s/\/\/\s?/@ /o; # new->old style commentary
# fix up remainig new-style suffixes
s/\],#[0-9]+/]!/o;
@@ -238,7 +415,7 @@
s/^(\s+)b\./$1b/o or
s/^(\s+)ret/$1bx\tlr/o;
- print $_,"\n";
+ print $_,"\n";
}
}
diff --git a/src/crypto/modes/cbc.c b/src/crypto/modes/cbc.c
index a2ad26c..ba4805b 100644
--- a/src/crypto/modes/cbc.c
+++ b/src/crypto/modes/cbc.c
@@ -128,8 +128,9 @@
((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
while (len >= 16) {
(*block)(in, out, key);
- for (n = 0; n < 16; ++n)
+ for (n = 0; n < 16; ++n) {
out[n] ^= iv[n];
+ }
iv = in;
len -= 16;
in += 16;
@@ -140,8 +141,9 @@
size_t *out_t = (size_t *)out, *iv_t = (size_t *)iv;
(*block)(in, out, key);
- for (n = 0; n < 16 / sizeof(size_t); n++)
+ for (n = 0; n < 16 / sizeof(size_t); n++) {
out_t[n] ^= iv_t[n];
+ }
iv = in;
len -= 16;
in += 16;
diff --git a/src/crypto/modes/ctr.c b/src/crypto/modes/ctr.c
index 61832ba..306b6f7 100644
--- a/src/crypto/modes/ctr.c
+++ b/src/crypto/modes/ctr.c
@@ -121,8 +121,9 @@
while (len >= 16) {
(*block)(ivec, ecount_buf, key);
ctr128_inc(ivec);
- for (; n < 16; n += sizeof(size_t))
+ for (; n < 16; n += sizeof(size_t)) {
*(size_t *)(out + n) = *(size_t *)(in + n) ^ *(size_t *)(ecount_buf + n);
+ }
len -= 16;
out += 16;
in += 16;
@@ -162,7 +163,8 @@
unsigned int *num, ctr128_f func) {
unsigned int n, ctr32;
- assert(in && out && key && ecount_buf && num);
+ assert(key && ecount_buf && num);
+ assert(len == 0 || (in && out));
assert(*num < 16);
n = *num;
@@ -179,8 +181,9 @@
/* 1<<28 is just a not-so-small yet not-so-large number...
* Below condition is practically never met, but it has to
* be checked for code correctness. */
- if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28))
+ if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) {
blocks = (1U << 28);
+ }
/* As (*func) operates on 32-bit counter, caller
* has to handle overflow. 'if' below detects the
* overflow, which is then handled by limiting the
@@ -194,8 +197,9 @@
/* (*func) does not update ivec, caller does: */
PUTU32(ivec + 12, ctr32);
/* ... overflow was detected, propogate carry. */
- if (ctr32 == 0)
+ if (ctr32 == 0) {
ctr96_inc(ivec);
+ }
blocks *= 16;
len -= blocks;
out += blocks;
diff --git a/src/crypto/modes/gcm.c b/src/crypto/modes/gcm.c
index eeaeeff..b1c10b3 100644
--- a/src/crypto/modes/gcm.c
+++ b/src/crypto/modes/gcm.c
@@ -620,8 +620,9 @@
#endif
if (len) {
n = (unsigned int)len;
- for (i = 0; i < len; ++i)
+ for (i = 0; i < len; ++i) {
ctx->Xi.c[i] ^= aad[i];
+ }
}
ctx->ares = n;
@@ -1123,10 +1124,11 @@
GHASH(ctx, in, GHASH_CHUNK);
(*stream)(in, out, GHASH_CHUNK / 16, key, ctx->Yi.c);
ctr += GHASH_CHUNK / 16;
- if (is_endian.little)
+ if (is_endian.little) {
PUTU32(ctx->Yi.c + 12, ctr);
- else
+ } else {
ctx->Yi.d[3] = ctr;
+ }
out += GHASH_CHUNK;
in += GHASH_CHUNK;
len -= GHASH_CHUNK;
@@ -1140,8 +1142,9 @@
#else
while (j--) {
size_t k;
- for (k = 0; k < 16; ++k)
+ for (k = 0; k < 16; ++k) {
ctx->Xi.c[k] ^= in[k];
+ }
GCM_MUL(ctx, Xi);
in += 16;
}
@@ -1150,10 +1153,11 @@
#endif
(*stream)(in, out, j, key, ctx->Yi.c);
ctr += (unsigned int)j;
- if (is_endian.little)
+ if (is_endian.little) {
PUTU32(ctx->Yi.c + 12, ctr);
- else
+ } else {
ctx->Yi.d[3] = ctr;
+ }
out += i;
in += i;
len -= i;
@@ -1161,10 +1165,11 @@
if (len) {
(*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
++ctr;
- if (is_endian.little)
+ if (is_endian.little) {
PUTU32(ctx->Yi.c + 12, ctr);
- else
+ } else {
ctx->Yi.d[3] = ctr;
+ }
while (len--) {
uint8_t c = in[n];
ctx->Xi.c[n] ^= c;
diff --git a/src/crypto/modes/gcm_test.c b/src/crypto/modes/gcm_test.c
index 29f9d95..3548c81 100644
--- a/src/crypto/modes/gcm_test.c
+++ b/src/crypto/modes/gcm_test.c
@@ -294,9 +294,7 @@
return 1;
err:
- if (buf) {
- OPENSSL_free(buf);
- }
+ OPENSSL_free(buf);
return 0;
}
@@ -391,27 +389,13 @@
ret = 1;
out:
- if (key) {
- OPENSSL_free(key);
- }
- if (plaintext) {
- OPENSSL_free(plaintext);
- }
- if (additional_data) {
- OPENSSL_free(additional_data);
- }
- if (nonce) {
- OPENSSL_free(nonce);
- }
- if (ciphertext) {
- OPENSSL_free(ciphertext);
- }
- if (tag) {
- OPENSSL_free(tag);
- }
- if (out) {
- OPENSSL_free(out);
- }
+ OPENSSL_free(key);
+ OPENSSL_free(plaintext);
+ OPENSSL_free(additional_data);
+ OPENSSL_free(nonce);
+ OPENSSL_free(ciphertext);
+ OPENSSL_free(tag);
+ OPENSSL_free(out);
return ret;
}
diff --git a/src/crypto/modes/internal.h b/src/crypto/modes/internal.h
index 9662e0d..d12405e 100644
--- a/src/crypto/modes/internal.h
+++ b/src/crypto/modes/internal.h
@@ -121,6 +121,9 @@
#endif
#elif defined(_MSC_VER)
#if _MSC_VER >= 1300
+#pragma warning(push, 3)
+#include <intrin.h>
+#pragma warning(pop)
#pragma intrinsic(_byteswap_uint64, _byteswap_ulong)
#define BSWAP8(x) _byteswap_uint64((uint64_t)(x))
#define BSWAP4(x) _byteswap_ulong((uint32_t)(x))
diff --git a/src/crypto/obj/CMakeLists.txt b/src/crypto/obj/CMakeLists.txt
index ade603d..a27e504 100644
--- a/src/crypto/obj/CMakeLists.txt
+++ b/src/crypto/obj/CMakeLists.txt
@@ -7,5 +7,4 @@
obj.c
obj_xref.c
- obj_error.c
)
diff --git a/src/crypto/obj/obj.c b/src/crypto/obj/obj.c
index b04321b..511aba3 100644
--- a/src/crypto/obj/obj.c
+++ b/src/crypto/obj/obj.c
@@ -68,21 +68,26 @@
#include <openssl/thread.h>
#include "obj_dat.h"
+#include "../internal.h"
-/* These globals are protected by CRYPTO_LOCK_OBJ. */
+
+static struct CRYPTO_STATIC_MUTEX global_added_lock = CRYPTO_STATIC_MUTEX_INIT;
+/* These globals are protected by |global_added_lock|. */
static LHASH_OF(ASN1_OBJECT) *global_added_by_data = NULL;
static LHASH_OF(ASN1_OBJECT) *global_added_by_nid = NULL;
static LHASH_OF(ASN1_OBJECT) *global_added_by_short_name = NULL;
static LHASH_OF(ASN1_OBJECT) *global_added_by_long_name = NULL;
+static struct CRYPTO_STATIC_MUTEX global_next_nid_lock =
+ CRYPTO_STATIC_MUTEX_INIT;
static unsigned global_next_nid = NUM_NID;
static int obj_next_nid(void) {
int ret;
- CRYPTO_w_lock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_lock_write(&global_next_nid_lock);
ret = global_next_nid++;
- CRYPTO_w_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_next_nid_lock);
return ret;
}
@@ -130,7 +135,7 @@
if (o->sn != NULL) {
sn = OPENSSL_strdup(o->sn);
- if (sn) {
+ if (sn == NULL) {
goto err;
}
}
@@ -145,15 +150,9 @@
err:
OPENSSL_PUT_ERROR(OBJ, OBJ_dup, ERR_R_MALLOC_FAILURE);
- if (ln != NULL) {
- OPENSSL_free(ln);
- }
- if (sn != NULL) {
- OPENSSL_free(sn);
- }
- if (data != NULL) {
- OPENSSL_free(data);
- }
+ OPENSSL_free(ln);
+ OPENSSL_free(sn);
+ OPENSSL_free(data);
OPENSSL_free(r);
return NULL;
}
@@ -195,17 +194,17 @@
return obj->nid;
}
- CRYPTO_r_lock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock);
if (global_added_by_data != NULL) {
ASN1_OBJECT *match;
match = lh_ASN1_OBJECT_retrieve(global_added_by_data, obj);
if (match != NULL) {
- CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
return match->nid;
}
}
- CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
nid_ptr = bsearch(obj, kNIDsInOIDOrder, NUM_OBJ, sizeof(unsigned), obj_cmp);
if (nid_ptr == NULL) {
@@ -237,18 +236,18 @@
int OBJ_sn2nid(const char *short_name) {
const unsigned int *nid_ptr;
- CRYPTO_r_lock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock);
if (global_added_by_short_name != NULL) {
ASN1_OBJECT *match, template;
template.sn = short_name;
match = lh_ASN1_OBJECT_retrieve(global_added_by_short_name, &template);
if (match != NULL) {
- CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
return match->nid;
}
}
- CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
nid_ptr = bsearch(short_name, kNIDsInShortNameOrder, NUM_SN, sizeof(unsigned), short_name_cmp);
if (nid_ptr == NULL) {
@@ -271,18 +270,18 @@
int OBJ_ln2nid(const char *long_name) {
const unsigned int *nid_ptr;
- CRYPTO_r_lock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock);
if (global_added_by_long_name != NULL) {
ASN1_OBJECT *match, template;
template.ln = long_name;
match = lh_ASN1_OBJECT_retrieve(global_added_by_long_name, &template);
if (match != NULL) {
- CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
return match->nid;
}
}
- CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
nid_ptr = bsearch(long_name, kNIDsInLongNameOrder, NUM_LN, sizeof(unsigned), long_name_cmp);
if (nid_ptr == NULL) {
@@ -324,18 +323,18 @@
return &kObjects[nid];
}
- CRYPTO_r_lock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock);
if (global_added_by_nid != NULL) {
ASN1_OBJECT *match, template;
template.nid = nid;
match = lh_ASN1_OBJECT_retrieve(global_added_by_nid, &template);
if (match != NULL) {
- CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
return match;
}
}
- CRYPTO_r_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
err:
OPENSSL_PUT_ERROR(OBJ, OBJ_nid2obj, OBJ_R_UNKNOWN_NID);
@@ -543,15 +542,11 @@
}
}
- if (bl) {
- BN_free(bl);
- }
+ BN_free(bl);
return n;
err:
- if (bl) {
- BN_free(bl);
- }
+ BN_free(bl);
return -1;
}
@@ -600,7 +595,7 @@
obj->flags &= ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |
ASN1_OBJECT_FLAG_DYNAMIC_DATA);
- CRYPTO_w_lock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_lock_write(&global_added_lock);
if (global_added_by_nid == NULL) {
global_added_by_nid = lh_ASN1_OBJECT_new(hash_nid, cmp_nid);
global_added_by_data = lh_ASN1_OBJECT_new(hash_data, cmp_data);
@@ -623,7 +618,7 @@
if (obj->ln != NULL) {
ok &= lh_ASN1_OBJECT_insert(global_added_by_long_name, &old_object, obj);
}
- CRYPTO_w_unlock(CRYPTO_LOCK_OBJ);
+ CRYPTO_STATIC_MUTEX_unlock(&global_added_lock);
return ok;
}
@@ -662,12 +657,8 @@
op = NULL;
err:
- if (op != NULL) {
- ASN1_OBJECT_free(op);
- }
- if (buf != NULL) {
- OPENSSL_free(buf);
- }
+ ASN1_OBJECT_free(op);
+ OPENSSL_free(buf);
return ret;
}
diff --git a/src/crypto/obj/obj_error.c b/src/crypto/obj/obj_error.c
deleted file mode 100644
index 1ec9771..0000000
--- a/src/crypto/obj/obj_error.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/obj.h>
-
-const ERR_STRING_DATA OBJ_error_string_data[] = {
- {ERR_PACK(ERR_LIB_OBJ, OBJ_F_OBJ_create, 0), "OBJ_create"},
- {ERR_PACK(ERR_LIB_OBJ, OBJ_F_OBJ_dup, 0), "OBJ_dup"},
- {ERR_PACK(ERR_LIB_OBJ, OBJ_F_OBJ_nid2obj, 0), "OBJ_nid2obj"},
- {ERR_PACK(ERR_LIB_OBJ, OBJ_F_OBJ_txt2obj, 0), "OBJ_txt2obj"},
- {ERR_PACK(ERR_LIB_OBJ, 0, OBJ_R_UNKNOWN_NID), "UNKNOWN_NID"},
- {0, NULL},
-};
diff --git a/src/crypto/pem/CMakeLists.txt b/src/crypto/pem/CMakeLists.txt
index 3275b15..720ba2f 100644
--- a/src/crypto/pem/CMakeLists.txt
+++ b/src/crypto/pem/CMakeLists.txt
@@ -6,7 +6,6 @@
OBJECT
pem_all.c
- pem_error.c
pem_info.c
pem_lib.c
pem_oth.c
diff --git a/src/crypto/pem/pem_error.c b/src/crypto/pem/pem_error.c
deleted file mode 100644
index 2745f4c..0000000
--- a/src/crypto/pem/pem_error.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/pem.h>
-
-const ERR_STRING_DATA PEM_error_string_data[] = {
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_ASN1_read, 0), "PEM_ASN1_read"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_ASN1_read_bio, 0), "PEM_ASN1_read_bio"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_ASN1_write, 0), "PEM_ASN1_write"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_ASN1_write_bio, 0), "PEM_ASN1_write_bio"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_read, 0), "PEM_X509_INFO_read"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_read_bio, 0), "PEM_X509_INFO_read_bio"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_write_bio, 0), "PEM_X509_INFO_write_bio"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_do_header, 0), "PEM_do_header"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_get_EVP_CIPHER_INFO, 0), "PEM_get_EVP_CIPHER_INFO"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read, 0), "PEM_read"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_DHparams, 0), "PEM_read_DHparams"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_PrivateKey, 0), "PEM_read_PrivateKey"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_bio, 0), "PEM_read_bio"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_bio_DHparams, 0), "PEM_read_bio_DHparams"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_bio_Parameters, 0), "PEM_read_bio_Parameters"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_read_bio_PrivateKey, 0), "PEM_read_bio_PrivateKey"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_write, 0), "PEM_write"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_write_PrivateKey, 0), "PEM_write_PrivateKey"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_write_bio, 0), "PEM_write_bio"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_d2i_PKCS8PrivateKey_bio, 0), "d2i_PKCS8PrivateKey_bio"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_d2i_PKCS8PrivateKey_fp, 0), "d2i_PKCS8PrivateKey_fp"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_do_pk8pkey, 0), "do_pk8pkey"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_do_pk8pkey_fp, 0), "do_pk8pkey_fp"},
- {ERR_PACK(ERR_LIB_PEM, PEM_F_load_iv, 0), "load_iv"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_BASE64_DECODE), "BAD_BASE64_DECODE"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_DECRYPT), "BAD_DECRYPT"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_END_LINE), "BAD_END_LINE"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_IV_CHARS), "BAD_IV_CHARS"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_MAGIC_NUMBER), "BAD_MAGIC_NUMBER"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_PASSWORD_READ), "BAD_PASSWORD_READ"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BAD_VERSION_NUMBER), "BAD_VERSION_NUMBER"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_BIO_WRITE_FAILURE), "BIO_WRITE_FAILURE"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_CIPHER_IS_NULL), "CIPHER_IS_NULL"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_ERROR_CONVERTING_PRIVATE_KEY), "ERROR_CONVERTING_PRIVATE_KEY"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_EXPECTING_PRIVATE_KEY_BLOB), "EXPECTING_PRIVATE_KEY_BLOB"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_EXPECTING_PUBLIC_KEY_BLOB), "EXPECTING_PUBLIC_KEY_BLOB"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_INCONSISTENT_HEADER), "INCONSISTENT_HEADER"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_KEYBLOB_HEADER_PARSE_ERROR), "KEYBLOB_HEADER_PARSE_ERROR"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_KEYBLOB_TOO_SHORT), "KEYBLOB_TOO_SHORT"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_NOT_DEK_INFO), "NOT_DEK_INFO"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_NOT_ENCRYPTED), "NOT_ENCRYPTED"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_NOT_PROC_TYPE), "NOT_PROC_TYPE"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_NO_START_LINE), "NO_START_LINE"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_PROBLEMS_GETTING_PASSWORD), "PROBLEMS_GETTING_PASSWORD"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_PUBLIC_KEY_NO_RSA), "PUBLIC_KEY_NO_RSA"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_PVK_DATA_TOO_SHORT), "PVK_DATA_TOO_SHORT"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_PVK_TOO_SHORT), "PVK_TOO_SHORT"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_READ_KEY), "READ_KEY"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_SHORT_HEADER), "SHORT_HEADER"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_CIPHER), "UNSUPPORTED_CIPHER"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_ENCRYPTION), "UNSUPPORTED_ENCRYPTION"},
- {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_KEY_COMPONENTS), "UNSUPPORTED_KEY_COMPONENTS"},
- {0, NULL},
-};
diff --git a/src/crypto/pem/pem_lib.c b/src/crypto/pem/pem_lib.c
index ff72c44..48e3297 100644
--- a/src/crypto/pem/pem_lib.c
+++ b/src/crypto/pem/pem_lib.c
@@ -363,10 +363,11 @@
|| !EVP_EncryptUpdate(&ctx,data,&j,data,i)
|| !EVP_EncryptFinal_ex(&ctx,&(data[j]),&i))
ret = 0;
+ else
+ i += j;
EVP_CIPHER_CTX_cleanup(&ctx);
if (ret == 0)
goto err;
- i+=j;
}
else
{
diff --git a/src/crypto/pem/pem_pk8.c b/src/crypto/pem/pem_pk8.c
index 18cfb92..383a524 100644
--- a/src/crypto/pem/pem_pk8.c
+++ b/src/crypto/pem/pem_pk8.c
@@ -59,6 +59,7 @@
#include <openssl/buf.h>
#include <openssl/err.h>
#include <openssl/evp.h>
+#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/pkcs8.h>
#include <openssl/rand.h>
diff --git a/src/crypto/perlasm/arm-xlate.pl b/src/crypto/perlasm/arm-xlate.pl
new file mode 100755
index 0000000..81ceb31
--- /dev/null
+++ b/src/crypto/perlasm/arm-xlate.pl
@@ -0,0 +1,165 @@
+#!/usr/bin/env perl
+
+# ARM assembler distiller by <appro>.
+
+my $flavour = shift;
+my $output = shift;
+open STDOUT,">$output" || die "can't open $output: $!";
+
+$flavour = "linux32" if (!$flavour or $flavour eq "void");
+
+my %GLOBALS;
+my $dotinlocallabels=($flavour=~/linux/)?1:0;
+
+################################################################
+# directives which need special treatment on different platforms
+################################################################
+my $arch = sub {
+ if ($flavour =~ /linux/) { ".arch\t".join(',',@_); }
+ else { ""; }
+};
+my $fpu = sub {
+ if ($flavour =~ /linux/) { ".fpu\t".join(',',@_); }
+ else { ""; }
+};
+my $hidden = sub {
+ if ($flavour =~ /ios/) { ".private_extern\t".join(',',@_); }
+ else { ".hidden\t".join(',',@_); }
+};
+my $comm = sub {
+ my @args = split(/,\s*/,shift);
+ my $name = @args[0];
+ my $global = \$GLOBALS{$name};
+ my $ret;
+
+ if ($flavour =~ /ios32/) {
+ $ret = ".comm\t_$name,@args[1]\n";
+ $ret .= ".non_lazy_symbol_pointer\n";
+ $ret .= "$name:\n";
+ $ret .= ".indirect_symbol\t_$name\n";
+ $ret .= ".long\t0";
+ $name = "_$name";
+ } else { $ret = ".comm\t".join(',',@args); }
+
+ $$global = $name;
+ $ret;
+};
+my $globl = sub {
+ my $name = shift;
+ my $global = \$GLOBALS{$name};
+ my $ret;
+
+ SWITCH: for ($flavour) {
+ /ios/ && do { $name = "_$name";
+ last;
+ };
+ }
+
+ $ret = ".globl $name" if (!$ret);
+ $$global = $name;
+ $ret;
+};
+my $global = $globl;
+my $extern = sub {
+ &$globl(@_);
+ return; # return nothing
+};
+my $type = sub {
+ if ($flavour =~ /linux/) { ".type\t".join(',',@_); }
+ else { ""; }
+};
+my $size = sub {
+ if ($flavour =~ /linux/) { ".size\t".join(',',@_); }
+ else { ""; }
+};
+my $inst = sub {
+ if ($flavour =~ /linux/) { ".inst\t".join(',',@_); }
+ else { ".long\t".join(',',@_); }
+};
+my $asciz = sub {
+ my $line = join(",",@_);
+ if ($line =~ /^"(.*)"$/)
+ { ".byte " . join(",",unpack("C*",$1),0) . "\n.align 2"; }
+ else
+ { ""; }
+};
+
+sub range {
+ my ($r,$sfx,$start,$end) = @_;
+
+ join(",",map("$r$_$sfx",($start..$end)));
+}
+
+sub expand_line {
+ my $line = shift;
+ my @ret = ();
+
+ pos($line)=0;
+
+ while ($line =~ m/\G[^@\/\{\"]*/g) {
+ if ($line =~ m/\G(@|\/\/|$)/gc) {
+ last;
+ }
+ elsif ($line =~ m/\G\{/gc) {
+ my $saved_pos = pos($line);
+ $line =~ s/\G([rdqv])([0-9]+)([^\-]*)\-\1([0-9]+)\3/range($1,$3,$2,$4)/e;
+ pos($line) = $saved_pos;
+ $line =~ m/\G[^\}]*\}/g;
+ }
+ elsif ($line =~ m/\G\"/gc) {
+ $line =~ m/\G[^\"]*\"/g;
+ }
+ }
+
+ $line =~ s/\b(\w+)/$GLOBALS{$1} or $1/ge;
+
+ return $line;
+}
+
+while($line=<>) {
+
+ if ($line =~ m/^\s*(#|@|\/\/)/) { print $line; next; }
+
+ $line =~ s|/\*.*\*/||; # get rid of C-style comments...
+ $line =~ s|^\s+||; # ... and skip white spaces in beginning...
+ $line =~ s|\s+$||; # ... and at the end
+
+ {
+ $line =~ s|[\b\.]L(\w{2,})|L$1|g; # common denominator for Locallabel
+ $line =~ s|\bL(\w{2,})|\.L$1|g if ($dotinlocallabels);
+ }
+
+ {
+ $line =~ s|(^[\.\w]+)\:\s*||;
+ my $label = $1;
+ if ($label) {
+ printf "%s:",($GLOBALS{$label} or $label);
+ }
+ }
+
+ if ($line !~ m/^[#@]/) {
+ $line =~ s|^\s*(\.?)(\S+)\s*||;
+ my $c = $1; $c = "\t" if ($c eq "");
+ my $mnemonic = $2;
+ my $opcode;
+ if ($mnemonic =~ m/([^\.]+)\.([^\.]+)/) {
+ $opcode = eval("\$$1_$2");
+ } else {
+ $opcode = eval("\$$mnemonic");
+ }
+
+ my $arg=expand_line($line);
+
+ if (ref($opcode) eq 'CODE') {
+ $line = &$opcode($arg);
+ } elsif ($mnemonic) {
+ $line = $c.$mnemonic;
+ $line.= "\t$arg" if ($arg ne "");
+ }
+ }
+
+ print $line if ($line);
+ print "\n";
+}
+
+close STDOUT;
diff --git a/src/crypto/perlasm/ppc-xlate.pl b/src/crypto/perlasm/ppc-xlate.pl
deleted file mode 100755
index 3c1caac..0000000
--- a/src/crypto/perlasm/ppc-xlate.pl
+++ /dev/null
@@ -1,167 +0,0 @@
-#!/usr/bin/env perl
-
-# PowerPC assembler distiller by <appro>.
-
-my $flavour = shift;
-my $output = shift;
-open STDOUT,">$output" || die "can't open $output: $!";
-
-my %GLOBALS;
-my $dotinlocallabels=($flavour=~/linux/)?1:0;
-
-################################################################
-# directives which need special treatment on different platforms
-################################################################
-my $globl = sub {
- my $junk = shift;
- my $name = shift;
- my $global = \$GLOBALS{$name};
- my $ret;
-
- $name =~ s|^[\.\_]||;
-
- SWITCH: for ($flavour) {
- /aix/ && do { $name = ".$name";
- last;
- };
- /osx/ && do { $name = "_$name";
- last;
- };
- /linux.*(32|64le)/
- && do { $ret .= ".globl $name\n";
- $ret .= ".type $name,\@function";
- last;
- };
- /linux.*64/ && do { $ret .= ".globl $name\n";
- $ret .= ".type $name,\@function\n";
- $ret .= ".section \".opd\",\"aw\"\n";
- $ret .= ".align 3\n";
- $ret .= "$name:\n";
- $ret .= ".quad .$name,.TOC.\@tocbase,0\n";
- $ret .= ".previous\n";
-
- $name = ".$name";
- last;
- };
- }
-
- $ret = ".globl $name" if (!$ret);
- $$global = $name;
- $ret;
-};
-my $text = sub {
- my $ret = ($flavour =~ /aix/) ? ".csect" : ".text";
- $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/);
- $ret;
-};
-my $machine = sub {
- my $junk = shift;
- my $arch = shift;
- if ($flavour =~ /osx/)
- { $arch =~ s/\"//g;
- $arch = ($flavour=~/64/) ? "ppc970-64" : "ppc970" if ($arch eq "any");
- }
- ".machine $arch";
-};
-my $size = sub {
- if ($flavour =~ /linux/)
- { shift;
- my $name = shift; $name =~ s|^[\.\_]||;
- my $ret = ".size $name,.-".($flavour=~/64$/?".":"").$name;
- $ret .= "\n.size .$name,.-.$name" if ($flavour=~/64$/);
- $ret;
- }
- else
- { ""; }
-};
-my $asciz = sub {
- shift;
- my $line = join(",",@_);
- if ($line =~ /^"(.*)"$/)
- { ".byte " . join(",",unpack("C*",$1),0) . "\n.align 2"; }
- else
- { ""; }
-};
-
-################################################################
-# simplified mnemonics not handled by at least one assembler
-################################################################
-my $cmplw = sub {
- my $f = shift;
- my $cr = 0; $cr = shift if ($#_>1);
- # Some out-of-date 32-bit GNU assembler just can't handle cmplw...
- ($flavour =~ /linux.*32/) ?
- " .long ".sprintf "0x%x",31<<26|$cr<<23|$_[0]<<16|$_[1]<<11|64 :
- " cmplw ".join(',',$cr,@_);
-};
-my $bdnz = sub {
- my $f = shift;
- my $bo = $f=~/[\+\-]/ ? 16+9 : 16; # optional "to be taken" hint
- " bc $bo,0,".shift;
-} if ($flavour!~/linux/);
-my $bltlr = sub {
- my $f = shift;
- my $bo = $f=~/\-/ ? 12+2 : 12; # optional "not to be taken" hint
- ($flavour =~ /linux/) ? # GNU as doesn't allow most recent hints
- " .long ".sprintf "0x%x",19<<26|$bo<<21|16<<1 :
- " bclr $bo,0";
-};
-my $bnelr = sub {
- my $f = shift;
- my $bo = $f=~/\-/ ? 4+2 : 4; # optional "not to be taken" hint
- ($flavour =~ /linux/) ? # GNU as doesn't allow most recent hints
- " .long ".sprintf "0x%x",19<<26|$bo<<21|2<<16|16<<1 :
- " bclr $bo,2";
-};
-my $beqlr = sub {
- my $f = shift;
- my $bo = $f=~/-/ ? 12+2 : 12; # optional "not to be taken" hint
- ($flavour =~ /linux/) ? # GNU as doesn't allow most recent hints
- " .long ".sprintf "0x%X",19<<26|$bo<<21|2<<16|16<<1 :
- " bclr $bo,2";
-};
-# GNU assembler can't handle extrdi rA,rS,16,48, or when sum of last two
-# arguments is 64, with "operand out of range" error.
-my $extrdi = sub {
- my ($f,$ra,$rs,$n,$b) = @_;
- $b = ($b+$n)&63; $n = 64-$n;
- " rldicl $ra,$rs,$b,$n";
-};
-
-while($line=<>) {
-
- $line =~ s|[#!;].*$||; # get rid of asm-style comments...
- $line =~ s|/\*.*\*/||; # ... and C-style comments...
- $line =~ s|^\s+||; # ... and skip white spaces in beginning...
- $line =~ s|\s+$||; # ... and at the end
-
- {
- $line =~ s|\b\.L(\w+)|L$1|g; # common denominator for Locallabel
- $line =~ s|\bL(\w+)|\.L$1|g if ($dotinlocallabels);
- }
-
- {
- $line =~ s|(^[\.\w]+)\:\s*||;
- my $label = $1;
- if ($label) {
- printf "%s:",($GLOBALS{$label} or $label);
- printf "\n.localentry\t$GLOBALS{$label},0" if ($GLOBALS{$label} && $flavour =~ /linux.*64le/);
- }
- }
-
- {
- $line =~ s|^\s*(\.?)(\w+)([\.\+\-]?)\s*||;
- my $c = $1; $c = "\t" if ($c eq "");
- my $mnemonic = $2;
- my $f = $3;
- my $opcode = eval("\$$mnemonic");
- $line =~ s|\bc?[rf]([0-9]+)\b|$1|g if ($c ne "." and $flavour !~ /osx/);
- if (ref($opcode) eq 'CODE') { $line = &$opcode($f,split(',',$line)); }
- elsif ($mnemonic) { $line = $c.$mnemonic.$f."\t".$line; }
- }
-
- print $line if ($line);
- print "\n";
-}
-
-close STDOUT;
diff --git a/src/crypto/perlasm/sparcv9_modes.pl b/src/crypto/perlasm/sparcv9_modes.pl
deleted file mode 100644
index 6b47bb1..0000000
--- a/src/crypto/perlasm/sparcv9_modes.pl
+++ /dev/null
@@ -1,1680 +0,0 @@
-#!/usr/bin/env perl
-
-# Specific modes implementations for SPARC Architecture 2011. There
-# is T4 dependency though, an ASI value that is not specified in the
-# Architecture Manual. But as SPARC universe is rather monocultural,
-# we imply that processor capable of executing crypto instructions
-# can handle the ASI in question as well. This means that we ought to
-# keep eyes open when new processors emerge...
-#
-# As for above mentioned ASI. It's so called "block initializing
-# store" which cancels "read" in "read-update-write" on cache lines.
-# This is "cooperative" optimization, as it reduces overall pressure
-# on memory interface. Benefits can't be observed/quantified with
-# usual benchmarks, on the contrary you can notice that single-thread
-# performance for parallelizable modes is ~1.5% worse for largest
-# block sizes [though few percent better for not so long ones]. All
-# this based on suggestions from David Miller.
-
-sub asm_init { # to be called with @ARGV as argument
- for (@_) { $::abibits=64 if (/\-m64/ || /\-xarch\=v9/); }
- if ($::abibits==64) { $::bias=2047; $::frame=192; $::size_t_cc="%xcc"; }
- else { $::bias=0; $::frame=112; $::size_t_cc="%icc"; }
-}
-
-# unified interface
-my ($inp,$out,$len,$key,$ivec)=map("%i$_",(0..5));
-# local variables
-my ($ileft,$iright,$ooff,$omask,$ivoff,$blk_init)=map("%l$_",(0..7));
-
-sub alg_cbc_encrypt_implement {
-my ($alg,$bits) = @_;
-
-$::code.=<<___;
-.globl ${alg}${bits}_t4_cbc_encrypt
-.align 32
-${alg}${bits}_t4_cbc_encrypt:
- save %sp, -$::frame, %sp
- sub $inp, $out, $blk_init ! $inp!=$out
-___
-$::code.=<<___ if (!$::evp);
- andcc $ivec, 7, $ivoff
- alignaddr $ivec, %g0, $ivec
-
- ldd [$ivec + 0], %f0 ! load ivec
- bz,pt %icc, 1f
- ldd [$ivec + 8], %f2
- ldd [$ivec + 16], %f4
- faligndata %f0, %f2, %f0
- faligndata %f2, %f4, %f2
-1:
-___
-$::code.=<<___ if ($::evp);
- ld [$ivec + 0], %f0
- ld [$ivec + 4], %f1
- ld [$ivec + 8], %f2
- ld [$ivec + 12], %f3
-___
-$::code.=<<___;
- prefetch [$inp], 20
- prefetch [$inp + 63], 20
- call _${alg}${bits}_load_enckey
- and $inp, 7, $ileft
- andn $inp, 7, $inp
- sll $ileft, 3, $ileft
- mov 64, $iright
- mov 0xff, $omask
- sub $iright, $ileft, $iright
- and $out, 7, $ooff
- cmp $len, 127
- movrnz $ooff, 0, $blk_init ! if ( $out&7 ||
- movleu $::size_t_cc, 0, $blk_init ! $len<128 ||
- brnz,pn $blk_init, .L${bits}cbc_enc_blk ! $inp==$out)
- srl $omask, $ooff, $omask
-
- alignaddrl $out, %g0, $out
- srlx $len, 4, $len
- prefetch [$out], 22
-
-.L${bits}_cbc_enc_loop:
- ldx [$inp + 0], %o0
- brz,pt $ileft, 4f
- ldx [$inp + 8], %o1
-
- ldx [$inp + 16], %o2
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- sllx %o1, $ileft, %o1
- or %g1, %o0, %o0
- srlx %o2, $iright, %o2
- or %o2, %o1, %o1
-4:
- xor %g4, %o0, %o0 ! ^= rk[0]
- xor %g5, %o1, %o1
- movxtod %o0, %f12
- movxtod %o1, %f14
-
- fxor %f12, %f0, %f0 ! ^= ivec
- fxor %f14, %f2, %f2
- prefetch [$out + 63], 22
- prefetch [$inp + 16+63], 20
- call _${alg}${bits}_encrypt_1x
- add $inp, 16, $inp
-
- brnz,pn $ooff, 2f
- sub $len, 1, $len
-
- std %f0, [$out + 0]
- std %f2, [$out + 8]
- brnz,pt $len, .L${bits}_cbc_enc_loop
- add $out, 16, $out
-___
-$::code.=<<___ if ($::evp);
- st %f0, [$ivec + 0]
- st %f1, [$ivec + 4]
- st %f2, [$ivec + 8]
- st %f3, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
- brnz,pn $ivoff, 3f
- nop
-
- std %f0, [$ivec + 0] ! write out ivec
- std %f2, [$ivec + 8]
-___
-$::code.=<<___;
- ret
- restore
-
-.align 16
-2: ldxa [$inp]0x82, %o0 ! avoid read-after-write hazard
- ! and ~3x deterioration
- ! in inp==out case
- faligndata %f0, %f0, %f4 ! handle unaligned output
- faligndata %f0, %f2, %f6
- faligndata %f2, %f2, %f8
-
- stda %f4, [$out + $omask]0xc0 ! partial store
- std %f6, [$out + 8]
- add $out, 16, $out
- orn %g0, $omask, $omask
- stda %f8, [$out + $omask]0xc0 ! partial store
-
- brnz,pt $len, .L${bits}_cbc_enc_loop+4
- orn %g0, $omask, $omask
-___
-$::code.=<<___ if ($::evp);
- st %f0, [$ivec + 0]
- st %f1, [$ivec + 4]
- st %f2, [$ivec + 8]
- st %f3, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
- brnz,pn $ivoff, 3f
- nop
-
- std %f0, [$ivec + 0] ! write out ivec
- std %f2, [$ivec + 8]
- ret
- restore
-
-.align 16
-3: alignaddrl $ivec, $ivoff, %g0 ! handle unaligned ivec
- mov 0xff, $omask
- srl $omask, $ivoff, $omask
- faligndata %f0, %f0, %f4
- faligndata %f0, %f2, %f6
- faligndata %f2, %f2, %f8
- stda %f4, [$ivec + $omask]0xc0
- std %f6, [$ivec + 8]
- add $ivec, 16, $ivec
- orn %g0, $omask, $omask
- stda %f8, [$ivec + $omask]0xc0
-___
-$::code.=<<___;
- ret
- restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align 32
-.L${bits}cbc_enc_blk:
- add $out, $len, $blk_init
- and $blk_init, 63, $blk_init ! tail
- sub $len, $blk_init, $len
- add $blk_init, 15, $blk_init ! round up to 16n
- srlx $len, 4, $len
- srl $blk_init, 4, $blk_init
-
-.L${bits}_cbc_enc_blk_loop:
- ldx [$inp + 0], %o0
- brz,pt $ileft, 5f
- ldx [$inp + 8], %o1
-
- ldx [$inp + 16], %o2
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- sllx %o1, $ileft, %o1
- or %g1, %o0, %o0
- srlx %o2, $iright, %o2
- or %o2, %o1, %o1
-5:
- xor %g4, %o0, %o0 ! ^= rk[0]
- xor %g5, %o1, %o1
- movxtod %o0, %f12
- movxtod %o1, %f14
-
- fxor %f12, %f0, %f0 ! ^= ivec
- fxor %f14, %f2, %f2
- prefetch [$inp + 16+63], 20
- call _${alg}${bits}_encrypt_1x
- add $inp, 16, $inp
- sub $len, 1, $len
-
- stda %f0, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f2, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- brnz,pt $len, .L${bits}_cbc_enc_blk_loop
- add $out, 8, $out
-
- membar #StoreLoad|#StoreStore
- brnz,pt $blk_init, .L${bits}_cbc_enc_loop
- mov $blk_init, $len
-___
-$::code.=<<___ if ($::evp);
- st %f0, [$ivec + 0]
- st %f1, [$ivec + 4]
- st %f2, [$ivec + 8]
- st %f3, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
- brnz,pn $ivoff, 3b
- nop
-
- std %f0, [$ivec + 0] ! write out ivec
- std %f2, [$ivec + 8]
-___
-$::code.=<<___;
- ret
- restore
-.type ${alg}${bits}_t4_cbc_encrypt,#function
-.size ${alg}${bits}_t4_cbc_encrypt,.-${alg}${bits}_t4_cbc_encrypt
-___
-}
-
-sub alg_cbc_decrypt_implement {
-my ($alg,$bits) = @_;
-
-$::code.=<<___;
-.globl ${alg}${bits}_t4_cbc_decrypt
-.align 32
-${alg}${bits}_t4_cbc_decrypt:
- save %sp, -$::frame, %sp
- sub $inp, $out, $blk_init ! $inp!=$out
-___
-$::code.=<<___ if (!$::evp);
- andcc $ivec, 7, $ivoff
- alignaddr $ivec, %g0, $ivec
-
- ldd [$ivec + 0], %f12 ! load ivec
- bz,pt %icc, 1f
- ldd [$ivec + 8], %f14
- ldd [$ivec + 16], %f0
- faligndata %f12, %f14, %f12
- faligndata %f14, %f0, %f14
-1:
-___
-$::code.=<<___ if ($::evp);
- ld [$ivec + 0], %f12 ! load ivec
- ld [$ivec + 4], %f13
- ld [$ivec + 8], %f14
- ld [$ivec + 12], %f15
-___
-$::code.=<<___;
- prefetch [$inp], 20
- prefetch [$inp + 63], 20
- call _${alg}${bits}_load_deckey
- and $inp, 7, $ileft
- andn $inp, 7, $inp
- sll $ileft, 3, $ileft
- mov 64, $iright
- mov 0xff, $omask
- sub $iright, $ileft, $iright
- and $out, 7, $ooff
- cmp $len, 255
- movrnz $ooff, 0, $blk_init ! if ( $out&7 ||
- movleu $::size_t_cc, 0, $blk_init ! $len<256 ||
- brnz,pn $blk_init, .L${bits}cbc_dec_blk ! $inp==$out)
- srl $omask, $ooff, $omask
-
- andcc $len, 16, %g0 ! is number of blocks even?
- srlx $len, 4, $len
- alignaddrl $out, %g0, $out
- bz %icc, .L${bits}_cbc_dec_loop2x
- prefetch [$out], 22
-.L${bits}_cbc_dec_loop:
- ldx [$inp + 0], %o0
- brz,pt $ileft, 4f
- ldx [$inp + 8], %o1
-
- ldx [$inp + 16], %o2
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- sllx %o1, $ileft, %o1
- or %g1, %o0, %o0
- srlx %o2, $iright, %o2
- or %o2, %o1, %o1
-4:
- xor %g4, %o0, %o2 ! ^= rk[0]
- xor %g5, %o1, %o3
- movxtod %o2, %f0
- movxtod %o3, %f2
-
- prefetch [$out + 63], 22
- prefetch [$inp + 16+63], 20
- call _${alg}${bits}_decrypt_1x
- add $inp, 16, $inp
-
- fxor %f12, %f0, %f0 ! ^= ivec
- fxor %f14, %f2, %f2
- movxtod %o0, %f12
- movxtod %o1, %f14
-
- brnz,pn $ooff, 2f
- sub $len, 1, $len
-
- std %f0, [$out + 0]
- std %f2, [$out + 8]
- brnz,pt $len, .L${bits}_cbc_dec_loop2x
- add $out, 16, $out
-___
-$::code.=<<___ if ($::evp);
- st %f12, [$ivec + 0]
- st %f13, [$ivec + 4]
- st %f14, [$ivec + 8]
- st %f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
- brnz,pn $ivoff, .L${bits}_cbc_dec_unaligned_ivec
- nop
-
- std %f12, [$ivec + 0] ! write out ivec
- std %f14, [$ivec + 8]
-___
-$::code.=<<___;
- ret
- restore
-
-.align 16
-2: ldxa [$inp]0x82, %o0 ! avoid read-after-write hazard
- ! and ~3x deterioration
- ! in inp==out case
- faligndata %f0, %f0, %f4 ! handle unaligned output
- faligndata %f0, %f2, %f6
- faligndata %f2, %f2, %f8
-
- stda %f4, [$out + $omask]0xc0 ! partial store
- std %f6, [$out + 8]
- add $out, 16, $out
- orn %g0, $omask, $omask
- stda %f8, [$out + $omask]0xc0 ! partial store
-
- brnz,pt $len, .L${bits}_cbc_dec_loop2x+4
- orn %g0, $omask, $omask
-___
-$::code.=<<___ if ($::evp);
- st %f12, [$ivec + 0]
- st %f13, [$ivec + 4]
- st %f14, [$ivec + 8]
- st %f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
- brnz,pn $ivoff, .L${bits}_cbc_dec_unaligned_ivec
- nop
-
- std %f12, [$ivec + 0] ! write out ivec
- std %f14, [$ivec + 8]
-___
-$::code.=<<___;
- ret
- restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align 32
-.L${bits}_cbc_dec_loop2x:
- ldx [$inp + 0], %o0
- ldx [$inp + 8], %o1
- ldx [$inp + 16], %o2
- brz,pt $ileft, 4f
- ldx [$inp + 24], %o3
-
- ldx [$inp + 32], %o4
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- or %g1, %o0, %o0
- sllx %o1, $ileft, %o1
- srlx %o2, $iright, %g1
- or %g1, %o1, %o1
- sllx %o2, $ileft, %o2
- srlx %o3, $iright, %g1
- or %g1, %o2, %o2
- sllx %o3, $ileft, %o3
- srlx %o4, $iright, %o4
- or %o4, %o3, %o3
-4:
- xor %g4, %o0, %o4 ! ^= rk[0]
- xor %g5, %o1, %o5
- movxtod %o4, %f0
- movxtod %o5, %f2
- xor %g4, %o2, %o4
- xor %g5, %o3, %o5
- movxtod %o4, %f4
- movxtod %o5, %f6
-
- prefetch [$out + 63], 22
- prefetch [$inp + 32+63], 20
- call _${alg}${bits}_decrypt_2x
- add $inp, 32, $inp
-
- movxtod %o0, %f8
- movxtod %o1, %f10
- fxor %f12, %f0, %f0 ! ^= ivec
- fxor %f14, %f2, %f2
- movxtod %o2, %f12
- movxtod %o3, %f14
- fxor %f8, %f4, %f4
- fxor %f10, %f6, %f6
-
- brnz,pn $ooff, 2f
- sub $len, 2, $len
-
- std %f0, [$out + 0]
- std %f2, [$out + 8]
- std %f4, [$out + 16]
- std %f6, [$out + 24]
- brnz,pt $len, .L${bits}_cbc_dec_loop2x
- add $out, 32, $out
-___
-$::code.=<<___ if ($::evp);
- st %f12, [$ivec + 0]
- st %f13, [$ivec + 4]
- st %f14, [$ivec + 8]
- st %f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
- brnz,pn $ivoff, .L${bits}_cbc_dec_unaligned_ivec
- nop
-
- std %f12, [$ivec + 0] ! write out ivec
- std %f14, [$ivec + 8]
-___
-$::code.=<<___;
- ret
- restore
-
-.align 16
-2: ldxa [$inp]0x82, %o0 ! avoid read-after-write hazard
- ! and ~3x deterioration
- ! in inp==out case
- faligndata %f0, %f0, %f8 ! handle unaligned output
- faligndata %f0, %f2, %f0
- faligndata %f2, %f4, %f2
- faligndata %f4, %f6, %f4
- faligndata %f6, %f6, %f6
- stda %f8, [$out + $omask]0xc0 ! partial store
- std %f0, [$out + 8]
- std %f2, [$out + 16]
- std %f4, [$out + 24]
- add $out, 32, $out
- orn %g0, $omask, $omask
- stda %f6, [$out + $omask]0xc0 ! partial store
-
- brnz,pt $len, .L${bits}_cbc_dec_loop2x+4
- orn %g0, $omask, $omask
-___
-$::code.=<<___ if ($::evp);
- st %f12, [$ivec + 0]
- st %f13, [$ivec + 4]
- st %f14, [$ivec + 8]
- st %f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
- brnz,pn $ivoff, .L${bits}_cbc_dec_unaligned_ivec
- nop
-
- std %f12, [$ivec + 0] ! write out ivec
- std %f14, [$ivec + 8]
- ret
- restore
-
-.align 16
-.L${bits}_cbc_dec_unaligned_ivec:
- alignaddrl $ivec, $ivoff, %g0 ! handle unaligned ivec
- mov 0xff, $omask
- srl $omask, $ivoff, $omask
- faligndata %f12, %f12, %f0
- faligndata %f12, %f14, %f2
- faligndata %f14, %f14, %f4
- stda %f0, [$ivec + $omask]0xc0
- std %f2, [$ivec + 8]
- add $ivec, 16, $ivec
- orn %g0, $omask, $omask
- stda %f4, [$ivec + $omask]0xc0
-___
-$::code.=<<___;
- ret
- restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align 32
-.L${bits}cbc_dec_blk:
- add $out, $len, $blk_init
- and $blk_init, 63, $blk_init ! tail
- sub $len, $blk_init, $len
- add $blk_init, 15, $blk_init ! round up to 16n
- srlx $len, 4, $len
- srl $blk_init, 4, $blk_init
- sub $len, 1, $len
- add $blk_init, 1, $blk_init
-
-.L${bits}_cbc_dec_blk_loop2x:
- ldx [$inp + 0], %o0
- ldx [$inp + 8], %o1
- ldx [$inp + 16], %o2
- brz,pt $ileft, 5f
- ldx [$inp + 24], %o3
-
- ldx [$inp + 32], %o4
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- or %g1, %o0, %o0
- sllx %o1, $ileft, %o1
- srlx %o2, $iright, %g1
- or %g1, %o1, %o1
- sllx %o2, $ileft, %o2
- srlx %o3, $iright, %g1
- or %g1, %o2, %o2
- sllx %o3, $ileft, %o3
- srlx %o4, $iright, %o4
- or %o4, %o3, %o3
-5:
- xor %g4, %o0, %o4 ! ^= rk[0]
- xor %g5, %o1, %o5
- movxtod %o4, %f0
- movxtod %o5, %f2
- xor %g4, %o2, %o4
- xor %g5, %o3, %o5
- movxtod %o4, %f4
- movxtod %o5, %f6
-
- prefetch [$inp + 32+63], 20
- call _${alg}${bits}_decrypt_2x
- add $inp, 32, $inp
- subcc $len, 2, $len
-
- movxtod %o0, %f8
- movxtod %o1, %f10
- fxor %f12, %f0, %f0 ! ^= ivec
- fxor %f14, %f2, %f2
- movxtod %o2, %f12
- movxtod %o3, %f14
- fxor %f8, %f4, %f4
- fxor %f10, %f6, %f6
-
- stda %f0, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f2, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f4, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f6, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- bgu,pt $::size_t_cc, .L${bits}_cbc_dec_blk_loop2x
- add $out, 8, $out
-
- add $blk_init, $len, $len
- andcc $len, 1, %g0 ! is number of blocks even?
- membar #StoreLoad|#StoreStore
- bnz,pt %icc, .L${bits}_cbc_dec_loop
- srl $len, 0, $len
- brnz,pn $len, .L${bits}_cbc_dec_loop2x
- nop
-___
-$::code.=<<___ if ($::evp);
- st %f12, [$ivec + 0] ! write out ivec
- st %f13, [$ivec + 4]
- st %f14, [$ivec + 8]
- st %f15, [$ivec + 12]
-___
-$::code.=<<___ if (!$::evp);
- brnz,pn $ivoff, 3b
- nop
-
- std %f12, [$ivec + 0] ! write out ivec
- std %f14, [$ivec + 8]
-___
-$::code.=<<___;
- ret
- restore
-.type ${alg}${bits}_t4_cbc_decrypt,#function
-.size ${alg}${bits}_t4_cbc_decrypt,.-${alg}${bits}_t4_cbc_decrypt
-___
-}
-
-sub alg_ctr32_implement {
-my ($alg,$bits) = @_;
-
-$::code.=<<___;
-.globl ${alg}${bits}_t4_ctr32_encrypt
-.align 32
-${alg}${bits}_t4_ctr32_encrypt:
- save %sp, -$::frame, %sp
-
- prefetch [$inp], 20
- prefetch [$inp + 63], 20
- call _${alg}${bits}_load_enckey
- sllx $len, 4, $len
-
- ld [$ivec + 0], %l4 ! counter
- ld [$ivec + 4], %l5
- ld [$ivec + 8], %l6
- ld [$ivec + 12], %l7
-
- sllx %l4, 32, %o5
- or %l5, %o5, %o5
- sllx %l6, 32, %g1
- xor %o5, %g4, %g4 ! ^= rk[0]
- xor %g1, %g5, %g5
- movxtod %g4, %f14 ! most significant 64 bits
-
- sub $inp, $out, $blk_init ! $inp!=$out
- and $inp, 7, $ileft
- andn $inp, 7, $inp
- sll $ileft, 3, $ileft
- mov 64, $iright
- mov 0xff, $omask
- sub $iright, $ileft, $iright
- and $out, 7, $ooff
- cmp $len, 255
- movrnz $ooff, 0, $blk_init ! if ( $out&7 ||
- movleu $::size_t_cc, 0, $blk_init ! $len<256 ||
- brnz,pn $blk_init, .L${bits}_ctr32_blk ! $inp==$out)
- srl $omask, $ooff, $omask
-
- andcc $len, 16, %g0 ! is number of blocks even?
- alignaddrl $out, %g0, $out
- bz %icc, .L${bits}_ctr32_loop2x
- srlx $len, 4, $len
-.L${bits}_ctr32_loop:
- ldx [$inp + 0], %o0
- brz,pt $ileft, 4f
- ldx [$inp + 8], %o1
-
- ldx [$inp + 16], %o2
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- sllx %o1, $ileft, %o1
- or %g1, %o0, %o0
- srlx %o2, $iright, %o2
- or %o2, %o1, %o1
-4:
- xor %g5, %l7, %g1 ! ^= rk[0]
- add %l7, 1, %l7
- movxtod %g1, %f2
- srl %l7, 0, %l7 ! clruw
- prefetch [$out + 63], 22
- prefetch [$inp + 16+63], 20
-___
-$::code.=<<___ if ($alg eq "aes");
- aes_eround01 %f16, %f14, %f2, %f4
- aes_eround23 %f18, %f14, %f2, %f2
-___
-$::code.=<<___ if ($alg eq "cmll");
- camellia_f %f16, %f2, %f14, %f2
- camellia_f %f18, %f14, %f2, %f0
-___
-$::code.=<<___;
- call _${alg}${bits}_encrypt_1x+8
- add $inp, 16, $inp
-
- movxtod %o0, %f10
- movxtod %o1, %f12
- fxor %f10, %f0, %f0 ! ^= inp
- fxor %f12, %f2, %f2
-
- brnz,pn $ooff, 2f
- sub $len, 1, $len
-
- std %f0, [$out + 0]
- std %f2, [$out + 8]
- brnz,pt $len, .L${bits}_ctr32_loop2x
- add $out, 16, $out
-
- ret
- restore
-
-.align 16
-2: ldxa [$inp]0x82, %o0 ! avoid read-after-write hazard
- ! and ~3x deterioration
- ! in inp==out case
- faligndata %f0, %f0, %f4 ! handle unaligned output
- faligndata %f0, %f2, %f6
- faligndata %f2, %f2, %f8
- stda %f4, [$out + $omask]0xc0 ! partial store
- std %f6, [$out + 8]
- add $out, 16, $out
- orn %g0, $omask, $omask
- stda %f8, [$out + $omask]0xc0 ! partial store
-
- brnz,pt $len, .L${bits}_ctr32_loop2x+4
- orn %g0, $omask, $omask
-
- ret
- restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align 32
-.L${bits}_ctr32_loop2x:
- ldx [$inp + 0], %o0
- ldx [$inp + 8], %o1
- ldx [$inp + 16], %o2
- brz,pt $ileft, 4f
- ldx [$inp + 24], %o3
-
- ldx [$inp + 32], %o4
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- or %g1, %o0, %o0
- sllx %o1, $ileft, %o1
- srlx %o2, $iright, %g1
- or %g1, %o1, %o1
- sllx %o2, $ileft, %o2
- srlx %o3, $iright, %g1
- or %g1, %o2, %o2
- sllx %o3, $ileft, %o3
- srlx %o4, $iright, %o4
- or %o4, %o3, %o3
-4:
- xor %g5, %l7, %g1 ! ^= rk[0]
- add %l7, 1, %l7
- movxtod %g1, %f2
- srl %l7, 0, %l7 ! clruw
- xor %g5, %l7, %g1
- add %l7, 1, %l7
- movxtod %g1, %f6
- srl %l7, 0, %l7 ! clruw
- prefetch [$out + 63], 22
- prefetch [$inp + 32+63], 20
-___
-$::code.=<<___ if ($alg eq "aes");
- aes_eround01 %f16, %f14, %f2, %f8
- aes_eround23 %f18, %f14, %f2, %f2
- aes_eround01 %f16, %f14, %f6, %f10
- aes_eround23 %f18, %f14, %f6, %f6
-___
-$::code.=<<___ if ($alg eq "cmll");
- camellia_f %f16, %f2, %f14, %f2
- camellia_f %f16, %f6, %f14, %f6
- camellia_f %f18, %f14, %f2, %f0
- camellia_f %f18, %f14, %f6, %f4
-___
-$::code.=<<___;
- call _${alg}${bits}_encrypt_2x+16
- add $inp, 32, $inp
-
- movxtod %o0, %f8
- movxtod %o1, %f10
- movxtod %o2, %f12
- fxor %f8, %f0, %f0 ! ^= inp
- movxtod %o3, %f8
- fxor %f10, %f2, %f2
- fxor %f12, %f4, %f4
- fxor %f8, %f6, %f6
-
- brnz,pn $ooff, 2f
- sub $len, 2, $len
-
- std %f0, [$out + 0]
- std %f2, [$out + 8]
- std %f4, [$out + 16]
- std %f6, [$out + 24]
- brnz,pt $len, .L${bits}_ctr32_loop2x
- add $out, 32, $out
-
- ret
- restore
-
-.align 16
-2: ldxa [$inp]0x82, %o0 ! avoid read-after-write hazard
- ! and ~3x deterioration
- ! in inp==out case
- faligndata %f0, %f0, %f8 ! handle unaligned output
- faligndata %f0, %f2, %f0
- faligndata %f2, %f4, %f2
- faligndata %f4, %f6, %f4
- faligndata %f6, %f6, %f6
-
- stda %f8, [$out + $omask]0xc0 ! partial store
- std %f0, [$out + 8]
- std %f2, [$out + 16]
- std %f4, [$out + 24]
- add $out, 32, $out
- orn %g0, $omask, $omask
- stda %f6, [$out + $omask]0xc0 ! partial store
-
- brnz,pt $len, .L${bits}_ctr32_loop2x+4
- orn %g0, $omask, $omask
-
- ret
- restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align 32
-.L${bits}_ctr32_blk:
- add $out, $len, $blk_init
- and $blk_init, 63, $blk_init ! tail
- sub $len, $blk_init, $len
- add $blk_init, 15, $blk_init ! round up to 16n
- srlx $len, 4, $len
- srl $blk_init, 4, $blk_init
- sub $len, 1, $len
- add $blk_init, 1, $blk_init
-
-.L${bits}_ctr32_blk_loop2x:
- ldx [$inp + 0], %o0
- ldx [$inp + 8], %o1
- ldx [$inp + 16], %o2
- brz,pt $ileft, 5f
- ldx [$inp + 24], %o3
-
- ldx [$inp + 32], %o4
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- or %g1, %o0, %o0
- sllx %o1, $ileft, %o1
- srlx %o2, $iright, %g1
- or %g1, %o1, %o1
- sllx %o2, $ileft, %o2
- srlx %o3, $iright, %g1
- or %g1, %o2, %o2
- sllx %o3, $ileft, %o3
- srlx %o4, $iright, %o4
- or %o4, %o3, %o3
-5:
- xor %g5, %l7, %g1 ! ^= rk[0]
- add %l7, 1, %l7
- movxtod %g1, %f2
- srl %l7, 0, %l7 ! clruw
- xor %g5, %l7, %g1
- add %l7, 1, %l7
- movxtod %g1, %f6
- srl %l7, 0, %l7 ! clruw
- prefetch [$inp + 32+63], 20
-___
-$::code.=<<___ if ($alg eq "aes");
- aes_eround01 %f16, %f14, %f2, %f8
- aes_eround23 %f18, %f14, %f2, %f2
- aes_eround01 %f16, %f14, %f6, %f10
- aes_eround23 %f18, %f14, %f6, %f6
-___
-$::code.=<<___ if ($alg eq "cmll");
- camellia_f %f16, %f2, %f14, %f2
- camellia_f %f16, %f6, %f14, %f6
- camellia_f %f18, %f14, %f2, %f0
- camellia_f %f18, %f14, %f6, %f4
-___
-$::code.=<<___;
- call _${alg}${bits}_encrypt_2x+16
- add $inp, 32, $inp
- subcc $len, 2, $len
-
- movxtod %o0, %f8
- movxtod %o1, %f10
- movxtod %o2, %f12
- fxor %f8, %f0, %f0 ! ^= inp
- movxtod %o3, %f8
- fxor %f10, %f2, %f2
- fxor %f12, %f4, %f4
- fxor %f8, %f6, %f6
-
- stda %f0, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f2, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f4, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f6, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- bgu,pt $::size_t_cc, .L${bits}_ctr32_blk_loop2x
- add $out, 8, $out
-
- add $blk_init, $len, $len
- andcc $len, 1, %g0 ! is number of blocks even?
- membar #StoreLoad|#StoreStore
- bnz,pt %icc, .L${bits}_ctr32_loop
- srl $len, 0, $len
- brnz,pn $len, .L${bits}_ctr32_loop2x
- nop
-
- ret
- restore
-.type ${alg}${bits}_t4_ctr32_encrypt,#function
-.size ${alg}${bits}_t4_ctr32_encrypt,.-${alg}${bits}_t4_ctr32_encrypt
-___
-}
-
-sub alg_xts_implement {
-my ($alg,$bits,$dir) = @_;
-my ($inp,$out,$len,$key1,$key2,$ivec)=map("%i$_",(0..5));
-my $rem=$ivec;
-
-$::code.=<<___;
-.globl ${alg}${bits}_t4_xts_${dir}crypt
-.align 32
-${alg}${bits}_t4_xts_${dir}crypt:
- save %sp, -$::frame-16, %sp
-
- mov $ivec, %o0
- add %fp, $::bias-16, %o1
- call ${alg}_t4_encrypt
- mov $key2, %o2
-
- add %fp, $::bias-16, %l7
- ldxa [%l7]0x88, %g2
- add %fp, $::bias-8, %l7
- ldxa [%l7]0x88, %g3 ! %g3:%g2 is tweak
-
- sethi %hi(0x76543210), %l7
- or %l7, %lo(0x76543210), %l7
- bmask %l7, %g0, %g0 ! byte swap mask
-
- prefetch [$inp], 20
- prefetch [$inp + 63], 20
- call _${alg}${bits}_load_${dir}ckey
- and $len, 15, $rem
- and $len, -16, $len
-___
-$code.=<<___ if ($dir eq "de");
- mov 0, %l7
- movrnz $rem, 16, %l7
- sub $len, %l7, $len
-___
-$code.=<<___;
-
- sub $inp, $out, $blk_init ! $inp!=$out
- and $inp, 7, $ileft
- andn $inp, 7, $inp
- sll $ileft, 3, $ileft
- mov 64, $iright
- mov 0xff, $omask
- sub $iright, $ileft, $iright
- and $out, 7, $ooff
- cmp $len, 255
- movrnz $ooff, 0, $blk_init ! if ( $out&7 ||
- movleu $::size_t_cc, 0, $blk_init ! $len<256 ||
- brnz,pn $blk_init, .L${bits}_xts_${dir}blk ! $inp==$out)
- srl $omask, $ooff, $omask
-
- andcc $len, 16, %g0 ! is number of blocks even?
-___
-$code.=<<___ if ($dir eq "de");
- brz,pn $len, .L${bits}_xts_${dir}steal
-___
-$code.=<<___;
- alignaddrl $out, %g0, $out
- bz %icc, .L${bits}_xts_${dir}loop2x
- srlx $len, 4, $len
-.L${bits}_xts_${dir}loop:
- ldx [$inp + 0], %o0
- brz,pt $ileft, 4f
- ldx [$inp + 8], %o1
-
- ldx [$inp + 16], %o2
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- sllx %o1, $ileft, %o1
- or %g1, %o0, %o0
- srlx %o2, $iright, %o2
- or %o2, %o1, %o1
-4:
- movxtod %g2, %f12
- movxtod %g3, %f14
- bshuffle %f12, %f12, %f12
- bshuffle %f14, %f14, %f14
-
- xor %g4, %o0, %o0 ! ^= rk[0]
- xor %g5, %o1, %o1
- movxtod %o0, %f0
- movxtod %o1, %f2
-
- fxor %f12, %f0, %f0 ! ^= tweak[0]
- fxor %f14, %f2, %f2
-
- prefetch [$out + 63], 22
- prefetch [$inp + 16+63], 20
- call _${alg}${bits}_${dir}crypt_1x
- add $inp, 16, $inp
-
- fxor %f12, %f0, %f0 ! ^= tweak[0]
- fxor %f14, %f2, %f2
-
- srax %g3, 63, %l7 ! next tweak value
- addcc %g2, %g2, %g2
- and %l7, 0x87, %l7
- addxc %g3, %g3, %g3
- xor %l7, %g2, %g2
-
- brnz,pn $ooff, 2f
- sub $len, 1, $len
-
- std %f0, [$out + 0]
- std %f2, [$out + 8]
- brnz,pt $len, .L${bits}_xts_${dir}loop2x
- add $out, 16, $out
-
- brnz,pn $rem, .L${bits}_xts_${dir}steal
- nop
-
- ret
- restore
-
-.align 16
-2: ldxa [$inp]0x82, %o0 ! avoid read-after-write hazard
- ! and ~3x deterioration
- ! in inp==out case
- faligndata %f0, %f0, %f4 ! handle unaligned output
- faligndata %f0, %f2, %f6
- faligndata %f2, %f2, %f8
- stda %f4, [$out + $omask]0xc0 ! partial store
- std %f6, [$out + 8]
- add $out, 16, $out
- orn %g0, $omask, $omask
- stda %f8, [$out + $omask]0xc0 ! partial store
-
- brnz,pt $len, .L${bits}_xts_${dir}loop2x+4
- orn %g0, $omask, $omask
-
- brnz,pn $rem, .L${bits}_xts_${dir}steal
- nop
-
- ret
- restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align 32
-.L${bits}_xts_${dir}loop2x:
- ldx [$inp + 0], %o0
- ldx [$inp + 8], %o1
- ldx [$inp + 16], %o2
- brz,pt $ileft, 4f
- ldx [$inp + 24], %o3
-
- ldx [$inp + 32], %o4
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- or %g1, %o0, %o0
- sllx %o1, $ileft, %o1
- srlx %o2, $iright, %g1
- or %g1, %o1, %o1
- sllx %o2, $ileft, %o2
- srlx %o3, $iright, %g1
- or %g1, %o2, %o2
- sllx %o3, $ileft, %o3
- srlx %o4, $iright, %o4
- or %o4, %o3, %o3
-4:
- movxtod %g2, %f12
- movxtod %g3, %f14
- bshuffle %f12, %f12, %f12
- bshuffle %f14, %f14, %f14
-
- srax %g3, 63, %l7 ! next tweak value
- addcc %g2, %g2, %g2
- and %l7, 0x87, %l7
- addxc %g3, %g3, %g3
- xor %l7, %g2, %g2
-
- movxtod %g2, %f8
- movxtod %g3, %f10
- bshuffle %f8, %f8, %f8
- bshuffle %f10, %f10, %f10
-
- xor %g4, %o0, %o0 ! ^= rk[0]
- xor %g5, %o1, %o1
- xor %g4, %o2, %o2 ! ^= rk[0]
- xor %g5, %o3, %o3
- movxtod %o0, %f0
- movxtod %o1, %f2
- movxtod %o2, %f4
- movxtod %o3, %f6
-
- fxor %f12, %f0, %f0 ! ^= tweak[0]
- fxor %f14, %f2, %f2
- fxor %f8, %f4, %f4 ! ^= tweak[0]
- fxor %f10, %f6, %f6
-
- prefetch [$out + 63], 22
- prefetch [$inp + 32+63], 20
- call _${alg}${bits}_${dir}crypt_2x
- add $inp, 32, $inp
-
- movxtod %g2, %f8
- movxtod %g3, %f10
-
- srax %g3, 63, %l7 ! next tweak value
- addcc %g2, %g2, %g2
- and %l7, 0x87, %l7
- addxc %g3, %g3, %g3
- xor %l7, %g2, %g2
-
- bshuffle %f8, %f8, %f8
- bshuffle %f10, %f10, %f10
-
- fxor %f12, %f0, %f0 ! ^= tweak[0]
- fxor %f14, %f2, %f2
- fxor %f8, %f4, %f4
- fxor %f10, %f6, %f6
-
- brnz,pn $ooff, 2f
- sub $len, 2, $len
-
- std %f0, [$out + 0]
- std %f2, [$out + 8]
- std %f4, [$out + 16]
- std %f6, [$out + 24]
- brnz,pt $len, .L${bits}_xts_${dir}loop2x
- add $out, 32, $out
-
- fsrc2 %f4, %f0
- fsrc2 %f6, %f2
- brnz,pn $rem, .L${bits}_xts_${dir}steal
- nop
-
- ret
- restore
-
-.align 16
-2: ldxa [$inp]0x82, %o0 ! avoid read-after-write hazard
- ! and ~3x deterioration
- ! in inp==out case
- faligndata %f0, %f0, %f8 ! handle unaligned output
- faligndata %f0, %f2, %f10
- faligndata %f2, %f4, %f12
- faligndata %f4, %f6, %f14
- faligndata %f6, %f6, %f0
-
- stda %f8, [$out + $omask]0xc0 ! partial store
- std %f10, [$out + 8]
- std %f12, [$out + 16]
- std %f14, [$out + 24]
- add $out, 32, $out
- orn %g0, $omask, $omask
- stda %f0, [$out + $omask]0xc0 ! partial store
-
- brnz,pt $len, .L${bits}_xts_${dir}loop2x+4
- orn %g0, $omask, $omask
-
- fsrc2 %f4, %f0
- fsrc2 %f6, %f2
- brnz,pn $rem, .L${bits}_xts_${dir}steal
- nop
-
- ret
- restore
-
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-.align 32
-.L${bits}_xts_${dir}blk:
- add $out, $len, $blk_init
- and $blk_init, 63, $blk_init ! tail
- sub $len, $blk_init, $len
- add $blk_init, 15, $blk_init ! round up to 16n
- srlx $len, 4, $len
- srl $blk_init, 4, $blk_init
- sub $len, 1, $len
- add $blk_init, 1, $blk_init
-
-.L${bits}_xts_${dir}blk2x:
- ldx [$inp + 0], %o0
- ldx [$inp + 8], %o1
- ldx [$inp + 16], %o2
- brz,pt $ileft, 5f
- ldx [$inp + 24], %o3
-
- ldx [$inp + 32], %o4
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- or %g1, %o0, %o0
- sllx %o1, $ileft, %o1
- srlx %o2, $iright, %g1
- or %g1, %o1, %o1
- sllx %o2, $ileft, %o2
- srlx %o3, $iright, %g1
- or %g1, %o2, %o2
- sllx %o3, $ileft, %o3
- srlx %o4, $iright, %o4
- or %o4, %o3, %o3
-5:
- movxtod %g2, %f12
- movxtod %g3, %f14
- bshuffle %f12, %f12, %f12
- bshuffle %f14, %f14, %f14
-
- srax %g3, 63, %l7 ! next tweak value
- addcc %g2, %g2, %g2
- and %l7, 0x87, %l7
- addxc %g3, %g3, %g3
- xor %l7, %g2, %g2
-
- movxtod %g2, %f8
- movxtod %g3, %f10
- bshuffle %f8, %f8, %f8
- bshuffle %f10, %f10, %f10
-
- xor %g4, %o0, %o0 ! ^= rk[0]
- xor %g5, %o1, %o1
- xor %g4, %o2, %o2 ! ^= rk[0]
- xor %g5, %o3, %o3
- movxtod %o0, %f0
- movxtod %o1, %f2
- movxtod %o2, %f4
- movxtod %o3, %f6
-
- fxor %f12, %f0, %f0 ! ^= tweak[0]
- fxor %f14, %f2, %f2
- fxor %f8, %f4, %f4 ! ^= tweak[0]
- fxor %f10, %f6, %f6
-
- prefetch [$inp + 32+63], 20
- call _${alg}${bits}_${dir}crypt_2x
- add $inp, 32, $inp
-
- movxtod %g2, %f8
- movxtod %g3, %f10
-
- srax %g3, 63, %l7 ! next tweak value
- addcc %g2, %g2, %g2
- and %l7, 0x87, %l7
- addxc %g3, %g3, %g3
- xor %l7, %g2, %g2
-
- bshuffle %f8, %f8, %f8
- bshuffle %f10, %f10, %f10
-
- fxor %f12, %f0, %f0 ! ^= tweak[0]
- fxor %f14, %f2, %f2
- fxor %f8, %f4, %f4
- fxor %f10, %f6, %f6
-
- stda %f0, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f2, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f4, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- add $out, 8, $out
- stda %f6, [$out]0xe2 ! ASI_BLK_INIT, T4-specific
- bgu,pt $::size_t_cc, .L${bits}_xts_${dir}blk2x
- add $out, 8, $out
-
- add $blk_init, $len, $len
- andcc $len, 1, %g0 ! is number of blocks even?
- membar #StoreLoad|#StoreStore
- bnz,pt %icc, .L${bits}_xts_${dir}loop
- srl $len, 0, $len
- brnz,pn $len, .L${bits}_xts_${dir}loop2x
- nop
-
- fsrc2 %f4, %f0
- fsrc2 %f6, %f2
- brnz,pn $rem, .L${bits}_xts_${dir}steal
- nop
-
- ret
- restore
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-___
-$code.=<<___ if ($dir eq "en");
-.align 32
-.L${bits}_xts_${dir}steal:
- std %f0, [%fp + $::bias-16] ! copy of output
- std %f2, [%fp + $::bias-8]
-
- srl $ileft, 3, $ileft
- add %fp, $::bias-16, %l7
- add $inp, $ileft, $inp ! original $inp+$len&-15
- add $out, $ooff, $out ! original $out+$len&-15
- mov 0, $ileft
- nop ! align
-
-.L${bits}_xts_${dir}stealing:
- ldub [$inp + $ileft], %o0
- ldub [%l7 + $ileft], %o1
- dec $rem
- stb %o0, [%l7 + $ileft]
- stb %o1, [$out + $ileft]
- brnz $rem, .L${bits}_xts_${dir}stealing
- inc $ileft
-
- mov %l7, $inp
- sub $out, 16, $out
- mov 0, $ileft
- sub $out, $ooff, $out
- ba .L${bits}_xts_${dir}loop ! one more time
- mov 1, $len ! $rem is 0
-___
-$code.=<<___ if ($dir eq "de");
-.align 32
-.L${bits}_xts_${dir}steal:
- ldx [$inp + 0], %o0
- brz,pt $ileft, 8f
- ldx [$inp + 8], %o1
-
- ldx [$inp + 16], %o2
- sllx %o0, $ileft, %o0
- srlx %o1, $iright, %g1
- sllx %o1, $ileft, %o1
- or %g1, %o0, %o0
- srlx %o2, $iright, %o2
- or %o2, %o1, %o1
-8:
- srax %g3, 63, %l7 ! next tweak value
- addcc %g2, %g2, %o2
- and %l7, 0x87, %l7
- addxc %g3, %g3, %o3
- xor %l7, %o2, %o2
-
- movxtod %o2, %f12
- movxtod %o3, %f14
- bshuffle %f12, %f12, %f12
- bshuffle %f14, %f14, %f14
-
- xor %g4, %o0, %o0 ! ^= rk[0]
- xor %g5, %o1, %o1
- movxtod %o0, %f0
- movxtod %o1, %f2
-
- fxor %f12, %f0, %f0 ! ^= tweak[0]
- fxor %f14, %f2, %f2
-
- call _${alg}${bits}_${dir}crypt_1x
- add $inp, 16, $inp
-
- fxor %f12, %f0, %f0 ! ^= tweak[0]
- fxor %f14, %f2, %f2
-
- std %f0, [%fp + $::bias-16]
- std %f2, [%fp + $::bias-8]
-
- srl $ileft, 3, $ileft
- add %fp, $::bias-16, %l7
- add $inp, $ileft, $inp ! original $inp+$len&-15
- add $out, $ooff, $out ! original $out+$len&-15
- mov 0, $ileft
- add $out, 16, $out
- nop ! align
-
-.L${bits}_xts_${dir}stealing:
- ldub [$inp + $ileft], %o0
- ldub [%l7 + $ileft], %o1
- dec $rem
- stb %o0, [%l7 + $ileft]
- stb %o1, [$out + $ileft]
- brnz $rem, .L${bits}_xts_${dir}stealing
- inc $ileft
-
- mov %l7, $inp
- sub $out, 16, $out
- mov 0, $ileft
- sub $out, $ooff, $out
- ba .L${bits}_xts_${dir}loop ! one more time
- mov 1, $len ! $rem is 0
-___
-$code.=<<___;
- ret
- restore
-.type ${alg}${bits}_t4_xts_${dir}crypt,#function
-.size ${alg}${bits}_t4_xts_${dir}crypt,.-${alg}${bits}_t4_xts_${dir}crypt
-___
-}
-
-# Purpose of these subroutines is to explicitly encode VIS instructions,
-# so that one can compile the module without having to specify VIS
-# extentions on compiler command line, e.g. -xarch=v9 vs. -xarch=v9a.
-# Idea is to reserve for option to produce "universal" binary and let
-# programmer detect if current CPU is VIS capable at run-time.
-sub unvis {
-my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my ($ref,$opf);
-my %visopf = ( "faligndata" => 0x048,
- "bshuffle" => 0x04c,
- "fnot2" => 0x066,
- "fxor" => 0x06c,
- "fsrc2" => 0x078 );
-
- $ref = "$mnemonic\t$rs1,$rs2,$rd";
-
- if ($opf=$visopf{$mnemonic}) {
- foreach ($rs1,$rs2,$rd) {
- return $ref if (!/%f([0-9]{1,2})/);
- $_=$1;
- if ($1>=32) {
- return $ref if ($1&1);
- # re-encode for upper double register addressing
- $_=($1|$1>>5)&31;
- }
- }
-
- return sprintf ".word\t0x%08x !%s",
- 0x81b00000|$rd<<25|$rs1<<14|$opf<<5|$rs2,
- $ref;
- } else {
- return $ref;
- }
-}
-
-sub unvis3 {
-my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my %bias = ( "g" => 0, "o" => 8, "l" => 16, "i" => 24 );
-my ($ref,$opf);
-my %visopf = ( "addxc" => 0x011,
- "addxccc" => 0x013,
- "umulxhi" => 0x016,
- "alignaddr" => 0x018,
- "bmask" => 0x019,
- "alignaddrl" => 0x01a );
-
- $ref = "$mnemonic\t$rs1,$rs2,$rd";
-
- if ($opf=$visopf{$mnemonic}) {
- foreach ($rs1,$rs2,$rd) {
- return $ref if (!/%([goli])([0-9])/);
- $_=$bias{$1}+$2;
- }
-
- return sprintf ".word\t0x%08x !%s",
- 0x81b00000|$rd<<25|$rs1<<14|$opf<<5|$rs2,
- $ref;
- } else {
- return $ref;
- }
-}
-
-sub unaes_round { # 4-argument instructions
-my ($mnemonic,$rs1,$rs2,$rs3,$rd)=@_;
-my ($ref,$opf);
-my %aesopf = ( "aes_eround01" => 0,
- "aes_eround23" => 1,
- "aes_dround01" => 2,
- "aes_dround23" => 3,
- "aes_eround01_l"=> 4,
- "aes_eround23_l"=> 5,
- "aes_dround01_l"=> 6,
- "aes_dround23_l"=> 7,
- "aes_kexpand1" => 8 );
-
- $ref = "$mnemonic\t$rs1,$rs2,$rs3,$rd";
-
- if (defined($opf=$aesopf{$mnemonic})) {
- $rs3 = ($rs3 =~ /%f([0-6]*[02468])/) ? (($1|$1>>5)&31) : $rs3;
- foreach ($rs1,$rs2,$rd) {
- return $ref if (!/%f([0-9]{1,2})/);
- $_=$1;
- if ($1>=32) {
- return $ref if ($1&1);
- # re-encode for upper double register addressing
- $_=($1|$1>>5)&31;
- }
- }
-
- return sprintf ".word\t0x%08x !%s",
- 2<<30|$rd<<25|0x19<<19|$rs1<<14|$rs3<<9|$opf<<5|$rs2,
- $ref;
- } else {
- return $ref;
- }
-}
-
-sub unaes_kexpand { # 3-argument instructions
-my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my ($ref,$opf);
-my %aesopf = ( "aes_kexpand0" => 0x130,
- "aes_kexpand2" => 0x131 );
-
- $ref = "$mnemonic\t$rs1,$rs2,$rd";
-
- if (defined($opf=$aesopf{$mnemonic})) {
- foreach ($rs1,$rs2,$rd) {
- return $ref if (!/%f([0-9]{1,2})/);
- $_=$1;
- if ($1>=32) {
- return $ref if ($1&1);
- # re-encode for upper double register addressing
- $_=($1|$1>>5)&31;
- }
- }
-
- return sprintf ".word\t0x%08x !%s",
- 2<<30|$rd<<25|0x36<<19|$rs1<<14|$opf<<5|$rs2,
- $ref;
- } else {
- return $ref;
- }
-}
-
-sub uncamellia_f { # 4-argument instructions
-my ($mnemonic,$rs1,$rs2,$rs3,$rd)=@_;
-my ($ref,$opf);
-
- $ref = "$mnemonic\t$rs1,$rs2,$rs3,$rd";
-
- if (1) {
- $rs3 = ($rs3 =~ /%f([0-6]*[02468])/) ? (($1|$1>>5)&31) : $rs3;
- foreach ($rs1,$rs2,$rd) {
- return $ref if (!/%f([0-9]{1,2})/);
- $_=$1;
- if ($1>=32) {
- return $ref if ($1&1);
- # re-encode for upper double register addressing
- $_=($1|$1>>5)&31;
- }
- }
-
- return sprintf ".word\t0x%08x !%s",
- 2<<30|$rd<<25|0x19<<19|$rs1<<14|$rs3<<9|0xc<<5|$rs2,
- $ref;
- } else {
- return $ref;
- }
-}
-
-sub uncamellia3 { # 3-argument instructions
-my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my ($ref,$opf);
-my %cmllopf = ( "camellia_fl" => 0x13c,
- "camellia_fli" => 0x13d );
-
- $ref = "$mnemonic\t$rs1,$rs2,$rd";
-
- if (defined($opf=$cmllopf{$mnemonic})) {
- foreach ($rs1,$rs2,$rd) {
- return $ref if (!/%f([0-9]{1,2})/);
- $_=$1;
- if ($1>=32) {
- return $ref if ($1&1);
- # re-encode for upper double register addressing
- $_=($1|$1>>5)&31;
- }
- }
-
- return sprintf ".word\t0x%08x !%s",
- 2<<30|$rd<<25|0x36<<19|$rs1<<14|$opf<<5|$rs2,
- $ref;
- } else {
- return $ref;
- }
-}
-
-sub unmovxtox { # 2-argument instructions
-my ($mnemonic,$rs,$rd)=@_;
-my %bias = ( "g" => 0, "o" => 8, "l" => 16, "i" => 24, "f" => 0 );
-my ($ref,$opf);
-my %movxopf = ( "movdtox" => 0x110,
- "movstouw" => 0x111,
- "movstosw" => 0x113,
- "movxtod" => 0x118,
- "movwtos" => 0x119 );
-
- $ref = "$mnemonic\t$rs,$rd";
-
- if (defined($opf=$movxopf{$mnemonic})) {
- foreach ($rs,$rd) {
- return $ref if (!/%([fgoli])([0-9]{1,2})/);
- $_=$bias{$1}+$2;
- if ($2>=32) {
- return $ref if ($2&1);
- # re-encode for upper double register addressing
- $_=($2|$2>>5)&31;
- }
- }
-
- return sprintf ".word\t0x%08x !%s",
- 2<<30|$rd<<25|0x36<<19|$opf<<5|$rs,
- $ref;
- } else {
- return $ref;
- }
-}
-
-sub undes {
-my ($mnemonic)=shift;
-my @args=@_;
-my ($ref,$opf);
-my %desopf = ( "des_round" => 0b1001,
- "des_ip" => 0b100110100,
- "des_iip" => 0b100110101,
- "des_kexpand" => 0b100110110 );
-
- $ref = "$mnemonic\t".join(",",@_);
-
- if (defined($opf=$desopf{$mnemonic})) { # 4-arg
- if ($mnemonic eq "des_round") {
- foreach (@args[0..3]) {
- return $ref if (!/%f([0-9]{1,2})/);
- $_=$1;
- if ($1>=32) {
- return $ref if ($1&1);
- # re-encode for upper double register addressing
- $_=($1|$1>>5)&31;
- }
- }
- return sprintf ".word\t0x%08x !%s",
- 2<<30|0b011001<<19|$opf<<5|$args[0]<<14|$args[1]|$args[2]<<9|$args[3]<<25,
- $ref;
- } elsif ($mnemonic eq "des_kexpand") { # 3-arg
- foreach (@args[0..2]) {
- return $ref if (!/(%f)?([0-9]{1,2})/);
- $_=$2;
- if ($2>=32) {
- return $ref if ($2&1);
- # re-encode for upper double register addressing
- $_=($2|$2>>5)&31;
- }
- }
- return sprintf ".word\t0x%08x !%s",
- 2<<30|0b110110<<19|$opf<<5|$args[0]<<14|$args[1]|$args[2]<<25,
- $ref;
- } else { # 2-arg
- foreach (@args[0..1]) {
- return $ref if (!/%f([0-9]{1,2})/);
- $_=$1;
- if ($1>=32) {
- return $ref if ($2&1);
- # re-encode for upper double register addressing
- $_=($1|$1>>5)&31;
- }
- }
- return sprintf ".word\t0x%08x !%s",
- 2<<30|0b110110<<19|$opf<<5|$args[0]<<14|$args[1]<<25,
- $ref;
- }
- } else {
- return $ref;
- }
-}
-
-sub emit_assembler {
- foreach (split("\n",$::code)) {
- s/\`([^\`]*)\`/eval $1/ge;
-
- s/\b(f[a-z]+2[sd]*)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2})\s*$/$1\t%f0,$2,$3/go;
-
- s/\b(aes_[edk][^\s]*)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*([%fx0-9]+),\s*(%f[0-9]{1,2})/
- &unaes_round($1,$2,$3,$4,$5)
- /geo or
- s/\b(aes_kexpand[02])\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*(%f[0-9]{1,2})/
- &unaes_kexpand($1,$2,$3,$4)
- /geo or
- s/\b(camellia_f)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*([%fx0-9]+),\s*(%f[0-9]{1,2})/
- &uncamellia_f($1,$2,$3,$4,$5)
- /geo or
- s/\b(camellia_[^s]+)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*(%f[0-9]{1,2})/
- &uncamellia3($1,$2,$3,$4)
- /geo or
- s/\b(des_\w+)\s+(%f[0-9]{1,2}),\s*([%fx0-9]+)(?:,\s*(%f[0-9]{1,2})(?:,\s*(%f[0-9]{1,2}))?)?/
- &undes($1,$2,$3,$4,$5)
- /geo or
- s/\b(mov[ds]to\w+)\s+(%f[0-9]{1,2}),\s*(%[goli][0-7])/
- &unmovxtox($1,$2,$3)
- /geo or
- s/\b(mov[xw]to[ds])\s+(%[goli][0-7]),\s*(%f[0-9]{1,2})/
- &unmovxtox($1,$2,$3)
- /geo or
- s/\b([fb][^\s]*)\s+(%f[0-9]{1,2}),\s*(%f[0-9]{1,2}),\s*(%f[0-9]{1,2})/
- &unvis($1,$2,$3,$4)
- /geo or
- s/\b(umulxhi|bmask|addxc[c]{0,2}|alignaddr[l]*)\s+(%[goli][0-7]),\s*(%[goli][0-7]),\s*(%[goli][0-7])/
- &unvis3($1,$2,$3,$4)
- /geo;
-
- print $_,"\n";
- }
-}
-
-1;
diff --git a/src/crypto/perlasm/x86masm.pl b/src/crypto/perlasm/x86masm.pl
index a491529..b7f49d1 100644
--- a/src/crypto/perlasm/x86masm.pl
+++ b/src/crypto/perlasm/x86masm.pl
@@ -18,10 +18,10 @@
if ($opcode =~ /lea/ && @arg[1] =~ s/.*PTR\s+(\(.*\))$/OFFSET $1/) # no []
{ $opcode="mov"; }
- elsif ($opcode !~ /movq/)
+ elsif ($opcode !~ /mov[dq]$/)
{ # fix xmm references
- $arg[0] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[1]=~/\bxmm[0-7]\b/i);
- $arg[1] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[0]=~/\bxmm[0-7]\b/i);
+ $arg[0] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[-1]=~/\bxmm[0-7]\b/i);
+ $arg[-1] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[0]=~/\bxmm[0-7]\b/i);
}
&::emit($opcode,@arg);
@@ -160,16 +160,13 @@
{ push(@out,"PUBLIC\t".&::LABEL($_[0],$nmdecor.$_[0])."\n"); }
sub ::data_byte
-{ push(@out,("DB\t").join(',',@_)."\n"); }
+{ push(@out,("DB\t").join(',',splice(@_,0,16))."\n") while(@_); }
sub ::data_short
-{ push(@out,("DW\t").join(',',@_)."\n"); }
+{ push(@out,("DW\t").join(',',splice(@_,0,8))."\n") while(@_); }
sub ::data_word
-{ # MASM can't handle long lines, so emit one word at a time.
- foreach(@_)
- { push(@out,"DD\t$_\n"); }
-}
+{ push(@out,("DD\t").join(',',splice(@_,0,4))."\n") while(@_); }
sub ::align
{ push(@out,"ALIGN\t$_[0]\n"); }
diff --git a/src/crypto/pkcs8/CMakeLists.txt b/src/crypto/pkcs8/CMakeLists.txt
index 1886fce..c0f2746 100644
--- a/src/crypto/pkcs8/CMakeLists.txt
+++ b/src/crypto/pkcs8/CMakeLists.txt
@@ -9,13 +9,12 @@
p8_pkey.c
p5_pbe.c
p5_pbev2.c
- pkcs8_error.c
)
add_executable(
pkcs12_test
- pkcs12_test.c
+ pkcs12_test.cc
)
target_link_libraries(pkcs12_test crypto)
diff --git a/src/crypto/pkcs8/pkcs12_test.c b/src/crypto/pkcs8/pkcs12_test.cc
similarity index 96%
rename from src/crypto/pkcs8/pkcs12_test.c
rename to src/crypto/pkcs8/pkcs12_test.cc
index 2292b77..8b265cd 100644
--- a/src/crypto/pkcs8/pkcs12_test.c
+++ b/src/crypto/pkcs8/pkcs12_test.cc
@@ -13,7 +13,6 @@
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <stdio.h>
-#include <stdlib.h>
#include <openssl/bio.h>
#include <openssl/bytestring.h>
@@ -24,6 +23,8 @@
#include <openssl/stack.h>
#include <openssl/x509.h>
+#include "../test/scoped_types.h"
+
/* kPKCS12DER contains sample PKCS#12 data generated by OpenSSL with:
* openssl pkcs12 -export -inkey key.pem -in cacert.pem */
@@ -680,81 +681,76 @@
0xfe, 0x3a, 0x66, 0x47, 0x40, 0x49, 0x02, 0x02, 0x07, 0xd0,
};
-static int test(const char *name, const uint8_t *der, size_t der_len) {
+static bool Test(const char *name, const uint8_t *der, size_t der_len) {
+ ScopedX509Stack certs(sk_X509_new_null());
+ if (!certs) {
+ return false;
+ }
+
CBS pkcs12;
- EVP_PKEY *key;
- STACK_OF(X509) *certs;
-
- certs = sk_X509_new_null();
-
+ EVP_PKEY *key = nullptr;
CBS_init(&pkcs12, der, der_len);
- if (!PKCS12_get_key_and_certs(&key, certs, &pkcs12, "foo")) {
+ if (!PKCS12_get_key_and_certs(&key, certs.get(), &pkcs12, "foo")) {
fprintf(stderr, "PKCS12 failed on %s data.\n", name);
- BIO_print_errors_fp(stderr);
- return 0;
+ ERR_print_errors_fp(stderr);
+ return false;
}
+ ScopedEVP_PKEY delete_key(key);
- if (sk_X509_num(certs) != 1 || key == NULL) {
+ if (sk_X509_num(certs.get()) != 1 || key == nullptr) {
fprintf(stderr, "Bad result from %s data.\n", name);
- return 0;
+ return false;
}
- sk_X509_pop_free(certs, X509_free);
- EVP_PKEY_free(key);
-
- return 1;
+ return true;
}
-static int test_compat(const uint8_t *der, size_t der_len) {
- PKCS12 *p12;
- X509 *cert = NULL;
- STACK_OF(X509) *ca_certs = NULL;
- EVP_PKEY *key;
- BIO *bio;
-
- bio = BIO_new_mem_buf((void*) der, der_len);
-
- p12 = d2i_PKCS12_bio(bio, NULL);
- if (p12 == NULL) {
- fprintf(stderr, "PKCS12_parse failed.\n");
- BIO_print_errors_fp(stderr);
- return 0;
- }
- BIO_free(bio);
-
- if (!PKCS12_parse(p12, "foo", &key, &cert, &ca_certs)) {
- fprintf(stderr, "PKCS12_parse failed.\n");
- BIO_print_errors_fp(stderr);
- return 0;
+static bool TestCompat(const uint8_t *der, size_t der_len) {
+ ScopedBIO bio(BIO_new_mem_buf((void*) der, der_len));
+ if (!bio) {
+ return false;
}
- if (key == NULL || cert == NULL) {
+ ScopedPKCS12 p12(d2i_PKCS12_bio(bio.get(), nullptr));
+ if (!p12) {
+ fprintf(stderr, "PKCS12_parse failed.\n");
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+
+ EVP_PKEY *key = nullptr;
+ X509 *cert = nullptr;
+ STACK_OF(X509) *ca_certs = nullptr;
+ if (!PKCS12_parse(p12.get(), "foo", &key, &cert, &ca_certs)) {
+ fprintf(stderr, "PKCS12_parse failed.\n");
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+ ScopedEVP_PKEY delete_key(key);
+ ScopedX509 delete_cert(cert);
+ ScopedX509Stack delete_ca_certs(ca_certs);
+
+ if (key == nullptr || cert == nullptr) {
fprintf(stderr, "Bad result from PKCS12_parse.\n");
- return 0;
+ return false;
}
- EVP_PKEY_free(key);
- X509_free(cert);
-
if (sk_X509_num(ca_certs) != 0) {
fprintf(stderr, "Bad result from PKCS12_parse.\n");
- return 0;
+ return false;
}
- sk_X509_free(ca_certs);
- PKCS12_free(p12);
-
- return 1;
+ return true;
}
int main(int argc, char **argv) {
CRYPTO_library_init();
ERR_load_crypto_strings();
- if (!test("OpenSSL", kOpenSSL, sizeof(kOpenSSL)) ||
- !test("NSS", kNSS, sizeof(kNSS)) ||
- !test("Windows", kWindows, sizeof(kWindows)) ||
- !test_compat(kWindows, sizeof(kWindows))) {
+ if (!Test("OpenSSL", kOpenSSL, sizeof(kOpenSSL)) ||
+ !Test("NSS", kNSS, sizeof(kNSS)) ||
+ !Test("Windows", kWindows, sizeof(kWindows)) ||
+ !TestCompat(kWindows, sizeof(kWindows))) {
return 1;
}
diff --git a/src/crypto/pkcs8/pkcs8.c b/src/crypto/pkcs8/pkcs8.c
index 0b1dfba..843c74d 100644
--- a/src/crypto/pkcs8/pkcs8.c
+++ b/src/crypto/pkcs8/pkcs8.c
@@ -123,23 +123,28 @@
Ai = OPENSSL_malloc(u);
B = OPENSSL_malloc(v + 1);
Slen = v * ((salt_len + v - 1) / v);
- if (pass_raw_len)
+ if (pass_raw_len) {
Plen = v * ((pass_raw_len + v - 1) / v);
- else
+ } else {
Plen = 0;
+ }
Ilen = Slen + Plen;
I = OPENSSL_malloc(Ilen);
Ij = BN_new();
Bpl1 = BN_new();
- if (!D || !Ai || !B || !I || !Ij || !Bpl1)
+ if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
goto err;
- for (i = 0; i < v; i++)
+ }
+ for (i = 0; i < v; i++) {
D[i] = id;
+ }
p = I;
- for (i = 0; i < Slen; i++)
+ for (i = 0; i < Slen; i++) {
*p++ = salt[i % salt_len];
- for (i = 0; i < Plen; i++)
+ }
+ for (i = 0; i < Plen; i++) {
*p++ = pass_raw[i % pass_raw_len];
+ }
for (;;) {
if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
!EVP_DigestUpdate(&ctx, D, v) ||
@@ -161,31 +166,33 @@
}
out_len -= u;
out += u;
- for (j = 0; j < v; j++)
+ for (j = 0; j < v; j++) {
B[j] = Ai[j % u];
+ }
/* Work out B + 1 first then can use B as tmp space */
- if (!BN_bin2bn(B, v, Bpl1))
+ if (!BN_bin2bn(B, v, Bpl1) ||
+ !BN_add_word(Bpl1, 1)) {
goto err;
- if (!BN_add_word(Bpl1, 1))
- goto err;
+ }
for (j = 0; j < Ilen; j += v) {
- if (!BN_bin2bn(I + j, v, Ij))
+ if (!BN_bin2bn(I + j, v, Ij) ||
+ !BN_add(Ij, Ij, Bpl1) ||
+ !BN_bn2bin(Ij, B)) {
goto err;
- if (!BN_add(Ij, Ij, Bpl1))
- goto err;
- if (!BN_bn2bin(Ij, B))
- goto err;
+ }
Ijlen = BN_num_bytes(Ij);
/* If more than 2^(v*8) - 1 cut off MSB */
if (Ijlen > v) {
- if (!BN_bn2bin(Ij, B))
+ if (!BN_bn2bin(Ij, B)) {
goto err;
+ }
memcpy(I + j, B + 1, v);
/* If less than v bytes pad with zeroes */
} else if (Ijlen < v) {
memset(I + j, 0, v - Ijlen);
- if (!BN_bn2bin(Ij, I + j + v - Ijlen))
+ if (!BN_bn2bin(Ij, I + j + v - Ijlen)) {
goto err;
+ }
} else if (!BN_bn2bin(Ij, I + j)) {
goto err;
}
@@ -427,7 +434,7 @@
pass_len = strlen(pass);
}
if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {
- OPENSSL_PUT_ERROR(PKCS8, pkcs12_key_gen_asc, PKCS8_R_DECODE_ERROR);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS8_decrypt, PKCS8_R_DECODE_ERROR);
return NULL;
}
}
@@ -491,7 +498,7 @@
pass_len = strlen(pass);
}
if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {
- OPENSSL_PUT_ERROR(PKCS8, pkcs12_key_gen_asc, PKCS8_R_DECODE_ERROR);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt, PKCS8_R_DECODE_ERROR);
return NULL;
}
}
@@ -547,8 +554,9 @@
ASN1_OBJECT *algoid;
char obj_tmp[80];
- if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8))
+ if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8)) {
return NULL;
+ }
pkey = EVP_PKEY_new();
if (pkey == NULL) {
@@ -683,9 +691,7 @@
ret = 1;
err:
- if (der_bytes != NULL) {
- OPENSSL_free(der_bytes);
- }
+ OPENSSL_free(der_bytes);
return ret;
}
@@ -699,7 +705,8 @@
if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||
!CBS_get_asn1(content_info, &wrapped_contents,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,
+ PKCS8_R_BAD_PKCS12_DATA);
goto err;
}
@@ -884,27 +891,28 @@
if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||
CBS_len(&in) != 0 ||
!CBS_get_asn1_uint64(&pfx, &version)) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
goto err;
}
if (version < 3) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_VERSION);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,
+ PKCS8_R_BAD_PKCS12_VERSION);
goto err;
}
if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
goto err;
}
if (CBS_len(&pfx) == 0) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_MISSING_MAC);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_MISSING_MAC);
goto err;
}
if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
goto err;
}
@@ -913,7 +921,7 @@
if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||
!CBS_get_asn1(&authsafe, &wrapped_authsafes,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
goto err;
}
@@ -921,13 +929,13 @@
* latter indicates that it's signed by a public key, which isn't
* supported. */
if (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse,
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,
PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);
goto err;
}
if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
goto err;
}
@@ -935,7 +943,7 @@
ctx.out_certs = out_certs;
if (!ascii_to_ucs2(password, strlen(password), &ctx.password,
&ctx.password_len)) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_DECODE_ERROR);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_DECODE_ERROR);
goto err;
}
@@ -954,7 +962,7 @@
!CBS_get_asn1(&hash_type_seq, &hash_oid, CBS_ASN1_OBJECT) ||
!CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);
goto err;
}
@@ -963,7 +971,8 @@
if (CBS_len(&mac_data) > 0) {
if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||
iterations > INT_MAX) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,
+ PKCS8_R_BAD_PKCS12_DATA);
goto err;
}
}
@@ -971,7 +980,7 @@
hash_nid = OBJ_cbs2nid(&hash_oid);
if (hash_nid == NID_undef ||
(md = EVP_get_digestbynid(hash_nid)) == NULL) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_UNKNOWN_HASH);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_UNKNOWN_HASH);
goto err;
}
@@ -987,7 +996,8 @@
}
if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {
- OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_INCORRECT_PASSWORD);
+ OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,
+ PKCS8_R_INCORRECT_PASSWORD);
goto err;
}
}
@@ -1000,17 +1010,11 @@
ret = 1;
err:
- if (ctx.password) {
- OPENSSL_free(ctx.password);
- }
- if (der_bytes) {
- OPENSSL_free(der_bytes);
- }
+ OPENSSL_free(ctx.password);
+ OPENSSL_free(der_bytes);
if (!ret) {
- if (*out_key) {
- EVP_PKEY_free(*out_key);
- *out_key = NULL;
- }
+ EVP_PKEY_free(*out_key);
+ *out_key = NULL;
while (sk_X509_num(out_certs) > original_out_certs_len) {
X509 *x509 = sk_X509_pop(out_certs);
X509_free(x509);
diff --git a/src/crypto/pkcs8/pkcs8_error.c b/src/crypto/pkcs8/pkcs8_error.c
deleted file mode 100644
index 3041658..0000000
--- a/src/crypto/pkcs8/pkcs8_error.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/pkcs8.h>
-
-const ERR_STRING_DATA PKCS8_error_string_data[] = {
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_EVP_PKCS82PKEY, 0), "EVP_PKCS82PKEY"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_EVP_PKEY2PKCS8, 0), "EVP_PKEY2PKCS8"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS12_get_key_and_certs, 0), "PKCS12_get_key_and_certs"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS12_handle_content_info, 0), "PKCS12_handle_content_info"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS12_handle_content_infos, 0), "PKCS12_handle_content_infos"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS12_parse, 0), "PKCS12_parse"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS5_pbe2_set_iv, 0), "PKCS5_pbe2_set_iv"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS5_pbe_set, 0), "PKCS5_pbe_set"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS5_pbe_set0_algor, 0), "PKCS5_pbe_set0_algor"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS5_pbkdf2_set, 0), "PKCS5_pbkdf2_set"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS8_decrypt, 0), "PKCS8_decrypt"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS8_encrypt, 0), "PKCS8_encrypt"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_PKCS8_encrypt_pbe, 0), "PKCS8_encrypt_pbe"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pbe_cipher_init, 0), "pbe_cipher_init"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pbe_crypt, 0), "pbe_crypt"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_item_decrypt_d2i, 0), "pkcs12_item_decrypt_d2i"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_item_i2d_encrypt, 0), "pkcs12_item_i2d_encrypt"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_key_gen_asc, 0), "pkcs12_key_gen_asc"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_key_gen_raw, 0), "pkcs12_key_gen_raw"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_key_gen_uni, 0), "pkcs12_key_gen_uni"},
- {ERR_PACK(ERR_LIB_PKCS8, PKCS8_F_pkcs12_pbe_keyivgen, 0), "pkcs12_pbe_keyivgen"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_BAD_MAC), "BAD_MAC"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_BAD_PKCS12_DATA), "BAD_PKCS12_DATA"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_BAD_PKCS12_VERSION), "BAD_PKCS12_VERSION"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER), "CIPHER_HAS_NO_OBJECT_IDENTIFIER"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_CRYPT_ERROR), "CRYPT_ERROR"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_DECODE_ERROR), "DECODE_ERROR"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_ENCODE_ERROR), "ENCODE_ERROR"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_ENCRYPT_ERROR), "ENCRYPT_ERROR"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_ERROR_SETTING_CIPHER_PARAMS), "ERROR_SETTING_CIPHER_PARAMS"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_INCORRECT_PASSWORD), "INCORRECT_PASSWORD"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_KEYGEN_FAILURE), "KEYGEN_FAILURE"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_KEY_GEN_ERROR), "KEY_GEN_ERROR"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_METHOD_NOT_SUPPORTED), "METHOD_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_MISSING_MAC), "MISSING_MAC"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12), "MULTIPLE_PRIVATE_KEYS_IN_PKCS12"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED), "PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_PKCS12_TOO_DEEPLY_NESTED), "PKCS12_TOO_DEEPLY_NESTED"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_PRIVATE_KEY_DECODE_ERROR), "PRIVATE_KEY_DECODE_ERROR"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_PRIVATE_KEY_ENCODE_ERROR), "PRIVATE_KEY_ENCODE_ERROR"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_TOO_LONG), "TOO_LONG"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_ALGORITHM), "UNKNOWN_ALGORITHM"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_CIPHER), "UNKNOWN_CIPHER"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_CIPHER_ALGORITHM), "UNKNOWN_CIPHER_ALGORITHM"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_DIGEST), "UNKNOWN_DIGEST"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNKNOWN_HASH), "UNKNOWN_HASH"},
- {ERR_PACK(ERR_LIB_PKCS8, 0, PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM), "UNSUPPORTED_PRIVATE_KEY_ALGORITHM"},
- {0, NULL},
-};
diff --git a/src/crypto/poly1305/poly1305.c b/src/crypto/poly1305/poly1305.c
index bf5cd5e..5a49e2d 100644
--- a/src/crypto/poly1305/poly1305.c
+++ b/src/crypto/poly1305/poly1305.c
@@ -132,19 +132,23 @@
b = (uint32_t)(t[4] >> 26);
state->h0 += b * 5;
- if (len >= 16)
+ if (len >= 16) {
goto poly1305_donna_16bytes;
+ }
/* final bytes */
poly1305_donna_atmost15bytes:
- if (!len)
+ if (!len) {
return;
+ }
- for (j = 0; j < len; j++)
+ for (j = 0; j < len; j++) {
mp[j] = in[j];
+ }
mp[j++] = 1;
- for (; j < 16; j++)
+ for (; j < 16; j++) {
mp[j] = 0;
+ }
len = 0;
t0 = U8TO32_LE(mp + 0);
@@ -221,10 +225,12 @@
if (state->buf_used) {
unsigned int todo = 16 - state->buf_used;
- if (todo > in_len)
+ if (todo > in_len) {
todo = in_len;
- for (i = 0; i < todo; i++)
+ }
+ for (i = 0; i < todo; i++) {
state->buf[state->buf_used + i] = in[i];
+ }
state->buf_used += todo;
in_len -= todo;
in += todo;
@@ -243,8 +249,9 @@
}
if (in_len) {
- for (i = 0; i < in_len; i++)
+ for (i = 0; i < in_len; i++) {
state->buf[i] = in[i];
+ }
state->buf_used = in_len;
}
}
@@ -262,8 +269,9 @@
}
#endif
- if (state->buf_used)
+ if (state->buf_used) {
poly1305_update(state, state->buf, state->buf_used);
+ }
b = state->h0 >> 26;
state->h0 = state->h0 & 0x3ffffff;
diff --git a/src/crypto/poly1305/poly1305_arm.c b/src/crypto/poly1305/poly1305_arm.c
index 61ebec5..c06eded 100644
--- a/src/crypto/poly1305/poly1305_arm.c
+++ b/src/crypto/poly1305/poly1305_arm.c
@@ -135,13 +135,15 @@
int i;
uint8_t t[17];
- for (i = 0; (i < 16) && (i < xlen); i++)
+ for (i = 0; (i < 16) && (i < xlen); i++) {
t[i] = x[i];
+ }
xlen -= i;
x += i;
t[i++] = 1;
- for (; i < 17; i++)
+ for (; i < 17; i++) {
t[i] = 0;
+ }
r->v[0] = 0x3ffffff & load32(t);
r->v[2] = 0x3ffffff & (load32(t + 3) >> 2);
@@ -150,19 +152,22 @@
r->v[8] = load32(t + 13);
if (xlen) {
- for (i = 0; (i < 16) && (i < xlen); i++)
+ for (i = 0; (i < 16) && (i < xlen); i++) {
t[i] = x[i];
+ }
t[i++] = 1;
- for (; i < 17; i++)
+ for (; i < 17; i++) {
t[i] = 0;
+ }
r->v[1] = 0x3ffffff & load32(t);
r->v[3] = 0x3ffffff & (load32(t + 3) >> 2);
r->v[5] = 0x3ffffff & (load32(t + 6) >> 4);
r->v[7] = 0x3ffffff & (load32(t + 9) >> 6);
r->v[9] = load32(t + 13);
- } else
+ } else {
r->v[1] = r->v[3] = r->v[5] = r->v[7] = r->v[9] = 0;
+ }
}
static const fe1305x2 zero __attribute__((aligned(16)));
@@ -188,8 +193,9 @@
r->v[7] = r->v[6] = 0x3f03fff & ((*(uint32_t *)(key + 9)) >> 6);
r->v[9] = r->v[8] = 0x00fffff & ((*(uint32_t *)(key + 12)) >> 8);
- for (j = 0; j < 10; j++)
+ for (j = 0; j < 10; j++) {
h->v[j] = 0; /* XXX: should fast-forward a bit */
+ }
addmulmod(precomp, r, r, &zero); /* precompute r^2 */
addmulmod(precomp + 1, precomp, precomp, &zero); /* precompute r^4 */
@@ -209,10 +215,12 @@
if (st->buf_used) {
unsigned int todo = 32 - st->buf_used;
- if (todo > in_len)
+ if (todo > in_len) {
todo = in_len;
- for (i = 0; i < todo; i++)
+ }
+ for (i = 0; i < todo; i++) {
st->buf[st->buf_used + i] = in[i];
+ }
st->buf_used += todo;
in_len -= todo;
in += todo;
@@ -220,24 +228,27 @@
if (st->buf_used == sizeof(st->buf) && in_len) {
addmulmod(h, h, precomp, &zero);
fe1305x2_frombytearray(c, st->buf, sizeof(st->buf));
- for (i = 0; i < 10; i++)
+ for (i = 0; i < 10; i++) {
h->v[i] += c->v[i];
+ }
st->buf_used = 0;
}
}
while (in_len > 32) {
unsigned int tlen = 1048576;
- if (in_len < tlen)
+ if (in_len < tlen) {
tlen = in_len;
+ }
tlen -= blocks(h, precomp, in, tlen);
in_len -= tlen;
in += tlen;
}
if (in_len) {
- for (i = 0; i < in_len; i++)
+ for (i = 0; i < in_len; i++) {
st->buf[i] = in[i];
+ }
st->buf_used = in_len;
}
}
diff --git a/src/crypto/poly1305/poly1305_vec.c b/src/crypto/poly1305/poly1305_vec.c
index 89fcacb..07578d0 100644
--- a/src/crypto/poly1305/poly1305_vec.c
+++ b/src/crypto/poly1305/poly1305_vec.c
@@ -727,8 +727,9 @@
bytes -= want;
m += want;
st->leftover += want;
- if ((st->leftover < 32) || (bytes == 0))
+ if ((st->leftover < 32) || (bytes == 0)) {
return;
+ }
poly1305_first_block(st, st->buffer);
st->leftover = 0;
}
@@ -742,8 +743,9 @@
bytes -= want;
m += want;
st->leftover += want;
- if (st->leftover < 64)
+ if (st->leftover < 64) {
return;
+ }
poly1305_blocks(st, st->buffer, 64);
st->leftover = 0;
}
@@ -791,8 +793,9 @@
s1 = r1 * (5 << 2);
s2 = r2 * (5 << 2);
- if (leftover < 16)
+ if (leftover < 16) {
goto poly1305_donna_atmost15bytes;
+ }
poly1305_donna_atleast16bytes:
t0 = U8TO64_LE(m + 0);
@@ -821,13 +824,15 @@
m += 16;
leftover -= 16;
- if (leftover >= 16)
+ if (leftover >= 16) {
goto poly1305_donna_atleast16bytes;
+ }
/* final bytes */
poly1305_donna_atmost15bytes:
- if (!leftover)
+ if (!leftover) {
goto poly1305_donna_finish;
+ }
m[leftover++] = 1;
poly1305_block_zero(m + leftover, 16 - leftover);
diff --git a/src/crypto/rand/CMakeLists.txt b/src/crypto/rand/CMakeLists.txt
index 23c1b24..374d8f1 100644
--- a/src/crypto/rand/CMakeLists.txt
+++ b/src/crypto/rand/CMakeLists.txt
@@ -1,5 +1,13 @@
include_directories(. .. ../../include)
+if (${ARCH} STREQUAL "x86_64")
+ set(
+ RAND_ARCH_SOURCES
+
+ rdrand-x86_64.${ASM_EXT}
+ )
+endif()
+
add_library(
rand
@@ -8,4 +16,9 @@
rand.c
urandom.c
windows.c
+ hwrand.c
+
+ ${RAND_ARCH_SOURCES}
)
+
+perlasm(rdrand-x86_64.${ASM_EXT} asm/rdrand-x86_64.pl)
diff --git a/src/crypto/rand/asm/rdrand-x86_64.pl b/src/crypto/rand/asm/rdrand-x86_64.pl
new file mode 100644
index 0000000..a917611
--- /dev/null
+++ b/src/crypto/rand/asm/rdrand-x86_64.pl
@@ -0,0 +1,25 @@
+#!/usr/bin/env perl
+
+$flavour = shift;
+$output = shift;
+if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
+die "can't locate x86_64-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+print<<___;
+.text
+
+.globl CRYPTO_rdrand
+.type CRYPTO_rdrand,\@function,1
+.align 16
+CRYPTO_rdrand:
+ .byte 0x48, 0x0f, 0xc7, 0xf0
+ retq
+___
+
+close STDOUT; # flush
diff --git a/src/crypto/rand/hwrand.c b/src/crypto/rand/hwrand.c
new file mode 100644
index 0000000..73d3de7
--- /dev/null
+++ b/src/crypto/rand/hwrand.c
@@ -0,0 +1,56 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/cpu.h>
+
+
+#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
+
+int CRYPTO_have_hwrand(void) {
+ return (OPENSSL_ia32cap_P[1] & (1u << 30)) != 0;
+}
+
+/* CRYPTO_rdrand is defined in asm/rdrand-x86_64.pl */
+extern uint64_t CRYPTO_rdrand(void);
+
+void CRYPTO_hwrand(uint8_t *buf, size_t len) {
+ while (len >= 8) {
+ uint64_t rand = CRYPTO_rdrand();
+ memcpy(buf, &rand, sizeof(rand));
+ len -= sizeof(rand);
+ buf += sizeof(rand);
+ }
+
+ if (len > 0) {
+ uint64_t rand = CRYPTO_rdrand();
+ memcpy(buf, &rand, len);
+ }
+}
+
+#else
+
+int CRYPTO_have_hwrand(void) {
+ return 0;
+}
+
+void CRYPTO_hwrand(uint8_t *buf, size_t len) {
+ abort();
+}
+
+#endif
diff --git a/src/crypto/rand/internal.h b/src/crypto/rand/internal.h
new file mode 100644
index 0000000..1cca7f3
--- /dev/null
+++ b/src/crypto/rand/internal.h
@@ -0,0 +1,40 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating
+ * system. */
+void CRYPTO_sysrand(uint8_t *buf, size_t len);
+
+/* CRYPTO_have_hwrand returns one iff |CRYPTO_hwrand| can be called to generate
+ * hardware entropy. */
+int CRYPTO_have_hwrand(void);
+
+/* CRYPTO_hwrand fills |len| bytes at |buf| with entropy from the hardware.
+ * This function can only be called if |CRYPTO_have_hwrand| returns one. */
+void CRYPTO_hwrand(uint8_t *buf, size_t len);
+
+
+#if defined(__cplusplus)
+} /* extern C */
+#endif
+
+#endif /* OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H */
diff --git a/src/crypto/rand/rand.c b/src/crypto/rand/rand.c
index efd6c0a..ae30edb 100644
--- a/src/crypto/rand/rand.c
+++ b/src/crypto/rand/rand.c
@@ -14,6 +14,134 @@
#include <openssl/rand.h>
+#include <string.h>
+
+#include <openssl/mem.h>
+
+#include "internal.h"
+#include "../internal.h"
+
+
+/* It's assumed that the operating system always has an unfailing source of
+ * entropy which is accessed via |CRYPTO_sysrand|. (If the operating system
+ * entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we
+ * don't try to handle it.)
+ *
+ * In addition, the hardware may provide a low-latency RNG. Intel's rdrand
+ * instruction is the canonical example of this. When a hardware RNG is
+ * available we don't need to worry about an RNG failure arising from fork()ing
+ * the process or moving a VM, so we can keep thread-local RNG state and XOR
+ * the hardware entropy in.
+ *
+ * (We assume that the OS entropy is safe from fork()ing and VM duplication.
+ * This might be a bit of a leap of faith, esp on Windows, but there's nothing
+ * that we can do about it.) */
+
+/* rand_thread_state contains the per-thread state for the RNG. This is only
+ * used if the system has support for a hardware RNG. */
+struct rand_thread_state {
+ uint8_t key[32];
+ uint64_t calls_used;
+ size_t bytes_used;
+ uint8_t partial_block[64];
+ unsigned partial_block_used;
+};
+
+/* kMaxCallsPerRefresh is the maximum number of |RAND_bytes| calls that we'll
+ * serve before reading a new key from the operating system. This only applies
+ * if we have a hardware RNG. */
+static const unsigned kMaxCallsPerRefresh = 1024;
+
+/* kMaxBytesPerRefresh is the maximum number of bytes that we'll return from
+ * |RAND_bytes| before reading a new key from the operating system. This only
+ * applies if we have a hardware RNG. */
+static const uint64_t kMaxBytesPerRefresh = 1024 * 1024;
+
+/* rand_thread_state_free frees a |rand_thread_state|. This is called when a
+ * thread exits. */
+static void rand_thread_state_free(void *state) {
+ if (state == NULL) {
+ return;
+ }
+
+ OPENSSL_cleanse(state, sizeof(struct rand_thread_state));
+ OPENSSL_free(state);
+}
+
+extern void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
+ const uint8_t key[32], const uint8_t nonce[8],
+ size_t counter);
+
+int RAND_bytes(uint8_t *buf, size_t len) {
+ if (len == 0) {
+ return 1;
+ }
+
+ if (!CRYPTO_have_hwrand()) {
+ /* Without a hardware RNG to save us from address-space duplication, the OS
+ * entropy is used directly. */
+ CRYPTO_sysrand(buf, len);
+ return 1;
+ }
+
+ struct rand_thread_state *state =
+ CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_RAND);
+ if (state == NULL) {
+ state = OPENSSL_malloc(sizeof(struct rand_thread_state));
+ if (state == NULL ||
+ !CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state,
+ rand_thread_state_free)) {
+ CRYPTO_sysrand(buf, len);
+ return 1;
+ }
+
+ state->calls_used = kMaxCallsPerRefresh;
+ }
+
+ if (state->calls_used >= kMaxCallsPerRefresh ||
+ state->bytes_used >= kMaxBytesPerRefresh) {
+ CRYPTO_sysrand(state->key, sizeof(state->key));
+ state->calls_used = 0;
+ state->bytes_used = 0;
+ state->partial_block_used = sizeof(state->partial_block);
+ }
+
+ CRYPTO_hwrand(buf, len);
+
+ if (len >= sizeof(state->partial_block)) {
+ size_t remaining = len;
+ while (remaining > 0) {
+ // kMaxBytesPerCall is only 2GB, while ChaCha can handle 256GB. But this
+ // is sufficient and easier on 32-bit.
+ static const size_t kMaxBytesPerCall = 0x80000000;
+ size_t todo = remaining;
+ if (todo > kMaxBytesPerCall) {
+ todo = kMaxBytesPerCall;
+ }
+ CRYPTO_chacha_20(buf, buf, todo, state->key,
+ (uint8_t *)&state->calls_used, 0);
+ buf += todo;
+ remaining -= todo;
+ state->calls_used++;
+ }
+ } else {
+ if (sizeof(state->partial_block) - state->partial_block_used < len) {
+ CRYPTO_chacha_20(state->partial_block, state->partial_block,
+ sizeof(state->partial_block), state->key,
+ (uint8_t *)&state->calls_used, 0);
+ state->partial_block_used = 0;
+ }
+
+ unsigned i;
+ for (i = 0; i < len; i++) {
+ buf[i] ^= state->partial_block[state->partial_block_used++];
+ }
+ state->calls_used++;
+ }
+ state->bytes_used += len;
+
+ return 1;
+}
int RAND_pseudo_bytes(uint8_t *buf, size_t len) {
return RAND_bytes(buf, len);
diff --git a/src/crypto/rand/urandom.c b/src/crypto/rand/urandom.c
index 2ad4af0..788a979 100644
--- a/src/crypto/rand/urandom.c
+++ b/src/crypto/rand/urandom.c
@@ -19,13 +19,15 @@
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
-#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <openssl/thread.h>
#include <openssl/mem.h>
+#include "internal.h"
+#include "../internal.h"
+
/* This file implements a PRNG by reading from /dev/urandom, optionally with a
* fork-safe buffer.
@@ -73,23 +75,26 @@
/* rand_bytes_per_buf is the number of actual entropy bytes in a buffer. */
static const size_t rand_bytes_per_buf = BUF_SIZE - sizeof(struct rand_buffer);
+static struct CRYPTO_STATIC_MUTEX global_lock = CRYPTO_STATIC_MUTEX_INIT;
+
/* list_head is the start of a global, linked-list of rand_buffer objects. It's
- * protected by CRYPTO_LOCK_RAND. */
+ * protected by |global_lock|. */
static struct rand_buffer *list_head;
/* urandom_fd is a file descriptor to /dev/urandom. It's protected by
- * CRYPTO_LOCK_RAND. */
+ * |global_lock|. */
static int urandom_fd = -2;
/* urandom_buffering controls whether buffering is enabled (1) or not (0). This
- * is protected by CRYPTO_LOCK_RAND. */
+ * is protected by |global_lock|. */
static int urandom_buffering = 0;
/* urandom_get_fd_locked returns a file descriptor to /dev/urandom. The caller
- * of this function must hold CRYPTO_LOCK_RAND. */
+ * of this function must hold |global_lock|. */
static int urandom_get_fd_locked(void) {
- if (urandom_fd != -2)
+ if (urandom_fd != -2) {
return urandom_fd;
+ }
urandom_fd = open("/dev/urandom", O_RDONLY);
return urandom_fd;
@@ -100,7 +105,7 @@
void RAND_cleanup(void) {
struct rand_buffer *cur;
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ CRYPTO_STATIC_MUTEX_lock_write(&global_lock);
while ((cur = list_head)) {
list_head = cur->next;
OPENSSL_free(cur);
@@ -110,7 +115,7 @@
}
urandom_fd = -2;
list_head = NULL;
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ CRYPTO_STATIC_MUTEX_unlock(&global_lock);
}
/* read_full reads exactly |len| bytes from |fd| into |out| and returns 1. In
@@ -133,36 +138,34 @@
return 1;
}
-/* urandom_rand_pseudo_bytes puts |num| random bytes into |out|. It returns
- * one on success and zero otherwise. */
-int RAND_bytes(uint8_t *out, size_t requested) {
+/* CRYPTO_sysrand puts |num| random bytes into |out|. */
+void CRYPTO_sysrand(uint8_t *out, size_t requested) {
int fd;
struct rand_buffer *buf;
size_t todo;
pid_t pid, ppid;
if (requested == 0) {
- return 1;
+ return;
}
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ CRYPTO_STATIC_MUTEX_lock_write(&global_lock);
fd = urandom_get_fd_locked();
if (fd < 0) {
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ CRYPTO_STATIC_MUTEX_unlock(&global_lock);
abort();
- return 0;
+ return;
}
/* If buffering is not enabled, or if the request is large, then the
* result comes directly from urandom. */
if (!urandom_buffering || requested > BUF_SIZE / 2) {
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ CRYPTO_STATIC_MUTEX_unlock(&global_lock);
if (!read_full(fd, out, requested)) {
abort();
- return 0;
}
- return 1;
+ return;
}
pid = getpid();
@@ -174,8 +177,8 @@
rand_bytes_per_buf - buf->used >= requested) {
memcpy(out, &buf->rand[buf->used], requested);
buf->used += requested;
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
- return 1;
+ CRYPTO_STATIC_MUTEX_unlock(&global_lock);
+ return;
}
/* If we don't immediately have enough entropy with the correct
@@ -184,10 +187,14 @@
if (buf) {
list_head = buf->next;
}
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+ CRYPTO_STATIC_MUTEX_unlock(&global_lock);
if (!buf) {
buf = (struct rand_buffer *)OPENSSL_malloc(BUF_SIZE);
+ if (!buf) {
+ abort();
+ return;
+ }
/* The buffer doesn't contain any random bytes yet
* so we mark it as fully used so that it will be
* filled below. */
@@ -204,7 +211,7 @@
/* We have forked and so cannot use these bytes as they
* may have been used in another process. */
OPENSSL_free(buf);
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ CRYPTO_STATIC_MUTEX_lock_write(&global_lock);
}
while (requested > 0) {
@@ -224,18 +231,17 @@
if (!read_full(fd, buf->rand, rand_bytes_per_buf)) {
OPENSSL_free(buf);
abort();
- return 0;
+ return;
}
buf->used = 0;
}
- CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+ CRYPTO_STATIC_MUTEX_lock_write(&global_lock);
assert(list_head != buf);
buf->next = list_head;
list_head = buf;
- CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
- return 1;
+ CRYPTO_STATIC_MUTEX_unlock(&global_lock);
}
#endif /* !OPENSSL_WINDOWS */
diff --git a/src/crypto/rand/windows.c b/src/crypto/rand/windows.c
index e8b2d78..7bfcb1d 100644
--- a/src/crypto/rand/windows.c
+++ b/src/crypto/rand/windows.c
@@ -27,16 +27,18 @@
* "Community Additions" comment on MSDN here:
* http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx */
#define SystemFunction036 NTAPI SystemFunction036
-#include <ntsecapi.h>
+#include <NTSecAPI.h>
#undef SystemFunction036
#pragma warning(pop)
+#include "internal.h"
+
void RAND_cleanup(void) {
}
-int RAND_bytes(uint8_t *out, size_t requested) {
+void CRYPTO_sysrand(uint8_t *out, size_t requested) {
while (requested > 0) {
ULONG output_bytes_this_pass = ULONG_MAX;
if (requested < output_bytes_this_pass) {
@@ -48,7 +50,7 @@
requested -= output_bytes_this_pass;
out += output_bytes_this_pass;
}
- return 1;
+ return;
}
#endif /* OPENSSL_WINDOWS */
diff --git a/src/crypto/rc4/asm/rc4-x86_64.pl b/src/crypto/rc4/asm/rc4-x86_64.pl
index 2c52ac0..db46242 100644
--- a/src/crypto/rc4/asm/rc4-x86_64.pl
+++ b/src/crypto/rc4/asm/rc4-x86_64.pl
@@ -502,32 +502,6 @@
mov %eax,-4($dat)
ret
.size asm_RC4_set_key,.-asm_RC4_set_key
-
-.globl RC4_options
-.type RC4_options,\@abi-omnipotent
-.align 16
-RC4_options:
- lea .Lopts(%rip),%rax
- mov OPENSSL_ia32cap_P(%rip),%rdx
- mov (%rdx),%edx
- bt \$20,%edx
- jc .L8xchar
- bt \$30,%edx
- jnc .Ldone
- add \$25,%rax
- ret
-.L8xchar:
- add \$12,%rax
-.Ldone:
- ret
-.align 64
-.Lopts:
-.asciz "rc4(8x,int)"
-.asciz "rc4(8x,char)"
-.asciz "rc4(16x,int)"
-.asciz "RC4 for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
-.align 64
-.size RC4_options,.-RC4_options
___
# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
diff --git a/src/crypto/rc4/rc4.c b/src/crypto/rc4/rc4.c
index 00b59c8..2a98fd0 100644
--- a/src/crypto/rc4/rc4.c
+++ b/src/crypto/rc4/rc4.c
@@ -67,8 +67,6 @@
#error "Unknown word size"
#endif
-#define RC4_INT uint32_t
-
/* RC4 as implemented from a posting from
* Newsgroups: sci.crypt
@@ -78,44 +76,14 @@
* Date: Wed, 14 Sep 1994 06:35:31 GMT */
void RC4(RC4_KEY *key, size_t len, const uint8_t *in, uint8_t *out) {
- register RC4_INT *d;
- register RC4_INT x, y, tx, ty;
+ uint32_t *d;
+ uint32_t x, y, tx, ty;
size_t i;
x = key->x;
y = key->y;
d = key->data;
-#if defined(RC4_CHUNK)
-/* The original reason for implementing this(*) was the fact that
- * pre-21164a Alpha CPUs don't have byte load/store instructions
- * and e.g. a byte store has to be done with 64-bit load, shift,
- * and, or and finally 64-bit store. Peaking data and operating
- * at natural word size made it possible to reduce amount of
- * instructions as well as to perform early read-ahead without
- * suffering from RAW (read-after-write) hazard. This resulted
- * in ~40%(**) performance improvement on 21064 box with gcc.
- * But it's not only Alpha users who win here:-) Thanks to the
- * early-n-wide read-ahead this implementation also exhibits
- * >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
- * on sizeof(RC4_INT)).
- *
- * (*) "this" means code which recognizes the case when input
- * and output pointers appear to be aligned at natural CPU
- * word boundary
- * (**) i.e. according to 'apps/openssl speed rc4' benchmark,
- * crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
- *
- * Cavets.
- *
- * - RC4_CHUNK="unsigned long long" should be a #1 choice for
- * UltraSPARC. Unfortunately gcc generates very slow code
- * (2.5-3 times slower than one generated by Sun's WorkShop
- * C) and therefore gcc (at least 2.95 and earlier) should
- * always be told that RC4_CHUNK="unsigned long".
- *
- * <appro@fy.chalmers.se> */
-
#define RC4_STEP \
(x = (x + 1) & 0xff, tx = d[x], y = (tx + y) & 0xff, ty = d[y], d[y] = tx, \
d[x] = ty, (RC4_CHUNK)d[(tx + ty) & 0xff])
@@ -255,7 +223,6 @@
return;
}
}
-#endif
#define LOOP(in, out) \
x = ((x + 1) & 0xff); \
tx = d[x]; \
@@ -285,34 +252,42 @@
in += 8;
out += 8;
#endif
- if (--i == 0)
+ if (--i == 0) {
break;
+ }
}
}
i = len & 0x07;
if (i) {
for (;;) {
RC4_LOOP(in, out, 0);
- if (--i == 0)
+ if (--i == 0) {
break;
+ }
RC4_LOOP(in, out, 1);
- if (--i == 0)
+ if (--i == 0) {
break;
+ }
RC4_LOOP(in, out, 2);
- if (--i == 0)
+ if (--i == 0) {
break;
+ }
RC4_LOOP(in, out, 3);
- if (--i == 0)
+ if (--i == 0) {
break;
+ }
RC4_LOOP(in, out, 4);
- if (--i == 0)
+ if (--i == 0) {
break;
+ }
RC4_LOOP(in, out, 5);
- if (--i == 0)
+ if (--i == 0) {
break;
+ }
RC4_LOOP(in, out, 6);
- if (--i == 0)
+ if (--i == 0) {
break;
+ }
}
}
key->x = x;
@@ -320,9 +295,9 @@
}
void RC4_set_key(RC4_KEY *rc4key, unsigned len, const uint8_t *key) {
- register RC4_INT tmp;
- register int id1, id2;
- register RC4_INT *d;
+ uint32_t tmp;
+ int id1, id2;
+ uint32_t *d;
unsigned int i;
d = &rc4key->data[0];
diff --git a/src/crypto/rsa/CMakeLists.txt b/src/crypto/rsa/CMakeLists.txt
index b3d8fa4..c438e1d 100644
--- a/src/crypto/rsa/CMakeLists.txt
+++ b/src/crypto/rsa/CMakeLists.txt
@@ -10,7 +10,6 @@
blinding.c
padding.c
rsa_asn1.c
- rsa_error.c
)
add_executable(
diff --git a/src/crypto/rsa/blinding.c b/src/crypto/rsa/blinding.c
index 06f87a7..245142b 100644
--- a/src/crypto/rsa/blinding.c
+++ b/src/crypto/rsa/blinding.c
@@ -113,6 +113,7 @@
#include <openssl/bn.h>
#include <openssl/mem.h>
#include <openssl/err.h>
+#include <openssl/thread.h>
#include "internal.h"
@@ -124,7 +125,6 @@
BIGNUM *Ai;
BIGNUM *e;
BIGNUM *mod; /* just a reference */
- CRYPTO_THREADID tid;
int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
@@ -167,13 +167,10 @@
* to indicate that this is never-used fresh blinding
* that does not need updating before first use. */
ret->counter = -1;
- CRYPTO_THREADID_current(&ret->tid);
return ret;
err:
- if (ret != NULL) {
- BN_BLINDING_free(ret);
- }
+ BN_BLINDING_free(ret);
return NULL;
}
@@ -182,14 +179,10 @@
return;
}
- if (r->A != NULL)
- BN_free(r->A);
- if (r->Ai != NULL)
- BN_free(r->Ai);
- if (r->e != NULL)
- BN_free(r->e);
- if (r->mod != NULL)
- BN_free(r->mod);
+ BN_free(r->A);
+ BN_free(r->Ai);
+ BN_free(r->e);
+ BN_free(r->mod);
OPENSSL_free(r);
}
@@ -282,8 +275,6 @@
return ret;
}
-CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *b) { return &b->tid; }
-
unsigned long BN_BLINDING_get_flags(const BN_BLINDING *b) { return b->flags; }
void BN_BLINDING_set_flags(BN_BLINDING *b, unsigned long flags) {
@@ -316,9 +307,7 @@
}
if (e != NULL) {
- if (ret->e != NULL) {
- BN_free(ret->e);
- }
+ BN_free(ret->e);
ret->e = BN_dup(e);
}
if (ret->e == NULL) {
@@ -367,7 +356,7 @@
return ret;
err:
- if (b == NULL && ret != NULL) {
+ if (b == NULL) {
BN_BLINDING_free(ret);
ret = NULL;
}
@@ -413,6 +402,7 @@
BIGNUM *e, *n;
BN_CTX *ctx;
BN_BLINDING *ret = NULL;
+ BN_MONT_CTX *mont_ctx = NULL;
if (in_ctx == NULL) {
ctx = BN_CTX_new();
@@ -444,19 +434,19 @@
BN_with_flags(n, rsa->n, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
- ctx)) {
+ mont_ctx =
+ BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx);
+ if (mont_ctx == NULL) {
goto err;
}
}
ret = BN_BLINDING_create_param(NULL, e, n, ctx, rsa->meth->bn_mod_exp,
- rsa->_method_mod_n);
+ mont_ctx);
if (ret == NULL) {
OPENSSL_PUT_ERROR(RSA, rsa_setup_blinding, ERR_R_BN_LIB);
goto err;
}
- CRYPTO_THREADID_current(BN_BLINDING_thread_id(ret));
err:
BN_CTX_end(ctx);
diff --git a/src/crypto/rsa/internal.h b/src/crypto/rsa/internal.h
index 3dd4f04..d15f2a5 100644
--- a/src/crypto/rsa/internal.h
+++ b/src/crypto/rsa/internal.h
@@ -60,7 +60,7 @@
#include <openssl/base.h>
#include <openssl/asn1.h>
-#include <openssl/thread.h>
+
#if defined(__cplusplus)
extern "C" {
@@ -81,7 +81,6 @@
int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *);
int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *);
-CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
BN_BLINDING *BN_BLINDING_create_param(
diff --git a/src/crypto/rsa/padding.c b/src/crypto/rsa/padding.c
index 66fdf13..0a725f1 100644
--- a/src/crypto/rsa/padding.c
+++ b/src/crypto/rsa/padding.c
@@ -443,9 +443,7 @@
ret = 1;
out:
- if (dbmask != NULL) {
- OPENSSL_free(dbmask);
- }
+ OPENSSL_free(dbmask);
return ret;
}
@@ -544,9 +542,7 @@
OPENSSL_PUT_ERROR(RSA, RSA_padding_check_PKCS1_OAEP_mgf1,
RSA_R_OAEP_DECODING_ERROR);
err:
- if (db != NULL) {
- OPENSSL_free(db);
- }
+ OPENSSL_free(db);
return -1;
}
@@ -620,8 +616,9 @@
if (MSBits) {
DB[0] &= 0xFF >> (8 - MSBits);
}
- for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++)
+ for (i = 0; DB[i] == 0 && i < (maskedDBLen - 1); i++) {
;
+ }
if (DB[i++] != 0x1) {
OPENSSL_PUT_ERROR(RSA, RSA_verify_PKCS1_PSS_mgf1,
RSA_R_SLEN_RECOVERY_FAILED);
@@ -652,9 +649,7 @@
}
err:
- if (DB) {
- OPENSSL_free(DB);
- }
+ OPENSSL_free(DB);
EVP_MD_CTX_cleanup(&ctx);
return ret;
@@ -771,9 +766,7 @@
ret = 1;
err:
- if (salt) {
- OPENSSL_free(salt);
- }
+ OPENSSL_free(salt);
return ret;
}
diff --git a/src/crypto/rsa/rsa.c b/src/crypto/rsa/rsa.c
index 66002cc..5cc48ed 100644
--- a/src/crypto/rsa/rsa.c
+++ b/src/crypto/rsa/rsa.c
@@ -64,12 +64,16 @@
#include <openssl/ex_data.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
+#include <openssl/thread.h>
#include "internal.h"
+#include "../internal.h"
extern const RSA_METHOD RSA_default_method;
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
RSA *RSA_new(void) { return RSA_new_method(NULL); }
RSA *RSA_new_method(const ENGINE *engine) {
@@ -92,15 +96,16 @@
rsa->references = 1;
rsa->flags = rsa->meth->flags;
+ CRYPTO_MUTEX_init(&rsa->lock);
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, rsa, &rsa->ex_data)) {
+ if (!CRYPTO_new_ex_data(&g_ex_data_class, rsa, &rsa->ex_data)) {
METHOD_unref(rsa->meth);
OPENSSL_free(rsa);
return NULL;
}
if (rsa->meth->init && !rsa->meth->init(rsa)) {
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, rsa, &rsa->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, rsa, &rsa->ex_data);
METHOD_unref(rsa->meth);
OPENSSL_free(rsa);
return NULL;
@@ -125,31 +130,22 @@
}
METHOD_unref(rsa->meth);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, rsa, &rsa->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, rsa, &rsa->ex_data);
- if (rsa->n != NULL)
- BN_clear_free(rsa->n);
- if (rsa->e != NULL)
- BN_clear_free(rsa->e);
- if (rsa->d != NULL)
- BN_clear_free(rsa->d);
- if (rsa->p != NULL)
- BN_clear_free(rsa->p);
- if (rsa->q != NULL)
- BN_clear_free(rsa->q);
- if (rsa->dmp1 != NULL)
- BN_clear_free(rsa->dmp1);
- if (rsa->dmq1 != NULL)
- BN_clear_free(rsa->dmq1);
- if (rsa->iqmp != NULL)
- BN_clear_free(rsa->iqmp);
+ BN_clear_free(rsa->n);
+ BN_clear_free(rsa->e);
+ BN_clear_free(rsa->d);
+ BN_clear_free(rsa->p);
+ BN_clear_free(rsa->q);
+ BN_clear_free(rsa->dmp1);
+ BN_clear_free(rsa->dmq1);
+ BN_clear_free(rsa->iqmp);
for (u = 0; u < rsa->num_blindings; u++) {
BN_BLINDING_free(rsa->blindings[u]);
}
- if (rsa->blindings != NULL)
- OPENSSL_free(rsa->blindings);
- if (rsa->blindings_inuse != NULL)
- OPENSSL_free(rsa->blindings_inuse);
+ OPENSSL_free(rsa->blindings);
+ OPENSSL_free(rsa->blindings_inuse);
+ CRYPTO_MUTEX_cleanup(&rsa->lock);
OPENSSL_free(rsa);
}
@@ -271,8 +267,12 @@
int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp, new_func,
- dup_func, free_func);
+ int index;
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+ dup_func, free_func)) {
+ return -1;
+ }
+ return index;
}
int RSA_set_ex_data(RSA *d, int idx, void *arg) {
@@ -338,12 +338,6 @@
0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},
},
{
- NID_ripemd160,
- 14,
- {0x30, 0x20, 0x30, 0x08, 0x06, 0x06, 0x28, 0xcf, 0x06, 0x03, 0x00, 0x31,
- 0x04, 0x14},
- },
- {
NID_undef, 0, {0},
},
};
@@ -357,15 +351,11 @@
int *is_alloced, int hash_nid, const uint8_t *msg,
size_t msg_len) {
unsigned i;
- const uint8_t* prefix = NULL;
- unsigned prefix_len;
- uint8_t *signed_msg;
- unsigned signed_msg_len;
if (hash_nid == NID_md5_sha1) {
/* Special case: SSL signature, just check the length. */
if (msg_len != SSL_SIG_LENGTH) {
- OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_INVALID_MESSAGE_LENGTH);
+ OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_INVALID_MESSAGE_LENGTH);
return 0;
}
@@ -377,38 +367,39 @@
for (i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {
const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];
- if (sig_prefix->nid == hash_nid) {
- prefix = sig_prefix->bytes;
- prefix_len = sig_prefix->len;
- break;
+ if (sig_prefix->nid != hash_nid) {
+ continue;
}
+
+ const uint8_t* prefix = sig_prefix->bytes;
+ unsigned prefix_len = sig_prefix->len;
+ unsigned signed_msg_len;
+ uint8_t *signed_msg;
+
+ signed_msg_len = prefix_len + msg_len;
+ if (signed_msg_len < prefix_len) {
+ OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_TOO_LONG);
+ return 0;
+ }
+
+ signed_msg = OPENSSL_malloc(signed_msg_len);
+ if (!signed_msg) {
+ OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ memcpy(signed_msg, prefix, prefix_len);
+ memcpy(signed_msg + prefix_len, msg, msg_len);
+
+ *out_msg = signed_msg;
+ *out_msg_len = signed_msg_len;
+ *is_alloced = 1;
+
+ return 1;
}
- if (prefix == NULL) {
- OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_UNKNOWN_ALGORITHM_TYPE);
- return 0;
- }
-
- signed_msg_len = prefix_len + msg_len;
- if (signed_msg_len < prefix_len) {
- OPENSSL_PUT_ERROR(RSA, RSA_sign, RSA_R_TOO_LONG);
- return 0;
- }
-
- signed_msg = OPENSSL_malloc(signed_msg_len);
- if (!signed_msg) {
- OPENSSL_PUT_ERROR(RSA, RSA_sign, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- memcpy(signed_msg, prefix, prefix_len);
- memcpy(signed_msg + prefix_len, msg, msg_len);
-
- *out_msg = signed_msg;
- *out_msg_len = signed_msg_len;
- *is_alloced = 1;
-
- return 1;
+ OPENSSL_PUT_ERROR(RSA, pkcs1_prefixed_msg, RSA_R_UNKNOWN_ALGORITHM_TYPE);
+ return 0;
}
int RSA_sign(int hash_nid, const uint8_t *in, unsigned in_len, uint8_t *out,
@@ -495,9 +486,7 @@
ret = 1;
out:
- if (buf != NULL) {
- OPENSSL_free(buf);
- }
+ OPENSSL_free(buf);
if (signed_msg_is_alloced) {
OPENSSL_free(signed_msg);
}
@@ -505,10 +494,6 @@
}
static void bn_free_and_null(BIGNUM **bn) {
- if (*bn == NULL) {
- return;
- }
-
BN_free(*bn);
*bn = NULL;
}
diff --git a/src/crypto/rsa/rsa_error.c b/src/crypto/rsa/rsa_error.c
deleted file mode 100644
index 3c8ebe4..0000000
--- a/src/crypto/rsa/rsa_error.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/rsa.h>
-
-const ERR_STRING_DATA RSA_error_string_data[] = {
- {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_convert_ex, 0), "BN_BLINDING_convert_ex"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_create_param, 0), "BN_BLINDING_create_param"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_invert_ex, 0), "BN_BLINDING_invert_ex"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_new, 0), "BN_BLINDING_new"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_BN_BLINDING_update, 0), "BN_BLINDING_update"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_check_key, 0), "RSA_check_key"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_new_method, 0), "RSA_new_method"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_PKCS1_OAEP_mgf1, 0), "RSA_padding_add_PKCS1_OAEP_mgf1"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_PKCS1_PSS_mgf1, 0), "RSA_padding_add_PKCS1_PSS_mgf1"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_PKCS1_type_1, 0), "RSA_padding_add_PKCS1_type_1"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_PKCS1_type_2, 0), "RSA_padding_add_PKCS1_type_2"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_SSLv23, 0), "RSA_padding_add_SSLv23"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_add_none, 0), "RSA_padding_add_none"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_PKCS1_OAEP_mgf1, 0), "RSA_padding_check_PKCS1_OAEP_mgf1"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_PKCS1_type_1, 0), "RSA_padding_check_PKCS1_type_1"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_PKCS1_type_2, 0), "RSA_padding_check_PKCS1_type_2"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_SSLv23, 0), "RSA_padding_check_SSLv23"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_padding_check_none, 0), "RSA_padding_check_none"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_recover_crt_params, 0), "RSA_recover_crt_params"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_sign, 0), "RSA_sign"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_verify, 0), "RSA_verify"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_verify_PKCS1_PSS_mgf1, 0), "RSA_verify_PKCS1_PSS_mgf1"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_decrypt, 0), "decrypt"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_encrypt, 0), "encrypt"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_keygen, 0), "keygen"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_pkcs1_prefixed_msg, 0), "pkcs1_prefixed_msg"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_private_transform, 0), "private_transform"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_rsa_setup_blinding, 0), "rsa_setup_blinding"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_sign_raw, 0), "sign_raw"},
- {ERR_PACK(ERR_LIB_RSA, RSA_F_verify_raw, 0), "verify_raw"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_E_VALUE), "BAD_E_VALUE"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_FIXED_HEADER_DECRYPT), "BAD_FIXED_HEADER_DECRYPT"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_PAD_BYTE_COUNT), "BAD_PAD_BYTE_COUNT"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_RSA_PARAMETERS), "BAD_RSA_PARAMETERS"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BAD_SIGNATURE), "BAD_SIGNATURE"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BLOCK_TYPE_IS_NOT_01), "BLOCK_TYPE_IS_NOT_01"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BLOCK_TYPE_IS_NOT_02), "BLOCK_TYPE_IS_NOT_02"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_BN_NOT_INITIALIZED), "BN_NOT_INITIALIZED"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_CRT_PARAMS_ALREADY_GIVEN), "CRT_PARAMS_ALREADY_GIVEN"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_CRT_VALUES_INCORRECT), "CRT_VALUES_INCORRECT"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN), "DATA_LEN_NOT_EQUAL_TO_MOD_LEN"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_LARGE), "DATA_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE), "DATA_TOO_LARGE_FOR_KEY_SIZE"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_LARGE_FOR_MODULUS), "DATA_TOO_LARGE_FOR_MODULUS"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_SMALL), "DATA_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE), "DATA_TOO_SMALL_FOR_KEY_SIZE"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY), "DIGEST_TOO_BIG_FOR_RSA_KEY"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_D_E_NOT_CONGRUENT_TO_1), "D_E_NOT_CONGRUENT_TO_1"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_EMPTY_PUBLIC_KEY), "EMPTY_PUBLIC_KEY"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_FIRST_OCTET_INVALID), "FIRST_OCTET_INVALID"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES), "INCONSISTENT_SET_OF_CRT_VALUES"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_INTERNAL_ERROR), "INTERNAL_ERROR"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_INVALID_MESSAGE_LENGTH), "INVALID_MESSAGE_LENGTH"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_KEY_SIZE_TOO_SMALL), "KEY_SIZE_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_LAST_OCTET_INVALID), "LAST_OCTET_INVALID"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MODULUS_TOO_LARGE), "MODULUS_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "NO_PUBLIC_EXPONENT"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), "NULL_BEFORE_BLOCK_MISSING"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_NOT_EQUAL_P_Q), "N_NOT_EQUAL_P_Q"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), "OAEP_DECODING_ERROR"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_ONLY_ONE_OF_P_Q_GIVEN), "ONLY_ONE_OF_P_Q_GIVEN"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OUTPUT_BUFFER_TOO_SMALL), "OUTPUT_BUFFER_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), "PADDING_CHECK_FAILED"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PKCS_DECODING_ERROR), "PKCS_DECODING_ERROR"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_SLEN_CHECK_FAILED), "SLEN_CHECK_FAILED"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_SLEN_RECOVERY_FAILED), "SLEN_RECOVERY_FAILED"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_SSLV3_ROLLBACK_ATTACK), "SSLV3_ROLLBACK_ATTACK"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_TOO_LONG), "TOO_LONG"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_TOO_MANY_ITERATIONS), "TOO_MANY_ITERATIONS"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNKNOWN_ALGORITHM_TYPE), "UNKNOWN_ALGORITHM_TYPE"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNKNOWN_PADDING_TYPE), "UNKNOWN_PADDING_TYPE"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "VALUE_MISSING"},
- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_WRONG_SIGNATURE_LENGTH), "WRONG_SIGNATURE_LENGTH"},
- {0, NULL},
-};
diff --git a/src/crypto/rsa/rsa_impl.c b/src/crypto/rsa/rsa_impl.c
index d950d50..e14f0f5 100644
--- a/src/crypto/rsa/rsa_impl.c
+++ b/src/crypto/rsa/rsa_impl.c
@@ -61,8 +61,10 @@
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/mem.h>
+#include <openssl/thread.h>
#include "internal.h"
+#include "../internal.h"
#define OPENSSL_RSA_MAX_MODULUS_BITS 16384
@@ -72,15 +74,9 @@
static int finish(RSA *rsa) {
- if (rsa->_method_mod_n != NULL) {
- BN_MONT_CTX_free(rsa->_method_mod_n);
- }
- if (rsa->_method_mod_p != NULL) {
- BN_MONT_CTX_free(rsa->_method_mod_p);
- }
- if (rsa->_method_mod_q != NULL) {
- BN_MONT_CTX_free(rsa->_method_mod_q);
- }
+ BN_MONT_CTX_free(rsa->_method_mod_n);
+ BN_MONT_CTX_free(rsa->_method_mod_p);
+ BN_MONT_CTX_free(rsa->_method_mod_q);
return 1;
}
@@ -165,13 +161,14 @@
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
- ctx)) {
+ if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==
+ NULL) {
goto err;
}
}
- if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx, rsa->_method_mod_n)) {
+ if (!rsa->meth->bn_mod_exp(result, f, rsa->e, rsa->n, ctx,
+ rsa->_method_mod_n)) {
goto err;
}
@@ -217,37 +214,20 @@
uint8_t *new_blindings_inuse;
char overflow = 0;
- CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
- if (rsa->num_blindings > 0) {
- unsigned i, starting_index;
- CRYPTO_THREADID threadid;
+ CRYPTO_MUTEX_lock_write(&rsa->lock);
- /* We start searching the array at a value based on the
- * threadid in order to try avoid bouncing the BN_BLINDING
- * values around different threads. It's harmless if
- * threadid.val is always set to zero. */
- CRYPTO_THREADID_current(&threadid);
- starting_index = threadid.val % rsa->num_blindings;
-
- for (i = starting_index;;) {
- if (rsa->blindings_inuse[i] == 0) {
- rsa->blindings_inuse[i] = 1;
- ret = rsa->blindings[i];
- *index_used = i;
- break;
- }
- i++;
- if (i == rsa->num_blindings) {
- i = 0;
- }
- if (i == starting_index) {
- break;
- }
+ unsigned i;
+ for (i = 0; i < rsa->num_blindings; i++) {
+ if (rsa->blindings_inuse[i] == 0) {
+ rsa->blindings_inuse[i] = 1;
+ ret = rsa->blindings[i];
+ *index_used = i;
+ break;
}
}
if (ret != NULL) {
- CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+ CRYPTO_MUTEX_unlock(&rsa->lock);
return ret;
}
@@ -256,7 +236,7 @@
/* We didn't find a free BN_BLINDING to use so increase the length of
* the arrays by one and use the newly created element. */
- CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+ CRYPTO_MUTEX_unlock(&rsa->lock);
ret = rsa_setup_blinding(rsa, ctx);
if (ret == NULL) {
return NULL;
@@ -269,7 +249,7 @@
return ret;
}
- CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
+ CRYPTO_MUTEX_lock_write(&rsa->lock);
new_blindings =
OPENSSL_malloc(sizeof(BN_BLINDING *) * (rsa->num_blindings + 1));
@@ -288,24 +268,20 @@
new_blindings_inuse[rsa->num_blindings] = 1;
*index_used = rsa->num_blindings;
- if (rsa->blindings != NULL) {
- OPENSSL_free(rsa->blindings);
- }
+ OPENSSL_free(rsa->blindings);
rsa->blindings = new_blindings;
- if (rsa->blindings_inuse != NULL) {
- OPENSSL_free(rsa->blindings_inuse);
- }
+ OPENSSL_free(rsa->blindings_inuse);
rsa->blindings_inuse = new_blindings_inuse;
rsa->num_blindings++;
- CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+ CRYPTO_MUTEX_unlock(&rsa->lock);
return ret;
err2:
OPENSSL_free(new_blindings);
err1:
- CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+ CRYPTO_MUTEX_unlock(&rsa->lock);
BN_BLINDING_free(ret);
return NULL;
}
@@ -320,9 +296,9 @@
return;
}
- CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
+ CRYPTO_MUTEX_lock_write(&rsa->lock);
rsa->blindings_inuse[blinding_index] = 0;
- CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
+ CRYPTO_MUTEX_unlock(&rsa->lock);
}
/* signing */
@@ -360,8 +336,7 @@
}
if (!RSA_private_transform(rsa, out, buf, rsa_size)) {
- OPENSSL_PUT_ERROR(RSA, sign_raw, ERR_R_INTERNAL_ERROR);
- goto err;
+ goto err;
}
*out_len = rsa_size;
@@ -400,7 +375,6 @@
}
if (!RSA_private_transform(rsa, buf, in, rsa_size)) {
- OPENSSL_PUT_ERROR(RSA, decrypt, ERR_R_INTERNAL_ERROR);
goto err;
}
@@ -497,8 +471,8 @@
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
- ctx)) {
+ if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==
+ NULL) {
goto err;
}
}
@@ -601,8 +575,8 @@
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
- ctx)) {
+ if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n,
+ ctx) == NULL) {
goto err;
}
}
@@ -663,18 +637,20 @@
BN_with_flags(q, rsa->q, BN_FLG_CONSTTIME);
if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx)) {
+ if (BN_MONT_CTX_set_locked(&rsa->_method_mod_p, &rsa->lock, p, ctx) ==
+ NULL) {
goto err;
}
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx)) {
+ if (BN_MONT_CTX_set_locked(&rsa->_method_mod_q, &rsa->lock, q, ctx) ==
+ NULL) {
goto err;
}
}
}
if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) {
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n,
- ctx)) {
+ if (BN_MONT_CTX_set_locked(&rsa->_method_mod_n, &rsa->lock, rsa->n, ctx) ==
+ NULL) {
goto err;
}
}
@@ -814,65 +790,79 @@
bitsq = bits - bitsp;
/* We need the RSA components non-NULL */
- if (!rsa->n && ((rsa->n = BN_new()) == NULL))
+ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) {
goto err;
- if (!rsa->d && ((rsa->d = BN_new()) == NULL))
+ }
+ if (!rsa->d && ((rsa->d = BN_new()) == NULL)) {
goto err;
- if (!rsa->e && ((rsa->e = BN_new()) == NULL))
+ }
+ if (!rsa->e && ((rsa->e = BN_new()) == NULL)) {
goto err;
- if (!rsa->p && ((rsa->p = BN_new()) == NULL))
+ }
+ if (!rsa->p && ((rsa->p = BN_new()) == NULL)) {
goto err;
- if (!rsa->q && ((rsa->q = BN_new()) == NULL))
+ }
+ if (!rsa->q && ((rsa->q = BN_new()) == NULL)) {
goto err;
- if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL))
+ }
+ if (!rsa->dmp1 && ((rsa->dmp1 = BN_new()) == NULL)) {
goto err;
- if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL))
+ }
+ if (!rsa->dmq1 && ((rsa->dmq1 = BN_new()) == NULL)) {
goto err;
- if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL))
+ }
+ if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) {
goto err;
+ }
BN_copy(rsa->e, e_value);
/* generate p and q */
for (;;) {
- if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
+ if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb) ||
+ !BN_sub(r2, rsa->p, BN_value_one()) ||
+ !BN_gcd(r1, r2, rsa->e, ctx)) {
goto err;
- if (!BN_sub(r2, rsa->p, BN_value_one()))
- goto err;
- if (!BN_gcd(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
+ }
+ if (BN_is_one(r1)) {
break;
- if (!BN_GENCB_call(cb, 2, n++))
+ }
+ if (!BN_GENCB_call(cb, 2, n++)) {
goto err;
+ }
}
- if (!BN_GENCB_call(cb, 3, 0))
+ if (!BN_GENCB_call(cb, 3, 0)) {
goto err;
+ }
for (;;) {
/* When generating ridiculously small keys, we can get stuck
* continually regenerating the same prime values. Check for
* this and bail if it happens 3 times. */
unsigned int degenerate = 0;
do {
- if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
+ if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) {
goto err;
+ }
} while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3));
if (degenerate == 3) {
ok = 0; /* we set our own err */
OPENSSL_PUT_ERROR(RSA, keygen, RSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
- if (!BN_sub(r2, rsa->q, BN_value_one()))
+ if (!BN_sub(r2, rsa->q, BN_value_one()) ||
+ !BN_gcd(r1, r2, rsa->e, ctx)) {
goto err;
- if (!BN_gcd(r1, r2, rsa->e, ctx))
- goto err;
- if (BN_is_one(r1))
+ }
+ if (BN_is_one(r1)) {
break;
- if (!BN_GENCB_call(cb, 2, n++))
+ }
+ if (!BN_GENCB_call(cb, 2, n++)) {
goto err;
+ }
}
- if (!BN_GENCB_call(cb, 3, 1))
+ if (!BN_GENCB_call(cb, 3, 1)) {
goto err;
+ }
if (BN_cmp(rsa->p, rsa->q) < 0) {
tmp = rsa->p;
rsa->p = rsa->q;
@@ -880,39 +870,47 @@
}
/* calculate n */
- if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) {
goto err;
+ }
/* calculate d */
- if (!BN_sub(r1, rsa->p, BN_value_one()))
+ if (!BN_sub(r1, rsa->p, BN_value_one())) {
goto err; /* p-1 */
- if (!BN_sub(r2, rsa->q, BN_value_one()))
+ }
+ if (!BN_sub(r2, rsa->q, BN_value_one())) {
goto err; /* q-1 */
- if (!BN_mul(r0, r1, r2, ctx))
+ }
+ if (!BN_mul(r0, r1, r2, ctx)) {
goto err; /* (p-1)(q-1) */
+ }
pr0 = &local_r0;
BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
- if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
+ if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx)) {
goto err; /* d */
+ }
/* set up d for correct BN_FLG_CONSTTIME flag */
d = &local_d;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
/* calculate d mod (p-1) */
- if (!BN_mod(rsa->dmp1, d, r1, ctx))
+ if (!BN_mod(rsa->dmp1, d, r1, ctx)) {
goto err;
+ }
/* calculate d mod (q-1) */
- if (!BN_mod(rsa->dmq1, d, r2, ctx))
+ if (!BN_mod(rsa->dmq1, d, r2, ctx)) {
goto err;
+ }
/* calculate inverse of q mod p */
p = &local_p;
BN_with_flags(p, rsa->p, BN_FLG_CONSTTIME);
- if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx))
+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, p, ctx)) {
goto err;
+ }
ok = 1;
diff --git a/src/crypto/rsa/rsa_test.c b/src/crypto/rsa/rsa_test.c
index 75489e0..318cf3f 100644
--- a/src/crypto/rsa/rsa_test.c
+++ b/src/crypto/rsa/rsa_test.c
@@ -56,9 +56,9 @@
#include <openssl/rsa.h>
+#include <stdlib.h>
#include <string.h>
-#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
@@ -249,13 +249,13 @@
if (!RSA_generate_key_ex(key, 512, &e, NULL)) {
fprintf(stderr, "RSA_generate_key_ex failed.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 0;
}
if (!BN_add(key->p, key->p, BN_value_one())) {
fprintf(stderr, "BN error.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 0;
}
@@ -292,19 +292,21 @@
if (!RSA_check_key(key)) {
fprintf(stderr, "RSA_check_key failed with only d given.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
goto err;
}
- if (!RSA_sign(NID_md5, kDummyHash, sizeof(kDummyHash), buf, &buf_len, key)) {
+ if (!RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, &buf_len,
+ key)) {
fprintf(stderr, "RSA_sign failed with only d given.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
goto err;
}
- if (!RSA_verify(NID_md5, kDummyHash, sizeof(kDummyHash), buf, buf_len, key)) {
+ if (!RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, buf_len,
+ key)) {
fprintf(stderr, "RSA_verify failed with only d given.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
goto err;
}
@@ -331,13 +333,13 @@
key1 = RSA_new();
if (!RSA_generate_key_ex(key1, 512, e, NULL)) {
fprintf(stderr, "RSA_generate_key_ex failed.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 0;
}
if (!RSA_check_key(key1)) {
fprintf(stderr, "RSA_check_key failed with original key.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 0;
}
@@ -349,7 +351,7 @@
if (!RSA_recover_crt_params(key2)) {
fprintf(stderr, "RSA_recover_crt_params failed.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 0;
}
@@ -359,21 +361,21 @@
if (!RSA_check_key(key2)) {
fprintf(stderr, "RSA_check_key failed with recovered key.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 0;
}
- if (!RSA_sign(NID_md5, kDummyHash, sizeof(kDummyHash), buf, &buf_len,
+ if (!RSA_sign(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, &buf_len,
key2)) {
fprintf(stderr, "RSA_sign failed with recovered key.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 0;
}
- if (!RSA_verify(NID_md5, kDummyHash, sizeof(kDummyHash), buf, buf_len,
+ if (!RSA_verify(NID_sha256, kDummyHash, sizeof(kDummyHash), buf, buf_len,
key2)) {
fprintf(stderr, "RSA_verify failed with recovered key.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 0;
}
@@ -478,8 +480,9 @@
int b;
unsigned char saved = ctext[n];
for (b = 0; b < 256; ++b) {
- if (b == saved)
+ if (b == saved) {
continue;
+ }
ctext[n] = b;
num =
RSA_private_decrypt(num, ctext, ptext, key, RSA_PKCS1_OAEP_PADDING);
diff --git a/src/crypto/sha/asm/sha1-586.pl b/src/crypto/sha/asm/sha1-586.pl
index 8377299..4895eb3 100644
--- a/src/crypto/sha/asm/sha1-586.pl
+++ b/src/crypto/sha/asm/sha1-586.pl
@@ -450,7 +450,7 @@
&sub ("esp",32);
&movdqu ($ABCD,&QWP(0,$ctx));
- &movd ($E,&QWP(16,$ctx));
+ &movd ($E,&DWP(16,$ctx));
&and ("esp",-32);
&movdqa ($BSWAP,&QWP(0x50,$tmp1)); # byte-n-word swap
diff --git a/src/crypto/sha/asm/sha1-armv4-large.pl b/src/crypto/sha/asm/sha1-armv4-large.pl
index 1ffa041..a20d336 100644
--- a/src/crypto/sha/asm/sha1-armv4-large.pl
+++ b/src/crypto/sha/asm/sha1-armv4-large.pl
@@ -60,14 +60,28 @@
# is ~2.5x larger and there are some redundant instructions executed
# when processing last block, improvement is not as big for smallest
# blocks, only ~30%. Snapdragon S4 is a tad faster, 6.4 cycles per
-# byte, which is also >80% faster than integer-only code.
+# byte, which is also >80% faster than integer-only code. Cortex-A15
+# is even faster spending 5.6 cycles per byte outperforming integer-
+# only code by factor of 2.
# May 2014.
#
# Add ARMv8 code path performing at 2.35 cpb on Apple A7.
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+ die "can't locate arm-xlate.pl";
+
+ open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+ open STDOUT,">$output";
+}
$ctx="r0";
$inp="r1";
@@ -178,6 +192,9 @@
sub r3,pc,#8 @ sha1_block_data_order
ldr r12,.LOPENSSL_armcap
ldr r12,[r3,r12] @ OPENSSL_armcap_P
+#ifdef __APPLE__
+ ldr r12,[r12]
+#endif
tst r12,#ARMV8_SHA1
bne .LARMv8
tst r12,#ARMV7_NEON
diff --git a/src/crypto/sha/asm/sha1-armv8.pl b/src/crypto/sha/asm/sha1-armv8.pl
index deb1238..a8c08c2 100644
--- a/src/crypto/sha/asm/sha1-armv8.pl
+++ b/src/crypto/sha/asm/sha1-armv8.pl
@@ -14,13 +14,25 @@
#
# hardware-assisted software(*)
# Apple A7 2.31 4.13 (+14%)
-# Cortex-A53 2.19 8.73 (+108%)
+# Cortex-A53 2.24 8.03 (+97%)
# Cortex-A57 2.35 7.88 (+74%)
+# Denver 2.13 3.97 (+0%)(**)
+# X-Gene 8.80 (+200%)
#
# (*) Software results are presented mostly for reference purposes.
+# (**) Keep in mind that Denver relies on binary translation, which
+# optimizes compiler output at run-time.
$flavour = shift;
-open STDOUT,">".shift;
+$output = shift;
+
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
($ctx,$inp,$num)=("x0","x1","x2");
@Xw=map("w$_",(3..17,19));
@@ -154,6 +166,7 @@
.text
+.extern OPENSSL_armcap_P
.globl sha1_block_data_order
.type sha1_block_data_order,%function
.align 6
diff --git a/src/crypto/sha/asm/sha256-armv4.pl b/src/crypto/sha/asm/sha256-armv4.pl
index 398376e..778c3d9 100644
--- a/src/crypto/sha/asm/sha256-armv4.pl
+++ b/src/crypto/sha/asm/sha256-armv4.pl
@@ -5,6 +5,8 @@
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
+#
+# Permission to use under GPL terms is granted.
# ====================================================================
# SHA256 block procedure for ARMv4. May 2007.
@@ -35,8 +37,20 @@
#
# Add ARMv8 code path performing at 2.0 cpb on Apple A7.
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+ die "can't locate arm-xlate.pl";
+
+ open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+ open STDOUT,">$output";
+}
$ctx="r0"; $t0="r0";
$inp="r1"; $t4="r1";
@@ -71,7 +85,9 @@
eor $t0,$e,$e,ror#`$Sigma1[1]-$Sigma1[0]`
add $a,$a,$t2 @ h+=Maj(a,b,c) from the past
eor $t0,$t0,$e,ror#`$Sigma1[2]-$Sigma1[0]` @ Sigma1(e)
+# ifndef __ARMEB__
rev $t1,$t1
+# endif
#else
@ ldrb $t1,[$inp,#3] @ $i
add $a,$a,$t2 @ h+=Maj(a,b,c) from the past
@@ -151,10 +167,25 @@
}
$code=<<___;
-#include "arm_arch.h"
+#ifndef __KERNEL__
+# include "arm_arch.h"
+#else
+# define __ARM_ARCH__ __LINUX_ARM_ARCH__
+# define __ARM_MAX_ARCH__ 7
+#endif
.text
+#if __ARM_ARCH__<7
.code 32
+#else
+.syntax unified
+# if defined(__thumb2__) && !defined(__APPLE__)
+# define adrl adr
+.thumb
+# else
+.code 32
+# endif
+#endif
.type K256,%object
.align 5
@@ -177,25 +208,33 @@
.word 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
.size K256,.-K256
.word 0 @ terminator
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
.LOPENSSL_armcap:
-.word OPENSSL_armcap_P-sha256_block_data_order
+.word OPENSSL_armcap_P-.Lsha256_block_data_order
#endif
.align 5
.global sha256_block_data_order
.type sha256_block_data_order,%function
sha256_block_data_order:
+.Lsha256_block_data_order:
+#if __ARM_ARCH__<7
sub r3,pc,#8 @ sha256_block_data_order
- add $len,$inp,$len,lsl#6 @ len to point at the end of inp
-#if __ARM_MAX_ARCH__>=7
+#else
+ adr r3,sha256_block_data_order
+#endif
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
ldr r12,.LOPENSSL_armcap
ldr r12,[r3,r12] @ OPENSSL_armcap_P
+#ifdef __APPLE__
+ ldr r12,[r12]
+#endif
tst r12,#ARMV8_SHA256
bne .LARMv8
tst r12,#ARMV7_NEON
bne .LNEON
#endif
+ add $len,$inp,$len,lsl#6 @ len to point at the end of inp
stmdb sp!,{$ctx,$inp,$len,r4-r11,lr}
ldmia $ctx,{$A,$B,$C,$D,$E,$F,$G,$H}
sub $Ktbl,r3,#256+32 @ K256
@@ -213,6 +252,9 @@
$code.=".Lrounds_16_xx:\n";
for (;$i<32;$i++) { &BODY_16_XX($i,@V); unshift(@V,pop(@V)); }
$code.=<<___;
+#if __ARM_ARCH__>=7
+ ite eq @ Thumb2 thing, sanity check in ARM
+#endif
ldreq $t3,[sp,#16*4] @ pull ctx
bne .Lrounds_16_xx
@@ -429,16 +471,19 @@
.arch armv7-a
.fpu neon
+.global sha256_block_data_order_neon
.type sha256_block_data_order_neon,%function
.align 4
sha256_block_data_order_neon:
.LNEON:
stmdb sp!,{r4-r12,lr}
+ sub $H,sp,#16*4+16
+ adr $Ktbl,K256
+ bic $H,$H,#15 @ align for 128-bit stores
mov $t2,sp
- sub sp,sp,#16*4+16 @ alloca
- sub $Ktbl,r3,#256+32 @ K256
- bic sp,sp,#15 @ align for 128-bit stores
+ mov sp,$H @ alloca
+ add $len,$inp,$len,lsl#6 @ len to point at the end of inp
vld1.8 {@X[0]},[$inp]!
vld1.8 {@X[1]},[$inp]!
@@ -490,11 +535,13 @@
ldr $t0,[sp,#72]
sub $Ktbl,$Ktbl,#256 @ rewind $Ktbl
teq $inp,$t0
+ it eq
subeq $inp,$inp,#64 @ avoid SEGV
vld1.8 {@X[0]},[$inp]! @ load next input block
vld1.8 {@X[1]},[$inp]!
vld1.8 {@X[2]},[$inp]!
vld1.8 {@X[3]},[$inp]!
+ it ne
strne $inp,[sp,#68]
mov $Xfer,sp
___
@@ -526,10 +573,12 @@
str $D,[$t1],#4
stmia $t1,{$E-$H}
+ ittte ne
movne $Xfer,sp
ldrne $t1,[sp,#0]
eorne $t2,$t2,$t2
ldreq sp,[sp,#76] @ restore original sp
+ itt ne
eorne $t3,$B,$C
bne .L_00_48
@@ -548,13 +597,28 @@
my $Ktbl="r3";
$code.=<<___;
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
+
+# if defined(__thumb2__) && !defined(__APPLE__)
+# define INST(a,b,c,d) .byte c,d|0xc,a,b
+# else
+# define INST(a,b,c,d) .byte a,b,c,d
+# endif
+
.type sha256_block_data_order_armv8,%function
.align 5
sha256_block_data_order_armv8:
.LARMv8:
vld1.32 {$ABCD,$EFGH},[$ctx]
- sub $Ktbl,r3,#sha256_block_data_order-K256
+# ifdef __APPLE__
+ sub $Ktbl,$Ktbl,#256+32
+# elif defined(__thumb2__)
+ adr $Ktbl,.LARMv8
+ sub $Ktbl,$Ktbl,#.LARMv8-K256
+# else
+ adrl $Ktbl,K256
+# endif
+ add $len,$inp,$len,lsl#6 @ len to point at the end of inp
.Loop_v8:
vld1.8 {@MSG[0]-@MSG[1]},[$inp]!
@@ -607,6 +671,7 @@
vadd.i32 $ABCD,$ABCD,$ABCD_SAVE
vadd.i32 $EFGH,$EFGH,$EFGH_SAVE
+ it ne
bne .Loop_v8
vst1.32 {$ABCD,$EFGH},[$ctx]
@@ -619,12 +684,20 @@
$code.=<<___;
.asciz "SHA256 block transform for ARMv4/NEON/ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
.align 2
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
.comm OPENSSL_armcap_P,4,4
.hidden OPENSSL_armcap_P
#endif
___
+open SELF,$0;
+while(<SELF>) {
+ next if (/^#!/);
+ last if (!s/^#/@/ and !/^$/);
+ print;
+}
+close SELF;
+
{ my %opcode = (
"sha256h" => 0xf3000c40, "sha256h2" => 0xf3100c40,
"sha256su0" => 0xf3ba03c0, "sha256su1" => 0xf3200c40 );
@@ -639,7 +712,7 @@
# since ARMv7 instructions are always encoded little-endian.
# correct solution is to use .inst directive, but older
# assemblers don't implement it:-(
- sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
+ sprintf "INST(0x%02x,0x%02x,0x%02x,0x%02x)\t@ %s %s",
$word&0xff,($word>>8)&0xff,
($word>>16)&0xff,($word>>24)&0xff,
$mnemonic,$arg;
diff --git a/src/crypto/sha/asm/sha512-armv4.pl b/src/crypto/sha/asm/sha512-armv4.pl
index bfe28c4..2964a39 100644
--- a/src/crypto/sha/asm/sha512-armv4.pl
+++ b/src/crypto/sha/asm/sha512-armv4.pl
@@ -5,6 +5,8 @@
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
+#
+# Permission to use under GPL terms is granted.
# ====================================================================
# SHA512 block procedure for ARMv4. September 2007.
@@ -34,16 +36,9 @@
# terms it's 22.6 cycles per byte, which is disappointing result.
# Technical writers asserted that 3-way S4 pipeline can sustain
# multiple NEON instructions per cycle, but dual NEON issue could
-# not be observed, and for NEON-only sequences IPC(*) was found to
-# be limited by 1:-( 0.33 and 0.66 were measured for sequences with
-# ILPs(*) of 1 and 2 respectively. This in turn means that you can
-# even find yourself striving, as I did here, for achieving IPC
-# adequate to one delivered by Cortex A8 [for reference, it's
-# 0.5 for ILP of 1, and 1 for higher ILPs].
-#
-# (*) ILP, instruction-level parallelism, how many instructions
-# *can* execute at the same time. IPC, instructions per cycle,
-# indicates how many instructions actually execute.
+# not be observed, see http://www.openssl.org/~appro/Snapdragon-S4.html
+# for further details. On side note Cortex-A15 processes one byte in
+# 16 cycles.
# Byte order [in]dependence. =========================================
#
@@ -55,8 +50,20 @@
$lo="LO";
# ====================================================================
-while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
-open STDOUT,">$output";
+$flavour = shift;
+if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; }
+else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} }
+
+if ($flavour && $flavour ne "void") {
+ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+ ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+ ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+ die "can't locate arm-xlate.pl";
+
+ open STDOUT,"| \"$^X\" $xlate $flavour $output";
+} else {
+ open STDOUT,">$output";
+}
$ctx="r0"; # parameter block
$inp="r1";
@@ -143,6 +150,9 @@
teq $t0,#$magic
ldr $t3,[sp,#$Coff+0] @ c.lo
+#if __ARM_ARCH__>=7
+ it eq @ Thumb2 thing, sanity check in ARM
+#endif
orreq $Ktbl,$Ktbl,#1
@ Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))
@ LO lo>>28^hi<<4 ^ hi>>2^lo<<30 ^ hi>>7^lo<<25
@@ -180,7 +190,17 @@
___
}
$code=<<___;
-#include "arm_arch.h"
+#ifndef __KERNEL__
+# include "arm_arch.h"
+# define VFP_ABI_PUSH vstmdb sp!,{d8-d15}
+# define VFP_ABI_POP vldmia sp!,{d8-d15}
+#else
+# define __ARM_ARCH__ __LINUX_ARM_ARCH__
+# define __ARM_MAX_ARCH__ 7
+# define VFP_ABI_PUSH
+# define VFP_ABI_POP
+#endif
+
#ifdef __ARMEL__
# define LO 0
# define HI 4
@@ -192,7 +212,18 @@
#endif
.text
+#if __ARM_ARCH__<7 || defined(__APPLE__)
.code 32
+#else
+.syntax unified
+# ifdef __thumb2__
+# define adrl adr
+.thumb
+# else
+.code 32
+# endif
+#endif
+
.type K512,%object
.align 5
K512:
@@ -237,9 +268,9 @@
WORD64(0x4cc5d4be,0xcb3e42b6, 0x597f299c,0xfc657e2a)
WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817)
.size K512,.-K512
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
.LOPENSSL_armcap:
-.word OPENSSL_armcap_P-sha512_block_data_order
+.word OPENSSL_armcap_P-.Lsha512_block_data_order
.skip 32-4
#else
.skip 32
@@ -248,14 +279,22 @@
.global sha512_block_data_order
.type sha512_block_data_order,%function
sha512_block_data_order:
+.Lsha512_block_data_order:
+#if __ARM_ARCH__<7
sub r3,pc,#8 @ sha512_block_data_order
- add $len,$inp,$len,lsl#7 @ len to point at the end of inp
-#if __ARM_MAX_ARCH__>=7
+#else
+ adr r3,sha512_block_data_order
+#endif
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
ldr r12,.LOPENSSL_armcap
ldr r12,[r3,r12] @ OPENSSL_armcap_P
+#ifdef __APPLE__
+ ldr r12,[r12]
+#endif
tst r12,#1
bne .LNEON
#endif
+ add $len,$inp,$len,lsl#7 @ len to point at the end of inp
stmdb sp!,{r4-r12,lr}
sub $Ktbl,r3,#672 @ K512
sub sp,sp,#9*8
@@ -369,6 +408,9 @@
___
&BODY_00_15(0x17);
$code.=<<___;
+#if __ARM_ARCH__>=7
+ ittt eq @ Thumb2 thing, sanity check in ARM
+#endif
ldreq $t0,[sp,#`$Xoff+8*(16-1)`+0]
ldreq $t1,[sp,#`$Xoff+8*(16-1)`+4]
beq .L16_79
@@ -453,6 +495,7 @@
moveq pc,lr @ be binary compatible with V4, yet
bx lr @ interoperable with Thumb ISA:-)
#endif
+.size sha512_block_data_order,.-sha512_block_data_order
___
{
@@ -559,11 +602,15 @@
.arch armv7-a
.fpu neon
+.global sha512_block_data_order_neon
+.type sha512_block_data_order_neon,%function
.align 4
+sha512_block_data_order_neon:
.LNEON:
dmb @ errata #451034 on early Cortex A8
- vstmdb sp!,{d8-d15} @ ABI specification says so
- sub $Ktbl,r3,#672 @ K512
+ add $len,$inp,$len,lsl#7 @ len to point at the end of inp
+ adr $Ktbl,K512
+ VFP_ABI_PUSH
vldmia $ctx,{$A-$H} @ load context
.Loop_neon:
___
@@ -588,16 +635,16 @@
sub $Ktbl,#640 @ rewind K512
bne .Loop_neon
- vldmia sp!,{d8-d15} @ epilogue
+ VFP_ABI_POP
ret @ bx lr
+.size sha512_block_data_order_neon,.-sha512_block_data_order_neon
#endif
___
}
$code.=<<___;
-.size sha512_block_data_order,.-sha512_block_data_order
.asciz "SHA512 block transform for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
.align 2
-#if __ARM_MAX_ARCH__>=7
+#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)
.comm OPENSSL_armcap_P,4,4
.hidden OPENSSL_armcap_P
#endif
@@ -606,5 +653,14 @@
$code =~ s/\`([^\`]*)\`/eval $1/gem;
$code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm; # make it possible to compile with -march=armv4
$code =~ s/\bret\b/bx lr/gm;
+
+open SELF,$0;
+while(<SELF>) {
+ next if (/^#!/);
+ last if (!s/^#/@/ and !/^$/);
+ print;
+}
+close SELF;
+
print $code;
close STDOUT; # enforce flush
diff --git a/src/crypto/sha/asm/sha512-armv8.pl b/src/crypto/sha/asm/sha512-armv8.pl
index 5a9c812..43e7293 100644
--- a/src/crypto/sha/asm/sha512-armv8.pl
+++ b/src/crypto/sha/asm/sha512-armv8.pl
@@ -14,8 +14,10 @@
#
# SHA256-hw SHA256(*) SHA512
# Apple A7 1.97 10.5 (+33%) 6.73 (-1%(**))
-# Cortex-A53 2.38 15.6 (+110%) 10.1 (+190%(***))
+# Cortex-A53 2.38 15.5 (+115%) 10.0 (+150%(***))
# Cortex-A57 2.31 11.6 (+86%) 7.51 (+260%(***))
+# Denver 2.01 10.5 (+26%) 6.70 (+8%)
+# X-Gene 20.0 (+100%) 12.8 (+300%(***))
#
# (*) Software SHA256 results are of lesser relevance, presented
# mostly for informational purposes.
@@ -25,12 +27,24 @@
# (***) Super-impressive coefficients over gcc-generated code are
# indication of some compiler "pathology", most notably code
# generated with -mgeneral-regs-only is significanty faster
-# and lags behind assembly only by 50-90%.
+# and the gap is only 40-90%.
$flavour=shift;
+# Unlike most perlasm files, sha512-armv8.pl takes an additional argument to
+# determine which hash function to emit. This differs from upstream OpenSSL so
+# that the script may continue to output to stdout.
+$variant=shift;
$output=shift;
-if ($output =~ /512/) {
+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
+( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
+die "can't locate arm-xlate.pl";
+
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
+
+if ($variant eq "sha512") {
$BITS=512;
$SZ=8;
@Sigma0=(28,34,39);
@@ -39,7 +53,7 @@
@sigma1=(19,61, 6);
$rounds=80;
$reg_t="x";
-} else {
+} elsif ($variant eq "sha256") {
$BITS=256;
$SZ=4;
@Sigma0=( 2,13,22);
@@ -48,6 +62,8 @@
@sigma1=(17,19,10);
$rounds=64;
$reg_t="w";
+} else {
+ die "Unknown variant: $variant";
}
$func="sha${BITS}_block_data_order";
@@ -152,6 +168,7 @@
.text
+.extern OPENSSL_armcap_P
.globl $func
.type $func,%function
.align 6
@@ -181,7 +198,7 @@
ldp $E,$F,[$ctx,#4*$SZ]
add $num,$inp,$num,lsl#`log(16*$SZ)/log(2)` // end of input
ldp $G,$H,[$ctx,#6*$SZ]
- adr $Ktbl,K$BITS
+ adr $Ktbl,.LK$BITS
stp $ctx,$num,[x29,#96]
.Loop:
@@ -231,8 +248,8 @@
.size $func,.-$func
.align 6
-.type K$BITS,%object
-K$BITS:
+.type .LK$BITS,%object
+.LK$BITS:
___
$code.=<<___ if ($SZ==8);
.quad 0x428a2f98d728ae22,0x7137449123ef65cd
@@ -297,7 +314,7 @@
.long 0 //terminator
___
$code.=<<___;
-.size K$BITS,.-K$BITS
+.size .LK$BITS,.-.LK$BITS
.align 3
.LOPENSSL_armcap_P:
.quad OPENSSL_armcap_P-.
@@ -322,7 +339,7 @@
add x29,sp,#0
ld1.32 {$ABCD,$EFGH},[$ctx]
- adr $Ktbl,K256
+ adr $Ktbl,.LK256
.Loop_hw:
ld1 {@MSG[0]-@MSG[3]},[$inp],#64
diff --git a/src/crypto/sha/sha1.c b/src/crypto/sha/sha1.c
index 7595bc8..60d09f6 100644
--- a/src/crypto/sha/sha1.c
+++ b/src/crypto/sha/sha1.c
@@ -367,8 +367,9 @@
c->h3 = (c->h3 + B) & 0xffffffffL;
c->h4 = (c->h4 + C) & 0xffffffffL;
- if (--num == 0)
+ if (--num == 0) {
break;
+ }
A = c->h0;
B = c->h1;
diff --git a/src/crypto/sha/sha512.c b/src/crypto/sha/sha512.c
index 59be8c1..2acefb1 100644
--- a/src/crypto/sha/sha512.c
+++ b/src/crypto/sha/sha512.c
@@ -189,8 +189,9 @@
uint8_t *p = c->u.p;
const uint8_t *data = (const uint8_t *)in_data;
- if (len == 0)
+ if (len == 0) {
return 1;
+ }
l = (c->Nl + (((uint64_t)len) << 3)) & OPENSSL_U64(0xffffffffffffffff);
if (l < c->Nl) {
@@ -218,14 +219,21 @@
if (len >= sizeof(c->u)) {
#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
- if ((size_t)data % sizeof(c->u.d[0]) != 0)
- while (len >= sizeof(c->u))
- memcpy(p, data, sizeof(c->u)), sha512_block_data_order(c, p, 1),
- len -= sizeof(c->u), data += sizeof(c->u);
- else
+ if ((size_t)data % sizeof(c->u.d[0]) != 0) {
+ while (len >= sizeof(c->u)) {
+ memcpy(p, data, sizeof(c->u));
+ sha512_block_data_order(c, p, 1);
+ len -= sizeof(c->u);
+ data += sizeof(c->u);
+ }
+ } else
#endif
- sha512_block_data_order(c, data, len / sizeof(c->u)), data += len,
- len %= sizeof(c->u), data -= len;
+ {
+ sha512_block_data_order(c, data, len / sizeof(c->u));
+ data += len;
+ len %= sizeof(c->u);
+ data -= len;
+ }
}
if (len != 0) {
diff --git a/src/crypto/stack/make_macros.sh b/src/crypto/stack/make_macros.sh
index f72aa33..4837e44 100644
--- a/src/crypto/stack/make_macros.sh
+++ b/src/crypto/stack/make_macros.sh
@@ -86,6 +86,9 @@
#define sk_${type}_set_cmp_func(sk, comp)\\
((int (*) (const ${type} **a, const ${type} **b)) sk_set_cmp_func(CHECKED_CAST(_STACK*, STACK_OF(${type})*, sk), CHECKED_CAST(stack_cmp_func, int (*) (const ${type} **a, const ${type} **b), comp)))
+#define sk_${type}_deep_copy(sk, copy_func, free_func)\\
+((STACK_OF(${type})*) sk_deep_copy(CHECKED_CAST(const _STACK*, const STACK_OF(${type})*, sk), CHECKED_CAST(void* (*) (void*), ${ptrtype} (*) (${ptrtype}), copy_func), CHECKED_CAST(void (*) (void*), void (*) (${ptrtype}), free_func)))
+
EOF
}
diff --git a/src/crypto/stack/stack.c b/src/crypto/stack/stack.c
index 0b336ba..c584515 100644
--- a/src/crypto/stack/stack.c
+++ b/src/crypto/stack/stack.c
@@ -86,9 +86,7 @@
return ret;
err:
- if (ret) {
- OPENSSL_free(ret);
- }
+ OPENSSL_free(ret);
return NULL;
}
@@ -232,7 +230,7 @@
int (*comp_func)(const void *,const void *);
if (sk == NULL) {
- return -1;
+ return 0;
}
if (sk->comp == NULL) {
@@ -324,9 +322,7 @@
return ret;
err:
- if (ret) {
- sk_free(ret);
- }
+ sk_free(ret);
return NULL;
}
@@ -360,3 +356,31 @@
return old;
}
+
+_STACK *sk_deep_copy(const _STACK *sk, void *(*copy_func)(void *),
+ void (*free_func)(void *)) {
+ _STACK *ret = sk_dup(sk);
+ if (ret == NULL) {
+ return NULL;
+ }
+
+ size_t i;
+ for (i = 0; i < ret->num; i++) {
+ if (ret->data[i] == NULL) {
+ continue;
+ }
+ ret->data[i] = copy_func(ret->data[i]);
+ if (ret->data[i] == NULL) {
+ size_t j;
+ for (j = 0; j < i; j++) {
+ if (ret->data[j] != NULL) {
+ free_func(ret->data[j]);
+ }
+ }
+ sk_free(ret);
+ return NULL;
+ }
+ }
+
+ return ret;
+}
diff --git a/src/crypto/test/CMakeLists.txt b/src/crypto/test/CMakeLists.txt
new file mode 100644
index 0000000..0d5ca81
--- /dev/null
+++ b/src/crypto/test/CMakeLists.txt
@@ -0,0 +1,7 @@
+add_library(
+ test_support
+
+ OBJECT
+
+ file_test.cc
+)
diff --git a/src/crypto/test/file_test.cc b/src/crypto/test/file_test.cc
new file mode 100644
index 0000000..12405f2
--- /dev/null
+++ b/src/crypto/test/file_test.cc
@@ -0,0 +1,326 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "file_test.h"
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+
+#include <openssl/err.h>
+
+#include "stl_compat.h"
+
+
+FileTest::FileTest(const char *path) {
+ file_ = fopen(path, "r");
+ if (file_ == nullptr) {
+ fprintf(stderr, "Could not open file %s: %s.\n", path, strerror(errno));
+ }
+}
+
+FileTest::~FileTest() {
+ if (file_ != nullptr) {
+ fclose(file_);
+ }
+}
+
+// FindDelimiter returns a pointer to the first '=' or ':' in |str| or nullptr
+// if there is none.
+static const char *FindDelimiter(const char *str) {
+ while (*str) {
+ if (*str == ':' || *str == '=') {
+ return str;
+ }
+ str++;
+ }
+ return nullptr;
+}
+
+// StripSpace returns a string containing up to |len| characters from |str| with
+// leading and trailing whitespace removed.
+static std::string StripSpace(const char *str, size_t len) {
+ // Remove leading space.
+ while (len > 0 && isspace(*str)) {
+ str++;
+ len--;
+ }
+ while (len > 0 && isspace(str[len-1])) {
+ len--;
+ }
+ return std::string(str, len);
+}
+
+FileTest::ReadResult FileTest::ReadNext() {
+ // If the previous test had unused attributes or block, it is an error.
+ if (!unused_attributes_.empty()) {
+ for (const std::string &key : unused_attributes_) {
+ PrintLine("Unused attribute: %s", key.c_str());
+ }
+ return kReadError;
+ }
+ if (!block_.empty() && !used_block_) {
+ PrintLine("Unused block");
+ return kReadError;
+ }
+
+ ClearTest();
+
+ bool in_block = false;
+ while (true) {
+ // Read the next line.
+ char buf[4096];
+ if (fgets(buf, sizeof(buf), file_) == nullptr) {
+ if (feof(file_)) {
+ if (in_block) {
+ fprintf(stderr, "Unterminated block.\n");
+ return kReadError;
+ }
+ // EOF is a valid terminator for a test.
+ return start_line_ > 0 ? kReadSuccess : kReadEOF;
+ }
+ fprintf(stderr, "Error reading from input.\n");
+ return kReadError;
+ }
+
+ line_++;
+ size_t len = strlen(buf);
+ // Check for truncation.
+ if (len > 0 && buf[len - 1] != '\n' && !feof(file_)) {
+ fprintf(stderr, "Line %u too long.\n", line_);
+ return kReadError;
+ }
+
+ bool is_delimiter = strncmp(buf, "---", 3) == 0;
+ if (in_block) {
+ block_ += buf;
+ if (is_delimiter) {
+ // Ending the block completes the test.
+ return kReadSuccess;
+ }
+ } else if (is_delimiter) {
+ if (start_line_ == 0) {
+ fprintf(stderr, "Line %u: Unexpected block.\n", line_);
+ return kReadError;
+ }
+ in_block = true;
+ block_ += buf;
+ } else if (buf[0] == '\n' || buf[0] == '\0') {
+ // Empty lines delimit tests.
+ if (start_line_ > 0) {
+ return kReadSuccess;
+ }
+ } else if (buf[0] != '#') { // Comment lines are ignored.
+ // Parse the line as an attribute.
+ const char *delimiter = FindDelimiter(buf);
+ if (delimiter == nullptr) {
+ fprintf(stderr, "Line %u: Could not parse attribute.\n", line_);
+ }
+ std::string key = StripSpace(buf, delimiter - buf);
+ std::string value = StripSpace(delimiter + 1,
+ buf + len - delimiter - 1);
+
+ unused_attributes_.insert(key);
+ attributes_[key] = value;
+ if (start_line_ == 0) {
+ // This is the start of a test.
+ type_ = key;
+ parameter_ = value;
+ start_line_ = line_;
+ }
+ }
+ }
+}
+
+void FileTest::PrintLine(const char *format, ...) {
+ va_list args;
+ va_start(args, format);
+
+ fprintf(stderr, "Line %u: ", start_line_);
+ vfprintf(stderr, format, args);
+ fprintf(stderr, "\n");
+
+ va_end(args);
+}
+
+const std::string &FileTest::GetType() {
+ OnKeyUsed(type_);
+ return type_;
+}
+
+const std::string &FileTest::GetParameter() {
+ OnKeyUsed(type_);
+ return parameter_;
+}
+
+const std::string &FileTest::GetBlock() {
+ used_block_ = true;
+ return block_;
+}
+
+bool FileTest::HasAttribute(const std::string &key) {
+ OnKeyUsed(key);
+ return attributes_.count(key) > 0;
+}
+
+bool FileTest::GetAttribute(std::string *out_value, const std::string &key) {
+ OnKeyUsed(key);
+ auto iter = attributes_.find(key);
+ if (iter == attributes_.end()) {
+ PrintLine("Missing attribute '%s'.", key.c_str());
+ return false;
+ }
+ *out_value = iter->second;
+ return true;
+}
+
+const std::string &FileTest::GetAttributeOrDie(const std::string &key) {
+ if (!HasAttribute(key)) {
+ abort();
+ }
+ return attributes_[key];
+}
+
+static bool FromHexDigit(uint8_t *out, char c) {
+ if ('0' <= c && c <= '9') {
+ *out = c - '0';
+ return true;
+ }
+ if ('a' <= c && c <= 'f') {
+ *out = c - 'a' + 10;
+ return true;
+ }
+ if ('A' <= c && c <= 'F') {
+ *out = c - 'A' + 10;
+ return true;
+ }
+ return false;
+}
+
+bool FileTest::GetBytes(std::vector<uint8_t> *out, const std::string &key) {
+ std::string value;
+ if (!GetAttribute(&value, key)) {
+ return false;
+ }
+
+ if (value.size() >= 2 && value[0] == '"' && value[value.size() - 1] == '"') {
+ out->assign(value.begin() + 1, value.end() - 1);
+ return true;
+ }
+
+ if (value.size() % 2 != 0) {
+ PrintLine("Error decoding value: %s", value.c_str());
+ return false;
+ }
+ out->reserve(value.size() / 2);
+ for (size_t i = 0; i < value.size(); i += 2) {
+ uint8_t hi, lo;
+ if (!FromHexDigit(&hi, value[i]) || !FromHexDigit(&lo, value[i+1])) {
+ PrintLine("Error decoding value: %s", value.c_str());
+ return false;
+ }
+ out->push_back((hi << 4) | lo);
+ }
+ return true;
+}
+
+static std::string EncodeHex(const uint8_t *in, size_t in_len) {
+ static const char kHexDigits[] = "0123456789abcdef";
+ std::string ret;
+ ret.reserve(in_len * 2);
+ for (size_t i = 0; i < in_len; i++) {
+ ret += kHexDigits[in[i] >> 4];
+ ret += kHexDigits[in[i] & 0xf];
+ }
+ return ret;
+}
+
+bool FileTest::ExpectBytesEqual(const uint8_t *expected, size_t expected_len,
+ const uint8_t *actual, size_t actual_len) {
+ if (expected_len == actual_len &&
+ memcmp(expected, actual, expected_len) == 0) {
+ return true;
+ }
+
+ std::string expected_hex = EncodeHex(expected, expected_len);
+ std::string actual_hex = EncodeHex(actual, actual_len);
+ PrintLine("Expected: %s", expected_hex.c_str());
+ PrintLine("Actual: %s", actual_hex.c_str());
+ return false;
+}
+
+void FileTest::ClearTest() {
+ start_line_ = 0;
+ type_.clear();
+ parameter_.clear();
+ attributes_.clear();
+ block_.clear();
+ unused_attributes_.clear();
+ used_block_ = false;
+}
+
+void FileTest::OnKeyUsed(const std::string &key) {
+ unused_attributes_.erase(key);
+}
+
+int FileTestMain(bool (*run_test)(FileTest *t, void *arg), void *arg,
+ const char *path) {
+ FileTest t(path);
+ if (!t.is_open()) {
+ return 1;
+ }
+
+ bool failed = false;
+ while (true) {
+ FileTest::ReadResult ret = t.ReadNext();
+ if (ret == FileTest::kReadError) {
+ return 1;
+ } else if (ret == FileTest::kReadEOF) {
+ break;
+ }
+
+ bool result = run_test(&t, arg);
+ if (t.HasAttribute("Error")) {
+ if (result) {
+ t.PrintLine("Operation unexpectedly succeeded.");
+ failed = true;
+ continue;
+ }
+ uint32_t err = ERR_peek_error();
+ if (ERR_reason_error_string(err) != t.GetAttributeOrDie("Error")) {
+ t.PrintLine("Unexpected error; wanted '%s', got '%s'.",
+ t.GetAttributeOrDie("Error").c_str(),
+ ERR_reason_error_string(err));
+ failed = true;
+ continue;
+ }
+ ERR_clear_error();
+ } else if (!result) {
+ // In case the test itself doesn't print output, print something so the
+ // line number is reported.
+ t.PrintLine("Test failed");
+ ERR_print_errors_fp(stderr);
+ failed = true;
+ continue;
+ }
+ }
+
+ if (failed) {
+ return 1;
+ }
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/src/crypto/test/file_test.h b/src/crypto/test/file_test.h
new file mode 100644
index 0000000..7303d8a
--- /dev/null
+++ b/src/crypto/test/file_test.h
@@ -0,0 +1,166 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_TEST_FILE_TEST_H
+#define OPENSSL_HEADER_CRYPTO_TEST_FILE_TEST_H
+
+#include <stdint.h>
+#include <stdio.h>
+
+#include <string>
+#include <map>
+#include <set>
+#include <vector>
+
+
+// File-based test framework.
+//
+// This module provides a file-based test framework. The file format is based on
+// that of OpenSSL upstream's evp_test and BoringSSL's aead_test. Each input
+// file is a sequence of attributes, blocks, and blank lines.
+//
+// Each attribute has the form:
+//
+// Name = Value
+//
+// Either '=' or ':' may be used to delimit the name from the value. Both the
+// name and value have leading and trailing spaces stripped.
+//
+// Blocks are delimited by lines beginning with three hyphens, "---". One such
+// line begins a block and another ends it. Blocks are intended as a convenient
+// way to embed PEM data and include their delimiters.
+//
+// Outside a block, lines beginning with # are ignored.
+//
+// A test is a sequence of one or more attributes followed by a block or blank
+// line. Blank lines are otherwise ignored. For tests that process multiple
+// kinds of test cases, the first attribute is parsed out as the test's type and
+// parameter. Otherwise, attributes are unordered. The first attribute is also
+// included in the set of attributes, so tests which do not dispatch may ignore
+// this mechanism.
+//
+// Functions in this module freely output to |stderr| on failure. Tests should
+// also do so, and it is recommended they include the corresponding test's line
+// number in any output. |PrintLine| does this automatically.
+//
+// Each attribute in a test must be consumed. When a test completes, if any
+// attributes haven't been processed, the framework reports an error.
+
+
+class FileTest {
+ public:
+ explicit FileTest(const char *path);
+ ~FileTest();
+
+ // is_open returns true if the file was successfully opened.
+ bool is_open() const { return file_ != nullptr; }
+
+ enum ReadResult {
+ kReadSuccess,
+ kReadEOF,
+ kReadError,
+ };
+
+ // ReadNext reads the next test from the file. It returns |kReadSuccess| if
+ // successfully reading a test and |kReadEOF| at the end of the file. On
+ // error or if the previous test had unconsumed attributes, it returns
+ // |kReadError|.
+ ReadResult ReadNext();
+
+ // PrintLine is a variant of printf which prepends the line number and appends
+ // a trailing newline.
+ void PrintLine(const char *format, ...)
+#ifdef __GNUC__
+ __attribute__((__format__(__printf__, 2, 3)))
+#endif
+ ;
+
+ unsigned start_line() const { return start_line_; }
+
+ // GetType returns the name of the first attribute of the current test.
+ const std::string &GetType();
+ // GetParameter returns the value of the first attribute of the current test.
+ const std::string &GetParameter();
+ // GetBlock returns the optional block of the current test, or the empty
+ // if there was no block.
+ const std::string &GetBlock();
+
+ // HasAttribute returns true if the current test has an attribute named |key|.
+ bool HasAttribute(const std::string &key);
+
+ // GetAttribute looks up the attribute with key |key|. It sets |*out_value| to
+ // the value and returns true if it exists and returns false with an error to
+ // |stderr| otherwise.
+ bool GetAttribute(std::string *out_value, const std::string &key);
+
+ // GetAttributeOrDie looks up the attribute with key |key| and aborts if it is
+ // missing. It only be used after a |HasAttribute| call.
+ const std::string &GetAttributeOrDie(const std::string &key);
+
+ // GetBytes looks up the attribute with key |key| and decodes it as a byte
+ // string. On success, it writes the result to |*out| and returns
+ // true. Otherwise it returns false with an error to |stderr|. The value may
+ // be either a hexadecimal string or a quoted ASCII string. It returns true on
+ // success and returns false with an error to |stderr| on failure.
+ bool GetBytes(std::vector<uint8_t> *out, const std::string &key);
+
+ // ExpectBytesEqual returns true if |expected| and |actual| are equal.
+ // Otherwise, it returns false and prints a message to |stderr|.
+ bool ExpectBytesEqual(const uint8_t *expected, size_t expected_len,
+ const uint8_t *actual, size_t actual_len);
+
+ private:
+ void ClearTest();
+ void OnKeyUsed(const std::string &key);
+
+ FILE *file_ = nullptr;
+ // line_ is the number of lines read.
+ unsigned line_ = 0;
+
+ // start_line_ is the line number of the first attribute of the test.
+ unsigned start_line_ = 0;
+ // type_ is the name of the first attribute of the test.
+ std::string type_;
+ // parameter_ is the value of the first attribute.
+ std::string parameter_;
+ // attributes_ contains all attributes in the test, including the first.
+ std::map<std::string, std::string> attributes_;
+ // block_, if non-empty, is the test's optional trailing block.
+ std::string block_;
+
+ // unused_attributes_ is the set of attributes that have been queried.
+ std::set<std::string> unused_attributes_;
+ // used_block_ is true if the block has been queried.
+ bool used_block_ = false;
+
+ FileTest(const FileTest&) = delete;
+ FileTest &operator=(const FileTest&) = delete;
+};
+
+// FileTestMain runs a file-based test out of |path| and returns an exit code
+// suitable to return out of |main|. |run_test| should return true on pass and
+// false on failure. FileTestMain also implements common handling of the 'Error'
+// attribute. A test with that attribute is expected to fail. The value of the
+// attribute is the reason string of the expected OpenSSL error code.
+//
+// Tests are guaranteed to run serially and may affect global state if need be.
+// It is legal to use "tests" which, for example, import a private key into a
+// list of keys. This may be used to initialize a shared set of keys for many
+// tests. However, if one test fails, the framework will continue to run
+// subsequent tests.
+int FileTestMain(bool (*run_test)(FileTest *t, void *arg), void *arg,
+ const char *path);
+
+
+#endif /* OPENSSL_HEADER_CRYPTO_TEST_FILE_TEST_H */
diff --git a/src/crypto/test/scoped_types.h b/src/crypto/test/scoped_types.h
new file mode 100644
index 0000000..eb04c18
--- /dev/null
+++ b/src/crypto/test/scoped_types.h
@@ -0,0 +1,120 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_TEST_SCOPED_TYPES_H
+#define OPENSSL_HEADER_CRYPTO_TEST_SCOPED_TYPES_H
+
+#include <stdint.h>
+
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/cmac.h>
+#include <openssl/dh.h>
+#include <openssl/ec.h>
+#include <openssl/ec_key.h>
+#include <openssl/ecdsa.h>
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+#include <openssl/mem.h>
+#include <openssl/pkcs8.h>
+#include <openssl/rsa.h>
+#include <openssl/stack.h>
+#include <openssl/x509.h>
+
+#include "stl_compat.h"
+
+
+template<typename T, void (*func)(T*)>
+struct OpenSSLDeleter {
+ void operator()(T *obj) {
+ func(obj);
+ }
+};
+
+template<typename StackType, typename T, void (*func)(T*)>
+struct OpenSSLStackDeleter {
+ void operator()(StackType *obj) {
+ sk_pop_free(reinterpret_cast<_STACK*>(obj),
+ reinterpret_cast<void (*)(void *)>(func));
+ }
+};
+
+template<typename T>
+struct OpenSSLFree {
+ void operator()(T *buf) {
+ OPENSSL_free(buf);
+ }
+};
+
+template<typename T, void (*func)(T*)>
+using ScopedOpenSSLType = bssl::unique_ptr<T, OpenSSLDeleter<T, func>>;
+
+template<typename StackType, typename T, void (*func)(T*)>
+using ScopedOpenSSLStack =
+ bssl::unique_ptr<StackType, OpenSSLStackDeleter<StackType, T, func>>;
+
+template<typename T, typename CleanupRet, void (*init_func)(T*),
+ CleanupRet (*cleanup_func)(T*)>
+class ScopedOpenSSLContext {
+ public:
+ ScopedOpenSSLContext() {
+ init_func(&ctx_);
+ }
+ ~ScopedOpenSSLContext() {
+ cleanup_func(&ctx_);
+ }
+
+ T *get() { return &ctx_; }
+ const T *get() const { return &ctx_; }
+
+ void Reset() {
+ cleanup_func(&ctx_);
+ init_func(&ctx_);
+ }
+
+ private:
+ T ctx_;
+};
+
+using ScopedBIO = ScopedOpenSSLType<BIO, BIO_vfree>;
+using ScopedBIGNUM = ScopedOpenSSLType<BIGNUM, BN_free>;
+using ScopedBN_CTX = ScopedOpenSSLType<BN_CTX, BN_CTX_free>;
+using ScopedBN_MONT_CTX = ScopedOpenSSLType<BN_MONT_CTX, BN_MONT_CTX_free>;
+using ScopedCMAC_CTX = ScopedOpenSSLType<CMAC_CTX, CMAC_CTX_free>;
+using ScopedDH = ScopedOpenSSLType<DH, DH_free>;
+using ScopedECDSA_SIG = ScopedOpenSSLType<ECDSA_SIG, ECDSA_SIG_free>;
+using ScopedEC_GROUP = ScopedOpenSSLType<EC_GROUP, EC_GROUP_free>;
+using ScopedEC_KEY = ScopedOpenSSLType<EC_KEY, EC_KEY_free>;
+using ScopedEC_POINT = ScopedOpenSSLType<EC_POINT, EC_POINT_free>;
+using ScopedEVP_PKEY = ScopedOpenSSLType<EVP_PKEY, EVP_PKEY_free>;
+using ScopedEVP_PKEY_CTX = ScopedOpenSSLType<EVP_PKEY_CTX, EVP_PKEY_CTX_free>;
+using ScopedPKCS8_PRIV_KEY_INFO = ScopedOpenSSLType<PKCS8_PRIV_KEY_INFO,
+ PKCS8_PRIV_KEY_INFO_free>;
+using ScopedPKCS12 = ScopedOpenSSLType<PKCS12, PKCS12_free>;
+using ScopedRSA = ScopedOpenSSLType<RSA, RSA_free>;
+using ScopedX509 = ScopedOpenSSLType<X509, X509_free>;
+using ScopedX509_ALGOR = ScopedOpenSSLType<X509_ALGOR, X509_ALGOR_free>;
+
+using ScopedX509Stack = ScopedOpenSSLStack<STACK_OF(X509), X509, X509_free>;
+
+using ScopedEVP_MD_CTX = ScopedOpenSSLContext<EVP_MD_CTX, int, EVP_MD_CTX_init,
+ EVP_MD_CTX_cleanup>;
+using ScopedHMAC_CTX = ScopedOpenSSLContext<HMAC_CTX, void, HMAC_CTX_init,
+ HMAC_CTX_cleanup>;
+
+using ScopedOpenSSLBytes = bssl::unique_ptr<uint8_t, OpenSSLFree<uint8_t>>;
+using ScopedOpenSSLString = bssl::unique_ptr<char, OpenSSLFree<char>>;
+
+
+#endif // OPENSSL_HEADER_CRYPTO_TEST_SCOPED_TYPES_H
diff --git a/src/crypto/test/stl_compat.h b/src/crypto/test/stl_compat.h
new file mode 100644
index 0000000..1997a45
--- /dev/null
+++ b/src/crypto/test/stl_compat.h
@@ -0,0 +1,144 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_TEST_STL_COMPAT_H
+#define OPENSSL_HEADER_CRYPTO_TEST_STL_COMPAT_H
+
+#include <assert.h>
+
+#include <vector>
+
+
+// This header contains re-implementations of library functions from C++11. They
+// will be replaced with their standard counterparts once Chromium has C++11
+// library support in its toolchain.
+
+namespace bssl {
+
+// vector_data is a reimplementation of |std::vector::data| from C++11.
+template <class T>
+static T *vector_data(std::vector<T> *out) {
+ return out->empty() ? nullptr : &(*out)[0];
+}
+
+template <class T>
+static const T *vector_data(const std::vector<T> *out) {
+ return out->empty() ? nullptr : &(*out)[0];
+}
+
+// remove_reference is a reimplementation of |std::remove_reference| from C++11.
+template <class T>
+struct remove_reference {
+ using type = T;
+};
+
+template <class T>
+struct remove_reference<T&> {
+ using type = T;
+};
+
+template <class T>
+struct remove_reference<T&&> {
+ using type = T;
+};
+
+// move is a reimplementation of |std::move| from C++11.
+template <class T>
+typename remove_reference<T>::type &&move(T &&t) {
+ return static_cast<typename remove_reference<T>::type&&>(t);
+}
+
+// default_delete is a partial reimplementation of |std::default_delete| from
+// C++11.
+template <class T>
+struct default_delete {
+ void operator()(T *t) const {
+ enum { type_must_be_complete = sizeof(T) };
+ delete t;
+ }
+};
+
+// nullptr_t is |std::nullptr_t| from C++11.
+using nullptr_t = decltype(nullptr);
+
+// unique_ptr is a partial reimplementation of |std::unique_ptr| from C++11. It
+// intentionally does not support stateful deleters to avoid having to bother
+// with the empty member optimization.
+template <class T, class Deleter = default_delete<T>>
+class unique_ptr {
+ public:
+ unique_ptr() : ptr_(nullptr) {}
+ unique_ptr(nullptr_t) : ptr_(nullptr) {}
+ unique_ptr(T *ptr) : ptr_(ptr) {}
+ unique_ptr(const unique_ptr &u) = delete;
+
+ unique_ptr(unique_ptr &&u) : ptr_(nullptr) {
+ reset(u.release());
+ }
+
+ ~unique_ptr() {
+ reset();
+ }
+
+ unique_ptr &operator=(nullptr_t) {
+ reset();
+ return *this;
+ }
+
+ unique_ptr &operator=(unique_ptr &&u) {
+ reset(u.release());
+ return *this;
+ }
+
+ unique_ptr& operator=(const unique_ptr &u) = delete;
+
+ explicit operator bool() const {
+ return ptr_ != nullptr;
+ }
+
+ T &operator*() const {
+ assert(ptr_ != nullptr);
+ return *ptr_;
+ }
+
+ T *operator->() const {
+ assert(ptr_ != nullptr);
+ return ptr_;
+ }
+
+ T *get() const {
+ return ptr_;
+ }
+
+ T *release() {
+ T *ptr = ptr_;
+ ptr_ = nullptr;
+ return ptr;
+ }
+
+ void reset(T *ptr = nullptr) {
+ if (ptr_ != nullptr) {
+ Deleter()(ptr_);
+ }
+ ptr_ = ptr;
+ }
+
+ private:
+ T *ptr_;
+};
+
+} // namespace bssl
+
+
+#endif // OPENSSL_HEADER_CRYPTO_TEST_STL_COMPAT_H
diff --git a/src/crypto/thread.c b/src/crypto/thread.c
index 024993e..abc8b6f 100644
--- a/src/crypto/thread.c
+++ b/src/crypto/thread.c
@@ -56,44 +56,34 @@
#include <openssl/thread.h>
-#include <errno.h>
#include <string.h>
-#if defined(OPENSSL_WINDOWS)
+#if !defined(OPENSSL_WINDOWS)
+#include <errno.h>
+#else
#pragma warning(push, 3)
#include <windows.h>
#pragma warning(pop)
#endif
#include <openssl/mem.h>
-#include <openssl/type_check.h>
+#define CRYPTO_LOCK_ITEM(x) #x
+
/* lock_names contains the names of all the locks defined in thread.h. */
static const char *const lock_names[] = {
- "<<ERROR>>", "err", "ex_data", "x509",
- "x509_info", "x509_pkey", "x509_crl", "x509_req",
- "dsa", "rsa", "evp_pkey", "x509_store",
- "ssl_ctx", "ssl_cert", "ssl_session", "ssl_sess_cert",
- "ssl", "ssl_method", "rand", "rand2",
- "debug_malloc", "BIO", "gethostbyname", "getservbyname",
- "readdir", "RSA_blinding", "dh", "debug_malloc2",
- "dso", "dynlock", "engine", "ui",
- "ecdsa", "ec", "ecdh", "bn",
- "ec_pre_comp", "store", "comp", "fips",
- "fips2", "obj",
+ CRYPTO_LOCK_LIST
};
-OPENSSL_COMPILE_ASSERT(CRYPTO_NUM_LOCKS ==
- sizeof(lock_names) / sizeof(lock_names[0]),
- CRYPTO_NUM_LOCKS_inconsistent);
+#undef CRYPTO_LOCK_ITEM
+
+#define CRYPTO_NUM_LOCKS (sizeof(lock_names) / sizeof(lock_names[0]))
static void (*locking_callback)(int mode, int lock_num, const char *file,
int line) = 0;
static int (*add_lock_callback)(int *pointer, int amount, int lock_num,
const char *file, int line) = 0;
-static void (*threadid_callback)(CRYPTO_THREADID *) = 0;
-
int CRYPTO_num_locks(void) { return CRYPTO_NUM_LOCKS; }
@@ -115,23 +105,13 @@
}
}
-int CRYPTO_THREADID_set_callback(void (*func)(CRYPTO_THREADID *)) {
- if (threadid_callback) {
- return 0;
- }
- threadid_callback = func;
- return 1;
-}
+int CRYPTO_THREADID_set_callback(void (*func)(CRYPTO_THREADID *)) { return 1; }
-void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val) {
- memset(id, 0, sizeof(*id));
- id->val = val;
-}
+void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val) {}
-void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr) {
- memset(id, 0, sizeof(*id));
- id->ptr = ptr;
-}
+void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr) {}
+
+void CRYPTO_THREADID_current(CRYPTO_THREADID *id) {}
void (*CRYPTO_get_locking_callback(void))(int mode, int lock_num,
const char *file, int line) {
@@ -165,32 +145,6 @@
return ret;
}
-void CRYPTO_THREADID_current(CRYPTO_THREADID *id) {
- if (threadid_callback) {
- threadid_callback(id);
- return;
- }
-
-#if defined(OPENSSL_WINDOWS)
- CRYPTO_THREADID_set_numeric(id, (unsigned long)GetCurrentThreadId());
-#else
- /* For everything else, default to using the address of 'errno' */
- CRYPTO_THREADID_set_pointer(id, (void *)&errno);
-#endif
-}
-
-int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b) {
- return memcmp(a, b, sizeof(*a));
-}
-
-void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src) {
- memcpy(dest, src, sizeof(*src));
-}
-
-uint32_t CRYPTO_THREADID_hash(const CRYPTO_THREADID *id) {
- return OPENSSL_hash32(id, sizeof(CRYPTO_THREADID));
-}
-
void CRYPTO_set_id_callback(unsigned long (*func)(void)) {}
void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(
diff --git a/src/crypto/thread_none.c b/src/crypto/thread_none.c
new file mode 100644
index 0000000..cf4e85a
--- /dev/null
+++ b/src/crypto/thread_none.c
@@ -0,0 +1,55 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#if defined(OPENSSL_NO_THREADS)
+
+void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_MUTEX_unlock(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {}
+
+void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) {}
+
+void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) {}
+
+void CRYPTO_STATIC_MUTEX_unlock(struct CRYPTO_STATIC_MUTEX *lock) {}
+
+void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) {
+ if (*once) {
+ return;
+ }
+ *once = 1;
+ init();
+}
+
+static void *g_thread_locals[NUM_OPENSSL_THREAD_LOCALS];
+
+void *CRYPTO_get_thread_local(thread_local_data_t index) {
+ return g_thread_locals[index];
+}
+
+int CRYPTO_set_thread_local(thread_local_data_t index, void *value,
+ thread_local_destructor_t destructor) {
+ g_thread_locals[index] = value;
+ return 1;
+}
+
+#endif /* OPENSSL_NO_THREADS */
diff --git a/src/crypto/thread_pthread.c b/src/crypto/thread_pthread.c
new file mode 100644
index 0000000..59c4b8d
--- /dev/null
+++ b/src/crypto/thread_pthread.c
@@ -0,0 +1,162 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_NO_THREADS)
+
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/mem.h>
+#include <openssl/type_check.h>
+
+
+OPENSSL_COMPILE_ASSERT(sizeof(CRYPTO_MUTEX) >= sizeof(pthread_rwlock_t),
+ CRYPTO_MUTEX_too_small);
+
+void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) {
+ if (pthread_rwlock_init((pthread_rwlock_t *) lock, NULL) != 0) {
+ abort();
+ }
+}
+
+void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) {
+ if (pthread_rwlock_rdlock((pthread_rwlock_t *) lock) != 0) {
+ abort();
+ }
+}
+
+void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) {
+ if (pthread_rwlock_wrlock((pthread_rwlock_t *) lock) != 0) {
+ abort();
+ }
+}
+
+void CRYPTO_MUTEX_unlock(CRYPTO_MUTEX *lock) {
+ if (pthread_rwlock_unlock((pthread_rwlock_t *) lock) != 0) {
+ abort();
+ }
+}
+
+void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {
+ pthread_rwlock_destroy((pthread_rwlock_t *) lock);
+}
+
+void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) {
+ if (pthread_rwlock_rdlock(&lock->lock) != 0) {
+ abort();
+ }
+}
+
+void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) {
+ if (pthread_rwlock_wrlock(&lock->lock) != 0) {
+ abort();
+ }
+}
+
+void CRYPTO_STATIC_MUTEX_unlock(struct CRYPTO_STATIC_MUTEX *lock) {
+ if (pthread_rwlock_unlock(&lock->lock) != 0) {
+ abort();
+ }
+}
+
+void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) {
+ pthread_once(once, init);
+}
+
+static pthread_mutex_t g_destructors_lock = PTHREAD_MUTEX_INITIALIZER;
+static thread_local_destructor_t g_destructors[NUM_OPENSSL_THREAD_LOCALS];
+
+static void thread_local_destructor(void *arg) {
+ if (arg == NULL) {
+ return;
+ }
+
+ thread_local_destructor_t destructors[NUM_OPENSSL_THREAD_LOCALS];
+ if (pthread_mutex_lock(&g_destructors_lock) != 0) {
+ return;
+ }
+ memcpy(destructors, g_destructors, sizeof(destructors));
+ pthread_mutex_unlock(&g_destructors_lock);
+
+ unsigned i;
+ void **pointers = arg;
+ for (i = 0; i < NUM_OPENSSL_THREAD_LOCALS; i++) {
+ if (destructors[i] != NULL) {
+ destructors[i](pointers[i]);
+ }
+ }
+
+ OPENSSL_free(pointers);
+}
+
+static pthread_once_t g_thread_local_init_once = PTHREAD_ONCE_INIT;
+static pthread_key_t g_thread_local_key;
+static int g_thread_local_failed = 0;
+
+static void thread_local_init(void) {
+ g_thread_local_failed =
+ pthread_key_create(&g_thread_local_key, thread_local_destructor) != 0;
+}
+
+void *CRYPTO_get_thread_local(thread_local_data_t index) {
+ CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+ if (g_thread_local_failed) {
+ return NULL;
+ }
+
+ void **pointers = pthread_getspecific(g_thread_local_key);
+ if (pointers == NULL) {
+ return NULL;
+ }
+ return pointers[index];
+}
+
+int CRYPTO_set_thread_local(thread_local_data_t index, void *value,
+ thread_local_destructor_t destructor) {
+ CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+ if (g_thread_local_failed) {
+ destructor(value);
+ return 0;
+ }
+
+ void **pointers = pthread_getspecific(g_thread_local_key);
+ if (pointers == NULL) {
+ pointers = OPENSSL_malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+ if (pointers == NULL) {
+ destructor(value);
+ return 0;
+ }
+ memset(pointers, 0, sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+ if (pthread_setspecific(g_thread_local_key, pointers) != 0) {
+ OPENSSL_free(pointers);
+ destructor(value);
+ return 0;
+ }
+ }
+
+ if (pthread_mutex_lock(&g_destructors_lock) != 0) {
+ destructor(value);
+ return 0;
+ }
+ g_destructors[index] = destructor;
+ pthread_mutex_unlock(&g_destructors_lock);
+
+ pointers[index] = value;
+ return 1;
+}
+
+#endif /* !OPENSSL_WINDOWS && !OPENSSL_NO_THREADS */
diff --git a/src/crypto/thread_test.c b/src/crypto/thread_test.c
new file mode 100644
index 0000000..cecda88
--- /dev/null
+++ b/src/crypto/thread_test.c
@@ -0,0 +1,202 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#include <stdio.h>
+
+
+#if !defined(OPENSSL_NO_THREADS)
+
+#if defined(OPENSSL_WINDOWS)
+
+#pragma warning(push, 3)
+#include <Windows.h>
+#pragma warning(pop)
+
+typedef HANDLE thread_t;
+
+static DWORD WINAPI thread_run(LPVOID arg) {
+ void (*thread_func)(void);
+ /* VC really doesn't like casting between data and function pointers. */
+ memcpy(&thread_func, &arg, sizeof(thread_func));
+ thread_func();
+ return 0;
+}
+
+static int run_thread(thread_t *out_thread, void (*thread_func)(void)) {
+ void *arg;
+ /* VC really doesn't like casting between data and function pointers. */
+ memcpy(&arg, &thread_func, sizeof(arg));
+
+ *out_thread = CreateThread(NULL /* security attributes */,
+ 0 /* default stack size */, thread_run, arg,
+ 0 /* run immediately */, NULL /* ignore id */);
+ return *out_thread != NULL;
+}
+
+static int wait_for_thread(thread_t thread) {
+ return WaitForSingleObject(thread, INFINITE) == 0;
+}
+
+#else
+
+#include <pthread.h>
+
+typedef pthread_t thread_t;
+
+static void *thread_run(void *arg) {
+ void (*thread_func)(void) = arg;
+ thread_func();
+ return NULL;
+}
+
+static int run_thread(thread_t *out_thread, void (*thread_func)(void)) {
+ return pthread_create(out_thread, NULL /* default attributes */, thread_run,
+ thread_func) == 0;
+}
+
+static int wait_for_thread(thread_t thread) {
+ return pthread_join(thread, NULL) == 0;
+}
+
+#endif /* OPENSSL_WINDOWS */
+
+static unsigned g_once_init_called = 0;
+
+static void once_init(void) {
+ g_once_init_called++;
+}
+
+static CRYPTO_once_t g_test_once = CRYPTO_ONCE_INIT;
+
+static void call_once_thread(void) {
+ CRYPTO_once(&g_test_once, once_init);
+}
+
+static int test_once(void) {
+ if (g_once_init_called != 0) {
+ fprintf(stderr, "g_once_init_called was non-zero at start.\n");
+ return 0;
+ }
+
+ thread_t thread;
+ if (!run_thread(&thread, call_once_thread) ||
+ !wait_for_thread(thread)) {
+ fprintf(stderr, "thread failed.\n");
+ return 0;
+ }
+
+ CRYPTO_once(&g_test_once, once_init);
+
+ if (g_once_init_called != 1) {
+ fprintf(stderr, "Expected init function to be called once, but found %u.\n",
+ g_once_init_called);
+ return 0;
+ }
+
+ return 1;
+}
+
+
+static int g_test_thread_ok = 0;
+static unsigned g_destructor_called_count = 0;
+
+static void thread_local_destructor(void *arg) {
+ if (arg == NULL) {
+ return;
+ }
+
+ unsigned *count = arg;
+ (*count)++;
+}
+
+static void thread_local_test_thread(void) {
+ void *ptr = CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_TEST);
+ if (ptr != NULL) {
+ return;
+ }
+
+ if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_TEST,
+ &g_destructor_called_count,
+ thread_local_destructor)) {
+ return;
+ }
+
+ if (CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_TEST) !=
+ &g_destructor_called_count) {
+ return;
+ }
+
+ g_test_thread_ok = 1;
+}
+
+static void thread_local_test2_thread(void) {}
+
+static int test_thread_local(void) {
+ void *ptr = CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_TEST);
+ if (ptr != NULL) {
+ fprintf(stderr, "Thread-local data was non-NULL at start.\n");
+ }
+
+ thread_t thread;
+ if (!run_thread(&thread, thread_local_test_thread) ||
+ !wait_for_thread(thread)) {
+ fprintf(stderr, "thread failed.\n");
+ return 0;
+ }
+
+ if (!g_test_thread_ok) {
+ fprintf(stderr, "Thread-local data didn't work in thread.\n");
+ return 0;
+ }
+
+ if (g_destructor_called_count != 1) {
+ fprintf(stderr,
+ "Destructor should have been called once, but actually called %u "
+ "times.\n",
+ g_destructor_called_count);
+ return 0;
+ }
+
+ /* thread_local_test2_thread doesn't do anything, but it tests that the
+ * thread destructor function works even if thread-local storage wasn't used
+ * for a thread. */
+ if (!run_thread(&thread, thread_local_test2_thread) ||
+ !wait_for_thread(thread)) {
+ fprintf(stderr, "thread failed.\n");
+ return 0;
+ }
+
+ return 1;
+}
+
+int main(int argc, char **argv) {
+ if (!test_once() ||
+ !test_thread_local()) {
+ return 1;
+ }
+
+ printf("PASS\n");
+ return 0;
+}
+
+#else /* OPENSSL_NO_THREADS */
+
+int main(int argc, char **argv) {
+ printf("PASS\n");
+ return 0;
+}
+
+#endif
diff --git a/src/crypto/thread_win.c b/src/crypto/thread_win.c
new file mode 100644
index 0000000..5efd8be
--- /dev/null
+++ b/src/crypto/thread_win.c
@@ -0,0 +1,282 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#if defined(OPENSSL_WINDOWS) && !defined(OPENSSL_NO_THREADS)
+
+#pragma warning(push, 3)
+#include <windows.h>
+#pragma warning(pop)
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/mem.h>
+#include <openssl/type_check.h>
+
+
+OPENSSL_COMPILE_ASSERT(sizeof(CRYPTO_MUTEX) >= sizeof(CRITICAL_SECTION),
+ CRYPTO_MUTEX_too_small);
+
+static void run_once(CRYPTO_once_t *in_once, void (*init)(void *), void *arg) {
+ volatile LONG *once = in_once;
+
+ /* Values must be aligned. */
+ assert((((uintptr_t) once) & 3) == 0);
+
+ /* This assumes that reading *once has acquire semantics. This should be true
+ * on x86 and x86-64, where we expect Windows to run. */
+#if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)
+#error "Windows once code may not work on other platforms." \
+ "You can use InitOnceBeginInitialize on >=Vista"
+#endif
+ if (*once == 1) {
+ return;
+ }
+
+ for (;;) {
+ switch (InterlockedCompareExchange(once, 2, 0)) {
+ case 0:
+ /* The value was zero so we are the first thread to call |CRYPTO_once|
+ * on it. */
+ init(arg);
+ /* Write one to indicate that initialisation is complete. */
+ InterlockedExchange(once, 1);
+ return;
+
+ case 1:
+ /* Another thread completed initialisation between our fast-path check
+ * and |InterlockedCompareExchange|. */
+ return;
+
+ case 2:
+ /* Another thread is running the initialisation. Switch to it then try
+ * again. */
+ SwitchToThread();
+ break;
+
+ default:
+ abort();
+ }
+ }
+}
+
+static void call_once_init(void *arg) {
+ void (*init_func)(void);
+ /* MSVC does not like casting between data and function pointers. */
+ memcpy(&init_func, &arg, sizeof(void *));
+ init_func();
+}
+
+void CRYPTO_once(CRYPTO_once_t *in_once, void (*init)(void)) {
+ void *arg;
+ /* MSVC does not like casting between data and function pointers. */
+ memcpy(&arg, &init, sizeof(void *));
+ run_once(in_once, call_once_init, arg);
+}
+
+void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) {
+ if (!InitializeCriticalSectionAndSpinCount((CRITICAL_SECTION *) lock, 0x400)) {
+ abort();
+ }
+}
+
+void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) {
+ /* Since we have to support Windows XP, read locks are actually exclusive. */
+ EnterCriticalSection((CRITICAL_SECTION *) lock);
+}
+
+void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) {
+ EnterCriticalSection((CRITICAL_SECTION *) lock);
+}
+
+void CRYPTO_MUTEX_unlock(CRYPTO_MUTEX *lock) {
+ LeaveCriticalSection((CRITICAL_SECTION *) lock);
+}
+
+void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {
+ DeleteCriticalSection((CRITICAL_SECTION *) lock);
+}
+
+static void static_lock_init(void *arg) {
+ struct CRYPTO_STATIC_MUTEX *lock = arg;
+ if (!InitializeCriticalSectionAndSpinCount(&lock->lock, 0x400)) {
+ abort();
+ }
+}
+
+void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) {
+ /* Since we have to support Windows XP, read locks are actually exclusive. */
+ run_once(&lock->once, static_lock_init, lock);
+ EnterCriticalSection(&lock->lock);
+}
+
+void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) {
+ CRYPTO_STATIC_MUTEX_lock_read(lock);
+}
+
+void CRYPTO_STATIC_MUTEX_unlock(struct CRYPTO_STATIC_MUTEX *lock) {
+ LeaveCriticalSection(&lock->lock);
+}
+
+static CRITICAL_SECTION g_destructors_lock;
+static thread_local_destructor_t g_destructors[NUM_OPENSSL_THREAD_LOCALS];
+
+static CRYPTO_once_t g_thread_local_init_once = CRYPTO_ONCE_INIT;
+static DWORD g_thread_local_key;
+static int g_thread_local_failed;
+
+static void thread_local_init(void) {
+ if (!InitializeCriticalSectionAndSpinCount(&g_destructors_lock, 0x400)) {
+ g_thread_local_failed = 1;
+ return;
+ }
+ g_thread_local_key = TlsAlloc();
+ g_thread_local_failed = (g_thread_local_key == TLS_OUT_OF_INDEXES);
+}
+
+static void NTAPI thread_local_destructor(PVOID module,
+ DWORD reason, PVOID reserved) {
+ if (DLL_THREAD_DETACH != reason && DLL_PROCESS_DETACH != reason) {
+ return;
+ }
+
+ CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+ if (g_thread_local_failed) {
+ return;
+ }
+
+ void **pointers = (void**) TlsGetValue(g_thread_local_key);
+ if (pointers == NULL) {
+ return;
+ }
+
+ thread_local_destructor_t destructors[NUM_OPENSSL_THREAD_LOCALS];
+
+ EnterCriticalSection(&g_destructors_lock);
+ memcpy(destructors, g_destructors, sizeof(destructors));
+ LeaveCriticalSection(&g_destructors_lock);
+
+ unsigned i;
+ for (i = 0; i < NUM_OPENSSL_THREAD_LOCALS; i++) {
+ if (destructors[i] != NULL) {
+ destructors[i](pointers[i]);
+ }
+ }
+
+ OPENSSL_free(pointers);
+}
+
+/* Thread Termination Callbacks.
+ *
+ * Windows doesn't support a per-thread destructor with its TLS primitives.
+ * So, we build it manually by inserting a function to be called on each
+ * thread's exit. This magic is from http://www.codeproject.com/threads/tls.asp
+ * and it works for VC++ 7.0 and later.
+ *
+ * Force a reference to _tls_used to make the linker create the TLS directory
+ * if it's not already there. (E.g. if __declspec(thread) is not used). Force
+ * a reference to p_thread_callback_boringssl to prevent whole program
+ * optimization from discarding the variable. */
+#ifdef _WIN64
+#pragma comment(linker, "/INCLUDE:_tls_used")
+#pragma comment(linker, "/INCLUDE:p_thread_callback_boringssl")
+#else
+#pragma comment(linker, "/INCLUDE:__tls_used")
+#pragma comment(linker, "/INCLUDE:_p_thread_callback_boringssl")
+#endif
+
+/* .CRT$XLA to .CRT$XLZ is an array of PIMAGE_TLS_CALLBACK pointers that are
+ * called automatically by the OS loader code (not the CRT) when the module is
+ * loaded and on thread creation. They are NOT called if the module has been
+ * loaded by a LoadLibrary() call. It must have implicitly been loaded at
+ * process startup.
+ *
+ * By implicitly loaded, I mean that it is directly referenced by the main EXE
+ * or by one of its dependent DLLs. Delay-loaded DLL doesn't count as being
+ * implicitly loaded.
+ *
+ * See VC\crt\src\tlssup.c for reference. */
+
+/* The linker must not discard p_thread_callback_boringssl. (We force a reference
+ * to this variable with a linker /INCLUDE:symbol pragma to ensure that.) If
+ * this variable is discarded, the OnThreadExit function will never be
+ * called. */
+#ifdef _WIN64
+
+/* .CRT section is merged with .rdata on x64 so it must be constant data. */
+#pragma const_seg(".CRT$XLC")
+/* When defining a const variable, it must have external linkage to be sure the
+ * linker doesn't discard it. */
+extern const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl;
+const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor;
+/* Reset the default section. */
+#pragma const_seg()
+
+#else
+
+#pragma data_seg(".CRT$XLC")
+PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor;
+/* Reset the default section. */
+#pragma data_seg()
+
+#endif /* _WIN64 */
+
+void *CRYPTO_get_thread_local(thread_local_data_t index) {
+ CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+ if (g_thread_local_failed) {
+ return NULL;
+ }
+
+ void **pointers = TlsGetValue(g_thread_local_key);
+ if (pointers == NULL) {
+ return NULL;
+ }
+ return pointers[index];
+}
+
+int CRYPTO_set_thread_local(thread_local_data_t index, void *value,
+ thread_local_destructor_t destructor) {
+ CRYPTO_once(&g_thread_local_init_once, thread_local_init);
+ if (g_thread_local_failed) {
+ destructor(value);
+ return 0;
+ }
+
+ void **pointers = TlsGetValue(g_thread_local_key);
+ if (pointers == NULL) {
+ pointers = OPENSSL_malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+ if (pointers == NULL) {
+ destructor(value);
+ return 0;
+ }
+ memset(pointers, 0, sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);
+ if (TlsSetValue(g_thread_local_key, pointers) == 0) {
+ OPENSSL_free(pointers);
+ destructor(value);
+ return 0;
+ }
+ }
+
+ EnterCriticalSection(&g_destructors_lock);
+ g_destructors[index] = destructor;
+ LeaveCriticalSection(&g_destructors_lock);
+
+ pointers[index] = value;
+ return 1;
+}
+
+#endif /* OPENSSL_WINDOWS && !OPENSSL_NO_THREADS */
diff --git a/src/crypto/time_support.c b/src/crypto/time_support.c
index 9302ebf..bf9daed 100644
--- a/src/crypto/time_support.c
+++ b/src/crypto/time_support.c
@@ -67,6 +67,9 @@
#include <openssl/time_support.h>
+#include <time.h>
+
+
#define SECS_PER_DAY (24 * 60 * 60)
struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result) {
@@ -135,8 +138,9 @@
/* Work out Julian day of new date */
time_jd += offset_day;
- if (time_jd < 0)
+ if (time_jd < 0) {
return 0;
+ }
*pday = time_jd;
*psec = offset_hms;
@@ -148,15 +152,17 @@
long time_jd;
/* Convert time and offset into julian day and seconds */
- if (!julian_adj(tm, off_day, offset_sec, &time_jd, &time_sec))
+ if (!julian_adj(tm, off_day, offset_sec, &time_jd, &time_sec)) {
return 0;
+ }
/* Convert Julian day back to date */
julian_to_date(time_jd, &time_year, &time_month, &time_day);
- if (time_year < 1900 || time_year > 9999)
+ if (time_year < 1900 || time_year > 9999) {
return 0;
+ }
/* Update tm structure */
diff --git a/src/crypto/x509/CMakeLists.txt b/src/crypto/x509/CMakeLists.txt
index f00e28a..96cf35c 100644
--- a/src/crypto/x509/CMakeLists.txt
+++ b/src/crypto/x509/CMakeLists.txt
@@ -22,7 +22,6 @@
x509_cmp.c
x509_d2.c
x509_def.c
- x509_error.c
x509_ext.c
x509_lu.c
x509_obj.c
diff --git a/src/crypto/x509/asn1_gen.c b/src/crypto/x509/asn1_gen.c
index 750701e..d4d1ee6 100644
--- a/src/crypto/x509/asn1_gen.c
+++ b/src/crypto/x509/asn1_gen.c
@@ -64,6 +64,11 @@
#include <openssl/obj.h>
#include <openssl/x509v3.h>
+#include "../internal.h"
+
+
+/* Although this file is in crypto/x509 for layering purposes, it emits errors
+ * from the ASN.1 module for OpenSSL compatibility. */
#define ASN1_GEN_FLAG 0x10000
#define ASN1_GEN_FLAG_IMP (ASN1_GEN_FLAG|1)
@@ -138,6 +143,7 @@
}
ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
+ OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
{
ASN1_TYPE *ret;
tag_exp_arg asn1_tags;
@@ -165,7 +171,7 @@
{
if (!cnf)
{
- OPENSSL_PUT_ERROR(X509, ASN1_generate_v3, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG);
+ OPENSSL_PUT_ERROR(ASN1, ASN1_generate_v3, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG);
return NULL;
}
ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf);
@@ -308,7 +314,7 @@
if (utype == -1)
{
- OPENSSL_PUT_ERROR(X509, asn1_cb, ASN1_R_UNKNOWN_TAG);
+ OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_UNKNOWN_TAG);
ERR_add_error_data(2, "tag=", elem);
return -1;
}
@@ -321,7 +327,7 @@
/* If no value and not end of string, error */
if (!vstart && elem[len])
{
- OPENSSL_PUT_ERROR(X509, asn1_cb, ASN1_R_MISSING_VALUE);
+ OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_MISSING_VALUE);
return -1;
}
return 0;
@@ -334,7 +340,7 @@
/* Check for illegal multiple IMPLICIT tagging */
if (arg->imp_tag != -1)
{
- OPENSSL_PUT_ERROR(X509, asn1_cb, ASN1_R_ILLEGAL_NESTED_TAGGING);
+ OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_ILLEGAL_NESTED_TAGGING);
return -1;
}
if (!parse_tagging(vstart, vlen, &arg->imp_tag, &arg->imp_class))
@@ -370,17 +376,22 @@
break;
case ASN1_GEN_FLAG_FORMAT:
+ if (!vstart)
+ {
+ OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_UNKNOWN_FORMAT);
+ return -1;
+ }
if (!strncmp(vstart, "ASCII", 5))
arg->format = ASN1_GEN_FORMAT_ASCII;
else if (!strncmp(vstart, "UTF8", 4))
arg->format = ASN1_GEN_FORMAT_UTF8;
else if (!strncmp(vstart, "HEX", 3))
arg->format = ASN1_GEN_FORMAT_HEX;
- else if (!strncmp(vstart, "BITLIST", 3))
+ else if (!strncmp(vstart, "BITLIST", 7))
arg->format = ASN1_GEN_FORMAT_BITLIST;
else
{
- OPENSSL_PUT_ERROR(X509, asn1_cb, ASN1_R_UNKNOWN_FORMAT);
+ OPENSSL_PUT_ERROR(ASN1, asn1_cb, ASN1_R_UNKNOWN_FORMAT);
return -1;
}
break;
@@ -404,7 +415,7 @@
return 0;
if (tag_num < 0)
{
- OPENSSL_PUT_ERROR(X509, parse_tagging, ASN1_R_INVALID_NUMBER);
+ OPENSSL_PUT_ERROR(ASN1, parse_tagging, ASN1_R_INVALID_NUMBER);
return 0;
}
*ptag = tag_num;
@@ -437,7 +448,7 @@
default:
erch[0] = *eptr;
erch[1] = 0;
- OPENSSL_PUT_ERROR(X509, parse_tagging, ASN1_R_INVALID_MODIFIER);
+ OPENSSL_PUT_ERROR(ASN1, parse_tagging, ASN1_R_INVALID_MODIFIER);
ERR_add_error_data(2, "Char=", erch);
return 0;
break;
@@ -523,13 +534,13 @@
/* Can only have IMPLICIT if permitted */
if ((arg->imp_tag != -1) && !imp_ok)
{
- OPENSSL_PUT_ERROR(X509, append_exp, ASN1_R_ILLEGAL_IMPLICIT_TAG);
+ OPENSSL_PUT_ERROR(ASN1, append_exp, ASN1_R_ILLEGAL_IMPLICIT_TAG);
return 0;
}
if (arg->exp_count == ASN1_FLAG_EXP_MAX)
{
- OPENSSL_PUT_ERROR(X509, append_exp, ASN1_R_DEPTH_EXCEEDED);
+ OPENSSL_PUT_ERROR(ASN1, append_exp, ASN1_R_DEPTH_EXCEEDED);
return 0;
}
@@ -647,7 +658,7 @@
if (!(atmp = ASN1_TYPE_new()))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
return NULL;
}
@@ -660,7 +671,7 @@
case V_ASN1_NULL:
if (str && *str)
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_NULL_VALUE);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_NULL_VALUE);
goto bad_form;
}
break;
@@ -668,7 +679,7 @@
case V_ASN1_BOOLEAN:
if (format != ASN1_GEN_FORMAT_ASCII)
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_NOT_ASCII_FORMAT);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_NOT_ASCII_FORMAT);
goto bad_form;
}
vtmp.name = NULL;
@@ -676,7 +687,7 @@
vtmp.value = (char *)str;
if (!X509V3_get_value_bool(&vtmp, &atmp->value.boolean))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_BOOLEAN);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_BOOLEAN);
goto bad_str;
}
break;
@@ -685,12 +696,12 @@
case V_ASN1_ENUMERATED:
if (format != ASN1_GEN_FORMAT_ASCII)
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_INTEGER_NOT_ASCII_FORMAT);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_INTEGER_NOT_ASCII_FORMAT);
goto bad_form;
}
if (!(atmp->value.integer = s2i_ASN1_INTEGER(NULL, (char *)str)))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_INTEGER);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_INTEGER);
goto bad_str;
}
break;
@@ -698,12 +709,12 @@
case V_ASN1_OBJECT:
if (format != ASN1_GEN_FORMAT_ASCII)
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_OBJECT_NOT_ASCII_FORMAT);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_OBJECT_NOT_ASCII_FORMAT);
goto bad_form;
}
if (!(atmp->value.object = OBJ_txt2obj(str, 0)))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_OBJECT);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_OBJECT);
goto bad_str;
}
break;
@@ -712,23 +723,23 @@
case V_ASN1_GENERALIZEDTIME:
if (format != ASN1_GEN_FORMAT_ASCII)
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_TIME_NOT_ASCII_FORMAT);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_TIME_NOT_ASCII_FORMAT);
goto bad_form;
}
if (!(atmp->value.asn1_string = ASN1_STRING_new()))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
goto bad_str;
}
if (!ASN1_STRING_set(atmp->value.asn1_string, str, -1))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
goto bad_str;
}
atmp->value.asn1_string->type = utype;
if (!ASN1_TIME_check(atmp->value.asn1_string))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_TIME_VALUE);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_TIME_VALUE);
goto bad_str;
}
@@ -750,7 +761,7 @@
format = MBSTRING_UTF8;
else
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_FORMAT);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_FORMAT);
goto bad_form;
}
@@ -758,7 +769,7 @@
if (ASN1_mbstring_copy(&atmp->value.asn1_string, (unsigned char *)str,
-1, format, ASN1_tag2bit(utype)) <= 0)
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
goto bad_str;
}
@@ -771,7 +782,7 @@
if (!(atmp->value.asn1_string = ASN1_STRING_new()))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ERR_R_MALLOC_FAILURE);
goto bad_form;
}
@@ -780,7 +791,7 @@
if (!(rdata = string_to_hex((char *)str, &rdlen)))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_HEX);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_HEX);
goto bad_str;
}
@@ -795,7 +806,7 @@
{
if (!CONF_parse_list(str, ',', 1, bitstr_cb, atmp->value.bit_string))
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_LIST_ERROR);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_LIST_ERROR);
goto bad_str;
}
no_unused = 0;
@@ -803,7 +814,7 @@
}
else
{
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_ILLEGAL_BITSTRING_FORMAT);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_ILLEGAL_BITSTRING_FORMAT);
goto bad_form;
}
@@ -819,7 +830,7 @@
break;
default:
- OPENSSL_PUT_ERROR(X509, asn1_str2type, ASN1_R_UNSUPPORTED_TYPE);
+ OPENSSL_PUT_ERROR(ASN1, asn1_str2type, ASN1_R_UNSUPPORTED_TYPE);
goto bad_str;
break;
}
@@ -849,12 +860,12 @@
return 0;
if (bitnum < 0)
{
- OPENSSL_PUT_ERROR(X509, bitstr_cb, ASN1_R_INVALID_NUMBER);
+ OPENSSL_PUT_ERROR(ASN1, bitstr_cb, ASN1_R_INVALID_NUMBER);
return 0;
}
if (!ASN1_BIT_STRING_set_bit(bitstr, bitnum, 1))
{
- OPENSSL_PUT_ERROR(X509, bitstr_cb, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(ASN1, bitstr_cb, ERR_R_MALLOC_FAILURE);
return 0;
}
return 1;
diff --git a/src/crypto/x509/by_dir.c b/src/crypto/x509/by_dir.c
index 5a77b81..098c1bd 100644
--- a/src/crypto/x509/by_dir.c
+++ b/src/crypto/x509/by_dir.c
@@ -63,6 +63,7 @@
#include <openssl/err.h>
#include <openssl/lhash.h>
#include <openssl/mem.h>
+#include <openssl/thread.h>
#include <openssl/x509.h>
@@ -442,6 +443,12 @@
if (!hent)
{
hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
+ if (hent == NULL)
+ {
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+ ok = 0;
+ goto finish;
+ }
hent->hash = h;
hent->suffix = k;
if (!sk_BY_DIR_HASH_push(ent->hashes, hent))
diff --git a/src/crypto/x509/by_file.c b/src/crypto/x509/by_file.c
index 2649631..2fdbce4 100644
--- a/src/crypto/x509/by_file.c
+++ b/src/crypto/x509/by_file.c
@@ -55,11 +55,14 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
+#include <stdlib.h>
+
#include <openssl/buf.h>
#include <openssl/err.h>
#include <openssl/lhash.h>
#include <openssl/pem.h>
-#include <openssl/x509.h>
+#include <openssl/thread.h>
+
#ifndef OPENSSL_NO_STDIO
diff --git a/src/crypto/x509/i2d_pr.c b/src/crypto/x509/i2d_pr.c
index 8896565..443ca53 100644
--- a/src/crypto/x509/i2d_pr.c
+++ b/src/crypto/x509/i2d_pr.c
@@ -57,8 +57,7 @@
#include <openssl/x509.h>
-#include <stdio.h>
-
+#include <openssl/asn1.h>
#include <openssl/err.h>
#include <openssl/evp.h>
@@ -77,7 +76,9 @@
PKCS8_PRIV_KEY_INFO_free(p8);
return ret;
}
- OPENSSL_PUT_ERROR(X509, i2d_PrivateKey, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+ /* Although this file is in crypto/x509 for layering reasons, it emits
+ * an error code from ASN1 for OpenSSL compatibility. */
+ OPENSSL_PUT_ERROR(ASN1, i2d_PrivateKey, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
return -1;
}
diff --git a/src/crypto/x509/pkcs7.c b/src/crypto/x509/pkcs7.c
index bb86077..99ee3da 100644
--- a/src/crypto/x509/pkcs7.c
+++ b/src/crypto/x509/pkcs7.c
@@ -18,6 +18,7 @@
#include <openssl/bytestring.h>
#include <openssl/err.h>
+#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/pem.h>
#include <openssl/stack.h>
diff --git a/src/crypto/x509/pkcs7_test.c b/src/crypto/x509/pkcs7_test.c
index bac9fb2..38beb3e 100644
--- a/src/crypto/x509/pkcs7_test.c
+++ b/src/crypto/x509/pkcs7_test.c
@@ -18,6 +18,7 @@
#include <openssl/bytestring.h>
#include <openssl/crypto.h>
+#include <openssl/mem.h>
#include <openssl/stack.h>
#include <openssl/x509.h>
diff --git a/src/crypto/x509/vpm_int.h b/src/crypto/x509/vpm_int.h
index d18a4d4..9edbd5a 100644
--- a/src/crypto/x509/vpm_int.h
+++ b/src/crypto/x509/vpm_int.h
@@ -60,10 +60,10 @@
struct X509_VERIFY_PARAM_ID_st
{
- unsigned char *host; /* If not NULL hostname to match */
- size_t hostlen;
+ STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */
unsigned int hostflags; /* Flags to control matching features */
- unsigned char *email; /* If not NULL email address to match */
+ char *peername; /* Matching hostname in peer certificate */
+ char *email; /* If not NULL email address to match */
size_t emaillen;
unsigned char *ip; /* If not NULL IP address to match */
size_t iplen; /* Length of IP address */
diff --git a/src/crypto/x509/x509_att.c b/src/crypto/x509/x509_att.c
index 3613c35..90e7810 100644
--- a/src/crypto/x509/x509_att.c
+++ b/src/crypto/x509/x509_att.c
@@ -273,7 +273,7 @@
return(0);
ASN1_OBJECT_free(attr->object);
attr->object=OBJ_dup(obj);
- return(1);
+ return attr->object != NULL;
}
int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len)
diff --git a/src/crypto/x509/x509_error.c b/src/crypto/x509/x509_error.c
deleted file mode 100644
index 6669a7a..0000000
--- a/src/crypto/x509/x509_error.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/x509.h>
-
-const ERR_STRING_DATA X509_error_string_data[] = {
- {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_digest, 0), "ASN1_digest"},
- {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_generate_v3, 0), "ASN1_generate_v3"},
- {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_item_sign_ctx, 0), "ASN1_item_sign_ctx"},
- {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_item_verify, 0), "ASN1_item_verify"},
- {ERR_PACK(ERR_LIB_X509, X509_F_ASN1_sign, 0), "ASN1_sign"},
- {ERR_PACK(ERR_LIB_X509, X509_F_NETSCAPE_SPKI_b64_decode, 0), "NETSCAPE_SPKI_b64_decode"},
- {ERR_PACK(ERR_LIB_X509, X509_F_NETSCAPE_SPKI_b64_encode, 0), "NETSCAPE_SPKI_b64_encode"},
- {ERR_PACK(ERR_LIB_X509, X509_F_PKCS7_get_CRLs, 0), "PKCS7_get_CRLs"},
- {ERR_PACK(ERR_LIB_X509, X509_F_PKCS7_get_certificates, 0), "PKCS7_get_certificates"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_create_by_NID, 0), "X509_ATTRIBUTE_create_by_NID"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_create_by_OBJ, 0), "X509_ATTRIBUTE_create_by_OBJ"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_create_by_txt, 0), "X509_ATTRIBUTE_create_by_txt"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_get0_data, 0), "X509_ATTRIBUTE_get0_data"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_ATTRIBUTE_set1_data, 0), "X509_ATTRIBUTE_set1_data"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_CRL_add0_revoked, 0), "X509_CRL_add0_revoked"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_CRL_diff, 0), "X509_CRL_diff"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_CRL_print_fp, 0), "X509_CRL_print_fp"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_EXTENSION_create_by_NID, 0), "X509_EXTENSION_create_by_NID"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_EXTENSION_create_by_OBJ, 0), "X509_EXTENSION_create_by_OBJ"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_INFO_new, 0), "X509_INFO_new"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_ENTRY_create_by_NID, 0), "X509_NAME_ENTRY_create_by_NID"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_ENTRY_create_by_txt, 0), "X509_NAME_ENTRY_create_by_txt"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_ENTRY_set_object, 0), "X509_NAME_ENTRY_set_object"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_add_entry, 0), "X509_NAME_add_entry"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_oneline, 0), "X509_NAME_oneline"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_NAME_print, 0), "X509_NAME_print"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_PKEY_new, 0), "X509_PKEY_new"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_get, 0), "X509_PUBKEY_get"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_set, 0), "X509_PUBKEY_set"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_REQ_check_private_key, 0), "X509_REQ_check_private_key"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_REQ_to_X509, 0), "X509_REQ_to_X509"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_CTX_get1_issuer, 0), "X509_STORE_CTX_get1_issuer"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_CTX_init, 0), "X509_STORE_CTX_init"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_CTX_new, 0), "X509_STORE_CTX_new"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_CTX_purpose_inherit, 0), "X509_STORE_CTX_purpose_inherit"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_add_cert, 0), "X509_STORE_add_cert"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_STORE_add_crl, 0), "X509_STORE_add_crl"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_TRUST_add, 0), "X509_TRUST_add"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_TRUST_set, 0), "X509_TRUST_set"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_check_private_key, 0), "X509_check_private_key"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_get_pubkey_parameters, 0), "X509_get_pubkey_parameters"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_load_cert_crl_file, 0), "X509_load_cert_crl_file"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_load_cert_file, 0), "X509_load_cert_file"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_load_crl_file, 0), "X509_load_crl_file"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_print_ex_fp, 0), "X509_print_ex_fp"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_to_X509_REQ, 0), "X509_to_X509_REQ"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509_verify_cert, 0), "X509_verify_cert"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509at_add1_attr, 0), "X509at_add1_attr"},
- {ERR_PACK(ERR_LIB_X509, X509_F_X509v3_add_ext, 0), "X509v3_add_ext"},
- {ERR_PACK(ERR_LIB_X509, X509_F_add_cert_dir, 0), "add_cert_dir"},
- {ERR_PACK(ERR_LIB_X509, X509_F_append_exp, 0), "append_exp"},
- {ERR_PACK(ERR_LIB_X509, X509_F_asn1_cb, 0), "asn1_cb"},
- {ERR_PACK(ERR_LIB_X509, X509_F_asn1_str2type, 0), "asn1_str2type"},
- {ERR_PACK(ERR_LIB_X509, X509_F_bitstr_cb, 0), "bitstr_cb"},
- {ERR_PACK(ERR_LIB_X509, X509_F_by_file_ctrl, 0), "by_file_ctrl"},
- {ERR_PACK(ERR_LIB_X509, X509_F_check_policy, 0), "check_policy"},
- {ERR_PACK(ERR_LIB_X509, X509_F_d2i_X509_PKEY, 0), "d2i_X509_PKEY"},
- {ERR_PACK(ERR_LIB_X509, X509_F_dir_ctrl, 0), "dir_ctrl"},
- {ERR_PACK(ERR_LIB_X509, X509_F_get_cert_by_subject, 0), "get_cert_by_subject"},
- {ERR_PACK(ERR_LIB_X509, X509_F_i2d_DSA_PUBKEY, 0), "i2d_DSA_PUBKEY"},
- {ERR_PACK(ERR_LIB_X509, X509_F_i2d_EC_PUBKEY, 0), "i2d_EC_PUBKEY"},
- {ERR_PACK(ERR_LIB_X509, X509_F_i2d_PrivateKey, 0), "i2d_PrivateKey"},
- {ERR_PACK(ERR_LIB_X509, X509_F_i2d_RSA_PUBKEY, 0), "i2d_RSA_PUBKEY"},
- {ERR_PACK(ERR_LIB_X509, X509_F_parse_tagging, 0), "parse_tagging"},
- {ERR_PACK(ERR_LIB_X509, X509_F_pkcs7_parse_header, 0), "pkcs7_parse_header"},
- {ERR_PACK(ERR_LIB_X509, X509_F_x509_name_encode, 0), "x509_name_encode"},
- {ERR_PACK(ERR_LIB_X509, X509_F_x509_name_ex_d2i, 0), "x509_name_ex_d2i"},
- {ERR_PACK(ERR_LIB_X509, X509_F_x509_name_ex_new, 0), "x509_name_ex_new"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_AKID_MISMATCH), "AKID_MISMATCH"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_BAD_PKCS7_VERSION), "BAD_PKCS7_VERSION"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_BAD_X509_FILETYPE), "BAD_X509_FILETYPE"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_BASE64_DECODE_ERROR), "BASE64_DECODE_ERROR"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_CANT_CHECK_DH_KEY), "CANT_CHECK_DH_KEY"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_CERT_ALREADY_IN_HASH_TABLE), "CERT_ALREADY_IN_HASH_TABLE"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_CONTEXT_NOT_INITIALISED), "CONTEXT_NOT_INITIALISED"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_ALREADY_DELTA), "CRL_ALREADY_DELTA"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_VERIFY_FAILURE), "CRL_VERIFY_FAILURE"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_ERR_ASN1_LIB), "ERR_ASN1_LIB"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_IDP_MISMATCH), "IDP_MISMATCH"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_BIT_STRING_BITS_LEFT), "INVALID_BIT_STRING_BITS_LEFT"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_DIRECTORY), "INVALID_DIRECTORY"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_FIELD_NAME), "INVALID_FIELD_NAME"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_INVALID_TRUST), "INVALID_TRUST"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_ISSUER_MISMATCH), "ISSUER_MISMATCH"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_KEY_TYPE_MISMATCH), "KEY_TYPE_MISMATCH"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_KEY_VALUES_MISMATCH), "KEY_VALUES_MISMATCH"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_LOADING_CERT_DIR), "LOADING_CERT_DIR"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_LOADING_DEFAULTS), "LOADING_DEFAULTS"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_METHOD_NOT_SUPPORTED), "METHOD_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_NEWER_CRL_NOT_NEWER), "NEWER_CRL_NOT_NEWER"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_NOT_PKCS7_SIGNED_DATA), "NOT_PKCS7_SIGNED_DATA"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_NO_CERTIFICATES_INCLUDED), "NO_CERTIFICATES_INCLUDED"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY), "NO_CERT_SET_FOR_US_TO_VERIFY"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_NO_CRLS_INCLUDED), "NO_CRLS_INCLUDED"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_NO_CRL_NUMBER), "NO_CRL_NUMBER"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_PUBLIC_KEY_DECODE_ERROR), "PUBLIC_KEY_DECODE_ERROR"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_PUBLIC_KEY_ENCODE_ERROR), "PUBLIC_KEY_ENCODE_ERROR"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_SHOULD_RETRY), "SHOULD_RETRY"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN), "UNABLE_TO_FIND_PARAMETERS_IN_CHAIN"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY), "UNABLE_TO_GET_CERTS_PUBLIC_KEY"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_KEY_TYPE), "UNKNOWN_KEY_TYPE"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_NID), "UNKNOWN_NID"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_PURPOSE_ID), "UNKNOWN_PURPOSE_ID"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNKNOWN_TRUST_ID), "UNKNOWN_TRUST_ID"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_UNSUPPORTED_ALGORITHM), "UNSUPPORTED_ALGORITHM"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_WRONG_LOOKUP_TYPE), "WRONG_LOOKUP_TYPE"},
- {ERR_PACK(ERR_LIB_X509, 0, X509_R_WRONG_TYPE), "WRONG_TYPE"},
- {0, NULL},
-};
diff --git a/src/crypto/x509/x509_lu.c b/src/crypto/x509/x509_lu.c
index 090d341..34ef26e 100644
--- a/src/crypto/x509/x509_lu.c
+++ b/src/crypto/x509/x509_lu.c
@@ -60,6 +60,7 @@
#include <openssl/err.h>
#include <openssl/lhash.h>
#include <openssl/mem.h>
+#include <openssl/thread.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -191,9 +192,6 @@
if ((ret->param = X509_VERIFY_PARAM_new()) == NULL)
goto err;
- if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
- goto err;
-
ret->references = 1;
return ret;
err:
@@ -261,7 +259,6 @@
sk_X509_LOOKUP_free(sk);
sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
if (vfy->param)
X509_VERIFY_PARAM_free(vfy->param);
OPENSSL_free(vfy);
diff --git a/src/crypto/x509/x509_req.c b/src/crypto/x509/x509_req.c
index daaedb6..2732d6e 100644
--- a/src/crypto/x509/x509_req.c
+++ b/src/crypto/x509/x509_req.c
@@ -92,6 +92,8 @@
goto err;
pktmp = X509_get_pubkey(x);
+ if (pktmp == NULL)
+ goto err;
i=X509_REQ_set_pubkey(ret,pktmp);
EVP_PKEY_free(pktmp);
if (!i) goto err;
diff --git a/src/crypto/x509/x509_v3.c b/src/crypto/x509/x509_v3.c
index 95fe729..0fc9a9a 100644
--- a/src/crypto/x509/x509_v3.c
+++ b/src/crypto/x509/x509_v3.c
@@ -231,7 +231,7 @@
return(0);
ASN1_OBJECT_free(ex->object);
ex->object=OBJ_dup(obj);
- return(1);
+ return ex->object != NULL;
}
int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
diff --git a/src/crypto/x509/x509_vfy.c b/src/crypto/x509/x509_vfy.c
index 285bcaf..a0cd9fc 100644
--- a/src/crypto/x509/x509_vfy.c
+++ b/src/crypto/x509/x509_vfy.c
@@ -64,10 +64,15 @@
#include <openssl/lhash.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
+#include <openssl/thread.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "vpm_int.h"
+#include "../internal.h"
+
+
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
/* CRL score values */
@@ -410,9 +415,6 @@
if (!ok) goto end;
- /* We may as well copy down any DSA parameters that are required */
- X509_get_pubkey_parameters(NULL,ctx->chain);
-
/* Check revocation status: we do this after copying parameters
* because they may be needed for CRL signature verification.
*/
@@ -441,12 +443,8 @@
/* If we get this far evaluate policies */
if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
ok = ctx->check_policy(ctx);
- if(!ok) goto end;
- if (0)
- {
+
end:
- X509_get_pubkey_parameters(NULL,ctx->chain);
- }
if (sktmp != NULL) sk_X509_free(sktmp);
if (chain_ss != NULL) X509_free(chain_ss);
return ok;
@@ -704,23 +702,38 @@
return ctx->verify_cb(0, ctx);
}
+static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
+ {
+ size_t i;
+ size_t n = sk_OPENSSL_STRING_num(id->hosts);
+ char *name;
+
+ for (i = 0; i < n; ++i)
+ {
+ name = sk_OPENSSL_STRING_value(id->hosts, i);
+ if (X509_check_host(x, name, strlen(name), id->hostflags,
+ &id->peername) > 0)
+ return 1;
+ }
+ return n == 0;
+ }
+
static int check_id(X509_STORE_CTX *ctx)
{
X509_VERIFY_PARAM *vpm = ctx->param;
X509_VERIFY_PARAM_ID *id = vpm->id;
X509 *x = ctx->cert;
- if (id->host && !X509_check_host(x, id->host, id->hostlen,
- id->hostflags))
+ if (id->hosts && check_hosts(x, id) <= 0)
{
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
return 0;
}
- if (id->email && !X509_check_email(x, id->email, id->emaillen, 0))
+ if (id->email && X509_check_email(x, id->email, id->emaillen, 0) <= 0)
{
if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
return 0;
}
- if (id->ip && !X509_check_ip(x, id->ip, id->iplen, 0))
+ if (id->ip && X509_check_ip(x, id->ip, id->iplen, 0) <= 0)
{
if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
return 0;
@@ -805,6 +818,7 @@
}
static int check_cert(X509_STORE_CTX *ctx)
+ OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
{
X509_CRL *crl = NULL, *dcrl = NULL;
X509 *x;
@@ -1917,48 +1931,6 @@
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
-int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
- {
- EVP_PKEY *ktmp=NULL,*ktmp2;
- size_t i,j;
-
- if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
-
- for (i=0; i<sk_X509_num(chain); i++)
- {
- ktmp=X509_get_pubkey(sk_X509_value(chain,i));
- if (ktmp == NULL)
- {
- OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
- return 0;
- }
- if (!EVP_PKEY_missing_parameters(ktmp))
- break;
- else
- {
- EVP_PKEY_free(ktmp);
- ktmp=NULL;
- }
- }
- if (ktmp == NULL)
- {
- OPENSSL_PUT_ERROR(X509, X509_get_pubkey_parameters, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
- return 0;
- }
-
- /* first, populate the other certs */
- for (j=i-1; j < i; j--)
- {
- ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
- EVP_PKEY_copy_parameters(ktmp2,ktmp);
- EVP_PKEY_free(ktmp2);
- }
-
- if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
- EVP_PKEY_free(ktmp);
- return 1;
- }
-
/* Make a delta CRL as the diff between two full CRLs */
X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
@@ -2084,8 +2056,13 @@
{
/* This function is (usually) called only once, by
* SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
- new_func, dup_func, free_func);
+ int index;
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
+ new_func, dup_func, free_func))
+ {
+ return -1;
+ }
+ return index;
}
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
@@ -2255,7 +2232,7 @@
ctx->cert=x509;
ctx->untrusted=chain;
- if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
+ if(!CRYPTO_new_ex_data(&g_ex_data_class, ctx,
&ctx->ex_data))
{
goto err;
@@ -2346,7 +2323,7 @@
err:
if (ex_data_allocated)
{
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &ctx->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);
}
if (ctx->param != NULL)
{
@@ -2387,7 +2364,7 @@
sk_X509_pop_free(ctx->chain,X509_free);
ctx->chain=NULL;
}
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
+ CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));
memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
}
diff --git a/src/crypto/x509/x509_vpm.c b/src/crypto/x509/x509_vpm.c
index 3daaf61..8c8f98e 100644
--- a/src/crypto/x509/x509_vpm.c
+++ b/src/crypto/x509/x509_vpm.c
@@ -58,6 +58,7 @@
#include <openssl/lhash.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
+#include <openssl/stack.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -66,6 +67,59 @@
/* X509_VERIFY_PARAM functions */
+#define SET_HOST 0
+#define ADD_HOST 1
+
+static char *str_copy(char *s) { return OPENSSL_strdup(s); }
+static void str_free(char *s) { OPENSSL_free(s); }
+
+#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free)
+
+static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode,
+ const char *name, size_t namelen)
+ {
+ char *copy;
+
+ /*
+ * Refuse names with embedded NUL bytes.
+ * XXX: Do we need to push an error onto the error stack?
+ */
+ if (name && memchr(name, '\0', namelen))
+ return 0;
+
+ if (mode == SET_HOST && id->hosts)
+ {
+ string_stack_free(id->hosts);
+ id->hosts = NULL;
+ }
+ if (name == NULL || namelen == 0)
+ return 1;
+
+ copy = BUF_strndup(name, namelen);
+ if (copy == NULL)
+ return 0;
+
+ if (id->hosts == NULL &&
+ (id->hosts = sk_OPENSSL_STRING_new_null()) == NULL)
+ {
+ OPENSSL_free(copy);
+ return 0;
+ }
+
+ if (!sk_OPENSSL_STRING_push(id->hosts, copy))
+ {
+ OPENSSL_free(copy);
+ if (sk_OPENSSL_STRING_num(id->hosts) == 0)
+ {
+ sk_OPENSSL_STRING_free(id->hosts);
+ id->hosts = NULL;
+ }
+ return 0;
+ }
+
+ return 1;
+ }
+
static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
{
X509_VERIFY_PARAM_ID *paramid;
@@ -84,11 +138,15 @@
param->policies = NULL;
}
paramid = param->id;
- if (paramid->host)
+ if (paramid->hosts)
{
- OPENSSL_free(paramid->host);
- paramid->host = NULL;
- paramid->hostlen = 0;
+ string_stack_free(paramid->hosts);
+ paramid->hosts = NULL;
+ }
+ if (paramid->peername)
+ {
+ OPENSSL_free(paramid->peername);
+ paramid->peername = NULL;
}
if (paramid->email)
{
@@ -127,6 +185,8 @@
void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
{
+ if (param == NULL)
+ return;
x509_verify_param_zero(param);
OPENSSL_free(param->id);
OPENSSL_free(param);
@@ -232,11 +292,23 @@
return 0;
}
- if (test_x509_verify_param_copy_id(host, NULL))
+ /* Copy the host flags if and only if we're copying the host list */
+ if (test_x509_verify_param_copy_id(hosts, NULL))
{
- if (!X509_VERIFY_PARAM_set1_host(dest, id->host, id->hostlen))
- return 0;
- dest->id->hostflags = id->hostflags;
+ if (dest->id->hosts)
+ {
+ string_stack_free(dest->id->hosts);
+ dest->id->hosts = NULL;
+ }
+ if (id->hosts)
+ {
+ dest->id->hosts =
+ sk_OPENSSL_STRING_deep_copy(id->hosts,
+ str_copy, str_free);
+ if (dest->id->hosts == NULL)
+ return 0;
+ dest->id->hostflags = id->hostflags;
+ }
}
if (test_x509_verify_param_copy_id(email, NULL))
@@ -265,16 +337,16 @@
return ret;
}
-static int int_x509_param_set1(unsigned char **pdest, size_t *pdestlen,
- const unsigned char *src, size_t srclen)
+static int int_x509_param_set1(char **pdest, size_t *pdestlen,
+ const char *src, size_t srclen)
{
void *tmp;
if (src)
{
if (srclen == 0)
{
- tmp = BUF_strdup((char *)src);
- srclen = strlen((char *)src);
+ tmp = BUF_strdup(src);
+ srclen = strlen(src);
}
else
tmp = BUF_memdup(src, srclen);
@@ -394,10 +466,15 @@
}
int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
- const unsigned char *name, size_t namelen)
+ const char *name, size_t namelen)
{
- return int_x509_param_set1(¶m->id->host, ¶m->id->hostlen,
- name, namelen);
+ return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen);
+ }
+
+int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
+ const char *name, size_t namelen)
+ {
+ return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen);
}
void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
@@ -406,8 +483,13 @@
param->id->hostflags = flags;
}
+char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param)
+ {
+ return param->id->peername;
+ }
+
int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
- const unsigned char *email, size_t emaillen)
+ const char *email, size_t emaillen)
{
return int_x509_param_set1(¶m->id->email, ¶m->id->emaillen,
email, emaillen);
@@ -418,17 +500,19 @@
{
if (iplen != 0 && iplen != 4 && iplen != 16)
return 0;
- return int_x509_param_set1(¶m->id->ip, ¶m->id->iplen, ip, iplen);
+ return int_x509_param_set1((char **)¶m->id->ip, ¶m->id->iplen,
+ (char *)ip, iplen);
}
int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc)
{
unsigned char ipout[16];
- int iplen;
- iplen = a2i_ipadd(ipout, ipasc);
+ size_t iplen;
+
+ iplen = (size_t) a2i_ipadd(ipout, ipasc);
if (iplen == 0)
return 0;
- return X509_VERIFY_PARAM_set1_ip(param, ipout, (size_t)iplen);
+ return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);
}
int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
@@ -441,7 +525,7 @@
return param->name;
}
-static const X509_VERIFY_PARAM_ID _empty_id = {NULL, 0, 0U, NULL, 0, NULL, 0};
+static const X509_VERIFY_PARAM_ID _empty_id = {NULL, 0U, NULL, NULL, 0, NULL, 0};
#define vpm_empty_id (X509_VERIFY_PARAM_ID *)&_empty_id
diff --git a/src/crypto/x509/x_crl.c b/src/crypto/x509/x_crl.c
index bb23b57..aa92fa9 100644
--- a/src/crypto/x509/x_crl.c
+++ b/src/crypto/x509/x_crl.c
@@ -61,6 +61,7 @@
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/stack.h>
+#include <openssl/thread.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
diff --git a/src/crypto/x509/x_info.c b/src/crypto/x509/x_info.c
index 8047c71..6807b24 100644
--- a/src/crypto/x509/x_info.c
+++ b/src/crypto/x509/x_info.c
@@ -59,6 +59,7 @@
#include <openssl/asn1.h>
#include <openssl/err.h>
#include <openssl/mem.h>
+#include <openssl/thread.h>
X509_INFO *X509_INFO_new(void)
diff --git a/src/crypto/x509/x_name.c b/src/crypto/x509/x_name.c
index 211f68f..5cfb3ae 100644
--- a/src/crypto/x509/x_name.c
+++ b/src/crypto/x509/x_name.c
@@ -175,6 +175,16 @@
*pval = NULL;
}
+static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne)
+{
+ sk_X509_NAME_ENTRY_free(ne);
+}
+
+static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne)
+{
+ sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free);
+}
+
static int x509_name_ex_d2i(ASN1_VALUE **val,
const unsigned char **in, long len, const ASN1_ITEM *it,
int tag, int aclass, char opt, ASN1_TLC *ctx)
@@ -197,9 +207,14 @@
if(ret <= 0) return ret;
if(*val) x509_name_ex_free(val, NULL);
- if(!x509_name_ex_new(&nm.a, NULL)) goto err;
/* We've decoded it: now cache encoding */
- if(!BUF_MEM_grow(nm.x->bytes, p - q)) goto err;
+ if (!x509_name_ex_new(&nm.a, NULL) ||
+ !BUF_MEM_grow(nm.x->bytes, p - q))
+ {
+ sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname.s,
+ local_sk_X509_NAME_ENTRY_pop_free);
+ goto err;
+ }
memcpy(nm.x->bytes->data, q, p - q);
/* Convert internal representation to X509_NAME structure */
@@ -248,16 +263,6 @@
return ret;
}
-static void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne)
- {
- sk_X509_NAME_ENTRY_free(ne);
- }
-
-static void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne)
- {
- sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free);
- }
-
static int x509_name_encode(X509_NAME *a)
{
union { STACK_OF(STACK_OF_X509_NAME_ENTRY) *s;
diff --git a/src/crypto/x509/x_pkey.c b/src/crypto/x509/x_pkey.c
index 550078b..5acbe5b 100644
--- a/src/crypto/x509/x_pkey.c
+++ b/src/crypto/x509/x_pkey.c
@@ -59,8 +59,9 @@
#include <string.h>
#include <openssl/asn1.h>
-#include <openssl/mem.h>
#include <openssl/err.h>
+#include <openssl/mem.h>
+#include <openssl/thread.h>
X509_PKEY *X509_PKEY_new(void)
diff --git a/src/crypto/x509/x_pubkey.c b/src/crypto/x509/x_pubkey.c
index c285aa6..d6512ae 100644
--- a/src/crypto/x509/x_pubkey.c
+++ b/src/crypto/x509/x_pubkey.c
@@ -60,6 +60,7 @@
#include <openssl/evp.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
+#include <openssl/thread.h>
#include <openssl/x509.h>
#include "../evp/internal.h"
@@ -133,7 +134,7 @@
if (key->pkey != NULL)
{
- return EVP_PKEY_dup(key->pkey);
+ return EVP_PKEY_up_ref(key->pkey);
}
if (key->public_key == NULL) goto error;
@@ -178,7 +179,7 @@
CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
}
- return EVP_PKEY_dup(ret);
+ return EVP_PKEY_up_ref(ret);
error:
if (ret != NULL)
diff --git a/src/crypto/x509/x_x509.c b/src/crypto/x509/x_x509.c
index 5cda3c7..234494d 100644
--- a/src/crypto/x509/x_x509.c
+++ b/src/crypto/x509/x_x509.c
@@ -65,6 +65,10 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "../internal.h"
+
+
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
@@ -100,7 +104,7 @@
ret->akid = NULL;
ret->aux = NULL;
ret->crldp = NULL;
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
+ CRYPTO_new_ex_data(&g_ex_data_class, ret, &ret->ex_data);
break;
case ASN1_OP_D2I_POST:
@@ -109,7 +113,7 @@
break;
case ASN1_OP_FREE_POST:
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class, ret, &ret->ex_data);
X509_CERT_AUX_free(ret->aux);
ASN1_OCTET_STRING_free(ret->skid);
AUTHORITY_KEYID_free(ret->akid);
@@ -145,8 +149,13 @@
int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
{
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509, argl, argp,
- new_func, dup_func, free_func);
+ int index;
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
+ new_func, dup_func, free_func))
+ {
+ return -1;
+ }
+ return index;
}
int X509_set_ex_data(X509 *r, int idx, void *arg)
@@ -171,8 +180,13 @@
{
const unsigned char *q;
X509 *ret;
+ int freeret = 0;
+
/* Save start position */
q = *pp;
+
+ if (!a || *a == NULL)
+ freeret = 1;
ret = d2i_X509(a, pp, length);
/* If certificate unreadable then forget it */
if(!ret) return NULL;
@@ -182,7 +196,12 @@
if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
return ret;
err:
- X509_free(ret);
+ if (freeret)
+ {
+ X509_free(ret);
+ if (a)
+ *a = NULL;
+ }
return NULL;
}
diff --git a/src/crypto/x509v3/CMakeLists.txt b/src/crypto/x509v3/CMakeLists.txt
index 26de0ed..ffa5a4a 100644
--- a/src/crypto/x509v3/CMakeLists.txt
+++ b/src/crypto/x509v3/CMakeLists.txt
@@ -41,7 +41,6 @@
v3_skey.c
v3_sxnet.c
v3_utl.c
- x509v3_error.c
)
add_executable(
@@ -50,11 +49,12 @@
v3nametest.c
)
+target_link_libraries(v3name_test crypto)
+
add_executable(
tab_test
tabtest.c
)
-target_link_libraries(v3name_test crypto)
target_link_libraries(tab_test crypto)
diff --git a/src/crypto/x509v3/tabtest.c b/src/crypto/x509v3/tabtest.c
index 26ecc6c..6b97e91 100644
--- a/src/crypto/x509v3/tabtest.c
+++ b/src/crypto/x509v3/tabtest.c
@@ -62,13 +62,17 @@
#include <stdio.h>
+#include <openssl/base.h>
#include <openssl/crypto.h>
#include <openssl/x509v3.h>
+#if !defined(BORINGSSL_SHARED_LIBRARY)
#include "ext_dat.h"
+#endif
int main(void)
{
+#if !defined(BORINGSSL_SHARED_LIBRARY)
int i, prev = -1, bad = 0;
const X509V3_EXT_METHOD *const *tmp;
CRYPTO_library_init();
@@ -91,4 +95,9 @@
printf("PASS\n");
return 0;
}
+#else
+ /* TODO(davidben): Fix this test in the shared library build. */
+ printf("PASS\n");
+ return 0;
+#endif
}
diff --git a/src/crypto/x509v3/v3_alt.c b/src/crypto/x509v3/v3_alt.c
index 113cf45..f547316 100644
--- a/src/crypto/x509v3/v3_alt.c
+++ b/src/crypto/x509v3/v3_alt.c
@@ -583,6 +583,8 @@
return 0;
objlen = p - value;
objtmp = OPENSSL_malloc(objlen + 1);
+ if (objtmp == NULL)
+ return 0;
strncpy(objtmp, value, objlen);
objtmp[objlen] = 0;
gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
diff --git a/src/crypto/x509v3/v3_conf.c b/src/crypto/x509v3/v3_conf.c
index 7606ac1..cb6569f 100644
--- a/src/crypto/x509v3/v3_conf.c
+++ b/src/crypto/x509v3/v3_conf.c
@@ -67,6 +67,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "../internal.h"
+
static int v3_check_critical(char **value);
static int v3_check_generic(char **value);
@@ -260,6 +262,7 @@
static X509_EXTENSION *v3_generic_extension(const char *ext, char *value,
int crit, int gen_type,
X509V3_CTX *ctx)
+ OPENSSL_SUPPRESS_POTENTIALLY_UNINITIALIZED_WARNINGS
{
unsigned char *ext_der=NULL;
long ext_len;
@@ -454,76 +457,3 @@
ctx->flags = flags;
}
-/* TODO(fork): remove */
-#if 0
-/* Old conf compatibility functions */
-
-X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *name, char *value)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_nconf(&ctmp, ctx, name, value);
- }
-
-/* LHASH *conf: Config file */
-/* char *value: Value */
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- int ext_nid, char *value)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
- }
-
-static char *conf_lhash_get_string(void *db, char *section, char *value)
- {
- return CONF_get_string(db, section, value);
- }
-
-static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section)
- {
- return CONF_get_section(db, section);
- }
-
-static const X509V3_CONF_METHOD conf_lhash_method = {
-conf_lhash_get_string,
-conf_lhash_get_section,
-NULL,
-NULL
-};
-
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
- {
- ctx->db_meth = &conf_lhash_method;
- ctx->db = lhash;
- }
-
-int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509 *cert)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
- }
-
-/* Same as above but for a CRL */
-
-int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509_CRL *crl)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
- }
-
-/* Add extensions to certificate request */
-
-int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509_REQ *req)
- {
- CONF ctmp;
- CONF_set_nconf(&ctmp, conf);
- return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
- }
-#endif
diff --git a/src/crypto/x509v3/v3_cpols.c b/src/crypto/x509v3/v3_cpols.c
index d5a8c3c..cbe596b 100644
--- a/src/crypto/x509v3/v3_cpols.c
+++ b/src/crypto/x509v3/v3_cpols.c
@@ -228,7 +228,14 @@
goto merr;
/* TODO(fork): const correctness */
qual->pqualid = (ASN1_OBJECT*) OBJ_nid2obj(NID_id_qt_cps);
+ if (qual->pqualid == NULL) {
+ OPENSSL_PUT_ERROR(X509V3, policy_section, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
qual->d.cpsuri = M_ASN1_IA5STRING_new();
+ if (qual->d.cpsuri == NULL) {
+ goto err;
+ }
if(!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
strlen(cnf->value))) goto merr;
} else if(!name_cmp(cnf->name, "userNotice")) {
@@ -287,12 +294,19 @@
if(!(qual = POLICYQUALINFO_new())) goto merr;
/* TODO(fork): const correctness */
qual->pqualid = (ASN1_OBJECT *) OBJ_nid2obj(NID_id_qt_unotice);
+ if (qual->pqualid == NULL)
+ {
+ OPENSSL_PUT_ERROR(X509V3, notice_section, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
if(!(not = USERNOTICE_new())) goto merr;
qual->d.usernotice = not;
for(i = 0; i < sk_CONF_VALUE_num(unot); i++) {
cnf = sk_CONF_VALUE_value(unot, i);
if(!strcmp(cnf->name, "explicitText")) {
not->exptext = M_ASN1_VISIBLESTRING_new();
+ if (not->exptext == NULL)
+ goto merr;
if(!ASN1_STRING_set(not->exptext, cnf->value,
strlen(cnf->value))) goto merr;
} else if(!strcmp(cnf->name, "organization")) {
diff --git a/src/crypto/x509v3/v3_purp.c b/src/crypto/x509v3/v3_purp.c
index 6daf632..3f175c9 100644
--- a/src/crypto/x509v3/v3_purp.c
+++ b/src/crypto/x509v3/v3_purp.c
@@ -63,6 +63,7 @@
#include <openssl/digest.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
+#include <openssl/thread.h>
#include <openssl/x509_vfy.h>
#include <openssl/x509v3.h>
@@ -200,7 +201,7 @@
name_dup = BUF_strdup(name);
sname_dup = BUF_strdup(sname);
if (name_dup == NULL || sname_dup == NULL) {
- OPENSSL_PUT_ERROR(X509, X509_TRUST_add, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(X509V3, X509_PURPOSE_add, ERR_R_MALLOC_FAILURE);
if (name_dup != NULL)
OPENSSL_free(name_dup);
if (sname_dup != NULL)
diff --git a/src/crypto/x509v3/v3_utl.c b/src/crypto/x509v3/v3_utl.c
index d081c1c..27a91ff 100644
--- a/src/crypto/x509v3/v3_utl.c
+++ b/src/crypto/x509v3/v3_utl.c
@@ -262,6 +262,8 @@
int state;
/* We are going to modify the line so copy it first */
linebuf = BUF_strdup(line);
+ if (linebuf == NULL)
+ goto err;
state = HDR_NAME;
ntmp = NULL;
/* Go through all characters */
@@ -850,9 +852,11 @@
*/
static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
- unsigned int flags,
- const unsigned char *b, size_t blen)
+ unsigned int flags, const char *b, size_t blen,
+ char **peername)
{
+ int rv = 0;
+
if (!a->data || !a->length)
return 0;
if (cmp_type > 0)
@@ -860,27 +864,31 @@
if (cmp_type != a->type)
return 0;
if (cmp_type == V_ASN1_IA5STRING)
- return equal(a->data, a->length, b, blen, flags);
- if (a->length == (int)blen && !memcmp(a->data, b, blen))
- return 1;
- else
- return 0;
+ rv = equal(a->data, a->length,
+ (unsigned char *)b, blen, flags);
+ else if (a->length == (int)blen && !memcmp(a->data, b, blen))
+ rv = 1;
+ if (rv > 0 && peername)
+ *peername = BUF_strndup((char *)a->data, a->length);
}
else
{
- int astrlen, rv;
+ int astrlen;
unsigned char *astr;
astrlen = ASN1_STRING_to_UTF8(&astr, a);
if (astrlen < 0)
return -1;
- rv = equal(astr, astrlen, b, blen, flags);
+ rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
OPENSSL_free(astr);
- return rv;
+ if (rv > 0 && peername)
+ *peername = BUF_strndup((char *)astr, astrlen);
}
+ return rv;
}
-static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
- unsigned int flags, int check_type)
+static int do_x509_check(X509 *x, const char *chk, size_t chklen,
+ unsigned int flags, int check_type,
+ char **peername)
{
GENERAL_NAMES *gens = NULL;
X509_NAME *name = NULL;
@@ -889,6 +897,7 @@
int cnid;
int alt_type;
int san_present = 0;
+ int rv = 0;
equal_fn equal;
/* See below, this flag is internal-only */
@@ -918,13 +927,9 @@
equal = equal_case;
}
- if (chklen == 0)
- chklen = strlen((const char *)chk);
-
gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (gens)
{
- int rv = 0;
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
{
GENERAL_NAME *gen;
@@ -939,16 +944,14 @@
cstr = gen->d.dNSName;
else
cstr = gen->d.iPAddress;
- if (do_check_string(cstr, alt_type, equal, flags,
- chk, chklen))
- {
- rv = 1;
+ /* Positive on success, negative on error! */
+ if ((rv = do_check_string(cstr, alt_type, equal, flags,
+ chk, chklen, peername)) != 0)
break;
- }
}
GENERAL_NAMES_free(gens);
- if (rv)
- return 1;
+ if (rv != 0)
+ return rv;
if (!cnid
|| (san_present
&& !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
@@ -962,38 +965,53 @@
ASN1_STRING *str;
ne = X509_NAME_get_entry(name, j);
str = X509_NAME_ENTRY_get_data(ne);
- if (do_check_string(str, -1, equal, flags, chk, chklen))
- return 1;
+ /* Positive on success, negative on error! */
+ if ((rv = do_check_string(str, -1, equal, flags,
+ chk, chklen, peername)) != 0)
+ return rv;
}
return 0;
}
-int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
- unsigned int flags)
+int X509_check_host(X509 *x, const char *chk, size_t chklen,
+ unsigned int flags, char **peername)
{
- return do_x509_check(x, chk, chklen, flags, GEN_DNS);
+ if (chk == NULL)
+ return -2;
+ if (memchr(chk, '\0', chklen))
+ return -2;
+ return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
}
-int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
- unsigned int flags)
+int X509_check_email(X509 *x, const char *chk, size_t chklen,
+ unsigned int flags)
{
- return do_x509_check(x, chk, chklen, flags, GEN_EMAIL);
+ if (chk == NULL)
+ return -2;
+ if (memchr(chk, '\0', chklen))
+ return -2;
+ return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
}
int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags)
{
- return do_x509_check(x, chk, chklen, flags, GEN_IPADD);
+ if (chk == NULL)
+ return -2;
+ return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
}
int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
{
unsigned char ipout[16];
- int iplen;
- iplen = a2i_ipadd(ipout, ipasc);
+ size_t iplen;
+
+ if (ipasc == NULL)
+ return -2;
+ iplen = (size_t) a2i_ipadd(ipout, ipasc);
if (iplen == 0)
return -2;
- return do_x509_check(x, ipout, (size_t)iplen, flags, GEN_IPADD);
+ return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
}
/* Convert IP addresses both IPv4 and IPv6 into an
diff --git a/src/crypto/x509v3/v3nametest.c b/src/crypto/x509v3/v3nametest.c
index b2e9c09..a3197e6 100644
--- a/src/crypto/x509v3/v3nametest.c
+++ b/src/crypto/x509v3/v3nametest.c
@@ -52,6 +52,7 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
+#include <stdarg.h>
#include <string.h>
#include <openssl/crypto.h>
@@ -332,8 +333,7 @@
int match, ret;
memcpy(name, *pname, namelen);
- ret = X509_check_host(crt, (const unsigned char *)name,
- namelen, 0);
+ ret = X509_check_host(crt, name, namelen, 0, NULL);
match = -1;
if (ret < 0)
{
@@ -351,8 +351,8 @@
match = 1;
check_message(fn, "host", nameincert, match, *pname);
- ret = X509_check_host(crt, (const unsigned char *)name,
- namelen, X509_CHECK_FLAG_NO_WILDCARDS);
+ ret = X509_check_host(crt, name, namelen,
+ X509_CHECK_FLAG_NO_WILDCARDS, NULL);
match = -1;
if (ret < 0)
{
@@ -371,8 +371,7 @@
check_message(fn, "host-no-wildcards",
nameincert, match, *pname);
- ret = X509_check_email(crt, (const unsigned char *)name,
- namelen, 0);
+ ret = X509_check_email(crt, name, namelen, 0);
match = -1;
if (fn->email)
{
diff --git a/src/crypto/x509v3/x509v3_error.c b/src/crypto/x509v3/x509v3_error.c
deleted file mode 100644
index 9fbca5f..0000000
--- a/src/crypto/x509v3/x509v3_error.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/x509v3.h>
-
-const ERR_STRING_DATA X509V3_error_string_data[] = {
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_add_id_INTEGER, 0), "SXNET_add_id_INTEGER"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_add_id_asc, 0), "SXNET_add_id_asc"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_add_id_ulong, 0), "SXNET_add_id_ulong"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_get_id_asc, 0), "SXNET_get_id_asc"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_SXNET_get_id_ulong, 0), "SXNET_get_id_ulong"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_add, 0), "X509V3_EXT_add"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_add_alias, 0), "X509V3_EXT_add_alias"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_free, 0), "X509V3_EXT_free"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_i2d, 0), "X509V3_EXT_i2d"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_EXT_nconf, 0), "X509V3_EXT_nconf"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_add1_i2d, 0), "X509V3_add1_i2d"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_add_value, 0), "X509V3_add_value"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_get_section, 0), "X509V3_get_section"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_get_string, 0), "X509V3_get_string"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_get_value_bool, 0), "X509V3_get_value_bool"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509V3_parse_list, 0), "X509V3_parse_list"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509_PURPOSE_add, 0), "X509_PURPOSE_add"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_X509_PURPOSE_set, 0), "X509_PURPOSE_set"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_a2i_GENERAL_NAME, 0), "a2i_GENERAL_NAME"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_copy_email, 0), "copy_email"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_copy_issuer, 0), "copy_issuer"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_do_dirname, 0), "do_dirname"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_do_ext_i2d, 0), "do_ext_i2d"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_do_ext_nconf, 0), "do_ext_nconf"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_gnames_from_sectname, 0), "gnames_from_sectname"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_hex_to_string, 0), "hex_to_string"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_i2s_ASN1_ENUMERATED, 0), "i2s_ASN1_ENUMERATED"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_i2s_ASN1_IA5STRING, 0), "i2s_ASN1_IA5STRING"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_i2s_ASN1_INTEGER, 0), "i2s_ASN1_INTEGER"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_i2v_AUTHORITY_INFO_ACCESS, 0), "i2v_AUTHORITY_INFO_ACCESS"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_notice_section, 0), "notice_section"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_nref_nos, 0), "nref_nos"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_policy_section, 0), "policy_section"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_process_pci_value, 0), "process_pci_value"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_r2i_certpol, 0), "r2i_certpol"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_r2i_pci, 0), "r2i_pci"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_s2i_ASN1_IA5STRING, 0), "s2i_ASN1_IA5STRING"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_s2i_ASN1_INTEGER, 0), "s2i_ASN1_INTEGER"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_s2i_ASN1_OCTET_STRING, 0), "s2i_ASN1_OCTET_STRING"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_s2i_skey_id, 0), "s2i_skey_id"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_set_dist_point_name, 0), "set_dist_point_name"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_string_to_hex, 0), "string_to_hex"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_ASN1_BIT_STRING, 0), "v2i_ASN1_BIT_STRING"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_AUTHORITY_INFO_ACCESS, 0), "v2i_AUTHORITY_INFO_ACCESS"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_AUTHORITY_KEYID, 0), "v2i_AUTHORITY_KEYID"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_BASIC_CONSTRAINTS, 0), "v2i_BASIC_CONSTRAINTS"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_EXTENDED_KEY_USAGE, 0), "v2i_EXTENDED_KEY_USAGE"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_GENERAL_NAMES, 0), "v2i_GENERAL_NAMES"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_GENERAL_NAME_ex, 0), "v2i_GENERAL_NAME_ex"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_NAME_CONSTRAINTS, 0), "v2i_NAME_CONSTRAINTS"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_POLICY_CONSTRAINTS, 0), "v2i_POLICY_CONSTRAINTS"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_POLICY_MAPPINGS, 0), "v2i_POLICY_MAPPINGS"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_crld, 0), "v2i_crld"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_idp, 0), "v2i_idp"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_issuer_alt, 0), "v2i_issuer_alt"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v2i_subject_alt, 0), "v2i_subject_alt"},
- {ERR_PACK(ERR_LIB_X509V3, X509V3_F_v3_generic_extension, 0), "v3_generic_extension"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_IP_ADDRESS), "BAD_IP_ADDRESS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BAD_OBJECT), "BAD_OBJECT"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_DEC2BN_ERROR), "BN_DEC2BN_ERROR"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "BN_TO_ASN1_INTEGER_ERROR"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_CANNOT_FIND_FREE_FUNCTION), "CANNOT_FIND_FREE_FUNCTION"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_DIRNAME_ERROR), "DIRNAME_ERROR"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_DISTPOINT_ALREADY_SET), "DISTPOINT_ALREADY_SET"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_DUPLICATE_ZONE_ID), "DUPLICATE_ZONE_ID"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ERROR_CONVERTING_ZONE), "ERROR_CONVERTING_ZONE"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ERROR_CREATING_EXTENSION), "ERROR_CREATING_EXTENSION"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ERROR_IN_EXTENSION), "ERROR_IN_EXTENSION"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXPECTED_A_SECTION_NAME), "EXPECTED_A_SECTION_NAME"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_EXISTS), "EXTENSION_EXISTS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_NAME_ERROR), "EXTENSION_NAME_ERROR"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_NOT_FOUND), "EXTENSION_NOT_FOUND"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "EXTENSION_SETTING_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_EXTENSION_VALUE_ERROR), "EXTENSION_VALUE_ERROR"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ILLEGAL_EMPTY_EXTENSION), "ILLEGAL_EMPTY_EXTENSION"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ILLEGAL_HEX_DIGIT), "ILLEGAL_HEX_DIGIT"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "INCORRECT_POLICY_SYNTAX_TAG"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_ASNUMBER), "INVALID_ASNUMBER"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_ASRANGE), "INVALID_ASRANGE"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_BOOLEAN_STRING), "INVALID_BOOLEAN_STRING"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_EXTENSION_STRING), "INVALID_EXTENSION_STRING"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_INHERITANCE), "INVALID_INHERITANCE"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_IPADDRESS), "INVALID_IPADDRESS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_MULTIPLE_RDNS), "INVALID_MULTIPLE_RDNS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NAME), "INVALID_NAME"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_ARGUMENT), "INVALID_NULL_ARGUMENT"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_NAME), "INVALID_NULL_NAME"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NULL_VALUE), "INVALID_NULL_VALUE"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NUMBER), "INVALID_NUMBER"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_NUMBERS), "INVALID_NUMBERS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_OBJECT_IDENTIFIER), "INVALID_OBJECT_IDENTIFIER"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_OPTION), "INVALID_OPTION"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_POLICY_IDENTIFIER), "INVALID_POLICY_IDENTIFIER"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_PROXY_POLICY_SETTING), "INVALID_PROXY_POLICY_SETTING"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_PURPOSE), "INVALID_PURPOSE"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_SAFI), "INVALID_SAFI"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_SECTION), "INVALID_SECTION"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_INVALID_SYNTAX), "INVALID_SYNTAX"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ISSUER_DECODE_ERROR), "ISSUER_DECODE_ERROR"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_MISSING_VALUE), "MISSING_VALUE"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "NEED_ORGANIZATION_AND_NUMBERS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_CONFIG_DATABASE), "NO_CONFIG_DATABASE"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_ISSUER_CERTIFICATE), "NO_ISSUER_CERTIFICATE"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_ISSUER_DETAILS), "NO_ISSUER_DETAILS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_POLICY_IDENTIFIER), "NO_POLICY_IDENTIFIER"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_PUBLIC_KEY), "NO_PUBLIC_KEY"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_NO_SUBJECT_DETAILS), "NO_SUBJECT_DETAILS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_ODD_NUMBER_OF_DIGITS), "ODD_NUMBER_OF_DIGITS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_OPERATION_NOT_DEFINED), "OPERATION_NOT_DEFINED"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_OTHERNAME_ERROR), "OTHERNAME_ERROR"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "POLICY_LANGUAGE_ALREADY_DEFINED"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_PATH_LENGTH), "POLICY_PATH_LENGTH"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "POLICY_PATH_LENGTH_ALREADY_DEFINED"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_SECTION_NOT_FOUND), "SECTION_NOT_FOUND"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "UNABLE_TO_GET_ISSUER_DETAILS"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "UNABLE_TO_GET_ISSUER_KEYID"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "UNKNOWN_BIT_STRING_ARGUMENT"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION), "UNKNOWN_EXTENSION"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_EXTENSION_NAME), "UNKNOWN_EXTENSION_NAME"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNKNOWN_OPTION), "UNKNOWN_OPTION"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_OPTION), "UNSUPPORTED_OPTION"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_UNSUPPORTED_TYPE), "UNSUPPORTED_TYPE"},
- {ERR_PACK(ERR_LIB_X509V3, 0, X509V3_R_USER_TOO_LONG), "USER_TOO_LONG"},
- {0, NULL},
-};
diff --git a/src/decrepit/CMakeLists.txt b/src/decrepit/CMakeLists.txt
new file mode 100644
index 0000000..b43fea7
--- /dev/null
+++ b/src/decrepit/CMakeLists.txt
@@ -0,0 +1,9 @@
+add_subdirectory(cast)
+add_subdirectory(blowfish)
+
+add_library(
+ decrepit
+
+ $<TARGET_OBJECTS:cast>
+ $<TARGET_OBJECTS:blowfish>
+)
diff --git a/src/decrepit/blowfish/CMakeLists.txt b/src/decrepit/blowfish/CMakeLists.txt
new file mode 100644
index 0000000..afaf641
--- /dev/null
+++ b/src/decrepit/blowfish/CMakeLists.txt
@@ -0,0 +1,9 @@
+include_directories(. ../../include)
+
+add_library(
+ blowfish
+
+ OBJECT
+
+ blowfish.c
+)
diff --git a/src/decrepit/blowfish/blowfish.c b/src/decrepit/blowfish/blowfish.c
new file mode 100644
index 0000000..e277f34
--- /dev/null
+++ b/src/decrepit/blowfish/blowfish.c
@@ -0,0 +1,493 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/blowfish.h>
+
+#include <string.h>
+
+#include "../macros.h"
+
+
+#define BF_ENC(LL, R, S, P) \
+ (LL ^= P, \
+ LL ^= \
+ (((S[((int)(R >> 24) & 0xff)] + S[0x0100 + ((int)(R >> 16) & 0xff)]) ^ \
+ S[0x0200 + ((int)(R >> 8) & 0xff)]) + \
+ S[0x0300 + ((int)(R)&0xff)]) & \
+ 0xffffffffL)
+
+void BF_encrypt(uint32_t *data, const BF_KEY *key) {
+ uint32_t l, r;
+ const uint32_t *p, *s;
+
+ p = key->P;
+ s = &(key->S[0]);
+ l = data[0];
+ r = data[1];
+
+ l ^= p[0];
+ BF_ENC(r, l, s, p[1]);
+ BF_ENC(l, r, s, p[2]);
+ BF_ENC(r, l, s, p[3]);
+ BF_ENC(l, r, s, p[4]);
+ BF_ENC(r, l, s, p[5]);
+ BF_ENC(l, r, s, p[6]);
+ BF_ENC(r, l, s, p[7]);
+ BF_ENC(l, r, s, p[8]);
+ BF_ENC(r, l, s, p[9]);
+ BF_ENC(l, r, s, p[10]);
+ BF_ENC(r, l, s, p[11]);
+ BF_ENC(l, r, s, p[12]);
+ BF_ENC(r, l, s, p[13]);
+ BF_ENC(l, r, s, p[14]);
+ BF_ENC(r, l, s, p[15]);
+ BF_ENC(l, r, s, p[16]);
+ r ^= p[BF_ROUNDS + 1];
+
+ data[1] = l & 0xffffffffL;
+ data[0] = r & 0xffffffffL;
+}
+
+void BF_decrypt(uint32_t *data, const BF_KEY *key) {
+ uint32_t l, r;
+ const uint32_t *p, *s;
+
+ p = key->P;
+ s = &(key->S[0]);
+ l = data[0];
+ r = data[1];
+
+ l ^= p[BF_ROUNDS + 1];
+ BF_ENC(r, l, s, p[16]);
+ BF_ENC(l, r, s, p[15]);
+ BF_ENC(r, l, s, p[14]);
+ BF_ENC(l, r, s, p[13]);
+ BF_ENC(r, l, s, p[12]);
+ BF_ENC(l, r, s, p[11]);
+ BF_ENC(r, l, s, p[10]);
+ BF_ENC(l, r, s, p[9]);
+ BF_ENC(r, l, s, p[8]);
+ BF_ENC(l, r, s, p[7]);
+ BF_ENC(r, l, s, p[6]);
+ BF_ENC(l, r, s, p[5]);
+ BF_ENC(r, l, s, p[4]);
+ BF_ENC(l, r, s, p[3]);
+ BF_ENC(r, l, s, p[2]);
+ BF_ENC(l, r, s, p[1]);
+ r ^= p[0];
+
+ data[1] = l & 0xffffffffL;
+ data[0] = r & 0xffffffffL;
+}
+
+void BF_ecb_encrypt(const uint8_t *in, uint8_t *out,
+ const BF_KEY *key, int encrypt) {
+ uint32_t d[2];
+
+ n2l(in, d[0]);
+ n2l(in, d[1]);
+ if (encrypt) {
+ BF_encrypt(d, key);
+ } else {
+ BF_decrypt(d, key);
+ }
+ l2n(d[0], out);
+ l2n(d[1], out);
+}
+
+void BF_cbc_encrypt(const uint8_t *in, uint8_t *out, long length,
+ const BF_KEY *schedule, uint8_t *ivec, int encrypt) {
+ uint32_t tin0, tin1;
+ uint32_t tout0, tout1, xor0, xor1;
+ long l = length;
+ uint32_t tin[2];
+
+ if (encrypt) {
+ n2l(ivec, tout0);
+ n2l(ivec, tout1);
+ ivec -= 8;
+ for (l -= 8; l >= 0; l -= 8) {
+ n2l(in, tin0);
+ n2l(in, tin1);
+ tin0 ^= tout0;
+ tin1 ^= tout1;
+ tin[0] = tin0;
+ tin[1] = tin1;
+ BF_encrypt(tin, schedule);
+ tout0 = tin[0];
+ tout1 = tin[1];
+ l2n(tout0, out);
+ l2n(tout1, out);
+ }
+ if (l != -8) {
+ n2ln(in, tin0, tin1, l + 8);
+ tin0 ^= tout0;
+ tin1 ^= tout1;
+ tin[0] = tin0;
+ tin[1] = tin1;
+ BF_encrypt(tin, schedule);
+ tout0 = tin[0];
+ tout1 = tin[1];
+ l2n(tout0, out);
+ l2n(tout1, out);
+ }
+ l2n(tout0, ivec);
+ l2n(tout1, ivec);
+ } else {
+ n2l(ivec, xor0);
+ n2l(ivec, xor1);
+ ivec -= 8;
+ for (l -= 8; l >= 0; l -= 8) {
+ n2l(in, tin0);
+ n2l(in, tin1);
+ tin[0] = tin0;
+ tin[1] = tin1;
+ BF_decrypt(tin, schedule);
+ tout0 = tin[0] ^ xor0;
+ tout1 = tin[1] ^ xor1;
+ l2n(tout0, out);
+ l2n(tout1, out);
+ xor0 = tin0;
+ xor1 = tin1;
+ }
+ if (l != -8) {
+ n2l(in, tin0);
+ n2l(in, tin1);
+ tin[0] = tin0;
+ tin[1] = tin1;
+ BF_decrypt(tin, schedule);
+ tout0 = tin[0] ^ xor0;
+ tout1 = tin[1] ^ xor1;
+ l2nn(tout0, tout1, out, l + 8);
+ xor0 = tin0;
+ xor1 = tin1;
+ }
+ l2n(xor0, ivec);
+ l2n(xor1, ivec);
+ }
+ tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
+ tin[0] = tin[1] = 0;
+}
+
+static const BF_KEY bf_init = {
+ {0x243f6a88L, 0x85a308d3L, 0x13198a2eL, 0x03707344L, 0xa4093822L,
+ 0x299f31d0L, 0x082efa98L, 0xec4e6c89L, 0x452821e6L, 0x38d01377L,
+ 0xbe5466cfL, 0x34e90c6cL, 0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L,
+ 0xb5470917L, 0x9216d5d9L, 0x8979fb1b},
+ {
+ 0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, 0xb8e1afedL,
+ 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, 0x24a19947L, 0xb3916cf7L,
+ 0x0801f2e2L, 0x858efc16L, 0x636920d8L, 0x71574e69L, 0xa458fea3L,
+ 0xf4933d7eL, 0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL,
+ 0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, 0xc5d1b023L,
+ 0x286085f0L, 0xca417918L, 0xb8db38efL, 0x8e79dcb0L, 0x603a180eL,
+ 0x6c9e0e8bL, 0xb01e8a3eL, 0xd71577c1L, 0xbd314b27L, 0x78af2fdaL,
+ 0x55605c60L, 0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L,
+ 0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, 0xa15486afL,
+ 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, 0x2ba9c55dL, 0x741831f6L,
+ 0xce5c3e16L, 0x9b87931eL, 0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L,
+ 0x28958677L, 0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L,
+ 0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, 0xef845d5dL,
+ 0xe98575b1L, 0xdc262302L, 0xeb651b88L, 0x23893e81L, 0xd396acc5L,
+ 0x0f6d6ff3L, 0x83f44239L, 0x2e0b4482L, 0xa4842004L, 0x69c8f04aL,
+ 0x9e1f9b5eL, 0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L,
+ 0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, 0x6eef0b6cL,
+ 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, 0xa1f1651dL, 0x39af0176L,
+ 0x66ca593eL, 0x82430e88L, 0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L,
+ 0x3b8b5ebeL, 0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L,
+ 0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, 0x37d0d724L,
+ 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, 0x075372c9L, 0x80991b7bL,
+ 0x25d479d8L, 0xf6e8def7L, 0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL,
+ 0x04c006baL, 0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L,
+ 0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, 0x6dfc511fL,
+ 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, 0xbee3d004L, 0xde334afdL,
+ 0x660f2807L, 0x192e4bb3L, 0xc0cba857L, 0x45c8740fL, 0xd20b5f39L,
+ 0xb9d3fbdbL, 0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L,
+ 0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, 0x3c7516dfL,
+ 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, 0x323db5faL, 0xfd238760L,
+ 0x53317b48L, 0x3e00df82L, 0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL,
+ 0xdf1769dbL, 0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L,
+ 0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, 0x10fa3d98L,
+ 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, 0x9a53e479L, 0xb6f84565L,
+ 0xd28e49bcL, 0x4bfb9790L, 0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L,
+ 0xcee4c6e8L, 0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L,
+ 0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, 0xd08ed1d0L,
+ 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, 0x8ff6e2fbL, 0xf2122b64L,
+ 0x8888b812L, 0x900df01cL, 0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L,
+ 0xb3a8c1adL, 0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L,
+ 0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, 0xb4a84fe0L,
+ 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, 0x165fa266L, 0x80957705L,
+ 0x93cc7314L, 0x211a1477L, 0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L,
+ 0xfb9d35cfL, 0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L,
+ 0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, 0x2464369bL,
+ 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, 0x78c14389L, 0xd95a537fL,
+ 0x207d5ba2L, 0x02e5b9c5L, 0x83260376L, 0x6295cfa9L, 0x11c81968L,
+ 0x4e734a41L, 0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L,
+ 0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, 0x08ba6fb5L,
+ 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, 0xb6636521L, 0xe7b9f9b6L,
+ 0xff34052eL, 0xc5855664L, 0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L,
+ 0x6e85076aL, 0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L,
+ 0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, 0xecaa8c71L,
+ 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, 0x193602a5L, 0x75094c29L,
+ 0xa0591340L, 0xe4183a3eL, 0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L,
+ 0x99f73fd6L, 0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L,
+ 0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, 0x09686b3fL,
+ 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, 0x687f3584L, 0x52a0e286L,
+ 0xb79c5305L, 0xaa500737L, 0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL,
+ 0x5716f2b8L, 0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL,
+ 0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, 0xd19113f9L,
+ 0x7ca92ff6L, 0x94324773L, 0x22f54701L, 0x3ae5e581L, 0x37c2dadcL,
+ 0xc8b57634L, 0x9af3dda7L, 0xa9446146L, 0x0fd0030eL, 0xecc8c73eL,
+ 0xa4751e41L, 0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L,
+ 0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, 0x2cb81290L,
+ 0x24977c79L, 0x5679b072L, 0xbcaf89afL, 0xde9a771fL, 0xd9930810L,
+ 0xb38bae12L, 0xdccf3f2eL, 0x5512721fL, 0x2e6b7124L, 0x501adde6L,
+ 0x9f84cd87L, 0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL,
+ 0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, 0xef1c1847L,
+ 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, 0x12a14d43L, 0x2a65c451L,
+ 0x50940002L, 0x133ae4ddL, 0x71dff89eL, 0x10314e55L, 0x81ac77d6L,
+ 0x5f11199bL, 0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L,
+ 0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, 0x86e34570L,
+ 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, 0x771fe71cL, 0x4e3d06faL,
+ 0x2965dcb9L, 0x99e71d0fL, 0x803e89d6L, 0x5266c825L, 0x2e4cc978L,
+ 0x9c10b36aL, 0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L,
+ 0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, 0x5223a708L,
+ 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, 0xe3bc4595L, 0xa67bc883L,
+ 0xb17f37d1L, 0x018cff28L, 0xc332ddefL, 0xbe6c5aa5L, 0x65582185L,
+ 0x68ab9802L, 0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L,
+ 0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, 0x13cca830L,
+ 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, 0xb5735c90L, 0x4c70a239L,
+ 0xd59e9e0bL, 0xcbaade14L, 0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL,
+ 0xb2f3846eL, 0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L,
+ 0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, 0x9b540b19L,
+ 0x875fa099L, 0x95f7997eL, 0x623d7da8L, 0xf837889aL, 0x97e32d77L,
+ 0x11ed935fL, 0x16681281L, 0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L,
+ 0x7858ba99L, 0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L,
+ 0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, 0x58ebf2efL,
+ 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, 0x5d4a14d9L, 0xe864b7e3L,
+ 0x42105d14L, 0x203e13e0L, 0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L,
+ 0xfacb4fd0L, 0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L,
+ 0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, 0xcf62a1f2L,
+ 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, 0x7f1524c3L, 0x69cb7492L,
+ 0x47848a0bL, 0x5692b285L, 0x095bbf00L, 0xad19489dL, 0x1462b174L,
+ 0x23820e00L, 0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L,
+ 0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, 0x7cde3759L,
+ 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, 0xa6078084L, 0x19f8509eL,
+ 0xe8efd855L, 0x61d99735L, 0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL,
+ 0x800bcadcL, 0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L,
+ 0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, 0xc5c43465L,
+ 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, 0x153e21e7L, 0x8fb03d4aL,
+ 0xe6e39f2bL, 0xdb83adf7L, 0xe93d5a68L, 0x948140f7L, 0xf64c261cL,
+ 0x94692934L, 0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L,
+ 0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, 0x1e39f62eL,
+ 0x97244546L, 0x14214f74L, 0xbf8b8840L, 0x4d95fc1dL, 0x96b591afL,
+ 0x70f4ddd3L, 0x66a02f45L, 0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L,
+ 0x31cb8504L, 0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL,
+ 0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, 0x68dc1462L,
+ 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, 0x4f3ffea2L, 0xe887ad8cL,
+ 0xb58ce006L, 0x7af4d6b6L, 0xaace1e7cL, 0xd3375fecL, 0xce78a399L,
+ 0x406b2a42L, 0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL,
+ 0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, 0x3a6efa74L,
+ 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, 0xfb0af54eL, 0xd8feb397L,
+ 0x454056acL, 0xba489527L, 0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L,
+ 0xd096954bL, 0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L,
+ 0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, 0xfdf8e802L,
+ 0x04272f70L, 0x80bb155cL, 0x05282ce3L, 0x95c11548L, 0xe4c66d22L,
+ 0x48c1133fL, 0xc70f86dcL, 0x07f9c9eeL, 0x41041f0fL, 0x404779a4L,
+ 0x5d886e17L, 0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L,
+ 0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, 0x0e12b4c2L,
+ 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, 0x6b2395e0L, 0x333e92e1L,
+ 0x3b240b62L, 0xeebeb922L, 0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL,
+ 0x2da2f728L, 0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L,
+ 0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, 0x0a476341L,
+ 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, 0xa812dc60L, 0xa1ebddf8L,
+ 0x991be14cL, 0xdb6e6b0dL, 0xc67b5510L, 0x6d672c37L, 0x2765d43bL,
+ 0xdcd0e804L, 0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL,
+ 0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, 0xbb132f88L,
+ 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, 0x37392eb3L, 0xcc115979L,
+ 0x8026e297L, 0xf42e312dL, 0x6842ada7L, 0xc66a2b3bL, 0x12754cccL,
+ 0x782ef11cL, 0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L,
+ 0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, 0x44421659L,
+ 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, 0x64af674eL, 0xda86a85fL,
+ 0xbebfe988L, 0x64e4c3feL, 0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L,
+ 0x6003604dL, 0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL,
+ 0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, 0x77a057beL,
+ 0xbde8ae24L, 0x55464299L, 0xbf582e61L, 0x4e58f48fL, 0xf2ddfda2L,
+ 0xf474ef38L, 0x8789bdc2L, 0x5366f9c3L, 0xc8b38e74L, 0xb475f255L,
+ 0x46fcd9b9L, 0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L,
+ 0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, 0xb90bace1L,
+ 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, 0xb77f19b6L, 0xe0a9dc09L,
+ 0x662d09a1L, 0xc4324633L, 0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L,
+ 0x1d6efe10L, 0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L,
+ 0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, 0x50115e01L,
+ 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, 0x9af88c27L, 0x773f8641L,
+ 0xc3604c06L, 0x61a806b5L, 0xf0177a28L, 0xc0f586e0L, 0x006058aaL,
+ 0x30dc7d62L, 0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L,
+ 0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, 0x6f05e409L,
+ 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, 0x86e3725fL, 0x724d9db9L,
+ 0x1ac15bb4L, 0xd39eb8fcL, 0xed545578L, 0x08fca5b5L, 0xd83d7cd3L,
+ 0x4dad0fc4L, 0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL,
+ 0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, 0xd79a3234L,
+ 0x92638212L, 0x670efa8eL, 0x406000e0L, 0x3a39ce37L, 0xd3faf5cfL,
+ 0xabc27737L, 0x5ac52d1bL, 0x5cb0679eL, 0x4fa33742L, 0xd3822740L,
+ 0x99bc9bbeL, 0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL,
+ 0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, 0x5748ab2fL,
+ 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, 0x530ff8eeL, 0x468dde7dL,
+ 0xd5730a1dL, 0x4cd04dc6L, 0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L,
+ 0xbe5ee304L, 0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L,
+ 0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, 0x83c061baL,
+ 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, 0x2826a2f9L, 0xa73a3ae1L,
+ 0x4ba99586L, 0xef5562e9L, 0xc72fefd3L, 0xf752f7daL, 0x3f046f69L,
+ 0x77fa0a59L, 0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L,
+ 0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, 0x96d5ac3aL,
+ 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, 0x1f9f25cfL, 0xadf2b89bL,
+ 0x5ad6b472L, 0x5a88f54cL, 0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL,
+ 0xed93fa9bL, 0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L,
+ 0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, 0x15056dd4L,
+ 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, 0xc3eb9e15L, 0x3c9057a2L,
+ 0x97271aecL, 0xa93a072aL, 0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL,
+ 0x26dcf319L, 0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL,
+ 0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, 0x4de81751L,
+ 0x3830dc8eL, 0x379d5862L, 0x9320f991L, 0xea7a90c2L, 0xfb3e7bceL,
+ 0x5121ce64L, 0x774fbe32L, 0xa8b6e37eL, 0xc3293d46L, 0x48de5369L,
+ 0x6413e680L, 0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L,
+ 0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, 0x5bbef7ddL,
+ 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, 0xdda26a7eL, 0x3a59ff45L,
+ 0x3e350a44L, 0xbcb4cdd5L, 0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL,
+ 0xbf3c6f47L, 0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L,
+ 0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, 0x4040cb08L,
+ 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, 0xe1b00428L, 0x95983a1dL,
+ 0x06b89fb4L, 0xce6ea048L, 0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL,
+ 0x277227f8L, 0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL,
+ 0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, 0xe01cc87eL,
+ 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, 0x1a908749L, 0xd44fbd9aL,
+ 0xd0dadecbL, 0xd50ada38L, 0x0339c32aL, 0xc6913667L, 0x8df9317cL,
+ 0xe0b12b4fL, 0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL,
+ 0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, 0xfae59361L,
+ 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, 0xb6c1075eL, 0xe3056a0cL,
+ 0x10d25065L, 0xcb03a442L, 0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL,
+ 0x3278e964L, 0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL,
+ 0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, 0xdf359f8dL,
+ 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, 0xe54cda54L, 0x1edad891L,
+ 0xce6279cfL, 0xcd3e7e6fL, 0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L,
+ 0xf6fb2299L, 0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L,
+ 0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, 0xde966292L,
+ 0x81b949d0L, 0x4c50901bL, 0x71c65614L, 0xe6c6c7bdL, 0x327a140aL,
+ 0x45e1d006L, 0xc3f27b9aL, 0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L,
+ 0x35bdd2f6L, 0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL,
+ 0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, 0xba38209cL,
+ 0xf746ce76L, 0x77afa1c5L, 0x20756060L, 0x85cbfe4eL, 0x8ae88dd8L,
+ 0x7aaaf9b0L, 0x4cf9aa7eL, 0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L,
+ 0xd6ebe1f9L, 0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL,
+ 0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L,
+ },
+};
+
+void BF_set_key(BF_KEY *key, size_t len, const uint8_t *data) {
+ int i;
+ uint32_t *p, ri, in[2];
+ const uint8_t *d, *end;
+
+ memcpy(key, &bf_init, sizeof(BF_KEY));
+ p = key->P;
+
+ if (len > ((BF_ROUNDS + 2) * 4))
+ len = (BF_ROUNDS + 2) * 4;
+
+ d = data;
+ end = &data[len];
+ for (i = 0; i < BF_ROUNDS + 2; i++) {
+ ri = *(d++);
+ if (d >= end) {
+ d = data;
+ }
+
+ ri <<= 8;
+ ri |= *(d++);
+ if (d >= end) {
+ d = data;
+ }
+
+ ri <<= 8;
+ ri |= *(d++);
+ if (d >= end) {
+ d = data;
+ }
+
+ ri <<= 8;
+ ri |= *(d++);
+ if (d >= end) {
+ d = data;
+ }
+
+ p[i] ^= ri;
+ }
+
+ in[0] = 0L;
+ in[1] = 0L;
+ for (i = 0; i < BF_ROUNDS + 2; i += 2) {
+ BF_encrypt(in, key);
+ p[i] = in[0];
+ p[i + 1] = in[1];
+ }
+
+ p = key->S;
+ for (i = 0; i < 4 * 256; i += 2) {
+ BF_encrypt(in, key);
+ p[i] = in[0];
+ p[i + 1] = in[1];
+ }
+}
diff --git a/src/decrepit/cast/CMakeLists.txt b/src/decrepit/cast/CMakeLists.txt
new file mode 100644
index 0000000..ada99e4
--- /dev/null
+++ b/src/decrepit/cast/CMakeLists.txt
@@ -0,0 +1,10 @@
+include_directories(. ../../include)
+
+add_library(
+ cast
+
+ OBJECT
+
+ cast.c
+ cast_tables.c
+)
diff --git a/src/decrepit/cast/cast.c b/src/decrepit/cast/cast.c
new file mode 100644
index 0000000..68bcbe3
--- /dev/null
+++ b/src/decrepit/cast/cast.c
@@ -0,0 +1,416 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]. */
+
+#include <openssl/cast.h>
+
+#if defined(OPENSSL_WINDOWS)
+#pragma warning(push, 3)
+#include <intrin.h>
+#pragma warning(pop)
+#endif
+
+#include "../macros.h"
+
+
+void CAST_ecb_encrypt(const uint8_t *in, uint8_t *out, const CAST_KEY *ks,
+ int enc) {
+ uint32_t d[2];
+
+ n2l(in, d[0]);
+ n2l(in, d[1]);
+ if (enc) {
+ CAST_encrypt(d, ks);
+ } else {
+ CAST_decrypt(d, ks);
+ }
+ l2n(d[0], out);
+ l2n(d[1], out);
+}
+
+extern const uint32_t CAST_S_table0[256];
+extern const uint32_t CAST_S_table1[256];
+extern const uint32_t CAST_S_table2[256];
+extern const uint32_t CAST_S_table3[256];
+extern const uint32_t CAST_S_table4[256];
+extern const uint32_t CAST_S_table5[256];
+extern const uint32_t CAST_S_table6[256];
+extern const uint32_t CAST_S_table7[256];
+
+#if defined(OPENSSL_WINDOWS) && defined(_MSC_VER)
+#define ROTL(a, n) (_lrotl(a, n))
+#else
+#define ROTL(a, n) ((((a) << (n)) | ((a) >> ((-(n))&31))) & 0xffffffffL)
+#endif
+
+#define E_CAST(n, key, L, R, OP1, OP2, OP3) \
+ { \
+ uint32_t a, b, c, d; \
+ t = (key[n * 2] OP1 R) & 0xffffffff; \
+ t = ROTL(t, (key[n * 2 + 1])); \
+ a = CAST_S_table0[(t >> 8) & 0xff]; \
+ b = CAST_S_table1[(t)&0xff]; \
+ c = CAST_S_table2[(t >> 24) & 0xff]; \
+ d = CAST_S_table3[(t >> 16) & 0xff]; \
+ L ^= (((((a OP2 b)&0xffffffffL)OP3 c) & 0xffffffffL)OP1 d) & 0xffffffffL; \
+ }
+
+void CAST_encrypt(uint32_t *data, const CAST_KEY *key) {
+ uint32_t l, r, t;
+ const uint32_t *k;
+
+ k = &key->data[0];
+ l = data[0];
+ r = data[1];
+
+ E_CAST(0, k, l, r, +, ^, -);
+ E_CAST(1, k, r, l, ^, -, +);
+ E_CAST(2, k, l, r, -, +, ^);
+ E_CAST(3, k, r, l, +, ^, -);
+ E_CAST(4, k, l, r, ^, -, +);
+ E_CAST(5, k, r, l, -, +, ^);
+ E_CAST(6, k, l, r, +, ^, -);
+ E_CAST(7, k, r, l, ^, -, +);
+ E_CAST(8, k, l, r, -, +, ^);
+ E_CAST(9, k, r, l, +, ^, -);
+ E_CAST(10, k, l, r, ^, -, +);
+ E_CAST(11, k, r, l, -, +, ^);
+
+ if (!key->short_key) {
+ E_CAST(12, k, l, r, +, ^, -);
+ E_CAST(13, k, r, l, ^, -, +);
+ E_CAST(14, k, l, r, -, +, ^);
+ E_CAST(15, k, r, l, +, ^, -);
+ }
+
+ data[1] = l & 0xffffffffL;
+ data[0] = r & 0xffffffffL;
+}
+
+void CAST_decrypt(uint32_t *data, const CAST_KEY *key) {
+ uint32_t l, r, t;
+ const uint32_t *k;
+
+ k = &key->data[0];
+ l = data[0];
+ r = data[1];
+
+ if (!key->short_key) {
+ E_CAST(15, k, l, r, +, ^, -);
+ E_CAST(14, k, r, l, -, +, ^);
+ E_CAST(13, k, l, r, ^, -, +);
+ E_CAST(12, k, r, l, +, ^, -);
+ }
+
+ E_CAST(11, k, l, r, -, +, ^);
+ E_CAST(10, k, r, l, ^, -, +);
+ E_CAST(9, k, l, r, +, ^, -);
+ E_CAST(8, k, r, l, -, +, ^);
+ E_CAST(7, k, l, r, ^, -, +);
+ E_CAST(6, k, r, l, +, ^, -);
+ E_CAST(5, k, l, r, -, +, ^);
+ E_CAST(4, k, r, l, ^, -, +);
+ E_CAST(3, k, l, r, +, ^, -);
+ E_CAST(2, k, r, l, -, +, ^);
+ E_CAST(1, k, l, r, ^, -, +);
+ E_CAST(0, k, r, l, +, ^, -);
+
+ data[1] = l & 0xffffffffL;
+ data[0] = r & 0xffffffffL;
+}
+
+void CAST_cbc_encrypt(const uint8_t *in, uint8_t *out, long length,
+ const CAST_KEY *ks, uint8_t *iv, int enc) {
+ uint32_t tin0, tin1;
+ uint32_t tout0, tout1, xor0, xor1;
+ long l = length;
+ uint32_t tin[2];
+
+ if (enc) {
+ n2l(iv, tout0);
+ n2l(iv, tout1);
+ iv -= 8;
+ for (l -= 8; l >= 0; l -= 8) {
+ n2l(in, tin0);
+ n2l(in, tin1);
+ tin0 ^= tout0;
+ tin1 ^= tout1;
+ tin[0] = tin0;
+ tin[1] = tin1;
+ CAST_encrypt(tin, ks);
+ tout0 = tin[0];
+ tout1 = tin[1];
+ l2n(tout0, out);
+ l2n(tout1, out);
+ }
+ if (l != -8) {
+ n2ln(in, tin0, tin1, l + 8);
+ tin0 ^= tout0;
+ tin1 ^= tout1;
+ tin[0] = tin0;
+ tin[1] = tin1;
+ CAST_encrypt(tin, ks);
+ tout0 = tin[0];
+ tout1 = tin[1];
+ l2n(tout0, out);
+ l2n(tout1, out);
+ }
+ l2n(tout0, iv);
+ l2n(tout1, iv);
+ } else {
+ n2l(iv, xor0);
+ n2l(iv, xor1);
+ iv -= 8;
+ for (l -= 8; l >= 0; l -= 8) {
+ n2l(in, tin0);
+ n2l(in, tin1);
+ tin[0] = tin0;
+ tin[1] = tin1;
+ CAST_decrypt(tin, ks);
+ tout0 = tin[0] ^ xor0;
+ tout1 = tin[1] ^ xor1;
+ l2n(tout0, out);
+ l2n(tout1, out);
+ xor0 = tin0;
+ xor1 = tin1;
+ }
+ if (l != -8) {
+ n2l(in, tin0);
+ n2l(in, tin1);
+ tin[0] = tin0;
+ tin[1] = tin1;
+ CAST_decrypt(tin, ks);
+ tout0 = tin[0] ^ xor0;
+ tout1 = tin[1] ^ xor1;
+ l2nn(tout0, tout1, out, l + 8);
+ xor0 = tin0;
+ xor1 = tin1;
+ }
+ l2n(xor0, iv);
+ l2n(xor1, iv);
+ }
+ tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
+ tin[0] = tin[1] = 0;
+}
+
+#define CAST_exp(l, A, a, n) \
+ A[n / 4] = l; \
+ a[n + 3] = (l)&0xff; \
+ a[n + 2] = (l >> 8) & 0xff; \
+ a[n + 1] = (l >> 16) & 0xff; \
+ a[n + 0] = (l >> 24) & 0xff;
+#define S4 CAST_S_table4
+#define S5 CAST_S_table5
+#define S6 CAST_S_table6
+#define S7 CAST_S_table7
+
+void CAST_set_key(CAST_KEY *key, size_t len, const uint8_t *data) {
+ uint32_t x[16];
+ uint32_t z[16];
+ uint32_t k[32];
+ uint32_t X[4], Z[4];
+ uint32_t l, *K;
+ size_t i;
+
+ for (i = 0; i < 16; i++) {
+ x[i] = 0;
+ }
+
+ if (len > 16) {
+ len = 16;
+ }
+
+ for (i = 0; i < len; i++) {
+ x[i] = data[i];
+ }
+
+ if (len <= 10) {
+ key->short_key = 1;
+ } else {
+ key->short_key = 0;
+ }
+
+ K = &k[0];
+ X[0] = ((x[0] << 24) | (x[1] << 16) | (x[2] << 8) | x[3]) & 0xffffffffL;
+ X[1] = ((x[4] << 24) | (x[5] << 16) | (x[6] << 8) | x[7]) & 0xffffffffL;
+ X[2] = ((x[8] << 24) | (x[9] << 16) | (x[10] << 8) | x[11]) & 0xffffffffL;
+ X[3] = ((x[12] << 24) | (x[13] << 16) | (x[14] << 8) | x[15]) & 0xffffffffL;
+
+ for (;;) {
+ l = X[0] ^ S4[x[13]] ^ S5[x[15]] ^ S6[x[12]] ^ S7[x[14]] ^ S6[x[8]];
+ CAST_exp(l, Z, z, 0);
+ l = X[2] ^ S4[z[0]] ^ S5[z[2]] ^ S6[z[1]] ^ S7[z[3]] ^ S7[x[10]];
+ CAST_exp(l, Z, z, 4);
+ l = X[3] ^ S4[z[7]] ^ S5[z[6]] ^ S6[z[5]] ^ S7[z[4]] ^ S4[x[9]];
+ CAST_exp(l, Z, z, 8);
+ l = X[1] ^ S4[z[10]] ^ S5[z[9]] ^ S6[z[11]] ^ S7[z[8]] ^ S5[x[11]];
+ CAST_exp(l, Z, z, 12);
+
+ K[0] = S4[z[8]] ^ S5[z[9]] ^ S6[z[7]] ^ S7[z[6]] ^ S4[z[2]];
+ K[1] = S4[z[10]] ^ S5[z[11]] ^ S6[z[5]] ^ S7[z[4]] ^ S5[z[6]];
+ K[2] = S4[z[12]] ^ S5[z[13]] ^ S6[z[3]] ^ S7[z[2]] ^ S6[z[9]];
+ K[3] = S4[z[14]] ^ S5[z[15]] ^ S6[z[1]] ^ S7[z[0]] ^ S7[z[12]];
+
+ l = Z[2] ^ S4[z[5]] ^ S5[z[7]] ^ S6[z[4]] ^ S7[z[6]] ^ S6[z[0]];
+ CAST_exp(l, X, x, 0);
+ l = Z[0] ^ S4[x[0]] ^ S5[x[2]] ^ S6[x[1]] ^ S7[x[3]] ^ S7[z[2]];
+ CAST_exp(l, X, x, 4);
+ l = Z[1] ^ S4[x[7]] ^ S5[x[6]] ^ S6[x[5]] ^ S7[x[4]] ^ S4[z[1]];
+ CAST_exp(l, X, x, 8);
+ l = Z[3] ^ S4[x[10]] ^ S5[x[9]] ^ S6[x[11]] ^ S7[x[8]] ^ S5[z[3]];
+ CAST_exp(l, X, x, 12);
+
+ K[4] = S4[x[3]] ^ S5[x[2]] ^ S6[x[12]] ^ S7[x[13]] ^ S4[x[8]];
+ K[5] = S4[x[1]] ^ S5[x[0]] ^ S6[x[14]] ^ S7[x[15]] ^ S5[x[13]];
+ K[6] = S4[x[7]] ^ S5[x[6]] ^ S6[x[8]] ^ S7[x[9]] ^ S6[x[3]];
+ K[7] = S4[x[5]] ^ S5[x[4]] ^ S6[x[10]] ^ S7[x[11]] ^ S7[x[7]];
+
+ l = X[0] ^ S4[x[13]] ^ S5[x[15]] ^ S6[x[12]] ^ S7[x[14]] ^ S6[x[8]];
+ CAST_exp(l, Z, z, 0);
+ l = X[2] ^ S4[z[0]] ^ S5[z[2]] ^ S6[z[1]] ^ S7[z[3]] ^ S7[x[10]];
+ CAST_exp(l, Z, z, 4);
+ l = X[3] ^ S4[z[7]] ^ S5[z[6]] ^ S6[z[5]] ^ S7[z[4]] ^ S4[x[9]];
+ CAST_exp(l, Z, z, 8);
+ l = X[1] ^ S4[z[10]] ^ S5[z[9]] ^ S6[z[11]] ^ S7[z[8]] ^ S5[x[11]];
+ CAST_exp(l, Z, z, 12);
+
+ K[8] = S4[z[3]] ^ S5[z[2]] ^ S6[z[12]] ^ S7[z[13]] ^ S4[z[9]];
+ K[9] = S4[z[1]] ^ S5[z[0]] ^ S6[z[14]] ^ S7[z[15]] ^ S5[z[12]];
+ K[10] = S4[z[7]] ^ S5[z[6]] ^ S6[z[8]] ^ S7[z[9]] ^ S6[z[2]];
+ K[11] = S4[z[5]] ^ S5[z[4]] ^ S6[z[10]] ^ S7[z[11]] ^ S7[z[6]];
+
+ l = Z[2] ^ S4[z[5]] ^ S5[z[7]] ^ S6[z[4]] ^ S7[z[6]] ^ S6[z[0]];
+ CAST_exp(l, X, x, 0);
+ l = Z[0] ^ S4[x[0]] ^ S5[x[2]] ^ S6[x[1]] ^ S7[x[3]] ^ S7[z[2]];
+ CAST_exp(l, X, x, 4);
+ l = Z[1] ^ S4[x[7]] ^ S5[x[6]] ^ S6[x[5]] ^ S7[x[4]] ^ S4[z[1]];
+ CAST_exp(l, X, x, 8);
+ l = Z[3] ^ S4[x[10]] ^ S5[x[9]] ^ S6[x[11]] ^ S7[x[8]] ^ S5[z[3]];
+ CAST_exp(l, X, x, 12);
+
+ K[12] = S4[x[8]] ^ S5[x[9]] ^ S6[x[7]] ^ S7[x[6]] ^ S4[x[3]];
+ K[13] = S4[x[10]] ^ S5[x[11]] ^ S6[x[5]] ^ S7[x[4]] ^ S5[x[7]];
+ K[14] = S4[x[12]] ^ S5[x[13]] ^ S6[x[3]] ^ S7[x[2]] ^ S6[x[8]];
+ K[15] = S4[x[14]] ^ S5[x[15]] ^ S6[x[1]] ^ S7[x[0]] ^ S7[x[13]];
+ if (K != k) {
+ break;
+ }
+ K += 16;
+ }
+
+ for (i = 0; i < 16; i++) {
+ key->data[i * 2] = k[i];
+ key->data[i * 2 + 1] = ((k[i + 16]) + 16) & 0x1f;
+ }
+}
+
+/* The input and output encrypted as though 64bit cfb mode is being used. The
+ * extra state information to record how much of the 64bit block we have used
+ * is contained in *num. */
+void CAST_cfb64_encrypt(const uint8_t *in, uint8_t *out, long length,
+ const CAST_KEY *schedule, uint8_t *ivec, int *num,
+ int enc) {
+ uint32_t v0, v1, t;
+ int n = *num;
+ long l = length;
+ uint32_t ti[2];
+ uint8_t *iv, c, cc;
+
+ iv = ivec;
+ if (enc) {
+ while (l--) {
+ if (n == 0) {
+ n2l(iv, v0);
+ ti[0] = v0;
+ n2l(iv, v1);
+ ti[1] = v1;
+ CAST_encrypt((uint32_t *)ti, schedule);
+ iv = ivec;
+ t = ti[0];
+ l2n(t, iv);
+ t = ti[1];
+ l2n(t, iv);
+ iv = ivec;
+ }
+ c = *(in++) ^ iv[n];
+ *(out++) = c;
+ iv[n] = c;
+ n = (n + 1) & 0x07;
+ }
+ } else {
+ while (l--) {
+ if (n == 0) {
+ n2l(iv, v0);
+ ti[0] = v0;
+ n2l(iv, v1);
+ ti[1] = v1;
+ CAST_encrypt((uint32_t *)ti, schedule);
+ iv = ivec;
+ t = ti[0];
+ l2n(t, iv);
+ t = ti[1];
+ l2n(t, iv);
+ iv = ivec;
+ }
+ cc = *(in++);
+ c = iv[n];
+ iv[n] = cc;
+ *(out++) = c ^ cc;
+ n = (n + 1) & 0x07;
+ }
+ }
+ v0 = v1 = ti[0] = ti[1] = t = c = cc = 0;
+ *num = n;
+}
diff --git a/src/decrepit/cast/cast_tables.c b/src/decrepit/cast/cast_tables.c
new file mode 100644
index 0000000..a00acd8
--- /dev/null
+++ b/src/decrepit/cast/cast_tables.c
@@ -0,0 +1,425 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#include <openssl/base.h>
+
+const uint32_t CAST_S_table0[256] = {
+ 0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3,
+ 0x6003e540, 0xcf9fc949, 0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675,
+ 0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e, 0x28683b6f, 0xc07fd059,
+ 0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d,
+ 0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b,
+ 0x22568e3a, 0xa2d341d0, 0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de,
+ 0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7, 0xb82cbaef, 0xd751d159,
+ 0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935,
+ 0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f,
+ 0xb48ee411, 0x4bff345d, 0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165,
+ 0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50, 0x882240f2, 0x0c6e4f38,
+ 0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe,
+ 0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493,
+ 0xe63d37e0, 0x2a54f6b3, 0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a,
+ 0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167, 0x38901091, 0xc6b505eb,
+ 0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291,
+ 0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14,
+ 0xa0bebc3c, 0x54623779, 0x64459eab, 0x3f328b82, 0x7718cf82, 0x59a2cea6,
+ 0x04ee002e, 0x89fe78e6, 0x3fab0950, 0x325ff6c2, 0x81383f05, 0x6963c5c8,
+ 0x76cb5ad6, 0xd49974c9, 0xca180dcf, 0x380782d5, 0xc7fa5cf6, 0x8ac31511,
+ 0x35e79e13, 0x47da91d0, 0xf40f9086, 0xa7e2419e, 0x31366241, 0x051ef495,
+ 0xaa573b04, 0x4a805d8d, 0x548300d0, 0x00322a3c, 0xbf64cddf, 0xba57a68e,
+ 0x75c6372b, 0x50afd341, 0xa7c13275, 0x915a0bf5, 0x6b54bfab, 0x2b0b1426,
+ 0xab4cc9d7, 0x449ccd82, 0xf7fbf265, 0xab85c5f3, 0x1b55db94, 0xaad4e324,
+ 0xcfa4bd3f, 0x2deaa3e2, 0x9e204d02, 0xc8bd25ac, 0xeadf55b3, 0xd5bd9e98,
+ 0xe31231b2, 0x2ad5ad6c, 0x954329de, 0xadbe4528, 0xd8710f69, 0xaa51c90f,
+ 0xaa786bf6, 0x22513f1e, 0xaa51a79b, 0x2ad344cc, 0x7b5a41f0, 0xd37cfbad,
+ 0x1b069505, 0x41ece491, 0xb4c332e6, 0x032268d4, 0xc9600acc, 0xce387e6d,
+ 0xbf6bb16c, 0x6a70fb78, 0x0d03d9c9, 0xd4df39de, 0xe01063da, 0x4736f464,
+ 0x5ad328d8, 0xb347cc96, 0x75bb0fc3, 0x98511bfb, 0x4ffbcc35, 0xb58bcf6a,
+ 0xe11f0abc, 0xbfc5fe4a, 0xa70aec10, 0xac39570a, 0x3f04442f, 0x6188b153,
+ 0xe0397a2e, 0x5727cb79, 0x9ceb418f, 0x1cacd68d, 0x2ad37c96, 0x0175cb9d,
+ 0xc69dff09, 0xc75b65f0, 0xd9db40d8, 0xec0e7779, 0x4744ead4, 0xb11c3274,
+ 0xdd24cb9e, 0x7e1c54bd, 0xf01144f9, 0xd2240eb1, 0x9675b3fd, 0xa3ac3755,
+ 0xd47c27af, 0x51c85f4d, 0x56907596, 0xa5bb15e6, 0x580304f0, 0xca042cf1,
+ 0x011a37ea, 0x8dbfaadb, 0x35ba3e4a, 0x3526ffa0, 0xc37b4d09, 0xbc306ed9,
+ 0x98a52666, 0x5648f725, 0xff5e569d, 0x0ced63d0, 0x7c63b2cf, 0x700b45e1,
+ 0xd5ea50f1, 0x85a92872, 0xaf1fbda7, 0xd4234870, 0xa7870bf3, 0x2d3b4d79,
+ 0x42e04198, 0x0cd0ede7, 0x26470db8, 0xf881814c, 0x474d6ad7, 0x7c0c5e5c,
+ 0xd1231959, 0x381b7298, 0xf5d2f4db, 0xab838653, 0x6e2f1e23, 0x83719c9e,
+ 0xbd91e046, 0x9a56456e, 0xdc39200c, 0x20c8c571, 0x962bda1c, 0xe1e696ff,
+ 0xb141ab08, 0x7cca89b9, 0x1a69e783, 0x02cc4843, 0xa2f7c579, 0x429ef47d,
+ 0x427b169c, 0x5ac9f049, 0xdd8f0f00, 0x5c8165bf,
+};
+
+const uint32_t CAST_S_table1[256] = {
+ 0x1f201094, 0xef0ba75b, 0x69e3cf7e, 0x393f4380, 0xfe61cf7a, 0xeec5207a,
+ 0x55889c94, 0x72fc0651, 0xada7ef79, 0x4e1d7235, 0xd55a63ce, 0xde0436ba,
+ 0x99c430ef, 0x5f0c0794, 0x18dcdb7d, 0xa1d6eff3, 0xa0b52f7b, 0x59e83605,
+ 0xee15b094, 0xe9ffd909, 0xdc440086, 0xef944459, 0xba83ccb3, 0xe0c3cdfb,
+ 0xd1da4181, 0x3b092ab1, 0xf997f1c1, 0xa5e6cf7b, 0x01420ddb, 0xe4e7ef5b,
+ 0x25a1ff41, 0xe180f806, 0x1fc41080, 0x179bee7a, 0xd37ac6a9, 0xfe5830a4,
+ 0x98de8b7f, 0x77e83f4e, 0x79929269, 0x24fa9f7b, 0xe113c85b, 0xacc40083,
+ 0xd7503525, 0xf7ea615f, 0x62143154, 0x0d554b63, 0x5d681121, 0xc866c359,
+ 0x3d63cf73, 0xcee234c0, 0xd4d87e87, 0x5c672b21, 0x071f6181, 0x39f7627f,
+ 0x361e3084, 0xe4eb573b, 0x602f64a4, 0xd63acd9c, 0x1bbc4635, 0x9e81032d,
+ 0x2701f50c, 0x99847ab4, 0xa0e3df79, 0xba6cf38c, 0x10843094, 0x2537a95e,
+ 0xf46f6ffe, 0xa1ff3b1f, 0x208cfb6a, 0x8f458c74, 0xd9e0a227, 0x4ec73a34,
+ 0xfc884f69, 0x3e4de8df, 0xef0e0088, 0x3559648d, 0x8a45388c, 0x1d804366,
+ 0x721d9bfd, 0xa58684bb, 0xe8256333, 0x844e8212, 0x128d8098, 0xfed33fb4,
+ 0xce280ae1, 0x27e19ba5, 0xd5a6c252, 0xe49754bd, 0xc5d655dd, 0xeb667064,
+ 0x77840b4d, 0xa1b6a801, 0x84db26a9, 0xe0b56714, 0x21f043b7, 0xe5d05860,
+ 0x54f03084, 0x066ff472, 0xa31aa153, 0xdadc4755, 0xb5625dbf, 0x68561be6,
+ 0x83ca6b94, 0x2d6ed23b, 0xeccf01db, 0xa6d3d0ba, 0xb6803d5c, 0xaf77a709,
+ 0x33b4a34c, 0x397bc8d6, 0x5ee22b95, 0x5f0e5304, 0x81ed6f61, 0x20e74364,
+ 0xb45e1378, 0xde18639b, 0x881ca122, 0xb96726d1, 0x8049a7e8, 0x22b7da7b,
+ 0x5e552d25, 0x5272d237, 0x79d2951c, 0xc60d894c, 0x488cb402, 0x1ba4fe5b,
+ 0xa4b09f6b, 0x1ca815cf, 0xa20c3005, 0x8871df63, 0xb9de2fcb, 0x0cc6c9e9,
+ 0x0beeff53, 0xe3214517, 0xb4542835, 0x9f63293c, 0xee41e729, 0x6e1d2d7c,
+ 0x50045286, 0x1e6685f3, 0xf33401c6, 0x30a22c95, 0x31a70850, 0x60930f13,
+ 0x73f98417, 0xa1269859, 0xec645c44, 0x52c877a9, 0xcdff33a6, 0xa02b1741,
+ 0x7cbad9a2, 0x2180036f, 0x50d99c08, 0xcb3f4861, 0xc26bd765, 0x64a3f6ab,
+ 0x80342676, 0x25a75e7b, 0xe4e6d1fc, 0x20c710e6, 0xcdf0b680, 0x17844d3b,
+ 0x31eef84d, 0x7e0824e4, 0x2ccb49eb, 0x846a3bae, 0x8ff77888, 0xee5d60f6,
+ 0x7af75673, 0x2fdd5cdb, 0xa11631c1, 0x30f66f43, 0xb3faec54, 0x157fd7fa,
+ 0xef8579cc, 0xd152de58, 0xdb2ffd5e, 0x8f32ce19, 0x306af97a, 0x02f03ef8,
+ 0x99319ad5, 0xc242fa0f, 0xa7e3ebb0, 0xc68e4906, 0xb8da230c, 0x80823028,
+ 0xdcdef3c8, 0xd35fb171, 0x088a1bc8, 0xbec0c560, 0x61a3c9e8, 0xbca8f54d,
+ 0xc72feffa, 0x22822e99, 0x82c570b4, 0xd8d94e89, 0x8b1c34bc, 0x301e16e6,
+ 0x273be979, 0xb0ffeaa6, 0x61d9b8c6, 0x00b24869, 0xb7ffce3f, 0x08dc283b,
+ 0x43daf65a, 0xf7e19798, 0x7619b72f, 0x8f1c9ba4, 0xdc8637a0, 0x16a7d3b1,
+ 0x9fc393b7, 0xa7136eeb, 0xc6bcc63e, 0x1a513742, 0xef6828bc, 0x520365d6,
+ 0x2d6a77ab, 0x3527ed4b, 0x821fd216, 0x095c6e2e, 0xdb92f2fb, 0x5eea29cb,
+ 0x145892f5, 0x91584f7f, 0x5483697b, 0x2667a8cc, 0x85196048, 0x8c4bacea,
+ 0x833860d4, 0x0d23e0f9, 0x6c387e8a, 0x0ae6d249, 0xb284600c, 0xd835731d,
+ 0xdcb1c647, 0xac4c56ea, 0x3ebd81b3, 0x230eabb0, 0x6438bc87, 0xf0b5b1fa,
+ 0x8f5ea2b3, 0xfc184642, 0x0a036b7a, 0x4fb089bd, 0x649da589, 0xa345415e,
+ 0x5c038323, 0x3e5d3bb9, 0x43d79572, 0x7e6dd07c, 0x06dfdf1e, 0x6c6cc4ef,
+ 0x7160a539, 0x73bfbe70, 0x83877605, 0x4523ecf1,
+};
+
+const uint32_t CAST_S_table2[256] = {
+ 0x8defc240, 0x25fa5d9f, 0xeb903dbf, 0xe810c907, 0x47607fff, 0x369fe44b,
+ 0x8c1fc644, 0xaececa90, 0xbeb1f9bf, 0xeefbcaea, 0xe8cf1950, 0x51df07ae,
+ 0x920e8806, 0xf0ad0548, 0xe13c8d83, 0x927010d5, 0x11107d9f, 0x07647db9,
+ 0xb2e3e4d4, 0x3d4f285e, 0xb9afa820, 0xfade82e0, 0xa067268b, 0x8272792e,
+ 0x553fb2c0, 0x489ae22b, 0xd4ef9794, 0x125e3fbc, 0x21fffcee, 0x825b1bfd,
+ 0x9255c5ed, 0x1257a240, 0x4e1a8302, 0xbae07fff, 0x528246e7, 0x8e57140e,
+ 0x3373f7bf, 0x8c9f8188, 0xa6fc4ee8, 0xc982b5a5, 0xa8c01db7, 0x579fc264,
+ 0x67094f31, 0xf2bd3f5f, 0x40fff7c1, 0x1fb78dfc, 0x8e6bd2c1, 0x437be59b,
+ 0x99b03dbf, 0xb5dbc64b, 0x638dc0e6, 0x55819d99, 0xa197c81c, 0x4a012d6e,
+ 0xc5884a28, 0xccc36f71, 0xb843c213, 0x6c0743f1, 0x8309893c, 0x0feddd5f,
+ 0x2f7fe850, 0xd7c07f7e, 0x02507fbf, 0x5afb9a04, 0xa747d2d0, 0x1651192e,
+ 0xaf70bf3e, 0x58c31380, 0x5f98302e, 0x727cc3c4, 0x0a0fb402, 0x0f7fef82,
+ 0x8c96fdad, 0x5d2c2aae, 0x8ee99a49, 0x50da88b8, 0x8427f4a0, 0x1eac5790,
+ 0x796fb449, 0x8252dc15, 0xefbd7d9b, 0xa672597d, 0xada840d8, 0x45f54504,
+ 0xfa5d7403, 0xe83ec305, 0x4f91751a, 0x925669c2, 0x23efe941, 0xa903f12e,
+ 0x60270df2, 0x0276e4b6, 0x94fd6574, 0x927985b2, 0x8276dbcb, 0x02778176,
+ 0xf8af918d, 0x4e48f79e, 0x8f616ddf, 0xe29d840e, 0x842f7d83, 0x340ce5c8,
+ 0x96bbb682, 0x93b4b148, 0xef303cab, 0x984faf28, 0x779faf9b, 0x92dc560d,
+ 0x224d1e20, 0x8437aa88, 0x7d29dc96, 0x2756d3dc, 0x8b907cee, 0xb51fd240,
+ 0xe7c07ce3, 0xe566b4a1, 0xc3e9615e, 0x3cf8209d, 0x6094d1e3, 0xcd9ca341,
+ 0x5c76460e, 0x00ea983b, 0xd4d67881, 0xfd47572c, 0xf76cedd9, 0xbda8229c,
+ 0x127dadaa, 0x438a074e, 0x1f97c090, 0x081bdb8a, 0x93a07ebe, 0xb938ca15,
+ 0x97b03cff, 0x3dc2c0f8, 0x8d1ab2ec, 0x64380e51, 0x68cc7bfb, 0xd90f2788,
+ 0x12490181, 0x5de5ffd4, 0xdd7ef86a, 0x76a2e214, 0xb9a40368, 0x925d958f,
+ 0x4b39fffa, 0xba39aee9, 0xa4ffd30b, 0xfaf7933b, 0x6d498623, 0x193cbcfa,
+ 0x27627545, 0x825cf47a, 0x61bd8ba0, 0xd11e42d1, 0xcead04f4, 0x127ea392,
+ 0x10428db7, 0x8272a972, 0x9270c4a8, 0x127de50b, 0x285ba1c8, 0x3c62f44f,
+ 0x35c0eaa5, 0xe805d231, 0x428929fb, 0xb4fcdf82, 0x4fb66a53, 0x0e7dc15b,
+ 0x1f081fab, 0x108618ae, 0xfcfd086d, 0xf9ff2889, 0x694bcc11, 0x236a5cae,
+ 0x12deca4d, 0x2c3f8cc5, 0xd2d02dfe, 0xf8ef5896, 0xe4cf52da, 0x95155b67,
+ 0x494a488c, 0xb9b6a80c, 0x5c8f82bc, 0x89d36b45, 0x3a609437, 0xec00c9a9,
+ 0x44715253, 0x0a874b49, 0xd773bc40, 0x7c34671c, 0x02717ef6, 0x4feb5536,
+ 0xa2d02fff, 0xd2bf60c4, 0xd43f03c0, 0x50b4ef6d, 0x07478cd1, 0x006e1888,
+ 0xa2e53f55, 0xb9e6d4bc, 0xa2048016, 0x97573833, 0xd7207d67, 0xde0f8f3d,
+ 0x72f87b33, 0xabcc4f33, 0x7688c55d, 0x7b00a6b0, 0x947b0001, 0x570075d2,
+ 0xf9bb88f8, 0x8942019e, 0x4264a5ff, 0x856302e0, 0x72dbd92b, 0xee971b69,
+ 0x6ea22fde, 0x5f08ae2b, 0xaf7a616d, 0xe5c98767, 0xcf1febd2, 0x61efc8c2,
+ 0xf1ac2571, 0xcc8239c2, 0x67214cb8, 0xb1e583d1, 0xb7dc3e62, 0x7f10bdce,
+ 0xf90a5c38, 0x0ff0443d, 0x606e6dc6, 0x60543a49, 0x5727c148, 0x2be98a1d,
+ 0x8ab41738, 0x20e1be24, 0xaf96da0f, 0x68458425, 0x99833be5, 0x600d457d,
+ 0x282f9350, 0x8334b362, 0xd91d1120, 0x2b6d8da0, 0x642b1e31, 0x9c305a00,
+ 0x52bce688, 0x1b03588a, 0xf7baefd5, 0x4142ed9c, 0xa4315c11, 0x83323ec5,
+ 0xdfef4636, 0xa133c501, 0xe9d3531c, 0xee353783,
+};
+
+const uint32_t CAST_S_table3[256] = {
+ 0x9db30420, 0x1fb6e9de, 0xa7be7bef, 0xd273a298, 0x4a4f7bdb, 0x64ad8c57,
+ 0x85510443, 0xfa020ed1, 0x7e287aff, 0xe60fb663, 0x095f35a1, 0x79ebf120,
+ 0xfd059d43, 0x6497b7b1, 0xf3641f63, 0x241e4adf, 0x28147f5f, 0x4fa2b8cd,
+ 0xc9430040, 0x0cc32220, 0xfdd30b30, 0xc0a5374f, 0x1d2d00d9, 0x24147b15,
+ 0xee4d111a, 0x0fca5167, 0x71ff904c, 0x2d195ffe, 0x1a05645f, 0x0c13fefe,
+ 0x081b08ca, 0x05170121, 0x80530100, 0xe83e5efe, 0xac9af4f8, 0x7fe72701,
+ 0xd2b8ee5f, 0x06df4261, 0xbb9e9b8a, 0x7293ea25, 0xce84ffdf, 0xf5718801,
+ 0x3dd64b04, 0xa26f263b, 0x7ed48400, 0x547eebe6, 0x446d4ca0, 0x6cf3d6f5,
+ 0x2649abdf, 0xaea0c7f5, 0x36338cc1, 0x503f7e93, 0xd3772061, 0x11b638e1,
+ 0x72500e03, 0xf80eb2bb, 0xabe0502e, 0xec8d77de, 0x57971e81, 0xe14f6746,
+ 0xc9335400, 0x6920318f, 0x081dbb99, 0xffc304a5, 0x4d351805, 0x7f3d5ce3,
+ 0xa6c866c6, 0x5d5bcca9, 0xdaec6fea, 0x9f926f91, 0x9f46222f, 0x3991467d,
+ 0xa5bf6d8e, 0x1143c44f, 0x43958302, 0xd0214eeb, 0x022083b8, 0x3fb6180c,
+ 0x18f8931e, 0x281658e6, 0x26486e3e, 0x8bd78a70, 0x7477e4c1, 0xb506e07c,
+ 0xf32d0a25, 0x79098b02, 0xe4eabb81, 0x28123b23, 0x69dead38, 0x1574ca16,
+ 0xdf871b62, 0x211c40b7, 0xa51a9ef9, 0x0014377b, 0x041e8ac8, 0x09114003,
+ 0xbd59e4d2, 0xe3d156d5, 0x4fe876d5, 0x2f91a340, 0x557be8de, 0x00eae4a7,
+ 0x0ce5c2ec, 0x4db4bba6, 0xe756bdff, 0xdd3369ac, 0xec17b035, 0x06572327,
+ 0x99afc8b0, 0x56c8c391, 0x6b65811c, 0x5e146119, 0x6e85cb75, 0xbe07c002,
+ 0xc2325577, 0x893ff4ec, 0x5bbfc92d, 0xd0ec3b25, 0xb7801ab7, 0x8d6d3b24,
+ 0x20c763ef, 0xc366a5fc, 0x9c382880, 0x0ace3205, 0xaac9548a, 0xeca1d7c7,
+ 0x041afa32, 0x1d16625a, 0x6701902c, 0x9b757a54, 0x31d477f7, 0x9126b031,
+ 0x36cc6fdb, 0xc70b8b46, 0xd9e66a48, 0x56e55a79, 0x026a4ceb, 0x52437eff,
+ 0x2f8f76b4, 0x0df980a5, 0x8674cde3, 0xedda04eb, 0x17a9be04, 0x2c18f4df,
+ 0xb7747f9d, 0xab2af7b4, 0xefc34d20, 0x2e096b7c, 0x1741a254, 0xe5b6a035,
+ 0x213d42f6, 0x2c1c7c26, 0x61c2f50f, 0x6552daf9, 0xd2c231f8, 0x25130f69,
+ 0xd8167fa2, 0x0418f2c8, 0x001a96a6, 0x0d1526ab, 0x63315c21, 0x5e0a72ec,
+ 0x49bafefd, 0x187908d9, 0x8d0dbd86, 0x311170a7, 0x3e9b640c, 0xcc3e10d7,
+ 0xd5cad3b6, 0x0caec388, 0xf73001e1, 0x6c728aff, 0x71eae2a1, 0x1f9af36e,
+ 0xcfcbd12f, 0xc1de8417, 0xac07be6b, 0xcb44a1d8, 0x8b9b0f56, 0x013988c3,
+ 0xb1c52fca, 0xb4be31cd, 0xd8782806, 0x12a3a4e2, 0x6f7de532, 0x58fd7eb6,
+ 0xd01ee900, 0x24adffc2, 0xf4990fc5, 0x9711aac5, 0x001d7b95, 0x82e5e7d2,
+ 0x109873f6, 0x00613096, 0xc32d9521, 0xada121ff, 0x29908415, 0x7fbb977f,
+ 0xaf9eb3db, 0x29c9ed2a, 0x5ce2a465, 0xa730f32c, 0xd0aa3fe8, 0x8a5cc091,
+ 0xd49e2ce7, 0x0ce454a9, 0xd60acd86, 0x015f1919, 0x77079103, 0xdea03af6,
+ 0x78a8565e, 0xdee356df, 0x21f05cbe, 0x8b75e387, 0xb3c50651, 0xb8a5c3ef,
+ 0xd8eeb6d2, 0xe523be77, 0xc2154529, 0x2f69efdf, 0xafe67afb, 0xf470c4b2,
+ 0xf3e0eb5b, 0xd6cc9876, 0x39e4460c, 0x1fda8538, 0x1987832f, 0xca007367,
+ 0xa99144f8, 0x296b299e, 0x492fc295, 0x9266beab, 0xb5676e69, 0x9bd3ddda,
+ 0xdf7e052f, 0xdb25701c, 0x1b5e51ee, 0xf65324e6, 0x6afce36c, 0x0316cc04,
+ 0x8644213e, 0xb7dc59d0, 0x7965291f, 0xccd6fd43, 0x41823979, 0x932bcdf6,
+ 0xb657c34d, 0x4edfd282, 0x7ae5290c, 0x3cb9536b, 0x851e20fe, 0x9833557e,
+ 0x13ecf0b0, 0xd3ffb372, 0x3f85c5c1, 0x0aef7ed2,
+};
+
+const uint32_t CAST_S_table4[256] = {
+ 0x7ec90c04, 0x2c6e74b9, 0x9b0e66df, 0xa6337911, 0xb86a7fff, 0x1dd358f5,
+ 0x44dd9d44, 0x1731167f, 0x08fbf1fa, 0xe7f511cc, 0xd2051b00, 0x735aba00,
+ 0x2ab722d8, 0x386381cb, 0xacf6243a, 0x69befd7a, 0xe6a2e77f, 0xf0c720cd,
+ 0xc4494816, 0xccf5c180, 0x38851640, 0x15b0a848, 0xe68b18cb, 0x4caadeff,
+ 0x5f480a01, 0x0412b2aa, 0x259814fc, 0x41d0efe2, 0x4e40b48d, 0x248eb6fb,
+ 0x8dba1cfe, 0x41a99b02, 0x1a550a04, 0xba8f65cb, 0x7251f4e7, 0x95a51725,
+ 0xc106ecd7, 0x97a5980a, 0xc539b9aa, 0x4d79fe6a, 0xf2f3f763, 0x68af8040,
+ 0xed0c9e56, 0x11b4958b, 0xe1eb5a88, 0x8709e6b0, 0xd7e07156, 0x4e29fea7,
+ 0x6366e52d, 0x02d1c000, 0xc4ac8e05, 0x9377f571, 0x0c05372a, 0x578535f2,
+ 0x2261be02, 0xd642a0c9, 0xdf13a280, 0x74b55bd2, 0x682199c0, 0xd421e5ec,
+ 0x53fb3ce8, 0xc8adedb3, 0x28a87fc9, 0x3d959981, 0x5c1ff900, 0xfe38d399,
+ 0x0c4eff0b, 0x062407ea, 0xaa2f4fb1, 0x4fb96976, 0x90c79505, 0xb0a8a774,
+ 0xef55a1ff, 0xe59ca2c2, 0xa6b62d27, 0xe66a4263, 0xdf65001f, 0x0ec50966,
+ 0xdfdd55bc, 0x29de0655, 0x911e739a, 0x17af8975, 0x32c7911c, 0x89f89468,
+ 0x0d01e980, 0x524755f4, 0x03b63cc9, 0x0cc844b2, 0xbcf3f0aa, 0x87ac36e9,
+ 0xe53a7426, 0x01b3d82b, 0x1a9e7449, 0x64ee2d7e, 0xcddbb1da, 0x01c94910,
+ 0xb868bf80, 0x0d26f3fd, 0x9342ede7, 0x04a5c284, 0x636737b6, 0x50f5b616,
+ 0xf24766e3, 0x8eca36c1, 0x136e05db, 0xfef18391, 0xfb887a37, 0xd6e7f7d4,
+ 0xc7fb7dc9, 0x3063fcdf, 0xb6f589de, 0xec2941da, 0x26e46695, 0xb7566419,
+ 0xf654efc5, 0xd08d58b7, 0x48925401, 0xc1bacb7f, 0xe5ff550f, 0xb6083049,
+ 0x5bb5d0e8, 0x87d72e5a, 0xab6a6ee1, 0x223a66ce, 0xc62bf3cd, 0x9e0885f9,
+ 0x68cb3e47, 0x086c010f, 0xa21de820, 0xd18b69de, 0xf3f65777, 0xfa02c3f6,
+ 0x407edac3, 0xcbb3d550, 0x1793084d, 0xb0d70eba, 0x0ab378d5, 0xd951fb0c,
+ 0xded7da56, 0x4124bbe4, 0x94ca0b56, 0x0f5755d1, 0xe0e1e56e, 0x6184b5be,
+ 0x580a249f, 0x94f74bc0, 0xe327888e, 0x9f7b5561, 0xc3dc0280, 0x05687715,
+ 0x646c6bd7, 0x44904db3, 0x66b4f0a3, 0xc0f1648a, 0x697ed5af, 0x49e92ff6,
+ 0x309e374f, 0x2cb6356a, 0x85808573, 0x4991f840, 0x76f0ae02, 0x083be84d,
+ 0x28421c9a, 0x44489406, 0x736e4cb8, 0xc1092910, 0x8bc95fc6, 0x7d869cf4,
+ 0x134f616f, 0x2e77118d, 0xb31b2be1, 0xaa90b472, 0x3ca5d717, 0x7d161bba,
+ 0x9cad9010, 0xaf462ba2, 0x9fe459d2, 0x45d34559, 0xd9f2da13, 0xdbc65487,
+ 0xf3e4f94e, 0x176d486f, 0x097c13ea, 0x631da5c7, 0x445f7382, 0x175683f4,
+ 0xcdc66a97, 0x70be0288, 0xb3cdcf72, 0x6e5dd2f3, 0x20936079, 0x459b80a5,
+ 0xbe60e2db, 0xa9c23101, 0xeba5315c, 0x224e42f2, 0x1c5c1572, 0xf6721b2c,
+ 0x1ad2fff3, 0x8c25404e, 0x324ed72f, 0x4067b7fd, 0x0523138e, 0x5ca3bc78,
+ 0xdc0fd66e, 0x75922283, 0x784d6b17, 0x58ebb16e, 0x44094f85, 0x3f481d87,
+ 0xfcfeae7b, 0x77b5ff76, 0x8c2302bf, 0xaaf47556, 0x5f46b02a, 0x2b092801,
+ 0x3d38f5f7, 0x0ca81f36, 0x52af4a8a, 0x66d5e7c0, 0xdf3b0874, 0x95055110,
+ 0x1b5ad7a8, 0xf61ed5ad, 0x6cf6e479, 0x20758184, 0xd0cefa65, 0x88f7be58,
+ 0x4a046826, 0x0ff6f8f3, 0xa09c7f70, 0x5346aba0, 0x5ce96c28, 0xe176eda3,
+ 0x6bac307f, 0x376829d2, 0x85360fa9, 0x17e3fe2a, 0x24b79767, 0xf5a96b20,
+ 0xd6cd2595, 0x68ff1ebf, 0x7555442c, 0xf19f06be, 0xf9e0659a, 0xeeb9491d,
+ 0x34010718, 0xbb30cab8, 0xe822fe15, 0x88570983, 0x750e6249, 0xda627e55,
+ 0x5e76ffa8, 0xb1534546, 0x6d47de08, 0xefe9e7d4,
+};
+
+const uint32_t CAST_S_table5[256] = {
+ 0xf6fa8f9d, 0x2cac6ce1, 0x4ca34867, 0xe2337f7c, 0x95db08e7, 0x016843b4,
+ 0xeced5cbc, 0x325553ac, 0xbf9f0960, 0xdfa1e2ed, 0x83f0579d, 0x63ed86b9,
+ 0x1ab6a6b8, 0xde5ebe39, 0xf38ff732, 0x8989b138, 0x33f14961, 0xc01937bd,
+ 0xf506c6da, 0xe4625e7e, 0xa308ea99, 0x4e23e33c, 0x79cbd7cc, 0x48a14367,
+ 0xa3149619, 0xfec94bd5, 0xa114174a, 0xeaa01866, 0xa084db2d, 0x09a8486f,
+ 0xa888614a, 0x2900af98, 0x01665991, 0xe1992863, 0xc8f30c60, 0x2e78ef3c,
+ 0xd0d51932, 0xcf0fec14, 0xf7ca07d2, 0xd0a82072, 0xfd41197e, 0x9305a6b0,
+ 0xe86be3da, 0x74bed3cd, 0x372da53c, 0x4c7f4448, 0xdab5d440, 0x6dba0ec3,
+ 0x083919a7, 0x9fbaeed9, 0x49dbcfb0, 0x4e670c53, 0x5c3d9c01, 0x64bdb941,
+ 0x2c0e636a, 0xba7dd9cd, 0xea6f7388, 0xe70bc762, 0x35f29adb, 0x5c4cdd8d,
+ 0xf0d48d8c, 0xb88153e2, 0x08a19866, 0x1ae2eac8, 0x284caf89, 0xaa928223,
+ 0x9334be53, 0x3b3a21bf, 0x16434be3, 0x9aea3906, 0xefe8c36e, 0xf890cdd9,
+ 0x80226dae, 0xc340a4a3, 0xdf7e9c09, 0xa694a807, 0x5b7c5ecc, 0x221db3a6,
+ 0x9a69a02f, 0x68818a54, 0xceb2296f, 0x53c0843a, 0xfe893655, 0x25bfe68a,
+ 0xb4628abc, 0xcf222ebf, 0x25ac6f48, 0xa9a99387, 0x53bddb65, 0xe76ffbe7,
+ 0xe967fd78, 0x0ba93563, 0x8e342bc1, 0xe8a11be9, 0x4980740d, 0xc8087dfc,
+ 0x8de4bf99, 0xa11101a0, 0x7fd37975, 0xda5a26c0, 0xe81f994f, 0x9528cd89,
+ 0xfd339fed, 0xb87834bf, 0x5f04456d, 0x22258698, 0xc9c4c83b, 0x2dc156be,
+ 0x4f628daa, 0x57f55ec5, 0xe2220abe, 0xd2916ebf, 0x4ec75b95, 0x24f2c3c0,
+ 0x42d15d99, 0xcd0d7fa0, 0x7b6e27ff, 0xa8dc8af0, 0x7345c106, 0xf41e232f,
+ 0x35162386, 0xe6ea8926, 0x3333b094, 0x157ec6f2, 0x372b74af, 0x692573e4,
+ 0xe9a9d848, 0xf3160289, 0x3a62ef1d, 0xa787e238, 0xf3a5f676, 0x74364853,
+ 0x20951063, 0x4576698d, 0xb6fad407, 0x592af950, 0x36f73523, 0x4cfb6e87,
+ 0x7da4cec0, 0x6c152daa, 0xcb0396a8, 0xc50dfe5d, 0xfcd707ab, 0x0921c42f,
+ 0x89dff0bb, 0x5fe2be78, 0x448f4f33, 0x754613c9, 0x2b05d08d, 0x48b9d585,
+ 0xdc049441, 0xc8098f9b, 0x7dede786, 0xc39a3373, 0x42410005, 0x6a091751,
+ 0x0ef3c8a6, 0x890072d6, 0x28207682, 0xa9a9f7be, 0xbf32679d, 0xd45b5b75,
+ 0xb353fd00, 0xcbb0e358, 0x830f220a, 0x1f8fb214, 0xd372cf08, 0xcc3c4a13,
+ 0x8cf63166, 0x061c87be, 0x88c98f88, 0x6062e397, 0x47cf8e7a, 0xb6c85283,
+ 0x3cc2acfb, 0x3fc06976, 0x4e8f0252, 0x64d8314d, 0xda3870e3, 0x1e665459,
+ 0xc10908f0, 0x513021a5, 0x6c5b68b7, 0x822f8aa0, 0x3007cd3e, 0x74719eef,
+ 0xdc872681, 0x073340d4, 0x7e432fd9, 0x0c5ec241, 0x8809286c, 0xf592d891,
+ 0x08a930f6, 0x957ef305, 0xb7fbffbd, 0xc266e96f, 0x6fe4ac98, 0xb173ecc0,
+ 0xbc60b42a, 0x953498da, 0xfba1ae12, 0x2d4bd736, 0x0f25faab, 0xa4f3fceb,
+ 0xe2969123, 0x257f0c3d, 0x9348af49, 0x361400bc, 0xe8816f4a, 0x3814f200,
+ 0xa3f94043, 0x9c7a54c2, 0xbc704f57, 0xda41e7f9, 0xc25ad33a, 0x54f4a084,
+ 0xb17f5505, 0x59357cbe, 0xedbd15c8, 0x7f97c5ab, 0xba5ac7b5, 0xb6f6deaf,
+ 0x3a479c3a, 0x5302da25, 0x653d7e6a, 0x54268d49, 0x51a477ea, 0x5017d55b,
+ 0xd7d25d88, 0x44136c76, 0x0404a8c8, 0xb8e5a121, 0xb81a928a, 0x60ed5869,
+ 0x97c55b96, 0xeaec991b, 0x29935913, 0x01fdb7f1, 0x088e8dfa, 0x9ab6f6f5,
+ 0x3b4cbf9f, 0x4a5de3ab, 0xe6051d35, 0xa0e1d855, 0xd36b4cf1, 0xf544edeb,
+ 0xb0e93524, 0xbebb8fbd, 0xa2d762cf, 0x49c92f54, 0x38b5f331, 0x7128a454,
+ 0x48392905, 0xa65b1db8, 0x851c97bd, 0xd675cf2f,
+};
+
+const uint32_t CAST_S_table6[256] = {
+ 0x85e04019, 0x332bf567, 0x662dbfff, 0xcfc65693, 0x2a8d7f6f, 0xab9bc912,
+ 0xde6008a1, 0x2028da1f, 0x0227bce7, 0x4d642916, 0x18fac300, 0x50f18b82,
+ 0x2cb2cb11, 0xb232e75c, 0x4b3695f2, 0xb28707de, 0xa05fbcf6, 0xcd4181e9,
+ 0xe150210c, 0xe24ef1bd, 0xb168c381, 0xfde4e789, 0x5c79b0d8, 0x1e8bfd43,
+ 0x4d495001, 0x38be4341, 0x913cee1d, 0x92a79c3f, 0x089766be, 0xbaeeadf4,
+ 0x1286becf, 0xb6eacb19, 0x2660c200, 0x7565bde4, 0x64241f7a, 0x8248dca9,
+ 0xc3b3ad66, 0x28136086, 0x0bd8dfa8, 0x356d1cf2, 0x107789be, 0xb3b2e9ce,
+ 0x0502aa8f, 0x0bc0351e, 0x166bf52a, 0xeb12ff82, 0xe3486911, 0xd34d7516,
+ 0x4e7b3aff, 0x5f43671b, 0x9cf6e037, 0x4981ac83, 0x334266ce, 0x8c9341b7,
+ 0xd0d854c0, 0xcb3a6c88, 0x47bc2829, 0x4725ba37, 0xa66ad22b, 0x7ad61f1e,
+ 0x0c5cbafa, 0x4437f107, 0xb6e79962, 0x42d2d816, 0x0a961288, 0xe1a5c06e,
+ 0x13749e67, 0x72fc081a, 0xb1d139f7, 0xf9583745, 0xcf19df58, 0xbec3f756,
+ 0xc06eba30, 0x07211b24, 0x45c28829, 0xc95e317f, 0xbc8ec511, 0x38bc46e9,
+ 0xc6e6fa14, 0xbae8584a, 0xad4ebc46, 0x468f508b, 0x7829435f, 0xf124183b,
+ 0x821dba9f, 0xaff60ff4, 0xea2c4e6d, 0x16e39264, 0x92544a8b, 0x009b4fc3,
+ 0xaba68ced, 0x9ac96f78, 0x06a5b79a, 0xb2856e6e, 0x1aec3ca9, 0xbe838688,
+ 0x0e0804e9, 0x55f1be56, 0xe7e5363b, 0xb3a1f25d, 0xf7debb85, 0x61fe033c,
+ 0x16746233, 0x3c034c28, 0xda6d0c74, 0x79aac56c, 0x3ce4e1ad, 0x51f0c802,
+ 0x98f8f35a, 0x1626a49f, 0xeed82b29, 0x1d382fe3, 0x0c4fb99a, 0xbb325778,
+ 0x3ec6d97b, 0x6e77a6a9, 0xcb658b5c, 0xd45230c7, 0x2bd1408b, 0x60c03eb7,
+ 0xb9068d78, 0xa33754f4, 0xf430c87d, 0xc8a71302, 0xb96d8c32, 0xebd4e7be,
+ 0xbe8b9d2d, 0x7979fb06, 0xe7225308, 0x8b75cf77, 0x11ef8da4, 0xe083c858,
+ 0x8d6b786f, 0x5a6317a6, 0xfa5cf7a0, 0x5dda0033, 0xf28ebfb0, 0xf5b9c310,
+ 0xa0eac280, 0x08b9767a, 0xa3d9d2b0, 0x79d34217, 0x021a718d, 0x9ac6336a,
+ 0x2711fd60, 0x438050e3, 0x069908a8, 0x3d7fedc4, 0x826d2bef, 0x4eeb8476,
+ 0x488dcf25, 0x36c9d566, 0x28e74e41, 0xc2610aca, 0x3d49a9cf, 0xbae3b9df,
+ 0xb65f8de6, 0x92aeaf64, 0x3ac7d5e6, 0x9ea80509, 0xf22b017d, 0xa4173f70,
+ 0xdd1e16c3, 0x15e0d7f9, 0x50b1b887, 0x2b9f4fd5, 0x625aba82, 0x6a017962,
+ 0x2ec01b9c, 0x15488aa9, 0xd716e740, 0x40055a2c, 0x93d29a22, 0xe32dbf9a,
+ 0x058745b9, 0x3453dc1e, 0xd699296e, 0x496cff6f, 0x1c9f4986, 0xdfe2ed07,
+ 0xb87242d1, 0x19de7eae, 0x053e561a, 0x15ad6f8c, 0x66626c1c, 0x7154c24c,
+ 0xea082b2a, 0x93eb2939, 0x17dcb0f0, 0x58d4f2ae, 0x9ea294fb, 0x52cf564c,
+ 0x9883fe66, 0x2ec40581, 0x763953c3, 0x01d6692e, 0xd3a0c108, 0xa1e7160e,
+ 0xe4f2dfa6, 0x693ed285, 0x74904698, 0x4c2b0edd, 0x4f757656, 0x5d393378,
+ 0xa132234f, 0x3d321c5d, 0xc3f5e194, 0x4b269301, 0xc79f022f, 0x3c997e7e,
+ 0x5e4f9504, 0x3ffafbbd, 0x76f7ad0e, 0x296693f4, 0x3d1fce6f, 0xc61e45be,
+ 0xd3b5ab34, 0xf72bf9b7, 0x1b0434c0, 0x4e72b567, 0x5592a33d, 0xb5229301,
+ 0xcfd2a87f, 0x60aeb767, 0x1814386b, 0x30bcc33d, 0x38a0c07d, 0xfd1606f2,
+ 0xc363519b, 0x589dd390, 0x5479f8e6, 0x1cb8d647, 0x97fd61a9, 0xea7759f4,
+ 0x2d57539d, 0x569a58cf, 0xe84e63ad, 0x462e1b78, 0x6580f87e, 0xf3817914,
+ 0x91da55f4, 0x40a230f3, 0xd1988f35, 0xb6e318d2, 0x3ffa50bc, 0x3d40f021,
+ 0xc3c0bdae, 0x4958c24c, 0x518f36b2, 0x84b1d370, 0x0fedce83, 0x878ddada,
+ 0xf2a279c7, 0x94e01be8, 0x90716f4b, 0x954b8aa3,
+};
+
+const uint32_t CAST_S_table7[256] = {
+ 0xe216300d, 0xbbddfffc, 0xa7ebdabd, 0x35648095, 0x7789f8b7, 0xe6c1121b,
+ 0x0e241600, 0x052ce8b5, 0x11a9cfb0, 0xe5952f11, 0xece7990a, 0x9386d174,
+ 0x2a42931c, 0x76e38111, 0xb12def3a, 0x37ddddfc, 0xde9adeb1, 0x0a0cc32c,
+ 0xbe197029, 0x84a00940, 0xbb243a0f, 0xb4d137cf, 0xb44e79f0, 0x049eedfd,
+ 0x0b15a15d, 0x480d3168, 0x8bbbde5a, 0x669ded42, 0xc7ece831, 0x3f8f95e7,
+ 0x72df191b, 0x7580330d, 0x94074251, 0x5c7dcdfa, 0xabbe6d63, 0xaa402164,
+ 0xb301d40a, 0x02e7d1ca, 0x53571dae, 0x7a3182a2, 0x12a8ddec, 0xfdaa335d,
+ 0x176f43e8, 0x71fb46d4, 0x38129022, 0xce949ad4, 0xb84769ad, 0x965bd862,
+ 0x82f3d055, 0x66fb9767, 0x15b80b4e, 0x1d5b47a0, 0x4cfde06f, 0xc28ec4b8,
+ 0x57e8726e, 0x647a78fc, 0x99865d44, 0x608bd593, 0x6c200e03, 0x39dc5ff6,
+ 0x5d0b00a3, 0xae63aff2, 0x7e8bd632, 0x70108c0c, 0xbbd35049, 0x2998df04,
+ 0x980cf42a, 0x9b6df491, 0x9e7edd53, 0x06918548, 0x58cb7e07, 0x3b74ef2e,
+ 0x522fffb1, 0xd24708cc, 0x1c7e27cd, 0xa4eb215b, 0x3cf1d2e2, 0x19b47a38,
+ 0x424f7618, 0x35856039, 0x9d17dee7, 0x27eb35e6, 0xc9aff67b, 0x36baf5b8,
+ 0x09c467cd, 0xc18910b1, 0xe11dbf7b, 0x06cd1af8, 0x7170c608, 0x2d5e3354,
+ 0xd4de495a, 0x64c6d006, 0xbcc0c62c, 0x3dd00db3, 0x708f8f34, 0x77d51b42,
+ 0x264f620f, 0x24b8d2bf, 0x15c1b79e, 0x46a52564, 0xf8d7e54e, 0x3e378160,
+ 0x7895cda5, 0x859c15a5, 0xe6459788, 0xc37bc75f, 0xdb07ba0c, 0x0676a3ab,
+ 0x7f229b1e, 0x31842e7b, 0x24259fd7, 0xf8bef472, 0x835ffcb8, 0x6df4c1f2,
+ 0x96f5b195, 0xfd0af0fc, 0xb0fe134c, 0xe2506d3d, 0x4f9b12ea, 0xf215f225,
+ 0xa223736f, 0x9fb4c428, 0x25d04979, 0x34c713f8, 0xc4618187, 0xea7a6e98,
+ 0x7cd16efc, 0x1436876c, 0xf1544107, 0xbedeee14, 0x56e9af27, 0xa04aa441,
+ 0x3cf7c899, 0x92ecbae6, 0xdd67016d, 0x151682eb, 0xa842eedf, 0xfdba60b4,
+ 0xf1907b75, 0x20e3030f, 0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054,
+ 0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504, 0xf1e47d8d, 0x844a1be5,
+ 0xbae7dfdc, 0x42cbda70, 0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c,
+ 0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc, 0x77853b53, 0x37effcb5,
+ 0xc5068778, 0xe580b3e6, 0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c,
+ 0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd, 0xdd06caa2, 0x37df932b,
+ 0xc4248289, 0xacf3ebc3, 0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4,
+ 0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4, 0xe87b40e4, 0xe98ea084,
+ 0x5889e9e1, 0xefd390fc, 0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101,
+ 0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba, 0x646f1282, 0x7523d24a,
+ 0xe0779695, 0xf9c17a8f, 0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf,
+ 0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e, 0x11403092, 0x00da6d77,
+ 0x4a0cdd61, 0xad1f4603, 0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a,
+ 0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37, 0x2de705ca, 0x8951570f,
+ 0xdf09822b, 0xbd691a6c, 0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819,
+ 0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384, 0x5938fa0f, 0x42399ef3,
+ 0x36997b07, 0x0e84093d, 0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c,
+ 0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347, 0x589e8d82, 0x0d2059d1,
+ 0xa466bb1e, 0xf8da0a82, 0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d,
+ 0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e,
+};
diff --git a/src/decrepit/macros.h b/src/decrepit/macros.h
new file mode 100644
index 0000000..228183a
--- /dev/null
+++ b/src/decrepit/macros.h
@@ -0,0 +1,123 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#ifndef OPENSSL_HEADER_DECREPIT_MACROS_H
+#define OPENSSL_HEADER_DECREPIT_MACROS_H
+
+
+/* NOTE - c is not incremented as per n2l */
+#define n2ln(c, l1, l2, n) \
+ { \
+ c += n; \
+ l1 = l2 = 0; \
+ switch (n) { \
+ case 8: \
+ l2 = ((unsigned long)(*(--(c)))); \
+ case 7: \
+ l2 |= ((unsigned long)(*(--(c)))) << 8; \
+ case 6: \
+ l2 |= ((unsigned long)(*(--(c)))) << 16; \
+ case 5: \
+ l2 |= ((unsigned long)(*(--(c)))) << 24; \
+ case 4: \
+ l1 = ((unsigned long)(*(--(c)))); \
+ case 3: \
+ l1 |= ((unsigned long)(*(--(c)))) << 8; \
+ case 2: \
+ l1 |= ((unsigned long)(*(--(c)))) << 16; \
+ case 1: \
+ l1 |= ((unsigned long)(*(--(c)))) << 24; \
+ } \
+ }
+
+/* NOTE - c is not incremented as per l2n */
+#define l2nn(l1, l2, c, n) \
+ { \
+ c += n; \
+ switch (n) { \
+ case 8: \
+ *(--(c)) = (unsigned char)(((l2)) & 0xff); \
+ case 7: \
+ *(--(c)) = (unsigned char)(((l2) >> 8) & 0xff); \
+ case 6: \
+ *(--(c)) = (unsigned char)(((l2) >> 16) & 0xff); \
+ case 5: \
+ *(--(c)) = (unsigned char)(((l2) >> 24) & 0xff); \
+ case 4: \
+ *(--(c)) = (unsigned char)(((l1)) & 0xff); \
+ case 3: \
+ *(--(c)) = (unsigned char)(((l1) >> 8) & 0xff); \
+ case 2: \
+ *(--(c)) = (unsigned char)(((l1) >> 16) & 0xff); \
+ case 1: \
+ *(--(c)) = (unsigned char)(((l1) >> 24) & 0xff); \
+ } \
+ }
+
+#define l2n(l, c) \
+ (*((c)++) = (unsigned char)(((l) >> 24L) & 0xff), \
+ *((c)++) = (unsigned char)(((l) >> 16L) & 0xff), \
+ *((c)++) = (unsigned char)(((l) >> 8L) & 0xff), \
+ *((c)++) = (unsigned char)(((l)) & 0xff))
+
+#define n2l(c, l) \
+ (l = ((unsigned long)(*((c)++))) << 24L, \
+ l |= ((unsigned long)(*((c)++))) << 16L, \
+ l |= ((unsigned long)(*((c)++))) << 8L, \
+ l |= ((unsigned long)(*((c)++))))
+
+
+#endif /* OPENSSL_HEADER_DECREPIT_MACROS_H */
diff --git a/src/include/openssl/aead.h b/src/include/openssl/aead.h
index 61cf3cd..dc453e3 100644
--- a/src/include/openssl/aead.h
+++ b/src/include/openssl/aead.h
@@ -115,18 +115,28 @@
* See |EVP_aead_aes_128_key_wrap| for details. */
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_key_wrap(void);
+/* EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for
+ * authentication. The nonce is 12 bytes; the bottom 32-bits are used as the
+ * block counter, thus the maximum plaintext size is 64GB. */
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);
+
+/* EVP_aead_aes_128_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for
+ * authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. */
+OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);
+
/* EVP_has_aes_hardware returns one if we enable hardware support for fast and
* constant-time AES-GCM. */
OPENSSL_EXPORT int EVP_has_aes_hardware(void);
-/* TLS specific AEAD algorithms.
+/* TLS-specific AEAD algorithms.
*
* These AEAD primitives do not meet the definition of generic AEADs. They are
- * all specific to TLS in some fashion and should not be used outside of that
- * context. They require an additional data of length 11 (the standard TLS one
- * with the length omitted). They are also stateful, so a given |EVP_AEAD_CTX|
- * may only be used for one of seal or open, but not both. */
+ * all specific to TLS and should not be used outside of that context. They must
+ * be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may
+ * not be used concurrently. Any nonces are used as IVs, so they must be
+ * unpredictable. They only accept an |ad| parameter of length 11 (the standard
+ * TLS one with length omitted). */
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_tls(void);
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_tls(void);
@@ -144,11 +154,13 @@
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);
-/* SSLv3 specific AEAD algorithms.
+/* SSLv3-specific AEAD algorithms.
*
* These AEAD primitives do not meet the definition of generic AEADs. They are
- * all specific to SSLv3 in some fashion and should not be used outside of that
- * context. */
+ * all specific to SSLv3 and should not be used outside of that context. They
+ * must be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful,
+ * and may not be used concurrently. They only accept an |ad| parameter of
+ * length 9 (the standard TLS one with length and version omitted). */
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_md5_ssl3(void);
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_rc4_sha1_ssl3(void);
@@ -205,17 +217,35 @@
* be used. */
#define EVP_AEAD_DEFAULT_TAG_LENGTH 0
-/* EVP_AEAD_init initializes |ctx| for the given AEAD algorithm from |impl|.
+/* evp_aead_direction_t denotes the direction of an AEAD operation. */
+enum evp_aead_direction_t {
+ evp_aead_open,
+ evp_aead_seal,
+};
+
+/* EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm from |impl|.
* The |impl| argument may be NULL to choose the default implementation.
* Authentication tags may be truncated by passing a size as |tag_len|. A
* |tag_len| of zero indicates the default tag length and this is defined as
* EVP_AEAD_DEFAULT_TAG_LENGTH for readability.
- * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. */
+ *
+ * Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In
+ * the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's
+ * harmless to do so. */
OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
const uint8_t *key, size_t key_len,
size_t tag_len, ENGINE *impl);
-/* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. */
+/* EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal
+ * AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a
+ * given direction. */
+OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(
+ EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,
+ size_t tag_len, enum evp_aead_direction_t dir);
+
+/* EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to
+ * call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to
+ * all zeros. */
OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);
/* EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and
@@ -270,6 +300,14 @@
const uint8_t *ad, size_t ad_len);
+/* Obscure functions. */
+
+/* EVP_AEAD_CTX_get_rc4_state sets |*out_key| to point to an RC4 key structure.
+ * It returns one on success or zero if |ctx| doesn't have an RC4 key. */
+OPENSSL_EXPORT int EVP_AEAD_CTX_get_rc4_state(const EVP_AEAD_CTX *ctx,
+ const RC4_KEY **out_key);
+
+
#if defined(__cplusplus)
} /* extern C */
#endif
diff --git a/src/include/openssl/asn1.h b/src/include/openssl/asn1.h
index 941b156..4baf81c 100644
--- a/src/include/openssl/asn1.h
+++ b/src/include/openssl/asn1.h
@@ -517,7 +517,7 @@
} /* X509_ALGOR */;
DEFINE_STACK_OF(X509_ALGOR);
-DECLARE_ASN1_FUNCTIONS(X509_ALGOR);
+DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
typedef struct NETSCAPE_X509_st
{
@@ -1078,187 +1078,157 @@
}
#endif
-#define ASN1_F_asn1_template_ex_d2i 100
-#define ASN1_F_ASN1_dup 101
-#define ASN1_F_a2i_ASN1_STRING 102
-#define ASN1_F_ASN1_d2i_fp 103
-#define ASN1_F_d2i_ASN1_OBJECT 104
-#define ASN1_F_asn1_item_ex_combine_new 105
-#define ASN1_F_ASN1_template_new 106
-#define ASN1_F_asn1_do_adb 107
-#define ASN1_F_asn1_d2i_read_bio 108
-#define ASN1_F_asn1_ex_c2i 109
-#define ASN1_F_c2i_ASN1_INTEGER 110
-#define ASN1_F_ASN1_PCTX_new 111
-#define ASN1_F_ASN1_item_unpack 112
-#define ASN1_F_d2i_ASN1_type_bytes 113
-#define ASN1_F_a2i_ASN1_INTEGER 114
-#define ASN1_F_asn1_collect 115
-#define ASN1_F_ASN1_item_dup 116
-#define ASN1_F_ASN1_ENUMERATED_set 117
-#define ASN1_F_c2i_ASN1_OBJECT 118
-#define ASN1_F_ASN1_unpack_string 119
-#define ASN1_F_d2i_ASN1_UINTEGER 120
-#define ASN1_F_long_c2i 121
-#define ASN1_F_ASN1_seq_pack 122
-#define ASN1_F_a2d_ASN1_OBJECT 123
-#define ASN1_F_ASN1_STRING_type_new 124
-#define ASN1_F_ASN1_INTEGER_set 125
-#define ASN1_F_BN_to_ASN1_INTEGER 126
-#define ASN1_F_BIO_new_NDEF 127
-#define ASN1_F_ASN1_ENUMERATED_to_BN 128
-#define ASN1_F_ASN1_item_ex_d2i 129
-#define ASN1_F_ASN1_INTEGER_to_BN 130
-#define ASN1_F_i2d_ASN1_TIME 131
-#define ASN1_F_ASN1_TIME_adj 132
-#define ASN1_F_ASN1_BIT_STRING_set_bit 133
-#define ASN1_F_ASN1_seq_unpack 134
-#define ASN1_F_ASN1_item_pack 135
-#define ASN1_F_ASN1_STRING_set 136
-#define ASN1_F_ASN1_UTCTIME_adj 137
-#define ASN1_F_ASN1_mbstring_ncopy 138
-#define ASN1_F_d2i_ASN1_BOOLEAN 139
-#define ASN1_F_ASN1_OBJECT_new 140
-#define ASN1_F_asn1_template_noexp_d2i 141
-#define ASN1_F_c2i_ASN1_BIT_STRING 142
-#define ASN1_F_BN_to_ASN1_ENUMERATED 143
-#define ASN1_F_asn1_d2i_ex_primitive 144
-#define ASN1_F_ASN1_i2d_bio 145
-#define ASN1_F_ASN1_item_i2d_bio 146
-#define ASN1_F_d2i_ASN1_UTCTIME 147
-#define ASN1_F_ASN1_STRING_TABLE_add 148
-#define ASN1_F_asn1_find_end 149
-#define ASN1_F_ASN1_item_d2i_fp 150
-#define ASN1_F_collect_data 151
-#define ASN1_F_asn1_check_tlen 152
-#define ASN1_F_ASN1_i2d_fp 153
-#define ASN1_F_ASN1_item_i2d_fp 154
-#define ASN1_F_ASN1_GENERALIZEDTIME_adj 155
-#define ASN1_F_asn1_collate_primitive 156
-#define ASN1_F_ASN1_pack_string 157
-#define ASN1_F_ASN1_get_object 158
-#define ASN1_F_d2i_ASN1_bytes 159
-#define ASN1_F_a2i_ASN1_ENUMERATED 160
-#define ASN1_R_ASN1_SIG_PARSE_ERROR 100
-#define ASN1_R_ADDING_OBJECT 101
-#define ASN1_R_MIME_NO_CONTENT_TYPE 102
-#define ASN1_R_UNKNOWN_OBJECT_TYPE 103
-#define ASN1_R_ILLEGAL_FORMAT 104
-#define ASN1_R_HEADER_TOO_LONG 105
-#define ASN1_R_INVALID_UTF8STRING 106
-#define ASN1_R_EXPLICIT_LENGTH_MISMATCH 107
-#define ASN1_R_ILLEGAL_TAGGED_ANY 108
-#define ASN1_R_DATA_IS_WRONG 109
-#define ASN1_R_NOT_ASCII_FORMAT 110
-#define ASN1_R_NOT_ENOUGH_DATA 111
-#define ASN1_R_MSTRING_NOT_UNIVERSAL 112
-#define ASN1_R_UNKNOWN_FORMAT 113
-#define ASN1_R_BAD_PASSWORD_READ 115
-#define ASN1_R_BAD_OBJECT_HEADER 116
-#define ASN1_R_ILLEGAL_CHARACTERS 117
-#define ASN1_R_CONTEXT_NOT_INITIALISED 118
-#define ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG 119
-#define ASN1_R_BN_LIB 120
-#define ASN1_R_NO_MATCHING_CHOICE_TYPE 121
-#define ASN1_R_SEQUENCE_NOT_CONSTRUCTED 122
-#define ASN1_R_ASN1_PARSE_ERROR 123
-#define ASN1_R_NO_MULTIPART_BOUNDARY 124
-#define ASN1_R_INVALID_SEPARATOR 125
-#define ASN1_R_MALLOC_FAILURE 126
-#define ASN1_R_ILLEGAL_NULL 127
-#define ASN1_R_INVALID_MIME_TYPE 128
-#define ASN1_R_INVALID_NUMBER 129
-#define ASN1_R_STRING_TOO_LONG 130
-#define ASN1_R_BAD_GET_ASN1_OBJECT_CALL 131
-#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 132
-#define ASN1_R_EXPECTING_A_TIME 133
-#define ASN1_R_TAG_VALUE_TOO_HIGH 134
-#define ASN1_R_NESTED_ASN1_STRING 135
-#define ASN1_R_ILLEGAL_BITSTRING_FORMAT 136
-#define ASN1_R_MISSING_SECOND_NUMBER 137
-#define ASN1_R_TIME_NOT_ASCII_FORMAT 138
-#define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 139
-#define ASN1_R_WRONG_TYPE 140
-#define ASN1_R_EXPECTING_AN_INTEGER 141
-#define ASN1_R_DEPTH_EXCEEDED 142
-#define ASN1_R_ILLEGAL_OBJECT 143
-#define ASN1_R_UNKNOWN_TAG 144
-#define ASN1_R_ILLEGAL_IMPLICIT_TAG 145
-#define ASN1_R_AUX_ERROR 146
-#define ASN1_R_SEQUENCE_LENGTH_MISMATCH 147
-#define ASN1_R_FIELD_MISSING 148
-#define ASN1_R_TYPE_NOT_CONSTRUCTED 149
-#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 150
-#define ASN1_R_FIRST_NUM_TOO_LARGE 151
-#define ASN1_R_INVALID_DIGIT 152
-#define ASN1_R_MSTRING_WRONG_TAG 153
-#define ASN1_R_OBJECT_NOT_ASCII_FORMAT 154
-#define ASN1_R_UNSUPPORTED_TYPE 155
-#define ASN1_R_ERROR_LOADING_SECTION 156
-#define ASN1_R_ODD_NUMBER_OF_CHARS 157
-#define ASN1_R_ASN1_LENGTH_MISMATCH 158
-#define ASN1_R_MISSING_EOC 159
-#define ASN1_R_ILLEGAL_INTEGER 160
-#define ASN1_R_ILLEGAL_HEX 161
-#define ASN1_R_NESTED_ASN1_ERROR 162
-#define ASN1_R_TOO_LONG 163
-#define ASN1_R_LENGTH_ERROR 164
-#define ASN1_R_DECODING_ERROR 165
-#define ASN1_R_MIME_SIG_PARSE_ERROR 166
-#define ASN1_R_ILLEGAL_NULL_VALUE 167
-#define ASN1_R_EXPECTING_A_BOOLEAN 168
-#define ASN1_R_STREAMING_NOT_SUPPORTED 169
-#define ASN1_R_INVALID_BMPSTRING_LENGTH 170
-#define ASN1_R_INTEGER_NOT_ASCII_FORMAT 171
-#define ASN1_R_INVALID_MODIFIER 172
-#define ASN1_R_UNEXPECTED_EOC 173
-#define ASN1_R_ILLEGAL_NESTED_TAGGING 174
-#define ASN1_R_IV_TOO_LARGE 175
-#define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 176
-#define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 177
-#define ASN1_R_BUFFER_TOO_SMALL 178
-#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 179
-#define ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM 181
-#define ASN1_R_MIME_PARSE_ERROR 182
-#define ASN1_R_INVALID_OBJECT_ENCODING 183
-#define ASN1_R_PRIVATE_KEY_HEADER_MISSING 184
-#define ASN1_R_UNSUPPORTED_CIPHER 185
-#define ASN1_R_NO_MULTIPART_BODY_FAILURE 186
-#define ASN1_R_NO_CONTENT_TYPE 187
-#define ASN1_R_SECOND_NUMBER_TOO_LARGE 188
-#define ASN1_R_INVALID_TIME_FORMAT 189
-#define ASN1_R_NO_DEFAULT_DIGEST 190
-#define ASN1_R_ERROR_SETTING_CIPHER_PARAMS 191
-#define ASN1_R_EXPECTING_AN_OBJECT 192
-#define ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE 193
-#define ASN1_R_ERROR_GETTING_TIME 194
-#define ASN1_R_MISSING_VALUE 195
-#define ASN1_R_LIST_ERROR 196
-#define ASN1_R_DECODE_ERROR 197
-#define ASN1_R_NON_HEX_CHARACTERS 198
-#define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE 199
-#define ASN1_R_EXPECTING_AN_ASN1_SEQUENCE 201
-#define ASN1_R_STRING_TOO_SHORT 203
-#define ASN1_R_ILLEGAL_OPTIONAL_ANY 204
-#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 205
-#define ASN1_R_NO_SIG_CONTENT_TYPE 206
-#define ASN1_R_ENCODE_ERROR 207
-#define ASN1_R_SHORT_LINE 208
-#define ASN1_R_ILLEGAL_TIME_VALUE 209
-#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 210
-#define ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 211
-#define ASN1_R_BAD_CLASS 212
-#define ASN1_R_BAD_TAG 213
-#define ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE 214
-#define ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED 215
-#define ASN1_R_ILLEGAL_BOOLEAN 216
-#define ASN1_R_SIG_INVALID_MIME_TYPE 217
-#define ASN1_R_NULL_IS_WRONG_LENGTH 218
-#define ASN1_R_MISSING_ASN1_EOS 219
-#define ASN1_R_ERROR_PARSING_SET_ELEMENT 220
-#define ASN1_R_WRONG_TAG 221
-#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 222
-#define ASN1_R_TYPE_NOT_PRIMITIVE 223
-#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 224
+#define ASN1_F_ASN1_BIT_STRING_set_bit 100
+#define ASN1_F_ASN1_ENUMERATED_set 101
+#define ASN1_F_ASN1_ENUMERATED_to_BN 102
+#define ASN1_F_ASN1_GENERALIZEDTIME_adj 103
+#define ASN1_F_ASN1_INTEGER_set 104
+#define ASN1_F_ASN1_INTEGER_to_BN 105
+#define ASN1_F_ASN1_OBJECT_new 106
+#define ASN1_F_ASN1_PCTX_new 107
+#define ASN1_F_ASN1_STRING_TABLE_add 108
+#define ASN1_F_ASN1_STRING_set 109
+#define ASN1_F_ASN1_STRING_type_new 110
+#define ASN1_F_ASN1_TIME_adj 111
+#define ASN1_F_ASN1_UTCTIME_adj 112
+#define ASN1_F_ASN1_d2i_fp 113
+#define ASN1_F_ASN1_dup 114
+#define ASN1_F_ASN1_generate_v3 115
+#define ASN1_F_ASN1_get_object 116
+#define ASN1_F_ASN1_i2d_bio 117
+#define ASN1_F_ASN1_i2d_fp 118
+#define ASN1_F_ASN1_item_d2i_fp 119
+#define ASN1_F_ASN1_item_dup 120
+#define ASN1_F_ASN1_item_ex_d2i 121
+#define ASN1_F_ASN1_item_i2d_bio 122
+#define ASN1_F_ASN1_item_i2d_fp 123
+#define ASN1_F_ASN1_item_pack 124
+#define ASN1_F_ASN1_item_unpack 125
+#define ASN1_F_ASN1_mbstring_ncopy 126
+#define ASN1_F_ASN1_template_new 127
+#define ASN1_F_BIO_new_NDEF 128
+#define ASN1_F_BN_to_ASN1_ENUMERATED 129
+#define ASN1_F_BN_to_ASN1_INTEGER 130
+#define ASN1_F_a2d_ASN1_OBJECT 131
+#define ASN1_F_a2i_ASN1_ENUMERATED 132
+#define ASN1_F_a2i_ASN1_INTEGER 133
+#define ASN1_F_a2i_ASN1_STRING 134
+#define ASN1_F_append_exp 135
+#define ASN1_F_asn1_cb 136
+#define ASN1_F_asn1_check_tlen 137
+#define ASN1_F_asn1_collate_primitive 138
+#define ASN1_F_asn1_collect 139
+#define ASN1_F_asn1_d2i_ex_primitive 140
+#define ASN1_F_asn1_d2i_read_bio 141
+#define ASN1_F_asn1_do_adb 142
+#define ASN1_F_asn1_ex_c2i 143
+#define ASN1_F_asn1_find_end 144
+#define ASN1_F_asn1_item_ex_combine_new 145
+#define ASN1_F_asn1_str2type 146
+#define ASN1_F_asn1_template_ex_d2i 147
+#define ASN1_F_asn1_template_noexp_d2i 148
+#define ASN1_F_bitstr_cb 149
+#define ASN1_F_c2i_ASN1_BIT_STRING 150
+#define ASN1_F_c2i_ASN1_INTEGER 151
+#define ASN1_F_c2i_ASN1_OBJECT 152
+#define ASN1_F_collect_data 153
+#define ASN1_F_d2i_ASN1_BOOLEAN 154
+#define ASN1_F_d2i_ASN1_OBJECT 155
+#define ASN1_F_d2i_ASN1_UINTEGER 156
+#define ASN1_F_d2i_ASN1_UTCTIME 157
+#define ASN1_F_d2i_ASN1_bytes 158
+#define ASN1_F_d2i_ASN1_type_bytes 159
+#define ASN1_F_i2d_ASN1_TIME 160
+#define ASN1_F_i2d_PrivateKey 161
+#define ASN1_F_long_c2i 162
+#define ASN1_F_parse_tagging 163
+#define ASN1_R_ASN1_LENGTH_MISMATCH 100
+#define ASN1_R_AUX_ERROR 101
+#define ASN1_R_BAD_GET_ASN1_OBJECT_CALL 102
+#define ASN1_R_BAD_OBJECT_HEADER 103
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 104
+#define ASN1_R_BN_LIB 105
+#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
+#define ASN1_R_BUFFER_TOO_SMALL 107
+#define ASN1_R_DECODE_ERROR 108
+#define ASN1_R_DEPTH_EXCEEDED 109
+#define ASN1_R_ENCODE_ERROR 110
+#define ASN1_R_ERROR_GETTING_TIME 111
+#define ASN1_R_EXPECTING_AN_ASN1_SEQUENCE 112
+#define ASN1_R_EXPECTING_AN_INTEGER 113
+#define ASN1_R_EXPECTING_AN_OBJECT 114
+#define ASN1_R_EXPECTING_A_BOOLEAN 115
+#define ASN1_R_EXPECTING_A_TIME 116
+#define ASN1_R_EXPLICIT_LENGTH_MISMATCH 117
+#define ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED 118
+#define ASN1_R_FIELD_MISSING 119
+#define ASN1_R_FIRST_NUM_TOO_LARGE 120
+#define ASN1_R_HEADER_TOO_LONG 121
+#define ASN1_R_ILLEGAL_BITSTRING_FORMAT 122
+#define ASN1_R_ILLEGAL_BOOLEAN 123
+#define ASN1_R_ILLEGAL_CHARACTERS 124
+#define ASN1_R_ILLEGAL_FORMAT 125
+#define ASN1_R_ILLEGAL_HEX 126
+#define ASN1_R_ILLEGAL_IMPLICIT_TAG 127
+#define ASN1_R_ILLEGAL_INTEGER 128
+#define ASN1_R_ILLEGAL_NESTED_TAGGING 129
+#define ASN1_R_ILLEGAL_NULL 130
+#define ASN1_R_ILLEGAL_NULL_VALUE 131
+#define ASN1_R_ILLEGAL_OBJECT 132
+#define ASN1_R_ILLEGAL_OPTIONAL_ANY 133
+#define ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE 134
+#define ASN1_R_ILLEGAL_TAGGED_ANY 135
+#define ASN1_R_ILLEGAL_TIME_VALUE 136
+#define ASN1_R_INTEGER_NOT_ASCII_FORMAT 137
+#define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 138
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 139
+#define ASN1_R_INVALID_BMPSTRING_LENGTH 140
+#define ASN1_R_INVALID_DIGIT 141
+#define ASN1_R_INVALID_MODIFIER 142
+#define ASN1_R_INVALID_NUMBER 143
+#define ASN1_R_INVALID_OBJECT_ENCODING 144
+#define ASN1_R_INVALID_SEPARATOR 145
+#define ASN1_R_INVALID_TIME_FORMAT 146
+#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 147
+#define ASN1_R_INVALID_UTF8STRING 148
+#define ASN1_R_LIST_ERROR 149
+#define ASN1_R_MALLOC_FAILURE 150
+#define ASN1_R_MISSING_ASN1_EOS 151
+#define ASN1_R_MISSING_EOC 152
+#define ASN1_R_MISSING_SECOND_NUMBER 153
+#define ASN1_R_MISSING_VALUE 154
+#define ASN1_R_MSTRING_NOT_UNIVERSAL 155
+#define ASN1_R_MSTRING_WRONG_TAG 156
+#define ASN1_R_NESTED_ASN1_ERROR 157
+#define ASN1_R_NESTED_ASN1_STRING 158
+#define ASN1_R_NON_HEX_CHARACTERS 159
+#define ASN1_R_NOT_ASCII_FORMAT 160
+#define ASN1_R_NOT_ENOUGH_DATA 161
+#define ASN1_R_NO_MATCHING_CHOICE_TYPE 162
+#define ASN1_R_NULL_IS_WRONG_LENGTH 163
+#define ASN1_R_OBJECT_NOT_ASCII_FORMAT 164
+#define ASN1_R_ODD_NUMBER_OF_CHARS 165
+#define ASN1_R_SECOND_NUMBER_TOO_LARGE 166
+#define ASN1_R_SEQUENCE_LENGTH_MISMATCH 167
+#define ASN1_R_SEQUENCE_NOT_CONSTRUCTED 168
+#define ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG 169
+#define ASN1_R_SHORT_LINE 170
+#define ASN1_R_STREAMING_NOT_SUPPORTED 171
+#define ASN1_R_STRING_TOO_LONG 172
+#define ASN1_R_STRING_TOO_SHORT 173
+#define ASN1_R_TAG_VALUE_TOO_HIGH 174
+#define ASN1_R_TIME_NOT_ASCII_FORMAT 175
+#define ASN1_R_TOO_LONG 176
+#define ASN1_R_TYPE_NOT_CONSTRUCTED 177
+#define ASN1_R_TYPE_NOT_PRIMITIVE 178
+#define ASN1_R_UNEXPECTED_EOC 179
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 180
+#define ASN1_R_UNKNOWN_FORMAT 181
+#define ASN1_R_UNKNOWN_TAG 182
+#define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE 183
+#define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 184
+#define ASN1_R_UNSUPPORTED_TYPE 185
+#define ASN1_R_WRONG_TAG 186
+#define ASN1_R_WRONG_TYPE 187
#endif
diff --git a/src/include/openssl/asn1_mac.h b/src/include/openssl/asn1_mac.h
index 3e8eebb..49b2a28 100644
--- a/src/include/openssl/asn1_mac.h
+++ b/src/include/openssl/asn1_mac.h
@@ -65,512 +65,10 @@
extern "C" {
#endif
-#ifndef ASN1_MAC_ERR_LIB
-#define ASN1_MAC_ERR_LIB ERR_LIB_ASN1
-#endif
-
-#define ASN1_MAC_H_err(f,r,line) \
- ERR_put_error(ASN1_MAC_ERR_LIB,(f),(r),__FILE__,(line))
-
-#define M_ASN1_D2I_vars(a,type,func) \
- ASN1_const_CTX c; \
- type ret=NULL; \
- \
- c.pp=(const unsigned char **)pp; \
- c.q= *(const unsigned char **)pp; \
- c.error=ASN1_R_NESTED_ASN1_ERROR; \
- if ((a == NULL) || ((*a) == NULL)) \
- { if ((ret=(type)func()) == NULL) \
- { c.line=__LINE__; goto err; } } \
- else ret=(*a);
-
-#define M_ASN1_D2I_Init() \
- c.p= *(const unsigned char **)pp; \
- c.max=(length == 0)?0:(c.p+length);
-
-#define M_ASN1_D2I_Finish_2(a) \
- if (!asn1_const_Finish(&c)) \
- { c.line=__LINE__; goto err; } \
- *(const unsigned char **)pp=c.p; \
- if (a != NULL) (*a)=ret; \
- return(ret);
-
-#define M_ASN1_D2I_Finish(a,func,e) \
- M_ASN1_D2I_Finish_2(a); \
-err:\
- ASN1_MAC_H_err((e),c.error,c.line); \
- asn1_add_error(*(const unsigned char **)pp,(int)(c.q- *pp)); \
- if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
- return(NULL)
-
-#define M_ASN1_D2I_start_sequence() \
- if (!asn1_GetSequence(&c,&length)) \
- { c.line=__LINE__; goto err; }
-/* Begin reading ASN1 without a surrounding sequence */
-#define M_ASN1_D2I_begin() \
- c.slen = length;
-
-/* End reading ASN1 with no check on length */
-#define M_ASN1_D2I_Finish_nolen(a, func, e) \
- *pp=c.p; \
- if (a != NULL) (*a)=ret; \
- return(ret); \
-err:\
- ASN1_MAC_H_err((e),c.error,c.line); \
- asn1_add_error(*pp,(int)(c.q- *pp)); \
- if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \
- return(NULL)
-
-#define M_ASN1_D2I_end_sequence() \
- (((c.inf&1) == 0)?(c.slen <= 0): \
- (c.eos=ASN1_const_check_infinite_end(&c.p,c.slen)))
-
-/* Don't use this with d2i_ASN1_BOOLEAN() */
-#define M_ASN1_D2I_get(b, func) \
- c.q=c.p; \
- if (func(&(b),&c.p,c.slen) == NULL) \
- {c.line=__LINE__; goto err; } \
- c.slen-=(c.p-c.q);
-
-/* Don't use this with d2i_ASN1_BOOLEAN() */
-#define M_ASN1_D2I_get_x(type,b,func) \
- c.q=c.p; \
- if (((D2I_OF(type))func)(&(b),&c.p,c.slen) == NULL) \
- {c.line=__LINE__; goto err; } \
- c.slen-=(c.p-c.q);
-
-/* use this instead () */
-#define M_ASN1_D2I_get_int(b,func) \
- c.q=c.p; \
- if (func(&(b),&c.p,c.slen) < 0) \
- {c.line=__LINE__; goto err; } \
- c.slen-=(c.p-c.q);
-
-#define M_ASN1_D2I_get_opt(b,func,type) \
- if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) \
- == (V_ASN1_UNIVERSAL|(type)))) \
- { \
- M_ASN1_D2I_get(b,func); \
- }
-
-#define M_ASN1_D2I_get_int_opt(b,func,type) \
- if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) \
- == (V_ASN1_UNIVERSAL|(type)))) \
- { \
- M_ASN1_D2I_get_int(b,func); \
- }
-
-#define M_ASN1_D2I_get_imp(b,func, type) \
- M_ASN1_next=(_tmp& V_ASN1_CONSTRUCTED)|type; \
- c.q=c.p; \
- if (func(&(b),&c.p,c.slen) == NULL) \
- {c.line=__LINE__; M_ASN1_next_prev = _tmp; goto err; } \
- c.slen-=(c.p-c.q);\
- M_ASN1_next_prev=_tmp;
-
-#define M_ASN1_D2I_get_IMP_opt(b,func,tag,type) \
- if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) == \
- (V_ASN1_CONTEXT_SPECIFIC|(tag)))) \
- { \
- unsigned char _tmp = M_ASN1_next; \
- M_ASN1_D2I_get_imp(b,func, type);\
- }
-
-#define M_ASN1_D2I_get_set(r,func,free_func) \
- M_ASN1_D2I_get_imp_set(r,func,free_func, \
- V_ASN1_SET,V_ASN1_UNIVERSAL);
-
-#define M_ASN1_D2I_get_set_type(type,r,func,free_func) \
- M_ASN1_D2I_get_imp_set_type(type,r,func,free_func, \
- V_ASN1_SET,V_ASN1_UNIVERSAL);
-
-#define M_ASN1_D2I_get_set_opt(r,func,free_func) \
- if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
- V_ASN1_CONSTRUCTED|V_ASN1_SET)))\
- { M_ASN1_D2I_get_set(r,func,free_func); }
-
-#define M_ASN1_D2I_get_set_opt_type(type,r,func,free_func) \
- if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
- V_ASN1_CONSTRUCTED|V_ASN1_SET)))\
- { M_ASN1_D2I_get_set_type(type,r,func,free_func); }
-
-#define M_ASN1_I2D_len_SET_opt(a,f) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- M_ASN1_I2D_len_SET(a,f);
-
-#define M_ASN1_I2D_put_SET_opt(a,f) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- M_ASN1_I2D_put_SET(a,f);
-
-#define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- M_ASN1_I2D_put_SEQUENCE(a,f);
-
-#define M_ASN1_I2D_put_SEQUENCE_opt_type(type,a,f) \
- if ((a != NULL) && (sk_##type##_num(a) != 0)) \
- M_ASN1_I2D_put_SEQUENCE_type(type,a,f);
-
-#define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \
- if ((c.slen != 0) && \
- (M_ASN1_next == \
- (V_ASN1_CONTEXT_SPECIFIC|V_ASN1_CONSTRUCTED|(tag))))\
- { \
- M_ASN1_D2I_get_imp_set(b,func,free_func,\
- tag,V_ASN1_CONTEXT_SPECIFIC); \
- }
-
-#define M_ASN1_D2I_get_IMP_set_opt_type(type,b,func,free_func,tag) \
- if ((c.slen != 0) && \
- (M_ASN1_next == \
- (V_ASN1_CONTEXT_SPECIFIC|V_ASN1_CONSTRUCTED|(tag))))\
- { \
- M_ASN1_D2I_get_imp_set_type(type,b,func,free_func,\
- tag,V_ASN1_CONTEXT_SPECIFIC); \
- }
-
-#define M_ASN1_D2I_get_seq(r,func,free_func) \
- M_ASN1_D2I_get_imp_set(r,func,free_func,\
- V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL);
-
-#define M_ASN1_D2I_get_seq_type(type,r,func,free_func) \
- M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\
- V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL)
-
-#define M_ASN1_D2I_get_seq_opt(r,func,free_func) \
- if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
- V_ASN1_CONSTRUCTED|V_ASN1_SEQUENCE)))\
- { M_ASN1_D2I_get_seq(r,func,free_func); }
-
-#define M_ASN1_D2I_get_seq_opt_type(type,r,func,free_func) \
- if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \
- V_ASN1_CONSTRUCTED|V_ASN1_SEQUENCE)))\
- { M_ASN1_D2I_get_seq_type(type,r,func,free_func); }
-
-#define M_ASN1_D2I_get_IMP_set(r,func,free_func,x) \
- M_ASN1_D2I_get_imp_set(r,func,free_func,\
- x,V_ASN1_CONTEXT_SPECIFIC);
-
-#define M_ASN1_D2I_get_IMP_set_type(type,r,func,free_func,x) \
- M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\
- x,V_ASN1_CONTEXT_SPECIFIC);
-
-#define M_ASN1_D2I_get_imp_set(r,func,free_func,a,b) \
- c.q=c.p; \
- if (d2i_ASN1_SET(&(r),&c.p,c.slen,(char *(*)())func,\
- (void (*)())free_func,a,b) == NULL) \
- { c.line=__LINE__; goto err; } \
- c.slen-=(c.p-c.q);
-
-#define M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,a,b) \
- c.q=c.p; \
- if (d2i_ASN1_SET_OF_##type(&(r),&c.p,c.slen,func,\
- free_func,a,b) == NULL) \
- { c.line=__LINE__; goto err; } \
- c.slen-=(c.p-c.q);
-
-#define M_ASN1_D2I_get_set_strings(r,func,a,b) \
- c.q=c.p; \
- if (d2i_ASN1_STRING_SET(&(r),&c.p,c.slen,a,b) == NULL) \
- { c.line=__LINE__; goto err; } \
- c.slen-=(c.p-c.q);
-
-#define M_ASN1_D2I_get_EXP_opt(r,func,tag) \
- if ((c.slen != 0L) && (M_ASN1_next == \
- (V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \
- { \
- int Tinf,Ttag,Tclass; \
- long Tlen; \
- \
- c.q=c.p; \
- Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \
- if (Tinf & 0x80) \
- { c.error=ASN1_R_BAD_OBJECT_HEADER; \
- c.line=__LINE__; goto err; } \
- if (Tinf == (V_ASN1_CONSTRUCTED+1)) \
- Tlen = c.slen - (c.p - c.q) - 2; \
- if (func(&(r),&c.p,Tlen) == NULL) \
- { c.line=__LINE__; goto err; } \
- if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
- Tlen = c.slen - (c.p - c.q); \
- if(!ASN1_const_check_infinite_end(&c.p, Tlen)) \
- { c.error=ASN1_R_MISSING_ASN1_EOS; \
- c.line=__LINE__; goto err; } \
- }\
- c.slen-=(c.p-c.q); \
- }
-
-#define M_ASN1_D2I_get_EXP_set_opt(r,func,free_func,tag,b) \
- if ((c.slen != 0) && (M_ASN1_next == \
- (V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \
- { \
- int Tinf,Ttag,Tclass; \
- long Tlen; \
- \
- c.q=c.p; \
- Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \
- if (Tinf & 0x80) \
- { c.error=ASN1_R_BAD_OBJECT_HEADER; \
- c.line=__LINE__; goto err; } \
- if (Tinf == (V_ASN1_CONSTRUCTED+1)) \
- Tlen = c.slen - (c.p - c.q) - 2; \
- if (d2i_ASN1_SET(&(r),&c.p,Tlen,(char *(*)())func, \
- (void (*)())free_func, \
- b,V_ASN1_UNIVERSAL) == NULL) \
- { c.line=__LINE__; goto err; } \
- if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
- Tlen = c.slen - (c.p - c.q); \
- if(!ASN1_check_infinite_end(&c.p, Tlen)) \
- { c.error=ASN1_R_MISSING_ASN1_EOS; \
- c.line=__LINE__; goto err; } \
- }\
- c.slen-=(c.p-c.q); \
- }
-
-#define M_ASN1_D2I_get_EXP_set_opt_type(type,r,func,free_func,tag,b) \
- if ((c.slen != 0) && (M_ASN1_next == \
- (V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \
- { \
- int Tinf,Ttag,Tclass; \
- long Tlen; \
- \
- c.q=c.p; \
- Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \
- if (Tinf & 0x80) \
- { c.error=ASN1_R_BAD_OBJECT_HEADER; \
- c.line=__LINE__; goto err; } \
- if (Tinf == (V_ASN1_CONSTRUCTED+1)) \
- Tlen = c.slen - (c.p - c.q) - 2; \
- if (d2i_ASN1_SET_OF_##type(&(r),&c.p,Tlen,func, \
- free_func,b,V_ASN1_UNIVERSAL) == NULL) \
- { c.line=__LINE__; goto err; } \
- if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \
- Tlen = c.slen - (c.p - c.q); \
- if(!ASN1_check_infinite_end(&c.p, Tlen)) \
- { c.error=ASN1_R_MISSING_ASN1_EOS; \
- c.line=__LINE__; goto err; } \
- }\
- c.slen-=(c.p-c.q); \
- }
-
-/* New macros */
-#define M_ASN1_New_Malloc(ret,type) \
- if ((ret=(type *)OPENSSL_malloc(sizeof(type))) == NULL) \
- { c.line=__LINE__; goto err2; }
-
-#define M_ASN1_New(arg,func) \
- if (((arg)=func()) == NULL) return(NULL)
-
-#define M_ASN1_New_Error(a) \
-/* err: ASN1_MAC_H_err((a),ASN1_R_NESTED_ASN1_ERROR,c.line); \
- return(NULL);*/ \
- err2: ASN1_MAC_H_err((a),ASN1_R_MALLOC_FAILURE,c.line); \
- return(NULL)
-
-
-/* BIG UGLY WARNING! This is so damn ugly I wanna puke. Unfortunately,
- some macros that use ASN1_const_CTX still insist on writing in the input
- stream. ARGH! ARGH! ARGH! Let's get rid of this macro package.
- Please? -- Richard Levitte */
-#define M_ASN1_next (*((unsigned char *)(c.p)))
-#define M_ASN1_next_prev (*((unsigned char *)(c.q)))
-
-/*************************************************/
-
-#define M_ASN1_I2D_vars(a) int r=0,ret=0; \
- unsigned char *p; \
- if (a == NULL) return(0)
-
-/* Length Macros */
-#define M_ASN1_I2D_len(a,f) ret+=f(a,NULL)
-#define M_ASN1_I2D_len_IMP_opt(a,f) if (a != NULL) M_ASN1_I2D_len(a,f)
-
-#define M_ASN1_I2D_len_SET(a,f) \
- ret+=i2d_ASN1_SET(a,NULL,f,V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET);
-
-#define M_ASN1_I2D_len_SET_type(type,a,f) \
- ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SET, \
- V_ASN1_UNIVERSAL,IS_SET);
-
-#define M_ASN1_I2D_len_SEQUENCE(a,f) \
- ret+=i2d_ASN1_SET(a,NULL,f,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL, \
- IS_SEQUENCE);
-
-#define M_ASN1_I2D_len_SEQUENCE_type(type,a,f) \
- ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SEQUENCE, \
- V_ASN1_UNIVERSAL,IS_SEQUENCE)
-
-#define M_ASN1_I2D_len_SEQUENCE_opt(a,f) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- M_ASN1_I2D_len_SEQUENCE(a,f);
-
-#define M_ASN1_I2D_len_SEQUENCE_opt_type(type,a,f) \
- if ((a != NULL) && (sk_##type##_num(a) != 0)) \
- M_ASN1_I2D_len_SEQUENCE_type(type,a,f);
-
-#define M_ASN1_I2D_len_IMP_SET(a,f,x) \
- ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET);
-
-#define M_ASN1_I2D_len_IMP_SET_type(type,a,f,x) \
- ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \
- V_ASN1_CONTEXT_SPECIFIC,IS_SET);
-
-#define M_ASN1_I2D_len_IMP_SET_opt(a,f,x) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \
- IS_SET);
-
-#define M_ASN1_I2D_len_IMP_SET_opt_type(type,a,f,x) \
- if ((a != NULL) && (sk_##type##_num(a) != 0)) \
- ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \
- V_ASN1_CONTEXT_SPECIFIC,IS_SET);
-
-#define M_ASN1_I2D_len_IMP_SEQUENCE(a,f,x) \
- ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \
- IS_SEQUENCE);
-
-#define M_ASN1_I2D_len_IMP_SEQUENCE_opt(a,f,x) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \
- IS_SEQUENCE);
-
-#define M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(type,a,f,x) \
- if ((a != NULL) && (sk_##type##_num(a) != 0)) \
- ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \
- V_ASN1_CONTEXT_SPECIFIC, \
- IS_SEQUENCE);
-
-#define M_ASN1_I2D_len_EXP_opt(a,f,mtag,v) \
- if (a != NULL)\
- { \
- v=f(a,NULL); \
- ret+=ASN1_object_size(1,v,mtag); \
- }
-
-#define M_ASN1_I2D_len_EXP_SET_opt(a,f,mtag,tag,v) \
- if ((a != NULL) && (sk_num(a) != 0))\
- { \
- v=i2d_ASN1_SET(a,NULL,f,tag,V_ASN1_UNIVERSAL,IS_SET); \
- ret+=ASN1_object_size(1,v,mtag); \
- }
-
-#define M_ASN1_I2D_len_EXP_SEQUENCE_opt(a,f,mtag,tag,v) \
- if ((a != NULL) && (sk_num(a) != 0))\
- { \
- v=i2d_ASN1_SET(a,NULL,f,tag,V_ASN1_UNIVERSAL, \
- IS_SEQUENCE); \
- ret+=ASN1_object_size(1,v,mtag); \
- }
-
-#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \
- if ((a != NULL) && (sk_##type##_num(a) != 0))\
- { \
- v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \
- V_ASN1_UNIVERSAL, \
- IS_SEQUENCE); \
- ret+=ASN1_object_size(1,v,mtag); \
- }
-
-/* Put Macros */
-#define M_ASN1_I2D_put(a,f) f(a,&p)
-
-#define M_ASN1_I2D_put_IMP_opt(a,f,t) \
- if (a != NULL) \
- { \
- unsigned char *q=p; \
- f(a,&p); \
- *q=(V_ASN1_CONTEXT_SPECIFIC|t|(*q&V_ASN1_CONSTRUCTED));\
- }
-
-#define M_ASN1_I2D_put_SET(a,f) i2d_ASN1_SET(a,&p,f,V_ASN1_SET,\
- V_ASN1_UNIVERSAL,IS_SET)
-#define M_ASN1_I2D_put_SET_type(type,a,f) \
- i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET)
-#define M_ASN1_I2D_put_IMP_SET(a,f,x) i2d_ASN1_SET(a,&p,f,x,\
- V_ASN1_CONTEXT_SPECIFIC,IS_SET)
-#define M_ASN1_I2D_put_IMP_SET_type(type,a,f,x) \
- i2d_ASN1_SET_OF_##type(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET)
-#define M_ASN1_I2D_put_IMP_SEQUENCE(a,f,x) i2d_ASN1_SET(a,&p,f,x,\
- V_ASN1_CONTEXT_SPECIFIC,IS_SEQUENCE)
-
-#define M_ASN1_I2D_put_SEQUENCE(a,f) i2d_ASN1_SET(a,&p,f,V_ASN1_SEQUENCE,\
- V_ASN1_UNIVERSAL,IS_SEQUENCE)
-
-#define M_ASN1_I2D_put_SEQUENCE_type(type,a,f) \
- i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL, \
- IS_SEQUENCE)
-
-#define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- M_ASN1_I2D_put_SEQUENCE(a,f);
-
-#define M_ASN1_I2D_put_IMP_SET_opt(a,f,x) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- { i2d_ASN1_SET(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC, \
- IS_SET); }
-
-#define M_ASN1_I2D_put_IMP_SET_opt_type(type,a,f,x) \
- if ((a != NULL) && (sk_##type##_num(a) != 0)) \
- { i2d_ASN1_SET_OF_##type(a,&p,f,x, \
- V_ASN1_CONTEXT_SPECIFIC, \
- IS_SET); }
-
-#define M_ASN1_I2D_put_IMP_SEQUENCE_opt(a,f,x) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- { i2d_ASN1_SET(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC, \
- IS_SEQUENCE); }
-
-#define M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(type,a,f,x) \
- if ((a != NULL) && (sk_##type##_num(a) != 0)) \
- { i2d_ASN1_SET_OF_##type(a,&p,f,x, \
- V_ASN1_CONTEXT_SPECIFIC, \
- IS_SEQUENCE); }
-
-#define M_ASN1_I2D_put_EXP_opt(a,f,tag,v) \
- if (a != NULL) \
- { \
- ASN1_put_object(&p,1,v,tag,V_ASN1_CONTEXT_SPECIFIC); \
- f(a,&p); \
- }
-
-#define M_ASN1_I2D_put_EXP_SET_opt(a,f,mtag,tag,v) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- { \
- ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
- i2d_ASN1_SET(a,&p,f,tag,V_ASN1_UNIVERSAL,IS_SET); \
- }
-
-#define M_ASN1_I2D_put_EXP_SEQUENCE_opt(a,f,mtag,tag,v) \
- if ((a != NULL) && (sk_num(a) != 0)) \
- { \
- ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
- i2d_ASN1_SET(a,&p,f,tag,V_ASN1_UNIVERSAL,IS_SEQUENCE); \
- }
-
-#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \
- if ((a != NULL) && (sk_##type##_num(a) != 0)) \
- { \
- ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \
- i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \
- IS_SEQUENCE); \
- }
-
-#define M_ASN1_I2D_seq_total() \
- r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \
- if (pp == NULL) return(r); \
- p= *pp; \
- ASN1_put_object(&p,1,ret,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL)
-
-#define M_ASN1_I2D_INF_seq_start(tag,ctx) \
- *(p++)=(V_ASN1_CONSTRUCTED|(tag)|(ctx)); \
- *(p++)=0x80
-
-#define M_ASN1_I2D_INF_seq_end() *(p++)=0x00; *(p++)=0x00
-
-#define M_ASN1_I2D_finish() *pp=p; \
- return(r);
OPENSSL_EXPORT int asn1_GetSequence(ASN1_const_CTX *c, long *length);
-OPENSSL_EXPORT void asn1_add_error(const unsigned char *address, int offset);
+
+
#ifdef __cplusplus
}
#endif
diff --git a/src/include/openssl/asn1t.h b/src/include/openssl/asn1t.h
index 72eb2cb..6c91134 100644
--- a/src/include/openssl/asn1t.h
+++ b/src/include/openssl/asn1t.h
@@ -58,7 +58,7 @@
#ifndef HEADER_ASN1T_H
#define HEADER_ASN1T_H
-#include <stddef.h>
+#include <openssl/base.h>
#include <openssl/asn1.h>
#ifdef OPENSSL_BUILD_SHLIBCRYPTO
diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h
index d73f269..b769ad5 100644
--- a/src/include/openssl/base.h
+++ b/src/include/openssl/base.h
@@ -56,8 +56,8 @@
/* This file should be the first included by all BoringSSL headers. */
+#include <stddef.h>
#include <stdint.h>
-#include <stdlib.h>
#include <sys/types.h>
#include <openssl/opensslfeatures.h>
@@ -103,6 +103,11 @@
#define OPENSSL_WINDOWS
#endif
+#if defined(TRUSTY)
+#define OPENSSL_TRUSTY
+#define OPENSSL_NO_THREADS
+#endif
+
#define OPENSSL_IS_BORINGSSL
#define OPENSSL_VERSION_NUMBER 0x10002000
@@ -132,6 +137,9 @@
#endif /* defined(BORINGSSL_SHARED_LIBRARY) */
+/* CRYPTO_THREADID is a dummy value. */
+typedef int CRYPTO_THREADID;
+
typedef int ASN1_BOOLEAN;
typedef int ASN1_NULL;
typedef struct ASN1_ITEM_st ASN1_ITEM;
@@ -174,7 +182,9 @@
typedef struct buf_mem_st BUF_MEM;
typedef struct cbb_st CBB;
typedef struct cbs_st CBS;
+typedef struct cmac_ctx_st CMAC_CTX;
typedef struct conf_st CONF;
+typedef struct conf_value_st CONF_VALUE;
typedef struct dh_method DH_METHOD;
typedef struct dh_st DH;
typedef struct dsa_method DSA_METHOD;
@@ -198,6 +208,7 @@
typedef struct pkcs8_priv_key_info_st PKCS8_PRIV_KEY_INFO;
typedef struct pkcs12_st PKCS12;
typedef struct rand_meth_st RAND_METHOD;
+typedef struct rc4_key_st RC4_KEY;
typedef struct rsa_meth_st RSA_METHOD;
typedef struct rsa_st RSA;
typedef struct sha256_state_st SHA256_CTX;
diff --git a/src/include/openssl/bio.h b/src/include/openssl/bio.h
index 4d89d11..b70b42f 100644
--- a/src/include/openssl/bio.h
+++ b/src/include/openssl/bio.h
@@ -59,9 +59,9 @@
#include <openssl/base.h>
-#include <stdarg.h>
#include <stdio.h> /* For FILE */
+#include <openssl/err.h> /* for ERR_print_errors_fp */
#include <openssl/ex_data.h>
#include <openssl/stack.h>
@@ -96,6 +96,9 @@
* TODO(fork): remove. */
OPENSSL_EXPORT void BIO_vfree(BIO *bio);
+/* BIO_up_ref increments the reference count of |bio| and returns it. */
+OPENSSL_EXPORT BIO *BIO_up_ref(BIO *bio);
+
/* Basic I/O. */
@@ -331,10 +334,6 @@
OPENSSL_EXPORT int BIO_hexdump(BIO *bio, const uint8_t *data, size_t len,
unsigned indent);
-/* BIO_print_errors_fp prints the current contents of the error stack to |out|
- * using human readable strings where possible. */
-OPENSSL_EXPORT void BIO_print_errors_fp(FILE *out);
-
/* BIO_print_errors prints the current contents of the error stack to |bio|
* using human readable strings where possible. */
OPENSSL_EXPORT void BIO_print_errors(BIO *bio);
@@ -652,7 +651,7 @@
* stack.
*
* The zero copy write operation is completed by calling
- * |BIO_zero_copy_write_buf_don|e. Neither |BIO_zero_copy_get_write_buf_done|
+ * |BIO_zero_copy_write_buf_done|. Neither |BIO_zero_copy_get_write_buf|
* nor any other I/O write operation may be called while a zero copy write
* operation is active. */
OPENSSL_EXPORT int BIO_zero_copy_get_write_buf(BIO* bio,
@@ -693,8 +692,6 @@
#define BIO_CTRL_INFO 3 /* opt - extra tit-bits */
#define BIO_CTRL_SET 4 /* man - set the 'IO' type */
#define BIO_CTRL_GET 5 /* man - get the 'IO' type */
-#define BIO_CTRL_PUSH 6 /* opt - internal, used to signify change */
-#define BIO_CTRL_POP 7 /* opt - internal, used to signify change */
#define BIO_CTRL_GET_CLOSE 8 /* man - set the 'close' on free */
#define BIO_CTRL_SET_CLOSE 9 /* man - set the 'close' on free */
#define BIO_CTRL_PENDING 10 /* opt - is their more data buffered */
@@ -706,6 +703,14 @@
#define BIO_CTRL_SET_FILENAME 30 /* BIO_s_file special */
+/* Android compatibility section.
+ *
+ * A previous version of BoringSSL used in Android renamed ERR_print_errors_fp
+ * to BIO_print_errors_fp. It has subsequently been renamed back to
+ * ERR_print_errors_fp. */
+#define BIO_print_errors_fp ERR_print_errors_fp
+
+
/* Private functions */
#define BIO_FLAGS_READ 0x01
@@ -779,17 +784,12 @@
/* num is a BIO-specific value. For example, in fd BIOs it's used to store a
* file descriptor. */
int num;
- /* TODO(fork): reference counting is only used by the SSL BIO code. If we can
- * dump that then we can remove this. We could also drop
- * BIO_CTRL_PUSH/BIO_CTRL_POP. */
int references;
void *ptr;
/* next_bio points to the next |BIO| in a chain. This |BIO| owns a reference
* to |next_bio|. */
struct bio_st *next_bio; /* used by filter BIOs */
size_t num_read, num_write;
-
- CRYPTO_EX_DATA ex_data;
};
#define BIO_C_SET_CONNECT 100
@@ -854,43 +854,40 @@
} /* extern C */
#endif
-#define BIO_F_bio_make_pair 100
-#define BIO_F_bio_ctrl 101
-#define BIO_F_buffer_ctrl 102
+#define BIO_F_BIO_callback_ctrl 100
+#define BIO_F_BIO_ctrl 101
+#define BIO_F_BIO_new 102
#define BIO_F_BIO_new_file 103
-#define BIO_F_file_read 104
-#define BIO_F_BIO_new 105
-#define BIO_F_bio_io 106
-#define BIO_F_BIO_new_mem_buf 107
-#define BIO_F_mem_write 108
-#define BIO_F_conn_state 109
-#define BIO_F_conn_ctrl 110
-#define BIO_F_file_ctrl 111
-#define BIO_F_BIO_callback_ctrl 112
-#define BIO_F_bio_ip_and_port_to_socket_and_addr 113
-#define BIO_F_bio_write 114
-#define BIO_F_BIO_ctrl 115
-#define BIO_F_BIO_zero_copy_get_write_buf 116
-#define BIO_F_BIO_zero_copy_get_write_buf_done 117
-#define BIO_F_BIO_zero_copy_get_read_buf 118
-#define BIO_F_BIO_zero_copy_get_read_buf_done 119
-#define BIO_R_UNSUPPORTED_METHOD 100
-#define BIO_R_NO_PORT_SPECIFIED 101
-#define BIO_R_NO_HOSTNAME_SPECIFIED 102
-#define BIO_R_IN_USE 103
-#define BIO_R_UNINITIALIZED 104
-#define BIO_R_CONNECT_ERROR 105
+#define BIO_F_BIO_new_mem_buf 104
+#define BIO_F_BIO_zero_copy_get_read_buf 105
+#define BIO_F_BIO_zero_copy_get_read_buf_done 106
+#define BIO_F_BIO_zero_copy_get_write_buf 107
+#define BIO_F_BIO_zero_copy_get_write_buf_done 108
+#define BIO_F_bio_io 109
+#define BIO_F_bio_make_pair 110
+#define BIO_F_bio_write 111
+#define BIO_F_buffer_ctrl 112
+#define BIO_F_conn_ctrl 113
+#define BIO_F_conn_state 114
+#define BIO_F_file_ctrl 115
+#define BIO_F_file_read 116
+#define BIO_F_mem_write 117
+#define BIO_R_BAD_FOPEN_MODE 100
+#define BIO_R_BROKEN_PIPE 101
+#define BIO_R_CONNECT_ERROR 102
+#define BIO_R_ERROR_SETTING_NBIO 103
+#define BIO_R_INVALID_ARGUMENT 104
+#define BIO_R_IN_USE 105
#define BIO_R_KEEPALIVE 106
-#define BIO_R_BROKEN_PIPE 107
-#define BIO_R_NBIO_CONNECT_ERROR 108
-#define BIO_R_BAD_FOPEN_MODE 109
-#define BIO_R_ASN1_OBJECT_TOO_LONG 110
-#define BIO_R_INVALID_ARGUMENT 111
-#define BIO_R_WRITE_TO_READ_ONLY_BIO 112
-#define BIO_R_ERROR_SETTING_NBIO 113
-#define BIO_R_SYS_LIB 114
-#define BIO_R_NO_SUCH_FILE 115
-#define BIO_R_NULL_PARAMETER 116
-#define BIO_R_UNABLE_TO_CREATE_SOCKET 117
+#define BIO_R_NBIO_CONNECT_ERROR 107
+#define BIO_R_NO_HOSTNAME_SPECIFIED 108
+#define BIO_R_NO_PORT_SPECIFIED 109
+#define BIO_R_NO_SUCH_FILE 110
+#define BIO_R_NULL_PARAMETER 111
+#define BIO_R_SYS_LIB 112
+#define BIO_R_UNABLE_TO_CREATE_SOCKET 113
+#define BIO_R_UNINITIALIZED 114
+#define BIO_R_UNSUPPORTED_METHOD 115
+#define BIO_R_WRITE_TO_READ_ONLY_BIO 116
#endif /* OPENSSL_HEADER_BIO_H */
diff --git a/src/include/openssl/blowfish.h b/src/include/openssl/blowfish.h
new file mode 100644
index 0000000..fa60d53
--- /dev/null
+++ b/src/include/openssl/blowfish.h
@@ -0,0 +1,93 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#ifndef OPENSSL_HEADER_BLOWFISH_H
+#define OPENSSL_HEADER_BLOWFISH_H
+
+#include <openssl/base.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#define BF_ENCRYPT 1
+#define BF_DECRYPT 0
+
+#define BF_ROUNDS 16
+#define BF_BLOCK 8
+
+typedef struct bf_key_st {
+ uint32_t P[BF_ROUNDS + 2];
+ uint32_t S[4 * 256];
+} BF_KEY;
+
+OPENSSL_EXPORT void BF_set_key(BF_KEY *key, size_t len, const uint8_t *data);
+OPENSSL_EXPORT void BF_encrypt(uint32_t *data, const BF_KEY *key);
+OPENSSL_EXPORT void BF_decrypt(uint32_t *data, const BF_KEY *key);
+
+OPENSSL_EXPORT void BF_ecb_encrypt(const uint8_t *in, uint8_t *out,
+ const BF_KEY *key, int enc);
+OPENSSL_EXPORT void BF_cbc_encrypt(const uint8_t *in, uint8_t *out, long length,
+ const BF_KEY *schedule, uint8_t *ivec,
+ int enc);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* OPENSSL_HEADER_BLOWFISH_H */
diff --git a/src/include/openssl/bn.h b/src/include/openssl/bn.h
index 0631b8c..2cd0224 100644
--- a/src/include/openssl/bn.h
+++ b/src/include/openssl/bn.h
@@ -124,7 +124,9 @@
#define OPENSSL_HEADER_BN_H
#include <openssl/base.h>
+#include <openssl/thread.h>
+#include <inttypes.h> /* for PRIu64 and friends */
#include <stdio.h> /* for FILE* */
#if defined(__cplusplus)
@@ -137,13 +139,24 @@
* will allow you to work with numbers until you run out of memory. */
-/* BN_ULONG is the native word size when working with big integers. */
+/* BN_ULONG is the native word size when working with big integers.
+ *
+ * Note: on some platforms, inttypes.h does not define print format macros in
+ * C++ unless |__STDC_FORMAT_MACROS| defined. As this is a public header, bn.h
+ * does not define |__STDC_FORMAT_MACROS| itself. C++ source files which use the
+ * FMT macros must define it externally. */
#if defined(OPENSSL_64_BIT)
#define BN_ULONG uint64_t
#define BN_BITS2 64
+#define BN_DEC_FMT1 "%" PRIu64
+#define BN_DEC_FMT2 "%019" PRIu64
+#define BN_HEX_FMT1 "%" PRIx64
#elif defined(OPENSSL_32_BIT)
#define BN_ULONG uint32_t
#define BN_BITS2 32
+#define BN_DEC_FMT1 "%" PRIu32
+#define BN_DEC_FMT2 "%09" PRIu32
+#define BN_HEX_FMT1 "%" PRIx32
#else
#error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
#endif
@@ -473,7 +486,8 @@
BN_div(NULL, (rem), (numerator), (divisor), (ctx))
/* BN_nnmod is a non-negative modulo function. It acts like |BN_mod|, but 0 <=
- * |rem| < |divisor| is always true. */
+ * |rem| < |divisor| is always true. It returns one on success and zero on
+ * error. */
OPENSSL_EXPORT int BN_nnmod(BIGNUM *rem, const BIGNUM *numerator,
const BIGNUM *divisor, BN_CTX *ctx);
@@ -710,15 +724,13 @@
OPENSSL_EXPORT int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod,
BN_CTX *ctx);
-/* BN_MONT_CTX_set_locked takes the lock indicated by |lock| and checks whether
- * |*pmont| is NULL. If so, it creates a new |BN_MONT_CTX| and sets the modulus
- * for it to |mod|. It then stores it as |*pmont| and returns it, or NULL on
- * error.
+/* BN_MONT_CTX_set_locked takes |lock| and checks whether |*pmont| is NULL. If
+ * so, it creates a new |BN_MONT_CTX| and sets the modulus for it to |mod|. It
+ * then stores it as |*pmont| and returns it, or NULL on error.
*
* If |*pmont| is already non-NULL then the existing value is returned. */
-OPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont,
- int lock, const BIGNUM *mod,
- BN_CTX *ctx);
+BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,
+ const BIGNUM *mod, BN_CTX *bn_ctx);
/* BN_to_montgomery sets |ret| equal to |a| in the Montgomery domain. It
* returns one on success and zero on error. */
@@ -815,47 +827,47 @@
} /* extern C */
#endif
-#define BN_F_BN_bn2hex 100
-#define BN_F_BN_new 101
-#define BN_F_BN_exp 102
-#define BN_F_mod_exp_recp 103
-#define BN_F_BN_mod_sqrt 104
-#define BN_F_BN_rand 105
-#define BN_F_BN_rand_range 106
-#define BN_F_bn_wexpand 107
-#define BN_F_BN_mod_exp_mont 108
-#define BN_F_BN_mod_exp2_mont 109
-#define BN_F_BN_CTX_get 110
-#define BN_F_BN_mod_inverse 111
-#define BN_F_BN_bn2dec 112
-#define BN_F_BN_div 113
-#define BN_F_BN_div_recp 114
-#define BN_F_BN_mod_exp_mont_consttime 115
-#define BN_F_BN_mod_exp_mont_word 116
-#define BN_F_BN_CTX_start 117
-#define BN_F_BN_usub 118
-#define BN_F_BN_mod_lshift_quick 119
-#define BN_F_BN_CTX_new 120
-#define BN_F_BN_mod_inverse_no_branch 121
-#define BN_F_BN_generate_dsa_nonce 122
-#define BN_F_BN_generate_prime_ex 123
-#define BN_F_BN_sqrt 124
-#define BN_R_NOT_A_SQUARE 100
-#define BN_R_TOO_MANY_ITERATIONS 101
-#define BN_R_INPUT_NOT_REDUCED 102
-#define BN_R_TOO_MANY_TEMPORARY_VARIABLES 103
-#define BN_R_NO_INVERSE 104
-#define BN_R_NOT_INITIALIZED 105
-#define BN_R_DIV_BY_ZERO 106
-#define BN_R_CALLED_WITH_EVEN_MODULUS 107
-#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 108
-#define BN_R_BAD_RECIPROCAL 109
-#define BN_R_P_IS_NOT_PRIME 110
-#define BN_R_INVALID_RANGE 111
-#define BN_R_ARG2_LT_ARG3 112
-#define BN_R_BIGNUM_TOO_LONG 113
-#define BN_R_PRIVATE_KEY_TOO_LARGE 114
-#define BN_R_BITS_TOO_SMALL 115
-#define BN_R_NEGATIVE_NUMBER 116
+#define BN_F_BN_CTX_get 100
+#define BN_F_BN_CTX_new 101
+#define BN_F_BN_CTX_start 102
+#define BN_F_BN_bn2dec 103
+#define BN_F_BN_bn2hex 104
+#define BN_F_BN_div 105
+#define BN_F_BN_div_recp 106
+#define BN_F_BN_exp 107
+#define BN_F_BN_generate_dsa_nonce 108
+#define BN_F_BN_generate_prime_ex 109
+#define BN_F_BN_mod_exp2_mont 110
+#define BN_F_BN_mod_exp_mont 111
+#define BN_F_BN_mod_exp_mont_consttime 112
+#define BN_F_BN_mod_exp_mont_word 113
+#define BN_F_BN_mod_inverse 114
+#define BN_F_BN_mod_inverse_no_branch 115
+#define BN_F_BN_mod_lshift_quick 116
+#define BN_F_BN_mod_sqrt 117
+#define BN_F_BN_new 118
+#define BN_F_BN_rand 119
+#define BN_F_BN_rand_range 120
+#define BN_F_BN_sqrt 121
+#define BN_F_BN_usub 122
+#define BN_F_bn_wexpand 123
+#define BN_F_mod_exp_recp 124
+#define BN_R_ARG2_LT_ARG3 100
+#define BN_R_BAD_RECIPROCAL 101
+#define BN_R_BIGNUM_TOO_LONG 102
+#define BN_R_BITS_TOO_SMALL 103
+#define BN_R_CALLED_WITH_EVEN_MODULUS 104
+#define BN_R_DIV_BY_ZERO 105
+#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 106
+#define BN_R_INPUT_NOT_REDUCED 107
+#define BN_R_INVALID_RANGE 108
+#define BN_R_NEGATIVE_NUMBER 109
+#define BN_R_NOT_A_SQUARE 110
+#define BN_R_NOT_INITIALIZED 111
+#define BN_R_NO_INVERSE 112
+#define BN_R_PRIVATE_KEY_TOO_LARGE 113
+#define BN_R_P_IS_NOT_PRIME 114
+#define BN_R_TOO_MANY_ITERATIONS 115
+#define BN_R_TOO_MANY_TEMPORARY_VARIABLES 116
#endif /* OPENSSL_HEADER_BN_H */
diff --git a/src/include/openssl/buf.h b/src/include/openssl/buf.h
index 0a0a9b8..2b36ce4 100644
--- a/src/include/openssl/buf.h
+++ b/src/include/openssl/buf.h
@@ -116,8 +116,8 @@
#endif
#define BUF_F_BUF_MEM_new 100
-#define BUF_F_buf_mem_grow 101
+#define BUF_F_BUF_memdup 101
#define BUF_F_BUF_strndup 102
-#define BUF_F_BUF_memdup 103
+#define BUF_F_buf_mem_grow 103
#endif /* OPENSSL_HEADER_BUFFER_H */
diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h
index 2bff3f5..e10621a 100644
--- a/src/include/openssl/bytestring.h
+++ b/src/include/openssl/bytestring.h
@@ -47,7 +47,7 @@
* otherwise. */
OPENSSL_EXPORT int CBS_skip(CBS *cbs, size_t len);
-/* CBS_data returns a pointer to the contains of |cbs|. */
+/* CBS_data returns a pointer to the contents of |cbs|. */
OPENSSL_EXPORT const uint8_t *CBS_data(const CBS *cbs);
/* CBS_len returns the number of bytes remaining in |cbs|. */
@@ -134,7 +134,7 @@
* element must match |tag_value|. It returns one on success and zero
* on error.
*
- * Tag numbers greater than 31 are not supported. */
+ * Tag numbers greater than 30 are not supported (i.e. short form only). */
OPENSSL_EXPORT int CBS_get_asn1(CBS *cbs, CBS *out, unsigned tag_value);
/* CBS_get_asn1_element acts like |CBS_get_asn1| but |out| will include the
@@ -155,7 +155,7 @@
* header. Each of |out|, |out_tag|, and |out_header_len| may be NULL to ignore
* the value.
*
- * Tag numbers greater than 31 are not supported. */
+ * Tag numbers greater than 30 are not supported (i.e. short form only). */
OPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out,
unsigned *out_tag,
size_t *out_header_len);
@@ -287,7 +287,9 @@
/* CBB_add_asn sets |*out_contents| to a |CBB| into which the contents of an
* ASN.1 object can be written. The |tag| argument will be used as the tag for
- * the object. It returns one on success or zero on error. */
+ * the object. Passing in |tag| number 31 will return in an error since only
+ * single octet identifiers are supported. It returns one on success or zero
+ * on error. */
OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, uint8_t tag);
/* CBB_add_bytes appends |len| bytes from |data| to |cbb|. It returns one on
diff --git a/src/include/openssl/cast.h b/src/include/openssl/cast.h
new file mode 100644
index 0000000..8021723
--- /dev/null
+++ b/src/include/openssl/cast.h
@@ -0,0 +1,96 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.] */
+
+#ifndef OPENSSL_HEADER_CAST_H
+#define OPENSSL_HEADER_CAST_H
+
+#include <openssl/base.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#define CAST_ENCRYPT 1
+#define CAST_DECRYPT 0
+
+#define CAST_BLOCK 8
+#define CAST_KEY_LENGTH 16
+
+typedef struct cast_key_st {
+ uint32_t data[32];
+ int short_key; /* Use reduced rounds for short key */
+} CAST_KEY;
+
+OPENSSL_EXPORT void CAST_set_key(CAST_KEY *key, size_t len,
+ const uint8_t *data);
+OPENSSL_EXPORT void CAST_ecb_encrypt(const uint8_t *in, uint8_t *out,
+ const CAST_KEY *key, int enc);
+OPENSSL_EXPORT void CAST_encrypt(uint32_t *data, const CAST_KEY *key);
+OPENSSL_EXPORT void CAST_decrypt(uint32_t *data, const CAST_KEY *key);
+OPENSSL_EXPORT void CAST_cbc_encrypt(const uint8_t *in, uint8_t *out,
+ long length, const CAST_KEY *ks,
+ uint8_t *iv, int enc);
+
+OPENSSL_EXPORT void CAST_cfb64_encrypt(const uint8_t *in, uint8_t *out,
+ long length, const CAST_KEY *schedule,
+ uint8_t *ivec, int *num, int enc);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* OPENSSL_HEADER_CAST_H */
diff --git a/src/include/openssl/cipher.h b/src/include/openssl/cipher.h
index adca5a9..f1469a0 100644
--- a/src/include/openssl/cipher.h
+++ b/src/include/openssl/cipher.h
@@ -80,10 +80,12 @@
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_ecb(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cbc(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_ctr(void);
+OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_ofb(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ecb(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cbc(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ctr(void);
+OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ofb(void);
/* Deprecated AES-GCM implementations that set |EVP_CIPH_FLAG_CUSTOM_CIPHER|.
* Use |EVP_aead_aes_128_gcm| and |EVP_aead_aes_256_gcm| instead. */
@@ -91,9 +93,9 @@
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_gcm(void);
/* Deprecated 192-bit version of AES. */
+OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ecb(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cbc(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ctr(void);
-OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ecb(void);
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_gcm(void);
/* EVP_enc_null returns a 'cipher' that passes plaintext through as
@@ -123,8 +125,8 @@
* |EVP_CIPHER_CTX_init| and returns it, or NULL on allocation failure. */
OPENSSL_EXPORT EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
-/* EVP_CIPHER_CTX_cleanup frees any memory referenced by |ctx|. It returns one
- * on success and zero otherwise. */
+/* EVP_CIPHER_CTX_cleanup frees any memory referenced by |ctx|. It returns
+ * one. */
OPENSSL_EXPORT int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx);
/* EVP_CIPHER_CTX_free calls |EVP_CIPHER_CTX_cleanup| on |ctx| and then frees
@@ -236,7 +238,8 @@
const EVP_CIPHER_CTX *ctx);
/* EVP_CIPHER_CTX_nid returns a NID identifying the |EVP_CIPHER| underlying
- * |ctx| (e.g. |NID_rc4|). It will crash if no cipher has been configured. */
+ * |ctx| (e.g. |NID_aes_128_gcm|). It will crash if no cipher has been
+ * configured. */
OPENSSL_EXPORT int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx);
/* EVP_CIPHER_CTX_block_size returns the block size, in bytes, of the cipher
@@ -289,13 +292,9 @@
/* Cipher accessors. */
/* EVP_CIPHER_nid returns a NID identifing |cipher|. (For example,
- * |NID_rc4|.) */
+ * |NID_aes_128_gcm|.) */
OPENSSL_EXPORT int EVP_CIPHER_nid(const EVP_CIPHER *cipher);
-/* EVP_CIPHER_name returns the short name for |cipher| or NULL if no name is
- * known. */
-OPENSSL_EXPORT const char *EVP_CIPHER_name(const EVP_CIPHER *cipher);
-
/* EVP_CIPHER_block_size returns the block size, in bytes, for |cipher|, or one
* if |cipher| is a stream cipher. */
OPENSSL_EXPORT unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher);
@@ -491,7 +490,7 @@
} EVP_CIPHER_INFO;
struct evp_cipher_st {
- /* type contains a NID identifing the cipher. (For example, NID_rc4.) */
+ /* type contains a NID identifing the cipher. (e.g. NID_aes_128_gcm.) */
int nid;
/* block_size contains the block size, in bytes, of the cipher, or 1 for a
@@ -521,7 +520,7 @@
int (*cipher)(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
size_t inl);
- int (*cleanup)(EVP_CIPHER_CTX *);
+ void (*cleanup)(EVP_CIPHER_CTX *);
int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr);
};
@@ -531,62 +530,65 @@
} /* extern C */
#endif
-#define CIPHER_F_EVP_CipherInit_ex 100
-#define CIPHER_F_EVP_EncryptFinal_ex 101
-#define CIPHER_F_EVP_DecryptFinal_ex 102
-#define CIPHER_F_EVP_CIPHER_CTX_ctrl 103
-#define CIPHER_F_aes_init_key 104
-#define CIPHER_F_aesni_init_key 105
-#define CIPHER_F_EVP_CIPHER_CTX_copy 106
-#define CIPHER_F_EVP_AEAD_CTX_open 107
-#define CIPHER_F_EVP_AEAD_CTX_init 108
-#define CIPHER_F_EVP_AEAD_CTX_seal 109
-#define CIPHER_F_aead_aes_gcm_seal 110
-#define CIPHER_F_aead_aes_gcm_open 111
-#define CIPHER_F_aead_aes_gcm_init 112
-#define CIPHER_F_aead_chacha20_poly1305_init 113
-#define CIPHER_F_aead_chacha20_poly1305_open 114
-#define CIPHER_F_aead_chacha20_poly1305_seal 115
-#define CIPHER_F_aead_rc4_md5_tls_init 116
-#define CIPHER_F_aead_rc4_md5_tls_seal 117
-#define CIPHER_F_aead_rc4_md5_tls_open 118
-#define CIPHER_F_aead_aes_key_wrap_seal 119
-#define CIPHER_F_aead_aes_key_wrap_init 120
-#define CIPHER_F_aead_aes_key_wrap_open 121
-#define CIPHER_F_EVP_CIPHER_CTX_set_key_length 122
-#define CIPHER_F_aead_tls_init 123
-#define CIPHER_F_aead_tls_open 124
-#define CIPHER_F_aead_tls_seal 125
-#define CIPHER_F_aead_tls_ensure_cipher_init 126
-#define CIPHER_F_aead_ssl3_open 127
-#define CIPHER_F_aead_ssl3_seal 128
-#define CIPHER_F_aead_ssl3_init 129
-#define CIPHER_F_aead_ssl3_ensure_cipher_init 130
-#define CIPHER_R_WRAP_MODE_NOT_ALLOWED 100
-#define CIPHER_R_AES_KEY_SETUP_FAILED 101
-#define CIPHER_R_INPUT_NOT_INITIALIZED 102
-#define CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 103
-#define CIPHER_R_INITIALIZATION_ERROR 104
-#define CIPHER_R_CTRL_NOT_IMPLEMENTED 105
-#define CIPHER_R_NO_CIPHER_SET 106
-#define CIPHER_R_BAD_DECRYPT 107
-#define CIPHER_R_WRONG_FINAL_BLOCK_LENGTH 108
-#define CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED 109
-#define CIPHER_R_TAG_TOO_LARGE 110
-#define CIPHER_R_BAD_KEY_LENGTH 111
-#define CIPHER_R_BUFFER_TOO_SMALL 112
-#define CIPHER_R_OUTPUT_ALIASES_INPUT 113
-#define CIPHER_R_UNSUPPORTED_KEY_SIZE 114
-#define CIPHER_R_TOO_LARGE 115
-#define CIPHER_R_IV_TOO_LARGE 116
-#define CIPHER_R_INVALID_AD_SIZE 117
-#define CIPHER_R_INVALID_AD 118
-#define CIPHER_R_UNSUPPORTED_TAG_SIZE 119
-#define CIPHER_R_UNSUPPORTED_INPUT_SIZE 120
-#define CIPHER_R_UNSUPPORTED_AD_SIZE 121
-#define CIPHER_R_UNSUPPORTED_NONCE_SIZE 122
-#define CIPHER_R_INVALID_KEY_LENGTH 123
-#define CIPHER_R_INVALID_OPERATION 124
-#define CIPHER_R_INVALID_NONCE_SIZE 125
+#define CIPHER_F_EVP_AEAD_CTX_init 100
+#define CIPHER_F_EVP_AEAD_CTX_open 101
+#define CIPHER_F_EVP_AEAD_CTX_seal 102
+#define CIPHER_F_EVP_CIPHER_CTX_copy 103
+#define CIPHER_F_EVP_CIPHER_CTX_ctrl 104
+#define CIPHER_F_EVP_CIPHER_CTX_set_key_length 105
+#define CIPHER_F_EVP_CipherInit_ex 106
+#define CIPHER_F_EVP_DecryptFinal_ex 107
+#define CIPHER_F_EVP_EncryptFinal_ex 108
+#define CIPHER_F_aead_aes_gcm_init 109
+#define CIPHER_F_aead_aes_gcm_open 110
+#define CIPHER_F_aead_aes_gcm_seal 111
+#define CIPHER_F_aead_aes_key_wrap_init 112
+#define CIPHER_F_aead_aes_key_wrap_open 113
+#define CIPHER_F_aead_aes_key_wrap_seal 114
+#define CIPHER_F_aead_chacha20_poly1305_init 115
+#define CIPHER_F_aead_chacha20_poly1305_open 116
+#define CIPHER_F_aead_chacha20_poly1305_seal 117
+#define CIPHER_F_aead_rc4_md5_tls_init 118
+#define CIPHER_F_aead_rc4_md5_tls_open 119
+#define CIPHER_F_aead_rc4_md5_tls_seal 120
+#define CIPHER_F_aead_ssl3_ensure_cipher_init 121
+#define CIPHER_F_aead_ssl3_init 122
+#define CIPHER_F_aead_ssl3_open 123
+#define CIPHER_F_aead_ssl3_seal 124
+#define CIPHER_F_aead_tls_ensure_cipher_init 125
+#define CIPHER_F_aead_tls_init 126
+#define CIPHER_F_aead_tls_open 127
+#define CIPHER_F_aead_tls_seal 128
+#define CIPHER_F_aes_init_key 129
+#define CIPHER_F_aesni_init_key 130
+#define CIPHER_F_EVP_AEAD_CTX_init_with_direction 131
+#define CIPHER_F_aead_aes_ctr_hmac_sha256_init 132
+#define CIPHER_F_aead_aes_ctr_hmac_sha256_open 133
+#define CIPHER_F_aead_aes_ctr_hmac_sha256_seal 134
+#define CIPHER_R_AES_KEY_SETUP_FAILED 100
+#define CIPHER_R_BAD_DECRYPT 101
+#define CIPHER_R_BAD_KEY_LENGTH 102
+#define CIPHER_R_BUFFER_TOO_SMALL 103
+#define CIPHER_R_CTRL_NOT_IMPLEMENTED 104
+#define CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED 105
+#define CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 106
+#define CIPHER_R_INITIALIZATION_ERROR 107
+#define CIPHER_R_INPUT_NOT_INITIALIZED 108
+#define CIPHER_R_INVALID_AD_SIZE 109
+#define CIPHER_R_INVALID_KEY_LENGTH 110
+#define CIPHER_R_INVALID_NONCE_SIZE 111
+#define CIPHER_R_INVALID_OPERATION 112
+#define CIPHER_R_IV_TOO_LARGE 113
+#define CIPHER_R_NO_CIPHER_SET 114
+#define CIPHER_R_OUTPUT_ALIASES_INPUT 115
+#define CIPHER_R_TAG_TOO_LARGE 116
+#define CIPHER_R_TOO_LARGE 117
+#define CIPHER_R_UNSUPPORTED_AD_SIZE 118
+#define CIPHER_R_UNSUPPORTED_INPUT_SIZE 119
+#define CIPHER_R_UNSUPPORTED_KEY_SIZE 120
+#define CIPHER_R_UNSUPPORTED_NONCE_SIZE 121
+#define CIPHER_R_UNSUPPORTED_TAG_SIZE 122
+#define CIPHER_R_WRONG_FINAL_BLOCK_LENGTH 123
+#define CIPHER_R_NO_DIRECTION_SET 124
#endif /* OPENSSL_HEADER_CIPHER_H */
diff --git a/src/include/openssl/cmac.h b/src/include/openssl/cmac.h
new file mode 100644
index 0000000..183f41b
--- /dev/null
+++ b/src/include/openssl/cmac.h
@@ -0,0 +1,76 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CMAC_H
+#define OPENSSL_HEADER_CMAC_H
+
+#include <openssl/base.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* CMAC.
+ *
+ * CMAC is a MAC based on AES-CBC and defined in
+ * https://tools.ietf.org/html/rfc4493#section-2.3. */
+
+
+/* One-shot functions. */
+
+/* AES_CMAC calculates the 16-byte, CMAC authenticator of |in_len| bytes of
+ * |in| and writes it to |out|. The |key_len| may be 16 or 32 bytes to select
+ * between AES-128 and AES-256. It returns one on success or zero on error. */
+OPENSSL_EXPORT int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,
+ const uint8_t *in, size_t in_len);
+
+
+/* Incremental interface. */
+
+/* CMAC_CTX_new allocates a fresh |CMAC_CTX| and returns it, or NULL on
+ * error. */
+OPENSSL_EXPORT CMAC_CTX *CMAC_CTX_new(void);
+
+/* CMAC_CTX_free frees a |CMAC_CTX|. */
+OPENSSL_EXPORT void CMAC_CTX_free(CMAC_CTX *ctx);
+
+/* CMAC_Init configures |ctx| to use the given |key| and |cipher|. The CMAC RFC
+ * only specifies the use of AES-128 thus |key_len| should be 16 and |cipher|
+ * should be |EVP_aes_128_cbc()|. However, this implementation also supports
+ * AES-256 by setting |key_len| to 32 and |cipher| to |EVP_aes_256_cbc()|. The
+ * |engine| argument is ignored.
+ *
+ * It returns one on success or zero on error. */
+OPENSSL_EXPORT int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,
+ const EVP_CIPHER *cipher, ENGINE *engine);
+
+
+/* CMAC_Reset resets |ctx| so that a fresh message can be authenticated. */
+OPENSSL_EXPORT int CMAC_Reset(CMAC_CTX *ctx);
+
+/* CMAC_Update processes |in_len| bytes of message from |in|. It returns one on
+ * success or zero on error. */
+OPENSSL_EXPORT int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len);
+
+/* CMAC_Final sets |*out_len| to 16 and, if |out| is not NULL, writes 16 bytes
+ * of authenticator to it. It returns one on success or zero on error. */
+OPENSSL_EXPORT int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len);
+
+
+#if defined(__cplusplus)
+} /* extern C */
+#endif
+
+#endif /* OPENSSL_HEADER_CBC_H */
diff --git a/src/include/openssl/conf.h b/src/include/openssl/conf.h
index 0918c0c..84fc94f 100644
--- a/src/include/openssl/conf.h
+++ b/src/include/openssl/conf.h
@@ -79,19 +79,20 @@
*
* Config files are representated by a |CONF|. */
-typedef struct {
+struct conf_value_st {
char *section;
char *name;
char *value;
-} CONF_VALUE;
+};
struct conf_st {
LHASH_OF(CONF_VALUE) *data;
};
-/* NCONF_new returns a fresh, empty |CONF|, or NULL on error. */
-CONF *NCONF_new(void);
+/* NCONF_new returns a fresh, empty |CONF|, or NULL on error. The |method|
+ * argument must be NULL. */
+CONF *NCONF_new(void *method);
/* NCONF_free frees all the data owned by |conf| and then |conf| itself. */
void NCONF_free(CONF *conf);
@@ -102,6 +103,10 @@
* number of the line that contained the error. */
int NCONF_load(CONF *conf, const char *filename, long *out_error_line);
+/* NCONF_load_bio acts like |NCONF_load| but reads from |bio| rather than from
+ * a named file. */
+int NCONF_load_bio(CONF *conf, BIO *bio, long *out_error_line);
+
/* NCONF_get_section returns a stack of values for a given section in |conf|.
* If |section| is NULL, the default section is returned. It returns NULL on
* error. */
@@ -131,14 +136,14 @@
#endif
#define CONF_F_CONF_parse_list 100
-#define CONF_F_str_copy 101
+#define CONF_F_NCONF_load 101
#define CONF_F_def_load_bio 102
-#define CONF_F_NCONF_load 103
-#define CONF_R_MISSING_EQUAL_SIGN 100
-#define CONF_R_LIST_CANNOT_BE_NULL 101
-#define CONF_R_NO_CLOSE_BRACE 102
-#define CONF_R_VARIABLE_HAS_NO_VALUE 103
+#define CONF_F_str_copy 103
+#define CONF_R_LIST_CANNOT_BE_NULL 100
+#define CONF_R_MISSING_CLOSE_SQUARE_BRACKET 101
+#define CONF_R_MISSING_EQUAL_SIGN 102
+#define CONF_R_NO_CLOSE_BRACE 103
#define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 104
-#define CONF_R_MISSING_CLOSE_SQUARE_BRACKET 105
+#define CONF_R_VARIABLE_HAS_NO_VALUE 105
#endif /* OPENSSL_HEADER_THREAD_H */
diff --git a/src/include/openssl/cpu.h b/src/include/openssl/cpu.h
index 79441ae..83ec473 100644
--- a/src/include/openssl/cpu.h
+++ b/src/include/openssl/cpu.h
@@ -78,7 +78,6 @@
* Index 0:
* EDX for CPUID where EAX = 1
* Bit 30 is used to indicate an Intel CPU
- * Bit 20 is used to indicate RC4_CHAR
* Index 1:
* ECX for CPUID where EAX = 1
* Index 2:
diff --git a/src/include/openssl/crypto.h b/src/include/openssl/crypto.h
index e58d5f0..5c974f8 100644
--- a/src/include/openssl/crypto.h
+++ b/src/include/openssl/crypto.h
@@ -17,8 +17,11 @@
#include <openssl/base.h>
+/* Upstream OpenSSL defines |OPENSSL_malloc|, etc., in crypto.h rather than
+ * mem.h. */
#include <openssl/mem.h>
+
#if defined(__cplusplus)
extern "C" {
#endif
@@ -32,6 +35,9 @@
* nothing and a static initializer is used instead. */
OPENSSL_EXPORT void CRYPTO_library_init(void);
+
+/* Deprecated functions. */
+
#define OPENSSL_VERSION_TEXT "BoringSSL"
#define SSLEAY_VERSION 0
@@ -48,9 +54,9 @@
} /* extern C */
#endif
-#define CRYPTO_F_CRYPTO_set_ex_data 100
-#define CRYPTO_F_get_class 101
-#define CRYPTO_F_get_new_index 102
+#define CRYPTO_F_CRYPTO_get_ex_new_index 100
+#define CRYPTO_F_CRYPTO_set_ex_data 101
+#define CRYPTO_F_get_class 102
#define CRYPTO_F_get_func_pointers 103
#endif /* OPENSSL_HEADER_CRYPTO_H */
diff --git a/src/include/openssl/des.h b/src/include/openssl/des.h
index 1f0dbad..f3804c3 100644
--- a/src/include/openssl/des.h
+++ b/src/include/openssl/des.h
@@ -94,6 +94,10 @@
OPENSSL_EXPORT void DES_set_key(const DES_cblock *key,
DES_key_schedule *schedule);
+/* DES_set_odd_parity sets the parity bits (the least-significant bits in each
+ * byte) of |key| given the other bits in each byte. */
+OPENSSL_EXPORT void DES_set_odd_parity(DES_cblock *key);
+
/* DES_ecb_encrypt encrypts (or decrypts, if |is_encrypt| is |DES_DECRYPT|) a
* single DES block (8 bytes) from in to out, using the key configured in
* |schedule|. */
@@ -108,6 +112,15 @@
const DES_key_schedule *schedule,
DES_cblock *ivec, int enc);
+/* DES_ecb3_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) a single
+ * block (8 bytes) of data from |input| to |output| using 3DES. */
+OPENSSL_EXPORT void DES_ecb3_encrypt(const DES_cblock *input,
+ DES_cblock *output,
+ const DES_key_schedule *ks1,
+ const DES_key_schedule *ks2,
+ const DES_key_schedule *ks3,
+ int enc);
+
/* DES_ede3_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|
* bytes from |in| to |out| with 3DES in CBC mode. 3DES uses three keys, thus
* the function takes three different |DES_key_schedule|s. */
diff --git a/src/include/openssl/dh.h b/src/include/openssl/dh.h
index 9d8bda2..60a030d 100644
--- a/src/include/openssl/dh.h
+++ b/src/include/openssl/dh.h
@@ -61,6 +61,7 @@
#include <openssl/engine.h>
#include <openssl/ex_data.h>
+#include <openssl/thread.h>
#if defined(__cplusplus)
extern "C" {
@@ -144,6 +145,10 @@
#define DH_CHECK_INVALID_Q_VALUE 0x20
#define DH_CHECK_INVALID_J_VALUE 0x40
+/* These are compatibility defines. */
+#define DH_NOT_SUITABLE_GENERATOR DH_CHECK_NOT_SUITABLE_GENERATOR
+#define DH_UNABLE_TO_CHECK_GENERATOR DH_CHECK_UNABLE_TO_CHECK_GENERATOR
+
/* DH_check checks the suitability of |dh| as a Diffie-Hellman group. and sets
* |DH_CHECK_*| flags in |*out_flags| if it finds any errors. It returns one if
* |*out_flags| was successfully set and zero on error.
@@ -185,7 +190,7 @@
/* ex_data functions.
*
- * These functions are wrappers. See |ex_data.h| for details. */
+ * See |ex_data.h| for details. */
OPENSSL_EXPORT int DH_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_new *new_func,
@@ -232,6 +237,8 @@
/* priv_length contains the length, in bits, of the private value. If zero,
* the private value will be the same length as |p|. */
unsigned priv_length;
+
+ CRYPTO_MUTEX method_mont_p_lock;
BN_MONT_CTX *method_mont_p;
/* Place holders if we want to do X9.42 DH */
@@ -251,12 +258,12 @@
} /* extern C */
#endif
-#define DH_F_generate_parameters 100
-#define DH_F_generate_key 101
-#define DH_F_compute_key 102
-#define DH_F_DH_new_method 103
-#define DH_R_INVALID_PUBKEY 100
-#define DH_R_BAD_GENERATOR 101
+#define DH_F_DH_new_method 100
+#define DH_F_compute_key 101
+#define DH_F_generate_key 102
+#define DH_F_generate_parameters 103
+#define DH_R_BAD_GENERATOR 100
+#define DH_R_INVALID_PUBKEY 101
#define DH_R_MODULUS_TOO_LARGE 102
#define DH_R_NO_PRIVATE_VALUE 103
diff --git a/src/include/openssl/digest.h b/src/include/openssl/digest.h
index 95a35e7..8285dce 100644
--- a/src/include/openssl/digest.h
+++ b/src/include/openssl/digest.h
@@ -171,12 +171,9 @@
* These functions allow code to learn details about an abstract hash
* function. */
-/* EVP_MD_type returns a NID identifing |md|. (For example, |NID_md5|.) */
+/* EVP_MD_type returns a NID identifing |md|. (For example, |NID_sha256|.) */
OPENSSL_EXPORT int EVP_MD_type(const EVP_MD *md);
-/* EVP_MD_name returns the short name for |md| or NULL if no name is known. */
-OPENSSL_EXPORT const char *EVP_MD_name(const EVP_MD *md);
-
/* EVP_MD_flags returns the flags for |md|, which is a set of |EVP_MD_FLAG_*|
* values, ORed together. */
OPENSSL_EXPORT uint32_t EVP_MD_flags(const EVP_MD *md);
@@ -224,7 +221,7 @@
OPENSSL_EXPORT unsigned EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx);
/* EVP_MD_CTX_type returns a NID describing the digest function used by |ctx|.
- * (For example, |NID_md5|.) It will crash if a digest hasn't been set on
+ * (For example, |NID_sha256|.) It will crash if a digest hasn't been set on
* |ctx|. */
OPENSSL_EXPORT int EVP_MD_CTX_type(const EVP_MD_CTX *ctx);
diff --git a/src/include/openssl/dsa.h b/src/include/openssl/dsa.h
index 8a182c2..2271915 100644
--- a/src/include/openssl/dsa.h
+++ b/src/include/openssl/dsa.h
@@ -64,6 +64,7 @@
#include <openssl/engine.h>
#include <openssl/ex_data.h>
+#include <openssl/thread.h>
#if defined(__cplusplus)
extern "C" {
@@ -301,7 +302,7 @@
/* ex_data functions.
*
- * These functions are wrappers. See |ex_data.h| for details. */
+ * See |ex_data.h| for details. */
OPENSSL_EXPORT int DSA_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_new *new_func,
@@ -351,6 +352,7 @@
int flags;
/* Normally used to cache montgomery values */
+ CRYPTO_MUTEX method_mont_p_lock;
BN_MONT_CTX *method_mont_p;
int references;
CRYPTO_EX_DATA ex_data;
@@ -364,14 +366,14 @@
} /* extern C */
#endif
-#define DSA_F_sign 100
-#define DSA_F_verify 101
-#define DSA_F_dsa_sig_cb 102
-#define DSA_F_DSA_new_method 103
-#define DSA_F_sign_setup 104
-#define DSA_R_NEED_NEW_SETUP_VALUES 100
-#define DSA_R_BAD_Q_VALUE 101
+#define DSA_F_DSA_new_method 100
+#define DSA_F_dsa_sig_cb 101
+#define DSA_F_sign 102
+#define DSA_F_sign_setup 103
+#define DSA_F_verify 104
+#define DSA_R_BAD_Q_VALUE 100
+#define DSA_R_MISSING_PARAMETERS 101
#define DSA_R_MODULUS_TOO_LARGE 102
-#define DSA_R_MISSING_PARAMETERS 103
+#define DSA_R_NEED_NEW_SETUP_VALUES 103
#endif /* OPENSSL_HEADER_DSA_H */
diff --git a/src/include/openssl/dtls1.h b/src/include/openssl/dtls1.h
index 0fc3ae6..38ca801 100644
--- a/src/include/openssl/dtls1.h
+++ b/src/include/openssl/dtls1.h
@@ -1,255 +1,16 @@
-/* ssl/dtls1.h */
-/*
- * DTLS implementation written by Nagendra Modadugu
- * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
- */
-/* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
+/* Copyright (c) 2015, Google Inc.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-#ifndef HEADER_DTLS1_H
-#define HEADER_DTLS1_H
-
-#include <openssl/base.h>
-#include <openssl/buf.h>
-#include <openssl/pqueue.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-#define DTLS1_VERSION 0xFEFF
-#define DTLS1_2_VERSION 0xFEFD
-
-/* lengths of messages */
-#define DTLS1_COOKIE_LENGTH 256
-
-#define DTLS1_RT_HEADER_LENGTH 13
-
-#define DTLS1_HM_HEADER_LENGTH 12
-
-#define DTLS1_HM_BAD_FRAGMENT -2
-#define DTLS1_HM_FRAGMENT_RETRY -3
-
-#define DTLS1_CCS_HEADER_LENGTH 1
-
-#define DTLS1_AL_HEADER_LENGTH 2
-
-#ifndef OPENSSL_NO_SSL_INTERN
-
-
-#if defined(OPENSSL_WINDOWS)
-/* Because of Windows header issues, we can't get the normal declaration of
- * timeval. */
-typedef struct OPENSSL_timeval_st {
- long tv_sec;
- long tv_usec;
-} OPENSSL_timeval;
-#else
-#include <sys/time.h>
-typedef struct timeval OPENSSL_timeval;
-#endif
-
-typedef struct dtls1_bitmap_st
- {
- /* map is a bit mask of the last 64 sequence numbers. Bit
- * |1<<i| corresponds to |max_seq_num - i|. */
- uint64_t map;
- /* max_seq_num is the largest sequence number seen so far. It
- * is a 64-bit value in big-endian encoding. */
- uint8_t max_seq_num[8];
- } DTLS1_BITMAP;
-
-struct dtls1_retransmit_state
- {
- SSL_AEAD_CTX *aead_write_ctx;
- SSL_SESSION *session;
- unsigned short epoch;
- };
-
-struct hm_header_st
- {
- unsigned char type;
- unsigned long msg_len;
- unsigned short seq;
- unsigned long frag_off;
- unsigned long frag_len;
- unsigned int is_ccs;
- struct dtls1_retransmit_state saved_retransmit_state;
- };
-
-struct ccs_header_st
- {
- unsigned char type;
- unsigned short seq;
- };
-
-struct dtls1_timeout_st
- {
- /* Number of read timeouts so far */
- unsigned int read_timeouts;
-
- /* Number of write timeouts so far */
- unsigned int write_timeouts;
-
- /* Number of alerts received so far */
- unsigned int num_alerts;
- };
-
-typedef struct record_pqueue_st
- {
- unsigned short epoch;
- pqueue q;
- } record_pqueue;
-
-typedef struct hm_fragment_st
- {
- struct hm_header_st msg_header;
- unsigned char *fragment;
- unsigned char *reassembly;
- } hm_fragment;
-
-typedef struct dtls1_state_st
- {
- /* send_cookie is true if we are resending the ClientHello
- * with a cookie from a HelloVerifyRequest. */
- unsigned int send_cookie;
-
- uint8_t cookie[DTLS1_COOKIE_LENGTH];
- size_t cookie_len;
-
- /*
- * The current data and handshake epoch. This is initially
- * undefined, and starts at zero once the initial handshake is
- * completed
- */
- unsigned short r_epoch;
- unsigned short w_epoch;
-
- /* records being received in the current epoch */
- DTLS1_BITMAP bitmap;
-
- /* renegotiation starts a new set of sequence numbers */
- DTLS1_BITMAP next_bitmap;
-
- /* handshake message numbers */
- unsigned short handshake_write_seq;
- unsigned short next_handshake_write_seq;
-
- unsigned short handshake_read_seq;
-
- /* save last sequence number for retransmissions */
- unsigned char last_write_sequence[8];
-
- /* Received handshake records (processed and unprocessed) */
- record_pqueue unprocessed_rcds;
- record_pqueue processed_rcds;
-
- /* Buffered handshake messages */
- pqueue buffered_messages;
-
- /* Buffered (sent) handshake records */
- pqueue sent_messages;
-
- /* Buffered application records.
- * Only for records between CCS and Finished
- * to prevent either protocol violation or
- * unnecessary message loss.
- */
- record_pqueue buffered_app_data;
-
- unsigned int mtu; /* max DTLS packet size */
-
- struct hm_header_st w_msg_hdr;
- struct hm_header_st r_msg_hdr;
-
- struct dtls1_timeout_st timeout;
-
- /* Indicates when the last handshake msg or heartbeat sent will
- * timeout. Because of header issues on Windows, this cannot actually
- * be a struct timeval. */
- OPENSSL_timeval next_timeout;
-
- /* Timeout duration */
- unsigned short timeout_duration;
-
- /* storage for Alert/Handshake protocol data received but not
- * yet processed by ssl3_read_bytes: */
- unsigned char alert_fragment[DTLS1_AL_HEADER_LENGTH];
- unsigned int alert_fragment_len;
- unsigned char handshake_fragment[DTLS1_HM_HEADER_LENGTH];
- unsigned int handshake_fragment_len;
-
- unsigned int change_cipher_spec_ok;
- } DTLS1_STATE;
-
-typedef struct dtls1_record_data_st
- {
- unsigned char *packet;
- unsigned int packet_length;
- SSL3_BUFFER rbuf;
- SSL3_RECORD rrec;
- } DTLS1_RECORD_DATA;
-
-#endif
-
-/* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
-#define DTLS1_TMO_READ_COUNT 2
-#define DTLS1_TMO_WRITE_COUNT 2
-
-#define DTLS1_TMO_ALERT_COUNT 12
-
-#ifdef __cplusplus
-}
-#endif
-#endif
-
+/* This header is provided in order to make compiling against code that expects
+ OpenSSL easier. */
diff --git a/src/include/openssl/ec.h b/src/include/openssl/ec.h
index 2662c01..633b11b 100644
--- a/src/include/openssl/ec.h
+++ b/src/include/openssl/ec.h
@@ -107,10 +107,6 @@
/* EC_GROUP_free frees |group| and the data that it points to. */
OPENSSL_EXPORT void EC_GROUP_free(EC_GROUP *group);
-/* EC_GROUP_copy sets |*dest| equal to |*src|. It returns one on success and
- * zero otherwise. */
-OPENSSL_EXPORT int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src);
-
/* EC_GROUP_dup returns a fresh |EC_GROUP| which is equal to |a| or NULL on
* error. */
OPENSSL_EXPORT EC_GROUP *EC_GROUP_dup(const EC_GROUP *a);
@@ -319,91 +315,99 @@
} /* extern C */
#endif
-#define EC_F_ec_pre_comp_new 100
-#define EC_F_ec_GFp_mont_field_decode 101
-#define EC_F_ec_group_new_from_data 102
-#define EC_F_ec_GFp_simple_point_get_affine_coordinates 103
-#define EC_F_ec_GFp_simple_make_affine 104
-#define EC_F_EC_KEY_new_method 105
-#define EC_F_ec_GFp_mont_field_encode 106
-#define EC_F_EC_GROUP_new_by_curve_name 107
-#define EC_F_ec_group_new 108
-#define EC_F_ec_asn1_group2pkparameters 109
-#define EC_F_EC_POINT_set_compressed_coordinates_GFp 110
-#define EC_F_ec_GFp_mont_field_sqr 111
-#define EC_F_EC_POINT_make_affine 112
-#define EC_F_i2d_ECParameters 113
-#define EC_F_ec_wNAF_mul 114
-#define EC_F_EC_GROUP_copy 115
-#define EC_F_EC_POINT_cmp 116
-#define EC_F_ec_GFp_mont_field_mul 117
-#define EC_F_EC_POINT_dup 118
-#define EC_F_EC_POINT_invert 119
-#define EC_F_ec_GFp_simple_point_set_affine_coordinates 120
-#define EC_F_ec_GFp_simple_points_make_affine 121
-#define EC_F_i2o_ECPublicKey 122
-#define EC_F_EC_KEY_check_key 123
-#define EC_F_ec_wNAF_precompute_mult 124
-#define EC_F_EC_POINT_oct2point 125
-#define EC_F_EC_POINT_is_at_infinity 126
-#define EC_F_EC_POINT_get_affine_coordinates_GFp 127
-#define EC_F_ec_point_set_Jprojective_coordinates_GFp 128
-#define EC_F_o2i_ECPublicKey 129
-#define EC_F_ec_GFp_mont_field_set_to_one 130
-#define EC_F_ec_group_new_curve_GFp 131
-#define EC_F_EC_POINT_dbl 132
-#define EC_F_ec_asn1_pkparameters2group 133
-#define EC_F_i2d_ECPKParameters 134
-#define EC_F_EC_KEY_copy 135
-#define EC_F_EC_POINT_new 136
-#define EC_F_EC_POINT_point2oct 137
-#define EC_F_EC_POINT_copy 138
-#define EC_F_EC_POINT_is_on_curve 139
-#define EC_F_ec_GFp_simple_group_set_curve 140
-#define EC_F_i2d_ECPrivateKey 141
-#define EC_F_d2i_ECParameters 142
-#define EC_F_ec_GFp_mont_group_set_curve 143
-#define EC_F_EC_POINT_set_to_infinity 144
-#define EC_F_EC_POINTs_make_affine 145
-#define EC_F_compute_wNAF 146
-#define EC_F_ec_GFp_simple_point2oct 147
-#define EC_F_EC_GROUP_get_degree 148
-#define EC_F_ec_GFp_simple_group_check_discriminant 149
-#define EC_F_d2i_ECPKParameters 150
-#define EC_F_d2i_ECPrivateKey 151
-#define EC_F_ec_GFp_simple_oct2point 152
-#define EC_F_EC_POINT_set_affine_coordinates_GFp 153
-#define EC_F_EC_KEY_set_public_key_affine_coordinates 154
-#define EC_F_EC_KEY_generate_key 155
-#define EC_F_ec_GFp_simple_set_compressed_coordinates 156
-#define EC_F_EC_POINT_add 157
-#define EC_F_EC_GROUP_get_curve_GFp 158
-#define EC_R_PKPARAMETERS2GROUP_FAILURE 100
-#define EC_R_NON_NAMED_CURVE 101
-#define EC_R_COORDINATES_OUT_OF_RANGE 102
-#define EC_R_POINT_AT_INFINITY 103
-#define EC_R_NOT_INITIALIZED 104
-#define EC_R_MISSING_PRIVATE_KEY 105
-#define EC_R_GROUP2PKPARAMETERS_FAILURE 106
-#define EC_R_INVALID_ENCODING 107
-#define EC_R_BUFFER_TOO_SMALL 108
-#define EC_R_D2I_ECPKPARAMETERS_FAILURE 109
-#define EC_R_INVALID_FORM 110
-#define EC_R_INVALID_PRIVATE_KEY 111
-#define EC_R_INVALID_COMPRESSED_POINT 112
-#define EC_R_MISSING_PARAMETERS 113
-#define EC_R_INVALID_FIELD 114
-#define EC_R_INVALID_COMPRESSION_BIT 115
-#define EC_R_GF2M_NOT_SUPPORTED 116
-#define EC_R_POINT_IS_NOT_ON_CURVE 117
-#define EC_R_UNKNOWN_ORDER 118
-#define EC_R_UNKNOWN_GROUP 119
-#define EC_R_WRONG_ORDER 120
-#define EC_R_UNDEFINED_GENERATOR 121
-#define EC_R_INCOMPATIBLE_OBJECTS 122
-#define EC_R_I2D_ECPKPARAMETERS_FAILURE 123
-#define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 124
-#define EC_R_INVALID_GROUP_ORDER 125
-#define EC_R_SLOT_FULL 126
+#define EC_F_EC_GROUP_copy 100
+#define EC_F_EC_GROUP_get_curve_GFp 101
+#define EC_F_EC_GROUP_get_degree 102
+#define EC_F_EC_GROUP_new_by_curve_name 103
+#define EC_F_EC_KEY_check_key 104
+#define EC_F_EC_KEY_copy 105
+#define EC_F_EC_KEY_generate_key 106
+#define EC_F_EC_KEY_new_method 107
+#define EC_F_EC_KEY_set_public_key_affine_coordinates 108
+#define EC_F_EC_POINT_add 109
+#define EC_F_EC_POINT_cmp 110
+#define EC_F_EC_POINT_copy 111
+#define EC_F_EC_POINT_dbl 112
+#define EC_F_EC_POINT_dup 113
+#define EC_F_EC_POINT_get_affine_coordinates_GFp 114
+#define EC_F_EC_POINT_invert 115
+#define EC_F_EC_POINT_is_at_infinity 116
+#define EC_F_EC_POINT_is_on_curve 117
+#define EC_F_EC_POINT_make_affine 118
+#define EC_F_EC_POINT_new 119
+#define EC_F_EC_POINT_oct2point 120
+#define EC_F_EC_POINT_point2oct 121
+#define EC_F_EC_POINT_set_affine_coordinates_GFp 122
+#define EC_F_EC_POINT_set_compressed_coordinates_GFp 123
+#define EC_F_EC_POINT_set_to_infinity 124
+#define EC_F_EC_POINTs_make_affine 125
+#define EC_F_compute_wNAF 126
+#define EC_F_d2i_ECPKParameters 127
+#define EC_F_d2i_ECParameters 128
+#define EC_F_d2i_ECPrivateKey 129
+#define EC_F_ec_GFp_mont_field_decode 130
+#define EC_F_ec_GFp_mont_field_encode 131
+#define EC_F_ec_GFp_mont_field_mul 132
+#define EC_F_ec_GFp_mont_field_set_to_one 133
+#define EC_F_ec_GFp_mont_field_sqr 134
+#define EC_F_ec_GFp_mont_group_set_curve 135
+#define EC_F_ec_GFp_simple_group_check_discriminant 136
+#define EC_F_ec_GFp_simple_group_set_curve 137
+#define EC_F_ec_GFp_simple_make_affine 138
+#define EC_F_ec_GFp_simple_oct2point 139
+#define EC_F_ec_GFp_simple_point2oct 140
+#define EC_F_ec_GFp_simple_point_get_affine_coordinates 141
+#define EC_F_ec_GFp_simple_point_set_affine_coordinates 142
+#define EC_F_ec_GFp_simple_points_make_affine 143
+#define EC_F_ec_GFp_simple_set_compressed_coordinates 144
+#define EC_F_ec_asn1_group2pkparameters 145
+#define EC_F_ec_asn1_pkparameters2group 146
+#define EC_F_ec_group_new 147
+#define EC_F_ec_group_new_curve_GFp 148
+#define EC_F_ec_group_new_from_data 149
+#define EC_F_ec_point_set_Jprojective_coordinates_GFp 150
+#define EC_F_ec_pre_comp_new 151
+#define EC_F_ec_wNAF_mul 152
+#define EC_F_ec_wNAF_precompute_mult 153
+#define EC_F_i2d_ECPKParameters 154
+#define EC_F_i2d_ECParameters 155
+#define EC_F_i2d_ECPrivateKey 156
+#define EC_F_i2o_ECPublicKey 157
+#define EC_F_o2i_ECPublicKey 158
+#define EC_F_BN_to_felem 159
+#define EC_F_ec_GFp_nistp256_group_set_curve 160
+#define EC_F_ec_GFp_nistp256_point_get_affine_coordinates 161
+#define EC_F_ec_GFp_nistp256_points_mul 162
+#define EC_F_ec_group_copy 163
+#define EC_F_nistp256_pre_comp_new 164
+#define EC_F_EC_KEY_new_by_curve_name 165
+#define EC_R_BUFFER_TOO_SMALL 100
+#define EC_R_COORDINATES_OUT_OF_RANGE 101
+#define EC_R_D2I_ECPKPARAMETERS_FAILURE 102
+#define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 103
+#define EC_R_GROUP2PKPARAMETERS_FAILURE 104
+#define EC_R_I2D_ECPKPARAMETERS_FAILURE 105
+#define EC_R_INCOMPATIBLE_OBJECTS 106
+#define EC_R_INVALID_COMPRESSED_POINT 107
+#define EC_R_INVALID_COMPRESSION_BIT 108
+#define EC_R_INVALID_ENCODING 109
+#define EC_R_INVALID_FIELD 110
+#define EC_R_INVALID_FORM 111
+#define EC_R_INVALID_GROUP_ORDER 112
+#define EC_R_INVALID_PRIVATE_KEY 113
+#define EC_R_MISSING_PARAMETERS 114
+#define EC_R_MISSING_PRIVATE_KEY 115
+#define EC_R_NON_NAMED_CURVE 116
+#define EC_R_NOT_INITIALIZED 117
+#define EC_R_PKPARAMETERS2GROUP_FAILURE 118
+#define EC_R_POINT_AT_INFINITY 119
+#define EC_R_POINT_IS_NOT_ON_CURVE 120
+#define EC_R_SLOT_FULL 121
+#define EC_R_UNDEFINED_GENERATOR 122
+#define EC_R_UNKNOWN_GROUP 123
+#define EC_R_UNKNOWN_ORDER 124
+#define EC_R_WRONG_ORDER 125
+#define EC_R_BIGNUM_OUT_OF_RANGE 126
+#define EC_R_WRONG_CURVE_PARAMETERS 127
#endif /* OPENSSL_HEADER_EC_H */
diff --git a/src/include/openssl/ec_key.h b/src/include/openssl/ec_key.h
index 115c0cd..ee64030 100644
--- a/src/include/openssl/ec_key.h
+++ b/src/include/openssl/ec_key.h
@@ -79,7 +79,7 @@
#endif
-/* ec_key.h conatins functions that handle elliptic-curve points that are
+/* ec_key.h contains functions that handle elliptic-curve points that are
* public/private keys. */
diff --git a/src/include/openssl/ecdh.h b/src/include/openssl/ecdh.h
index 46cf839..27a8578 100644
--- a/src/include/openssl/ecdh.h
+++ b/src/include/openssl/ecdh.h
@@ -96,8 +96,8 @@
#endif
#define ECDH_F_ECDH_compute_key 100
-#define ECDH_R_POINT_ARITHMETIC_FAILURE 100
-#define ECDH_R_KDF_FAILED 101
-#define ECDH_R_NO_PRIVATE_VALUE 102
+#define ECDH_R_KDF_FAILED 100
+#define ECDH_R_NO_PRIVATE_VALUE 101
+#define ECDH_R_POINT_ARITHMETIC_FAILURE 102
#endif /* OPENSSL_HEADER_ECDH_H */
diff --git a/src/include/openssl/ecdsa.h b/src/include/openssl/ecdsa.h
index f3ff49f..e045463 100644
--- a/src/include/openssl/ecdsa.h
+++ b/src/include/openssl/ecdsa.h
@@ -107,17 +107,13 @@
OPENSSL_EXPORT void ECDSA_SIG_free(ECDSA_SIG *sig);
/* ECDSA_sign signs |digest_len| bytes from |digest| with |key| and returns the
- * resulting signature structure, or NULL on error.
- *
- * TODO(fork): remove this function. */
+ * resulting signature structure, or NULL on error. */
OPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest,
size_t digest_len, EC_KEY *key);
/* ECDSA_verify verifies that |sig| constitutes a valid signature by |key| of
* |digest|. It returns one on success or zero if the signature is invalid or
- * on error.
- *
- * TODO(fork): remove this function. */
+ * on error. */
OPENSSL_EXPORT int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
const ECDSA_SIG *sig, EC_KEY *key);
@@ -172,16 +168,15 @@
} /* extern C */
#endif
-#define ECDSA_F_digest_to_bn 100
+#define ECDSA_F_ECDSA_do_sign_ex 100
#define ECDSA_F_ECDSA_do_verify 101
-#define ECDSA_F_ECDSA_sign_setup 102
-#define ECDSA_F_ECDSA_do_sign_ex 103
-#define ECDSA_F_ECDSA_sign_ex 104
-#define ECDSA_F_ecdsa_sign_setup 105
-#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 100
-#define ECDSA_R_NEED_NEW_SETUP_VALUES 101
-#define ECDSA_R_MISSING_PARAMETERS 102
-#define ECDSA_R_BAD_SIGNATURE 103
-#define ECDSA_R_NOT_IMPLEMENTED 104
+#define ECDSA_F_ECDSA_sign_ex 102
+#define ECDSA_F_digest_to_bn 103
+#define ECDSA_F_ecdsa_sign_setup 104
+#define ECDSA_R_BAD_SIGNATURE 100
+#define ECDSA_R_MISSING_PARAMETERS 101
+#define ECDSA_R_NEED_NEW_SETUP_VALUES 102
+#define ECDSA_R_NOT_IMPLEMENTED 103
+#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104
#endif /* OPENSSL_HEADER_ECDSA_H */
diff --git a/src/include/openssl/engine.h b/src/include/openssl/engine.h
index 4a4f37d..da242f6 100644
--- a/src/include/openssl/engine.h
+++ b/src/include/openssl/engine.h
@@ -78,12 +78,14 @@
* These functions take a void* type but actually operate on all method
* structures. */
-/* METHOD_ref increments the reference count of |method|. */
-OPENSSL_EXPORT void METHOD_ref(void *method);
+/* METHOD_ref increments the reference count of |method|. This is a no-op for
+ * now because all methods are currently static. */
+void METHOD_ref(void *method);
/* METHOD_unref decrements the reference count of |method| and frees it if the
- * reference count drops to zero. */
-OPENSSL_EXPORT void METHOD_unref(void *method);
+ * reference count drops to zero. This is a no-op for now because all methods
+ * are currently static. */
+void METHOD_unref(void *method);
/* Private functions. */
diff --git a/src/include/openssl/err.h b/src/include/openssl/err.h
index c749659..e591534 100644
--- a/src/include/openssl/err.h
+++ b/src/include/openssl/err.h
@@ -109,9 +109,9 @@
#ifndef OPENSSL_HEADER_ERR_H
#define OPENSSL_HEADER_ERR_H
+#include <stdio.h>
+
#include <openssl/base.h>
-#include <openssl/thread.h>
-#include <openssl/lhash.h>
#if defined(__cplusplus)
extern "C" {
@@ -142,16 +142,18 @@
/* Startup and shutdown. */
-/* ERR_load_crypto_strings initialises the error string hash with builtin
- * values. If this is not called then the string forms of errors produced by
- * the functions below will contain numeric identifiers rather than
- * human-readable strings. */
+/* ERR_load_BIO_strings does nothing.
+ *
+ * TODO(fork): remove. libjingle calls this. */
+OPENSSL_EXPORT void ERR_load_BIO_strings(void);
+
+/* ERR_load_ERR_strings does nothing. */
+OPENSSL_EXPORT void ERR_load_ERR_strings(void);
+
+/* ERR_load_crypto_strings does nothing. */
OPENSSL_EXPORT void ERR_load_crypto_strings(void);
-/* ERR_free_strings frees any memory retained by the error system, expect for
- * per-thread structures which are assumed to have already been freed with
- * |ERR_remove_thread_state|. This should only be called at process
- * shutdown. */
+/* ERR_free_strings does nothing. */
OPENSSL_EXPORT void ERR_free_strings(void);
@@ -257,13 +259,21 @@
void *ctx);
+/* ERR_print_errors_fp prints the current contents of the error stack to |file|
+ * using human readable strings where possible. */
+OPENSSL_EXPORT void ERR_print_errors_fp(FILE *file);
+
/* Clearing errors. */
/* ERR_clear_error clears the error queue for the current thread. */
OPENSSL_EXPORT void ERR_clear_error(void);
-/* ERR_remove_thread_state deletes the error queue for the given thread. If
- * |tid| is NULL then the error queue for the current thread is deleted. */
+/* ERR_remove_thread_state clears the error queue for the current thread if
+ * |tid| is NULL. Otherwise it does nothing because it's no longer possible to
+ * delete the error queue for other threads.
+ *
+ * Error queues are thread-local data and are deleted automatically. You do not
+ * need to call this function. See |ERR_clear_error|. */
OPENSSL_EXPORT void ERR_remove_thread_state(const CRYPTO_THREADID *tid);
@@ -357,9 +367,6 @@
/* ERR_STATE contains the per-thread, error queue. */
typedef struct err_state_st {
- /* tid is the identifier of the thread that owns this queue. */
- CRYPTO_THREADID tid;
-
/* errors contains the ERR_NUM_ERRORS most recent errors, organised as a ring
* buffer. */
struct err_error_st errors[ERR_NUM_ERRORS];
@@ -474,40 +481,6 @@
#define ERR_GET_FUNC(packed_error) ((int)(((packed_error) >> 12) & 0xfff))
#define ERR_GET_REASON(packed_error) ((int)((packed_error) & 0xfff))
-/* ERR_STRING_DATA is the type of an lhash node that contains a mapping from a
- * library, function or reason code to a string representation of it. */
-typedef struct err_string_data_st {
- uint32_t error;
- const char *string;
-} ERR_STRING_DATA;
-
-/* ERR_load_strings loads an array of ERR_STRING_DATA into the hash table. The
- * array must be terminated by an entry with a NULL string. */
-OPENSSL_EXPORT void ERR_load_strings(const ERR_STRING_DATA *str);
-
-/* ERR_FNS_st is a structure of function pointers that contains the actual
- * implementation of the error queue handling functions. */
-struct ERR_FNS_st {
- void (*shutdown)(void (*err_state_free_cb)(ERR_STATE*));
- ERR_STRING_DATA *(*get_item)(uint32_t packed_error);
- ERR_STRING_DATA *(*set_item)(const ERR_STRING_DATA *);
- ERR_STRING_DATA *(*del_item)(uint32_t packed_error);
-
- /* get_state returns the ERR_STATE for the current thread. This function
- * never returns NULL. */
- ERR_STATE *(*get_state)(void);
-
- /* release_state returns the |ERR_STATE| for the given thread, or NULL if
- * none exists. It the return value is not NULL, it also returns ownership of
- * the |ERR_STATE| and deletes it from its data structures. */
- ERR_STATE *(*release_state)(const CRYPTO_THREADID *tid);
-
- /* get_next_library returns a unique value suitable for passing as the
- * |library| to error calls. It will be distinct from all built-in library
- * values. */
- int (*get_next_library)(void);
-};
-
/* OPENSSL_DECLARE_ERROR_REASON is used by util/make_errors.h (which generates
* the error defines) to recognise that an additional reason value is needed.
* This is needed when the reason value is used outside of an
@@ -522,11 +495,6 @@
* ${lib}_F_${reason}. */
#define OPENSSL_DECLARE_ERROR_FUNCTION(lib, function_name)
-/* ERR_load_BIO_strings does nothing.
- *
- * TODO(fork): remove. libjingle calls this. */
-OPENSSL_EXPORT void ERR_load_BIO_strings(void);
-
/* Android compatibility section.
*
diff --git a/src/include/openssl/evp.h b/src/include/openssl/evp.h
index 39da689..54ad4be 100644
--- a/src/include/openssl/evp.h
+++ b/src/include/openssl/evp.h
@@ -58,7 +58,6 @@
#define OPENSSL_HEADER_EVP_H
#include <openssl/base.h>
-#include <openssl/stack.h>
/* OpenSSL included digest and cipher functions in this header so we include
* them for users that still expect that.
@@ -67,9 +66,7 @@
#include <openssl/aead.h>
#include <openssl/cipher.h>
#include <openssl/digest.h>
-#include <openssl/mem.h>
#include <openssl/obj.h>
-#include <openssl/thread.h>
#if defined(__cplusplus)
extern "C" {
@@ -89,6 +86,9 @@
* itself. */
OPENSSL_EXPORT void EVP_PKEY_free(EVP_PKEY *pkey);
+/* EVP_PKEY_up_ref increments the reference count of |pkey| and returns it. */
+OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_up_ref(EVP_PKEY *pkey);
+
/* EVP_PKEY_is_opaque returns one if |pkey| is opaque. Opaque keys are backed by
* custom implementations which do not expose key material and parameters. It is
* an error to attempt to duplicate, export, or compare an opaque key. */
@@ -107,10 +107,6 @@
* function. */
OPENSSL_EXPORT int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
-/* EVP_PKEY_dup adds one to the reference count of |pkey| and returns
- * |pkey|. */
-OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey);
-
/* EVP_PKEY_copy_parameters sets the parameters of |to| to equal the parameters
* of |from|. It returns one on success and zero on error. */
OPENSSL_EXPORT int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
@@ -119,12 +115,15 @@
* parameters or zero if not, or if the algorithm doesn't take parameters. */
OPENSSL_EXPORT int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);
-/* EVP_PKEY_size returns the "size", in bytes, of |pkey|. For example, for an
- * RSA key this returns the number of bytes needed to represent the modulus. */
+/* EVP_PKEY_size returns the maximum size, in bytes, of a signature signed by
+ * |pkey|. For an RSA key, this returns the number of bytes needed to represent
+ * the modulus. For an EC key, this returns the maximum size of a DER-encoded
+ * ECDSA signature. */
OPENSSL_EXPORT int EVP_PKEY_size(const EVP_PKEY *pkey);
-/* EVP_PKEY_bits returns the "size", in bits, of |pkey|. For example, for an
- * RSA key, this returns the bit length of the modulus. */
+/* EVP_PKEY_bits returns the "size", in bits, of |pkey|. For an RSA key, this
+ * returns the bit length of the modulus. For an EC key, this returns the bit
+ * length of the group order. */
OPENSSL_EXPORT int EVP_PKEY_bits(EVP_PKEY *pkey);
/* EVP_PKEY_id returns the type of |pkey|, which is one of the |EVP_PKEY_*|
@@ -444,18 +443,6 @@
* set. */
OPENSSL_EXPORT void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx);
-/* EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype|
- * arguments can be -1 to specify that any type and operation are acceptable,
- * otherwise |keytype| must match the type of |ctx| and the bits of |optype|
- * must intersect the operation flags set on |ctx|.
- *
- * The |p1| and |p2| arguments depend on the value of |cmd|.
- *
- * It returns -2 if |cmd| is not recognised, -1 on error or a |cmd| specific
- * value otherwise. */
-OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
- int cmd, int p1, void *p2);
-
/* EVP_PKEY_sign_init initialises an |EVP_PKEY_CTX| for a signing operation. It
* should be called before |EVP_PKEY_sign|.
*
@@ -569,64 +556,28 @@
OPENSSL_EXPORT int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
-/* EVP_PKEY_CTX_ctrl operations.
- *
- * These values are passed as the |cmd| argument to
- * EVP_PKEY_CTX_ctrl */
-
-/* Generic. */
+/* Generic control functions. */
/* EVP_PKEY_CTX_set_signature_md sets |md| as the digest to be used in a
- * signature operation. It returns one on success or otherwise on error. See
- * the return values of |EVP_PKEY_CTX_ctrl| for details. */
+ * signature operation. It returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx,
const EVP_MD *md);
/* EVP_PKEY_CTX_get_signature_md sets |*out_md| to the digest to be used in a
- * signature operation. It returns one on success or otherwise on error. See
- * the return values of |EVP_PKEY_CTX_ctrl| for details. */
+ * signature operation. It returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx,
const EVP_MD **out_md);
-/* EVP_PKEY_CTRL_DIGESTINIT is an internal value. It's called by
- * EVP_DigestInit_ex to signal the |EVP_PKEY| that a digest operation is
- * starting. */
-#define EVP_PKEY_CTRL_DIGESTINIT 3
-
-/* EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|:
- * 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key.
- * If the return value is <= 0, the key is rejected.
- * 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a
- * peer key. If the return value is <= 0, the key is rejected.
- * 2: Is called with |p2| == NULL to test whether the peer's key was used.
- * (EC)DH always return one in this case.
- * 3: Is called with |p2| == NULL to set whether the peer's key was used.
- * (EC)DH always return one in this case. This was only used for GOST. */
-#define EVP_PKEY_CTRL_PEER_KEY 4
-
-/* EVP_PKEY_CTRL_SET_MAC_KEY sets a MAC key. For example, this can be done an
- * |EVP_PKEY_CTX| prior to calling |EVP_PKEY_keygen| in order to generate an
- * HMAC |EVP_PKEY| with the given key. It returns one on success and zero on
- * error. */
-#define EVP_PKEY_CTRL_SET_MAC_KEY 5
-
-/* EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl
- * commands are numbered. */
-#define EVP_PKEY_ALG_CTRL 0x1000
-
/* RSA specific control functions. */
/* EVP_PKEY_CTX_set_rsa_padding sets the padding type to use. It should be one
- * of the |RSA_*_PADDING| values. Returns one on success or another value on
- * error. See |EVP_PKEY_CTX_ctrl| for the other return values, which are
- * non-standard. */
+ * of the |RSA_*_PADDING| values. Returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding);
/* EVP_PKEY_CTX_get_rsa_padding sets |*out_padding| to the current padding
* value, which is one of the |RSA_*_PADDING| values. Returns one on success or
- * another value on error. See |EVP_PKEY_CTX_ctrl| for the other return values,
- * which are non-standard. */
+ * zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx,
int *out_padding);
@@ -635,8 +586,7 @@
* in the signature. A value of -2 causes the salt to be the maximum length
* that will fit. Otherwise the value gives the size of the salt in bytes.
*
- * Returns one on success or another value on error. See |EVP_PKEY_CTX_ctrl|
- * for the other return values, which are non-standard. */
+ * Returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,
int salt_len);
@@ -645,68 +595,68 @@
* |EVP_PKEY_CTX_set_rsa_pss_saltlen| for details of the special values that it
* can take.
*
- * Returns one on success or another value on error. See |EVP_PKEY_CTX_ctrl|
- * for the other return values, which are non-standard. */
+ * Returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,
int *out_salt_len);
/* EVP_PKEY_CTX_set_rsa_keygen_bits sets the size of the desired RSA modulus,
- * in bits, for key generation. Returns one on success or another value on
- * error. See |EVP_PKEY_CTX_ctrl| for the other return values, which are
- * non-standard. */
+ * in bits, for key generation. Returns one on success or zero on
+ * error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx,
int bits);
/* EVP_PKEY_CTX_set_rsa_keygen_pubexp sets |e| as the public exponent for key
- * generation. Returns one on success or another value on error. See
- * |EVP_PKEY_CTX_ctrl| for the other return values, which are non-standard. */
+ * generation. Returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx,
BIGNUM *e);
/* EVP_PKEY_CTX_set_rsa_oaep_md sets |md| as the digest used in OAEP padding.
- * Returns one on success or another value on error. See |EVP_PKEY_CTX_ctrl|
- * for the other return values, which are non-standard. */
+ * Returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx,
const EVP_MD *md);
/* EVP_PKEY_CTX_get_rsa_oaep_md sets |*out_md| to the digest function used in
- * OAEP padding. Returns one on success or another value on error. See
- * |EVP_PKEY_CTX_ctrl| for the other return values, which are non-standard. */
+ * OAEP padding. Returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx,
const EVP_MD **out_md);
/* EVP_PKEY_CTX_set_rsa_mgf1_md sets |md| as the digest used in MGF1. Returns
- * one on success or another value on error. See |EVP_PKEY_CTX_ctrl| for the
- * other return values, which are non-standard. */
+ * one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx,
const EVP_MD *md);
/* EVP_PKEY_CTX_get_rsa_mgf1_md sets |*out_md| to the digest function used in
- * MGF1. Returns one on success or another value on error. See
- * |EVP_PKEY_CTX_ctrl| for the other return values, which are non-standard. */
+ * MGF1. Returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx,
const EVP_MD **out_md);
/* EVP_PKEY_CTX_set0_rsa_oaep_label sets |label_len| bytes from |label| as the
- * label used in OAEP. DANGER: this call takes ownership of |label| and will
- * call |free| on it when |ctx| is destroyed.
+ * label used in OAEP. DANGER: On success, this call takes ownership of |label|
+ * and will call |OPENSSL_free| on it when |ctx| is destroyed.
*
- * Returns one on success or another value on error. See |EVP_PKEY_CTX_ctrl|
- * for the other return values, which are non-standard. */
+ * Returns one on success or zero on error. */
OPENSSL_EXPORT int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
const uint8_t *label,
size_t label_len);
/* EVP_PKEY_CTX_get0_rsa_oaep_label sets |*out_label| to point to the internal
* buffer containing the OAEP label (which may be NULL) and returns the length
- * of the label or a negative value on error. */
+ * of the label or a negative value on error.
+ *
+ * WARNING: the return value differs from the usual return value convention. */
OPENSSL_EXPORT int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
const uint8_t **out_label);
-/* EC specific */
+/* Deprecated functions. */
-#define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID (EVP_PKEY_ALG_CTRL + 1)
+/* EVP_PKEY_dup adds one to the reference count of |pkey| and returns
+ * |pkey|.
+ *
+ * WARNING: this is a |_dup| function that doesn't actually duplicate! Use
+ * |EVP_PKEY_up_ref| if you want to increment the reference count without
+ * confusion. */
+OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey);
/* Private functions */
@@ -734,9 +684,6 @@
* which element (if any) of the |pkey| union is valid. */
int type;
- /* TODO(fork): document */
- int save_type;
-
union {
char *ptr;
struct rsa_st *rsa; /* RSA */
@@ -745,16 +692,9 @@
struct ec_key_st *ec; /* ECC */
} pkey;
- ENGINE *engine;
-
- /* TODO(fork): document */
- int save_parameters;
/* ameth contains a pointer to a method table that contains many ASN.1
* methods for the key type. */
const EVP_PKEY_ASN1_METHOD *ameth;
-
- /* TODO(fork): document; */
- STACK_OF(X509_ATTRIBUTE) * attributes; /* [ 0 ] */
} /* EVP_PKEY */;
@@ -762,105 +702,105 @@
} /* extern C */
#endif
-#define EVP_F_rsa_item_verify 100
-#define EVP_F_do_sigver_init 101
-#define EVP_F_eckey_priv_decode 102
-#define EVP_F_pkey_ec_sign 103
-#define EVP_F_EVP_PKEY_sign_init 104
-#define EVP_F_d2i_PrivateKey 105
-#define EVP_F_rsa_priv_encode 106
-#define EVP_F_rsa_mgf1_to_md 107
-#define EVP_F_EVP_PKEY_get1_DH 108
-#define EVP_F_EVP_PKEY_sign 109
-#define EVP_F_old_ec_priv_decode 110
-#define EVP_F_EVP_PKEY_get1_RSA 111
-#define EVP_F_pkey_ec_ctrl 112
-#define EVP_F_evp_pkey_ctx_new 113
-#define EVP_F_EVP_PKEY_verify 114
-#define EVP_F_EVP_PKEY_encrypt 115
+#define EVP_F_EVP_PKEY_derive_init 108
+#define EVP_F_EVP_PKEY_encrypt 110
+#define EVP_F_EVP_PKEY_encrypt_init 111
+#define EVP_F_EVP_PKEY_get1_DH 112
+#define EVP_F_EVP_PKEY_get1_EC_KEY 114
+#define EVP_F_EVP_PKEY_get1_RSA 115
#define EVP_F_EVP_PKEY_keygen 116
-#define EVP_F_eckey_type2param 117
-#define EVP_F_eckey_priv_encode 118
-#define EVP_F_do_EC_KEY_print 119
-#define EVP_F_pkey_ec_keygen 120
-#define EVP_F_EVP_PKEY_encrypt_init 121
-#define EVP_F_pkey_rsa_ctrl 122
-#define EVP_F_rsa_priv_decode 123
-#define EVP_F_rsa_pss_to_ctx 124
-#define EVP_F_EVP_PKEY_get1_EC_KEY 125
-#define EVP_F_EVP_PKEY_verify_init 126
-#define EVP_F_EVP_PKEY_derive_init 127
-#define EVP_F_eckey_param2type 128
-#define EVP_F_eckey_pub_decode 129
-#define EVP_F_d2i_AutoPrivateKey 130
+#define EVP_F_EVP_PKEY_sign 120
+#define EVP_F_EVP_PKEY_sign_init 121
+#define EVP_F_EVP_PKEY_verify 122
+#define EVP_F_EVP_PKEY_verify_init 123
+#define EVP_F_d2i_AutoPrivateKey 125
+#define EVP_F_d2i_PrivateKey 126
+#define EVP_F_do_EC_KEY_print 127
+#define EVP_F_do_sigver_init 129
+#define EVP_F_eckey_param2type 130
#define EVP_F_eckey_param_decode 131
-#define EVP_F_EVP_PKEY_new 132
-#define EVP_F_pkey_ec_derive 133
-#define EVP_F_pkey_ec_paramgen 134
-#define EVP_F_EVP_PKEY_CTX_ctrl 135
-#define EVP_F_EVP_PKEY_decrypt_init 136
-#define EVP_F_EVP_PKEY_decrypt 137
-#define EVP_F_EVP_PKEY_copy_parameters 138
-#define EVP_F_EVP_PKEY_set_type 139
-#define EVP_F_EVP_PKEY_derive 140
-#define EVP_F_EVP_PKEY_keygen_init 141
-#define EVP_F_do_rsa_print 142
-#define EVP_F_old_rsa_priv_decode 143
-#define EVP_F_rsa_algor_to_md 144
-#define EVP_F_eckey_pub_encode 145
-#define EVP_F_EVP_PKEY_derive_set_peer 146
-#define EVP_F_pkey_rsa_sign 147
-#define EVP_F_check_padding_md 148
-#define EVP_F_i2d_PublicKey 149
-#define EVP_F_rsa_pub_decode 150
-#define EVP_F_EVP_PKEY_get1_DSA 151
-#define EVP_F_pkey_rsa_encrypt 152
-#define EVP_F_pkey_rsa_decrypt 153
-#define EVP_F_hmac_signctx 154
-#define EVP_F_EVP_DigestVerifyInitFromAlgorithm 155
-#define EVP_F_EVP_DigestSignAlgorithm 156
-#define EVP_F_rsa_digest_verify_init_from_algorithm 157
-#define EVP_F_EVP_PKEY_CTX_dup 158
-#define EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE 100
-#define EVP_R_UNSUPPORTED_SIGNATURE_TYPE 101
-#define EVP_R_INVALID_DIGEST_TYPE 102
-#define EVP_R_EXPECTING_A_DH_KEY 103
-#define EVP_R_OPERATON_NOT_INITIALIZED 104
-#define EVP_R_MISSING_PARAMETERS 105
-#define EVP_R_NO_DEFAULT_DIGEST 106
-#define EVP_R_UNKNOWN_DIGEST 107
-#define EVP_R_KEYS_NOT_SET 108
-#define EVP_R_X931_UNSUPPORTED 109
-#define EVP_R_DIGEST_DOES_NOT_MATCH 110
-#define EVP_R_DIFFERENT_PARAMETERS 111
-#define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 112
-#define EVP_R_DIFFERENT_KEY_TYPES 113
-#define EVP_R_NO_PARAMETERS_SET 114
-#define EVP_R_NO_NID_FOR_CURVE 115
-#define EVP_R_NO_OPERATION_SET 116
-#define EVP_R_UNSUPPORTED_ALGORITHM 117
-#define EVP_R_EXPECTING_AN_DSA_KEY 118
-#define EVP_R_UNKNOWN_MASK_DIGEST 119
-#define EVP_R_INVALID_SALT_LENGTH 120
-#define EVP_R_BUFFER_TOO_SMALL 121
-#define EVP_R_INVALID_PADDING_MODE 122
-#define EVP_R_INVALID_MGF1_MD 123
-#define EVP_R_SHARED_INFO_ERROR 124
-#define EVP_R_INVALID_KEYBITS 125
-#define EVP_R_PEER_KEY_ERROR 126
-#define EVP_R_EXPECTING_A_DSA_KEY 127
-#define EVP_R_UNSUPPORTED_MASK_ALGORITHM 128
-#define EVP_R_EXPECTING_AN_EC_KEY_KEY 129
-#define EVP_R_INVALID_TRAILER 130
-#define EVP_R_INVALID_DIGEST_LENGTH 131
-#define EVP_R_COMMAND_NOT_SUPPORTED 132
-#define EVP_R_EXPLICIT_EC_PARAMETERS_NOT_SUPPORTED 133
-#define EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 134
-#define EVP_R_NO_MDC2_SUPPORT 135
-#define EVP_R_INVALID_CURVE 136
-#define EVP_R_NO_KEY_SET 137
-#define EVP_R_INVALID_PSS_PARAMETERS 138
-#define EVP_R_KDF_PARAMETER_ERROR 139
+#define EVP_F_eckey_priv_decode 132
+#define EVP_F_eckey_priv_encode 133
+#define EVP_F_eckey_pub_decode 134
+#define EVP_F_eckey_pub_encode 135
+#define EVP_F_eckey_type2param 136
+#define EVP_F_evp_pkey_ctx_new 137
+#define EVP_F_hmac_signctx 138
+#define EVP_F_i2d_PublicKey 139
+#define EVP_F_old_ec_priv_decode 140
+#define EVP_F_old_rsa_priv_decode 141
+#define EVP_F_pkey_ec_ctrl 142
+#define EVP_F_pkey_ec_derive 143
+#define EVP_F_pkey_ec_keygen 144
+#define EVP_F_pkey_ec_paramgen 145
+#define EVP_F_pkey_ec_sign 146
+#define EVP_F_pkey_rsa_ctrl 147
+#define EVP_F_pkey_rsa_decrypt 148
+#define EVP_F_pkey_rsa_encrypt 149
+#define EVP_F_pkey_rsa_sign 150
+#define EVP_F_rsa_algor_to_md 151
+#define EVP_F_rsa_digest_verify_init_from_algorithm 152
+#define EVP_F_rsa_mgf1_to_md 153
+#define EVP_F_rsa_priv_decode 154
+#define EVP_F_rsa_priv_encode 155
+#define EVP_F_rsa_pss_to_ctx 156
+#define EVP_F_rsa_pub_decode 157
+#define EVP_F_pkey_hmac_ctrl 158
+#define EVP_F_EVP_PKEY_CTX_get0_rsa_oaep_label 159
+#define EVP_F_EVP_DigestSignAlgorithm 160
+#define EVP_F_EVP_DigestVerifyInitFromAlgorithm 161
+#define EVP_F_EVP_PKEY_CTX_ctrl 162
+#define EVP_F_EVP_PKEY_CTX_dup 163
+#define EVP_F_EVP_PKEY_copy_parameters 164
+#define EVP_F_EVP_PKEY_decrypt 165
+#define EVP_F_EVP_PKEY_decrypt_init 166
+#define EVP_F_EVP_PKEY_derive 167
+#define EVP_F_EVP_PKEY_derive_set_peer 168
+#define EVP_F_EVP_PKEY_get1_DSA 169
+#define EVP_F_EVP_PKEY_keygen_init 170
+#define EVP_F_EVP_PKEY_new 171
+#define EVP_F_EVP_PKEY_set_type 172
+#define EVP_F_check_padding_md 173
+#define EVP_F_do_dsa_print 174
+#define EVP_F_do_rsa_print 175
+#define EVP_F_dsa_param_decode 176
+#define EVP_F_dsa_priv_decode 177
+#define EVP_F_dsa_priv_encode 178
+#define EVP_F_dsa_pub_decode 179
+#define EVP_F_dsa_pub_encode 180
+#define EVP_F_dsa_sig_print 181
+#define EVP_F_old_dsa_priv_decode 182
+#define EVP_R_BUFFER_TOO_SMALL 100
+#define EVP_R_COMMAND_NOT_SUPPORTED 101
+#define EVP_R_DIFFERENT_KEY_TYPES 104
+#define EVP_R_DIFFERENT_PARAMETERS 105
+#define EVP_R_EXPECTING_AN_EC_KEY_KEY 107
+#define EVP_R_EXPECTING_A_DH_KEY 109
+#define EVP_R_EXPECTING_A_DSA_KEY 110
+#define EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 111
+#define EVP_R_INVALID_CURVE 112
+#define EVP_R_INVALID_DIGEST_LENGTH 113
+#define EVP_R_INVALID_DIGEST_TYPE 114
+#define EVP_R_INVALID_KEYBITS 115
+#define EVP_R_INVALID_MGF1_MD 116
+#define EVP_R_INVALID_PADDING_MODE 118
+#define EVP_R_INVALID_PSS_PARAMETERS 119
+#define EVP_R_INVALID_SALT_LENGTH 121
+#define EVP_R_INVALID_TRAILER 122
+#define EVP_R_KEYS_NOT_SET 123
+#define EVP_R_MISSING_PARAMETERS 124
+#define EVP_R_NO_DEFAULT_DIGEST 125
+#define EVP_R_NO_KEY_SET 126
+#define EVP_R_NO_MDC2_SUPPORT 127
+#define EVP_R_NO_NID_FOR_CURVE 128
+#define EVP_R_NO_OPERATION_SET 129
+#define EVP_R_NO_PARAMETERS_SET 130
+#define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 131
+#define EVP_R_OPERATON_NOT_INITIALIZED 132
+#define EVP_R_UNKNOWN_DIGEST 133
+#define EVP_R_UNKNOWN_MASK_DIGEST 134
+#define EVP_R_UNSUPPORTED_ALGORITHM 138
+#define EVP_R_UNSUPPORTED_MASK_ALGORITHM 139
#define EVP_R_UNSUPPORTED_MASK_PARAMETER 140
#define EVP_R_EXPECTING_AN_RSA_KEY 141
#define EVP_R_INVALID_OPERATION 142
@@ -872,5 +812,9 @@
#define EVP_R_WRONG_PUBLIC_KEY_TYPE 148
#define EVP_R_UNKNOWN_SIGNATURE_ALGORITHM 149
#define EVP_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 150
+#define EVP_R_BN_DECODE_ERROR 151
+#define EVP_R_PARAMETER_ENCODING_ERROR 152
+#define EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE 153
+#define EVP_R_UNSUPPORTED_SIGNATURE_TYPE 154
#endif /* OPENSSL_HEADER_EVP_H */
diff --git a/src/include/openssl/ex_data.h b/src/include/openssl/ex_data.h
index f61501a..2303eb4 100644
--- a/src/include/openssl/ex_data.h
+++ b/src/include/openssl/ex_data.h
@@ -119,21 +119,51 @@
/* ex_data is a mechanism for associating arbitrary extra data with objects.
- * The different types of objects which can have data associated with them are
- * called "classes" and there are predefined classes for all the OpenSSL
- * objects that support ex_data.
- *
- * Within a given class, different users can be assigned indexes in which to
- * store their data. Each index has callback functions that are called when a
- * new object of that type is created, freed and duplicated. */
+ * For each type of object that supports ex_data, different users can be
+ * assigned indexes in which to store their data. Each index has callback
+ * functions that are called when a new object of that type is created, freed
+ * and duplicated. */
typedef struct crypto_ex_data_st CRYPTO_EX_DATA;
+
+/* Type-specific functions.
+ *
+ * Each type that supports ex_data provides three functions: */
+
+#if 0 /* Sample */
+
+/* |TYPE_get_ex_new_index| allocates a new index for |TYPE|. See the
+ * descriptions of the callback typedefs for details of when they are
+ * called. Any of the callback arguments may be NULL. The |argl| and |argp|
+ * arguments are opaque values that are passed to the callbacks. It returns the
+ * new index or a negative number on error.
+ *
+ * TODO(fork): this should follow the standard calling convention. */
+OPENSSL_EXPORT int TYPE_get_ex_new_index(long argl, void *argp,
+ CRYPTO_EX_new *new_func,
+ CRYPTO_EX_dup *dup_func,
+ CRYPTO_EX_free *free_func);
+
+/* |TYPE_set_ex_data| sets an extra data pointer on |t|. The |index| argument
+ * should have been returned from a previous call to |TYPE_get_ex_new_index|. */
+OPENSSL_EXPORT int TYPE_set_ex_data(TYPE *t, int index, void *arg);
+
+/* |TYPE_get_ex_data| returns an extra data pointer for |t|, or NULL if no such
+ * pointer exists. The |index| argument should have been returned from a
+ * previous call to |TYPE_get_ex_new_index|. */
+OPENSSL_EXPORT void *TYPE_get_ex_data(const TYPE *t, int index);
+
+#endif /* Sample */
+
+
+/* Callback types. */
+
/* CRYPTO_EX_new is the type of a callback function that is called whenever a
* new object of a given class is created. For example, if this callback has
- * been passed to |CRYPTO_get_ex_new_index| with a |class| of
- * |CRYPTO_EX_INDEX_SSL| then it'll be called each time an SSL* is created.
+ * been passed to |SSL_get_ex_new_index| then it'll be called each time an SSL*
+ * is created.
*
* The callback is passed the new object (i.e. the SSL*) in |parent|. The
* arguments |argl| and |argp| contain opaque values that were given to
@@ -166,126 +196,10 @@
typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
void **from_d, int index, long argl, void *argp);
-/* CRYPTO_get_ex_new_index allocates a new index for ex_data linked with
- * objects of the given |class|. This should not be called directly, rather
- * each class of object should provide a wrapper function that sets
- * |class_value| correctly.
- *
- * The |class_value| argument should be one of |CRYPTO_EX_INDEX_*| or a
- * user-defined class value returned from |CRYPTO_ex_data_new_class|.
- *
- * See the descriptions of the callback typedefs for details of when they are
- * called. Any of the callback arguments may be NULL. The |argl| and |argp|
- * arguments are opaque values that are passed to the callbacks.
- *
- * It returns the new index, or a negative number on error.
- *
- * TODO(fork): this should follow the standard calling convention.
- *
- * TODO(fork): replace the class_value with a pointer to EX_CLASS_ITEM. Saves
- * having that hash table and some of the lock-bouncing. Maybe have every
- * module have a private global EX_CLASS_ITEM somewhere and any direct callers
- * of CRYPTO_{get,set}_ex_data{,_index} would have to always call the
- * wrappers. */
-OPENSSL_EXPORT int CRYPTO_get_ex_new_index(int class_value, long argl,
- void *argp, CRYPTO_EX_new *new_func,
- CRYPTO_EX_dup *dup_func,
- CRYPTO_EX_free *free_func);
-/* CRYPTO_set_ex_data sets an extra data pointer on a given object. This should
- * not be called directly, rather each class of object should provide a wrapper
- * function.
- *
- * The |index| argument should have been returned from a previous call to
- * |CRYPTO_get_ex_new_index|. */
-OPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val);
+/* Deprecated functions. */
-/* CRYPTO_set_ex_data return an extra data pointer for a given object, or NULL
- * if no such index exists. This should not be called directly, rather each
- * class of object should provide a wrapper function.
- *
- * The |index| argument should have been returned from a previous call to
- * |CRYPTO_get_ex_new_index|. */
-OPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index);
-
-/* CRYPTO_EX_INDEX_* are the built-in classes of objects.
- *
- * User defined classes start at 100.
- *
- * TODO(fork): WARNING: these are called "INDEX", but they aren't! */
-#define CRYPTO_EX_INDEX_BIO 0
-#define CRYPTO_EX_INDEX_SSL 1
-#define CRYPTO_EX_INDEX_SSL_CTX 2
-#define CRYPTO_EX_INDEX_SSL_SESSION 3
-#define CRYPTO_EX_INDEX_X509_STORE 4
-#define CRYPTO_EX_INDEX_X509_STORE_CTX 5
-#define CRYPTO_EX_INDEX_RSA 6
-#define CRYPTO_EX_INDEX_DSA 7
-#define CRYPTO_EX_INDEX_DH 8
-#define CRYPTO_EX_INDEX_ENGINE 9
-#define CRYPTO_EX_INDEX_X509 10
-#define CRYPTO_EX_INDEX_UI 11
-#define CRYPTO_EX_INDEX_EC_KEY 12
-#define CRYPTO_EX_INDEX_EC_GROUP 13
-#define CRYPTO_EX_INDEX_COMP 14
-#define CRYPTO_EX_INDEX_STORE 15
-
-
-/* User-defined classes of objects.
- *
- * Core OpenSSL code has predefined class values given above (the
- * |CRYPTO_EX_INDEX_*| values). It's possible to get dynamic class values
- * assigned for user-defined objects. */
-
-/* CRYPTO_ex_data_new_class returns a fresh class value for a user-defined type
- * that wishes to use ex_data.
- *
- * TODO(fork): hopefully remove this. */
-OPENSSL_EXPORT int CRYPTO_ex_data_new_class(void);
-
-
-/* Embedding, allocating and freeing |CRYPTO_EX_DATA| structures for objects
- * that embed them. */
-
-/* CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA| which is
- * embedded inside of |obj| which is of class |class_value|. Returns one on
- * success and zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_new_ex_data(int class_value, void *obj,
- CRYPTO_EX_DATA *ad);
-
-/* CRYPTO_dup_ex_data duplicates |from| into a freshly allocated
- * |CRYPTO_EX_DATA|, |to|. Both of which are inside objects of the given
- * class. It returns one on success and zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_dup_ex_data(int class_value, CRYPTO_EX_DATA *to,
- const CRYPTO_EX_DATA *from);
-
-/* CRYPTO_free_ex_data frees |ad|, which is embedded inside |obj|, which is an
- * object of the given class. */
-OPENSSL_EXPORT void CRYPTO_free_ex_data(int class_value, void *obj,
- CRYPTO_EX_DATA *ad);
-
-
-/* Handling different ex_data implementations. */
-
-/* CRYPTO_EX_DATA_IMPL is the opaque type of an implementation of ex_data. */
-typedef struct st_CRYPTO_EX_DATA_IMPL CRYPTO_EX_DATA_IMPL;
-
-/* CRYPTO_get_ex_data_implementation returns the current implementation of
- * ex_data. */
-OPENSSL_EXPORT const CRYPTO_EX_DATA_IMPL *CRYPTO_get_ex_data_implementation(
- void);
-
-/* CRYPTO_set_ex_data_implementation sets the implementation of ex_data to use,
- * unless ex_data has already been used and the default implementation
- * installed. It returns one on success and zero otherwise. */
-OPENSSL_EXPORT int CRYPTO_set_ex_data_implementation(
- const CRYPTO_EX_DATA_IMPL *impl);
-
-
-/* Private functions. */
-
-/* CRYPTO_cleanup_all_ex_data cleans up all ex_data state. It assumes that no
- * other threads are executing code that might call ex_data functions. */
+/* CRYPTO_cleanup_all_ex_data does nothing. */
OPENSSL_EXPORT void CRYPTO_cleanup_all_ex_data(void);
struct crypto_ex_data_st {
diff --git a/src/include/openssl/hmac.h b/src/include/openssl/hmac.h
index 6c34cdc..89cdf8f 100644
--- a/src/include/openssl/hmac.h
+++ b/src/include/openssl/hmac.h
@@ -94,9 +94,14 @@
OPENSSL_EXPORT void HMAC_CTX_cleanup(HMAC_CTX *ctx);
/* HMAC_Init_ex sets up an initialised |HMAC_CTX| to use |md| as the hash
- * function and |key| as the key. Any of |md| or |key| can be NULL, in which
- * case the previous value will be used. It returns one on success or zero
- * otherwise. */
+ * function and |key| as the key. For a non-initial call, |md| may be NULL, in
+ * which case the previous hash function will be used. If the hash function has
+ * not changed and |key| is NULL, |ctx| reuses the previous key. It returns one
+ * on success or zero otherwise.
+ *
+ * WARNING: NULL and empty keys are ambiguous on non-initial calls. Passing NULL
+ * |key| but repeating the previous |md| reuses the previous key rather than the
+ * empty key. */
OPENSSL_EXPORT int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,
const EVP_MD *md, ENGINE *impl);
@@ -152,8 +157,6 @@
EVP_MD_CTX md_ctx;
EVP_MD_CTX i_ctx;
EVP_MD_CTX o_ctx;
- unsigned int key_length;
- unsigned char key[HMAC_MAX_MD_CBLOCK];
} /* HMAC_CTX */;
diff --git a/src/include/openssl/lhash.h b/src/include/openssl/lhash.h
index c8628d1..d2ee982 100644
--- a/src/include/openssl/lhash.h
+++ b/src/include/openssl/lhash.h
@@ -96,9 +96,6 @@
*
* LHASH_OF:ASN1_OBJECT
* LHASH_OF:CONF_VALUE
- * LHASH_OF:ERR_STATE
- * LHASH_OF:ERR_STRING_DATA
- * LHASH_OF:EX_CLASS_ITEM
* LHASH_OF:SSL_SESSION */
#define IN_LHASH_H
diff --git a/src/include/openssl/lhash_macros.h b/src/include/openssl/lhash_macros.h
index f84b5ed..1d98107 100644
--- a/src/include/openssl/lhash_macros.h
+++ b/src/include/openssl/lhash_macros.h
@@ -92,122 +92,6 @@
void (*)(CONF_VALUE *, void *), func), \
arg);
-/* ERR_STATE */
-#define lh_ERR_STATE_new(hash, comp) \
- ((LHASH_OF(ERR_STATE) *)lh_new( \
- CHECKED_CAST(lhash_hash_func, uint32_t (*)(const ERR_STATE *), hash), \
- CHECKED_CAST(lhash_cmp_func, \
- int (*)(const ERR_STATE *a, const ERR_STATE *b), comp)))
-
-#define lh_ERR_STATE_free(lh) \
- lh_free(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh));
-
-#define lh_ERR_STATE_num_items(lh) \
- lh_num_items(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh))
-
-#define lh_ERR_STATE_retrieve(lh, data) \
- ((ERR_STATE *)lh_retrieve(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
- CHECKED_CAST(void *, ERR_STATE *, data)))
-
-#define lh_ERR_STATE_insert(lh, old_data, data) \
- lh_insert(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
- CHECKED_CAST(void **, ERR_STATE **, old_data), \
- CHECKED_CAST(void *, ERR_STATE *, data))
-
-#define lh_ERR_STATE_delete(lh, data) \
- ((ERR_STATE *)lh_delete(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
- CHECKED_CAST(void *, ERR_STATE *, data)))
-
-#define lh_ERR_STATE_doall(lh, func) \
- lh_doall(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
- CHECKED_CAST(void (*)(void *), void (*)(ERR_STATE *), func));
-
-#define lh_ERR_STATE_doall_arg(lh, func, arg) \
- lh_doall_arg(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STATE) *, lh), \
- CHECKED_CAST(void (*)(void *, void *), \
- void (*)(ERR_STATE *, void *), func), \
- arg);
-
-/* ERR_STRING_DATA */
-#define lh_ERR_STRING_DATA_new(hash, comp) \
- ((LHASH_OF(ERR_STRING_DATA) *)lh_new( \
- CHECKED_CAST(lhash_hash_func, uint32_t (*)(const ERR_STRING_DATA *), \
- hash), \
- CHECKED_CAST( \
- lhash_cmp_func, \
- int (*)(const ERR_STRING_DATA *a, const ERR_STRING_DATA *b), comp)))
-
-#define lh_ERR_STRING_DATA_free(lh) \
- lh_free(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh));
-
-#define lh_ERR_STRING_DATA_num_items(lh) \
- lh_num_items(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh))
-
-#define lh_ERR_STRING_DATA_retrieve(lh, data) \
- ((ERR_STRING_DATA *)lh_retrieve( \
- CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
- CHECKED_CAST(void *, ERR_STRING_DATA *, data)))
-
-#define lh_ERR_STRING_DATA_insert(lh, old_data, data) \
- lh_insert(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
- CHECKED_CAST(void **, ERR_STRING_DATA **, old_data), \
- CHECKED_CAST(void *, ERR_STRING_DATA *, data))
-
-#define lh_ERR_STRING_DATA_delete(lh, data) \
- ((ERR_STRING_DATA *)lh_delete( \
- CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
- CHECKED_CAST(void *, ERR_STRING_DATA *, data)))
-
-#define lh_ERR_STRING_DATA_doall(lh, func) \
- lh_doall(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
- CHECKED_CAST(void (*)(void *), void (*)(ERR_STRING_DATA *), func));
-
-#define lh_ERR_STRING_DATA_doall_arg(lh, func, arg) \
- lh_doall_arg(CHECKED_CAST(_LHASH *, LHASH_OF(ERR_STRING_DATA) *, lh), \
- CHECKED_CAST(void (*)(void *, void *), \
- void (*)(ERR_STRING_DATA *, void *), func), \
- arg);
-
-/* EX_CLASS_ITEM */
-#define lh_EX_CLASS_ITEM_new(hash, comp) \
- ((LHASH_OF(EX_CLASS_ITEM) *)lh_new( \
- CHECKED_CAST(lhash_hash_func, uint32_t (*)(const EX_CLASS_ITEM *), \
- hash), \
- CHECKED_CAST(lhash_cmp_func, \
- int (*)(const EX_CLASS_ITEM *a, const EX_CLASS_ITEM *b), \
- comp)))
-
-#define lh_EX_CLASS_ITEM_free(lh) \
- lh_free(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh));
-
-#define lh_EX_CLASS_ITEM_num_items(lh) \
- lh_num_items(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh))
-
-#define lh_EX_CLASS_ITEM_retrieve(lh, data) \
- ((EX_CLASS_ITEM *)lh_retrieve( \
- CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
- CHECKED_CAST(void *, EX_CLASS_ITEM *, data)))
-
-#define lh_EX_CLASS_ITEM_insert(lh, old_data, data) \
- lh_insert(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
- CHECKED_CAST(void **, EX_CLASS_ITEM **, old_data), \
- CHECKED_CAST(void *, EX_CLASS_ITEM *, data))
-
-#define lh_EX_CLASS_ITEM_delete(lh, data) \
- ((EX_CLASS_ITEM *)lh_delete( \
- CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
- CHECKED_CAST(void *, EX_CLASS_ITEM *, data)))
-
-#define lh_EX_CLASS_ITEM_doall(lh, func) \
- lh_doall(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
- CHECKED_CAST(void (*)(void *), void (*)(EX_CLASS_ITEM *), func));
-
-#define lh_EX_CLASS_ITEM_doall_arg(lh, func, arg) \
- lh_doall_arg(CHECKED_CAST(_LHASH *, LHASH_OF(EX_CLASS_ITEM) *, lh), \
- CHECKED_CAST(void (*)(void *, void *), \
- void (*)(EX_CLASS_ITEM *, void *), func), \
- arg);
-
/* SSL_SESSION */
#define lh_SSL_SESSION_new(hash, comp) \
((LHASH_OF(SSL_SESSION) *)lh_new( \
diff --git a/src/include/openssl/mem.h b/src/include/openssl/mem.h
index 3bd01c0..42ec46a 100644
--- a/src/include/openssl/mem.h
+++ b/src/include/openssl/mem.h
@@ -58,6 +58,7 @@
#include <openssl/base.h>
+#include <stdlib.h>
#include <stdarg.h>
#if defined(__cplusplus)
diff --git a/src/include/openssl/obj.h b/src/include/openssl/obj.h
index 5dd8886..f476617 100644
--- a/src/include/openssl/obj.h
+++ b/src/include/openssl/obj.h
@@ -193,10 +193,10 @@
} /* extern C */
#endif
-#define OBJ_F_OBJ_txt2obj 100
-#define OBJ_F_OBJ_create 101
-#define OBJ_F_OBJ_dup 102
-#define OBJ_F_OBJ_nid2obj 103
+#define OBJ_F_OBJ_create 100
+#define OBJ_F_OBJ_dup 101
+#define OBJ_F_OBJ_nid2obj 102
+#define OBJ_F_OBJ_txt2obj 103
#define OBJ_R_UNKNOWN_NID 100
#endif /* OPENSSL_HEADER_OBJECTS_H */
diff --git a/src/include/openssl/opensslfeatures.h b/src/include/openssl/opensslfeatures.h
index 4f5cb31..c3f97d5 100644
--- a/src/include/openssl/opensslfeatures.h
+++ b/src/include/openssl/opensslfeatures.h
@@ -22,12 +22,15 @@
#define OPENSSL_NO_BF
#define OPENSSL_NO_BUF_FREELISTS
#define OPENSSL_NO_CAMELLIA
+#define OPENSSL_NO_CAPIENG
#define OPENSSL_NO_CAST
#define OPENSSL_NO_CMS
#define OPENSSL_NO_COMP
#define OPENSSL_NO_DANE
#define OPENSSL_NO_DEPRECATED
#define OPENSSL_NO_DYNAMIC_ENGINE
+#define OPENSSL_NO_EC_NISTP_64_GCC_128
+#define OPENSSL_NO_EC2M
#define OPENSSL_NO_ENGINE
#define OPENSSL_NO_GMP
#define OPENSSL_NO_GOST
@@ -38,11 +41,13 @@
#define OPENSSL_NO_KRB5
#define OPENSSL_NO_MD2
#define OPENSSL_NO_MDC2
+#define OPENSSL_NO_OCB
#define OPENSSL_NO_OCSP
#define OPENSSL_NO_RC2
#define OPENSSL_NO_RC5
#define OPENSSL_NO_RFC3779
#define OPENSSL_NO_RIPEMD
+#define OPENSSL_NO_RMD160
#define OPENSSL_NO_SCTP
#define OPENSSL_NO_SEED
#define OPENSSL_NO_SRP
diff --git a/src/include/openssl/opensslv.h b/src/include/openssl/opensslv.h
index a3555d4..22f7e25 100644
--- a/src/include/openssl/opensslv.h
+++ b/src/include/openssl/opensslv.h
@@ -15,4 +15,4 @@
/* This header is provided in order to make compiling against code that expects
OpenSSL easier. */
-#include "crypto.h"
+#include "ssl.h"
diff --git a/src/include/openssl/pem.h b/src/include/openssl/pem.h
index 5f61cab..adc8d86 100644
--- a/src/include/openssl/pem.h
+++ b/src/include/openssl/pem.h
@@ -502,57 +502,44 @@
}
#endif
-#define PEM_F_PEM_read_bio_DHparams 100
-#define PEM_F_load_iv 101
-#define PEM_F_PEM_write 102
-#define PEM_F_do_pk8pkey_fp 103
-#define PEM_F_PEM_read_PrivateKey 104
-#define PEM_F_PEM_read_DHparams 105
-#define PEM_F_PEM_ASN1_read_bio 106
-#define PEM_F_PEM_ASN1_read 107
+#define PEM_F_PEM_ASN1_read 100
+#define PEM_F_PEM_ASN1_read_bio 101
+#define PEM_F_PEM_ASN1_write 102
+#define PEM_F_PEM_ASN1_write_bio 103
+#define PEM_F_PEM_X509_INFO_read 104
+#define PEM_F_PEM_X509_INFO_read_bio 105
+#define PEM_F_PEM_X509_INFO_write_bio 106
+#define PEM_F_PEM_do_header 107
#define PEM_F_PEM_get_EVP_CIPHER_INFO 108
-#define PEM_F_PEM_X509_INFO_read 109
-#define PEM_F_PEM_read_bio_Parameters 110
-#define PEM_F_PEM_read 111
-#define PEM_F_PEM_X509_INFO_read_bio 112
-#define PEM_F_PEM_X509_INFO_write_bio 113
-#define PEM_F_PEM_ASN1_write 114
-#define PEM_F_d2i_PKCS8PrivateKey_bio 115
-#define PEM_F_d2i_PKCS8PrivateKey_fp 116
-#define PEM_F_PEM_read_bio_PrivateKey 117
-#define PEM_F_PEM_write_PrivateKey 118
-#define PEM_F_PEM_ASN1_write_bio 119
-#define PEM_F_PEM_do_header 120
-#define PEM_F_PEM_write_bio 121
-#define PEM_F_do_pk8pkey 122
-#define PEM_F_PEM_read_bio 123
-#define PEM_R_NO_START_LINE 100
-#define PEM_R_NOT_PROC_TYPE 101
-#define PEM_R_SHORT_HEADER 102
+#define PEM_F_PEM_read 109
+#define PEM_F_PEM_read_DHparams 110
+#define PEM_F_PEM_read_PrivateKey 111
+#define PEM_F_PEM_read_bio 112
+#define PEM_F_PEM_read_bio_DHparams 113
+#define PEM_F_PEM_read_bio_Parameters 114
+#define PEM_F_PEM_read_bio_PrivateKey 115
+#define PEM_F_PEM_write 116
+#define PEM_F_PEM_write_PrivateKey 117
+#define PEM_F_PEM_write_bio 118
+#define PEM_F_d2i_PKCS8PrivateKey_bio 119
+#define PEM_F_d2i_PKCS8PrivateKey_fp 120
+#define PEM_F_do_pk8pkey 121
+#define PEM_F_do_pk8pkey_fp 122
+#define PEM_F_load_iv 123
+#define PEM_R_BAD_BASE64_DECODE 100
+#define PEM_R_BAD_DECRYPT 101
+#define PEM_R_BAD_END_LINE 102
#define PEM_R_BAD_IV_CHARS 103
-#define PEM_R_ERROR_CONVERTING_PRIVATE_KEY 104
-#define PEM_R_BAD_END_LINE 105
-#define PEM_R_CIPHER_IS_NULL 106
-#define PEM_R_BAD_MAGIC_NUMBER 107
-#define PEM_R_BAD_DECRYPT 108
-#define PEM_R_UNSUPPORTED_ENCRYPTION 109
-#define PEM_R_PVK_DATA_TOO_SHORT 110
-#define PEM_R_PROBLEMS_GETTING_PASSWORD 111
-#define PEM_R_KEYBLOB_HEADER_PARSE_ERROR 112
-#define PEM_R_BIO_WRITE_FAILURE 113
-#define PEM_R_INCONSISTENT_HEADER 114
-#define PEM_R_PUBLIC_KEY_NO_RSA 115
-#define PEM_R_EXPECTING_PUBLIC_KEY_BLOB 116
-#define PEM_R_KEYBLOB_TOO_SHORT 117
-#define PEM_R_BAD_BASE64_DECODE 118
-#define PEM_R_READ_KEY 119
-#define PEM_R_BAD_PASSWORD_READ 120
-#define PEM_R_UNSUPPORTED_KEY_COMPONENTS 121
-#define PEM_R_UNSUPPORTED_CIPHER 122
-#define PEM_R_NOT_ENCRYPTED 123
-#define PEM_R_NOT_DEK_INFO 124
-#define PEM_R_BAD_VERSION_NUMBER 125
-#define PEM_R_EXPECTING_PRIVATE_KEY_BLOB 126
-#define PEM_R_PVK_TOO_SHORT 127
+#define PEM_R_BAD_PASSWORD_READ 104
+#define PEM_R_CIPHER_IS_NULL 105
+#define PEM_R_ERROR_CONVERTING_PRIVATE_KEY 106
+#define PEM_R_NOT_DEK_INFO 107
+#define PEM_R_NOT_ENCRYPTED 108
+#define PEM_R_NOT_PROC_TYPE 109
+#define PEM_R_NO_START_LINE 110
+#define PEM_R_READ_KEY 111
+#define PEM_R_SHORT_HEADER 112
+#define PEM_R_UNSUPPORTED_CIPHER 113
+#define PEM_R_UNSUPPORTED_ENCRYPTION 114
#endif /* OPENSSL_HEADER_PEM_H */
diff --git a/src/include/openssl/pkcs8.h b/src/include/openssl/pkcs8.h
index 826ac7f..8dc7731 100644
--- a/src/include/openssl/pkcs8.h
+++ b/src/include/openssl/pkcs8.h
@@ -58,11 +58,9 @@
#define OPENSSL_HEADER_PKCS8_H
#include <openssl/base.h>
-
-#include <stdio.h>
-
#include <openssl/x509.h>
+
#if defined(__cplusplus)
extern "C" {
#endif
@@ -172,52 +170,48 @@
} /* extern C */
#endif
-#define PKCS8_F_PKCS8_encrypt 100
+#define PKCS8_F_EVP_PKCS82PKEY 100
#define PKCS8_F_EVP_PKEY2PKCS8 101
-#define PKCS8_F_EVP_PKCS82PKEY 102
-#define PKCS8_F_PKCS5_pbe_set0_algor 103
-#define PKCS8_F_pbe_crypt 104
-#define PKCS8_F_pkcs12_item_decrypt_d2i 105
+#define PKCS8_F_PKCS12_get_key_and_certs 102
+#define PKCS8_F_PKCS12_handle_content_info 103
+#define PKCS8_F_PKCS12_handle_content_infos 104
+#define PKCS8_F_PKCS5_pbe2_set_iv 105
#define PKCS8_F_PKCS5_pbe_set 106
-#define PKCS8_F_pkcs12_key_gen_uni 107
-#define PKCS8_F_pkcs12_key_gen_asc 108
-#define PKCS8_F_pkcs12_pbe_keyivgen 109
-#define PKCS8_F_pbe_cipher_init 110
-#define PKCS8_F_pkcs12_item_i2d_encrypt 111
-#define PKCS8_F_PKCS5_pbe2_set_iv 112
-#define PKCS8_F_PKCS5_pbkdf2_set 113
-#define PKCS8_F_pkcs12_key_gen_raw 114
-#define PKCS8_F_PKCS8_decrypt 115
-#define PKCS8_F_PKCS8_encrypt_pbe 116
-#define PKCS8_F_PKCS12_parse 117
-#define PKCS8_F_PKCS12_handle_content_info 118
-#define PKCS8_F_PKCS12_handle_content_infos 119
-#define PKCS8_F_PKCS12_get_key_and_certs 120
-#define PKCS8_R_ERROR_SETTING_CIPHER_PARAMS 100
-#define PKCS8_R_PRIVATE_KEY_ENCODE_ERROR 101
-#define PKCS8_R_UNKNOWN_ALGORITHM 102
-#define PKCS8_R_UNKNOWN_CIPHER 103
-#define PKCS8_R_UNKNOWN_DIGEST 104
+#define PKCS8_F_PKCS5_pbe_set0_algor 107
+#define PKCS8_F_PKCS5_pbkdf2_set 108
+#define PKCS8_F_PKCS8_decrypt 109
+#define PKCS8_F_PKCS8_encrypt 110
+#define PKCS8_F_PKCS8_encrypt_pbe 111
+#define PKCS8_F_pbe_cipher_init 112
+#define PKCS8_F_pbe_crypt 113
+#define PKCS8_F_pkcs12_item_decrypt_d2i 114
+#define PKCS8_F_pkcs12_item_i2d_encrypt 115
+#define PKCS8_F_pkcs12_key_gen_raw 116
+#define PKCS8_F_pkcs12_pbe_keyivgen 117
+#define PKCS8_R_BAD_PKCS12_DATA 100
+#define PKCS8_R_BAD_PKCS12_VERSION 101
+#define PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 102
+#define PKCS8_R_CRYPT_ERROR 103
+#define PKCS8_R_DECODE_ERROR 104
#define PKCS8_R_ENCODE_ERROR 105
-#define PKCS8_R_DECODE_ERROR 106
-#define PKCS8_R_ENCRYPT_ERROR 107
-#define PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM 108
-#define PKCS8_R_PRIVATE_KEY_DECODE_ERROR 109
-#define PKCS8_R_UNKNOWN_CIPHER_ALGORITHM 110
-#define PKCS8_R_KEYGEN_FAILURE 111
-#define PKCS8_R_TOO_LONG 112
-#define PKCS8_R_CRYPT_ERROR 113
-#define PKCS8_R_METHOD_NOT_SUPPORTED 114
-#define PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 115
-#define PKCS8_R_KEY_GEN_ERROR 116
-#define PKCS8_R_BAD_PKCS12_DATA 117
-#define PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED 118
-#define PKCS8_R_BAD_PKCS12_VERSION 119
-#define PKCS8_R_PKCS12_TOO_DEEPLY_NESTED 120
-#define PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12 121
-#define PKCS8_R_UNKNOWN_HASH 122
-#define PKCS8_R_BAD_MAC 123
-#define PKCS8_R_MISSING_MAC 124
-#define PKCS8_R_INCORRECT_PASSWORD 125
+#define PKCS8_R_ENCRYPT_ERROR 106
+#define PKCS8_R_ERROR_SETTING_CIPHER_PARAMS 107
+#define PKCS8_R_INCORRECT_PASSWORD 108
+#define PKCS8_R_KEYGEN_FAILURE 109
+#define PKCS8_R_KEY_GEN_ERROR 110
+#define PKCS8_R_METHOD_NOT_SUPPORTED 111
+#define PKCS8_R_MISSING_MAC 112
+#define PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12 113
+#define PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED 114
+#define PKCS8_R_PKCS12_TOO_DEEPLY_NESTED 115
+#define PKCS8_R_PRIVATE_KEY_DECODE_ERROR 116
+#define PKCS8_R_PRIVATE_KEY_ENCODE_ERROR 117
+#define PKCS8_R_TOO_LONG 118
+#define PKCS8_R_UNKNOWN_ALGORITHM 119
+#define PKCS8_R_UNKNOWN_CIPHER 120
+#define PKCS8_R_UNKNOWN_CIPHER_ALGORITHM 121
+#define PKCS8_R_UNKNOWN_DIGEST 122
+#define PKCS8_R_UNKNOWN_HASH 123
+#define PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM 124
#endif /* OPENSSL_HEADER_PKCS8_H */
diff --git a/src/include/openssl/rand.h b/src/include/openssl/rand.h
index 6186044..01ef4f8 100644
--- a/src/include/openssl/rand.h
+++ b/src/include/openssl/rand.h
@@ -22,8 +22,10 @@
#endif
-/* RAND_bytes writes |len| bytes of random data to |buf|. It returns one on
- * success and zero on otherwise. */
+/* Random number generation. */
+
+
+/* RAND_bytes writes |len| bytes of random data to |buf| and returns one. */
OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len);
/* RAND_cleanup frees any resources used by the RNG. This is not safe if other
diff --git a/src/include/openssl/rc4.h b/src/include/openssl/rc4.h
index 727b474..0619cac 100644
--- a/src/include/openssl/rc4.h
+++ b/src/include/openssl/rc4.h
@@ -67,13 +67,10 @@
/* RC4. */
-typedef struct rc4_key_st {
+struct rc4_key_st {
uint32_t x, y;
- /* data is sometimes used as an array of 32-bit values and sometimes as 8-bit
- * values, depending on the platform. */
uint32_t data[256];
-} RC4_KEY;
-
+} /* RC4_KEY */;
/* RC4_set_key performs an RC4 key schedule and initialises |rc4key| with |len|
* bytes of key material from |key|. */
diff --git a/src/include/openssl/rsa.h b/src/include/openssl/rsa.h
index a4596c7..2e24231 100644
--- a/src/include/openssl/rsa.h
+++ b/src/include/openssl/rsa.h
@@ -61,6 +61,7 @@
#include <openssl/engine.h>
#include <openssl/ex_data.h>
+#include <openssl/thread.h>
#if defined(__cplusplus)
extern "C" {
@@ -190,7 +191,7 @@
unsigned int *out_len, RSA *rsa);
/* RSA_sign_raw signs |in_len| bytes from |in| with the public key from |rsa|
- * and writes, at most, |max_out| bytes of encrypted data to |out|. The
+ * and writes, at most, |max_out| bytes of signature data to |out|. The
* |max_out| argument must be, at least, |RSA_size| in order to ensure success.
*
* It returns 1 on success or zero on error.
@@ -254,7 +255,7 @@
/* Utility functions. */
/* RSA_size returns the number of bytes in the modulus, which is also the size
- * of a signature of encrypted value using |rsa|. */
+ * of a signature or encrypted value using |rsa|. */
OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
/* RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
@@ -286,11 +287,12 @@
OPENSSL_EXPORT int RSA_recover_crt_params(RSA *rsa);
/* RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
- * |mHash|, where |mHash| is a digest produced by |Hash|. The |mgf1Hash|
- * argument specifies the hash function for generating the mask. If NULL,
- * |Hash| is used. The |sLen| argument specifies the expected salt length in
- * bytes. If |sLen| is -1 then the salt length is the same as the hash length.
- * If -2, then the salt length is maximal and is taken from the size of |EM|.
+ * |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to
+ * exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the
+ * hash function for generating the mask. If NULL, |Hash| is used. The |sLen|
+ * argument specifies the expected salt length in bytes. If |sLen| is -1 then
+ * the salt length is the same as the hash length. If -2, then the salt length
+ * is maximal and is taken from the size of |EM|.
*
* It returns one on success or zero on error. */
OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const uint8_t *mHash,
@@ -299,12 +301,12 @@
const uint8_t *EM, int sLen);
/* RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|,
- * where |mHash| is a digest produced by |Hash|. There must be at least
- * |RSA_size(rsa)| bytes of space in |EM|. The |mgf1Hash| argument specifies
- * the hash function for generating the mask. If NULL, |Hash| is used. The
- * |sLen| argument specifies the expected salt length in bytes. If |sLen| is -1
- * then the salt length is the same as the hash length. If -2, then the salt
- * length is maximal given the space in |EM|.
+ * where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of
+ * output will be written to |EM|. The |mgf1Hash| argument specifies the hash
+ * function for generating the mask. If NULL, |Hash| is used. The |sLen|
+ * argument specifies the expected salt length in bytes. If |sLen| is -1 then
+ * the salt length is the same as the hash length. If -2, then the salt length
+ * is maximal given the space in |EM|.
*
* It returns one on success or zero on error. */
OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, uint8_t *EM,
@@ -314,7 +316,6 @@
int sLen);
-
/* ASN.1 functions. */
/* d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len|
@@ -348,7 +349,7 @@
/* ex_data functions.
*
- * These functions are wrappers. See |ex_data.h| for details. */
+ * See |ex_data.h| for details. */
OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp,
CRYPTO_EX_new *new_func,
@@ -477,18 +478,21 @@
int references;
int flags;
- /* Used to cache montgomery values */
+ CRYPTO_MUTEX lock;
+
+ /* Used to cache montgomery values. The creation of these values is protected
+ * by |lock|. */
BN_MONT_CTX *_method_mod_n;
BN_MONT_CTX *_method_mod_p;
BN_MONT_CTX *_method_mod_q;
/* num_blindings contains the size of the |blindings| and |blindings_inuse|
* arrays. This member and the |blindings_inuse| array are protected by
- * CRYPTO_LOCK_RSA_BLINDING. */
+ * |lock|. */
unsigned num_blindings;
/* blindings is an array of BN_BLINDING structures that can be reserved by a
- * thread by locking CRYPTO_LOCK_RSA_BLINDING and changing the corresponding
- * element in |blindings_inuse| from 0 to 1. */
+ * thread by locking |lock| and changing the corresponding element in
+ * |blindings_inuse| from 0 to 1. */
BN_BLINDING **blindings;
unsigned char *blindings_inuse;
};
@@ -498,79 +502,74 @@
} /* extern C */
#endif
-#define RSA_F_RSA_padding_check_none 100
-#define RSA_F_RSA_padding_add_none 101
-#define RSA_F_RSA_padding_check_PKCS1_OAEP_mgf1 102
-#define RSA_F_RSA_verify_PKCS1_PSS_mgf1 103
-#define RSA_F_RSA_padding_add_PKCS1_PSS_mgf1 104
-#define RSA_F_RSA_verify 105
-#define RSA_F_rsa_setup_blinding 106
-#define RSA_F_verify_raw 107
-#define RSA_F_RSA_padding_add_PKCS1_type_1 108
-#define RSA_F_keygen 109
-#define RSA_F_RSA_padding_add_PKCS1_OAEP_mgf1 110
-#define RSA_F_pkcs1_prefixed_msg 111
-#define RSA_F_BN_BLINDING_update 112
-#define RSA_F_RSA_padding_check_SSLv23 113
-#define RSA_F_RSA_padding_add_SSLv23 114
-#define RSA_F_BN_BLINDING_new 115
-#define RSA_F_RSA_padding_add_PKCS1_type_2 116
-#define RSA_F_BN_BLINDING_convert_ex 117
-#define RSA_F_BN_BLINDING_invert_ex 118
-#define RSA_F_encrypt 119
-#define RSA_F_sign_raw 120
-#define RSA_F_RSA_new_method 121
-#define RSA_F_RSA_padding_check_PKCS1_type_1 122
-#define RSA_F_RSA_sign 123
-#define RSA_F_BN_BLINDING_create_param 124
-#define RSA_F_decrypt 125
-#define RSA_F_RSA_padding_check_PKCS1_type_2 126
-#define RSA_F_RSA_recover_crt_params 127
-#define RSA_F_RSA_check_key 128
-#define RSA_F_private_transform 129
-#define RSA_R_INVALID_MESSAGE_LENGTH 100
-#define RSA_R_NO_PUBLIC_EXPONENT 102
-#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 103
-#define RSA_R_BLOCK_TYPE_IS_NOT_01 104
-#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 105
-#define RSA_R_UNKNOWN_PADDING_TYPE 106
-#define RSA_R_TOO_MANY_ITERATIONS 107
-#define RSA_R_SLEN_RECOVERY_FAILED 108
-#define RSA_R_WRONG_SIGNATURE_LENGTH 109
-#define RSA_R_MODULUS_TOO_LARGE 110
-#define RSA_R_NULL_BEFORE_BLOCK_MISSING 111
-#define RSA_R_DATA_TOO_LARGE 112
-#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 113
-#define RSA_R_SLEN_CHECK_FAILED 114
-#define RSA_R_FIRST_OCTET_INVALID 115
-#define RSA_R_BAD_E_VALUE 116
-#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 117
-#define RSA_R_EMPTY_PUBLIC_KEY 118
-#define RSA_R_BAD_PAD_BYTE_COUNT 119
-#define RSA_R_OAEP_DECODING_ERROR 120
-#define RSA_R_TOO_LONG 121
-#define RSA_R_BAD_FIXED_HEADER_DECRYPT 122
-#define RSA_R_DATA_TOO_SMALL 123
-#define RSA_R_UNKNOWN_ALGORITHM_TYPE 124
-#define RSA_R_PADDING_CHECK_FAILED 125
-#define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 126
-#define RSA_R_BLOCK_TYPE_IS_NOT_02 127
-#define RSA_R_LAST_OCTET_INVALID 128
-#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 129
-#define RSA_R_SSLV3_ROLLBACK_ATTACK 130
-#define RSA_R_KEY_SIZE_TOO_SMALL 131
-#define RSA_R_BAD_SIGNATURE 132
-#define RSA_R_BN_NOT_INITIALIZED 133
-#define RSA_R_PKCS_DECODING_ERROR 134
-#define RSA_R_BAD_RSA_PARAMETERS 135
-#define RSA_R_INTERNAL_ERROR 136
-#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 137
-#define RSA_R_D_E_NOT_CONGRUENT_TO_1 138
+#define RSA_F_BN_BLINDING_convert_ex 100
+#define RSA_F_BN_BLINDING_create_param 101
+#define RSA_F_BN_BLINDING_invert_ex 102
+#define RSA_F_BN_BLINDING_new 103
+#define RSA_F_BN_BLINDING_update 104
+#define RSA_F_RSA_check_key 105
+#define RSA_F_RSA_new_method 106
+#define RSA_F_RSA_padding_add_PKCS1_OAEP_mgf1 107
+#define RSA_F_RSA_padding_add_PKCS1_PSS_mgf1 108
+#define RSA_F_RSA_padding_add_PKCS1_type_1 109
+#define RSA_F_RSA_padding_add_PKCS1_type_2 110
+#define RSA_F_RSA_padding_add_none 111
+#define RSA_F_RSA_padding_check_PKCS1_OAEP_mgf1 112
+#define RSA_F_RSA_padding_check_PKCS1_type_1 113
+#define RSA_F_RSA_padding_check_PKCS1_type_2 114
+#define RSA_F_RSA_padding_check_none 115
+#define RSA_F_RSA_recover_crt_params 116
+#define RSA_F_RSA_sign 117
+#define RSA_F_RSA_verify 118
+#define RSA_F_RSA_verify_PKCS1_PSS_mgf1 119
+#define RSA_F_decrypt 120
+#define RSA_F_encrypt 121
+#define RSA_F_keygen 122
+#define RSA_F_pkcs1_prefixed_msg 123
+#define RSA_F_private_transform 124
+#define RSA_F_rsa_setup_blinding 125
+#define RSA_F_sign_raw 126
+#define RSA_F_verify_raw 127
+#define RSA_R_BAD_E_VALUE 100
+#define RSA_R_BAD_FIXED_HEADER_DECRYPT 101
+#define RSA_R_BAD_PAD_BYTE_COUNT 102
+#define RSA_R_BAD_RSA_PARAMETERS 103
+#define RSA_R_BAD_SIGNATURE 104
+#define RSA_R_BLOCK_TYPE_IS_NOT_01 105
+#define RSA_R_BN_NOT_INITIALIZED 106
+#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 107
+#define RSA_R_CRT_VALUES_INCORRECT 108
+#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 109
+#define RSA_R_DATA_TOO_LARGE 110
+#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 111
+#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 112
+#define RSA_R_DATA_TOO_SMALL 113
+#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 114
+#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 115
+#define RSA_R_D_E_NOT_CONGRUENT_TO_1 116
+#define RSA_R_EMPTY_PUBLIC_KEY 117
+#define RSA_R_FIRST_OCTET_INVALID 118
+#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 119
+#define RSA_R_INTERNAL_ERROR 120
+#define RSA_R_INVALID_MESSAGE_LENGTH 121
+#define RSA_R_KEY_SIZE_TOO_SMALL 122
+#define RSA_R_LAST_OCTET_INVALID 123
+#define RSA_R_MODULUS_TOO_LARGE 124
+#define RSA_R_NO_PUBLIC_EXPONENT 125
+#define RSA_R_NULL_BEFORE_BLOCK_MISSING 126
+#define RSA_R_N_NOT_EQUAL_P_Q 127
+#define RSA_R_OAEP_DECODING_ERROR 128
+#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 129
+#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 130
+#define RSA_R_PADDING_CHECK_FAILED 131
+#define RSA_R_PKCS_DECODING_ERROR 132
+#define RSA_R_SLEN_CHECK_FAILED 133
+#define RSA_R_SLEN_RECOVERY_FAILED 134
+#define RSA_R_TOO_LONG 135
+#define RSA_R_TOO_MANY_ITERATIONS 136
+#define RSA_R_UNKNOWN_ALGORITHM_TYPE 137
+#define RSA_R_UNKNOWN_PADDING_TYPE 138
#define RSA_R_VALUE_MISSING 139
-#define RSA_R_N_NOT_EQUAL_P_Q 140
-#define RSA_R_CRT_VALUES_INCORRECT 141
-#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 142
-#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 143
-#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 144
+#define RSA_R_WRONG_SIGNATURE_LENGTH 140
#endif /* OPENSSL_HEADER_RSA_H */
diff --git a/src/include/openssl/safe_stack.h b/src/include/openssl/safestack.h
similarity index 100%
rename from src/include/openssl/safe_stack.h
rename to src/include/openssl/safestack.h
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index ef73c8d..b746007 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -140,8 +140,8 @@
* OTHERWISE.
*/
-#ifndef HEADER_SSL_H
-#define HEADER_SSL_H
+#ifndef OPENSSL_HEADER_SSL_H
+#define OPENSSL_HEADER_SSL_H
#include <openssl/base.h>
@@ -152,17 +152,132 @@
#include <openssl/pem.h>
#include <openssl/x509.h>
+#if !defined(OPENSSL_WINDOWS)
+#include <sys/time.h>
+#endif
+
/* Some code expected to get the threading functions by including ssl.h. */
#include <openssl/thread.h>
/* wpa_supplicant expects to get the version functions from ssl.h */
#include <openssl/crypto.h>
-#ifdef __cplusplus
+/* Forward-declare struct timeval. On Windows, it is defined in winsock2.h and
+ * Windows headers define too many macros to be included in public headers.
+ * However, only a forward declaration is needed. */
+struct timeval;
+
+#if defined(__cplusplus)
extern "C" {
#endif
+/* SSL implementation. */
+
+
+/* Initialization. */
+
+/* SSL_library_init initializes the crypto and SSL libraries and returns one. */
+OPENSSL_EXPORT int SSL_library_init(void);
+
+
+/* Protocol version constants */
+
+#define SSL3_VERSION 0x0300
+#define SSL3_VERSION_MAJOR 0x03
+#define SSL3_VERSION_MINOR 0x00
+
+#define TLS1_2_VERSION 0x0303
+#define TLS1_2_VERSION_MAJOR 0x03
+#define TLS1_2_VERSION_MINOR 0x03
+
+#define TLS1_1_VERSION 0x0302
+#define TLS1_1_VERSION_MAJOR 0x03
+#define TLS1_1_VERSION_MINOR 0x02
+
+#define TLS1_VERSION 0x0301
+#define TLS1_VERSION_MAJOR 0x03
+#define TLS1_VERSION_MINOR 0x01
+
+#define DTLS1_VERSION 0xFEFF
+#define DTLS1_2_VERSION 0xFEFD
+
+
+/* Cipher suites. */
+
+/* An SSL_CIPHER represents a cipher suite. */
+typedef struct ssl_cipher_st {
+ /* name is the OpenSSL name for the cipher. */
+ const char *name;
+ /* id is the cipher suite value bitwise OR-d with 0x03000000. */
+ uint32_t id;
+
+ /* The following are internal fields. See ssl/internal.h for their values. */
+
+ uint32_t algorithm_mkey;
+ uint32_t algorithm_auth;
+ uint32_t algorithm_enc;
+ uint32_t algorithm_mac;
+ uint32_t algorithm_ssl;
+ uint32_t algo_strength;
+
+ /* algorithm2 contains extra flags. See ssl/internal.h. */
+ uint32_t algorithm2;
+
+ /* strength_bits is the strength of the cipher in bits. */
+ int strength_bits;
+ /* alg_bits is the number of bits of key material used by the algorithm. */
+ int alg_bits;
+} SSL_CIPHER;
+
+DECLARE_STACK_OF(SSL_CIPHER)
+
+/* SSL_get_cipher_by_value returns the structure representing a TLS cipher
+ * suite based on its assigned number, or NULL if unknown. See
+ * https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4. */
+OPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value);
+
+/* SSL_CIPHER_get_id returns |cipher|'s id. It may be cast to a |uint16_t| to
+ * get the cipher suite value. */
+OPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
+ * mode). */
+OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_has_MD5_HMAC returns one if |cipher| uses HMAC-MD5. */
+OPENSSL_EXPORT int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. */
+OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
+ * CHACHA20_POLY1305. */
+OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. */
+OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
+ * method used by |cipher|. For example, "ECDHE_ECDSA". */
+OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_rfc_name returns a newly-allocated string with the standard
+ * name for |cipher|. For example, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". The
+ * caller is responsible for calling |OPENSSL_free| on the result. */
+OPENSSL_EXPORT char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher);
+
+/* SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If
+ * |out_alg_bits| is not NULL, it writes the number of bits consumed by the
+ * symmetric algorithm to |*out_alg_bits|. */
+OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,
+ int *out_alg_bits);
+
+
+/* Underdocumented functions.
+ *
+ * Functions below here haven't been touched up and may be underdocumented. */
+
/* SSLeay version number for ASN.1 encoding of the session information */
/* Version 0 - initial version
* Version 1 - added the optional peer certificate. */
@@ -178,11 +293,11 @@
#define SSL_TXT_HIGH "HIGH"
#define SSL_TXT_FIPS "FIPS"
-#define SSL_TXT_aNULL "aNULL"
-
#define SSL_TXT_kRSA "kRSA"
-#define SSL_TXT_kEDH "kEDH"
-#define SSL_TXT_kEECDH "kEECDH"
+#define SSL_TXT_kDHE "kDHE"
+#define SSL_TXT_kEDH "kEDH" /* same as "kDHE" */
+#define SSL_TXT_kECDHE "kECDHE"
+#define SSL_TXT_kEECDH "kEECDH" /* same as "kECDHE" */
#define SSL_TXT_kPSK "kPSK"
#define SSL_TXT_aRSA "aRSA"
@@ -190,12 +305,12 @@
#define SSL_TXT_aPSK "aPSK"
#define SSL_TXT_DH "DH"
-#define SSL_TXT_EDH "EDH" /* same as "kEDH:-ADH" */
-#define SSL_TXT_ADH "ADH"
+#define SSL_TXT_DHE "DHE" /* same as "kDHE" */
+#define SSL_TXT_EDH "EDH" /* same as "DHE" */
#define SSL_TXT_RSA "RSA"
#define SSL_TXT_ECDH "ECDH"
-#define SSL_TXT_EECDH "EECDH" /* same as "kEECDH:-AECDH" */
-#define SSL_TXT_AECDH "AECDH"
+#define SSL_TXT_ECDHE "ECDHE" /* same as "kECDHE" */
+#define SSL_TXT_EECDH "EECDH" /* same as "ECDHE" */
#define SSL_TXT_ECDSA "ECDSA"
#define SSL_TXT_PSK "PSK"
@@ -237,7 +352,7 @@
/* The following cipher list is used by default. It also is substituted when an
* application-defined cipher list string starts with 'DEFAULT'. */
-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
+#define SSL_DEFAULT_CIPHER_LIST "ALL"
/* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
@@ -253,14 +368,11 @@
typedef struct ssl_method_st SSL_METHOD;
typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD;
-typedef struct ssl_cipher_st SSL_CIPHER;
typedef struct ssl_session_st SSL_SESSION;
typedef struct tls_sigalgs_st TLS_SIGALGS;
typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
typedef struct ssl3_enc_method SSL3_ENC_METHOD;
-DECLARE_STACK_OF(SSL_CIPHER)
-
/* SRTP protection profiles for use with the use_srtp extension (RFC 5764). */
typedef struct srtp_protection_profile_st {
const char *name;
@@ -269,28 +381,6 @@
DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
-/* used to hold info on the particular ciphers used */
-struct ssl_cipher_st {
- int valid;
- const char *name; /* text name */
- unsigned long id; /* id, 4 bytes, first is version */
-
- /* changed in 0.9.9: these four used to be portions of a single value
- * 'algorithms' */
- unsigned long algorithm_mkey; /* key exchange algorithm */
- unsigned long algorithm_auth; /* server authentication */
- unsigned long algorithm_enc; /* symmetric encryption */
- unsigned long algorithm_mac; /* symmetric authentication */
- unsigned long algorithm_ssl; /* (major) protocol version */
-
- unsigned long algo_strength; /* strength and export flags */
- unsigned long algorithm2; /* Extra flags. See SSL2_CF_* in ssl2.h
- and algorithm2 section in
- ssl_locl.h */
- int strength_bits; /* Number of bits really used */
- int alg_bits; /* Number of bits for algorithm */
-};
-
/* An SSL_SESSION represents an SSL session that may be resumed in an
* abbreviated handshake. */
struct ssl_session_st {
@@ -382,8 +472,6 @@
/* DTLS options */
#define SSL_OP_NO_QUERY_MTU 0x00001000L
-/* Turn on Cookie Exchange (on relevant for servers) */
-#define SSL_OP_COOKIE_EXCHANGE 0x00002000L
/* Don't use RFC4507 ticket extension */
#define SSL_OP_NO_TICKET 0x00004000L
@@ -393,9 +481,9 @@
#define SSL_OP_NO_COMPRESSION 0x00020000L
/* Permit unsafe legacy renegotiation */
#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
-/* If set, always create a new key when using tmp_ecdh parameters */
+/* SSL_OP_SINGLE_ECDH_USE does nothing. */
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
-/* If set, always create a new key when using tmp_dh parameters */
+/* SSL_OP_SINGLE_DH_USE does nothing. */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
/* Set on servers to choose the cipher according to the server's preferences */
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
@@ -435,14 +523,11 @@
#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
/* Don't attempt to automatically build certificate chain */
#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
-/* Save RAM by releasing read and write buffers when they're empty. (SSL3 and
- * TLS only.) "Released" buffers are put onto a free-list in the context or
- * just freed (depending on the context's setting for freelist_max_len). */
-#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
/* The following flags do nothing and are included only to make it easier to
* compile code with BoringSSL. */
#define SSL_MODE_AUTO_RETRY 0
+#define SSL_MODE_RELEASE_BUFFERS 0
/* Send the current time in the Random fields of the ClientHello and
* ServerHello records for compatibility with hypothetical implementations that
@@ -467,9 +552,14 @@
/* Clear verification errors from queue */
#define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR 0x10
-/* When set, clients may send application data before receipt of CCS and
- * Finished. This mode enables full-handshakes to 'complete' in one RTT. */
-#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000080L
+/* SSL_MODE_ENABLE_FALSE_START allows clients to send application data before
+ * receipt of CCS and Finished. This mode enables full-handshakes to 'complete'
+ * in one RTT. See draft-bmoeller-tls-falsestart-01. */
+#define SSL_MODE_ENABLE_FALSE_START 0x00000080L
+
+/* Deprecated: SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as
+ * SSL_MODE_ENABLE_FALSE_START. */
+#define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START
/* When set, TLS 1.0 and SSLv3, multi-byte, CBC records will be split in two:
* the first record will contain a single byte and the second will contain the
@@ -482,7 +572,7 @@
* session resumption is used for a given SSL*. */
#define SSL_MODE_NO_SESSION_CREATION 0x00000200L
-/* SSL_MODE_SEND_SERVERHELLO_TIME sends TLS_FALLBACK_SCSV in the ClientHello.
+/* SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello.
* To be set only by applications that reconnect with a downgraded protocol
* version; see https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-05
* for details.
@@ -492,38 +582,69 @@
* draft-ietf-tls-downgrade-scsv-05. */
#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L
-/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they
- * cannot be used to clear bits. */
+/* SSL_CTX_set_options enables all options set in |options| (which should be one
+ * or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
+ * bitmask representing the resulting enabled options. */
+OPENSSL_EXPORT uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options);
-#define SSL_CTX_set_options(ctx, op) \
- SSL_CTX_ctrl((ctx), SSL_CTRL_OPTIONS, (op), NULL)
-#define SSL_CTX_clear_options(ctx, op) \
- SSL_CTX_ctrl((ctx), SSL_CTRL_CLEAR_OPTIONS, (op), NULL)
-#define SSL_CTX_get_options(ctx) SSL_CTX_ctrl((ctx), SSL_CTRL_OPTIONS, 0, NULL)
-#define SSL_set_options(ssl, op) SSL_ctrl((ssl), SSL_CTRL_OPTIONS, (op), NULL)
-#define SSL_clear_options(ssl, op) \
- SSL_ctrl((ssl), SSL_CTRL_CLEAR_OPTIONS, (op), NULL)
-#define SSL_get_options(ssl) SSL_ctrl((ssl), SSL_CTRL_OPTIONS, 0, NULL)
+/* SSL_CTX_clear_options disables all options set in |options| (which should be
+ * one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a
+ * bitmask representing the resulting enabled options. */
+OPENSSL_EXPORT uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options);
-#define SSL_CTX_set_mode(ctx, op) SSL_CTX_ctrl((ctx), SSL_CTRL_MODE, (op), NULL)
-#define SSL_CTX_clear_mode(ctx, op) \
- SSL_CTX_ctrl((ctx), SSL_CTRL_CLEAR_MODE, (op), NULL)
-#define SSL_CTX_get_mode(ctx) SSL_CTX_ctrl((ctx), SSL_CTRL_MODE, 0, NULL)
-#define SSL_clear_mode(ssl, op) SSL_ctrl((ssl), SSL_CTRL_CLEAR_MODE, (op), NULL)
-#define SSL_set_mode(ssl, op) SSL_ctrl((ssl), SSL_CTRL_MODE, (op), NULL)
-#define SSL_get_mode(ssl) SSL_ctrl((ssl), SSL_CTRL_MODE, 0, NULL)
-#define SSL_set_mtu(ssl, mtu) SSL_ctrl((ssl), SSL_CTRL_SET_MTU, (mtu), NULL)
+/* SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all
+ * the options enabled for |ctx|. */
+OPENSSL_EXPORT uint32_t SSL_CTX_get_options(const SSL_CTX *ctx);
-#define SSL_get_secure_renegotiation_support(ssl) \
- SSL_ctrl((SSL *)(ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
+/* SSL_set_options enables all options set in |options| (which should be one or
+ * more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask
+ * representing the resulting enabled options. */
+OPENSSL_EXPORT uint32_t SSL_set_options(SSL *ssl, uint32_t options);
-#define SSL_CTX_set_cert_flags(ctx, op) \
- SSL_CTX_ctrl((ctx), SSL_CTRL_CERT_FLAGS, (op), NULL)
-#define SSL_set_cert_flags(s, op) SSL_ctrl((s), SSL_CTRL_CERT_FLAGS, (op), NULL)
-#define SSL_CTX_clear_cert_flags(ctx, op) \
- SSL_CTX_ctrl((ctx), SSL_CTRL_CLEAR_CERT_FLAGS, (op), NULL)
-#define SSL_clear_cert_flags(s, op) \
- SSL_ctrl((s), SSL_CTRL_CLEAR_CERT_FLAGS, (op), NULL)
+/* SSL_clear_options disables all options set in |options| (which should be one
+ * or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a
+ * bitmask representing the resulting enabled options. */
+OPENSSL_EXPORT uint32_t SSL_clear_options(SSL *ssl, uint32_t options);
+
+/* SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the
+ * options enabled for |ssl|. */
+OPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl);
+
+/* SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more
+ * of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask
+ * representing the resulting enabled modes. */
+OPENSSL_EXPORT uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode);
+
+/* SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or
+ * more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a
+ * bitmask representing the resulting enabled modes. */
+OPENSSL_EXPORT uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode);
+
+/* SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all
+ * the modes enabled for |ssl|. */
+OPENSSL_EXPORT uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx);
+
+/* SSL_set_mode enables all modes set in |mode| (which should be one or more of
+ * the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
+ * representing the resulting enabled modes. */
+OPENSSL_EXPORT uint32_t SSL_set_mode(SSL *ssl, uint32_t mode);
+
+/* SSL_clear_mode disables all modes set in |mode| (which should be one or more
+ * of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask
+ * representing the resulting enabled modes. */
+OPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode);
+
+/* SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the
+ * modes enabled for |ssl|. */
+OPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl);
+
+/* SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success
+ * and zero on failure. */
+OPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);
+
+/* SSL_get_secure_renegotiation_support returns one if the peer supports secure
+ * renegotiation (RFC 5746) and zero otherwise. */
+OPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl);
/* SSL_CTX_set_min_version sets the minimum protocol version for |ctx| to
* |version|. */
@@ -541,16 +662,36 @@
* |version|. */
OPENSSL_EXPORT void SSL_set_max_version(SSL *ssl, uint16_t version);
+/* SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|.
+ * This callback will be called when sending or receiving low-level record
+ * headers, complete handshake messages, ChangeCipherSpec, and alerts.
+ * |write_p| is one for outgoing messages and zero for incoming messages.
+ *
+ * For each record header, |cb| is called with |version| = 0 and |content_type|
+ * = |SSL3_RT_HEADER|. The |len| bytes from |buf| contain the header. Note that
+ * this does not include the record body. If the record is sealed, the length
+ * in the header is the length of the ciphertext.
+ *
+ * For each handshake message, ChangeCipherSpec, and alert, |version| is the
+ * protocol version and |content_type| is the corresponding record type. The
+ * |len| bytes from |buf| contain the handshake message, one-byte
+ * ChangeCipherSpec body, and two-byte alert, respectively. */
OPENSSL_EXPORT void SSL_CTX_set_msg_callback(
SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg));
+
+/* SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message
+ * callback. */
+OPENSSL_EXPORT void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
+
+/* SSL_set_msg_callback installs |cb| as the message callback of |ssl|. See
+ * |SSL_CTX_set_msg_callback| for when this callback is called. */
OPENSSL_EXPORT void SSL_set_msg_callback(
SSL *ssl, void (*cb)(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg));
-#define SSL_CTX_set_msg_callback_arg(ctx, arg) \
- SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-#define SSL_set_msg_callback_arg(ssl, arg) \
- SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
+
+/* set_msg_callback_arg sets the |arg| parameter of the message callback. */
+OPENSSL_EXPORT void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
/* SSL_CTX_set_keylog_bio sets configures all SSL objects attached to |ctx| to
* log session material to |keylog_bio|. This is intended for debugging use
@@ -686,6 +827,10 @@
struct ssl_session_st *session_cache_head;
struct ssl_session_st *session_cache_tail;
+ /* handshakes_since_cache_flush is the number of successful handshakes since
+ * the last cache flush. */
+ int handshakes_since_cache_flush;
+
/* This can have one of 2 values, ored together,
* SSL_SESS_CACHE_CLIENT,
* SSL_SESS_CACHE_SERVER,
@@ -709,26 +854,6 @@
SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, uint8_t *data, int len,
int *copy);
- /* TODO(agl): remove the stats stuff. */
- struct {
- int sess_connect; /* SSL new conn - started */
- int sess_connect_renegotiate; /* SSL reneg - requested */
- int sess_connect_good; /* SSL new conne/reneg - finished */
- int sess_accept; /* SSL new accept - started */
- int sess_accept_renegotiate; /* SSL reneg - requested */
- int sess_accept_good; /* SSL accept/reneg - finished */
- int sess_miss; /* session lookup misses */
- int sess_timeout; /* reuse attempt on timeouted session */
- int sess_cache_full; /* session removed due to full cache */
- int sess_hit; /* session reuse actually done */
- int sess_cb_hit; /* session-id that was not
- * in the cache was
- * passed back via the callback. This
- * indicates that the application is
- * supplying session-id's from other
- * processes - spooky :-) */
- } stats;
-
int references;
/* if defined, these override the X509_verify_cert() calls */
@@ -749,13 +874,6 @@
/* get channel id callback */
void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey);
- /* cookie generate callback */
- int (*app_gen_cookie_cb)(SSL *ssl, uint8_t *cookie, size_t *cookie_len);
-
- /* verify cookie callback */
- int (*app_verify_cookie_cb)(SSL *ssl, const uint8_t *cookie,
- size_t cookie_len);
-
CRYPTO_EX_DATA ex_data;
STACK_OF(X509) *extra_certs;
@@ -773,9 +891,9 @@
/* Default values to use in SSL structures follow (these are copied by
* SSL_new) */
- unsigned long options;
- unsigned long mode;
- long max_cert_list;
+ uint32_t options;
+ uint32_t mode;
+ uint32_t max_cert_list;
struct cert_st /* CERT */ *cert;
int read_ahead;
@@ -800,16 +918,22 @@
* before the decision whether to resume a session is made. It may return one
* to continue the handshake or zero to cause the handshake loop to return
* with an error and cause SSL_get_error to return
- * SSL_ERROR_PENDING_CERTIFICATE. */
+ * SSL_ERROR_PENDING_CERTIFICATE. Note: when the handshake loop is resumed, it
+ * will not call the callback a second time. */
int (*select_certificate_cb)(const struct ssl_early_callback_ctx *);
+ /* dos_protection_cb is called once the resumption decision for a ClientHello
+ * has been made. It returns one to continue the handshake or zero to
+ * abort. */
+ int (*dos_protection_cb) (const struct ssl_early_callback_ctx *);
+
/* quiet_shutdown is true if the connection should not send a close_notify on
* shutdown. */
int quiet_shutdown;
/* Maximum amount of data to send in one fragment. actual record size can be
* more than this due to padding and MAC overheads. */
- unsigned int max_send_fragment;
+ uint16_t max_send_fragment;
/* TLS extensions servername callback */
int (*tlsext_servername_callback)(SSL *, int *, void *);
@@ -822,11 +946,6 @@
int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv,
EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
- /* certificate status request info */
- /* Callback for status request */
- int (*tlsext_status_cb)(SSL *ssl, void *arg);
- void *tlsext_status_arg;
-
/* Server-only: psk_identity_hint is the default identity hint to send in
* PSK-based key exchanges. */
char *psk_identity_hint;
@@ -906,47 +1025,17 @@
/* If not NULL, session key material will be logged to this BIO for debugging
* purposes. The format matches NSS's and is readable by Wireshark. */
BIO *keylog_bio;
+
+ /* current_time_cb, if not NULL, is the function to use to get the current
+ * time. It sets |*out_clock| to the current time. */
+ void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock);
};
-#define SSL_SESS_CACHE_OFF 0x0000
-#define SSL_SESS_CACHE_CLIENT 0x0001
-#define SSL_SESS_CACHE_SERVER 0x0002
-#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER)
-#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
-/* See SSL_CTX_set_session_cache_mode(3) */
-#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
-#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
-#define SSL_SESS_CACHE_NO_INTERNAL \
- (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE)
-
OPENSSL_EXPORT LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
-#define SSL_CTX_sess_number(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_NUMBER, 0, NULL)
-#define SSL_CTX_sess_connect(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CONNECT, 0, NULL)
-#define SSL_CTX_sess_connect_good(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CONNECT_GOOD, 0, NULL)
-#define SSL_CTX_sess_connect_renegotiate(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CONNECT_RENEGOTIATE, 0, NULL)
-#define SSL_CTX_sess_accept(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_ACCEPT, 0, NULL)
-#define SSL_CTX_sess_accept_renegotiate(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_ACCEPT_RENEGOTIATE, 0, NULL)
-#define SSL_CTX_sess_accept_good(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_ACCEPT_GOOD, 0, NULL)
-#define SSL_CTX_sess_hits(ctx) SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_HIT, 0, NULL)
-#define SSL_CTX_sess_cb_hits(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CB_HIT, 0, NULL)
-#define SSL_CTX_sess_misses(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_MISSES, 0, NULL)
-#define SSL_CTX_sess_timeouts(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_TIMEOUTS, 0, NULL)
-#define SSL_CTX_sess_cache_full(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SESS_CACHE_FULL, 0, NULL)
-/* SSL_CTX_enable_tls_channel_id configures a TLS server to accept TLS client
- * IDs from clients. Returns 1 on success. */
-#define SSL_CTX_enable_tls_channel_id(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_CHANNEL_ID, 0, NULL)
+
+/* SSL_CTX_sess_number returns the number of sessions in |ctx|'s internal
+ * session cache. */
+OPENSSL_EXPORT size_t SSL_CTX_sess_number(const SSL_CTX *ctx);
OPENSSL_EXPORT void SSL_CTX_sess_set_new_cb(
SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess));
@@ -984,13 +1073,6 @@
SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey));
OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl,
EVP_PKEY **pkey);
-OPENSSL_EXPORT void SSL_CTX_set_cookie_generate_cb(
- SSL_CTX *ctx,
- int (*app_gen_cookie_cb)(SSL *ssl, uint8_t *cookie, size_t *cookie_len));
-OPENSSL_EXPORT void SSL_CTX_set_cookie_verify_cb(
- SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, const uint8_t *cookie,
- size_t cookie_len));
-
/* SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end
* of a connection) to request SCTs from the server. See
@@ -1051,10 +1133,24 @@
#define OPENSSL_NPN_NEGOTIATED 1
#define OPENSSL_NPN_NO_OVERLAP 2
+/* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
+ * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
+ * length-prefixed strings). It returns zero on success and one on failure.
+ *
+ * WARNING: this function is dangerous because it breaks the usual return value
+ * convention. */
OPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
unsigned protos_len);
+
+/* SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
+ * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
+ * length-prefixed strings). It returns zero on success and one on failure.
+ *
+ * WARNING: this function is dangerous because it breaks the usual return value
+ * convention. */
OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,
unsigned protos_len);
+
OPENSSL_EXPORT void SSL_CTX_set_alpn_select_cb(
SSL_CTX *ctx, int (*cb)(SSL *ssl, const uint8_t **out, uint8_t *outlen,
const uint8_t *in, unsigned int inlen, void *arg),
@@ -1067,6 +1163,11 @@
* causes 3G radios to switch to DCH mode (high data rate). */
OPENSSL_EXPORT void SSL_enable_fastradio_padding(SSL *ssl, char on_off);
+/* SSL_set_reject_peer_renegotiations controls whether renegotiation attempts by
+ * the peer are rejected. It may be set at any point in a connection's lifetime
+ * to disallow future renegotiations programmatically. */
+OPENSSL_EXPORT void SSL_set_reject_peer_renegotiations(SSL *ssl, int reject);
+
/* the maximum length of the buffer given to callbacks containing the resulting
* identity/psk */
#define PSK_MAX_IDENTITY_LEN 128
@@ -1259,17 +1360,12 @@
/* for server side, keep the list of CA_dn we can use */
STACK_OF(X509_NAME) *client_CA;
- int references;
- unsigned long options; /* protocol behaviour */
- unsigned long mode; /* API behaviour */
- long max_cert_list;
+ uint32_t options; /* protocol behaviour */
+ uint32_t mode; /* API behaviour */
+ uint32_t max_cert_list;
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
- unsigned int max_send_fragment;
- /* TLS extension debug callback */
- void (*tlsext_debug_cb)(SSL *s, int client_server, int type, uint8_t *data,
- int len, void *arg);
- void *tlsext_debug_arg;
+ uint16_t max_send_fragment;
char *tlsext_hostname;
/* should_ack_sni is true if the SNI extension should be acked. This is
* only used by a server. */
@@ -1328,6 +1424,10 @@
* data rate) state in 3G networks. */
char fastradio_padding;
+ /* reject_peer_renegotiations, if one, causes causes renegotiation attempts
+ * from the peer to be rejected with a fatal error. */
+ char reject_peer_renegotiations;
+
/* These fields are always NULL and exist only to keep wpa_supplicant happy
* about the change to EVP_AEAD. They are only needed for EAP-FAST, which we
* don't support. */
@@ -1335,21 +1435,6 @@
EVP_MD_CTX *read_hash;
};
-#ifdef __cplusplus
-}
-#endif
-
-#include <openssl/ssl2.h>
-#include <openssl/ssl3.h>
-#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
-#include <openssl/dtls1.h> /* Datagram TLS */
-#include <openssl/ssl23.h>
-#include <openssl/srtp.h> /* Support for the use_srtp extension */
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
/* compatibility */
#define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)arg))
#define SSL_get_app_data(s) (SSL_get_ex_data(s, 0))
@@ -1391,12 +1476,15 @@
/* Is the SSL_connection established? */
#define SSL_get_state(a) SSL_state(a)
#define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK)
-#define SSL_in_init(a) \
- ((SSL_state(a) & SSL_ST_INIT) && !SSL_cutthrough_complete(a))
+#define SSL_in_init(a) (SSL_state(a) & SSL_ST_INIT)
#define SSL_in_before(a) (SSL_state(a) & SSL_ST_BEFORE)
#define SSL_in_connect_init(a) (SSL_state(a) & SSL_ST_CONNECT)
#define SSL_in_accept_init(a) (SSL_state(a) & SSL_ST_ACCEPT)
-OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *s);
+
+/* SSL_in_false_start returns one if |s| has a pending unfinished handshake that
+ * is in False Start. |SSL_write| may be called at this point without waiting
+ * for the peer, but |SSL_read| will require the handshake to be completed. */
+OPENSSL_EXPORT int SSL_in_false_start(const SSL *s);
/* The following 2 states are kept in ssl->rstate when reads fail,
* you should not need these */
@@ -1493,84 +1581,17 @@
#define SSL_ERROR_PENDING_SESSION 11
#define SSL_ERROR_PENDING_CERTIFICATE 12
-#define SSL_CTRL_NEED_TMP_RSA 1
-#define SSL_CTRL_SET_TMP_RSA 2
-#define SSL_CTRL_SET_TMP_DH 3
-#define SSL_CTRL_SET_TMP_ECDH 4
-#define SSL_CTRL_SET_TMP_RSA_CB 5
-#define SSL_CTRL_SET_TMP_DH_CB 6
-#define SSL_CTRL_SET_TMP_ECDH_CB 7
-
-#define SSL_CTRL_GET_SESSION_REUSED 8
-#define SSL_CTRL_GET_CLIENT_CERT_REQUEST 9
-#define SSL_CTRL_GET_NUM_RENEGOTIATIONS 10
-#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
-#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
-#define SSL_CTRL_GET_FLAGS 13
#define SSL_CTRL_EXTRA_CHAIN_CERT 14
-#define SSL_CTRL_SET_MSG_CALLBACK 15
-#define SSL_CTRL_SET_MSG_CALLBACK_ARG 16
-
-/* only applies to datagram connections */
-#define SSL_CTRL_SET_MTU 17
-/* Stats */
-#define SSL_CTRL_SESS_NUMBER 20
-#define SSL_CTRL_SESS_CONNECT 21
-#define SSL_CTRL_SESS_CONNECT_GOOD 22
-#define SSL_CTRL_SESS_CONNECT_RENEGOTIATE 23
-#define SSL_CTRL_SESS_ACCEPT 24
-#define SSL_CTRL_SESS_ACCEPT_GOOD 25
-#define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE 26
-#define SSL_CTRL_SESS_HIT 27
-#define SSL_CTRL_SESS_CB_HIT 28
-#define SSL_CTRL_SESS_MISSES 29
-#define SSL_CTRL_SESS_TIMEOUTS 30
-#define SSL_CTRL_SESS_CACHE_FULL 31
-#define SSL_CTRL_OPTIONS 32
-#define SSL_CTRL_MODE 33
-
-#define SSL_CTRL_GET_READ_AHEAD 40
-#define SSL_CTRL_SET_READ_AHEAD 41
-#define SSL_CTRL_SET_SESS_CACHE_SIZE 42
-#define SSL_CTRL_GET_SESS_CACHE_SIZE 43
-#define SSL_CTRL_SET_SESS_CACHE_MODE 44
-#define SSL_CTRL_GET_SESS_CACHE_MODE 45
-
-#define SSL_CTRL_GET_MAX_CERT_LIST 50
-#define SSL_CTRL_SET_MAX_CERT_LIST 51
-
-#define SSL_CTRL_SET_MAX_SEND_FRAGMENT 52
-
/* see tls1.h for macros based on these */
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 53
-#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 54
-#define SSL_CTRL_SET_TLSEXT_HOSTNAME 55
-#define SSL_CTRL_SET_TLSEXT_DEBUG_CB 56
-#define SSL_CTRL_SET_TLSEXT_DEBUG_ARG 57
#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS 58
#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS 59
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
-#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
-
-#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
-
-#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB 75
-#define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB 76
-#define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB 77
#define SSL_CTRL_SET_SRP_ARG 78
#define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME 79
#define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH 80
#define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD 81
-#define DTLS_CTRL_GET_TIMEOUT 73
-#define DTLS_CTRL_HANDLE_TIMEOUT 74
-
-#define SSL_CTRL_GET_RI_SUPPORT 76
-#define SSL_CTRL_CLEAR_OPTIONS 77
-#define SSL_CTRL_CLEAR_MODE 78
-
#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
@@ -1580,11 +1601,8 @@
#define SSL_CTRL_GET_CURVES 90
#define SSL_CTRL_SET_CURVES 91
#define SSL_CTRL_SET_CURVES_LIST 92
-#define SSL_CTRL_SET_ECDH_AUTO 94
#define SSL_CTRL_SET_SIGALGS 97
#define SSL_CTRL_SET_SIGALGS_LIST 98
-#define SSL_CTRL_CERT_FLAGS 99
-#define SSL_CTRL_CLEAR_CERT_FLAGS 100
#define SSL_CTRL_SET_CLIENT_SIGALGS 101
#define SSL_CTRL_SET_CLIENT_SIGALGS_LIST 102
#define SSL_CTRL_GET_CLIENT_CERT_TYPES 103
@@ -1593,70 +1611,97 @@
#define SSL_CTRL_SET_VERIFY_CERT_STORE 106
#define SSL_CTRL_SET_CHAIN_CERT_STORE 107
#define SSL_CTRL_GET_SERVER_TMP_KEY 109
-#define SSL_CTRL_GET_RAW_CIPHERLIST 110
#define SSL_CTRL_GET_EC_POINT_FORMATS 111
#define SSL_CTRL_GET_CHAIN_CERTS 115
#define SSL_CTRL_SELECT_CURRENT_CERT 116
-#define SSL_CTRL_CHANNEL_ID 117
-#define SSL_CTRL_GET_CHANNEL_ID 118
-#define SSL_CTRL_SET_CHANNEL_ID 119
-
/* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
- * timeout in progress, it sets |*((OPENSSL_timeval*)arg)| to the time remaining
- * and returns one. Otherwise, it returns zero. */
-#define DTLSv1_get_timeout(ssl, arg) \
- SSL_ctrl(ssl, DTLS_CTRL_GET_TIMEOUT, 0, (void *)arg)
-#define DTLSv1_handle_timeout(ssl) \
- SSL_ctrl(ssl, DTLS_CTRL_HANDLE_TIMEOUT, 0, NULL)
+ * timeout in progress, it sets |*out| to the time remaining and returns one.
+ * Otherwise, it returns zero.
+ *
+ * When the timeout expires, call |DTLSv1_handle_timeout| to handle the
+ * retransmit behavior.
+ *
+ * NOTE: This function must be queried again whenever the handshake state
+ * machine changes, including when |DTLSv1_handle_timeout| is called. */
+OPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out);
-#define SSL_session_reused(ssl) \
- SSL_ctrl((ssl), SSL_CTRL_GET_SESSION_REUSED, 0, NULL)
-#define SSL_num_renegotiations(ssl) \
- SSL_ctrl((ssl), SSL_CTRL_GET_NUM_RENEGOTIATIONS, 0, NULL)
-#define SSL_clear_num_renegotiations(ssl) \
- SSL_ctrl((ssl), SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS, 0, NULL)
-#define SSL_total_renegotiations(ssl) \
- SSL_ctrl((ssl), SSL_CTRL_GET_TOTAL_RENEGOTIATIONS, 0, NULL)
+/* DTLSv1_handle_timeout is called when a DTLS handshake timeout expires. If no
+ * timeout had expired, it returns 0. Otherwise, it retransmits the previous
+ * flight of handshake messages and returns 1. If too many timeouts had expired
+ * without progress or an error occurs, it returns -1.
+ *
+ * NOTE: The caller's external timer should be compatible with the one |ssl|
+ * queries within some fudge factor. Otherwise, the call will be a no-op, but
+ * |DTLSv1_get_timeout| will return an updated timeout.
+ *
+ * WARNING: This function breaks the usual return value convention. */
+OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);
-#define SSL_CTX_need_tmp_RSA(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_NEED_TMP_RSA, 0, NULL)
-#define SSL_CTX_set_tmp_rsa(ctx, rsa) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_RSA, 0, (char *)rsa)
-#define SSL_CTX_set_tmp_dh(ctx, dh) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, (char *)dh)
-#define SSL_CTX_set_tmp_ecdh(ctx, ecdh) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, (char *)ecdh)
+/* SSL_session_reused returns one if |ssl| performed an abbreviated handshake
+ * and zero otherwise.
+ *
+ * TODO(davidben): Hammer down the semantics of this API while a handshake,
+ * initial or renego, is in progress. */
+OPENSSL_EXPORT int SSL_session_reused(const SSL *ssl);
-#define SSL_need_tmp_RSA(ssl) SSL_ctrl(ssl, SSL_CTRL_NEED_TMP_RSA, 0, NULL)
-#define SSL_set_tmp_rsa(ssl, rsa) \
- SSL_ctrl(ssl, SSL_CTRL_SET_TMP_RSA, 0, (char *)rsa)
-#define SSL_set_tmp_dh(ssl, dh) \
- SSL_ctrl(ssl, SSL_CTRL_SET_TMP_DH, 0, (char *)dh)
-#define SSL_set_tmp_ecdh(ssl, ecdh) \
- SSL_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH, 0, (char *)ecdh)
+/* SSL_total_renegotiations returns the total number of renegotiation handshakes
+ * peformed by |ssl|. This includes the pending renegotiation, if any. */
+OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);
+
+/* SSL_CTX_set_tmp_dh configures |ctx| to use the group from |dh| as the group
+ * for DHE. Only the group is used, so |dh| needn't have a keypair. It returns
+ * one on success and zero on error. */
+OPENSSL_EXPORT int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh);
+
+/* SSL_set_tmp_dh configures |ssl| to use the group from |dh| as the group for
+ * DHE. Only the group is used, so |dh| needn't have a keypair. It returns one
+ * on success and zero on error. */
+OPENSSL_EXPORT int SSL_set_tmp_dh(SSL *ssl, const DH *dh);
+
+/* SSL_CTX_set_tmp_ecdh configures |ctx| to use the curve from |ecdh| as the
+ * curve for ephemeral ECDH keys. For historical reasons, this API expects an
+ * |EC_KEY|, but only the curve is used. It returns one on success and zero on
+ * error. If unset, an appropriate curve will be chosen automatically. (This is
+ * recommended.) */
+OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key);
+
+/* SSL_set_tmp_ecdh configures |ssl| to use the curve from |ecdh| as the curve
+ * for ephemeral ECDH keys. For historical reasons, this API expects an
+ * |EC_KEY|, but only the curve is used. It returns one on success and zero on
+ * error. If unset, an appropriate curve will be chosen automatically. (This is
+ * recommended.) */
+OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key);
+
+/* SSL_CTX_enable_tls_channel_id either configures a TLS server to accept TLS
+ * client IDs from clients, or configures a client to send TLS client IDs to
+ * a server. It returns one. */
+OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS
* client IDs from clients, or configure a client to send TLS client IDs to
- * server. Returns 1 on success. */
-#define SSL_enable_tls_channel_id(s) SSL_ctrl(s, SSL_CTRL_CHANNEL_ID, 0, NULL)
+ * server. It returns one. */
+OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
+
+/* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
+ * to compatible servers. |private_key| must be a P-256 EC key. It returns one
+ * on success and zero on error. */
+OPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx,
+ EVP_PKEY *private_key);
/* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
- * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on
- * success. */
-#define SSL_set1_tls_channel_id(s, private_key) \
- SSL_ctrl(s, SSL_CTRL_SET_CHANNEL_ID, 0, (void *)private_key)
-#define SSL_CTX_set1_tls_channel_id(ctx, private_key) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHANNEL_ID, 0, (void *)private_key)
+ * compatible servers. |private_key| must be a P-256 EC key. It returns one on
+ * success and zero on error. */
+OPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key);
/* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server SSL*
- * and copies up to the first |channel_id_len| bytes into |channel_id|. The
- * Channel ID consists of the client's P-256 public key as an (x,y) pair where
- * each is a 32-byte, big-endian field element. Returns 0 if the client didn't
- * offer a Channel ID and the length of the complete Channel ID otherwise. */
-#define SSL_get_tls_channel_id(ctx, channel_id, channel_id_len) \
- SSL_ctrl(ctx, SSL_CTRL_GET_CHANNEL_ID, channel_id_len, (void *)channel_id)
+ * and copies up to the first |max_out| bytes into |out|. The Channel ID
+ * consists of the client's P-256 public key as an (x,y) pair where each is a
+ * 32-byte, big-endian field element. It returns 0 if the client didn't offer a
+ * Channel ID and the length of the complete Channel ID otherwise. */
+OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
+ size_t max_out);
#define SSL_CTX_add_extra_chain_cert(ctx, x509) \
SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, (char *)x509)
@@ -1724,10 +1769,6 @@
SSL_ctrl(ctx, SSL_CTRL_SET_CURVES, clistlen, (char *)clist)
#define SSL_set1_curves_list(ctx, s) \
SSL_ctrl(ctx, SSL_CTRL_SET_CURVES_LIST, 0, (char *)s)
-#define SSL_CTX_set_ecdh_auto(ctx, onoff) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, onoff, NULL)
-#define SSL_set_ecdh_auto(s, onoff) \
- SSL_ctrl(s, SSL_CTRL_SET_ECDH_AUTO, onoff, NULL)
#define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SIGALGS, slistlen, (int *)slist)
@@ -1758,9 +1799,6 @@
#define SSL_get_server_tmp_key(s, pk) \
SSL_ctrl(s, SSL_CTRL_GET_SERVER_TMP_KEY, 0, pk)
-#define SSL_get0_raw_cipherlist(s, plst) \
- SSL_ctrl(s, SSL_CTRL_GET_RAW_CIPHERLIST, 0, (char *)plst)
-
#define SSL_get0_ec_point_formats(s, plst) \
SSL_ctrl(s, SSL_CTRL_GET_EC_POINT_FORMATS, 0, (char *)plst)
@@ -1778,13 +1816,6 @@
OPENSSL_EXPORT void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
OPENSSL_EXPORT const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
-OPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
-OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
-OPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *c);
-/* SSL_CIPHER_get_kx_name returns a string that describes the key-exchange
- * method used by |c|. For example, "ECDHE-ECDSA". */
-OPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);
-OPENSSL_EXPORT unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c);
OPENSSL_EXPORT int SSL_get_fd(const SSL *s);
OPENSSL_EXPORT int SSL_get_rfd(const SSL *s);
@@ -1862,7 +1893,15 @@
unsigned int *len);
OPENSSL_EXPORT int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
OPENSSL_EXPORT int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
-OPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *ses);
+
+/* SSL_SESSION_up_ref, if |session| is not NULL, increments the reference count
+ * of |session|. It then returns |session|. */
+OPENSSL_EXPORT SSL_SESSION *SSL_SESSION_up_ref(SSL_SESSION *session);
+
+/* SSL_SESSION_free decrements the reference count of |session|. If it reaches
+ * zero, all data referenced by |session| and |session| itself are released. */
+OPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *session);
+
OPENSSL_EXPORT int SSL_set_session(SSL *to, SSL_SESSION *session);
OPENSSL_EXPORT int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
OPENSSL_EXPORT int SSL_CTX_remove_session(SSL_CTX *, SSL_SESSION *c);
@@ -1968,9 +2007,7 @@
OPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num);
OPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num);
OPENSSL_EXPORT long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
-OPENSSL_EXPORT long SSL_callback_ctrl(SSL *, int, void (*)(void));
OPENSSL_EXPORT long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
-OPENSSL_EXPORT long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
OPENSSL_EXPORT int SSL_get_error(const SSL *s, int ret_code);
/* SSL_get_version returns a string describing the TLS version used by |s|. For
@@ -1980,58 +2017,16 @@
* |sess|. For example, "TLSv1.2" or "SSLv3". */
OPENSSL_EXPORT const char *SSL_SESSION_get_version(const SSL_SESSION *sess);
-OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *c);
-OPENSSL_EXPORT int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *c);
-OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *c);
-OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *c);
-
/* TLS_method is the SSL_METHOD used for TLS (and SSLv3) connections. */
OPENSSL_EXPORT const SSL_METHOD *TLS_method(void);
/* DTLS_method is the SSL_METHOD used for DTLS connections. */
OPENSSL_EXPORT const SSL_METHOD *DTLS_method(void);
-
-/* Deprecated methods. */
-
-/* SSLv23_method calls TLS_method. */
-OPENSSL_EXPORT const SSL_METHOD *SSLv23_method(void);
-
-/* Version-specific methods behave exactly like TLS_method and DTLS_method
- * except they also call SSL_CTX_set_min_version and SSL_CTX_set_max_version to
- * lock connections to that protocol version. */
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);
-
-/* Client- and server-specific methods call their corresponding generic
- * methods. */
-OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLS_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLS_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_client_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void);
-OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void);
-
-
OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
OPENSSL_EXPORT int SSL_do_handshake(SSL *s);
OPENSSL_EXPORT int SSL_renegotiate(SSL *s);
-OPENSSL_EXPORT int SSL_renegotiate_abbreviated(SSL *s);
OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *s);
OPENSSL_EXPORT int SSL_shutdown(SSL *s);
@@ -2055,12 +2050,6 @@
OPENSSL_EXPORT long SSL_get_default_timeout(const SSL *s);
-/* SSL_library_init initializes the crypto and SSL libraries, loads their error
- * strings, and returns one. */
-OPENSSL_EXPORT int SSL_library_init(void);
-
-OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf,
- int size);
OPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
OPENSSL_EXPORT X509 *SSL_get_certificate(const SSL *ssl);
@@ -2122,61 +2111,132 @@
OPENSSL_EXPORT int SSL_get_ex_data_X509_STORE_CTX_idx(void);
-#define SSL_CTX_sess_set_cache_size(ctx, t) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_SIZE, t, NULL)
-#define SSL_CTX_sess_get_cache_size(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_GET_SESS_CACHE_SIZE, 0, NULL)
-#define SSL_CTX_set_session_cache_mode(ctx, m) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_MODE, m, NULL)
-#define SSL_CTX_get_session_cache_mode(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_GET_SESS_CACHE_MODE, 0, NULL)
+/* SSL_CTX_sess_set_cache_size sets the maximum size of |ctx|'s session cache to
+ * |size|. It returns the previous value. */
+OPENSSL_EXPORT unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx,
+ unsigned long size);
-#define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
-#define SSL_CTX_set_default_read_ahead(ctx, m) SSL_CTX_set_read_ahead(ctx, m)
-#define SSL_CTX_get_read_ahead(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_GET_READ_AHEAD, 0, NULL)
-#define SSL_CTX_set_read_ahead(ctx, m) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_READ_AHEAD, m, NULL)
-#define SSL_CTX_get_max_cert_list(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MAX_CERT_LIST, 0, NULL)
-#define SSL_CTX_set_max_cert_list(ctx, m) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_CERT_LIST, m, NULL)
-#define SSL_get_max_cert_list(ssl) \
- SSL_ctrl(ssl, SSL_CTRL_GET_MAX_CERT_LIST, 0, NULL)
-#define SSL_set_max_cert_list(ssl, m) \
- SSL_ctrl(ssl, SSL_CTRL_SET_MAX_CERT_LIST, m, NULL)
+/* SSL_CTX_sess_set_cache_size returns the maximum size of |ctx|'s session
+ * cache. */
+OPENSSL_EXPORT unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx);
-#define SSL_CTX_set_max_send_fragment(ctx, m) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_SEND_FRAGMENT, m, NULL)
-#define SSL_set_max_send_fragment(ssl, m) \
- SSL_ctrl(ssl, SSL_CTRL_SET_MAX_SEND_FRAGMENT, m, NULL)
+/* SSL_SESS_CACHE_* are the possible session cache mode bits.
+ * TODO(davidben): Document. */
+#define SSL_SESS_CACHE_OFF 0x0000
+#define SSL_SESS_CACHE_CLIENT 0x0001
+#define SSL_SESS_CACHE_SERVER 0x0002
+#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER)
+#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
+#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
+#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200
+#define SSL_SESS_CACHE_NO_INTERNAL \
+ (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE)
-/* NB: the keylength is only applicable when is_export is true */
-OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(
- SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength));
+/* SSL_CTX_set_session_cache_mode sets the session cache mode bits for |ctx| to
+ * |mode|. It returns the previous value. */
+OPENSSL_EXPORT int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);
-OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl,
- RSA *(*cb)(SSL *ssl, int is_export,
- int keylength));
+/* SSL_CTX_get_session_cache_mode returns the session cache mode bits for
+ * |ctx| */
+OPENSSL_EXPORT int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx);
+
+/* TODO(davidben): Deprecate read_ahead functions after https://crbug.com/447431
+ * is resolved. */
+OPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx);
+OPENSSL_EXPORT void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes);
+
+/* SSL_CTX_get_max_cert_list returns the maximum length, in bytes, of a peer
+ * certificate chain accepted by |ctx|. */
+OPENSSL_EXPORT size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx);
+
+/* SSL_CTX_set_max_cert_list sets the maximum length, in bytes, of a peer
+ * certificate chain to |max_cert_list|. This affects how much memory may be
+ * consumed during the handshake. */
+OPENSSL_EXPORT void SSL_CTX_set_max_cert_list(SSL_CTX *ctx,
+ size_t max_cert_list);
+
+/* SSL_get_max_cert_list returns the maximum length, in bytes, of a peer
+ * certificate chain accepted by |ssl|. */
+OPENSSL_EXPORT size_t SSL_get_max_cert_list(const SSL *ssl);
+
+/* SSL_set_max_cert_list sets the maximum length, in bytes, of a peer
+ * certificate chain to |max_cert_list|. This affects how much memory may be
+ * consumed during the handshake. */
+OPENSSL_EXPORT void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list);
+
+/* SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records
+ * sent by |ctx|. Beyond this length, handshake messages and application data
+ * will be split into multiple records. */
+OPENSSL_EXPORT void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx,
+ size_t max_send_fragment);
+
+/* SSL_set_max_send_fragment sets the maximum length, in bytes, of records
+ * sent by |ssl|. Beyond this length, handshake messages and application data
+ * will be split into multiple records. */
+OPENSSL_EXPORT void SSL_set_max_send_fragment(SSL *ssl,
+ size_t max_send_fragment);
+
+/* SSL_CTX_set_tmp_dh_callback configures |ctx| to use |callback| to determine
+ * the group for DHE ciphers. |callback| should ignore |is_export| and
+ * |keylength| and return a |DH| of the selected group or NULL on error. Only
+ * the parameters are used, so the |DH| needn't have a generated keypair.
+ *
+ * WARNING: The caller does not take ownership of the resulting |DH|, so
+ * |callback| must save and release the object elsewhere. */
OPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback(
- SSL_CTX *ctx, DH *(*dh)(SSL *ssl, int is_export, int keylength));
+ SSL_CTX *ctx, DH *(*callback)(SSL *ssl, int is_export, int keylength));
+
+/* SSL_set_tmp_dh_callback configures |ssl| to use |callback| to determine the
+ * group for DHE ciphers. |callback| should ignore |is_export| and |keylength|
+ * and return a |DH| of the selected group or NULL on error. Only the
+ * parameters are used, so the |DH| needn't have a generated keypair.
+ *
+ * WARNING: The caller does not take ownership of the resulting |DH|, so
+ * |callback| must save and release the object elsewhere. */
OPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl,
DH *(*dh)(SSL *ssl, int is_export,
int keylength));
+
+/* SSL_CTX_set_tmp_ecdh_callback configures |ctx| to use |callback| to determine
+ * the curve for ephemeral ECDH keys. |callback| should ignore |is_export| and
+ * |keylength| and return an |EC_KEY| of the selected curve or NULL on
+ * error. Only the curve is used, so the |EC_KEY| needn't have a generated
+ * keypair.
+ *
+ * If the callback is unset, an appropriate curve will be chosen automatically.
+ * (This is recommended.)
+ *
+ * WARNING: The caller does not take ownership of the resulting |EC_KEY|, so
+ * |callback| must save and release the object elsewhere. */
OPENSSL_EXPORT void SSL_CTX_set_tmp_ecdh_callback(
- SSL_CTX *ctx, EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
+ SSL_CTX *ctx, EC_KEY *(*callback)(SSL *ssl, int is_export, int keylength));
+
+/* SSL_set_tmp_ecdh_callback configures |ssl| to use |callback| to determine the
+ * curve for ephemeral ECDH keys. |callback| should ignore |is_export| and
+ * |keylength| and return an |EC_KEY| of the selected curve or NULL on
+ * error. Only the curve is used, so the |EC_KEY| needn't have a generated
+ * keypair.
+ *
+ * If the callback is unset, an appropriate curve will be chosen automatically.
+ * (This is recommended.)
+ *
+ * WARNING: The caller does not take ownership of the resulting |EC_KEY|, so
+ * |callback| must save and release the object elsewhere. */
OPENSSL_EXPORT void SSL_set_tmp_ecdh_callback(
- SSL *ssl, EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength));
+ SSL *ssl, EC_KEY *(*callback)(SSL *ssl, int is_export, int keylength));
OPENSSL_EXPORT const void *SSL_get_current_compression(SSL *s);
OPENSSL_EXPORT const void *SSL_get_current_expansion(SSL *s);
-OPENSSL_EXPORT const char *SSL_COMP_get_name(const void *comp);
-OPENSSL_EXPORT void *SSL_COMP_get_compression_methods(void);
-OPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, void *cm);
OPENSSL_EXPORT int SSL_cache_hit(SSL *s);
OPENSSL_EXPORT int SSL_is_server(SSL *s);
+/* SSL_CTX_set_dos_protection_cb sets a callback that is called once the
+ * resumption decision for a ClientHello has been made. It can return 1 to
+ * allow the handshake to continue or zero to cause the handshake to abort. */
+OPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb(
+ SSL_CTX *ctx, int (*cb)(const struct ssl_early_callback_ctx *));
+
/* SSL_get_structure_sizes returns the sizes of the SSL, SSL_CTX and
* SSL_SESSION structures so that a test can ensure that outside code agrees on
* these values. */
@@ -2186,6 +2246,130 @@
OPENSSL_EXPORT void ERR_load_SSL_strings(void);
+/* SSL_get_rc4_state sets |*read_key| and |*write_key| to the RC4 states for
+ * the read and write directions. It returns one on success or zero if |ssl|
+ * isn't using an RC4-based cipher suite. */
+OPENSSL_EXPORT int SSL_get_rc4_state(const SSL *ssl, const RC4_KEY **read_key,
+ const RC4_KEY **write_key);
+
+
+/* Deprecated functions. */
+
+/* SSL_CIPHER_description writes a description of |cipher| into |buf| and
+ * returns |buf|. If |buf| is NULL, it returns a newly allocated string, to be
+ * freed with |OPENSSL_free|, or NULL on error.
+ *
+ * The description includes a trailing newline and has the form:
+ * AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
+ *
+ * Consider |SSL_CIPHER_get_name| or |SSL_CIPHER_get_rfc_name| instead. */
+OPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher,
+ char *buf, int len);
+
+/* SSL_CIPHER_get_version returns the string "TLSv1/SSLv3". */
+OPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
+
+/* SSL_COMP_get_compression_methods returns NULL. */
+OPENSSL_EXPORT void *SSL_COMP_get_compression_methods(void);
+
+/* SSL_COMP_add_compression_method returns one. */
+OPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, void *cm);
+
+/* SSL_COMP_get_name returns NULL. */
+OPENSSL_EXPORT const char *SSL_COMP_get_name(const void *comp);
+
+/* SSLv23_method calls |TLS_method|. */
+OPENSSL_EXPORT const SSL_METHOD *SSLv23_method(void);
+
+/* Version-specific methods behave exactly like |TLS_method| and |DTLS_method|
+ * except they also call |SSL_CTX_set_min_version| and |SSL_CTX_set_max_version|
+ * to lock connections to that protocol version. */
+OPENSSL_EXPORT const SSL_METHOD *SSLv3_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);
+
+/* Client- and server-specific methods call their corresponding generic
+ * methods. */
+OPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *SSLv3_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *SSLv3_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_1_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *TLSv1_2_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLS_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLS_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_client_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void);
+OPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void);
+
+/* SSL_CTX_set_tmp_rsa_callback does nothing. */
+OPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(
+ SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength));
+
+/* SSL_set_tmp_rsa_callback does nothing. */
+OPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl,
+ RSA *(*cb)(SSL *ssl, int is_export,
+ int keylength));
+
+/* SSL_CTX_sess_connect returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_connect(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_connect_good returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_connect_good(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_connect_renegotiate returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_accept returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_accept(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_accept_renegotiate returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_accept_good returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_accept_good(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_hits returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_hits(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_cb_hits returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_misses returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_misses(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_timeouts returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_timeouts(const SSL_CTX *ctx);
+
+/* SSL_CTX_sess_cache_full returns zero. */
+OPENSSL_EXPORT int SSL_CTX_sess_cache_full(const SSL_CTX *ctx);
+
+/* SSL_cutthrough_complete calls |SSL_in_false_start|. */
+OPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *s);
+
+/* SSL_num_renegotiations calls |SSL_total_renegotiations|. */
+OPENSSL_EXPORT int SSL_num_renegotiations(const SSL *ssl);
+
+/* SSL_CTX_need_tmp_RSA returns zero. */
+OPENSSL_EXPORT int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx);
+
+/* SSL_need_tmp_RSA returns zero. */
+OPENSSL_EXPORT int SSL_need_tmp_RSA(const SSL *ssl);
+
+/* SSL_CTX_set_tmp_rsa returns one. */
+OPENSSL_EXPORT int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa);
+
+/* SSL_set_tmp_rsa returns one. */
+OPENSSL_EXPORT int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa);
+
/* Android compatibility section.
*
@@ -2201,530 +2385,483 @@
OPENSSL_EXPORT int SSL_set_session_ticket_ext_cb(SSL *s, void *cb, void *arg);
OPENSSL_EXPORT int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
+#define OPENSSL_VERSION_TEXT "BoringSSL"
-#ifdef __cplusplus
-}
+#define SSLEAY_VERSION 0
+
+/* SSLeay_version is a compatibility function that returns the string
+ * "BoringSSL". */
+OPENSSL_EXPORT const char *SSLeay_version(int unused);
+
+
+/* Preprocessor compatibility section.
+ *
+ * Historically, a number of APIs were implemented in OpenSSL as macros and
+ * constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this
+ * section defines a number of legacy macros. */
+
+#define SSL_CTRL_NEED_TMP_RSA doesnt_exist
+#define SSL_CTRL_SET_TMP_RSA doesnt_exist
+#define SSL_CTRL_SET_TMP_DH doesnt_exist
+#define SSL_CTRL_SET_TMP_ECDH doesnt_exist
+#define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist
+#define SSL_CTRL_SET_TMP_DH_CB doesnt_exist
+#define SSL_CTRL_SET_TMP_ECDH_CB doesnt_exist
+#define SSL_CTRL_GET_SESSION_REUSED doesnt_exist
+#define SSL_CTRL_GET_NUM_RENEGOTIATIONS doesnt_exist
+#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS doesnt_exist
+#define SSL_CTRL_SET_MSG_CALLBACK doesnt_exist
+#define SSL_CTRL_SET_MSG_CALLBACK_ARG doesnt_exist
+#define SSL_CTRL_SET_MTU doesnt_exist
+#define SSL_CTRL_SESS_NUMBER doesnt_exist
+#define SSL_CTRL_OPTIONS doesnt_exist
+#define SSL_CTRL_MODE doesnt_exist
+#define SSL_CTRL_GET_READ_AHEAD doesnt_exist
+#define SSL_CTRL_SET_READ_AHEAD doesnt_exist
+#define SSL_CTRL_SET_SESS_CACHE_SIZE doesnt_exist
+#define SSL_CTRL_GET_SESS_CACHE_SIZE doesnt_exist
+#define SSL_CTRL_SET_SESS_CACHE_MODE doesnt_exist
+#define SSL_CTRL_GET_SESS_CACHE_MODE doesnt_exist
+#define SSL_CTRL_GET_MAX_CERT_LIST doesnt_exist
+#define SSL_CTRL_SET_MAX_CERT_LIST doesnt_exist
+#define SSL_CTRL_SET_MAX_SEND_FRAGMENT doesnt_exist
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB doesnt_exist
+#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG doesnt_exist
+#define SSL_CTRL_SET_TLSEXT_HOSTNAME doesnt_exist
+#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB doesnt_exist
+#define DTLS_CTRL_GET_TIMEOUT doesnt_exist
+#define DTLS_CTRL_HANDLE_TIMEOUT doesnt_exist
+#define SSL_CTRL_GET_RI_SUPPORT doesnt_exist
+#define SSL_CTRL_CLEAR_OPTIONS doesnt_exist
+#define SSL_CTRL_CLEAR_MODE doesnt_exist
+#define SSL_CTRL_CHANNEL_ID doesnt_exist
+#define SSL_CTRL_GET_CHANNEL_ID doesnt_exist
+#define SSL_CTRL_SET_CHANNEL_ID doesnt_exist
+
+#define SSL_CTX_need_tmp_RSA SSL_CTX_need_tmp_RSA
+#define SSL_need_tmp_RSA SSL_need_tmp_RSA
+#define SSL_CTX_set_tmp_rsa SSL_CTX_set_tmp_rsa
+#define SSL_set_tmp_rsa SSL_set_tmp_rsa
+#define SSL_CTX_set_tmp_dh SSL_CTX_set_tmp_dh
+#define SSL_set_tmp_dh SSL_set_tmp_dh
+#define SSL_CTX_set_tmp_ecdh SSL_CTX_set_tmp_ecdh
+#define SSL_set_tmp_ecdh SSL_set_tmp_ecdh
+#define SSL_session_reused SSL_session_reused
+#define SSL_num_renegotiations SSL_num_renegotiations
+#define SSL_total_renegotiations SSL_total_renegotiations
+#define SSL_CTX_set_msg_callback_arg SSL_CTX_set_msg_callback_arg
+#define SSL_set_msg_callback_arg SSL_set_msg_callback_arg
+#define SSL_set_mtu SSL_set_mtu
+#define SSL_CTX_sess_number SSL_CTX_sess_number
+#define SSL_CTX_get_options SSL_CTX_get_options
+#define SSL_CTX_set_options SSL_CTX_set_options
+#define SSL_get_options SSL_get_options
+#define SSL_set_options SSL_set_options
+#define SSL_CTX_get_mode SSL_CTX_get_mode
+#define SSL_CTX_set_mode SSL_CTX_set_mode
+#define SSL_get_mode SSL_get_mode
+#define SSL_set_mode SSL_set_mode
+#define SSL_CTX_get_read_ahead SSL_CTX_get_read_ahead
+#define SSL_CTX_set_read_ahead SSL_CTX_set_read_ahead
+#define SSL_CTX_sess_set_cache_size SSL_CTX_sess_set_cache_size
+#define SSL_CTX_sess_get_cache_size SSL_CTX_sess_get_cache_size
+#define SSL_CTX_set_session_cache_mode SSL_CTX_set_session_cache_mode
+#define SSL_CTX_get_session_cache_mode SSL_CTX_get_session_cache_mode
+#define SSL_CTX_get_max_cert_list SSL_CTX_get_max_cert_list
+#define SSL_get_max_cert_list SSL_get_max_cert_list
+#define SSL_CTX_set_max_cert_list SSL_CTX_set_max_cert_list
+#define SSL_set_max_cert_list SSL_set_max_cert_list
+#define SSL_CTX_set_max_send_fragment SSL_CTX_set_max_send_fragment
+#define SSL_set_max_send_fragment SSL_set_max_send_fragment
+#define SSL_CTX_set_tlsext_servername_callback \
+ SSL_CTX_set_tlsext_servername_callback
+#define SSL_CTX_set_tlsext_servername_arg SSL_CTX_set_tlsext_servername_arg
+#define SSL_set_tlsext_host_name SSL_set_tlsext_host_name
+#define SSL_CTX_set_tlsext_ticket_key_cb SSL_CTX_set_tlsext_ticket_key_cb
+#define DTLSv1_get_timeout DTLSv1_get_timeout
+#define DTLSv1_handle_timeout DTLSv1_handle_timeout
+#define SSL_get_secure_renegotiation_support \
+ SSL_get_secure_renegotiation_support
+#define SSL_CTX_clear_options SSL_CTX_clear_options
+#define SSL_clear_options SSL_clear_options
+#define SSL_CTX_clear_mode SSL_CTX_clear_mode
+#define SSL_clear_mode SSL_clear_mode
+#define SSL_CTX_enable_tls_channel_id SSL_CTX_enable_tls_channel_id
+#define SSL_enable_tls_channel_id SSL_enable_tls_channel_id
+#define SSL_set1_tls_channel_id SSL_set1_tls_channel_id
+#define SSL_CTX_set1_tls_channel_id SSL_CTX_set1_tls_channel_id
+#define SSL_get_tls_channel_id SSL_get_tls_channel_id
+
+
+#if defined(__cplusplus)
+} /* extern C */
#endif
+
+/* Library consumers assume these headers are included by ssl.h, but they depend
+ * on ssl.h, so include them after all declarations.
+ *
+ * TODO(davidben): The separation between ssl.h and these version-specific
+ * headers introduces circular dependencies and is inconsistent. The function
+ * declarations should move to ssl.h. Many of the constants can probably be
+ * pruned or unexported. */
+#include <openssl/ssl2.h>
+#include <openssl/ssl3.h>
+#include <openssl/tls1.h> /* This is mostly sslv3 with a few tweaks */
+#include <openssl/ssl23.h>
+#include <openssl/srtp.h> /* Support for the use_srtp extension */
+
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script make_errors.go. Any
* changes made after this point may be overwritten when the script is next run.
*/
-#define SSL_F_SSL_use_PrivateKey_file 100
-#define SSL_F_dtls1_write_app_data_bytes 101
-#define SSL_F_ssl_cipher_process_rulestr 102
-#define SSL_F_SSL_set_session_id_context 103
-#define SSL_F_SSL_read 104
-#define SSL_F_ssl_cert_new 105
-#define SSL_F_dtls1_heartbeat 106
-#define SSL_F_ssl3_digest_cached_records 107
-#define SSL_F_SSL_set_wfd 108
-#define SSL_F_ssl_set_pkey 110
+#define SSL_F_SSL_CTX_check_private_key 100
+#define SSL_F_SSL_CTX_new 101
+#define SSL_F_SSL_CTX_set_cipher_list 102
+#define SSL_F_SSL_CTX_set_cipher_list_tls11 103
+#define SSL_F_SSL_CTX_set_session_id_context 104
+#define SSL_F_SSL_CTX_use_PrivateKey 105
+#define SSL_F_SSL_CTX_use_PrivateKey_ASN1 106
+#define SSL_F_SSL_CTX_use_PrivateKey_file 107
+#define SSL_F_SSL_CTX_use_RSAPrivateKey 108
+#define SSL_F_SSL_CTX_use_RSAPrivateKey_ASN1 109
+#define SSL_F_SSL_CTX_use_RSAPrivateKey_file 110
#define SSL_F_SSL_CTX_use_certificate 111
-#define SSL_F_dtls1_read_bytes 112
-#define SSL_F_ssl23_write 113
-#define SSL_F_ssl3_check_client_hello 114
-#define SSL_F_SSL_use_certificate_ASN1 115
-#define SSL_F_ssl_verify_cert_chain 116
-#define SSL_F_ssl_parse_serverhello_renegotiate_ext 117
-#define SSL_F_ssl_undefined_const_function 118
-#define SSL_F_ssl3_get_server_certificate 119
-#define SSL_F_tls1_get_server_supplemental_data 120
-#define SSL_F_dtls1_buffer_record 121
-#define SSL_F_ssl_prepare_clienthello_tlsext 122
-#define SSL_F_ssl3_get_server_hello 123
-#define SSL_F_ssl3_send_client_key_exchange 124
-#define SSL_F_ssl3_write_bytes 125
-#define SSL_F_SSL_use_RSAPrivateKey_file 126
-#define SSL_F_ssl_bad_method 127
-#define SSL_F_ssl3_connect 128
-#define SSL_F_dtls1_connect 129
-#define SSL_F_SSL_use_RSAPrivateKey 130
-#define SSL_F_tls1_prf 131
-#define SSL_F_ssl_bytes_to_cipher_list 132
-#define SSL_F_ssl3_do_change_cipher_spec 133
-#define SSL_F_SSL_SESSION_set1_id_context 134
-#define SSL_F_ssl_add_serverhello_tlsext 135
-#define SSL_F_read_authz 136
-#define SSL_F_ssl3_get_client_hello 137
-#define SSL_F_ssl3_get_certificate_request 138
-#define SSL_F_authz_find_data 139
-#define SSL_F_ssl_add_cert_to_buf 140
-#define SSL_F_ssl_add_serverhello_renegotiate_ext 141
-#define SSL_F_ssl3_get_message 142
-#define SSL_F_ssl_check_srvr_ecc_cert_and_alg 143
-#define SSL_F_ssl_parse_clienthello_tlsext 144
-#define SSL_F_SSL_add_file_cert_subjects_to_stack 145
-#define SSL_F_ssl3_ctx_ctrl 146
-#define SSL_F_ssl3_get_record 147
-#define SSL_F_SSL_CTX_use_RSAPrivateKey 148
-#define SSL_F_SSL_use_certificate_file 149
-#define SSL_F_SSL_load_client_CA_file 151
-#define SSL_F_dtls1_preprocess_fragment 152
-#define SSL_F_SSL_CTX_check_private_key 153
-#define SSL_F_ssl3_get_cert_status 154
-#define SSL_F_printf 155
-#define SSL_F_SSL_CTX_new 156
-#define SSL_F_ssl23_accept 157
-#define SSL_F_SSL_use_authz 158
-#define SSL_F_ssl_undefined_function 159
-#define SSL_F_dtls1_send_hello_verify_request 160
-#define SSL_F_ssl_build_cert_chain 161
-#define SSL_F_SSL_SESSION_print_fp 162
-#define SSL_F_tls1_change_cipher_state 163
-#define SSL_F_tls12_check_peer_sigalg 164
-#define SSL_F_ssl_sess_cert_new 165
-#define SSL_F_ssl3_read_bytes 166
-#define SSL_F_dtls1_get_hello_verify 167
-#define SSL_F_tls1_cert_verify_mac 168
-#define SSL_F_ssl23_client_hello 169
-#define SSL_F_SSL_shutdown 170
-#define SSL_F_ssl_init_wbio_buffer 171
-#define SSL_F_SSL_use_certificate 172
-#define SSL_F_SSL_CTX_use_RSAPrivateKey_ASN1 173
-#define SSL_F_ssl_set_authz 174
-#define SSL_F_ssl23_peek 175
-#define SSL_F_SSL_use_psk_identity_hint 176
-#define SSL_F_ssl3_get_cert_verify 177
-#define SSL_F_ssl_ctx_make_profiles 178
-#define SSL_F_ssl_add_clienthello_use_srtp_ext 179
-#define SSL_F_ssl3_get_client_key_exchange 180
-#define SSL_F_do_ssl3_write 181
-#define SSL_F_ssl3_handshake_mac 182
-#define SSL_F_tls1_setup_key_block 183
-#define SSL_F_SSL_set_fd 184
-#define SSL_F_SSL_check_private_key 185
-#define SSL_F_ssl3_send_cert_verify 186
-#define SSL_F_ssl3_write_pending 187
-#define SSL_F_ssl_cert_inst 188
-#define SSL_F_ssl3_change_cipher_state 189
-#define SSL_F_ssl23_get_server_hello 190
-#define SSL_F_SSL_write 191
-#define SSL_F_ssl_get_sign_pkey 192
-#define SSL_F_ssl_set_cert 193
-#define SSL_F_SSL_CTX_use_RSAPrivateKey_file 194
-#define SSL_F_SSL_CTX_use_authz 195
-#define SSL_F_ssl_get_new_session 196
-#define SSL_F_SSL_set_session_ticket_ext 197
-#define SSL_F_ssl_add_clienthello_renegotiate_ext 198
-#define SSL_F_ssl3_send_server_key_exchange 199
-#define SSL_F_fprintf 200
-#define SSL_F_ssl3_get_new_session_ticket 201
-#define SSL_F_SSL_CTX_use_certificate_ASN1 202
-#define SSL_F_ssl_add_cert_chain 203
-#define SSL_F_ssl_create_cipher_list 204
-#define SSL_F_ssl3_callback_ctrl 205
-#define SSL_F_SSL_CTX_set_cipher_list 206
-#define SSL_F_ssl3_send_certificate_request 207
-#define SSL_F_SSL_use_PrivateKey_ASN1 208
-#define SSL_F_SSL_CTX_use_certificate_chain_file 209
-#define SSL_F_SSL_SESSION_new 210
-#define SSL_F_check_suiteb_cipher_list 211
-#define SSL_F_ssl_scan_clienthello_tlsext 212
-#define SSL_F_ssl3_send_client_hello 213
-#define SSL_F_SSL_use_RSAPrivateKey_ASN1 214
-#define SSL_F_ssl3_ctrl 215
-#define SSL_F_ssl3_setup_write_buffer 216
-#define SSL_F_ssl_parse_serverhello_use_srtp_ext 217
-#define SSL_F_ssl3_get_server_key_exchange 218
-#define SSL_F_ssl3_send_server_hello 219
-#define SSL_F_SSL_add_dir_cert_subjects_to_stack 220
-#define SSL_F_ssl_check_serverhello_tlsext 221
-#define SSL_F_ssl3_get_server_done 222
-#define SSL_F_ssl3_check_cert_and_algorithm 223
-#define SSL_F_do_dtls1_write 224
-#define SSL_F_dtls1_check_timeout_num 225
-#define SSL_F_tls1_export_keying_material 226
-#define SSL_F_SSL_CTX_set_session_id_context 227
-#define SSL_F_SSL_set_rfd 228
-#define SSL_F_ssl3_send_client_certificate 229
-#define SSL_F_ssl_cert_dup 230
-#define SSL_F_dtls1_process_record 231
-#define SSL_F_ssl_new 232
-#define SSL_F_ssl_get_server_cert_index 233
-#define SSL_F_tls1_send_server_supplemental_data 234
-#define SSL_F_D2I_SSL_SESSION 235
-#define SSL_F_ssl_cipher_strength_sort 236
-#define SSL_F_dtls1_get_message 237
-#define SSL_F_ssl23_connect 238
-#define SSL_F_tls1_heartbeat 239
-#define SSL_F_ssl3_read_n 240
-#define SSL_F_ssl_get_prev_session 241
-#define SSL_F_ssl_parse_clienthello_renegotiate_ext 242
-#define SSL_F_ssl3_setup_read_buffer 243
-#define SSL_F_SSL_CTX_set_ssl_version 244
-#define SSL_F_SSL_peek 245
-#define SSL_F_ssl3_send_server_certificate 246
-#define SSL_F_SSL_do_handshake 247
-#define SSL_F_ssl_undefined_void_function 248
-#define SSL_F_ssl_add_serverhello_use_srtp_ext 249
-#define SSL_F_fclose 250
-#define SSL_F_SSL_use_PrivateKey 251
-#define SSL_F_SSL_CTX_use_certificate_file 252
-#define SSL_F_SSL_CTX_use_PrivateKey 253
-#define SSL_F_SSL_set_session 254
-#define SSL_F_SSL_CTX_use_psk_identity_hint 255
-#define SSL_F_ssl_scan_serverhello_tlsext 256
-#define SSL_F_ssl23_read 257
-#define SSL_F_ssl_parse_clienthello_use_srtp_ext 258
-#define SSL_F_ssl3_accept 259
-#define SSL_F_ssl3_get_client_certificate 260
-#define SSL_F_SSL_CTX_use_PrivateKey_ASN1 261
-#define SSL_F_dtls1_get_message_fragment 262
-#define SSL_F_SSL_clear 263
-#define SSL_F_dtls1_accept 264
-#define SSL_F_ssl3_get_next_proto 265
-#define SSL_F_SSL_set_cipher_list 266
-#define SSL_F_ssl_add_clienthello_tlsext 267
-#define SSL_F_ssl23_get_client_hello 268
-#define SSL_F_SSL_CTX_use_PrivateKey_file 269
-#define SSL_F_ssl3_get_finished 270
-#define SSL_F_ssl3_generate_key_block 271
-#define SSL_F_ssl3_setup_key_block 272
-#define SSL_F_SSL_new 273
-#define SSL_F_ssl_parse_serverhello_tlsext 274
-#define SSL_F_ssl3_get_channel_id 275
-#define SSL_F_ssl3_send_channel_id 276
-#define SSL_F_SSL_CTX_set_cipher_list_tls11 277
-#define SSL_F_tls1_change_cipher_state_cipher 278
-#define SSL_F_tls1_change_cipher_state_aead 279
-#define SSL_F_tls1_aead_ctx_init 280
-#define SSL_F_tls1_check_duplicate_extensions 281
-#define SSL_F_ssl3_expect_change_cipher_spec 282
-#define SSL_F_ssl23_get_v2_client_hello 283
-#define SSL_F_ssl3_cert_verify_hash 284
-#define SSL_F_ssl_ctx_log_rsa_client_key_exchange 285
-#define SSL_F_ssl_ctx_log_master_secret 286
-#define SSL_F_d2i_SSL_SESSION 287
-#define SSL_F_i2d_SSL_SESSION 288
-#define SSL_F_d2i_SSL_SESSION_get_octet_string 289
-#define SSL_F_d2i_SSL_SESSION_get_string 290
-#define SSL_F_ssl3_send_new_session_ticket 291
-#define SSL_F_SSL_SESSION_to_bytes_full 292
-#define SSL_F_SSL_accept 293
-#define SSL_F_SSL_connect 294
-#define SSL_F_ssl3_get_v2_client_hello 295
-#define SSL_F_ssl3_get_initial_bytes 296
-#define SSL_F_tls1_enc 297
-#define SSL_F_ssl3_prf 298
-#define SSL_F_dtls1_do_write 299
-#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 100
-#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 101
-#define SSL_R_INVALID_NULL_CMD_NAME 102
-#define SSL_R_BAD_RSA_DECRYPT 103
-#define SSL_R_NO_SHARED_CIPHER 104
-#define SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH 105
-#define SSL_R_SSL_HANDSHAKE_FAILURE 106
-#define SSL_R_INVALID_TICKET_KEYS_LENGTH 107
-#define SSL_R_PEER_ERROR 108
-#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 109
-#define SSL_R_INCONSISTENT_COMPRESSION 110
+#define SSL_F_SSL_CTX_use_certificate_ASN1 112
+#define SSL_F_SSL_CTX_use_certificate_chain_file 113
+#define SSL_F_SSL_CTX_use_certificate_file 114
+#define SSL_F_SSL_CTX_use_psk_identity_hint 115
+#define SSL_F_SSL_SESSION_new 116
+#define SSL_F_SSL_SESSION_print_fp 117
+#define SSL_F_SSL_SESSION_set1_id_context 118
+#define SSL_F_SSL_SESSION_to_bytes_full 119
+#define SSL_F_SSL_accept 120
+#define SSL_F_SSL_add_dir_cert_subjects_to_stack 121
+#define SSL_F_SSL_add_file_cert_subjects_to_stack 122
+#define SSL_F_SSL_check_private_key 123
+#define SSL_F_SSL_clear 124
+#define SSL_F_SSL_connect 125
+#define SSL_F_SSL_do_handshake 126
+#define SSL_F_SSL_load_client_CA_file 127
+#define SSL_F_SSL_new 128
+#define SSL_F_SSL_peek 129
+#define SSL_F_SSL_read 130
+#define SSL_F_SSL_renegotiate 131
+#define SSL_F_SSL_set_cipher_list 132
+#define SSL_F_SSL_set_fd 133
+#define SSL_F_SSL_set_rfd 134
+#define SSL_F_SSL_set_session_id_context 135
+#define SSL_F_SSL_set_wfd 136
+#define SSL_F_SSL_shutdown 137
+#define SSL_F_SSL_use_PrivateKey 138
+#define SSL_F_SSL_use_PrivateKey_ASN1 139
+#define SSL_F_SSL_use_PrivateKey_file 140
+#define SSL_F_SSL_use_RSAPrivateKey 141
+#define SSL_F_SSL_use_RSAPrivateKey_ASN1 142
+#define SSL_F_SSL_use_RSAPrivateKey_file 143
+#define SSL_F_SSL_use_certificate 144
+#define SSL_F_SSL_use_certificate_ASN1 145
+#define SSL_F_SSL_use_certificate_file 146
+#define SSL_F_SSL_use_psk_identity_hint 147
+#define SSL_F_SSL_write 148
+#define SSL_F_d2i_SSL_SESSION 149
+#define SSL_F_d2i_SSL_SESSION_get_octet_string 150
+#define SSL_F_d2i_SSL_SESSION_get_string 151
+#define SSL_F_do_ssl3_write 152
+#define SSL_F_dtls1_accept 153
+#define SSL_F_dtls1_buffer_record 154
+#define SSL_F_dtls1_check_timeout_num 155
+#define SSL_F_dtls1_connect 156
+#define SSL_F_dtls1_do_write 157
+#define SSL_F_dtls1_get_hello_verify 158
+#define SSL_F_dtls1_get_message 159
+#define SSL_F_dtls1_get_message_fragment 160
+#define SSL_F_dtls1_preprocess_fragment 161
+#define SSL_F_dtls1_process_record 162
+#define SSL_F_dtls1_read_bytes 163
+#define SSL_F_dtls1_send_hello_verify_request 164
+#define SSL_F_dtls1_write_app_data_bytes 165
+#define SSL_F_i2d_SSL_SESSION 166
+#define SSL_F_ssl3_accept 167
+#define SSL_F_ssl3_cert_verify_hash 169
+#define SSL_F_ssl3_check_cert_and_algorithm 170
+#define SSL_F_ssl3_connect 171
+#define SSL_F_ssl3_ctrl 172
+#define SSL_F_ssl3_ctx_ctrl 173
+#define SSL_F_ssl3_digest_cached_records 174
+#define SSL_F_ssl3_do_change_cipher_spec 175
+#define SSL_F_ssl3_expect_change_cipher_spec 176
+#define SSL_F_ssl3_get_cert_status 177
+#define SSL_F_ssl3_get_cert_verify 178
+#define SSL_F_ssl3_get_certificate_request 179
+#define SSL_F_ssl3_get_channel_id 180
+#define SSL_F_ssl3_get_client_certificate 181
+#define SSL_F_ssl3_get_client_hello 182
+#define SSL_F_ssl3_get_client_key_exchange 183
+#define SSL_F_ssl3_get_finished 184
+#define SSL_F_ssl3_get_initial_bytes 185
+#define SSL_F_ssl3_get_message 186
+#define SSL_F_ssl3_get_new_session_ticket 187
+#define SSL_F_ssl3_get_next_proto 188
+#define SSL_F_ssl3_get_record 189
+#define SSL_F_ssl3_get_server_certificate 190
+#define SSL_F_ssl3_get_server_done 191
+#define SSL_F_ssl3_get_server_hello 192
+#define SSL_F_ssl3_get_server_key_exchange 193
+#define SSL_F_ssl3_get_v2_client_hello 194
+#define SSL_F_ssl3_handshake_mac 195
+#define SSL_F_ssl3_prf 196
+#define SSL_F_ssl3_read_bytes 197
+#define SSL_F_ssl3_read_n 198
+#define SSL_F_ssl3_send_cert_verify 199
+#define SSL_F_ssl3_send_certificate_request 200
+#define SSL_F_ssl3_send_channel_id 201
+#define SSL_F_ssl3_send_client_certificate 202
+#define SSL_F_ssl3_send_client_hello 203
+#define SSL_F_ssl3_send_client_key_exchange 204
+#define SSL_F_ssl3_send_server_certificate 205
+#define SSL_F_ssl3_send_server_hello 206
+#define SSL_F_ssl3_send_server_key_exchange 207
+#define SSL_F_ssl3_setup_read_buffer 208
+#define SSL_F_ssl3_setup_write_buffer 209
+#define SSL_F_ssl3_write_bytes 210
+#define SSL_F_ssl3_write_pending 211
+#define SSL_F_ssl_add_cert_chain 212
+#define SSL_F_ssl_add_cert_to_buf 213
+#define SSL_F_ssl_add_clienthello_renegotiate_ext 214
+#define SSL_F_ssl_add_clienthello_tlsext 215
+#define SSL_F_ssl_add_clienthello_use_srtp_ext 216
+#define SSL_F_ssl_add_serverhello_renegotiate_ext 217
+#define SSL_F_ssl_add_serverhello_tlsext 218
+#define SSL_F_ssl_add_serverhello_use_srtp_ext 219
+#define SSL_F_ssl_build_cert_chain 220
+#define SSL_F_ssl_bytes_to_cipher_list 221
+#define SSL_F_ssl_cert_dup 222
+#define SSL_F_ssl_cert_inst 223
+#define SSL_F_ssl_cert_new 224
+#define SSL_F_ssl_check_serverhello_tlsext 225
+#define SSL_F_ssl_check_srvr_ecc_cert_and_alg 226
+#define SSL_F_ssl_cipher_process_rulestr 227
+#define SSL_F_ssl_cipher_strength_sort 228
+#define SSL_F_ssl_create_cipher_list 229
+#define SSL_F_ssl_ctx_log_master_secret 230
+#define SSL_F_ssl_ctx_log_rsa_client_key_exchange 231
+#define SSL_F_ssl_ctx_make_profiles 232
+#define SSL_F_ssl_get_new_session 233
+#define SSL_F_ssl_get_prev_session 234
+#define SSL_F_ssl_get_server_cert_index 235
+#define SSL_F_ssl_get_sign_pkey 236
+#define SSL_F_ssl_init_wbio_buffer 237
+#define SSL_F_ssl_parse_clienthello_renegotiate_ext 238
+#define SSL_F_ssl_parse_clienthello_tlsext 239
+#define SSL_F_ssl_parse_clienthello_use_srtp_ext 240
+#define SSL_F_ssl_parse_serverhello_renegotiate_ext 241
+#define SSL_F_ssl_parse_serverhello_tlsext 242
+#define SSL_F_ssl_parse_serverhello_use_srtp_ext 243
+#define SSL_F_ssl_scan_clienthello_tlsext 244
+#define SSL_F_ssl_scan_serverhello_tlsext 245
+#define SSL_F_ssl_sess_cert_new 246
+#define SSL_F_ssl_set_cert 247
+#define SSL_F_ssl_set_pkey 248
+#define SSL_F_ssl_verify_cert_chain 252
+#define SSL_F_tls12_check_peer_sigalg 253
+#define SSL_F_tls1_aead_ctx_init 254
+#define SSL_F_tls1_cert_verify_mac 255
+#define SSL_F_tls1_change_cipher_state 256
+#define SSL_F_tls1_change_cipher_state_aead 257
+#define SSL_F_tls1_check_duplicate_extensions 258
+#define SSL_F_tls1_enc 259
+#define SSL_F_tls1_export_keying_material 260
+#define SSL_F_tls1_prf 261
+#define SSL_F_tls1_setup_key_block 262
+#define SSL_F_dtls1_get_buffered_message 263
+#define SSL_F_dtls1_process_fragment 264
+#define SSL_F_dtls1_hm_fragment_new 265
+#define SSL_F_ssl3_seal_record 266
+#define SSL_F_ssl3_record_sequence_update 267
+#define SSL_F_SSL_CTX_set_tmp_dh 268
+#define SSL_F_SSL_CTX_set_tmp_ecdh 269
+#define SSL_F_SSL_set_tmp_dh 270
+#define SSL_F_SSL_set_tmp_ecdh 271
+#define SSL_F_SSL_CTX_set1_tls_channel_id 272
+#define SSL_F_SSL_set1_tls_channel_id 273
+#define SSL_F_SSL_set_tlsext_host_name 274
+#define SSL_F_ssl3_output_cert_chain 275
+#define SSL_R_APP_DATA_IN_HANDSHAKE 100
+#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101
+#define SSL_R_BAD_ALERT 102
+#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
+#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 104
+#define SSL_R_BAD_DH_P_LENGTH 105
+#define SSL_R_BAD_DIGEST_LENGTH 106
+#define SSL_R_BAD_ECC_CERT 107
+#define SSL_R_BAD_ECPOINT 108
+#define SSL_R_BAD_HANDSHAKE_LENGTH 109
+#define SSL_R_BAD_HANDSHAKE_RECORD 110
#define SSL_R_BAD_HELLO_REQUEST 111
-#define SSL_R_NULL_SSL_METHOD_PASSED 112
-#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 113
-#define SSL_R_BAD_ECDSA_SIGNATURE 114
-#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 115
-#define SSL_R_BAD_DH_PUB_KEY_LENGTH 116
-#define SSL_R_COMPRESSED_LENGTH_TOO_LONG 117
-#define SSL_R_APP_DATA_IN_HANDSHAKE 118
-#define SSL_R_NO_PEM_EXTENSIONS 119
-#define SSL_R_BAD_SRP_B_LENGTH 120
-#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 121
-#define SSL_R_UNABLE_TO_DECODE_DH_CERTS 122
-#define SSL_R_MISSING_SRP_PARAM 123
-#define SSL_R_MISSING_RSA_SIGNING_CERT 124
-#define SSL_R_MISSING_DSA_SIGNING_CERT 125
-#define SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE 126
-#define SSL_R_UNEXPECTED_RECORD 127
-#define SSL_R_BAD_DIGEST_LENGTH 128
-#define SSL_R_READ_TIMEOUT_EXPIRED 129
-#define SSL_R_KRB5_C_GET_CRED 130
-#define SSL_R_NULL_SSL_CTX 131
-#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 134
-#define SSL_R_SSL3_SESSION_ID_TOO_LONG 135
-#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 136
-#define SSL_R_REUSE_CERT_LENGTH_NOT_ZERO 137
-#define SSL_R_COOKIE_MISMATCH 139
-#define SSL_R_UNINITIALIZED 140
-#define SSL_R_BAD_CHANGE_CIPHER_SPEC 141
-#define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 142
-#define SSL_R_BAD_SRP_G_LENGTH 143
-#define SSL_R_NO_CERTIFICATE_ASSIGNED 144
-#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 145
-#define SSL_R_PEM_NAME_TOO_SHORT 146
-#define SSL_R_PROTOCOL_IS_SHUTDOWN 148
-#define SSL_R_UNABLE_TO_FIND_SSL_METHOD 149
-#define SSL_R_WRONG_MESSAGE_TYPE 150
-#define SSL_R_BAD_RSA_MODULUS_LENGTH 151
-#define SSL_R_PUBLIC_KEY_IS_NOT_RSA 152
-#define SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE 153
-#define SSL_R_NO_CLIENT_CERT_RECEIVED 154
-#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 155
-#define SSL_R_CERT_LENGTH_MISMATCH 156
-#define SSL_R_MISSING_EXPORT_TMP_DH_KEY 157
-#define SSL_R_DUPLICATE_COMPRESSION_ID 158
-#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 159
-#define SSL_R_REUSE_CIPHER_LIST_NOT_ZERO 160
-#define SSL_R_DATA_LENGTH_TOO_LONG 161
-#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 162
-#define SSL_R_WRONG_SIGNATURE_LENGTH 163
-#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 164
-#define SSL_R_WRONG_VERSION_NUMBER 165
-#define SSL_R_RECORD_TOO_LARGE 166
-#define SSL_R_BIO_NOT_SET 167
-#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 168
-#define SSL_R_UNKNOWN_PKEY_TYPE 170
-#define SSL_R_CIPHER_CODE_WRONG_LENGTH 171
-#define SSL_R_SSL_SESSION_ID_CONFLICT 172
-#define SSL_R_INVALID_COMMAND 173
-#define SSL_R_NO_PROTOCOLS_AVAILABLE 174
-#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 175
-#define SSL_R_LIBRARY_BUG 176
-#define SSL_R_UNSUPPORTED_CIPHER 177
-#define SSL_R_REUSE_CERT_TYPE_NOT_ZERO 178
-#define SSL_R_WRONG_SIGNATURE_TYPE 179
-#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 180
-#define SSL_R_PSK_NO_SERVER_CB 181
-#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 182
-#define SSL_R_INVALID_TRUST 183
-#define SSL_R_PARSE_TLSEXT 184
-#define SSL_R_NO_SRTP_PROFILES 185
-#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 186
-#define SSL_R_UNKNOWN_STATE 187
-#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 188
-#define SSL_R_WRONG_CIPHER_RETURNED 189
-#define SSL_R_BAD_DH_G_LENGTH 190
-#define SSL_R_BAD_ALERT_RECORD 191
-#define SSL_R_CIPHER_TABLE_SRC_ERROR 192
-#define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 194
-#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 195
-#define SSL_R_MESSAGE_TOO_LONG 196
-#define SSL_R_BAD_RSA_SIGNATURE 197
-#define SSL_R_X509_LIB 198
-#define SSL_R_BAD_SRP_N_LENGTH 199
-#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 200
-#define SSL_R_UNKNOWN_CIPHER_TYPE 201
-#define SSL_R_BAD_DH_P_LENGTH 202
-#define SSL_R_MISSING_DH_RSA_CERT 203
-#define SSL_R_NO_METHOD_SPECIFIED 204
-#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 205
-#define SSL_R_MULTIPLE_SGC_RESTARTS 206
-#define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 207
-#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 208
-#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 209
-#define SSL_R_BAD_SRP_S_LENGTH 210
-#define SSL_R_MISSING_TMP_RSA_KEY 211
-#define SSL_R_PSK_NO_CLIENT_CB 212
-#define SSL_R_PEM_NAME_BAD_PREFIX 213
-#define SSL_R_BAD_CHECKSUM 214
-#define SSL_R_NO_CIPHER_MATCH 216
-#define SSL_R_MISSING_TMP_DH_KEY 217
-#define SSL_R_UNSUPPORTED_STATUS_TYPE 218
-#define SSL_R_UNKNOWN_AUTHZ_DATA_TYPE 219
-#define SSL_R_CONNECTION_TYPE_NOT_SET 220
-#define SSL_R_MISSING_DH_KEY 221
-#define SSL_R_CHANNEL_ID_NOT_P256 222
-#define SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE 223
-#define SSL_R_UNKNOWN_PROTOCOL 224
-#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 225
-#define SSL_R_KRB5_S_TKT_SKEW 226
-#define SSL_R_PUBLIC_KEY_NOT_RSA 227
-#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 228
-#define SSL_R_GOST_NOT_SUPPORTED 229
-#define SSL_R_KRB5_C_CC_PRINC 230
-#define SSL_R_INVALID_PURPOSE 234
-#define SSL_R_KRB5_C_MK_REQ 235
-#define SSL_R_BAD_SRTP_MKI_VALUE 237
-#define SSL_R_EVP_DIGESTSIGNINIT_FAILED 238
-#define SSL_R_DIGEST_CHECK_FAILED 239
-#define SSL_R_BAD_SRP_A_LENGTH 240
-#define SSL_R_SERVERHELLO_TLSEXT 241
-#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 242
-#define SSL_R_NO_CIPHERS_AVAILABLE 243
-#define SSL_R_COMPRESSION_FAILURE 244
-#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 245
-#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 246
-#define SSL_R_BAD_RSA_ENCRYPT 247
-#define SSL_R_EXCESSIVE_MESSAGE_SIZE 248
-#define SSL_R_INVALID_COMPRESSION_ALGORITHM 249
-#define SSL_R_SHORT_READ 250
-#define SSL_R_CA_DN_LENGTH_MISMATCH 252
-#define SSL_R_BAD_ECC_CERT 253
-#define SSL_R_NON_SSLV2_INITIAL_PACKET 254
-#define SSL_R_SSL_SESSION_ID_IS_DIFFERENT 255
-#define SSL_R_MISSING_TMP_RSA_PKEY 256
-#define SSL_R_BN_LIB 257
-#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 258
-#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 259
-#define SSL_R_NO_RENEGOTIATION 260
-#define SSL_R_NO_COMPRESSION_SPECIFIED 261
+#define SSL_R_BAD_LENGTH 112
+#define SSL_R_BAD_PACKET_LENGTH 113
+#define SSL_R_BAD_RSA_ENCRYPT 114
+#define SSL_R_BAD_SIGNATURE 115
+#define SSL_R_BAD_SRTP_MKI_VALUE 116
+#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 117
+#define SSL_R_BAD_SSL_FILETYPE 118
+#define SSL_R_BAD_WRITE_RETRY 119
+#define SSL_R_BIO_NOT_SET 120
+#define SSL_R_BN_LIB 121
+#define SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY 122
+#define SSL_R_CA_DN_LENGTH_MISMATCH 123
+#define SSL_R_CA_DN_TOO_LONG 124
+#define SSL_R_CCS_RECEIVED_EARLY 125
+#define SSL_R_CERTIFICATE_VERIFY_FAILED 126
+#define SSL_R_CERT_CB_ERROR 127
+#define SSL_R_CERT_LENGTH_MISMATCH 128
+#define SSL_R_CHANNEL_ID_NOT_P256 129
+#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 130
+#define SSL_R_CIPHER_CODE_WRONG_LENGTH 131
+#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 132
+#define SSL_R_CLIENTHELLO_PARSE_FAILED 133
+#define SSL_R_CLIENTHELLO_TLSEXT 134
+#define SSL_R_CONNECTION_REJECTED 135
+#define SSL_R_CONNECTION_TYPE_NOT_SET 136
+#define SSL_R_COOKIE_MISMATCH 137
+#define SSL_R_D2I_ECDSA_SIG 138
+#define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 139
+#define SSL_R_DATA_LENGTH_TOO_LONG 140
+#define SSL_R_DECODE_ERROR 141
+#define SSL_R_DECRYPTION_FAILED 142
+#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 143
+#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 144
+#define SSL_R_DIGEST_CHECK_FAILED 145
+#define SSL_R_DTLS_MESSAGE_TOO_BIG 146
+#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 147
+#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 148
+#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 149
+#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 150
+#define SSL_R_EVP_DIGESTSIGNFINAL_FAILED 151
+#define SSL_R_EVP_DIGESTSIGNINIT_FAILED 152
+#define SSL_R_EXCESSIVE_MESSAGE_SIZE 153
+#define SSL_R_EXTRA_DATA_IN_MESSAGE 154
+#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 155
+#define SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS 156
+#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 157
+#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 158
+#define SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO 159
+#define SSL_R_HANDSHAKE_RECORD_BEFORE_CCS 160
+#define SSL_R_HTTPS_PROXY_REQUEST 161
+#define SSL_R_HTTP_REQUEST 162
+#define SSL_R_INAPPROPRIATE_FALLBACK 163
+#define SSL_R_INVALID_COMMAND 164
+#define SSL_R_INVALID_MESSAGE 165
+#define SSL_R_INVALID_SSL_SESSION 166
+#define SSL_R_INVALID_TICKET_KEYS_LENGTH 167
+#define SSL_R_LENGTH_MISMATCH 168
+#define SSL_R_LIBRARY_HAS_NO_CIPHERS 169
+#define SSL_R_MISSING_DH_KEY 170
+#define SSL_R_MISSING_ECDSA_SIGNING_CERT 171
+#define SSL_R_MISSING_RSA_CERTIFICATE 172
+#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 173
+#define SSL_R_MISSING_RSA_SIGNING_CERT 174
+#define SSL_R_MISSING_TMP_DH_KEY 175
+#define SSL_R_MISSING_TMP_ECDH_KEY 176
+#define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 177
+#define SSL_R_MTU_TOO_SMALL 178
+#define SSL_R_NESTED_GROUP 179
+#define SSL_R_NO_CERTIFICATES_RETURNED 180
+#define SSL_R_NO_CERTIFICATE_ASSIGNED 181
+#define SSL_R_NO_CERTIFICATE_SET 182
+#define SSL_R_NO_CIPHERS_AVAILABLE 183
+#define SSL_R_NO_CIPHERS_PASSED 184
+#define SSL_R_NO_CIPHERS_SPECIFIED 185
+#define SSL_R_NO_CIPHER_MATCH 186
+#define SSL_R_NO_COMPRESSION_SPECIFIED 187
+#define SSL_R_NO_METHOD_SPECIFIED 188
+#define SSL_R_NO_P256_SUPPORT 189
+#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
+#define SSL_R_NO_RENEGOTIATION 191
+#define SSL_R_NO_REQUIRED_DIGEST 192
+#define SSL_R_NO_SHARED_CIPHER 193
+#define SSL_R_NO_SHARED_SIGATURE_ALGORITHMS 194
+#define SSL_R_NO_SRTP_PROFILES 195
+#define SSL_R_NULL_SSL_CTX 196
+#define SSL_R_NULL_SSL_METHOD_PASSED 197
+#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 198
+#define SSL_R_PACKET_LENGTH_TOO_LONG 199
+#define SSL_R_PARSE_TLSEXT 200
+#define SSL_R_PATH_TOO_LONG 201
+#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 202
+#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 203
+#define SSL_R_PROTOCOL_IS_SHUTDOWN 204
+#define SSL_R_PSK_IDENTITY_NOT_FOUND 205
+#define SSL_R_PSK_NO_CLIENT_CB 206
+#define SSL_R_PSK_NO_SERVER_CB 207
+#define SSL_R_READ_BIO_NOT_SET 208
+#define SSL_R_READ_TIMEOUT_EXPIRED 209
+#define SSL_R_RECORD_LENGTH_MISMATCH 210
+#define SSL_R_RECORD_TOO_LARGE 211
+#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 212
+#define SSL_R_RENEGOTIATION_ENCODING_ERR 213
+#define SSL_R_RENEGOTIATION_MISMATCH 214
+#define SSL_R_REQUIRED_CIPHER_MISSING 215
+#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 216
+#define SSL_R_SERVERHELLO_TLSEXT 217
+#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 218
+#define SSL_R_SESSION_MAY_NOT_BE_CREATED 219
+#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 220
+#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 221
+#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 222
+#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 223
+#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 224
+#define SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE 225
+#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 226
+#define SSL_R_SSL_HANDSHAKE_FAILURE 227
+#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 228
+#define SSL_R_SSL_SESSION_ID_CONFLICT 229
+#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 230
+#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 231
+#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 233
+#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 234
+#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 235
+#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 236
+#define SSL_R_TOO_MANY_EMPTY_FRAGMENTS 237
+#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 238
+#define SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS 239
+#define SSL_R_UNEXPECTED_GROUP_CLOSE 240
+#define SSL_R_UNEXPECTED_MESSAGE 241
+#define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 242
+#define SSL_R_UNEXPECTED_RECORD 243
+#define SSL_R_UNINITIALIZED 244
+#define SSL_R_UNKNOWN_ALERT_TYPE 245
+#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 246
+#define SSL_R_UNKNOWN_CIPHER_RETURNED 247
+#define SSL_R_UNKNOWN_CIPHER_TYPE 248
+#define SSL_R_UNKNOWN_DIGEST 249
+#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
+#define SSL_R_UNKNOWN_PROTOCOL 251
+#define SSL_R_UNKNOWN_SSL_VERSION 252
+#define SSL_R_UNKNOWN_STATE 253
+#define SSL_R_UNPROCESSED_HANDSHAKE_DATA 254
+#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 255
+#define SSL_R_UNSUPPORTED_CIPHER 256
+#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257
+#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 258
+#define SSL_R_UNSUPPORTED_PROTOCOL 259
+#define SSL_R_UNSUPPORTED_SSL_VERSION 260
+#define SSL_R_USE_SRTP_NOT_NEGOTIATED 261
#define SSL_R_WRONG_CERTIFICATE_TYPE 262
-#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 264
-#define SSL_R_READ_BIO_NOT_SET 265
-#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 266
-#define SSL_R_RENEGOTIATE_EXT_TOO_LONG 267
-#define SSL_R_INVALID_CHALLENGE_LENGTH 268
-#define SSL_R_LIBRARY_HAS_NO_CIPHERS 270
-#define SSL_R_WRONG_CURVE 271
-#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 272
-#define SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT 275
-#define SSL_R_MISSING_RSA_CERTIFICATE 276
-#define SSL_R_NO_P256_SUPPORT 277
-#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 278
-#define SSL_R_INVALID_SERVERINFO_DATA 279
-#define SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS 280
-#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 281
-#define SSL_R_KRB5_S_BAD_TICKET 282
-#define SSL_R_EVP_DIGESTSIGNFINAL_FAILED 283
-#define SSL_R_PACKET_LENGTH_TOO_LONG 284
-#define SSL_R_BAD_STATE 285
-#define SSL_R_USE_SRTP_NOT_NEGOTIATED 286
-#define SSL_R_BAD_RSA_E_LENGTH 287
-#define SSL_R_ILLEGAL_PADDING 288
-#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 289
-#define SSL_R_BAD_VALUE 290
-#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 291
-#define SSL_R_COMPRESSION_DISABLED 292
-#define SSL_R_BAD_DECOMPRESSION 293
-#define SSL_R_CHALLENGE_IS_DIFFERENT 294
-#define SSL_R_NO_CLIENT_CERT_METHOD 295
-#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 296
-#define SSL_R_INVALID_MESSAGE 297
-#define SSL_R_HTTPS_PROXY_REQUEST 298
-#define SSL_R_AUTHZ_DATA_TOO_LARGE 299
-#define SSL_R_KRB5_S_TKT_EXPIRED 300
-#define SSL_R_NO_CERTIFICATE_SPECIFIED 301
-#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 302
-#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 303
-#define SSL_R_INVALID_STATUS_RESPONSE 304
-#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 305
-#define SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE 306
-#define SSL_R_MISSING_TMP_ECDH_KEY 307
-#define SSL_R_CERTIFICATE_VERIFY_FAILED 308
-#define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 309
-#define SSL_R_RENEGOTIATION_ENCODING_ERR 310
-#define SSL_R_NO_PRIVATEKEY 311
-#define SSL_R_READ_WRONG_PACKET_TYPE 313
-#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 314
-#define SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES 315
-#define SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS 316
-#define SSL_R_HTTP_REQUEST 317
-#define SSL_R_KRB5_S_INIT 318
-#define SSL_R_RECORD_LENGTH_MISMATCH 320
-#define SSL_R_BAD_LENGTH 321
-#define SSL_R_NO_REQUIRED_DIGEST 322
-#define SSL_R_KRB5 323
-#define SSL_R_CCS_RECEIVED_EARLY 325
-#define SSL_R_MISSING_ECDSA_SIGNING_CERT 326
-#define SSL_R_D2I_ECDSA_SIG 327
-#define SSL_R_PATH_TOO_LONG 328
-#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 329
-#define SSL_R_UNSUPPORTED_DIGEST_TYPE 330
-#define SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED 331
-#define SSL_R_PEER_ERROR_CERTIFICATE 332
-#define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 333
-#define SSL_R_NO_CERTIFICATE_SET 334
-#define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 335
-#define SSL_R_NO_CERTIFICATES_RETURNED 337
-#define SSL_R_BAD_WRITE_RETRY 338
-#define SSL_R_BAD_SSL_FILETYPE 339
-#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 340
-#define SSL_R_NO_CIPHERS_SPECIFIED 341
-#define SSL_R_LENGTH_MISMATCH 342
-#define SSL_R_NO_CIPHERS_PASSED 343
-#define SSL_R_NO_VERIFY_CALLBACK 344
-#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 345
-#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 347
-#define SSL_R_UNEXPECTED_MESSAGE 348
-#define SSL_R_MISSING_DH_DSA_CERT 349
-#define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 350
-#define SSL_R_OPAQUE_PRF_INPUT_TOO_LONG 351
-#define SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES 352
-#define SSL_R_ILLEGAL_SUITEB_DIGEST 353
-#define SSL_R_NO_SHARED_SIGATURE_ALGORITHMS 354
-#define SSL_R_CLIENTHELLO_TLSEXT 355
-#define SSL_R_INVALID_AUTHZ_DATA 356
-#define SSL_R_BAD_RESPONSE_ARGUMENT 357
-#define SSL_R_PUBLIC_KEY_ENCRYPT_ERROR 358
-#define SSL_R_REQUIRED_CIPHER_MISSING 359
-#define SSL_R_INVALID_AUDIT_PROOF 360
-#define SSL_R_PSK_IDENTITY_NOT_FOUND 361
-#define SSL_R_UNKNOWN_ALERT_TYPE 362
-#define SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER 363
-#define SSL_R_BAD_AUTHENTICATION_TYPE 365
-#define SSL_R_DECRYPTION_FAILED 366
-#define SSL_R_WRONG_SSL_VERSION 367
-#define SSL_R_NO_CERTIFICATE_RETURNED 368
-#define SSL_R_CA_DN_TOO_LONG 370
-#define SSL_R_GOT_A_FIN_BEFORE_A_CCS 371
-#define SSL_R_COMPRESSION_LIBRARY_ERROR 372
-#define SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS 374
-#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 375
-#define SSL_R_BAD_ECPOINT 376
-#define SSL_R_BAD_HANDSHAKE_LENGTH 377
-#define SSL_R_KRB5_S_RD_REQ 380
-#define SSL_R_PEER_ERROR_NO_CERTIFICATE 381
-#define SSL_R_PRE_MAC_LENGTH_TOO_LONG 382
-#define SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS 383
-#define SSL_R_UNKNOWN_DIGEST 384
-#define SSL_R_WRONG_SIGNATURE_SIZE 385
-#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 386
-#define SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING 387
-#define SSL_R_BAD_SIGNATURE 388
-#define SSL_R_BAD_PACKET_LENGTH 389
-#define SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY 390
-#define SSL_R_RENEGOTIATION_MISMATCH 391
-#define SSL_R_BAD_MAC_LENGTH 392
-#define SSL_R_NO_PUBLICKEY 393
-#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 394
-#define SSL_R_BAD_MAC_DECODE 395
-#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 396
-#define SSL_R_EXTRA_DATA_IN_MESSAGE 397
-#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 398
-#define SSL_R_CONNECTION_ID_IS_DIFFERENT 399
-#define SSL_R_MISSING_VERIFY_MESSAGE 402
-#define SSL_R_BAD_DSA_SIGNATURE 403
-#define SSL_R_UNKNOWN_SSL_VERSION 404
-#define SSL_R_KEY_ARG_TOO_LONG 405
-#define SSL_R_KRB5_C_INIT 406
-#define SSL_R_NO_CIPHER_LIST 407
-#define SSL_R_PEER_ERROR_NO_CIPHER 408
-#define SSL_R_UNKNOWN_CMD_NAME 409
-#define SSL_R_UNKNOWN_CIPHER_RETURNED 410
-#define SSL_R_RECORD_TOO_SMALL 411
-#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 412
-#define SSL_R_UNSUPPORTED_SSL_VERSION 413
-#define SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY 415
-#define SSL_R_MISSING_EXPORT_TMP_RSA_KEY 416
-#define SSL_R_BAD_DATA 417
-#define SSL_R_KRB5_S_TKT_NYV 418
-#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER 420
-#define SSL_R_BAD_MESSAGE_TYPE 421
-#define SSL_R_MISSING_ECDH_CERT 422
-#define SSL_R_UNSUPPORTED_PROTOCOL 423
-#define SSL_R_SRP_A_CALC 424
-#define SSL_R_WRITE_BIO_NOT_SET 425
-#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 426
-#define SSL_R_LENGTH_TOO_SHORT 427
-#define SSL_R_CERT_CB_ERROR 428
-#define SSL_R_DTLS_MESSAGE_TOO_BIG 429
-#define SSL_R_INVALID_SRP_USERNAME 430
-#define SSL_R_TOO_MANY_EMPTY_FRAGMENTS 431
-#define SSL_R_NESTED_GROUP 432
-#define SSL_R_UNEXPECTED_GROUP_CLOSE 433
-#define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 434
-#define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 435
-#define SSL_R_INAPPROPRIATE_FALLBACK 436
-#define SSL_R_CLIENTHELLO_PARSE_FAILED 437
-#define SSL_R_CONNECTION_REJECTED 438
-#define SSL_R_DECODE_ERROR 439
-#define SSL_R_UNPROCESSED_HANDSHAKE_DATA 440
-#define SSL_R_HANDSHAKE_RECORD_BEFORE_CCS 441
-#define SSL_R_SESSION_MAY_NOT_BE_CREATED 442
-#define SSL_R_INVALID_SSL_SESSION 443
-#define SSL_R_BAD_ALERT 444
-#define SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO 445
-#define SSL_R_MTU_TOO_SMALL 446
+#define SSL_R_WRONG_CIPHER_RETURNED 263
+#define SSL_R_WRONG_CURVE 264
+#define SSL_R_WRONG_MESSAGE_TYPE 265
+#define SSL_R_WRONG_SIGNATURE_TYPE 266
+#define SSL_R_WRONG_SSL_VERSION 267
+#define SSL_R_WRONG_VERSION_NUMBER 268
+#define SSL_R_X509_LIB 269
+#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 270
+#define SSL_R_FRAGMENT_MISMATCH 271
+#define SSL_R_BUFFER_TOO_SMALL 272
+#define SSL_R_OLD_SESSION_VERSION_NOT_RETURNED 273
#define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000
#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010
#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
@@ -2756,4 +2893,4 @@
#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113
#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114
-#endif
+#endif /* OPENSSL_HEADER_SSL_H */
diff --git a/src/include/openssl/ssl2.h b/src/include/openssl/ssl2.h
index eb25dcb..b8401fa 100644
--- a/src/include/openssl/ssl2.h
+++ b/src/include/openssl/ssl2.h
@@ -151,10 +151,6 @@
#define SSL2_MIN_CERT_CHALLENGE_LENGTH 16
#define SSL2_MAX_KEY_MATERIAL_LENGTH 24
-#ifndef HEADER_SSL_LOCL_H
-#define CERT char
-#endif
-
#ifndef OPENSSL_NO_SSL_INTERN
typedef struct ssl2_state_st
diff --git a/src/include/openssl/ssl3.h b/src/include/openssl/ssl3.h
index 8745281..96f00cf 100644
--- a/src/include/openssl/ssl3.h
+++ b/src/include/openssl/ssl3.h
@@ -117,9 +117,11 @@
#ifndef HEADER_SSL3_H
#define HEADER_SSL3_H
+#include <openssl/aead.h>
#include <openssl/buf.h>
#include <openssl/evp.h>
#include <openssl/ssl.h>
+#include <openssl/type_check.h>
#ifdef __cplusplus
extern "C" {
@@ -237,19 +239,28 @@
/* The standards give a maximum encryption overhead of 1024 bytes. In practice
* the value is lower than this. The overhead is the maximum number of padding
- * bytes (256) plus the mac size. */
+ * bytes (256) plus the mac size.
+ *
+ * TODO(davidben): This derivation doesn't take AEADs into account, or TLS 1.1
+ * explicit nonces. It happens to work because |SSL3_RT_MAX_MD_SIZE| is larger
+ * than necessary and no true AEAD has variable overhead in TLS 1.2. */
#define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)
-/* OpenSSL currently only uses a padding length of at most one block so the
- * send overhead is smaller. */
-
+/* SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD is the maximum overhead in encrypting a
+ * record. This does not include the record header. Some ciphers use explicit
+ * nonces, so it includes both the AEAD overhead as well as the nonce. */
#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \
- (SSL_RT_MAX_CIPHER_BLOCK_SIZE + SSL3_RT_MAX_MD_SIZE)
+ (EVP_AEAD_MAX_OVERHEAD + EVP_AEAD_MAX_NONCE_LENGTH)
-/* If compression isn't used don't include the compression overhead */
+OPENSSL_COMPILE_ASSERT(
+ SSL3_RT_MAX_ENCRYPTED_OVERHEAD >= SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD,
+ max_overheads_are_consistent);
-#define SSL3_RT_MAX_COMPRESSED_LENGTH \
- (SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_COMPRESSED_OVERHEAD)
+/* SSL3_RT_MAX_COMPRESSED_LENGTH is an alias for
+ * |SSL3_RT_MAX_PLAIN_LENGTH|. Compression is gone, so don't include the
+ * compression overhead. */
+#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH
+
#define SSL3_RT_MAX_ENCRYPTED_LENGTH \
(SSL3_RT_MAX_ENCRYPTED_OVERHEAD + SSL3_RT_MAX_COMPRESSED_LENGTH)
#define SSL3_RT_MAX_PACKET_SIZE \
@@ -347,7 +358,6 @@
/* flags for countermeasure against known-IV weakness */
int need_record_splitting;
- int record_split_done;
/* The value of 'extra' when the buffers were initialized */
int init_extra;
@@ -399,9 +409,6 @@
* no more data in the read or write buffers */
int renegotiate;
int total_renegotiations;
- int num_renegotiations;
-
- int in_read_app_data;
/* State pertaining to the pending handshake.
*
@@ -486,6 +493,10 @@
/* new_mac_secret_size is unused and exists only until wpa_supplicant can
* be updated. It is only needed for EAP-FAST, which we don't support. */
uint8_t new_mac_secret_size;
+
+ /* Client-only: in_false_start is one if there is a pending handshake in
+ * False Start. The client may write data at this point. */
+ char in_false_start;
} tmp;
/* Connection binding to prevent renegotiation attacks */
@@ -528,7 +539,7 @@
/* client */
/* extra state */
#define SSL3_ST_CW_FLUSH (0x100 | SSL_ST_CONNECT)
-#define SSL3_ST_CUTTHROUGH_COMPLETE (0x101 | SSL_ST_CONNECT)
+#define SSL3_ST_FALSE_START (0x101 | SSL_ST_CONNECT)
/* write to server */
#define SSL3_ST_CW_CLNT_HELLO_A (0x110 | SSL_ST_CONNECT)
#define SSL3_ST_CW_CLNT_HELLO_B (0x111 | SSL_ST_CONNECT)
@@ -583,8 +594,6 @@
#define SSL3_ST_SR_CLNT_HELLO_C (0x112 | SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_D (0x115 | SSL_ST_ACCEPT)
/* write to client */
-#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113 | SSL_ST_ACCEPT)
-#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_HELLO_REQ_A (0x120 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_HELLO_REQ_B (0x121 | SSL_ST_ACCEPT)
#define SSL3_ST_SW_HELLO_REQ_C (0x122 | SSL_ST_ACCEPT)
diff --git a/src/include/openssl/stack.h b/src/include/openssl/stack.h
index 0eeda7f..350fa14 100644
--- a/src/include/openssl/stack.h
+++ b/src/include/openssl/stack.h
@@ -114,7 +114,7 @@
#define DEFINE_STACK_OF(type) \
STACK_OF(type) {\
_STACK stack; \
-};
+}
#define DECLARE_STACK_OF(type) STACK_OF(type);
@@ -286,6 +286,13 @@
* the previous one. */
OPENSSL_EXPORT stack_cmp_func sk_set_cmp_func(_STACK *sk, stack_cmp_func comp);
+/* sk_deep_copy performs a copy of |sk| and of each of the non-NULL elements in
+ * |sk| by using |copy_func|. If an error occurs, |free_func| is used to free
+ * any copies already made and NULL is returned. */
+OPENSSL_EXPORT _STACK *sk_deep_copy(const _STACK *sk,
+ void *(*copy_func)(void *),
+ void (*free_func)(void *));
+
#if defined(__cplusplus)
} /* extern C */
diff --git a/src/include/openssl/stack_macros.h b/src/include/openssl/stack_macros.h
index a62fce3..dadcf6b 100644
--- a/src/include/openssl/stack_macros.h
+++ b/src/include/openssl/stack_macros.h
@@ -88,14 +88,21 @@
#define sk_ACCESS_DESCRIPTION_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(ACCESS_DESCRIPTION) *, sk))
-#define sk_ACCESS_DESCRIPTION_set_cmp_func(sk, comp) \
- ((int (*)(const ACCESS_DESCRIPTION **a, const ACCESS_DESCRIPTION **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(ACCESS_DESCRIPTION) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const ACCESS_DESCRIPTION **a, \
- const ACCESS_DESCRIPTION **b), \
- comp)))
+#define sk_ACCESS_DESCRIPTION_set_cmp_func(sk, comp) \
+ ((int (*)(const ACCESS_DESCRIPTION **a, const ACCESS_DESCRIPTION **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(ACCESS_DESCRIPTION) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const ACCESS_DESCRIPTION **a, \
+ const ACCESS_DESCRIPTION **b), \
+ comp)))
+#define sk_ACCESS_DESCRIPTION_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(ACCESS_DESCRIPTION) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(ACCESS_DESCRIPTION) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ ACCESS_DESCRIPTION *(*)(ACCESS_DESCRIPTION *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(ACCESS_DESCRIPTION *), \
+ free_func)))
/* ASN1_ADB_TABLE */
#define sk_ASN1_ADB_TABLE_new(comp) \
@@ -167,14 +174,20 @@
#define sk_ASN1_ADB_TABLE_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_ADB_TABLE) *, sk))
-#define sk_ASN1_ADB_TABLE_set_cmp_func(sk, comp) \
- ((int (*)(const ASN1_ADB_TABLE **a, const ASN1_ADB_TABLE **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(ASN1_ADB_TABLE) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_ADB_TABLE **a, \
- const ASN1_ADB_TABLE **b), \
- comp)))
+#define sk_ASN1_ADB_TABLE_set_cmp_func(sk, comp) \
+ ((int (*)(const ASN1_ADB_TABLE **a, const ASN1_ADB_TABLE **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(ASN1_ADB_TABLE) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_ADB_TABLE **a, \
+ const ASN1_ADB_TABLE **b), \
+ comp)))
+#define sk_ASN1_ADB_TABLE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(ASN1_ADB_TABLE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_ADB_TABLE) *, sk), \
+ CHECKED_CAST(void *(*)(void *), ASN1_ADB_TABLE *(*)(ASN1_ADB_TABLE *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(ASN1_ADB_TABLE *), free_func)))
/* ASN1_GENERALSTRING */
#define sk_ASN1_GENERALSTRING_new(comp) \
@@ -248,14 +261,21 @@
#define sk_ASN1_GENERALSTRING_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_GENERALSTRING) *, sk))
-#define sk_ASN1_GENERALSTRING_set_cmp_func(sk, comp) \
- ((int (*)(const ASN1_GENERALSTRING **a, const ASN1_GENERALSTRING **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(ASN1_GENERALSTRING) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_GENERALSTRING **a, \
- const ASN1_GENERALSTRING **b), \
- comp)))
+#define sk_ASN1_GENERALSTRING_set_cmp_func(sk, comp) \
+ ((int (*)(const ASN1_GENERALSTRING **a, const ASN1_GENERALSTRING **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(ASN1_GENERALSTRING) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_GENERALSTRING **a, \
+ const ASN1_GENERALSTRING **b), \
+ comp)))
+#define sk_ASN1_GENERALSTRING_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(ASN1_GENERALSTRING) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_GENERALSTRING) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ ASN1_GENERALSTRING *(*)(ASN1_GENERALSTRING *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(ASN1_GENERALSTRING *), \
+ free_func)))
/* ASN1_INTEGER */
#define sk_ASN1_INTEGER_new(comp) \
@@ -333,6 +353,12 @@
int (*)(const ASN1_INTEGER **a, const ASN1_INTEGER **b), \
comp)))
+#define sk_ASN1_INTEGER_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(ASN1_INTEGER) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_INTEGER) *, sk), \
+ CHECKED_CAST(void *(*)(void *), ASN1_INTEGER *(*)(ASN1_INTEGER *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(ASN1_INTEGER *), free_func)))
/* ASN1_OBJECT */
#define sk_ASN1_OBJECT_new(comp) \
@@ -408,6 +434,12 @@
int (*)(const ASN1_OBJECT **a, const ASN1_OBJECT **b), \
comp)))
+#define sk_ASN1_OBJECT_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(ASN1_OBJECT) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_OBJECT) *, sk), \
+ CHECKED_CAST(void *(*)(void *), ASN1_OBJECT *(*)(ASN1_OBJECT *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(ASN1_OBJECT *), free_func)))
/* ASN1_STRING_TABLE */
#define sk_ASN1_STRING_TABLE_new(comp) \
@@ -481,14 +513,21 @@
#define sk_ASN1_STRING_TABLE_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(ASN1_STRING_TABLE) *, sk))
-#define sk_ASN1_STRING_TABLE_set_cmp_func(sk, comp) \
- ((int (*)(const ASN1_STRING_TABLE **a, const ASN1_STRING_TABLE **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(ASN1_STRING_TABLE) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_STRING_TABLE **a, \
- const ASN1_STRING_TABLE **b), \
- comp)))
+#define sk_ASN1_STRING_TABLE_set_cmp_func(sk, comp) \
+ ((int (*)(const ASN1_STRING_TABLE **a, const ASN1_STRING_TABLE **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(ASN1_STRING_TABLE) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const ASN1_STRING_TABLE **a, \
+ const ASN1_STRING_TABLE **b), \
+ comp)))
+#define sk_ASN1_STRING_TABLE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(ASN1_STRING_TABLE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_STRING_TABLE) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ ASN1_STRING_TABLE *(*)(ASN1_STRING_TABLE *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(ASN1_STRING_TABLE *), \
+ free_func)))
/* ASN1_TYPE */
#define sk_ASN1_TYPE_new(comp) \
@@ -563,6 +602,11 @@
CHECKED_CAST(stack_cmp_func, \
int (*)(const ASN1_TYPE **a, const ASN1_TYPE **b), comp)))
+#define sk_ASN1_TYPE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(ASN1_TYPE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_TYPE) *, sk), \
+ CHECKED_CAST(void *(*)(void *), ASN1_TYPE *(*)(ASN1_TYPE *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(ASN1_TYPE *), free_func)))
/* ASN1_VALUE */
#define sk_ASN1_VALUE_new(comp) \
@@ -638,6 +682,12 @@
int (*)(const ASN1_VALUE **a, const ASN1_VALUE **b), \
comp)))
+#define sk_ASN1_VALUE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(ASN1_VALUE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(ASN1_VALUE) *, sk), \
+ CHECKED_CAST(void *(*)(void *), ASN1_VALUE *(*)(ASN1_VALUE *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(ASN1_VALUE *), free_func)))
/* BIO */
#define sk_BIO_new(comp) \
@@ -702,6 +752,11 @@
CHECKED_CAST(stack_cmp_func, int (*)(const BIO **a, const BIO **b), \
comp)))
+#define sk_BIO_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(BIO) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(BIO) *, sk), \
+ CHECKED_CAST(void *(*)(void *), BIO *(*)(BIO *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(BIO *), free_func)))
/* BY_DIR_ENTRY */
#define sk_BY_DIR_ENTRY_new(comp) \
@@ -779,6 +834,12 @@
int (*)(const BY_DIR_ENTRY **a, const BY_DIR_ENTRY **b), \
comp)))
+#define sk_BY_DIR_ENTRY_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(BY_DIR_ENTRY) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(BY_DIR_ENTRY) *, sk), \
+ CHECKED_CAST(void *(*)(void *), BY_DIR_ENTRY *(*)(BY_DIR_ENTRY *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(BY_DIR_ENTRY *), free_func)))
/* BY_DIR_HASH */
#define sk_BY_DIR_HASH_new(comp) \
@@ -854,6 +915,12 @@
int (*)(const BY_DIR_HASH **a, const BY_DIR_HASH **b), \
comp)))
+#define sk_BY_DIR_HASH_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(BY_DIR_HASH) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(BY_DIR_HASH) *, sk), \
+ CHECKED_CAST(void *(*)(void *), BY_DIR_HASH *(*)(BY_DIR_HASH *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(BY_DIR_HASH *), free_func)))
/* CONF_VALUE */
#define sk_CONF_VALUE_new(comp) \
@@ -929,6 +996,12 @@
int (*)(const CONF_VALUE **a, const CONF_VALUE **b), \
comp)))
+#define sk_CONF_VALUE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(CONF_VALUE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(CONF_VALUE) *, sk), \
+ CHECKED_CAST(void *(*)(void *), CONF_VALUE *(*)(CONF_VALUE *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(CONF_VALUE *), free_func)))
/* CRYPTO_EX_DATA_FUNCS */
#define sk_CRYPTO_EX_DATA_FUNCS_new(comp) \
@@ -1006,12 +1079,22 @@
#define sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func(sk, comp) \
((int (*)(const CRYPTO_EX_DATA_FUNCS **a, const CRYPTO_EX_DATA_FUNCS **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(CRYPTO_EX_DATA_FUNCS) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const CRYPTO_EX_DATA_FUNCS **a, \
- const CRYPTO_EX_DATA_FUNCS **b), \
- comp)))
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(CRYPTO_EX_DATA_FUNCS) *, sk), \
+ CHECKED_CAST(stack_cmp_func, \
+ int (*)(const CRYPTO_EX_DATA_FUNCS **a, \
+ const CRYPTO_EX_DATA_FUNCS **b), \
+ comp)))
+#define sk_CRYPTO_EX_DATA_FUNCS_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(CRYPTO_EX_DATA_FUNCS) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(CRYPTO_EX_DATA_FUNCS) *, \
+ sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ CRYPTO_EX_DATA_FUNCS *(*)(CRYPTO_EX_DATA_FUNCS *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(CRYPTO_EX_DATA_FUNCS *), \
+ free_func)))
/* DIST_POINT */
#define sk_DIST_POINT_new(comp) \
@@ -1087,6 +1170,12 @@
int (*)(const DIST_POINT **a, const DIST_POINT **b), \
comp)))
+#define sk_DIST_POINT_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(DIST_POINT) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(DIST_POINT) *, sk), \
+ CHECKED_CAST(void *(*)(void *), DIST_POINT *(*)(DIST_POINT *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(DIST_POINT *), free_func)))
/* GENERAL_NAME */
#define sk_GENERAL_NAME_new(comp) \
@@ -1164,6 +1253,12 @@
int (*)(const GENERAL_NAME **a, const GENERAL_NAME **b), \
comp)))
+#define sk_GENERAL_NAME_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(GENERAL_NAME) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(GENERAL_NAME) *, sk), \
+ CHECKED_CAST(void *(*)(void *), GENERAL_NAME *(*)(GENERAL_NAME *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(GENERAL_NAME *), free_func)))
/* GENERAL_NAMES */
#define sk_GENERAL_NAMES_new(comp) \
@@ -1242,6 +1337,12 @@
int (*)(const GENERAL_NAMES **a, const GENERAL_NAMES **b), \
comp)))
+#define sk_GENERAL_NAMES_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(GENERAL_NAMES) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(GENERAL_NAMES) *, sk), \
+ CHECKED_CAST(void *(*)(void *), GENERAL_NAMES *(*)(GENERAL_NAMES *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(GENERAL_NAMES *), free_func)))
/* GENERAL_SUBTREE */
#define sk_GENERAL_SUBTREE_new(comp) \
@@ -1314,14 +1415,20 @@
#define sk_GENERAL_SUBTREE_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(GENERAL_SUBTREE) *, sk))
-#define sk_GENERAL_SUBTREE_set_cmp_func(sk, comp) \
- ((int (*)(const GENERAL_SUBTREE **a, const GENERAL_SUBTREE **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(GENERAL_SUBTREE) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const GENERAL_SUBTREE **a, \
- const GENERAL_SUBTREE **b), \
- comp)))
+#define sk_GENERAL_SUBTREE_set_cmp_func(sk, comp) \
+ ((int (*)(const GENERAL_SUBTREE **a, const GENERAL_SUBTREE **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(GENERAL_SUBTREE) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const GENERAL_SUBTREE **a, \
+ const GENERAL_SUBTREE **b), \
+ comp)))
+#define sk_GENERAL_SUBTREE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(GENERAL_SUBTREE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(GENERAL_SUBTREE) *, sk), \
+ CHECKED_CAST(void *(*)(void *), GENERAL_SUBTREE *(*)(GENERAL_SUBTREE *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(GENERAL_SUBTREE *), free_func)))
/* MIME_HEADER */
#define sk_MIME_HEADER_new(comp) \
@@ -1397,6 +1504,12 @@
int (*)(const MIME_HEADER **a, const MIME_HEADER **b), \
comp)))
+#define sk_MIME_HEADER_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(MIME_HEADER) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(MIME_HEADER) *, sk), \
+ CHECKED_CAST(void *(*)(void *), MIME_HEADER *(*)(MIME_HEADER *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(MIME_HEADER *), free_func)))
/* PKCS7_SIGNER_INFO */
#define sk_PKCS7_SIGNER_INFO_new(comp) \
@@ -1470,14 +1583,21 @@
#define sk_PKCS7_SIGNER_INFO_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(PKCS7_SIGNER_INFO) *, sk))
-#define sk_PKCS7_SIGNER_INFO_set_cmp_func(sk, comp) \
- ((int (*)(const PKCS7_SIGNER_INFO **a, const PKCS7_SIGNER_INFO **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(PKCS7_SIGNER_INFO) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const PKCS7_SIGNER_INFO **a, \
- const PKCS7_SIGNER_INFO **b), \
- comp)))
+#define sk_PKCS7_SIGNER_INFO_set_cmp_func(sk, comp) \
+ ((int (*)(const PKCS7_SIGNER_INFO **a, const PKCS7_SIGNER_INFO **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(PKCS7_SIGNER_INFO) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const PKCS7_SIGNER_INFO **a, \
+ const PKCS7_SIGNER_INFO **b), \
+ comp)))
+#define sk_PKCS7_SIGNER_INFO_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(PKCS7_SIGNER_INFO) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(PKCS7_SIGNER_INFO) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ PKCS7_SIGNER_INFO *(*)(PKCS7_SIGNER_INFO *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(PKCS7_SIGNER_INFO *), \
+ free_func)))
/* PKCS7_RECIP_INFO */
#define sk_PKCS7_RECIP_INFO_new(comp) \
@@ -1550,14 +1670,21 @@
#define sk_PKCS7_RECIP_INFO_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(PKCS7_RECIP_INFO) *, sk))
-#define sk_PKCS7_RECIP_INFO_set_cmp_func(sk, comp) \
- ((int (*)(const PKCS7_RECIP_INFO **a, const PKCS7_RECIP_INFO **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(PKCS7_RECIP_INFO) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const PKCS7_RECIP_INFO **a, \
- const PKCS7_RECIP_INFO **b), \
- comp)))
+#define sk_PKCS7_RECIP_INFO_set_cmp_func(sk, comp) \
+ ((int (*)(const PKCS7_RECIP_INFO **a, const PKCS7_RECIP_INFO **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(PKCS7_RECIP_INFO) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const PKCS7_RECIP_INFO **a, \
+ const PKCS7_RECIP_INFO **b), \
+ comp)))
+#define sk_PKCS7_RECIP_INFO_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(PKCS7_RECIP_INFO) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(PKCS7_RECIP_INFO) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ PKCS7_RECIP_INFO *(*)(PKCS7_RECIP_INFO *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(PKCS7_RECIP_INFO *), \
+ free_func)))
/* POLICYINFO */
#define sk_POLICYINFO_new(comp) \
@@ -1633,6 +1760,12 @@
int (*)(const POLICYINFO **a, const POLICYINFO **b), \
comp)))
+#define sk_POLICYINFO_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(POLICYINFO) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(POLICYINFO) *, sk), \
+ CHECKED_CAST(void *(*)(void *), POLICYINFO *(*)(POLICYINFO *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(POLICYINFO *), free_func)))
/* POLICYQUALINFO */
#define sk_POLICYQUALINFO_new(comp) \
@@ -1704,14 +1837,20 @@
#define sk_POLICYQUALINFO_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(POLICYQUALINFO) *, sk))
-#define sk_POLICYQUALINFO_set_cmp_func(sk, comp) \
- ((int (*)(const POLICYQUALINFO **a, const POLICYQUALINFO **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(POLICYQUALINFO) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const POLICYQUALINFO **a, \
- const POLICYQUALINFO **b), \
- comp)))
+#define sk_POLICYQUALINFO_set_cmp_func(sk, comp) \
+ ((int (*)(const POLICYQUALINFO **a, const POLICYQUALINFO **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(POLICYQUALINFO) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const POLICYQUALINFO **a, \
+ const POLICYQUALINFO **b), \
+ comp)))
+#define sk_POLICYQUALINFO_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(POLICYQUALINFO) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(POLICYQUALINFO) *, sk), \
+ CHECKED_CAST(void *(*)(void *), POLICYQUALINFO *(*)(POLICYQUALINFO *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(POLICYQUALINFO *), free_func)))
/* POLICY_MAPPING */
#define sk_POLICY_MAPPING_new(comp) \
@@ -1783,14 +1922,20 @@
#define sk_POLICY_MAPPING_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(POLICY_MAPPING) *, sk))
-#define sk_POLICY_MAPPING_set_cmp_func(sk, comp) \
- ((int (*)(const POLICY_MAPPING **a, const POLICY_MAPPING **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(POLICY_MAPPING) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const POLICY_MAPPING **a, \
- const POLICY_MAPPING **b), \
- comp)))
+#define sk_POLICY_MAPPING_set_cmp_func(sk, comp) \
+ ((int (*)(const POLICY_MAPPING **a, const POLICY_MAPPING **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(POLICY_MAPPING) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const POLICY_MAPPING **a, \
+ const POLICY_MAPPING **b), \
+ comp)))
+#define sk_POLICY_MAPPING_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(POLICY_MAPPING) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(POLICY_MAPPING) *, sk), \
+ CHECKED_CAST(void *(*)(void *), POLICY_MAPPING *(*)(POLICY_MAPPING *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(POLICY_MAPPING *), free_func)))
/* SSL_COMP */
#define sk_SSL_COMP_new(comp) \
@@ -1862,6 +2007,11 @@
CHECKED_CAST(stack_cmp_func, \
int (*)(const SSL_COMP **a, const SSL_COMP **b), comp)))
+#define sk_SSL_COMP_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(SSL_COMP) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(SSL_COMP) *, sk), \
+ CHECKED_CAST(void *(*)(void *), SSL_COMP *(*)(SSL_COMP *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(SSL_COMP *), free_func)))
/* STACK_OF_X509_NAME_ENTRY */
#define sk_STACK_OF_X509_NAME_ENTRY_new(comp) \
@@ -1939,16 +2089,25 @@
sk_is_sorted( \
CHECKED_CAST(_STACK *, const STACK_OF(STACK_OF_X509_NAME_ENTRY) *, sk))
-#define sk_STACK_OF_X509_NAME_ENTRY_set_cmp_func(sk, comp) \
- ((int (*)(const STACK_OF_X509_NAME_ENTRY **a, \
- const STACK_OF_X509_NAME_ENTRY **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(STACK_OF_X509_NAME_ENTRY) *, sk), \
- CHECKED_CAST(stack_cmp_func, \
- int (*)(const STACK_OF_X509_NAME_ENTRY **a, \
- const STACK_OF_X509_NAME_ENTRY **b), \
- comp)))
+#define sk_STACK_OF_X509_NAME_ENTRY_set_cmp_func(sk, comp) \
+ ((int (*)(const STACK_OF_X509_NAME_ENTRY **a, \
+ const STACK_OF_X509_NAME_ENTRY **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(STACK_OF_X509_NAME_ENTRY) *, sk), \
+ CHECKED_CAST(stack_cmp_func, \
+ int (*)(const STACK_OF_X509_NAME_ENTRY **a, \
+ const STACK_OF_X509_NAME_ENTRY **b), \
+ comp)))
+#define sk_STACK_OF_X509_NAME_ENTRY_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(STACK_OF_X509_NAME_ENTRY) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(STACK_OF_X509_NAME_ENTRY) *, \
+ sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ STACK_OF_X509_NAME_ENTRY *(*)(STACK_OF_X509_NAME_ENTRY *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(STACK_OF_X509_NAME_ENTRY *), \
+ free_func)))
/* SXNETID */
#define sk_SXNETID_new(comp) \
@@ -2020,6 +2179,11 @@
CHECKED_CAST(stack_cmp_func, \
int (*)(const SXNETID **a, const SXNETID **b), comp)))
+#define sk_SXNETID_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(SXNETID) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(SXNETID) *, sk), \
+ CHECKED_CAST(void *(*)(void *), SXNETID *(*)(SXNETID *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(SXNETID *), free_func)))
/* X509 */
#define sk_X509_new(comp) \
@@ -2084,6 +2248,11 @@
CHECKED_CAST(stack_cmp_func, int (*)(const X509 **a, const X509 **b), \
comp)))
+#define sk_X509_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509 *(*)(X509 *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509 *), free_func)))
/* X509V3_EXT_METHOD */
#define sk_X509V3_EXT_METHOD_new(comp) \
@@ -2157,14 +2326,21 @@
#define sk_X509V3_EXT_METHOD_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509V3_EXT_METHOD) *, sk))
-#define sk_X509V3_EXT_METHOD_set_cmp_func(sk, comp) \
- ((int (*)(const X509V3_EXT_METHOD **a, const X509V3_EXT_METHOD **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(X509V3_EXT_METHOD) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const X509V3_EXT_METHOD **a, \
- const X509V3_EXT_METHOD **b), \
- comp)))
+#define sk_X509V3_EXT_METHOD_set_cmp_func(sk, comp) \
+ ((int (*)(const X509V3_EXT_METHOD **a, const X509V3_EXT_METHOD **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(X509V3_EXT_METHOD) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const X509V3_EXT_METHOD **a, \
+ const X509V3_EXT_METHOD **b), \
+ comp)))
+#define sk_X509V3_EXT_METHOD_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509V3_EXT_METHOD) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509V3_EXT_METHOD) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ X509V3_EXT_METHOD *(*)(X509V3_EXT_METHOD *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509V3_EXT_METHOD *), \
+ free_func)))
/* X509_ALGOR */
#define sk_X509_ALGOR_new(comp) \
@@ -2240,6 +2416,12 @@
int (*)(const X509_ALGOR **a, const X509_ALGOR **b), \
comp)))
+#define sk_X509_ALGOR_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_ALGOR) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_ALGOR) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_ALGOR *(*)(X509_ALGOR *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_ALGOR *), free_func)))
/* X509_ATTRIBUTE */
#define sk_X509_ATTRIBUTE_new(comp) \
@@ -2311,14 +2493,20 @@
#define sk_X509_ATTRIBUTE_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_ATTRIBUTE) *, sk))
-#define sk_X509_ATTRIBUTE_set_cmp_func(sk, comp) \
- ((int (*)(const X509_ATTRIBUTE **a, const X509_ATTRIBUTE **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(X509_ATTRIBUTE) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const X509_ATTRIBUTE **a, \
- const X509_ATTRIBUTE **b), \
- comp)))
+#define sk_X509_ATTRIBUTE_set_cmp_func(sk, comp) \
+ ((int (*)(const X509_ATTRIBUTE **a, const X509_ATTRIBUTE **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(X509_ATTRIBUTE) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const X509_ATTRIBUTE **a, \
+ const X509_ATTRIBUTE **b), \
+ comp)))
+#define sk_X509_ATTRIBUTE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_ATTRIBUTE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_ATTRIBUTE) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_ATTRIBUTE *(*)(X509_ATTRIBUTE *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_ATTRIBUTE *), free_func)))
/* X509_CRL */
#define sk_X509_CRL_new(comp) \
@@ -2390,6 +2578,11 @@
CHECKED_CAST(stack_cmp_func, \
int (*)(const X509_CRL **a, const X509_CRL **b), comp)))
+#define sk_X509_CRL_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_CRL) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_CRL) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_CRL *(*)(X509_CRL *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_CRL *), free_func)))
/* X509_EXTENSION */
#define sk_X509_EXTENSION_new(comp) \
@@ -2461,14 +2654,20 @@
#define sk_X509_EXTENSION_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_EXTENSION) *, sk))
-#define sk_X509_EXTENSION_set_cmp_func(sk, comp) \
- ((int (*)(const X509_EXTENSION **a, const X509_EXTENSION **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(X509_EXTENSION) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const X509_EXTENSION **a, \
- const X509_EXTENSION **b), \
- comp)))
+#define sk_X509_EXTENSION_set_cmp_func(sk, comp) \
+ ((int (*)(const X509_EXTENSION **a, const X509_EXTENSION **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(X509_EXTENSION) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const X509_EXTENSION **a, \
+ const X509_EXTENSION **b), \
+ comp)))
+#define sk_X509_EXTENSION_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_EXTENSION) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_EXTENSION) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_EXTENSION *(*)(X509_EXTENSION *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_EXTENSION *), free_func)))
/* X509_INFO */
#define sk_X509_INFO_new(comp) \
@@ -2543,6 +2742,11 @@
CHECKED_CAST(stack_cmp_func, \
int (*)(const X509_INFO **a, const X509_INFO **b), comp)))
+#define sk_X509_INFO_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_INFO) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_INFO) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_INFO *(*)(X509_INFO *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_INFO *), free_func)))
/* X509_LOOKUP */
#define sk_X509_LOOKUP_new(comp) \
@@ -2618,6 +2822,12 @@
int (*)(const X509_LOOKUP **a, const X509_LOOKUP **b), \
comp)))
+#define sk_X509_LOOKUP_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_LOOKUP) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_LOOKUP) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_LOOKUP *(*)(X509_LOOKUP *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_LOOKUP *), free_func)))
/* X509_NAME */
#define sk_X509_NAME_new(comp) \
@@ -2692,6 +2902,11 @@
CHECKED_CAST(stack_cmp_func, \
int (*)(const X509_NAME **a, const X509_NAME **b), comp)))
+#define sk_X509_NAME_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_NAME) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_NAME) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_NAME *(*)(X509_NAME *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_NAME *), free_func)))
/* X509_NAME_ENTRY */
#define sk_X509_NAME_ENTRY_new(comp) \
@@ -2764,14 +2979,20 @@
#define sk_X509_NAME_ENTRY_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_NAME_ENTRY) *, sk))
-#define sk_X509_NAME_ENTRY_set_cmp_func(sk, comp) \
- ((int (*)(const X509_NAME_ENTRY **a, const X509_NAME_ENTRY **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(X509_NAME_ENTRY) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const X509_NAME_ENTRY **a, \
- const X509_NAME_ENTRY **b), \
- comp)))
+#define sk_X509_NAME_ENTRY_set_cmp_func(sk, comp) \
+ ((int (*)(const X509_NAME_ENTRY **a, const X509_NAME_ENTRY **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(X509_NAME_ENTRY) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const X509_NAME_ENTRY **a, \
+ const X509_NAME_ENTRY **b), \
+ comp)))
+#define sk_X509_NAME_ENTRY_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_NAME_ENTRY) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_NAME_ENTRY) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_NAME_ENTRY *(*)(X509_NAME_ENTRY *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_NAME_ENTRY *), free_func)))
/* X509_OBJECT */
#define sk_X509_OBJECT_new(comp) \
@@ -2847,6 +3068,12 @@
int (*)(const X509_OBJECT **a, const X509_OBJECT **b), \
comp)))
+#define sk_X509_OBJECT_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_OBJECT) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_OBJECT) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_OBJECT *(*)(X509_OBJECT *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_OBJECT *), free_func)))
/* X509_POLICY_DATA */
#define sk_X509_POLICY_DATA_new(comp) \
@@ -2919,14 +3146,21 @@
#define sk_X509_POLICY_DATA_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_POLICY_DATA) *, sk))
-#define sk_X509_POLICY_DATA_set_cmp_func(sk, comp) \
- ((int (*)(const X509_POLICY_DATA **a, const X509_POLICY_DATA **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(X509_POLICY_DATA) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const X509_POLICY_DATA **a, \
- const X509_POLICY_DATA **b), \
- comp)))
+#define sk_X509_POLICY_DATA_set_cmp_func(sk, comp) \
+ ((int (*)(const X509_POLICY_DATA **a, const X509_POLICY_DATA **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(X509_POLICY_DATA) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const X509_POLICY_DATA **a, \
+ const X509_POLICY_DATA **b), \
+ comp)))
+#define sk_X509_POLICY_DATA_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_POLICY_DATA) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_POLICY_DATA) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ X509_POLICY_DATA *(*)(X509_POLICY_DATA *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_POLICY_DATA *), \
+ free_func)))
/* X509_POLICY_NODE */
#define sk_X509_POLICY_NODE_new(comp) \
@@ -2999,14 +3233,21 @@
#define sk_X509_POLICY_NODE_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_POLICY_NODE) *, sk))
-#define sk_X509_POLICY_NODE_set_cmp_func(sk, comp) \
- ((int (*)(const X509_POLICY_NODE **a, const X509_POLICY_NODE **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(X509_POLICY_NODE) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const X509_POLICY_NODE **a, \
- const X509_POLICY_NODE **b), \
- comp)))
+#define sk_X509_POLICY_NODE_set_cmp_func(sk, comp) \
+ ((int (*)(const X509_POLICY_NODE **a, const X509_POLICY_NODE **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(X509_POLICY_NODE) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const X509_POLICY_NODE **a, \
+ const X509_POLICY_NODE **b), \
+ comp)))
+#define sk_X509_POLICY_NODE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_POLICY_NODE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_POLICY_NODE) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ X509_POLICY_NODE *(*)(X509_POLICY_NODE *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_POLICY_NODE *), \
+ free_func)))
/* X509_PURPOSE */
#define sk_X509_PURPOSE_new(comp) \
@@ -3084,6 +3325,12 @@
int (*)(const X509_PURPOSE **a, const X509_PURPOSE **b), \
comp)))
+#define sk_X509_PURPOSE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_PURPOSE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_PURPOSE) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_PURPOSE *(*)(X509_PURPOSE *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_PURPOSE *), free_func)))
/* X509_REVOKED */
#define sk_X509_REVOKED_new(comp) \
@@ -3161,6 +3408,12 @@
int (*)(const X509_REVOKED **a, const X509_REVOKED **b), \
comp)))
+#define sk_X509_REVOKED_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_REVOKED) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_REVOKED) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_REVOKED *(*)(X509_REVOKED *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_REVOKED *), free_func)))
/* X509_TRUST */
#define sk_X509_TRUST_new(comp) \
@@ -3236,6 +3489,12 @@
int (*)(const X509_TRUST **a, const X509_TRUST **b), \
comp)))
+#define sk_X509_TRUST_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_TRUST) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_TRUST) *, sk), \
+ CHECKED_CAST(void *(*)(void *), X509_TRUST *(*)(X509_TRUST *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_TRUST *), free_func)))
/* X509_VERIFY_PARAM */
#define sk_X509_VERIFY_PARAM_new(comp) \
@@ -3309,14 +3568,21 @@
#define sk_X509_VERIFY_PARAM_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(X509_VERIFY_PARAM) *, sk))
-#define sk_X509_VERIFY_PARAM_set_cmp_func(sk, comp) \
- ((int (*)(const X509_VERIFY_PARAM **a, const X509_VERIFY_PARAM **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(X509_VERIFY_PARAM) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const X509_VERIFY_PARAM **a, \
- const X509_VERIFY_PARAM **b), \
- comp)))
+#define sk_X509_VERIFY_PARAM_set_cmp_func(sk, comp) \
+ ((int (*)(const X509_VERIFY_PARAM **a, const X509_VERIFY_PARAM **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(X509_VERIFY_PARAM) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const X509_VERIFY_PARAM **a, \
+ const X509_VERIFY_PARAM **b), \
+ comp)))
+#define sk_X509_VERIFY_PARAM_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(X509_VERIFY_PARAM) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(X509_VERIFY_PARAM) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ X509_VERIFY_PARAM *(*)(X509_VERIFY_PARAM *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(X509_VERIFY_PARAM *), \
+ free_func)))
/* void */
#define sk_void_new(comp) \
@@ -3381,6 +3647,11 @@
CHECKED_CAST(stack_cmp_func, int (*)(const void **a, const void **b), \
comp)))
+#define sk_void_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(void)*)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(void)*, sk), \
+ CHECKED_CAST(void *(*)(void *), void *(*)(void *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(void *), free_func)))
/* SRTP_PROTECTION_PROFILE */
#define sk_SRTP_PROTECTION_PROFILE_new(comp) \
@@ -3459,16 +3730,25 @@
sk_is_sorted( \
CHECKED_CAST(_STACK *, const STACK_OF(SRTP_PROTECTION_PROFILE) *, sk))
-#define sk_SRTP_PROTECTION_PROFILE_set_cmp_func(sk, comp) \
- ((int (*)(const SRTP_PROTECTION_PROFILE **a, \
- const SRTP_PROTECTION_PROFILE **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(SRTP_PROTECTION_PROFILE) *, sk), \
- CHECKED_CAST(stack_cmp_func, \
- int (*)(const SRTP_PROTECTION_PROFILE **a, \
- const SRTP_PROTECTION_PROFILE **b), \
- comp)))
+#define sk_SRTP_PROTECTION_PROFILE_set_cmp_func(sk, comp) \
+ ((int (*)(const SRTP_PROTECTION_PROFILE **a, \
+ const SRTP_PROTECTION_PROFILE **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(SRTP_PROTECTION_PROFILE) *, sk), \
+ CHECKED_CAST(stack_cmp_func, \
+ int (*)(const SRTP_PROTECTION_PROFILE **a, \
+ const SRTP_PROTECTION_PROFILE **b), \
+ comp)))
+#define sk_SRTP_PROTECTION_PROFILE_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(SRTP_PROTECTION_PROFILE) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(SRTP_PROTECTION_PROFILE) *, \
+ sk), \
+ CHECKED_CAST(void *(*)(void *), const SRTP_PROTECTION_PROFILE *(*)( \
+ const SRTP_PROTECTION_PROFILE *), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), \
+ void (*)(const SRTP_PROTECTION_PROFILE *), free_func)))
/* SSL_CIPHER */
#define sk_SSL_CIPHER_new(comp) \
@@ -3547,6 +3827,13 @@
int (*)(const SSL_CIPHER **a, const SSL_CIPHER **b), \
comp)))
+#define sk_SSL_CIPHER_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(SSL_CIPHER) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(SSL_CIPHER) *, sk), \
+ CHECKED_CAST(void *(*)(void *), \
+ const SSL_CIPHER *(*)(const SSL_CIPHER *), copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(const SSL_CIPHER *), \
+ free_func)))
/* OPENSSL_STRING */
#define sk_OPENSSL_STRING_new(comp) \
@@ -3618,14 +3905,20 @@
#define sk_OPENSSL_STRING_is_sorted(sk) \
sk_is_sorted(CHECKED_CAST(_STACK *, const STACK_OF(OPENSSL_STRING) *, sk))
-#define sk_OPENSSL_STRING_set_cmp_func(sk, comp) \
- ((int (*)(const OPENSSL_STRING **a, const OPENSSL_STRING **b)) \
- sk_set_cmp_func( \
- CHECKED_CAST(_STACK *, STACK_OF(OPENSSL_STRING) *, sk), \
- CHECKED_CAST(stack_cmp_func, int (*)(const OPENSSL_STRING **a, \
- const OPENSSL_STRING **b), \
- comp)))
+#define sk_OPENSSL_STRING_set_cmp_func(sk, comp) \
+ ((int (*)(const OPENSSL_STRING **a, const OPENSSL_STRING **b)) \
+ sk_set_cmp_func( \
+ CHECKED_CAST(_STACK *, STACK_OF(OPENSSL_STRING) *, sk), \
+ CHECKED_CAST(stack_cmp_func, int (*)(const OPENSSL_STRING **a, \
+ const OPENSSL_STRING **b), \
+ comp)))
+#define sk_OPENSSL_STRING_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(OPENSSL_STRING) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(OPENSSL_STRING) *, sk), \
+ CHECKED_CAST(void *(*)(void *), OPENSSL_STRING (*)(OPENSSL_STRING), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(OPENSSL_STRING), free_func)))
/* OPENSSL_BLOCK */
#define sk_OPENSSL_BLOCK_new(comp) \
@@ -3702,3 +3995,10 @@
CHECKED_CAST(stack_cmp_func, \
int (*)(const OPENSSL_BLOCK **a, const OPENSSL_BLOCK **b), \
comp)))
+
+#define sk_OPENSSL_BLOCK_deep_copy(sk, copy_func, free_func) \
+ ((STACK_OF(OPENSSL_BLOCK) *)sk_deep_copy( \
+ CHECKED_CAST(const _STACK *, const STACK_OF(OPENSSL_BLOCK) *, sk), \
+ CHECKED_CAST(void *(*)(void *), OPENSSL_BLOCK (*)(OPENSSL_BLOCK), \
+ copy_func), \
+ CHECKED_CAST(void (*)(void *), void (*)(OPENSSL_BLOCK), free_func)))
diff --git a/src/include/openssl/thread.h b/src/include/openssl/thread.h
index ea65405..f6e7529 100644
--- a/src/include/openssl/thread.h
+++ b/src/include/openssl/thread.h
@@ -57,6 +57,8 @@
#ifndef OPENSSL_HEADER_THREAD_H
#define OPENSSL_HEADER_THREAD_H
+#include <sys/types.h>
+
#include <openssl/base.h>
#if defined(__cplusplus)
@@ -64,21 +66,40 @@
#endif
+#if defined(OPENSSL_NO_THREADS)
+typedef struct crypto_mutex_st {} CRYPTO_MUTEX;
+#elif defined(OPENSSL_WINDOWS)
+/* CRYPTO_MUTEX can appear in public header files so we really don't want to
+ * pull in windows.h. It's statically asserted that this structure is large
+ * enough to contain a Windows CRITICAL_SECTION by thread_win.c. */
+typedef union crypto_mutex_st {
+ double alignment;
+ uint8_t padding[4*sizeof(void*) + 2*sizeof(int)];
+} CRYPTO_MUTEX;
+#elif defined(__MACH__) && defined(__APPLE__)
+typedef pthread_rwlock_t CRYPTO_MUTEX;
+#else
+/* It is reasonable to include pthread.h on non-Windows systems, however the
+ * |pthread_rwlock_t| that we need is hidden under feature flags, and we can't
+ * ensure that we'll be able to get it. It's statically asserted that this
+ * structure is large enough to contain a |pthread_rwlock_t| by
+ * thread_pthread.c. */
+typedef union crypto_mutex_st {
+ double alignment;
+ uint8_t padding[3*sizeof(int) + 5*sizeof(unsigned) + 16 + 8];
+} CRYPTO_MUTEX;
+#endif
+
+
/* Functions to support multithreading.
*
* OpenSSL can safely be used in multi-threaded applications provided that at
- * least two callback functions are set with |CRYPTO_set_locking_callback| and
- * |CRYPTO_THREADID_set_callback|.
+ * least |CRYPTO_set_locking_callback| is set.
*
* The locking callback performs mutual exclusion. Rather than using a single
* lock for all, shared data-structures, OpenSSL requires that the locking
* callback support a fixed (at run-time) number of different locks, given by
- * |CRYPTO_num_locks|.
- *
- * The thread ID callback is called to record the currently executing thread's
- * identifier in a |CRYPTO_THREADID| structure. If this callback is not
- * provided then the address of |errno| is used as the thread identifier. This
- * is sufficient only if the system has a thread-local |errno| value. */
+ * |CRYPTO_num_locks|. */
/* CRYPTO_num_locks returns the number of static locks that the callback
@@ -116,27 +137,22 @@
OPENSSL_EXPORT const char *CRYPTO_get_lock_name(int lock_num);
-/* CRYPTO_THREADID identifies a thread in a multithreaded program. This
- * structure should not be used directly. Rather applications should use
- * |CRYPTO_THREADID_set_numeric| and |CRYPTO_THREADID_set_pointer|. */
-typedef struct crypto_threadid_st {
- void *ptr;
- unsigned long val;
-} CRYPTO_THREADID;
+/* Deprecated functions */
-/* CRYPTO_THREADID_set_callback sets a callback function that stores an
- * identifier of the currently executing thread into |threadid|. The
- * CRYPTO_THREADID structure should not be accessed directly. Rather one of
- * |CRYPTO_THREADID_set_numeric| or |CRYPTO_THREADID_set_pointer| should be
- * used depending on whether thread IDs are numbers or pointers on the host
- * system. */
+/* CRYPTO_THREADID_set_callback does nothing. */
OPENSSL_EXPORT int CRYPTO_THREADID_set_callback(
void (*threadid_func)(CRYPTO_THREADID *threadid));
+/* CRYPTO_THREADID_set_numeric does nothing. */
OPENSSL_EXPORT void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id,
unsigned long val);
+
+/* CRYPTO_THREADID_set_pointer does nothing. */
OPENSSL_EXPORT void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr);
+/* CRYPTO_THREADID_current does nothing. */
+OPENSSL_EXPORT void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
+
/* Private functions: */
@@ -158,70 +174,43 @@
/* CRYPTO_add_lock adds |amount| to |*pointer|, protected by the lock specified
* by |lock_num|. It returns the new value of |*pointer|. Don't call this
- * function directly, rather use the |CRYPTO_add_lock| macro.
- *
- * TODO(fork): rename to CRYPTO_add_locked. */
+ * function directly, rather use the |CRYPTO_add| macro. */
OPENSSL_EXPORT int CRYPTO_add_lock(int *pointer, int amount, int lock_num,
const char *file, int line);
+/* Lock IDs start from 1. CRYPTO_LOCK_INVALID_LOCK is an unused placeholder
+ * used to ensure no lock has ID 0. */
+#define CRYPTO_LOCK_LIST \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_INVALID_LOCK), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_BIO), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_DH), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_DSA), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EC), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EC_PRE_COMP), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_ERR), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EVP_PKEY), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_EX_DATA), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_OBJ), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_RAND), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_READDIR), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_RSA), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_RSA_BLINDING), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_SSL_CTX), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_SSL_SESSION), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_INFO), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_PKEY), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_CRL), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_REQ), \
+ CRYPTO_LOCK_ITEM(CRYPTO_LOCK_X509_STORE), \
-/* CRYPTO_THREADID_current stores the current thread identifier in |id|. */
-OPENSSL_EXPORT void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
+#define CRYPTO_LOCK_ITEM(x) x
-/* CRYPTO_THREADID_cmp returns < 0, 0 or > 0 if |a| is less than, equal to or
- * greater than |b|, respectively. */
-int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b);
+enum {
+ CRYPTO_LOCK_LIST
+};
-/* CRYPTO_THREADID_cpy sets |*dest| equal to |*src|. */
-void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src);
-
-/* CRYPTO_THREADID_hash returns a hash of the numeric value of |id|. */
-uint32_t CRYPTO_THREADID_hash(const CRYPTO_THREADID *id);
-
-/* These are the locks used by OpenSSL. These values should match up with the
- * table in thread.c. */
-#define CRYPTO_LOCK_ERR 1
-#define CRYPTO_LOCK_EX_DATA 2
-#define CRYPTO_LOCK_X509 3
-#define CRYPTO_LOCK_X509_INFO 4
-#define CRYPTO_LOCK_X509_PKEY 5
-#define CRYPTO_LOCK_X509_CRL 6
-#define CRYPTO_LOCK_X509_REQ 7
-#define CRYPTO_LOCK_DSA 8
-#define CRYPTO_LOCK_RSA 9
-#define CRYPTO_LOCK_EVP_PKEY 10
-#define CRYPTO_LOCK_X509_STORE 11
-#define CRYPTO_LOCK_SSL_CTX 12
-#define CRYPTO_LOCK_SSL_CERT 13
-#define CRYPTO_LOCK_SSL_SESSION 14
-#define CRYPTO_LOCK_SSL_SESS_CERT 15
-#define CRYPTO_LOCK_SSL 16
-#define CRYPTO_LOCK_SSL_METHOD 17
-#define CRYPTO_LOCK_RAND 18
-#define CRYPTO_LOCK_RAND2 19
-#define CRYPTO_LOCK_MALLOC 20
-#define CRYPTO_LOCK_BIO 21
-#define CRYPTO_LOCK_GETHOSTBYNAME 22
-#define CRYPTO_LOCK_GETSERVBYNAME 23
-#define CRYPTO_LOCK_READDIR 24
-#define CRYPTO_LOCK_RSA_BLINDING 25
-#define CRYPTO_LOCK_DH 26
-#define CRYPTO_LOCK_MALLOC2 27
-#define CRYPTO_LOCK_DSO 28
-#define CRYPTO_LOCK_DYNLOCK 29
-#define CRYPTO_LOCK_ENGINE 30
-#define CRYPTO_LOCK_UI 31
-#define CRYPTO_LOCK_ECDSA 32
-#define CRYPTO_LOCK_EC 33
-#define CRYPTO_LOCK_ECDH 34
-#define CRYPTO_LOCK_BN 35
-#define CRYPTO_LOCK_EC_PRE_COMP 36
-#define CRYPTO_LOCK_STORE 37
-#define CRYPTO_LOCK_COMP 38
-#define CRYPTO_LOCK_FIPS 39
-#define CRYPTO_LOCK_FIPS2 40
-#define CRYPTO_LOCK_OBJ 40
-#define CRYPTO_NUM_LOCKS 42
+#undef CRYPTO_LOCK_ITEM
#define CRYPTO_LOCK 1
#define CRYPTO_UNLOCK 2
diff --git a/src/include/openssl/time_support.h b/src/include/openssl/time_support.h
index d03a99d..912e672 100644
--- a/src/include/openssl/time_support.h
+++ b/src/include/openssl/time_support.h
@@ -60,7 +60,6 @@
#include <openssl/base.h>
-#include <time.h>
#if defined(__cplusplus)
extern "C" {
diff --git a/src/include/openssl/tls1.h b/src/include/openssl/tls1.h
index 95731ff..e085e15 100644
--- a/src/include/openssl/tls1.h
+++ b/src/include/openssl/tls1.h
@@ -161,24 +161,6 @@
#define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
-#define TLS1_2_VERSION 0x0303
-#define TLS1_2_VERSION_MAJOR 0x03
-#define TLS1_2_VERSION_MINOR 0x03
-
-#define TLS1_1_VERSION 0x0302
-#define TLS1_1_VERSION_MAJOR 0x03
-#define TLS1_1_VERSION_MINOR 0x02
-
-#define TLS1_VERSION 0x0301
-#define TLS1_VERSION_MAJOR 0x03
-#define TLS1_VERSION_MINOR 0x01
-
-#define TLS1_get_version(s) \
- ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
-
-#define TLS1_get_client_version(s) \
- ((s->client_version >> 8) == TLS1_VERSION_MAJOR ? s->client_version : 0)
-
#define TLS1_AD_DECRYPTION_FAILED 21
#define TLS1_AD_RECORD_OVERFLOW 22
#define TLS1_AD_UNKNOWN_CA 48 /* fatal */
@@ -298,16 +280,16 @@
OPENSSL_EXPORT const char *SSL_get_servername(const SSL *s, const int type);
OPENSSL_EXPORT int SSL_get_servername_type(const SSL *s);
-/* SSL_export_keying_material exports a value derived from the master secret,
- * as specified in RFC 5705. It writes |olen| bytes to |out| given a label and
+
+/* SSL_export_keying_material exports a value derived from the master secret, as
+ * specified in RFC 5705. It writes |out_len| bytes to |out| given a label and
* optional context. (Since a zero length context is allowed, the |use_context|
* flag controls whether a context is included.)
*
- * It returns 1 on success and zero otherwise. */
-OPENSSL_EXPORT int SSL_export_keying_material(SSL *s, uint8_t *out, size_t olen,
- const char *label, size_t llen,
- const uint8_t *p, size_t plen,
- int use_context);
+ * It returns one on success and zero otherwise. */
+OPENSSL_EXPORT int SSL_export_keying_material(
+ SSL *s, uint8_t *out, size_t out_len, const char *label, size_t label_len,
+ const uint8_t *context, size_t context_len, int use_context);
OPENSSL_EXPORT int SSL_get_sigalgs(SSL *s, int idx, int *psign, int *phash,
int *psignandhash, uint8_t *rsig,
@@ -317,44 +299,61 @@
int *phash, int *psignandhash,
uint8_t *rsig, uint8_t *rhash);
-#define SSL_set_tlsext_host_name(s, name) \
- SSL_ctrl(s, SSL_CTRL_SET_TLSEXT_HOSTNAME, TLSEXT_NAMETYPE_host_name, \
- (char *)name)
+/* SSL_set_tlsext_host_name, for a client, configures |ssl| to advertise |name|
+ * in the server_name extension. It returns one on success and zero on error. */
+OPENSSL_EXPORT int SSL_set_tlsext_host_name(SSL *ssl, const char *name);
-#define SSL_set_tlsext_debug_callback(ssl, cb) \
- SSL_callback_ctrl(ssl, SSL_CTRL_SET_TLSEXT_DEBUG_CB, (void (*)(void))cb)
-
-#define SSL_set_tlsext_debug_arg(ssl, arg) \
- SSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_DEBUG_ARG, 0, (void *)arg)
-
-#define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
- SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TLSEXT_SERVERNAME_CB, \
- (void (*)(void))cb)
+/* SSL_CTX_set_tlsext_servername_callback configures |callback| to be called on
+ * the server after ClientHello extensions have been parsed and returns one.
+ * |callback| may use |SSL_get_servername| to examine the server_name extension
+ * and return a |SSL_TLSEXT_ERR_*| value. If it returns |SSL_TLSEXT_ERR_NOACK|,
+ * the server_name extension is not acknowledged in the ServerHello. If the
+ * return value signals an alert, |callback| should set |*out_alert| to the
+ * alert to send. */
+OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
+ SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg));
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_WARNING 1
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK 3
-#define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG, 0, (void *)arg)
+/* SSL_CTX_set_tlsext_servername_arg sets the argument to the servername
+ * callback and returns one. See |SSL_CTX_set_tlsext_servername_callback|. */
+OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);
#define SSL_CTX_get_tlsext_ticket_keys(ctx, keys, keylen) \
SSL_CTX_ctrl((ctx), SSL_CTRL_GET_TLSEXT_TICKET_KEYS, (keylen), (keys))
#define SSL_CTX_set_tlsext_ticket_keys(ctx, keys, keylen) \
SSL_CTX_ctrl((ctx), SSL_CTRL_SET_TLSEXT_TICKET_KEYS, (keylen), (keys))
-#define SSL_CTX_set_tlsext_status_cb(ssl, cb) \
- SSL_CTX_callback_ctrl(ssl, SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB, \
- (void (*)(void))cb)
-
-#define SSL_CTX_set_tlsext_status_arg(ssl, arg) \
- SSL_CTX_ctrl(ssl, SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG, 0, (void *)arg)
-
-#define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \
- SSL_CTX_callback_ctrl(ssl, SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB, \
- (void (*)(void))cb)
-
+/* SSL_CTX_set_tlsext_ticket_key_cb sets the ticket callback to |callback| and
+ * returns one. |callback| will be called when encrypting a new ticket and when
+ * decrypting a ticket from the client.
+ *
+ * In both modes, |ctx| and |hmac_ctx| will already have been initialized with
+ * |EVP_CIPHER_CTX_init| and |HMAC_CTX_init|, respectively. |callback|
+ * configures |hmac_ctx| with an HMAC digest and key, and configures |ctx|
+ * for encryption or decryption, based on the mode.
+ *
+ * When encrypting a new ticket, |encrypt| will be one. It writes a public
+ * 16-byte key name to |key_name| and a fresh IV to |iv|. The output IV length
+ * must match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
+ * |callback| returns 1 on success and -1 on error.
+ *
+ * When decrypting a ticket, |encrypt| will be zero. |key_name| will point to a
+ * 16-byte key name and |iv| points to an IV. The length of the IV consumed must
+ * match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,
+ * |callback| returns -1 to abort the handshake, 0 if decrypting the ticket
+ * failed, and 1 or 2 on success. If it returns 2, the ticket will be renewed.
+ * This may be used to re-key the ticket.
+ *
+ * WARNING: |callback| wildly breaks the usual return value convention and is
+ * called in two different modes. */
+OPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_key_cb(
+ SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
+ EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
+ int encrypt));
/* PSK ciphersuites from 4279 */
#define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A
@@ -689,8 +688,6 @@
#define TLS_CT_RSA_FIXED_ECDH 65
#define TLS_CT_ECDSA_FIXED_ECDH 66
-#define TLS1_FINISH_MAC_LENGTH 12
-
#define TLS_MD_MAX_CONST_SIZE 20
#define TLS_MD_CLIENT_FINISH_CONST "client finished"
#define TLS_MD_CLIENT_FINISH_CONST_SIZE 15
diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h
index 2a79887..ef1d7fb 100644
--- a/src/include/openssl/x509.h
+++ b/src/include/openssl/x509.h
@@ -748,8 +748,6 @@
OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
OPENSSL_EXPORT EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key);
-OPENSSL_EXPORT int X509_get_pubkey_parameters(EVP_PKEY *pkey,
- STACK_OF(X509) *chain);
OPENSSL_EXPORT int i2d_PUBKEY(const EVP_PKEY *a,unsigned char **pp);
OPENSSL_EXPORT EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
long length);
@@ -1221,112 +1219,101 @@
}
#endif
-#define X509_F_x509_name_ex_new 100
-#define X509_F_X509_EXTENSION_create_by_NID 101
-#define X509_F_X509_load_crl_file 102
-#define X509_F_X509_TRUST_set 103
-#define X509_F_X509_EXTENSION_create_by_OBJ 104
-#define X509_F_by_file_ctrl 105
-#define X509_F_X509_load_cert_crl_file 106
-#define X509_F_X509_CRL_add0_revoked 107
-#define X509_F_bitstr_cb 108
-#define X509_F_X509_STORE_CTX_new 109
-#define X509_F_X509_REQ_to_X509 110
-#define X509_F_X509v3_add_ext 111
-#define X509_F_ASN1_sign 112
-#define X509_F_asn1_str2type 113
-#define X509_F_i2d_RSA_PUBKEY 114
-#define X509_F_ASN1_item_sign_ctx 115
-#define X509_F_x509_name_encode 116
-#define X509_F_d2i_X509_PKEY 117
-#define X509_F_ASN1_generate_v3 118
-#define X509_F_dir_ctrl 119
-#define X509_F_X509_print_ex_fp 120
-#define X509_F_X509_ATTRIBUTE_get0_data 121
-#define X509_F_X509_NAME_oneline 122
-#define X509_F_X509_CRL_print_fp 123
-#define X509_F_X509_STORE_CTX_get1_issuer 124
-#define X509_F_add_cert_dir 125
-#define X509_F_PKCS7_get_certificates 126
-#define X509_F_X509_ATTRIBUTE_create_by_NID 127
-#define X509_F_X509_ATTRIBUTE_set1_data 128
+#define X509_F_ASN1_digest 100
+#define X509_F_ASN1_item_sign_ctx 101
+#define X509_F_ASN1_item_verify 102
+#define X509_F_NETSCAPE_SPKI_b64_decode 103
+#define X509_F_NETSCAPE_SPKI_b64_encode 104
+#define X509_F_PKCS7_get_certificates 105
+#define X509_F_X509_ATTRIBUTE_create_by_NID 106
+#define X509_F_X509_ATTRIBUTE_create_by_OBJ 107
+#define X509_F_X509_ATTRIBUTE_create_by_txt 108
+#define X509_F_X509_ATTRIBUTE_get0_data 109
+#define X509_F_X509_ATTRIBUTE_set1_data 110
+#define X509_F_X509_CRL_add0_revoked 111
+#define X509_F_X509_CRL_diff 112
+#define X509_F_X509_CRL_print_fp 113
+#define X509_F_X509_EXTENSION_create_by_NID 114
+#define X509_F_X509_EXTENSION_create_by_OBJ 115
+#define X509_F_X509_INFO_new 116
+#define X509_F_X509_NAME_ENTRY_create_by_NID 117
+#define X509_F_X509_NAME_ENTRY_create_by_txt 118
+#define X509_F_X509_NAME_ENTRY_set_object 119
+#define X509_F_X509_NAME_add_entry 120
+#define X509_F_X509_NAME_oneline 121
+#define X509_F_X509_NAME_print 122
+#define X509_F_X509_PKEY_new 123
+#define X509_F_X509_PUBKEY_get 124
+#define X509_F_X509_PUBKEY_set 125
+#define X509_F_X509_REQ_check_private_key 126
+#define X509_F_X509_REQ_to_X509 127
+#define X509_F_X509_STORE_CTX_get1_issuer 128
#define X509_F_X509_STORE_CTX_init 129
-#define X509_F_NETSCAPE_SPKI_b64_decode 130
-#define X509_F_X509_NAME_print 131
-#define X509_F_x509_name_ex_d2i 132
-#define X509_F_X509_PKEY_new 133
-#define X509_F_X509_STORE_add_cert 134
-#define X509_F_parse_tagging 135
-#define X509_F_check_policy 136
-#define X509_F_ASN1_digest 137
-#define X509_F_X509_load_cert_file 138
-#define X509_F_X509_ATTRIBUTE_create_by_txt 139
-#define X509_F_X509_PUBKEY_set 140
-#define X509_F_X509_PUBKEY_get 141
-#define X509_F_get_cert_by_subject 142
-#define X509_F_X509_NAME_add_entry 143
+#define X509_F_X509_STORE_CTX_new 130
+#define X509_F_X509_STORE_CTX_purpose_inherit 131
+#define X509_F_X509_STORE_add_cert 132
+#define X509_F_X509_STORE_add_crl 133
+#define X509_F_X509_TRUST_add 134
+#define X509_F_X509_TRUST_set 135
+#define X509_F_X509_check_private_key 136
+#define X509_F_X509_get_pubkey_parameters 137
+#define X509_F_X509_load_cert_crl_file 138
+#define X509_F_X509_load_cert_file 139
+#define X509_F_X509_load_crl_file 140
+#define X509_F_X509_print_ex_fp 141
+#define X509_F_X509_to_X509_REQ 142
+#define X509_F_X509_verify_cert 143
#define X509_F_X509at_add1_attr 144
-#define X509_F_X509_check_private_key 145
-#define X509_F_append_exp 146
-#define X509_F_i2d_EC_PUBKEY 147
-#define X509_F_X509_INFO_new 148
-#define X509_F_X509_STORE_CTX_purpose_inherit 149
-#define X509_F_NETSCAPE_SPKI_b64_encode 150
-#define X509_F_X509_to_X509_REQ 151
-#define X509_F_X509_NAME_ENTRY_create_by_txt 152
-#define X509_F_X509_NAME_ENTRY_set_object 153
-#define X509_F_asn1_cb 154
-#define X509_F_X509_verify_cert 155
-#define X509_F_X509_CRL_diff 156
-#define X509_F_i2d_PrivateKey 157
-#define X509_F_X509_REQ_check_private_key 158
-#define X509_F_X509_STORE_add_crl 159
-#define X509_F_X509_get_pubkey_parameters 160
-#define X509_F_ASN1_item_verify 161
-#define X509_F_X509_ATTRIBUTE_create_by_OBJ 162
-#define X509_F_i2d_DSA_PUBKEY 163
-#define X509_F_X509_TRUST_add 164
-#define X509_F_X509_NAME_ENTRY_create_by_NID 165
-#define X509_F_PKCS7_get_CRLs 166
-#define X509_F_pkcs7_parse_header 167
-#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 100
-#define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN 101
-#define X509_R_METHOD_NOT_SUPPORTED 102
-#define X509_R_UNSUPPORTED_ALGORITHM 103
-#define X509_R_CRL_VERIFY_FAILURE 104
-#define X509_R_BASE64_DECODE_ERROR 105
-#define X509_R_INVALID_TRUST 106
-#define X509_R_UNKNOWN_NID 107
-#define X509_R_INVALID_DIRECTORY 108
-#define X509_R_KEY_VALUES_MISMATCH 109
-#define X509_R_CERT_ALREADY_IN_HASH_TABLE 110
-#define X509_R_PUBLIC_KEY_DECODE_ERROR 111
-#define X509_R_NOT_PKCS7_SIGNED_DATA 112
-#define X509_R_PUBLIC_KEY_ENCODE_ERROR 113
-#define X509_R_LOADING_CERT_DIR 114
-#define X509_R_WRONG_TYPE 115
-#define X509_R_UNKNOWN_PURPOSE_ID 116
-#define X509_R_NEWER_CRL_NOT_NEWER 117
-#define X509_R_UNKNOWN_TRUST_ID 118
-#define X509_R_KEY_TYPE_MISMATCH 120
-#define X509_R_UNKNOWN_KEY_TYPE 121
-#define X509_R_BAD_X509_FILETYPE 122
-#define X509_R_ISSUER_MISMATCH 123
-#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY 124
-#define X509_R_WRONG_LOOKUP_TYPE 125
-#define X509_R_CONTEXT_NOT_INITIALISED 126
-#define X509_R_CANT_CHECK_DH_KEY 127
-#define X509_R_NO_CERTIFICATES_INCLUDED 128
-#define X509_R_INVALID_FIELD_NAME 129
-#define X509_R_SHOULD_RETRY 130
-#define X509_R_NO_CRL_NUMBER 131
-#define X509_R_IDP_MISMATCH 132
-#define X509_R_LOADING_DEFAULTS 133
-#define X509_R_BAD_PKCS7_VERSION 134
-#define X509_R_CRL_ALREADY_DELTA 135
-#define X509_R_ERR_ASN1_LIB 136
-#define X509_R_AKID_MISMATCH 137
-#define X509_R_INVALID_BIT_STRING_BITS_LEFT 138
-#define X509_R_NO_CRLS_INCLUDED 139
+#define X509_F_X509v3_add_ext 145
+#define X509_F_add_cert_dir 146
+#define X509_F_by_file_ctrl 147
+#define X509_F_check_policy 148
+#define X509_F_dir_ctrl 149
+#define X509_F_get_cert_by_subject 150
+#define X509_F_i2d_DSA_PUBKEY 151
+#define X509_F_i2d_EC_PUBKEY 152
+#define X509_F_i2d_RSA_PUBKEY 153
+#define X509_F_x509_name_encode 154
+#define X509_F_x509_name_ex_d2i 155
+#define X509_F_x509_name_ex_new 156
+#define X509_F_pkcs7_parse_header 157
+#define X509_F_PKCS7_get_CRLs 158
+#define X509_R_AKID_MISMATCH 100
+#define X509_R_BAD_PKCS7_VERSION 101
+#define X509_R_BAD_X509_FILETYPE 102
+#define X509_R_BASE64_DECODE_ERROR 103
+#define X509_R_CANT_CHECK_DH_KEY 104
+#define X509_R_CERT_ALREADY_IN_HASH_TABLE 105
+#define X509_R_CRL_ALREADY_DELTA 106
+#define X509_R_CRL_VERIFY_FAILURE 107
+#define X509_R_IDP_MISMATCH 108
+#define X509_R_INVALID_BIT_STRING_BITS_LEFT 109
+#define X509_R_INVALID_DIRECTORY 110
+#define X509_R_INVALID_FIELD_NAME 111
+#define X509_R_INVALID_TRUST 112
+#define X509_R_ISSUER_MISMATCH 113
+#define X509_R_KEY_TYPE_MISMATCH 114
+#define X509_R_KEY_VALUES_MISMATCH 115
+#define X509_R_LOADING_CERT_DIR 116
+#define X509_R_LOADING_DEFAULTS 117
+#define X509_R_METHOD_NOT_SUPPORTED 118
+#define X509_R_NEWER_CRL_NOT_NEWER 119
+#define X509_R_NOT_PKCS7_SIGNED_DATA 120
+#define X509_R_NO_CERTIFICATES_INCLUDED 121
+#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 122
+#define X509_R_NO_CRL_NUMBER 123
+#define X509_R_PUBLIC_KEY_DECODE_ERROR 124
+#define X509_R_PUBLIC_KEY_ENCODE_ERROR 125
+#define X509_R_SHOULD_RETRY 126
+#define X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN 127
+#define X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY 128
+#define X509_R_UNKNOWN_KEY_TYPE 129
+#define X509_R_UNKNOWN_NID 130
+#define X509_R_UNKNOWN_PURPOSE_ID 131
+#define X509_R_UNKNOWN_TRUST_ID 132
+#define X509_R_UNSUPPORTED_ALGORITHM 133
+#define X509_R_WRONG_LOOKUP_TYPE 134
+#define X509_R_WRONG_TYPE 135
+#define X509_R_NO_CRLS_INCLUDED 136
#endif
diff --git a/src/include/openssl/x509_vfy.h b/src/include/openssl/x509_vfy.h
index c65bfde..299cad7 100644
--- a/src/include/openssl/x509_vfy.h
+++ b/src/include/openssl/x509_vfy.h
@@ -202,7 +202,6 @@
STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
int (*cleanup)(X509_STORE_CTX *ctx);
- CRYPTO_EX_DATA ex_data;
int references;
} /* X509_STORE */;
@@ -554,11 +553,15 @@
STACK_OF(ASN1_OBJECT) *policies);
OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
- const unsigned char *name, size_t namelen);
+ const char *name, size_t namelen);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
+ const char *name,
+ size_t namelen);
OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
unsigned int flags);
+OPENSSL_EXPORT char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *);
OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
- const unsigned char *email, size_t emaillen);
+ const char *email, size_t emaillen);
OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
const unsigned char *ip, size_t iplen);
OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc);
diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h
index c891022..5caa5c1 100644
--- a/src/include/openssl/x509v3.h
+++ b/src/include/openssl/x509v3.h
@@ -607,14 +607,6 @@
OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req);
OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
-OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- int ext_nid, char *value);
-OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *name, char *value);
-OPENSSL_EXPORT int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509 *cert);
-OPENSSL_EXPORT int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
- char *section, X509_REQ *req);
OPENSSL_EXPORT int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
char *section, X509_CRL *crl);
@@ -623,7 +615,6 @@
OPENSSL_EXPORT int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
OPENSSL_EXPORT int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
-OPENSSL_EXPORT void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
OPENSSL_EXPORT char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section);
OPENSSL_EXPORT STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section);
@@ -713,9 +704,9 @@
*/
#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
-OPENSSL_EXPORT int X509_check_host(X509 *x, const unsigned char *chk, size_t chklen,
- unsigned int flags);
-OPENSSL_EXPORT int X509_check_email(X509 *x, const unsigned char *chk, size_t chklen,
+OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen,
+ unsigned int flags, char **peername);
+OPENSSL_EXPORT int X509_check_email(X509 *x, const char *chk, size_t chklen,
unsigned int flags);
OPENSSL_EXPORT int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags);
@@ -740,131 +731,125 @@
#ifdef __cplusplus
}
#endif
-#define X509V3_F_do_ext_i2d 100
-#define X509V3_F_v2i_AUTHORITY_KEYID 101
-#define X509V3_F_X509V3_parse_list 102
-#define X509V3_F_SXNET_add_id_asc 103
+#define X509V3_F_SXNET_add_id_INTEGER 100
+#define X509V3_F_SXNET_add_id_asc 101
+#define X509V3_F_SXNET_add_id_ulong 102
+#define X509V3_F_SXNET_get_id_asc 103
#define X509V3_F_SXNET_get_id_ulong 104
-#define X509V3_F_v2i_AUTHORITY_INFO_ACCESS 105
-#define X509V3_F_X509V3_EXT_add 106
-#define X509V3_F_i2s_ASN1_INTEGER 107
-#define X509V3_F_s2i_ASN1_OCTET_STRING 108
-#define X509V3_F_copy_issuer 109
-#define X509V3_F_v2i_subject_alt 110
-#define X509V3_F_copy_email 111
-#define X509V3_F_X509V3_EXT_i2d 112
-#define X509V3_F_v2i_crld 113
-#define X509V3_F_policy_section 114
-#define X509V3_F_a2i_GENERAL_NAME 115
-#define X509V3_F_hex_to_string 116
-#define X509V3_F_i2s_ASN1_IA5STRING 117
-#define X509V3_F_string_to_hex 118
-#define X509V3_F_v3_generic_extension 119
-#define X509V3_F_X509V3_get_section 120
-#define X509V3_F_s2i_skey_id 121
-#define X509V3_F_nref_nos 122
-#define X509V3_F_X509V3_get_value_bool 123
-#define X509V3_F_v2i_NAME_CONSTRAINTS 124
-#define X509V3_F_v2i_POLICY_MAPPINGS 125
-#define X509V3_F_v2i_GENERAL_NAMES 126
-#define X509V3_F_do_dirname 127
-#define X509V3_F_v2i_ASN1_BIT_STRING 128
-#define X509V3_F_SXNET_add_id_ulong 129
-#define X509V3_F_X509V3_EXT_add_alias 130
-#define X509V3_F_X509V3_add1_i2d 131
-#define X509V3_F_r2i_pci 132
-#define X509V3_F_X509V3_get_string 133
-#define X509V3_F_gnames_from_sectname 134
-#define X509V3_F_r2i_certpol 135
-#define X509V3_F_X509V3_add_value 136
+#define X509V3_F_X509V3_EXT_add 105
+#define X509V3_F_X509V3_EXT_add_alias 106
+#define X509V3_F_X509V3_EXT_free 107
+#define X509V3_F_X509V3_EXT_i2d 108
+#define X509V3_F_X509V3_EXT_nconf 109
+#define X509V3_F_X509V3_add1_i2d 110
+#define X509V3_F_X509V3_add_value 111
+#define X509V3_F_X509V3_get_section 112
+#define X509V3_F_X509V3_get_string 113
+#define X509V3_F_X509V3_get_value_bool 114
+#define X509V3_F_X509V3_parse_list 115
+#define X509V3_F_X509_PURPOSE_add 116
+#define X509V3_F_X509_PURPOSE_set 117
+#define X509V3_F_a2i_GENERAL_NAME 118
+#define X509V3_F_copy_email 119
+#define X509V3_F_copy_issuer 120
+#define X509V3_F_do_dirname 121
+#define X509V3_F_do_ext_i2d 122
+#define X509V3_F_do_ext_nconf 123
+#define X509V3_F_gnames_from_sectname 124
+#define X509V3_F_hex_to_string 125
+#define X509V3_F_i2s_ASN1_ENUMERATED 126
+#define X509V3_F_i2s_ASN1_IA5STRING 127
+#define X509V3_F_i2s_ASN1_INTEGER 128
+#define X509V3_F_i2v_AUTHORITY_INFO_ACCESS 129
+#define X509V3_F_notice_section 130
+#define X509V3_F_nref_nos 131
+#define X509V3_F_policy_section 132
+#define X509V3_F_process_pci_value 133
+#define X509V3_F_r2i_certpol 134
+#define X509V3_F_r2i_pci 135
+#define X509V3_F_s2i_ASN1_IA5STRING 136
#define X509V3_F_s2i_ASN1_INTEGER 137
-#define X509V3_F_v2i_issuer_alt 138
-#define X509V3_F_v2i_GENERAL_NAME_ex 139
-#define X509V3_F_X509V3_EXT_nconf 140
-#define X509V3_F_v2i_BASIC_CONSTRAINTS 141
-#define X509V3_F_process_pci_value 142
-#define X509V3_F_notice_section 143
-#define X509V3_F_X509_PURPOSE_set 144
-#define X509V3_F_do_ext_nconf 145
-#define X509V3_F_i2s_ASN1_ENUMERATED 146
-#define X509V3_F_s2i_ASN1_IA5STRING 147
-#define X509V3_F_v2i_POLICY_CONSTRAINTS 148
-#define X509V3_F_v2i_EXTENDED_KEY_USAGE 149
-#define X509V3_F_SXNET_get_id_asc 150
-#define X509V3_F_set_dist_point_name 151
-#define X509V3_F_v2i_idp 152
-#define X509V3_F_X509_PURPOSE_add 153
-#define X509V3_F_SXNET_add_id_INTEGER 154
-#define X509V3_F_i2v_AUTHORITY_INFO_ACCESS 155
-#define X509V3_F_X509V3_EXT_free 156
-#define X509V3_R_INVALID_BOOLEAN_STRING 100
-#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED 101
-#define X509V3_R_INVALID_NAME 102
-#define X509V3_R_OPERATION_NOT_DEFINED 103
-#define X509V3_R_POLICY_PATH_LENGTH 104
-#define X509V3_R_INVALID_PROXY_POLICY_SETTING 105
-#define X509V3_R_INVALID_ASRANGE 106
-#define X509V3_R_ERROR_CREATING_EXTENSION 107
-#define X509V3_R_ISSUER_DECODE_ERROR 108
-#define X509V3_R_OTHERNAME_ERROR 109
-#define X509V3_R_ILLEGAL_HEX_DIGIT 110
-#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 111
-#define X509V3_R_USER_TOO_LONG 112
-#define X509V3_R_INVALID_INHERITANCE 113
-#define X509V3_R_INVALID_SAFI 114
-#define X509V3_R_INVALID_NULL_VALUE 115
-#define X509V3_R_NO_SUBJECT_DETAILS 116
-#define X509V3_R_BAD_OBJECT 117
-#define X509V3_R_DIRNAME_ERROR 118
-#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 119
-#define X509V3_R_INVALID_EXTENSION_STRING 120
-#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 121
-#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 122
-#define X509V3_R_INVALID_OPTION 123
-#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 124
-#define X509V3_R_INVALID_POLICY_IDENTIFIER 125
-#define X509V3_R_INVALID_PURPOSE 126
-#define X509V3_R_UNKNOWN_EXTENSION 127
-#define X509V3_R_NO_ISSUER_CERTIFICATE 128
-#define X509V3_R_BN_DEC2BN_ERROR 129
-#define X509V3_R_EXPECTED_A_SECTION_NAME 130
-#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 131
-#define X509V3_R_MISSING_VALUE 132
-#define X509V3_R_SECTION_NOT_FOUND 133
-#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 134
-#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 135
-#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 136
-#define X509V3_R_NO_POLICY_IDENTIFIER 137
-#define X509V3_R_NO_ISSUER_DETAILS 138
+#define X509V3_F_s2i_ASN1_OCTET_STRING 138
+#define X509V3_F_s2i_skey_id 139
+#define X509V3_F_set_dist_point_name 140
+#define X509V3_F_string_to_hex 141
+#define X509V3_F_v2i_ASN1_BIT_STRING 142
+#define X509V3_F_v2i_AUTHORITY_INFO_ACCESS 143
+#define X509V3_F_v2i_AUTHORITY_KEYID 144
+#define X509V3_F_v2i_BASIC_CONSTRAINTS 145
+#define X509V3_F_v2i_EXTENDED_KEY_USAGE 146
+#define X509V3_F_v2i_GENERAL_NAMES 147
+#define X509V3_F_v2i_GENERAL_NAME_ex 148
+#define X509V3_F_v2i_NAME_CONSTRAINTS 149
+#define X509V3_F_v2i_POLICY_CONSTRAINTS 150
+#define X509V3_F_v2i_POLICY_MAPPINGS 151
+#define X509V3_F_v2i_crld 152
+#define X509V3_F_v2i_idp 153
+#define X509V3_F_v2i_issuer_alt 154
+#define X509V3_F_v2i_subject_alt 155
+#define X509V3_F_v3_generic_extension 156
+#define X509V3_R_BAD_IP_ADDRESS 100
+#define X509V3_R_BAD_OBJECT 101
+#define X509V3_R_BN_DEC2BN_ERROR 102
+#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 103
+#define X509V3_R_CANNOT_FIND_FREE_FUNCTION 104
+#define X509V3_R_DIRNAME_ERROR 105
+#define X509V3_R_DISTPOINT_ALREADY_SET 106
+#define X509V3_R_DUPLICATE_ZONE_ID 107
+#define X509V3_R_ERROR_CONVERTING_ZONE 108
+#define X509V3_R_ERROR_CREATING_EXTENSION 109
+#define X509V3_R_ERROR_IN_EXTENSION 110
+#define X509V3_R_EXPECTED_A_SECTION_NAME 111
+#define X509V3_R_EXTENSION_EXISTS 112
+#define X509V3_R_EXTENSION_NAME_ERROR 113
+#define X509V3_R_EXTENSION_NOT_FOUND 114
+#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 115
+#define X509V3_R_EXTENSION_VALUE_ERROR 116
+#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 117
+#define X509V3_R_ILLEGAL_HEX_DIGIT 118
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 119
+#define X509V3_R_INVALID_BOOLEAN_STRING 120
+#define X509V3_R_INVALID_EXTENSION_STRING 121
+#define X509V3_R_INVALID_MULTIPLE_RDNS 122
+#define X509V3_R_INVALID_NAME 123
+#define X509V3_R_INVALID_NULL_ARGUMENT 124
+#define X509V3_R_INVALID_NULL_NAME 125
+#define X509V3_R_INVALID_NULL_VALUE 126
+#define X509V3_R_INVALID_NUMBER 127
+#define X509V3_R_INVALID_NUMBERS 128
+#define X509V3_R_INVALID_OBJECT_IDENTIFIER 129
+#define X509V3_R_INVALID_OPTION 130
+#define X509V3_R_INVALID_POLICY_IDENTIFIER 131
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING 132
+#define X509V3_R_INVALID_PURPOSE 133
+#define X509V3_R_INVALID_SECTION 134
+#define X509V3_R_INVALID_SYNTAX 135
+#define X509V3_R_ISSUER_DECODE_ERROR 136
+#define X509V3_R_MISSING_VALUE 137
+#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 138
#define X509V3_R_NO_CONFIG_DATABASE 139
-#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 140
-#define X509V3_R_INVALID_SECTION 141
-#define X509V3_R_INVALID_IPADDRESS 142
-#define X509V3_R_EXTENSION_VALUE_ERROR 143
-#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 144
-#define X509V3_R_INVALID_NULL_ARGUMENT 145
-#define X509V3_R_ERROR_IN_EXTENSION 146
-#define X509V3_R_INVALID_NULL_NAME 147
-#define X509V3_R_BAD_IP_ADDRESS 148
-#define X509V3_R_UNSUPPORTED_OPTION 149
-#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 150
-#define X509V3_R_EXTENSION_EXISTS 151
-#define X509V3_R_UNKNOWN_OPTION 152
-#define X509V3_R_ERROR_CONVERTING_ZONE 153
-#define X509V3_R_NO_PUBLIC_KEY 154
-#define X509V3_R_INVALID_MULTIPLE_RDNS 155
-#define X509V3_R_INVALID_SYNTAX 156
-#define X509V3_R_UNKNOWN_EXTENSION_NAME 157
-#define X509V3_R_ODD_NUMBER_OF_DIGITS 158
-#define X509V3_R_DISTPOINT_ALREADY_SET 159
-#define X509V3_R_UNSUPPORTED_TYPE 160
-#define X509V3_R_EXTENSION_NAME_ERROR 161
-#define X509V3_R_INVALID_NUMBERS 162
-#define X509V3_R_INVALID_NUMBER 163
-#define X509V3_R_INVALID_OBJECT_IDENTIFIER 164
-#define X509V3_R_DUPLICATE_ZONE_ID 165
-#define X509V3_R_EXTENSION_NOT_FOUND 166
-#define X509V3_R_INVALID_ASNUMBER 167
-#define X509V3_R_CANNOT_FIND_FREE_FUNCTION 168
+#define X509V3_R_NO_ISSUER_CERTIFICATE 140
+#define X509V3_R_NO_ISSUER_DETAILS 141
+#define X509V3_R_NO_POLICY_IDENTIFIER 142
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 143
+#define X509V3_R_NO_PUBLIC_KEY 144
+#define X509V3_R_NO_SUBJECT_DETAILS 145
+#define X509V3_R_ODD_NUMBER_OF_DIGITS 146
+#define X509V3_R_OPERATION_NOT_DEFINED 147
+#define X509V3_R_OTHERNAME_ERROR 148
+#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 149
+#define X509V3_R_POLICY_PATH_LENGTH 150
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 151
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 152
+#define X509V3_R_SECTION_NOT_FOUND 153
+#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 154
+#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 155
+#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 156
+#define X509V3_R_UNKNOWN_EXTENSION 157
+#define X509V3_R_UNKNOWN_EXTENSION_NAME 158
+#define X509V3_R_UNKNOWN_OPTION 159
+#define X509V3_R_UNSUPPORTED_OPTION 160
+#define X509V3_R_UNSUPPORTED_TYPE 161
+#define X509V3_R_USER_TOO_LONG 162
#endif
diff --git a/src/ssl/CMakeLists.txt b/src/ssl/CMakeLists.txt
index 91bd5ea..9cc6de4 100644
--- a/src/ssl/CMakeLists.txt
+++ b/src/ssl/CMakeLists.txt
@@ -22,8 +22,7 @@
ssl_algs.c
ssl_asn1.c
ssl_cert.c
- ssl_ciph.c
- ssl_error.c
+ ssl_cipher.c
ssl_lib.c
ssl_rsa.c
ssl_sess.c
@@ -39,7 +38,7 @@
add_executable(
ssl_test
- ssl_test.c
+ ssl_test.cc
)
target_link_libraries(ssl_test ssl crypto)
diff --git a/src/ssl/d1_both.c b/src/ssl/d1_both.c
index 5edc93f..662f518 100644
--- a/src/ssl/d1_both.c
+++ b/src/ssl/d1_both.c
@@ -124,44 +124,8 @@
#include <openssl/rand.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
+#include "internal.h"
-#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8)
-
-#define RSMBLY_BITMASK_MARK(bitmask, start, end) \
- { \
- if ((end) - (start) <= 8) { \
- long ii; \
- for (ii = (start); ii < (end); ii++) \
- bitmask[((ii) >> 3)] |= (1 << ((ii)&7)); \
- } else { \
- long ii; \
- bitmask[((start) >> 3)] |= bitmask_start_values[((start)&7)]; \
- for (ii = (((start) >> 3) + 1); ii < ((((end)-1)) >> 3); ii++) \
- bitmask[ii] = 0xff; \
- bitmask[(((end)-1) >> 3)] |= bitmask_end_values[((end)&7)]; \
- } \
- }
-
-#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) \
- { \
- long ii; \
- assert((msg_len) > 0); \
- is_complete = 1; \
- if (bitmask[(((msg_len)-1) >> 3)] != bitmask_end_values[((msg_len)&7)]) \
- is_complete = 0; \
- if (is_complete) \
- for (ii = (((msg_len)-1) >> 3) - 1; ii >= 0; ii--) \
- if (bitmask[ii] != 0xff) { \
- is_complete = 0; \
- break; \
- } \
- }
-
-static const uint8_t bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8,
- 0xf0, 0xe0, 0xc0, 0x80};
-static const uint8_t bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07,
- 0x0f, 0x1f, 0x3f, 0x7f};
/* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
* for these values? Notably, why is kMinMTU a function of the transport
@@ -175,25 +139,30 @@
* the underlying BIO supplies one. */
static const unsigned int kDefaultMTU = 1500 - 28;
+/* kMaxHandshakeBuffer is the maximum number of handshake messages ahead of the
+ * current one to buffer. */
+static const unsigned int kHandshakeBufferSize = 10;
+
static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
unsigned long frag_len);
static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p);
-static long dtls1_get_message_fragment(SSL *s, int stn, long max, int *ok);
static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len,
int reassembly) {
hm_fragment *frag = NULL;
- unsigned char *buf = NULL;
- unsigned char *bitmask = NULL;
+ uint8_t *buf = NULL;
+ uint8_t *bitmask = NULL;
frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment));
if (frag == NULL) {
+ OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE);
return NULL;
}
if (frag_len) {
- buf = (unsigned char *)OPENSSL_malloc(frag_len);
+ buf = (uint8_t *)OPENSSL_malloc(frag_len);
if (buf == NULL) {
+ OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE);
OPENSSL_free(frag);
return NULL;
}
@@ -203,16 +172,22 @@
frag->fragment = buf;
/* Initialize reassembly bitmask if necessary */
- if (reassembly) {
- bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len));
+ if (reassembly && frag_len > 0) {
+ if (frag_len + 7 < frag_len) {
+ OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_OVERFLOW);
+ return NULL;
+ }
+ size_t bitmask_len = (frag_len + 7) / 8;
+ bitmask = (uint8_t *)OPENSSL_malloc(bitmask_len);
if (bitmask == NULL) {
+ OPENSSL_PUT_ERROR(SSL, dtls1_hm_fragment_new, ERR_R_MALLOC_FAILURE);
if (buf != NULL) {
OPENSSL_free(buf);
}
OPENSSL_free(frag);
return NULL;
}
- memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len));
+ memset(bitmask, 0, bitmask_len);
}
frag->reassembly = bitmask;
@@ -221,23 +196,65 @@
}
void dtls1_hm_fragment_free(hm_fragment *frag) {
- if (frag->msg_header.is_ccs) {
- /* TODO(davidben): Simplify aead_write_ctx ownership, probably by just
- * forbidding DTLS renego. */
- SSL_AEAD_CTX *aead_write_ctx =
- frag->msg_header.saved_retransmit_state.aead_write_ctx;
- if (aead_write_ctx) {
- EVP_AEAD_CTX_cleanup(&aead_write_ctx->ctx);
- OPENSSL_free(aead_write_ctx);
+ if (frag == NULL) {
+ return;
+ }
+ OPENSSL_free(frag->fragment);
+ OPENSSL_free(frag->reassembly);
+ OPENSSL_free(frag);
+}
+
+#if !defined(inline)
+#define inline __inline
+#endif
+
+/* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
+ * exclusive, set. */
+static inline uint8_t bit_range(size_t start, size_t end) {
+ return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));
+}
+
+/* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
+ * as received in |frag|. If |frag| becomes complete, it clears
+ * |frag->reassembly|. The range must be within the bounds of |frag|'s message
+ * and |frag->reassembly| must not be NULL. */
+static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
+ size_t end) {
+ size_t i;
+ size_t msg_len = frag->msg_header.msg_len;
+
+ if (frag->reassembly == NULL || start > end || end > msg_len) {
+ assert(0);
+ return;
+ }
+ /* A zero-length message will never have a pending reassembly. */
+ assert(msg_len > 0);
+
+ if ((start >> 3) == (end >> 3)) {
+ frag->reassembly[start >> 3] |= bit_range(start & 7, end & 7);
+ } else {
+ frag->reassembly[start >> 3] |= bit_range(start & 7, 8);
+ for (i = (start >> 3) + 1; i < (end >> 3); i++) {
+ frag->reassembly[i] = 0xff;
+ }
+ if ((end & 7) != 0) {
+ frag->reassembly[end >> 3] |= bit_range(0, end & 7);
}
}
- if (frag->fragment) {
- OPENSSL_free(frag->fragment);
+
+ /* Check if the fragment is complete. */
+ for (i = 0; i < (msg_len >> 3); i++) {
+ if (frag->reassembly[i] != 0xff) {
+ return;
+ }
}
- if (frag->reassembly) {
- OPENSSL_free(frag->reassembly);
+ if ((msg_len & 7) != 0 &&
+ frag->reassembly[msg_len >> 3] != bit_range(0, msg_len & 7)) {
+ return;
}
- OPENSSL_free(frag);
+
+ OPENSSL_free(frag->reassembly);
+ frag->reassembly = NULL;
}
/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
@@ -368,26 +385,189 @@
return 0;
}
+/* dtls1_is_next_message_complete returns one if the next handshake message is
+ * complete and zero otherwise. */
+static int dtls1_is_next_message_complete(SSL *s) {
+ pitem *item = pqueue_peek(s->d1->buffered_messages);
+ if (item == NULL) {
+ return 0;
+ }
-/* Obtain handshake message of message type 'mt' (any if mt == -1), maximum
- * acceptable body length 'max'. Read an entire handshake message. Handshake
- * messages arrive in fragments. */
-long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max,
- int hash_message, int *ok) {
- int i, al;
- struct hm_header_st *msg_hdr;
- uint8_t *p;
- unsigned long msg_len;
+ hm_fragment *frag = (hm_fragment *)item->data;
+ assert(s->d1->handshake_read_seq <= frag->msg_header.seq);
+
+ return s->d1->handshake_read_seq == frag->msg_header.seq &&
+ frag->reassembly == NULL;
+}
+
+/* dtls1_discard_fragment_body discards a handshake fragment body of length
+ * |frag_len|. It returns one on success and zero on error.
+ *
+ * TODO(davidben): This function will go away when ssl_read_bytes is gone from
+ * the DTLS side. */
+static int dtls1_discard_fragment_body(SSL *s, size_t frag_len) {
+ uint8_t discard[256];
+ while (frag_len > 0) {
+ size_t chunk = frag_len < sizeof(discard) ? frag_len : sizeof(discard);
+ int ret = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, discard, chunk,
+ 0);
+ if (ret != chunk) {
+ return 0;
+ }
+ frag_len -= chunk;
+ }
+ return 1;
+}
+
+/* dtls1_get_buffered_message returns the buffered message corresponding to
+ * |msg_hdr|. If none exists, it creates a new one and inserts it in the
+ * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
+ * returns NULL on failure. The caller does not take ownership of the result. */
+static hm_fragment *dtls1_get_buffered_message(
+ SSL *s, const struct hm_header_st *msg_hdr) {
+ uint8_t seq64be[8];
+ memset(seq64be, 0, sizeof(seq64be));
+ seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);
+ seq64be[7] = (uint8_t)msg_hdr->seq;
+ pitem *item = pqueue_find(s->d1->buffered_messages, seq64be);
+
+ hm_fragment *frag;
+ if (item == NULL) {
+ /* This is the first fragment from this message. */
+ frag = dtls1_hm_fragment_new(msg_hdr->msg_len,
+ 1 /* reassembly buffer needed */);
+ if (frag == NULL) {
+ return NULL;
+ }
+ memcpy(&frag->msg_header, msg_hdr, sizeof(*msg_hdr));
+ item = pitem_new(seq64be, frag);
+ if (item == NULL) {
+ dtls1_hm_fragment_free(frag);
+ return NULL;
+ }
+ item = pqueue_insert(s->d1->buffered_messages, item);
+ /* |pqueue_insert| fails iff a duplicate item is inserted, but |item| cannot
+ * be a duplicate. */
+ assert(item != NULL);
+ } else {
+ frag = item->data;
+ assert(frag->msg_header.seq == msg_hdr->seq);
+ if (frag->msg_header.type != msg_hdr->type ||
+ frag->msg_header.msg_len != msg_hdr->msg_len) {
+ /* The new fragment must be compatible with the previous fragments from
+ * this message. */
+ OPENSSL_PUT_ERROR(SSL, dtls1_get_buffered_message,
+ SSL_R_FRAGMENT_MISMATCH);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+ return NULL;
+ }
+ }
+ return frag;
+}
+
+/* dtls1_max_handshake_message_len returns the maximum number of bytes
+ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
+ * be greater if the maximum certificate list size requires it. */
+static size_t dtls1_max_handshake_message_len(const SSL *s) {
+ size_t max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
+ if (max_len < s->max_cert_list) {
+ return s->max_cert_list;
+ }
+ return max_len;
+}
+
+/* dtls1_process_fragment reads a handshake fragment and processes it. It
+ * returns one if a fragment was successfully processed and 0 or -1 on error. */
+static int dtls1_process_fragment(SSL *s) {
+ /* Read handshake message header.
+ *
+ * TODO(davidben): ssl_read_bytes allows splitting the fragment header and
+ * body across two records. Change this interface to consume the fragment in
+ * one pass. */
+ uint8_t header[DTLS1_HM_HEADER_LENGTH];
+ int ret = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, header,
+ DTLS1_HM_HEADER_LENGTH, 0);
+ if (ret <= 0) {
+ return ret;
+ }
+ if (ret != DTLS1_HM_HEADER_LENGTH) {
+ OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment, SSL_R_UNEXPECTED_MESSAGE);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+ return -1;
+ }
+
+ /* Parse the message fragment header. */
+ struct hm_header_st msg_hdr;
+ dtls1_get_message_header(header, &msg_hdr);
+
+ const size_t frag_off = msg_hdr.frag_off;
+ const size_t frag_len = msg_hdr.frag_len;
+ const size_t msg_len = msg_hdr.msg_len;
+ if (frag_off > msg_len || frag_off + frag_len < frag_off ||
+ frag_off + frag_len > msg_len ||
+ msg_len > dtls1_max_handshake_message_len(s)) {
+ OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment,
+ SSL_R_EXCESSIVE_MESSAGE_SIZE);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+ return -1;
+ }
+
+ if (msg_hdr.seq < s->d1->handshake_read_seq ||
+ msg_hdr.seq > (unsigned)s->d1->handshake_read_seq +
+ kHandshakeBufferSize) {
+ /* Ignore fragments from the past, or ones too far in the future. */
+ if (!dtls1_discard_fragment_body(s, frag_len)) {
+ return -1;
+ }
+ return 1;
+ }
+
+ hm_fragment *frag = dtls1_get_buffered_message(s, &msg_hdr);
+ if (frag == NULL) {
+ return -1;
+ }
+ assert(frag->msg_header.msg_len == msg_len);
+
+ if (frag->reassembly == NULL) {
+ /* The message is already assembled. */
+ if (!dtls1_discard_fragment_body(s, frag_len)) {
+ return -1;
+ }
+ return 1;
+ }
+ assert(msg_len > 0);
+
+ /* Read the body of the fragment. */
+ ret = s->method->ssl_read_bytes(
+ s, SSL3_RT_HANDSHAKE, frag->fragment + frag_off, frag_len, 0);
+ if (ret != frag_len) {
+ OPENSSL_PUT_ERROR(SSL, dtls1_process_fragment, SSL_R_UNEXPECTED_MESSAGE);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+ return -1;
+ }
+ dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);
+
+ return 1;
+}
+
+/* dtls1_get_message reads a handshake message of message type |msg_type| (any
+ * if |msg_type| == -1), maximum acceptable body length |max|. Read an entire
+ * handshake message. Handshake messages arrive in fragments. */
+long dtls1_get_message(SSL *s, int st1, int stn, int msg_type, long max,
+ enum ssl_hash_message_t hash_message, int *ok) {
+ pitem *item = NULL;
+ hm_fragment *frag = NULL;
+ int al;
/* s3->tmp is used to store messages that are unexpected, caused
* by the absence of an optional handshake message */
if (s->s3->tmp.reuse_message) {
- /* A SSL_GET_MESSAGE_DONT_HASH_MESSAGE call cannot be combined
- * with reuse_message; the SSL_GET_MESSAGE_DONT_HASH_MESSAGE
- * would have to have been applied to the previous call. */
- assert(hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE);
+ /* A ssl_dont_hash_message call cannot be combined with reuse_message; the
+ * ssl_dont_hash_message would have to have been applied to the previous
+ * call. */
+ assert(hash_message == ssl_hash_message);
s->s3->tmp.reuse_message = 0;
- if (mt >= 0 && s->s3->tmp.message_type != mt) {
+ if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE);
goto f_err;
@@ -398,484 +578,86 @@
return s->init_num;
}
- msg_hdr = &s->d1->r_msg_hdr;
- memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
-
-again:
- i = dtls1_get_message_fragment(s, stn, max, ok);
- if (i == DTLS1_HM_BAD_FRAGMENT ||
- i == DTLS1_HM_FRAGMENT_RETRY) {
- /* bad fragment received */
- goto again;
- } else if (i <= 0 && !*ok) {
- return i;
+ /* Process fragments until one is found. */
+ while (!dtls1_is_next_message_complete(s)) {
+ int ret = dtls1_process_fragment(s);
+ if (ret <= 0) {
+ *ok = 0;
+ return ret;
+ }
}
- p = (uint8_t *)s->init_buf->data;
- msg_len = msg_hdr->msg_len;
+ /* Read out the next complete handshake message. */
+ item = pqueue_pop(s->d1->buffered_messages);
+ assert(item != NULL);
+ frag = (hm_fragment *)item->data;
+ assert(s->d1->handshake_read_seq == frag->msg_header.seq);
+ assert(frag->reassembly == NULL);
- /* reconstruct message header */
- *(p++) = msg_hdr->type;
- l2n3(msg_len, p);
- s2n(msg_hdr->seq, p);
- l2n3(0, p);
- l2n3(msg_len, p);
- p -= DTLS1_HM_HEADER_LENGTH;
- msg_len += DTLS1_HM_HEADER_LENGTH;
-
- s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
-
- if (hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE) {
- ssl3_hash_current_message(s);
- }
- if (s->msg_callback) {
- s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, s,
- s->msg_callback_arg);
+ if (frag->msg_header.msg_len > (size_t)max) {
+ OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_EXCESSIVE_MESSAGE_SIZE);
+ goto err;
}
- memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
+ CBB cbb;
+ if (!BUF_MEM_grow(s->init_buf,
+ (size_t)frag->msg_header.msg_len +
+ DTLS1_HM_HEADER_LENGTH) ||
+ !CBB_init_fixed(&cbb, (uint8_t *)s->init_buf->data, s->init_buf->max)) {
+ OPENSSL_PUT_ERROR(SSL, dtls1_get_message, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ /* Reconstruct the assembled message. */
+ size_t len;
+ if (!CBB_add_u8(&cbb, frag->msg_header.type) ||
+ !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||
+ !CBB_add_u16(&cbb, frag->msg_header.seq) ||
+ !CBB_add_u24(&cbb, 0 /* frag_off */) ||
+ !CBB_add_u24(&cbb, frag->msg_header.msg_len) ||
+ !CBB_add_bytes(&cbb, frag->fragment, frag->msg_header.msg_len) ||
+ !CBB_finish(&cbb, NULL, &len)) {
+ CBB_cleanup(&cbb);
+ OPENSSL_PUT_ERROR(SSL, dtls1_get_message, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ assert(len == (size_t)frag->msg_header.msg_len + DTLS1_HM_HEADER_LENGTH);
s->d1->handshake_read_seq++;
+ /* TODO(davidben): This function has a lot of implicit outputs. Simplify the
+ * |ssl_get_message| API. */
+ s->s3->tmp.message_type = frag->msg_header.type;
+ s->s3->tmp.message_size = frag->msg_header.msg_len;
+ s->init_msg = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
+ s->init_num = frag->msg_header.msg_len;
+
+ if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ OPENSSL_PUT_ERROR(SSL, dtls1_get_message, SSL_R_UNEXPECTED_MESSAGE);
+ goto f_err;
+ }
+ if (hash_message == ssl_hash_message && !ssl3_hash_current_message(s)) {
+ goto err;
+ }
+ if (s->msg_callback) {
+ s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
+ s->init_num + DTLS1_HM_HEADER_LENGTH, s,
+ s->msg_callback_arg);
+ }
+
+ pitem_free(item);
+ dtls1_hm_fragment_free(frag);
+
+ s->state = stn;
+ *ok = 1;
return s->init_num;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
- *ok = 0;
- return -1;
-}
-
-static int dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr,
- int max) {
- size_t frag_off, frag_len, msg_len;
-
- msg_len = msg_hdr->msg_len;
- frag_off = msg_hdr->frag_off;
- frag_len = msg_hdr->frag_len;
-
- /* sanity checking */
- if ((frag_off + frag_len) > msg_len) {
- OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment,
- SSL_R_EXCESSIVE_MESSAGE_SIZE);
- return SSL_AD_ILLEGAL_PARAMETER;
- }
-
- if ((frag_off + frag_len) > (unsigned long)max) {
- OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment,
- SSL_R_EXCESSIVE_MESSAGE_SIZE);
- return SSL_AD_ILLEGAL_PARAMETER;
- }
-
- if (s->d1->r_msg_hdr.frag_off == 0) {
- /* first fragment */
- /* msg_len is limited to 2^24, but is effectively checked
- * against max above */
- if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
- OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment, ERR_R_BUF_LIB);
- return SSL_AD_INTERNAL_ERROR;
- }
-
- s->s3->tmp.message_size = msg_len;
- s->d1->r_msg_hdr.msg_len = msg_len;
- s->s3->tmp.message_type = msg_hdr->type;
- s->d1->r_msg_hdr.type = msg_hdr->type;
- s->d1->r_msg_hdr.seq = msg_hdr->seq;
- } else if (msg_len != s->d1->r_msg_hdr.msg_len) {
- /* They must be playing with us! BTW, failure to enforce
- * upper limit would open possibility for buffer overrun. */
- OPENSSL_PUT_ERROR(SSL, dtls1_preprocess_fragment,
- SSL_R_EXCESSIVE_MESSAGE_SIZE);
- return SSL_AD_ILLEGAL_PARAMETER;
- }
-
- return 0; /* no error */
-}
-
-
-static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) {
- /* (0) check whether the desired fragment is available
- * if so:
- * (1) copy over the fragment to s->init_buf->data[]
- * (2) update s->init_num */
- pitem *item;
- hm_fragment *frag;
- int al;
- unsigned long frag_len;
-
- *ok = 0;
- item = pqueue_peek(s->d1->buffered_messages);
- if (item == NULL) {
- return 0;
- }
-
- frag = (hm_fragment *)item->data;
-
- /* Don't return if reassembly still in progress */
- if (frag->reassembly != NULL) {
- return 0;
- }
-
- if (s->d1->handshake_read_seq != frag->msg_header.seq) {
- return 0;
- }
-
- frag_len = frag->msg_header.frag_len;
- pqueue_pop(s->d1->buffered_messages);
-
- al = dtls1_preprocess_fragment(s, &frag->msg_header, max);
-
- if (al == 0) {
- /* no alert */
- uint8_t *p = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
- memcpy(&p[frag->msg_header.frag_off], frag->fragment,
- frag->msg_header.frag_len);
- }
-
- dtls1_hm_fragment_free(frag);
+err:
pitem_free(item);
-
- if (al == 0) {
- *ok = 1;
- return frag_len;
- }
-
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
- s->init_num = 0;
- *ok = 0;
- return -1;
-}
-
-/* dtls1_max_handshake_message_len returns the maximum number of bytes
- * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
- * be greater if the maximum certificate list size requires it. */
-static unsigned long dtls1_max_handshake_message_len(const SSL *s) {
- unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
- if (max_len < (unsigned long)s->max_cert_list) {
- return s->max_cert_list;
- }
- return max_len;
-}
-
-static int dtls1_reassemble_fragment(SSL *s, const struct hm_header_st *msg_hdr,
- int *ok) {
- hm_fragment *frag = NULL;
- pitem *item = NULL;
- int i = -1, is_complete;
- uint8_t seq64be[8];
- unsigned long frag_len = msg_hdr->frag_len;
-
- if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len ||
- msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) {
- goto err;
- }
-
- if (frag_len == 0) {
- return DTLS1_HM_FRAGMENT_RETRY;
- }
-
- /* Try to find item in queue */
- memset(seq64be, 0, sizeof(seq64be));
- seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);
- seq64be[7] = (uint8_t)msg_hdr->seq;
- item = pqueue_find(s->d1->buffered_messages, seq64be);
-
- if (item == NULL) {
- frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1);
- if (frag == NULL) {
- goto err;
- }
- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
- frag->msg_header.frag_len = frag->msg_header.msg_len;
- frag->msg_header.frag_off = 0;
- } else {
- frag = (hm_fragment *)item->data;
- if (frag->msg_header.msg_len != msg_hdr->msg_len) {
- item = NULL;
- frag = NULL;
- goto err;
- }
- }
-
- /* If message is already reassembled, this must be a
- * retransmit and can be dropped. In this case item != NULL and so frag
- * does not need to be freed. */
- if (frag->reassembly == NULL) {
- uint8_t devnull[256];
-
- assert(item != NULL);
- while (frag_len) {
- i = s->method->ssl_read_bytes(
- s, SSL3_RT_HANDSHAKE, devnull,
- frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0);
- if (i <= 0) {
- goto err;
- }
- frag_len -= i;
- }
- return DTLS1_HM_FRAGMENT_RETRY;
- }
-
- /* read the body of the fragment (header has already been read */
- i = s->method->ssl_read_bytes(
- s, SSL3_RT_HANDSHAKE, frag->fragment + msg_hdr->frag_off, frag_len, 0);
- if ((unsigned long)i != frag_len) {
- i = -1;
- }
- if (i <= 0) {
- goto err;
- }
-
- RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
- (long)(msg_hdr->frag_off + frag_len));
-
- RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len,
- is_complete);
-
- if (is_complete) {
- OPENSSL_free(frag->reassembly);
- frag->reassembly = NULL;
- }
-
- if (item == NULL) {
- item = pitem_new(seq64be, frag);
- if (item == NULL) {
- i = -1;
- goto err;
- }
-
- item = pqueue_insert(s->d1->buffered_messages, item);
- /* pqueue_insert fails iff a duplicate item is inserted.
- * However, |item| cannot be a duplicate. If it were,
- * |pqueue_find|, above, would have returned it and control
- * would never have reached this branch. */
- assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
-
-err:
- if (frag != NULL && item == NULL) {
- dtls1_hm_fragment_free(frag);
- }
- *ok = 0;
- return i;
-}
-
-static int dtls1_process_out_of_seq_message(SSL *s,
- const struct hm_header_st *msg_hdr,
- int *ok) {
- int i = -1;
- hm_fragment *frag = NULL;
- pitem *item = NULL;
- uint8_t seq64be[8];
- unsigned long frag_len = msg_hdr->frag_len;
-
- if ((msg_hdr->frag_off + frag_len) > msg_hdr->msg_len) {
- goto err;
- }
-
- /* Try to find item in queue, to prevent duplicate entries */
- memset(seq64be, 0, sizeof(seq64be));
- seq64be[6] = (uint8_t)(msg_hdr->seq >> 8);
- seq64be[7] = (uint8_t)msg_hdr->seq;
- item = pqueue_find(s->d1->buffered_messages, seq64be);
-
- /* If we already have an entry and this one is a fragment,
- * don't discard it and rather try to reassemble it. */
- if (item != NULL && frag_len != msg_hdr->msg_len) {
- item = NULL;
- }
-
- /* Discard the message if sequence number was already there, is
- * too far in the future, already in the queue or if we received
- * a FINISHED before the SERVER_HELLO, which then must be a stale
- * retransmit. */
- if (msg_hdr->seq <= s->d1->handshake_read_seq ||
- msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL ||
- (s->d1->handshake_read_seq == 0 && msg_hdr->type == SSL3_MT_FINISHED)) {
- uint8_t devnull[256];
-
- while (frag_len) {
- i = s->method->ssl_read_bytes(
- s, SSL3_RT_HANDSHAKE, devnull,
- frag_len > sizeof(devnull) ? sizeof(devnull) : frag_len, 0);
- if (i <= 0) {
- goto err;
- }
- frag_len -= i;
- }
- } else {
- if (frag_len != msg_hdr->msg_len) {
- return dtls1_reassemble_fragment(s, msg_hdr, ok);
- }
-
- if (frag_len > dtls1_max_handshake_message_len(s)) {
- goto err;
- }
-
- frag = dtls1_hm_fragment_new(frag_len, 0);
- if (frag == NULL) {
- goto err;
- }
-
- memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr));
-
- if (frag_len) {
- /* read the body of the fragment (header has already been read */
- i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, frag->fragment,
- frag_len, 0);
- if ((unsigned long)i != frag_len) {
- i = -1;
- }
- if (i <= 0) {
- goto err;
- }
- }
-
- item = pitem_new(seq64be, frag);
- if (item == NULL) {
- goto err;
- }
-
- item = pqueue_insert(s->d1->buffered_messages, item);
- /* pqueue_insert fails iff a duplicate item is inserted.
- * However, |item| cannot be a duplicate. If it were,
- * |pqueue_find|, above, would have returned it. Then, either
- * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
- * to NULL and it will have been processed with
- * |dtls1_reassemble_fragment|, above, or the record will have
- * been discarded. */
- assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
-
-err:
- if (frag != NULL && item == NULL) {
- dtls1_hm_fragment_free(frag);
- }
- *ok = 0;
- return i;
-}
-
-
-static long dtls1_get_message_fragment(SSL *s, int stn, long max, int *ok) {
- uint8_t wire[DTLS1_HM_HEADER_LENGTH];
- unsigned long len, frag_off, frag_len;
- int i, al;
- struct hm_header_st msg_hdr;
-
-redo:
- /* see if we have the required fragment already */
- if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) {
- if (*ok) {
- s->init_num = frag_len;
- }
- return frag_len;
- }
-
- /* read handshake message header */
- i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, wire,
- DTLS1_HM_HEADER_LENGTH, 0);
- if (i <= 0) {
- /* nbio, or an error */
- s->rwstate = SSL_READING;
- *ok = 0;
- return i;
- }
-
- /* Handshake fails if message header is incomplete */
- if (i != DTLS1_HM_HEADER_LENGTH) {
- al = SSL_AD_UNEXPECTED_MESSAGE;
- OPENSSL_PUT_ERROR(SSL, dtls1_get_message_fragment,
- SSL_R_UNEXPECTED_MESSAGE);
- goto f_err;
- }
-
- /* parse the message fragment header */
- dtls1_get_message_header(wire, &msg_hdr);
-
- /* if this is a future (or stale) message it gets buffered
- * (or dropped)--no further processing at this time. */
- if (msg_hdr.seq != s->d1->handshake_read_seq) {
- return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
- }
-
- len = msg_hdr.msg_len;
- frag_off = msg_hdr.frag_off;
- frag_len = msg_hdr.frag_len;
-
- if (frag_len && frag_len < len) {
- return dtls1_reassemble_fragment(s, &msg_hdr, ok);
- }
-
- if (!s->server && s->d1->r_msg_hdr.frag_off == 0 &&
- wire[0] == SSL3_MT_HELLO_REQUEST) {
- /* The server may always send 'Hello Request' messages --
- * we are doing a handshake anyway now, so ignore them
- * if their format is correct. Does not count for
- * 'Finished' MAC. */
- if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) {
- if (s->msg_callback) {
- s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, wire,
- DTLS1_HM_HEADER_LENGTH, s, s->msg_callback_arg);
- }
-
- s->init_num = 0;
- goto redo;
- } else {
- /* Incorrectly formated Hello request */
- al = SSL_AD_UNEXPECTED_MESSAGE;
- OPENSSL_PUT_ERROR(SSL, dtls1_get_message_fragment,
- SSL_R_UNEXPECTED_MESSAGE);
- goto f_err;
- }
- }
-
- if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) {
- goto f_err;
- }
-
- /* XDTLS: ressurect this when restart is in place */
- s->state = stn;
-
- if (frag_len > 0) {
- uint8_t *p = (uint8_t *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
-
- i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[frag_off], frag_len,
- 0);
- /* XDTLS: fix this--message fragments cannot span multiple packets */
- if (i <= 0) {
- s->rwstate = SSL_READING;
- *ok = 0;
- return i;
- }
- } else {
- i = 0;
- }
-
- /* XDTLS: an incorrectly formatted fragment should cause the
- * handshake to fail */
- if (i != (int)frag_len) {
- al = SSL3_AD_ILLEGAL_PARAMETER;
- OPENSSL_PUT_ERROR(SSL, dtls1_get_message_fragment,
- SSL3_AD_ILLEGAL_PARAMETER);
- goto f_err;
- }
-
- *ok = 1;
-
- /* Note that s->init_num is *not* used as current offset in
- * s->init_buf->data, but as a counter summing up fragments'
- * lengths: as soon as they sum up to handshake packet
- * length, we assume we have got all the fragments. */
- s->init_num = frag_len;
- return frag_len;
-
-f_err:
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
- s->init_num = 0;
-
+ dtls1_hm_fragment_free(frag);
*ok = 0;
return -1;
}
@@ -913,7 +695,7 @@
int dtls1_read_failed(SSL *s, int code) {
if (code > 0) {
- fprintf(stderr, "invalid state reached %s:%d", __FILE__, __LINE__);
+ assert(0);
return 1;
}
@@ -929,7 +711,7 @@
return code;
}
- return dtls1_handle_timeout(s);
+ return DTLSv1_handle_timeout(s);
}
int dtls1_get_queue_priority(unsigned short seq, int is_ccs) {
@@ -944,23 +726,82 @@
return seq * 2 - is_ccs;
}
+static int dtls1_retransmit_message(SSL *s, hm_fragment *frag) {
+ int ret;
+ /* XDTLS: for now assuming that read/writes are blocking */
+ unsigned long header_length;
+ uint8_t save_write_sequence[8];
+
+ /* assert(s->init_num == 0);
+ assert(s->init_off == 0); */
+
+ if (frag->msg_header.is_ccs) {
+ header_length = DTLS1_CCS_HEADER_LENGTH;
+ } else {
+ header_length = DTLS1_HM_HEADER_LENGTH;
+ }
+
+ memcpy(s->init_buf->data, frag->fragment,
+ frag->msg_header.msg_len + header_length);
+ s->init_num = frag->msg_header.msg_len + header_length;
+
+ dtls1_set_message_header(s, frag->msg_header.type,
+ frag->msg_header.msg_len, frag->msg_header.seq,
+ 0, frag->msg_header.frag_len);
+
+ /* Save current state. */
+ SSL_AEAD_CTX *aead_write_ctx = s->aead_write_ctx;
+ uint16_t epoch = s->d1->w_epoch;
+
+ /* DTLS renegotiation is unsupported, so only epochs 0 (NULL cipher) and 1
+ * (negotiated cipher) exist. */
+ assert(epoch == 0 || epoch == 1);
+ assert(frag->msg_header.epoch <= epoch);
+ const int fragment_from_previous_epoch = (epoch == 1 &&
+ frag->msg_header.epoch == 0);
+ if (fragment_from_previous_epoch) {
+ /* Rewind to the previous epoch.
+ *
+ * TODO(davidben): Instead of swapping out connection-global state, this
+ * logic should pass a "use previous epoch" parameter down to lower-level
+ * functions. */
+ s->d1->w_epoch = frag->msg_header.epoch;
+ s->aead_write_ctx = NULL;
+ memcpy(save_write_sequence, s->s3->write_sequence,
+ sizeof(s->s3->write_sequence));
+ memcpy(s->s3->write_sequence, s->d1->last_write_sequence,
+ sizeof(s->s3->write_sequence));
+ } else {
+ /* Otherwise the messages must be from the same epoch. */
+ assert(frag->msg_header.epoch == epoch);
+ }
+
+ ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC
+ : SSL3_RT_HANDSHAKE);
+
+ if (fragment_from_previous_epoch) {
+ /* Restore the current epoch. */
+ s->aead_write_ctx = aead_write_ctx;
+ s->d1->w_epoch = epoch;
+ memcpy(s->d1->last_write_sequence, s->s3->write_sequence,
+ sizeof(s->s3->write_sequence));
+ memcpy(s->s3->write_sequence, save_write_sequence,
+ sizeof(s->s3->write_sequence));
+ }
+
+ (void)BIO_flush(SSL_get_wbio(s));
+ return ret;
+}
+
+
int dtls1_retransmit_buffered_messages(SSL *s) {
pqueue sent = s->d1->sent_messages;
- piterator iter;
+ piterator iter = pqueue_iterator(sent);
pitem *item;
- hm_fragment *frag;
- int found = 0;
-
- iter = pqueue_iterator(sent);
for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {
- frag = (hm_fragment *)item->data;
- if (dtls1_retransmit_message(
- s, (unsigned short)dtls1_get_queue_priority(
- frag->msg_header.seq, frag->msg_header.is_ccs),
- 0, &found) <= 0 &&
- found) {
- fprintf(stderr, "dtls1_retransmit_message() failed\n");
+ hm_fragment *frag = (hm_fragment *)item->data;
+ if (dtls1_retransmit_message(s, frag) <= 0) {
return -1;
}
}
@@ -998,11 +839,7 @@
frag->msg_header.frag_off = 0;
frag->msg_header.frag_len = s->d1->w_msg_hdr.msg_len;
frag->msg_header.is_ccs = is_ccs;
-
- /* save current state*/
- frag->msg_header.saved_retransmit_state.aead_write_ctx = s->aead_write_ctx;
- frag->msg_header.saved_retransmit_state.session = s->session;
- frag->msg_header.saved_retransmit_state.epoch = s->d1->w_epoch;
+ frag->msg_header.epoch = s->d1->w_epoch;
memset(seq64be, 0, sizeof(seq64be));
seq64be[6] = (uint8_t)(
@@ -1021,85 +858,6 @@
return 1;
}
-int dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
- int *found) {
- int ret;
- /* XDTLS: for now assuming that read/writes are blocking */
- pitem *item;
- hm_fragment *frag;
- unsigned long header_length;
- uint8_t seq64be[8];
- struct dtls1_retransmit_state saved_state;
- uint8_t save_write_sequence[8];
-
- /* assert(s->init_num == 0);
- assert(s->init_off == 0); */
-
- /* XDTLS: the requested message ought to be found, otherwise error */
- memset(seq64be, 0, sizeof(seq64be));
- seq64be[6] = (uint8_t)(seq >> 8);
- seq64be[7] = (uint8_t)seq;
-
- item = pqueue_find(s->d1->sent_messages, seq64be);
- if (item == NULL) {
- fprintf(stderr, "retransmit: message %d non-existant\n", seq);
- *found = 0;
- return 0;
- }
-
- *found = 1;
- frag = (hm_fragment *)item->data;
-
- if (frag->msg_header.is_ccs) {
- header_length = DTLS1_CCS_HEADER_LENGTH;
- } else {
- header_length = DTLS1_HM_HEADER_LENGTH;
- }
-
- memcpy(s->init_buf->data, frag->fragment,
- frag->msg_header.msg_len + header_length);
- s->init_num = frag->msg_header.msg_len + header_length;
-
- dtls1_set_message_header(s, frag->msg_header.type,
- frag->msg_header.msg_len, frag->msg_header.seq,
- 0, frag->msg_header.frag_len);
-
- /* save current state */
- saved_state.aead_write_ctx = s->aead_write_ctx;
- saved_state.session = s->session;
- saved_state.epoch = s->d1->w_epoch;
-
- /* restore state in which the message was originally sent */
- s->aead_write_ctx = frag->msg_header.saved_retransmit_state.aead_write_ctx;
- s->session = frag->msg_header.saved_retransmit_state.session;
- s->d1->w_epoch = frag->msg_header.saved_retransmit_state.epoch;
-
- if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) {
- memcpy(save_write_sequence, s->s3->write_sequence,
- sizeof(s->s3->write_sequence));
- memcpy(s->s3->write_sequence, s->d1->last_write_sequence,
- sizeof(s->s3->write_sequence));
- }
-
- ret = dtls1_do_write(s, frag->msg_header.is_ccs ? SSL3_RT_CHANGE_CIPHER_SPEC
- : SSL3_RT_HANDSHAKE);
-
- /* restore current state */
- s->aead_write_ctx = saved_state.aead_write_ctx;
- s->session = saved_state.session;
- s->d1->w_epoch = saved_state.epoch;
-
- if (frag->msg_header.saved_retransmit_state.epoch == saved_state.epoch - 1) {
- memcpy(s->d1->last_write_sequence, s->s3->write_sequence,
- sizeof(s->s3->write_sequence));
- memcpy(s->s3->write_sequence, save_write_sequence,
- sizeof(s->s3->write_sequence));
- }
-
- (void)BIO_flush(SSL_get_wbio(s));
- return ret;
-}
-
/* call this function when the buffered messages are no longer needed */
void dtls1_clear_record_buffer(SSL *s) {
pitem *item;
@@ -1160,12 +918,6 @@
n2l3(data, msg_hdr->frag_len);
}
-void dtls1_get_ccs_header(uint8_t *data, struct ccs_header_st *ccs_hdr) {
- memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st));
-
- ccs_hdr->type = *(data++);
-}
-
int dtls1_shutdown(SSL *s) {
int ret;
ret = ssl3_shutdown(s);
diff --git a/src/ssl/d1_clnt.c b/src/ssl/d1_clnt.c
index 3f9e814..1827a67 100644
--- a/src/ssl/d1_clnt.c
+++ b/src/ssl/d1_clnt.c
@@ -114,17 +114,19 @@
#include <assert.h>
#include <stdio.h>
+#include <string.h>
#include <openssl/bn.h>
#include <openssl/buf.h>
#include <openssl/dh.h>
#include <openssl/evp.h>
+#include <openssl/err.h>
#include <openssl/md5.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/rand.h>
-#include "ssl_locl.h"
+#include "internal.h"
static int dtls1_get_hello_verify(SSL *s);
@@ -156,7 +158,6 @@
case SSL_ST_RENEGOTIATE:
s->renegotiate = 1;
s->state = SSL_ST_CONNECT;
- s->ctx->stats.sess_connect_renegotiate++;
/* break */
case SSL_ST_CONNECT:
case SSL_ST_BEFORE | SSL_ST_CONNECT:
@@ -175,8 +176,7 @@
buf = NULL;
}
- if (!ssl3_setup_buffers(s) ||
- !ssl_init_wbio_buffer(s, 0)) {
+ if (!ssl_init_wbio_buffer(s, 0)) {
ret = -1;
goto end;
}
@@ -184,7 +184,6 @@
/* don't push the buffering BIO quite yet */
s->state = SSL3_ST_CW_CLNT_HELLO_A;
- s->ctx->stats.sess_connect++;
s->init_num = 0;
s->d1->send_cookie = 0;
s->hit = 0;
@@ -458,12 +457,6 @@
case SSL3_ST_CW_FLUSH:
s->rwstate = SSL_WRITING;
if (BIO_flush(s->wbio) <= 0) {
- /* If the write error was fatal, stop trying */
- if (!BIO_should_retry(s->wbio)) {
- s->rwstate = SSL_NOTHING;
- s->state = s->s3->tmp.next_state;
- }
-
ret = -1;
goto end;
}
@@ -483,15 +476,12 @@
s->new_session = 0;
ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
- if (s->hit) {
- s->ctx->stats.sess_hit++;
- }
ret = 1;
- s->ctx->stats.sess_connect_good++;
- if (cb != NULL)
+ if (cb != NULL) {
cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+ }
/* done with handshaking */
s->d1->handshake_read_seq = 0;
@@ -519,9 +509,7 @@
end:
s->in_handshake--;
- if (buf != NULL) {
- BUF_MEM_free(buf);
- }
+ BUF_MEM_free(buf);
if (cb != NULL) {
cb(s, SSL_CB_CONNECT_EXIT, ret);
}
@@ -538,7 +526,7 @@
s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B,
-1,
/* Use the same maximum size as ssl3_get_server_hello. */
- 20000, SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ 20000, ssl_hash_message, &ok);
if (!ok) {
return n;
@@ -556,7 +544,7 @@
!CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
CBS_len(&hello_verify_request) != 0) {
al = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_cert_status, SSL_R_DECODE_ERROR);
+ OPENSSL_PUT_ERROR(SSL, dtls1_get_hello_verify, SSL_R_DECODE_ERROR);
goto f_err;
}
diff --git a/src/ssl/d1_lib.c b/src/ssl/d1_lib.c
index 8244cb9..e53156f 100644
--- a/src/ssl/d1_lib.c
+++ b/src/ssl/d1_lib.c
@@ -58,6 +58,7 @@
#include <limits.h>
#include <stdio.h>
+#include <string.h>
#if defined(OPENSSL_WINDOWS)
#include <sys/timeb.h>
@@ -70,51 +71,17 @@
#include <openssl/mem.h>
#include <openssl/obj.h>
-#include "ssl_locl.h"
+#include "internal.h"
-static void get_current_time(OPENSSL_timeval *t);
-static OPENSSL_timeval *dtls1_get_timeout(SSL *s, OPENSSL_timeval *timeleft);
-static void dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
-static int dtls1_handshake_write(SSL *s);
+/* DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
+ * before starting to decrease the MTU. */
+#define DTLS1_MTU_TIMEOUTS 2
-const SSL3_ENC_METHOD DTLSv1_enc_data = {
- tls1_enc,
- tls1_prf,
- tls1_setup_key_block,
- tls1_generate_master_secret,
- tls1_change_cipher_state,
- tls1_final_finish_mac,
- TLS1_FINISH_MAC_LENGTH,
- tls1_cert_verify_mac,
- TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
- TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
- tls1_alert_code,
- tls1_export_keying_material,
- SSL_ENC_FLAG_DTLS|SSL_ENC_FLAG_EXPLICIT_IV,
- DTLS1_HM_HEADER_LENGTH,
- dtls1_set_handshake_header,
- dtls1_handshake_write,
-};
+/* DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
+ * before failing the DTLS handshake. */
+#define DTLS1_MAX_TIMEOUTS 12
-const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
- tls1_enc,
- tls1_prf,
- tls1_setup_key_block,
- tls1_generate_master_secret,
- tls1_change_cipher_state,
- tls1_final_finish_mac,
- TLS1_FINISH_MAC_LENGTH,
- tls1_cert_verify_mac,
- TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
- TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
- tls1_alert_code,
- tls1_export_keying_material,
- SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV | SSL_ENC_FLAG_SIGALGS |
- SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
- DTLS1_HM_HEADER_LENGTH,
- dtls1_set_handshake_header,
- dtls1_handshake_write,
-};
+static void get_current_time(const SSL *ssl, struct timeval *out_clock);
int dtls1_new(SSL *s) {
DTLS1_STATE *d1;
@@ -129,30 +96,12 @@
}
memset(d1, 0, sizeof *d1);
- d1->unprocessed_rcds.q = pqueue_new();
- d1->processed_rcds.q = pqueue_new();
d1->buffered_messages = pqueue_new();
d1->sent_messages = pqueue_new();
- d1->buffered_app_data.q = pqueue_new();
- if (!d1->unprocessed_rcds.q || !d1->processed_rcds.q ||
- !d1->buffered_messages || !d1->sent_messages ||
- !d1->buffered_app_data.q) {
- if (d1->unprocessed_rcds.q) {
- pqueue_free(d1->unprocessed_rcds.q);
- }
- if (d1->processed_rcds.q) {
- pqueue_free(d1->processed_rcds.q);
- }
- if (d1->buffered_messages) {
- pqueue_free(d1->buffered_messages);
- }
- if (d1->sent_messages) {
- pqueue_free(d1->sent_messages);
- }
- if (d1->buffered_app_data.q) {
- pqueue_free(d1->buffered_app_data.q);
- }
+ if (!d1->buffered_messages || !d1->sent_messages) {
+ pqueue_free(d1->buffered_messages);
+ pqueue_free(d1->sent_messages);
OPENSSL_free(d1);
ssl3_free(s);
return 0;
@@ -172,25 +121,6 @@
static void dtls1_clear_queues(SSL *s) {
pitem *item = NULL;
hm_fragment *frag = NULL;
- DTLS1_RECORD_DATA *rdata;
-
- while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
- rdata = (DTLS1_RECORD_DATA *)item->data;
- if (rdata->rbuf.buf) {
- OPENSSL_free(rdata->rbuf.buf);
- }
- OPENSSL_free(item->data);
- pitem_free(item);
- }
-
- while ((item = pqueue_pop(s->d1->processed_rcds.q)) != NULL) {
- rdata = (DTLS1_RECORD_DATA *)item->data;
- if (rdata->rbuf.buf) {
- OPENSSL_free(rdata->rbuf.buf);
- }
- OPENSSL_free(item->data);
- pitem_free(item);
- }
while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
frag = (hm_fragment *)item->data;
@@ -203,15 +133,6 @@
dtls1_hm_fragment_free(frag);
pitem_free(item);
}
-
- while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
- rdata = (DTLS1_RECORD_DATA *)item->data;
- if (rdata->rbuf.buf) {
- OPENSSL_free(rdata->rbuf.buf);
- }
- OPENSSL_free(item->data);
- pitem_free(item);
- }
}
void dtls1_free(SSL *s) {
@@ -223,40 +144,15 @@
dtls1_clear_queues(s);
- pqueue_free(s->d1->unprocessed_rcds.q);
- pqueue_free(s->d1->processed_rcds.q);
pqueue_free(s->d1->buffered_messages);
pqueue_free(s->d1->sent_messages);
- pqueue_free(s->d1->buffered_app_data.q);
OPENSSL_free(s->d1);
s->d1 = NULL;
}
-long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg) {
- int ret = 0;
-
- switch (cmd) {
- case DTLS_CTRL_GET_TIMEOUT:
- if (dtls1_get_timeout(s, (OPENSSL_timeval *)parg) != NULL) {
- ret = 1;
- }
- break;
-
- case DTLS_CTRL_HANDLE_TIMEOUT:
- ret = dtls1_handle_timeout(s);
- break;
-
- default:
- ret = ssl3_ctrl(s, cmd, larg, parg);
- break;
- }
-
- return ret;
-}
-
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u) {
- const SSL_CIPHER *ciph = ssl3_get_cipher(u);
+const SSL_CIPHER *dtls1_get_cipher(size_t i) {
+ const SSL_CIPHER *ciph = ssl3_get_cipher(i);
/* DTLS does not support stream ciphers. */
if (ciph == NULL || ciph->algorithm_enc == SSL_RC4) {
return NULL;
@@ -272,7 +168,7 @@
}
/* Set timeout to current time */
- get_current_time(&s->d1->next_timeout);
+ get_current_time(s, &s->d1->next_timeout);
/* Add duration to current time */
s->d1->next_timeout.tv_sec += s->d1->timeout_duration;
@@ -280,48 +176,51 @@
&s->d1->next_timeout);
}
-static OPENSSL_timeval *dtls1_get_timeout(SSL *s, OPENSSL_timeval *timeleft) {
- OPENSSL_timeval timenow;
+int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) {
+ if (!SSL_IS_DTLS(ssl)) {
+ return 0;
+ }
/* If no timeout is set, just return NULL */
- if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
- return NULL;
+ if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) {
+ return 0;
}
/* Get current time */
- get_current_time(&timenow);
+ struct timeval timenow;
+ get_current_time(ssl, &timenow);
/* If timer already expired, set remaining time to 0 */
- if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
- (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
- s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
- memset(timeleft, 0, sizeof(OPENSSL_timeval));
- return timeleft;
+ if (ssl->d1->next_timeout.tv_sec < timenow.tv_sec ||
+ (ssl->d1->next_timeout.tv_sec == timenow.tv_sec &&
+ ssl->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
+ memset(out, 0, sizeof(struct timeval));
+ return 1;
}
/* Calculate time left until timer expires */
- memcpy(timeleft, &s->d1->next_timeout, sizeof(OPENSSL_timeval));
- timeleft->tv_sec -= timenow.tv_sec;
- timeleft->tv_usec -= timenow.tv_usec;
- if (timeleft->tv_usec < 0) {
- timeleft->tv_sec--;
- timeleft->tv_usec += 1000000;
+ memcpy(out, &ssl->d1->next_timeout, sizeof(struct timeval));
+ out->tv_sec -= timenow.tv_sec;
+ out->tv_usec -= timenow.tv_usec;
+ if (out->tv_usec < 0) {
+ out->tv_sec--;
+ out->tv_usec += 1000000;
}
/* If remaining time is less than 15 ms, set it to 0 to prevent issues
* because of small devergences with socket timeouts. */
- if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
- memset(timeleft, 0, sizeof(OPENSSL_timeval));
+ if (out->tv_sec == 0 && out->tv_usec < 15000) {
+ memset(out, 0, sizeof(struct timeval));
}
- return timeleft;
+ return 1;
}
int dtls1_is_timer_expired(SSL *s) {
- OPENSSL_timeval timeleft;
+ struct timeval timeleft;
/* Get time left until timeout, return false if no timer running */
- if (dtls1_get_timeout(s, &timeleft) == NULL) {
+ if (!DTLSv1_get_timeout(s, &timeleft)) {
return 0;
}
@@ -344,8 +243,8 @@
void dtls1_stop_timer(SSL *s) {
/* Reset everything */
- memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
- memset(&s->d1->next_timeout, 0, sizeof(OPENSSL_timeval));
+ s->d1->num_timeouts = 0;
+ memset(&s->d1->next_timeout, 0, sizeof(struct timeval));
s->d1->timeout_duration = 1;
BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
&s->d1->next_timeout);
@@ -354,10 +253,10 @@
}
int dtls1_check_timeout_num(SSL *s) {
- s->d1->timeout.num_alerts++;
+ s->d1->num_timeouts++;
/* Reduce MTU after 2 unsuccessful retransmissions */
- if (s->d1->timeout.num_alerts > 2 &&
+ if (s->d1->num_timeouts > DTLS1_MTU_TIMEOUTS &&
!(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)) {
long mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0,
NULL);
@@ -366,7 +265,7 @@
}
}
- if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) {
+ if (s->d1->num_timeouts > DTLS1_MAX_TIMEOUTS) {
/* fail the connection, enough alerts have been sent */
OPENSSL_PUT_ERROR(SSL, dtls1_check_timeout_num, SSL_R_READ_TIMEOUT_EXPIRED);
return -1;
@@ -375,39 +274,43 @@
return 0;
}
-int dtls1_handle_timeout(SSL *s) {
- /* if no timer is expired, don't do anything */
- if (!dtls1_is_timer_expired(s)) {
- return 0;
- }
-
- dtls1_double_timeout(s);
-
- if (dtls1_check_timeout_num(s) < 0) {
+int DTLSv1_handle_timeout(SSL *ssl) {
+ if (!SSL_IS_DTLS(ssl)) {
return -1;
}
- s->d1->timeout.read_timeouts++;
- if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT) {
- s->d1->timeout.read_timeouts = 1;
+ /* if no timer is expired, don't do anything */
+ if (!dtls1_is_timer_expired(ssl)) {
+ return 0;
}
- dtls1_start_timer(s);
- return dtls1_retransmit_buffered_messages(s);
+ dtls1_double_timeout(ssl);
+
+ if (dtls1_check_timeout_num(ssl) < 0) {
+ return -1;
+ }
+
+ dtls1_start_timer(ssl);
+ return dtls1_retransmit_buffered_messages(ssl);
}
-static void get_current_time(OPENSSL_timeval *t) {
+static void get_current_time(const SSL *ssl, struct timeval *out_clock) {
+ if (ssl->ctx->current_time_cb != NULL) {
+ ssl->ctx->current_time_cb(ssl, out_clock);
+ return;
+ }
+
#if defined(OPENSSL_WINDOWS)
struct _timeb time;
_ftime(&time);
- t->tv_sec = time.time;
- t->tv_usec = time.millitm * 1000;
+ out_clock->tv_sec = time.time;
+ out_clock->tv_usec = time.millitm * 1000;
#else
- gettimeofday(t, NULL);
+ gettimeofday(out_clock, NULL);
#endif
}
-static void dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) {
+int dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) {
uint8_t *message = (uint8_t *)s->init_buf->data;
const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
uint8_t serialised_header[DTLS1_HM_HEADER_LENGTH];
@@ -430,10 +333,10 @@
s2n(msg_hdr->seq, p);
l2n3(0, p);
l2n3(msg_hdr->msg_len, p);
- ssl3_finish_mac(s, serialised_header, sizeof(serialised_header));
- ssl3_finish_mac(s, message + DTLS1_HM_HEADER_LENGTH, len);
+ return ssl3_finish_mac(s, serialised_header, sizeof(serialised_header)) &&
+ ssl3_finish_mac(s, message + DTLS1_HM_HEADER_LENGTH, len);
}
-static int dtls1_handshake_write(SSL *s) {
+int dtls1_handshake_write(SSL *s) {
return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
}
diff --git a/src/ssl/d1_meth.c b/src/ssl/d1_meth.c
index a894222..a11fbdd 100644
--- a/src/ssl/d1_meth.c
+++ b/src/ssl/d1_meth.c
@@ -55,32 +55,33 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
-#include "ssl_locl.h"
+#include "internal.h"
static const SSL_PROTOCOL_METHOD DTLS_protocol_method = {
- dtls1_new,
- dtls1_free,
- dtls1_accept,
- dtls1_connect,
- ssl3_read,
- ssl3_peek,
- ssl3_write,
- dtls1_shutdown,
- ssl3_renegotiate,
- ssl3_renegotiate_check,
- dtls1_get_message,
- dtls1_read_bytes,
- dtls1_write_app_data_bytes,
- dtls1_dispatch_alert,
- dtls1_ctrl,
- ssl3_ctx_ctrl,
- ssl3_pending,
- ssl3_num_ciphers,
- dtls1_get_cipher,
- ssl_undefined_void_function,
- ssl3_callback_ctrl,
- ssl3_ctx_callback_ctrl,
+ 1 /* is_dtls */,
+ dtls1_new,
+ dtls1_free,
+ dtls1_accept,
+ dtls1_connect,
+ ssl3_read,
+ ssl3_peek,
+ ssl3_write,
+ dtls1_shutdown,
+ ssl3_renegotiate,
+ ssl3_renegotiate_check,
+ dtls1_get_message,
+ dtls1_read_bytes,
+ dtls1_write_app_data_bytes,
+ dtls1_dispatch_alert,
+ ssl3_ctrl,
+ ssl3_ctx_ctrl,
+ ssl3_pending,
+ ssl3_num_ciphers,
+ dtls1_get_cipher,
+ DTLS1_HM_HEADER_LENGTH,
+ dtls1_set_handshake_header,
+ dtls1_handshake_write,
};
const SSL_METHOD *DTLS_method(void) {
diff --git a/src/ssl/d1_pkt.c b/src/ssl/d1_pkt.c
index a77ad4e..9e056ac 100644
--- a/src/ssl/d1_pkt.c
+++ b/src/ssl/d1_pkt.c
@@ -109,9 +109,9 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
-#include <stdio.h>
-#include <errno.h>
#include <assert.h>
+#include <stdio.h>
+#include <string.h>
#include <openssl/buf.h>
#include <openssl/mem.h>
@@ -119,7 +119,7 @@
#include <openssl/err.h>
#include <openssl/rand.h>
-#include "ssl_locl.h"
+#include "internal.h"
/* mod 128 saturating subtract of two 64-bit values in big-endian order */
@@ -181,152 +181,12 @@
}
}
-static int have_handshake_fragment(SSL *s, int type, uint8_t *buf, int len,
- int peek);
static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
-static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
- unsigned int *is_next_epoch);
-static int dtls1_buffer_record(SSL *s, record_pqueue *q,
- uint8_t *priority);
static int dtls1_process_record(SSL *s);
static int do_dtls1_write(SSL *s, int type, const uint8_t *buf,
unsigned int len);
-/* copy buffered record into SSL structure */
-static int dtls1_copy_record(SSL *s, pitem *item) {
- DTLS1_RECORD_DATA *rdata;
-
- rdata = (DTLS1_RECORD_DATA *)item->data;
-
- if (s->s3->rbuf.buf != NULL) {
- OPENSSL_free(s->s3->rbuf.buf);
- }
-
- s->packet = rdata->packet;
- s->packet_length = rdata->packet_length;
- memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
- memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
-
- /* Set proper sequence number for mac calculation */
- memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6);
-
- return 1;
-}
-
-static int dtls1_buffer_record(SSL *s, record_pqueue *queue,
- uint8_t *priority) {
- DTLS1_RECORD_DATA *rdata;
- pitem *item;
-
- /* Limit the size of the queue to prevent DOS attacks */
- if (pqueue_size(queue->q) >= 100) {
- return 0;
- }
-
- rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
- item = pitem_new(priority, rdata);
- if (rdata == NULL || item == NULL) {
- if (rdata != NULL) {
- OPENSSL_free(rdata);
- }
- if (item != NULL) {
- pitem_free(item);
- }
-
- OPENSSL_PUT_ERROR(SSL, dtls1_buffer_record, ERR_R_INTERNAL_ERROR);
- return -1;
- }
-
- rdata->packet = s->packet;
- rdata->packet_length = s->packet_length;
- memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER));
- memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD));
-
- item->data = rdata;
-
- s->packet = NULL;
- s->packet_length = 0;
- memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
- memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
-
- if (!ssl3_setup_buffers(s)) {
- goto internal_error;
- }
-
- /* insert should not fail, since duplicates are dropped */
- if (pqueue_insert(queue->q, item) == NULL) {
- goto internal_error;
- }
-
- return 1;
-
-internal_error:
- OPENSSL_PUT_ERROR(SSL, dtls1_buffer_record, ERR_R_INTERNAL_ERROR);
- if (rdata->rbuf.buf != NULL) {
- OPENSSL_free(rdata->rbuf.buf);
- }
- OPENSSL_free(rdata);
- pitem_free(item);
- return -1;
-}
-
-static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) {
- pitem *item;
-
- item = pqueue_pop(queue->q);
- if (item) {
- dtls1_copy_record(s, item);
-
- OPENSSL_free(item->data);
- pitem_free(item);
-
- return 1;
- }
-
- return 0;
-}
-
-/* retrieve a buffered record that belongs to the new epoch, i.e., not
- * processed yet */
-#define dtls1_get_unprocessed_record(s) \
- dtls1_retrieve_buffered_record((s), &((s)->d1->unprocessed_rcds))
-
-/* retrieve a buffered record that belongs to the current epoch, i.e.,
- * processed */
-#define dtls1_get_processed_record(s) \
- dtls1_retrieve_buffered_record((s), &((s)->d1->processed_rcds))
-
-static int dtls1_process_buffered_records(SSL *s) {
- pitem *item;
-
- item = pqueue_peek(s->d1->unprocessed_rcds.q);
- if (item) {
- /* Check if epoch is current. */
- if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) {
- return 1; /* Nothing to do. */
- }
-
- /* Process all the records. */
- while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
- dtls1_get_unprocessed_record(s);
- if (!dtls1_process_record(s)) {
- return 0;
- }
- if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
- s->s3->rrec.seq_num) < 0) {
- return -1;
- }
- }
- }
-
- /* sync epoch numbers once all the unprocessed records have been processed */
- s->d1->processed_rcds.epoch = s->d1->r_epoch;
- s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
-
- return 1;
-}
-
static int dtls1_process_record(SSL *s) {
int al;
SSL3_RECORD *rr;
@@ -405,28 +265,15 @@
SSL3_RECORD *rr;
unsigned char *p = NULL;
unsigned short version;
- DTLS1_BITMAP *bitmap;
- unsigned int is_next_epoch;
rr = &(s->s3->rrec);
- /* The epoch may have changed. If so, process all the pending records. This
- * is a non-blocking operation. */
- if (dtls1_process_buffered_records(s) < 0) {
- return -1;
- }
-
- /* If we're renegotiating, then there may be buffered records. */
- if (dtls1_get_processed_record(s)) {
- return 1;
- }
-
/* get something from the wire */
again:
/* check if we have the header */
if ((s->rstate != SSL_ST_READ_BODY) ||
(s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
- n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
+ n = ssl3_read_n(s, DTLS1_RT_HEADER_LENGTH, 0);
/* read timeout is handled by dtls1_read_bytes */
if (n <= 0) {
return n; /* error or non-blocking */
@@ -498,7 +345,7 @@
if (rr->length > s->packet_length - DTLS1_RT_HEADER_LENGTH) {
/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
i = rr->length;
- n = ssl3_read_n(s, i, i, 1);
+ n = ssl3_read_n(s, i, 1);
if (n <= 0) {
return n; /* error or non-blocking io */
}
@@ -515,16 +362,17 @@
}
s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */
- /* match epochs. NULL means the packet is dropped on the floor */
- bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
- if (bitmap == NULL) {
+ if (rr->epoch != s->d1->r_epoch) {
+ /* This record is from the wrong epoch. If it is the next epoch, it could be
+ * buffered. For simplicity, drop it and expect retransmit to handle it
+ * later; DTLS is supposed to handle packet loss. */
rr->length = 0;
- s->packet_length = 0; /* dump this record */
- goto again; /* get another record */
+ s->packet_length = 0;
+ goto again;
}
/* Check whether this is a repeat, or aged record. */
- if (!dtls1_record_replay_check(s, bitmap)) {
+ if (!dtls1_record_replay_check(s, &s->d1->bitmap)) {
rr->length = 0;
s->packet_length = 0; /* dump this record */
goto again; /* get another record */
@@ -535,28 +383,12 @@
goto again;
}
- /* If this record is from the next epoch (either HM or ALERT),
- * and a handshake is currently in progress, buffer it since it
- * cannot be processed at this time.
- */
- if (is_next_epoch) {
- if (SSL_in_init(s) || s->in_handshake) {
- if (dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0) {
- return -1;
- }
- dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
- }
- rr->length = 0;
- s->packet_length = 0;
- goto again;
- }
-
if (!dtls1_process_record(s)) {
rr->length = 0;
s->packet_length = 0; /* dump this record */
goto again; /* get another record */
}
- dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
+ dtls1_record_bitmap_update(s, &s->d1->bitmap); /* Mark receipt of record. */
return 1;
}
@@ -589,15 +421,11 @@
* none of our business
*/
int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) {
- int al, i, j, ret;
+ int al, i, ret;
unsigned int n;
SSL3_RECORD *rr;
void (*cb)(const SSL *ssl, int type2, int val) = NULL;
- if (s->s3->rbuf.buf == NULL && !ssl3_setup_buffers(s)) {
- return -1;
- }
-
/* XXX: check what the second '&& type' is about */
if ((type && (type != SSL3_RT_APPLICATION_DATA) &&
(type != SSL3_RT_HANDSHAKE) && type) ||
@@ -606,14 +434,6 @@
return -1;
}
- /* check whether there's a handshake message (client hello?) waiting */
- ret = have_handshake_fragment(s, type, buf, len, peek);
- if (ret) {
- return ret;
- }
-
- /* Now s->d1->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
-
if (!s->in_handshake && SSL_in_init(s)) {
/* type == SSL3_RT_APPLICATION_DATA */
i = s->handshake_func(s);
@@ -635,23 +455,8 @@
* s->s3->rrec.length - number of bytes. */
rr = &s->s3->rrec;
- /* We are not handshaking and have no data yet,
- * so process data buffered during the last handshake
- * in advance, if any.
- */
- if (s->state == SSL_ST_OK && rr->length == 0) {
- pitem *item;
- item = pqueue_pop(s->d1->buffered_app_data.q);
- if (item) {
- dtls1_copy_record(s, item);
-
- OPENSSL_free(item->data);
- pitem_free(item);
- }
- }
-
/* Check for timeout */
- if (dtls1_handle_timeout(s) > 0) {
+ if (DTLSv1_handle_timeout(s) > 0) {
goto start;
}
@@ -673,14 +478,11 @@
/* |change_cipher_spec is set when we receive a ChangeCipherSpec and reset by
* ssl3_get_finished. */
- if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE) {
- /* We now have application data between CCS and Finished. Most likely the
- * packets were reordered on their way, so buffer the application data for
- * later processing rather than dropping the connection. */
- if (dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num) < 0) {
- OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, ERR_R_INTERNAL_ERROR);
- return -1;
- }
+ if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE &&
+ rr->type != SSL3_RT_ALERT) {
+ /* We now have an unexpected record between CCS and Finished. Most likely
+ * the packets were reordered on their way. DTLS is unreliable, so drop the
+ * packet and expect the peer to retransmit. */
rr->length = 0;
goto start;
}
@@ -729,118 +531,25 @@
return n;
}
- /* If we get here, then type != rr->type; if we have a handshake message,
- * then it was unexpected (Hello Request or Client Hello). */
+ /* If we get here, then type != rr->type. */
- /* In case of record types for which we have 'fragment' storage, fill that so
- * that we can process the data at a fixed place. */
- {
- unsigned int k, dest_maxlen = 0;
- uint8_t *dest = NULL;
- unsigned int *dest_len = NULL;
-
- if (rr->type == SSL3_RT_HANDSHAKE) {
- dest_maxlen = sizeof s->d1->handshake_fragment;
- dest = s->d1->handshake_fragment;
- dest_len = &s->d1->handshake_fragment_len;
- } else if (rr->type == SSL3_RT_ALERT) {
- dest_maxlen = sizeof(s->d1->alert_fragment);
- dest = s->d1->alert_fragment;
- dest_len = &s->d1->alert_fragment_len;
- }
- /* else it's a CCS message, or application data or wrong */
- else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC) {
- /* Application data while renegotiating is allowed. Try again reading. */
- if (rr->type == SSL3_RT_APPLICATION_DATA) {
- BIO *bio;
- s->s3->in_read_app_data = 2;
- bio = SSL_get_rbio(s);
- s->rwstate = SSL_READING;
- BIO_clear_retry_flags(bio);
- BIO_set_retry_read(bio);
- return -1;
- }
-
- /* Not certain if this is the right error handling */
- al = SSL_AD_UNEXPECTED_MESSAGE;
- OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNEXPECTED_RECORD);
- goto f_err;
- }
-
- if (dest_maxlen > 0) {
- /* XDTLS: In a pathalogical case, the Client Hello
- * may be fragmented--don't always expect dest_maxlen bytes */
- if (rr->length < dest_maxlen) {
- s->rstate = SSL_ST_READ_HEADER;
- rr->length = 0;
- goto start;
- }
-
- /* now move 'n' bytes: */
- for (k = 0; k < dest_maxlen; k++) {
- dest[k] = rr->data[rr->off++];
- rr->length--;
- }
- *dest_len = dest_maxlen;
- }
- }
-
- /* s->d1->handshake_fragment_len == 12 iff rr->type == SSL3_RT_HANDSHAKE;
- * s->d1->alert_fragment_len == 7 iff rr->type == SSL3_RT_ALERT.
- * (Possibly rr is 'empty' now, i.e. rr->length may be 0.) */
-
- /* If we are a client, check for an incoming 'Hello Request': */
- if (!s->server && s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH &&
- s->d1->handshake_fragment[0] == SSL3_MT_HELLO_REQUEST &&
- s->session != NULL && s->session->cipher != NULL) {
- s->d1->handshake_fragment_len = 0;
-
- if ((s->d1->handshake_fragment[1] != 0) ||
- (s->d1->handshake_fragment[2] != 0) ||
- (s->d1->handshake_fragment[3] != 0)) {
+ /* If an alert record, process one alert out of the record. Note that we allow
+ * a single record to contain multiple alerts. */
+ if (rr->type == SSL3_RT_ALERT) {
+ /* Alerts may not be fragmented. */
+ if (rr->length < 2) {
al = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_BAD_HELLO_REQUEST);
+ OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_BAD_ALERT);
goto f_err;
}
- /* no need to check sequence number on HELLO REQUEST messages */
-
if (s->msg_callback) {
- s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
- s->d1->handshake_fragment, 4, s, s->msg_callback_arg);
- }
-
- if (SSL_is_init_finished(s) && !s->s3->renegotiate) {
- s->d1->handshake_read_seq++;
- s->new_session = 1;
- ssl3_renegotiate(s);
- if (ssl3_renegotiate_check(s)) {
- i = s->handshake_func(s);
- if (i < 0) {
- return i;
- }
- if (i == 0) {
- OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_SSL_HANDSHAKE_FAILURE);
- return -1;
- }
- }
- }
-
- /* we either finished a handshake or ignored the request, now try again to
- * obtain the (application) data we were asked for */
- goto start;
- }
-
- if (s->d1->alert_fragment_len >= DTLS1_AL_HEADER_LENGTH) {
- int alert_level = s->d1->alert_fragment[0];
- int alert_descr = s->d1->alert_fragment[1];
-
- s->d1->alert_fragment_len = 0;
-
- if (s->msg_callback) {
- s->msg_callback(0, s->version, SSL3_RT_ALERT, s->d1->alert_fragment, 2, s,
+ s->msg_callback(0, s->version, SSL3_RT_ALERT, &rr->data[rr->off], 2, s,
s->msg_callback_arg);
}
+ const uint8_t alert_level = rr->data[rr->off++];
+ const uint8_t alert_descr = rr->data[rr->off++];
+ rr->length -= 2;
if (s->info_callback != NULL) {
cb = s->info_callback;
@@ -849,17 +558,17 @@
}
if (cb != NULL) {
- j = (alert_level << 8) | alert_descr;
- cb(s, SSL_CB_READ_ALERT, j);
+ uint16_t alert = (alert_level << 8) | alert_descr;
+ cb(s, SSL_CB_READ_ALERT, alert);
}
- if (alert_level == 1) { /* warning */
+ if (alert_level == SSL3_AL_WARNING) {
s->s3->warn_alert = alert_descr;
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
return 0;
}
- } else if (alert_level == 2) { /* fatal */
+ } else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
s->rwstate = SSL_NOTHING;
@@ -888,16 +597,9 @@
}
if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
- struct ccs_header_st ccs_hdr;
- unsigned int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
-
- dtls1_get_ccs_header(rr->data, &ccs_hdr);
-
- /* 'Change Cipher Spec' is just a single byte, so we know
- * exactly what the record payload has to look like */
- /* XDTLS: check that epoch is consistent */
- if ((rr->length != ccs_hdr_len) || (rr->off != 0) ||
- (rr->data[0] != SSL3_MT_CCS)) {
+ /* 'Change Cipher Spec' is just a single byte, so we know exactly what the
+ * record payload has to look like */
+ if (rr->length != 1 || rr->off != 0 || rr->data[0] != SSL3_MT_CCS) {
al = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_BAD_CHANGE_CIPHER_SPEC);
goto f_err;
@@ -930,91 +632,41 @@
goto start;
}
- /* Unexpected handshake message (Client Hello, or protocol violation) */
- if ((s->d1->handshake_fragment_len >= DTLS1_HM_HEADER_LENGTH) &&
- !s->in_handshake) {
+ /* Unexpected handshake message. It may be a retransmitted Finished (the only
+ * post-CCS message). Otherwise, it's a pre-CCS handshake message from an
+ * unsupported renegotiation attempt. */
+ if (rr->type == SSL3_RT_HANDSHAKE && !s->in_handshake) {
+ if (rr->length < DTLS1_HM_HEADER_LENGTH) {
+ al = SSL_AD_DECODE_ERROR;
+ OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_BAD_HANDSHAKE_RECORD);
+ goto f_err;
+ }
struct hm_header_st msg_hdr;
+ dtls1_get_message_header(&rr->data[rr->off], &msg_hdr);
- /* this may just be a stale retransmit */
- dtls1_get_message_header(rr->data, &msg_hdr);
- if (rr->epoch != s->d1->r_epoch) {
- rr->length = 0;
- goto start;
- }
-
- /* If we are server, we may have a repeated FINISHED of the client here,
- * then retransmit our CCS and FINISHED. */
+ /* Ignore a stray Finished from the previous handshake. */
if (msg_hdr.type == SSL3_MT_FINISHED) {
- if (dtls1_check_timeout_num(s) < 0) {
- return -1;
+ if (msg_hdr.frag_off == 0) {
+ /* Retransmit our last flight of messages. If the peer sends the second
+ * Finished, they may not have received ours. Only do this for the
+ * first fragment, in case the Finished was fragmented. */
+ if (dtls1_check_timeout_num(s) < 0) {
+ return -1;
+ }
+
+ dtls1_retransmit_buffered_messages(s);
}
- dtls1_retransmit_buffered_messages(s);
rr->length = 0;
goto start;
}
-
- if ((s->state & SSL_ST_MASK) == SSL_ST_OK) {
- s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
- s->renegotiate = 1;
- s->new_session = 1;
- }
- i = s->handshake_func(s);
- if (i < 0) {
- return i;
- }
- if (i == 0) {
- OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_SSL_HANDSHAKE_FAILURE);
- return -1;
- }
-
- goto start;
}
- switch (rr->type) {
- default:
- /* TLS just ignores unknown message types */
- if (s->version == TLS1_VERSION) {
- rr->length = 0;
- goto start;
- }
- al = SSL_AD_UNEXPECTED_MESSAGE;
- OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNEXPECTED_RECORD);
- goto f_err;
+ /* We already handled these. */
+ assert(rr->type != SSL3_RT_CHANGE_CIPHER_SPEC && rr->type != SSL3_RT_ALERT);
- case SSL3_RT_CHANGE_CIPHER_SPEC:
- case SSL3_RT_ALERT:
- case SSL3_RT_HANDSHAKE:
- /* we already handled all of these, with the possible exception of
- * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not
- * happen when type != rr->type */
- al = SSL_AD_UNEXPECTED_MESSAGE;
- OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, ERR_R_INTERNAL_ERROR);
- goto f_err;
-
- case SSL3_RT_APPLICATION_DATA:
- /* At this point, we were expecting handshake data, but have application
- * data. If the library was running inside ssl3_read() (i.e.
- * in_read_app_data is set) and it makes sense to read application data
- * at this point (session renegotiation not yet started), we will indulge
- * it. */
- if (s->s3->in_read_app_data && (s->s3->total_renegotiations != 0) &&
- (((s->state & SSL_ST_CONNECT) &&
- (s->state >= SSL3_ST_CW_CLNT_HELLO_A) &&
- (s->state <= SSL3_ST_CR_SRVR_HELLO_A)) ||
- ((s->state & SSL_ST_ACCEPT) &&
- (s->state <= SSL3_ST_SW_HELLO_REQ_A) &&
- (s->state >= SSL3_ST_SR_CLNT_HELLO_A)))) {
- s->s3->in_read_app_data = 2;
- return -1;
- } else {
- al = SSL_AD_UNEXPECTED_MESSAGE;
- OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNEXPECTED_RECORD);
- goto f_err;
- }
- }
-
- /* not reached */
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ OPENSSL_PUT_ERROR(SSL, dtls1_read_bytes, SSL_R_UNEXPECTED_RECORD);
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1047,35 +699,6 @@
return i;
}
-
-/* this only happens when a client hello is received and a handshake is
- * started. */
-static int have_handshake_fragment(SSL *s, int type, uint8_t *buf,
- int len, int peek) {
- if (type == SSL3_RT_HANDSHAKE && s->d1->handshake_fragment_len > 0) {
- /* (partially) satisfy request from storage */
- uint8_t *src = s->d1->handshake_fragment;
- uint8_t *dst = buf;
- unsigned int k, n;
-
- /* peek == 0 */
- n = 0;
- while (len > 0 && s->d1->handshake_fragment_len > 0) {
- *dst++ = *src++;
- len--;
- s->d1->handshake_fragment_len--;
- n++;
- }
- /* move any remaining fragment bytes: */
- for (k = 0; k < s->d1->handshake_fragment_len; k++) {
- s->d1->handshake_fragment[k] = *src++;
- }
- return n;
- }
-
- return 0;
-}
-
/* Call this to write data in records of type 'type' It will return <= 0 if not
* all data has been sent or non-blocking IO. */
int dtls1_write_bytes(SSL *s, int type, const void *buf, int len) {
@@ -1096,12 +719,9 @@
SSL3_RECORD *wr;
SSL3_BUFFER *wb;
- /* first check if there is a SSL3_BUFFER still being written
- * out. This will happen with non blocking IO */
- if (s->s3->wbuf.left != 0) {
- assert(0); /* XDTLS: want to see if we ever get here */
- return ssl3_write_pending(s, type, buf, len);
- }
+ /* ssl3_write_pending drops the write if |BIO_write| fails in DTLS, so there
+ * is never pending data. */
+ assert(s->s3->wbuf.left == 0);
/* If we have an alert to send, lets send it */
if (s->s3->alert_dispatch) {
@@ -1119,6 +739,9 @@
wr = &(s->s3->wrec);
wb = &(s->s3->wbuf);
+ if (wb->buf == NULL && !ssl3_setup_write_buffer(s)) {
+ return -1;
+ }
p = wb->buf + prefix_len;
/* write the header */
@@ -1147,19 +770,14 @@
eivlen = s->aead_write_ctx->variable_nonce_len;
}
- /* lets setup the record stuff. */
- wr->data = p + eivlen; /* make room for IV in case of CBC */
- wr->length = (int)len;
- wr->input = (unsigned char *)buf;
-
- /* we now 'read' from wr->input, wr->length bytes into wr->data */
- memcpy(wr->data, wr->input, wr->length);
- wr->input = wr->data;
-
- /* this is true regardless of mac size */
+ /* Assemble the input for |s->enc_method->enc|. The input is the plaintext
+ * with |eivlen| bytes of space prepended for the explicit nonce. */
wr->input = p;
+ wr->length = eivlen + len;
+ memcpy(p + eivlen, buf, len);
+
+ /* Encrypt in-place, so the output also goes into |p|. */
wr->data = p;
- wr->length += eivlen;
if (!s->enc_method->enc(s, 1)) {
goto err;
@@ -1182,7 +800,9 @@
wr->type = type; /* not needed but helps for debugging */
wr->length += DTLS1_RT_HEADER_LENGTH;
- ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
+ if (!ssl3_record_sequence_update(&s->s3->write_sequence[2], 6)) {
+ goto err;
+ }
/* now let's set up wb */
wb->left = prefix_len + wr->length;
@@ -1285,23 +905,6 @@
return i;
}
-static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
- unsigned int *is_next_epoch) {
- *is_next_epoch = 0;
-
- /* In current epoch, accept HM, CCS, DATA, & ALERT */
- if (rr->epoch == s->d1->r_epoch) {
- return &s->d1->bitmap;
- } else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
- (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
- /* Only HM and ALERT messages can be from the next epoch */
- *is_next_epoch = 1;
- return &s->d1->next_bitmap;
- }
-
- return NULL;
-}
-
void dtls1_reset_seq_numbers(SSL *s, int rw) {
uint8_t *seq;
unsigned int seq_bytes = sizeof(s->s3->read_sequence);
@@ -1309,8 +912,7 @@
if (rw & SSL3_CC_READ) {
seq = s->s3->read_sequence;
s->d1->r_epoch++;
- memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
- memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
+ memset(&s->d1->bitmap, 0, sizeof(DTLS1_BITMAP));
} else {
seq = s->s3->write_sequence;
memcpy(s->d1->last_write_sequence, seq, sizeof(s->s3->write_sequence));
diff --git a/src/ssl/d1_srtp.c b/src/ssl/d1_srtp.c
index b85ff9b..5928fc8 100644
--- a/src/ssl/d1_srtp.c
+++ b/src/ssl/d1_srtp.c
@@ -115,12 +115,13 @@
*/
#include <stdio.h>
+#include <string.h>
#include <openssl/bytestring.h>
-#include <openssl/obj.h>
#include <openssl/err.h>
+#include <openssl/obj.h>
-#include "ssl_locl.h"
+#include "internal.h"
#include <openssl/srtp.h>
@@ -169,7 +170,7 @@
}
static int ssl_ctx_make_profiles(const char *profiles_string,
- STACK_OF(SRTP_PROTECTION_PROFILE) * *out) {
+ STACK_OF(SRTP_PROTECTION_PROFILE) **out) {
STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
const char *col;
diff --git a/src/ssl/d1_srvr.c b/src/ssl/d1_srvr.c
index 5bce98e..e314910 100644
--- a/src/ssl/d1_srvr.c
+++ b/src/ssl/d1_srvr.c
@@ -118,21 +118,20 @@
#include <openssl/bn.h>
#include <openssl/buf.h>
#include <openssl/dh.h>
+#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
#include <openssl/obj.h>
#include <openssl/rand.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
+#include "internal.h"
-static int dtls1_send_hello_verify_request(SSL *s);
-
int dtls1_accept(SSL *s) {
BUF_MEM *buf = NULL;
void (*cb)(const SSL *ssl, int type, int val) = NULL;
- unsigned long alg_a;
+ uint32_t alg_a;
int ret = -1;
int new_state, state, skip = 0;
@@ -180,11 +179,6 @@
buf = NULL;
}
- if (!ssl3_setup_buffers(s)) {
- ret = -1;
- goto end;
- }
-
s->init_num = 0;
if (s->state != SSL_ST_RENEGOTIATE) {
@@ -200,11 +194,9 @@
}
s->state = SSL3_ST_SR_CLNT_HELLO_A;
- s->ctx->stats.sess_accept++;
} else {
/* s->state == SSL_ST_RENEGOTIATE, * we will just send a
* HelloRequest */
- s->ctx->stats.sess_accept_renegotiate++;
s->state = SSL3_ST_SW_HELLO_REQ_A;
}
@@ -244,33 +236,10 @@
goto end;
}
dtls1_stop_timer(s);
-
- if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
- s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
- } else {
- s->state = SSL3_ST_SW_SRVR_HELLO_A;
- }
-
+ s->state = SSL3_ST_SW_SRVR_HELLO_A;
s->init_num = 0;
break;
- case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
- case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
- ret = dtls1_send_hello_verify_request(s);
- if (ret <= 0) {
- goto end;
- }
- s->state = SSL3_ST_SW_FLUSH;
- s->s3->tmp.next_state = SSL3_ST_SR_CLNT_HELLO_A;
-
- /* HelloVerifyRequest resets Finished MAC */
- if (!ssl3_init_finished_mac(s)) {
- OPENSSL_PUT_ERROR(SSL, dtls1_accept, ERR_R_INTERNAL_ERROR);
- ret = -1;
- goto end;
- }
- break;
-
case SSL3_ST_SW_SRVR_HELLO_A:
case SSL3_ST_SW_SRVR_HELLO_B:
s->renegotiate = 2;
@@ -347,13 +316,6 @@
* don't request cert during re-negotiation: */
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
- /* never request cert in anonymous ciphersuites
- * (see section "Certificate request" in SSL 3 drafts
- * and in RFC 2246): */
- ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
- /* ... except when the application insists on verification
- * (against the specs, but s3_clnt.c accepts this for SSL 3) */
- !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
/* With normal PSK Certificates and
* Certificate Requests are omitted */
(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
@@ -368,12 +330,7 @@
if (ret <= 0) {
goto end;
}
-#ifndef NETSCAPE_HANG_BUG
s->state = SSL3_ST_SW_SRVR_DONE_A;
-#else
- s->state = SSL3_ST_SW_FLUSH;
- s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
-#endif
s->init_num = 0;
}
break;
@@ -393,12 +350,6 @@
case SSL3_ST_SW_FLUSH:
s->rwstate = SSL_WRITING;
if (BIO_flush(s->wbio) <= 0) {
- /* If the write error was fatal, stop trying */
- if (!BIO_should_retry(s->wbio)) {
- s->rwstate = SSL_NOTHING;
- s->state = s->s3->tmp.next_state;
- }
-
ret = -1;
goto end;
}
@@ -527,8 +478,6 @@
ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
- s->ctx->stats.sess_accept_good++;
-
if (cb != NULL) {
cb(s, SSL_CB_HANDSHAKE_DONE, 1);
}
@@ -562,44 +511,9 @@
end:
s->in_handshake--;
- if (buf != NULL) {
- BUF_MEM_free(buf);
- }
+ BUF_MEM_free(buf);
if (cb != NULL) {
cb(s, SSL_CB_ACCEPT_EXIT, ret);
}
return ret;
}
-
-int dtls1_send_hello_verify_request(SSL *s) {
- uint8_t *msg, *p;
-
- if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
- msg = p = ssl_handshake_start(s);
- /* Always use DTLS 1.0 version: see RFC 6347 */
- *(p++) = DTLS1_VERSION >> 8;
- *(p++) = DTLS1_VERSION & 0xFF;
-
- /* Inform the callback how much space is in the
- * cookie's buffer. */
- s->d1->cookie_len = sizeof(s->d1->cookie);
-
- if (s->ctx->app_gen_cookie_cb == NULL ||
- s->ctx->app_gen_cookie_cb(s, s->d1->cookie, &(s->d1->cookie_len)) ==
- 0) {
- OPENSSL_PUT_ERROR(SSL, dtls1_send_hello_verify_request,
- ERR_R_INTERNAL_ERROR);
- return 0;
- }
-
- *(p++) = (uint8_t)s->d1->cookie_len;
- memcpy(p, s->d1->cookie, s->d1->cookie_len);
- p += s->d1->cookie_len;
-
- ssl_set_handshake_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, p - msg);
- s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
- }
-
- /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
- return ssl_do_write(s);
-}
diff --git a/src/ssl/ssl_locl.h b/src/ssl/internal.h
similarity index 79%
rename from src/ssl/ssl_locl.h
rename to src/ssl/internal.h
index a0c323c..3bd749d 100644
--- a/src/ssl/ssl_locl.h
+++ b/src/ssl/internal.h
@@ -139,25 +139,161 @@
* OTHERWISE.
*/
-#ifndef HEADER_SSL_LOCL_H
-#define HEADER_SSL_LOCL_H
+#ifndef OPENSSL_HEADER_SSL_INTERNAL_H
+#define OPENSSL_HEADER_SSL_INTERNAL_H
#include <openssl/base.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
#include <openssl/aead.h>
-#include <openssl/bio.h>
-#include <openssl/buf.h>
-#include <openssl/dsa.h>
-#include <openssl/err.h>
-#include <openssl/rsa.h>
+#include <openssl/pqueue.h>
#include <openssl/ssl.h>
#include <openssl/stack.h>
+#if defined(OPENSSL_WINDOWS)
+/* Windows defines struct timeval in winsock2.h. */
+#pragma warning(push, 3)
+#include <winsock2.h>
+#pragma warning(pop)
+#else
+#include <sys/types.h>
+#endif
+
+
+/* Cipher suites. */
+
+/* Bits for |algorithm_mkey| (key exchange algorithm). */
+#define SSL_kRSA 0x00000001L
+#define SSL_kDHE 0x00000002L
+#define SSL_kECDHE 0x00000004L
+/* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */
+#define SSL_kPSK 0x00000008L
+
+/* Bits for |algorithm_auth| (server authentication). */
+#define SSL_aRSA 0x00000001L
+#define SSL_aECDSA 0x00000002L
+/* SSL_aPSK is set for both PSK and ECDHE_PSK. */
+#define SSL_aPSK 0x00000004L
+
+/* Bits for |algorithm_enc| (symmetric encryption). */
+#define SSL_3DES 0x00000001L
+#define SSL_RC4 0x00000002L
+#define SSL_AES128 0x00000004L
+#define SSL_AES256 0x00000008L
+#define SSL_AES128GCM 0x00000010L
+#define SSL_AES256GCM 0x00000020L
+#define SSL_CHACHA20POLY1305 0x00000040L
+
+#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
+
+/* Bits for |algorithm_mac| (symmetric authentication). */
+#define SSL_MD5 0x00000001L
+#define SSL_SHA1 0x00000002L
+#define SSL_SHA256 0x00000004L
+#define SSL_SHA384 0x00000008L
+/* SSL_AEAD is set for all AEADs. */
+#define SSL_AEAD 0x00000010L
+
+/* Bits for |algorithm_ssl| (protocol version). These denote the first protocol
+ * version which introduced the cipher.
+ *
+ * TODO(davidben): These are extremely confusing, both in code and in
+ * cipher rules. Try to remove them. */
+#define SSL_SSLV3 0x00000002L
+#define SSL_TLSV1 SSL_SSLV3
+#define SSL_TLSV1_2 0x00000004L
+
+/* Bits for |algorithm2| (handshake digests and other extra flags). */
+
+#define SSL_HANDSHAKE_MAC_MD5 0x10
+#define SSL_HANDSHAKE_MAC_SHA 0x20
+#define SSL_HANDSHAKE_MAC_SHA256 0x40
+#define SSL_HANDSHAKE_MAC_SHA384 0x80
+#define SSL_HANDSHAKE_MAC_DEFAULT \
+ (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
+
+/* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new
+ * one, update the table in ssl_cipher.c. */
+#define SSL_MAX_DIGEST 4
+
+#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+#define TLS1_PRF_DGST_SHIFT 10
+#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
+#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
+
+/* SSL_CIPHER_ALGORITHM2_AEAD is a flag in SSL_CIPHER.algorithm2 which
+ * indicates that the cipher is implemented via an EVP_AEAD. */
+#define SSL_CIPHER_ALGORITHM2_AEAD (1 << 23)
+
+/* SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD is a flag in
+ * SSL_CIPHER.algorithm2 which indicates that the variable part of the nonce is
+ * included as a prefix of the record. (AES-GCM, for example, does with with an
+ * 8-byte variable nonce.) */
+#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD (1<<22)
+
+/* Bits for |algo_strength|, cipher strength information. */
+#define SSL_MEDIUM 0x00000001L
+#define SSL_HIGH 0x00000002L
+#define SSL_FIPS 0x00000004L
+
+/* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD
+ * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|
+ * and |*out_fixed_iv_len| to the MAC key length and fixed IV length,
+ * respectively. The MAC key length is zero except for legacy block and stream
+ * ciphers. It returns 1 on success and 0 on error. */
+int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
+ size_t *out_mac_secret_len,
+ size_t *out_fixed_iv_len,
+ const SSL_CIPHER *cipher, uint16_t version);
+
+/* ssl_get_handshake_digest looks up the |i|th handshake digest type and sets
+ * |*out_mask| to the |SSL_HANDSHAKE_MAC_*| mask and |*out_md| to the
+ * |EVP_MD|. It returns one on successs and zero if |i| >= |SSL_MAX_DIGEST|. */
+int ssl_get_handshake_digest(uint32_t *out_mask, const EVP_MD **out_md,
+ size_t i);
+
+/* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
+ * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
+ * |ssl_cipher_preference_list_st| containing the result.
+ * |*out_cipher_list_by_id| is set to a list of selected ciphers sorted by
+ * id. It returns |(*out_cipher_list)->ciphers| on success and NULL on
+ * failure. */
+STACK_OF(SSL_CIPHER) *
+ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
+ struct ssl_cipher_preference_list_st **out_cipher_list,
+ STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
+ const char *rule_str);
+
+/* SSL_PKEY_* denote certificate types. */
+#define SSL_PKEY_RSA_ENC 0
+#define SSL_PKEY_RSA_SIGN 1
+#define SSL_PKEY_ECC 2
+#define SSL_PKEY_NUM 3
+
+/* ssl_cipher_get_cert_index returns the |SSL_PKEY_*| value corresponding to the
+ * certificate type of |cipher| or -1 if there is none. */
+int ssl_cipher_get_cert_index(const SSL_CIPHER *cipher);
+
+/* ssl_cipher_has_server_public_key returns 1 if |cipher| involves a server
+ * public key in the key exchange, sent in a server Certificate message.
+ * Otherwise it returns 0. */
+int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher);
+
+/* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a
+ * ServerKeyExchange message. Otherwise it returns 0.
+ *
+ * Unlike ssl_cipher_has_server_public_key, some ciphers take optional
+ * ServerKeyExchanges. PSK and RSA_PSK only use the ServerKeyExchange to
+ * communicate a psk_identity_hint, so it is optional. */
+int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher);
+
+
+/* Underdocumented functions.
+ *
+ * Functions below here haven't been touched up and may be underdocumented. */
#define c2l(c, l) \
(l = ((unsigned long)(*((c)++))), l |= (((unsigned long)(*((c)++))) << 8), \
@@ -261,110 +397,10 @@
/* LOCAL STUFF */
-#define SSL_DECRYPT 0
-#define SSL_ENCRYPT 1
-
-#define TWO_BYTE_BIT 0x80
-#define SEC_ESC_BIT 0x40
-#define TWO_BYTE_MASK 0x7fff
-#define THREE_BYTE_MASK 0x3fff
-
-#define INC32(a) ((a) = ((a) + 1) & 0xffffffffL)
-#define DEC32(a) ((a) = ((a)-1) & 0xffffffffL)
-#define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
-
-/* Define the Bitmasks for SSL_CIPHER.algorithms.
- *
- * This bits are used packed as dense as possible. If new methods/ciphers etc
- * will be added, the bits a likely to change, so this information is for
- * internal library use only, even though SSL_CIPHER.algorithms can be publicly
- * accessed. Use the according functions for cipher management instead.
- *
- * The bit mask handling in the selection and sorting scheme in
- * ssl_create_cipher_list() has only limited capabilities, reflecting that the
- * different entities within are mutually exclusive:
- * ONLY ONE BIT PER MASK CAN BE SET AT A TIME. */
-
-/* Bits for algorithm_mkey (key exchange algorithm) */
-#define SSL_kRSA 0x00000001L /* RSA key exchange */
-#define SSL_kEDH 0x00000002L /* tmp DH key no DH cert */
-#define SSL_kEECDH 0x00000004L /* ephemeral ECDH */
-#define SSL_kPSK 0x00000008L /* PSK */
-
-/* Bits for algorithm_auth (server authentication) */
-#define SSL_aRSA 0x00000001L /* RSA auth */
-#define SSL_aNULL 0x00000002L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aECDSA 0x00000004L /* ECDSA auth*/
-#define SSL_aPSK 0x00000008L /* PSK auth */
-
-/* Bits for algorithm_enc (symmetric encryption) */
-#define SSL_3DES 0x00000001L
-#define SSL_RC4 0x00000002L
-#define SSL_AES128 0x00000004L
-#define SSL_AES256 0x00000008L
-#define SSL_AES128GCM 0x00000010L
-#define SSL_AES256GCM 0x00000020L
-#define SSL_CHACHA20POLY1305 0x00000040L
-
-#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
-
-/* Bits for algorithm_mac (symmetric authentication) */
-
-#define SSL_MD5 0x00000001L
-#define SSL_SHA1 0x00000002L
-#define SSL_SHA256 0x00000004L
-#define SSL_SHA384 0x00000008L
-/* Not a real MAC, just an indication it is part of cipher */
-#define SSL_AEAD 0x00000010L
-
-/* Bits for algorithm_ssl (protocol version) */
-#define SSL_SSLV3 0x00000002L
-#define SSL_TLSV1 SSL_SSLV3 /* for now */
-#define SSL_TLSV1_2 0x00000004L
-
-/* Bits for algorithm2 (handshake digests and other extra flags) */
-
-#define SSL_HANDSHAKE_MAC_MD5 0x10
-#define SSL_HANDSHAKE_MAC_SHA 0x20
-#define SSL_HANDSHAKE_MAC_SHA256 0x40
-#define SSL_HANDSHAKE_MAC_SHA384 0x80
-#define SSL_HANDSHAKE_MAC_DEFAULT \
- (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA)
-
-/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX
- * make sure to update this constant too */
-#define SSL_MAX_DIGEST 4
-
-#define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
-
-#define TLS1_PRF_DGST_SHIFT 10
-#define TLS1_PRF_MD5 (SSL_HANDSHAKE_MAC_MD5 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_SHA1 (SSL_HANDSHAKE_MAC_SHA << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_SHA256 (SSL_HANDSHAKE_MAC_SHA256 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF_SHA384 (SSL_HANDSHAKE_MAC_SHA384 << TLS1_PRF_DGST_SHIFT)
-#define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1)
-
#define TLSEXT_CHANNEL_ID_SIZE 128
-/* SSL_CIPHER_ALGORITHM2_AEAD is a flag in SSL_CIPHER.algorithm2 which
- * indicates that the cipher is implemented via an EVP_AEAD. */
-#define SSL_CIPHER_ALGORITHM2_AEAD (1 << 23)
-
-/* SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD is a flag in
- * SSL_CIPHER.algorithm2 which indicates that the variable part of the nonce is
- * included as a prefix of the record. (AES-GCM, for example, does with with an
- * 8-byte variable nonce.) */
-#define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD (1<<22)
-
-/* Cipher strength information. */
-#define SSL_MEDIUM 0x00000001L
-#define SSL_HIGH 0x00000002L
-#define SSL_FIPS 0x00000004L
-
-/* we have used 000001ff - 23 bits left to go */
-
/* Check if an SSL structure is using DTLS */
-#define SSL_IS_DTLS(s) (s->enc_method->enc_flags & SSL_ENC_FLAG_DTLS)
+#define SSL_IS_DTLS(s) (s->method->is_dtls)
/* See if we need explicit IV */
#define SSL_USE_EXPLICIT_IV(s) \
(s->enc_method->enc_flags & SSL_ENC_FLAG_EXPLICIT_IV)
@@ -381,36 +417,30 @@
((SSL_IS_DTLS(s) && s->client_version <= DTLS1_2_VERSION) || \
(!SSL_IS_DTLS(s) && s->client_version >= TLS1_2_VERSION))
-/* Mostly for SSLv3 */
-#define SSL_PKEY_RSA_ENC 0
-#define SSL_PKEY_RSA_SIGN 1
-#define SSL_PKEY_ECC 2
-#define SSL_PKEY_NUM 3
-
/* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) |
* <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN)
* SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
- * SSL_kEDH <- RSA_ENC | RSA_SIGN | DSA_SIGN
+ * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN
* SSL_aRSA <- RSA_ENC | RSA_SIGN
* SSL_aDSS <- DSA_SIGN */
#define PENDING_SESSION -10000
-#define CERTIFICATE_SELECTION_PENDING -10001
/* From RFC4492, used in encoding the curve type in ECParameters */
#define EXPLICIT_PRIME_CURVE_TYPE 1
#define EXPLICIT_CHAR2_CURVE_TYPE 2
#define NAMED_CURVE_TYPE 3
-/* Values for the |hash_message| parameter of |s->method->ssl_get_message|. */
-#define SSL_GET_MESSAGE_DONT_HASH_MESSAGE 0
-#define SSL_GET_MESSAGE_HASH_MESSAGE 1
+enum ssl_hash_message_t {
+ ssl_dont_hash_message,
+ ssl_hash_message,
+};
typedef struct cert_pkey_st {
X509 *x509;
EVP_PKEY *privatekey;
/* Chain for this certificate */
- STACK_OF(X509) * chain;
+ STACK_OF(X509) *chain;
} CERT_PKEY;
typedef struct cert_st {
@@ -428,19 +458,20 @@
* round-about way of checking the server's cipher was one of the advertised
* ones. (Currently it checks the masks and then the list of ciphers prior to
* applying the masks in ClientHello.) */
- unsigned long mask_k;
- unsigned long mask_a;
- unsigned long mask_ssl;
+ uint32_t mask_k;
+ uint32_t mask_a;
+ uint32_t mask_ssl;
DH *dh_tmp;
DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize);
- EC_KEY *ecdh_tmp;
- /* Callback for generating ephemeral ECDH keys */
+
+ /* ecdh_nid, if not |NID_undef|, is the NID of the curve to use for ephemeral
+ * ECDH keys. If unset, |ecdh_tmp_cb| is consulted. */
+ int ecdh_nid;
+ /* ecdh_tmp_cb is a callback for selecting the curve to use for ephemeral ECDH
+ * keys. If NULL, a curve is selected automatically. See
+ * |SSL_CTX_set_tmp_ecdh_callback|. */
EC_KEY *(*ecdh_tmp_cb)(SSL *ssl, int is_export, int keysize);
- /* Select ECDH parameters automatically */
- int ecdh_tmp_auto;
- /* Flags related to certificates */
- unsigned int cert_flags;
CERT_PKEY pkeys[SSL_PKEY_NUM];
/* Server-only: client_certificate_types is list of certificate types to
@@ -488,14 +519,10 @@
* If NULL the parent SSL_CTX store is used instead. */
X509_STORE *chain_store;
X509_STORE *verify_store;
-
- /* Raw values of the cipher list from a client */
- uint8_t *ciphers_raw;
- size_t ciphers_rawlen;
} CERT;
typedef struct sess_cert_st {
- STACK_OF(X509) * cert_chain; /* as received from peer (not for SSL2) */
+ STACK_OF(X509) *cert_chain; /* as received from peer (not for SSL2) */
/* The 'peer_...' members are used only by clients. */
int peer_cert_type;
@@ -535,6 +562,8 @@
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
struct ssl_protocol_method_st {
+ /* is_dtls is one if the protocol is DTLS and zero otherwise. */
+ char is_dtls;
int (*ssl_new)(SSL *s);
void (*ssl_free)(SSL *s);
int (*ssl_accept)(SSL *s);
@@ -546,18 +575,22 @@
int (*ssl_renegotiate)(SSL *s);
int (*ssl_renegotiate_check)(SSL *s);
long (*ssl_get_message)(SSL *s, int header_state, int body_state,
- int msg_type, long max, int hash_message, int *ok);
+ int msg_type, long max,
+ enum ssl_hash_message_t hash_message, int *ok);
int (*ssl_read_bytes)(SSL *s, int type, uint8_t *buf, int len, int peek);
int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len);
int (*ssl_dispatch_alert)(SSL *s);
long (*ssl_ctrl)(SSL *s, int cmd, long larg, void *parg);
long (*ssl_ctx_ctrl)(SSL_CTX *ctx, int cmd, long larg, void *parg);
int (*ssl_pending)(const SSL *s);
- int (*num_ciphers)(void);
- const SSL_CIPHER *(*get_cipher)(unsigned ncipher);
- int (*ssl_version)(void);
- long (*ssl_callback_ctrl)(SSL *s, int cb_id, void (*fp)(void));
- long (*ssl_ctx_callback_ctrl)(SSL_CTX *s, int cb_id, void (*fp)(void));
+ size_t (*num_ciphers)(void);
+ const SSL_CIPHER *(*get_cipher)(size_t i);
+ /* Handshake header length */
+ unsigned int hhlen;
+ /* Set the handshake header */
+ int (*set_handshake_header)(SSL *s, int type, unsigned long len);
+ /* Write out handshake message */
+ int (*do_write)(SSL *s);
};
/* This is for the SSLv3/TLSv1.0 differences in crypto/hash stuff It is a bit
@@ -570,7 +603,6 @@
int (*generate_master_secret)(SSL *, uint8_t *, const uint8_t *, size_t);
int (*change_cipher_state)(SSL *, int);
int (*final_finish_mac)(SSL *, const char *, int, uint8_t *);
- int finish_mac_length;
int (*cert_verify_mac)(SSL *, int, uint8_t *);
const char *client_finished_label;
int client_finished_label_len;
@@ -581,20 +613,14 @@
const uint8_t *, size_t, int use_context);
/* Various flags indicating protocol version requirements */
unsigned int enc_flags;
- /* Handshake header length */
- unsigned int hhlen;
- /* Set the handshake header */
- void (*set_handshake_header)(SSL *s, int type, unsigned long len);
- /* Write out handshake message */
- int (*do_write)(SSL *s);
};
-#define SSL_HM_HEADER_LENGTH(s) s->enc_method->hhlen
+#define SSL_HM_HEADER_LENGTH(s) s->method->hhlen
#define ssl_handshake_start(s) \
- (((uint8_t *)s->init_buf->data) + s->enc_method->hhlen)
+ (((uint8_t *)s->init_buf->data) + s->method->hhlen)
#define ssl_set_handshake_header(s, htype, len) \
- s->enc_method->set_handshake_header(s, htype, len)
-#define ssl_do_write(s) s->enc_method->do_write(s)
+ s->method->set_handshake_header(s, htype, len)
+#define ssl_do_write(s) s->method->do_write(s)
/* Values for enc_flags */
@@ -604,11 +630,9 @@
#define SSL_ENC_FLAG_SIGALGS 0x2
/* Uses SHA256 default PRF */
#define SSL_ENC_FLAG_SHA256_PRF 0x4
-/* Is DTLS */
-#define SSL_ENC_FLAG_DTLS 0x8
/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2:
* may apply to others in future. */
-#define SSL_ENC_FLAG_TLS1_2_CIPHERS 0x10
+#define SSL_ENC_FLAG_TLS1_2_CIPHERS 0x8
/* ssl_aead_ctx_st contains information about an AEAD that is being used to
* encrypt an SSL connection. */
@@ -633,20 +657,117 @@
char omit_version_in_ad;
};
+/* lengths of messages */
+#define DTLS1_COOKIE_LENGTH 256
+
+#define DTLS1_RT_HEADER_LENGTH 13
+
+#define DTLS1_HM_HEADER_LENGTH 12
+
+#define DTLS1_CCS_HEADER_LENGTH 1
+
+#define DTLS1_AL_HEADER_LENGTH 2
+
+typedef struct dtls1_bitmap_st {
+ /* map is a bit mask of the last 64 sequence numbers. Bit
+ * |1<<i| corresponds to |max_seq_num - i|. */
+ uint64_t map;
+ /* max_seq_num is the largest sequence number seen so far. It
+ * is a 64-bit value in big-endian encoding. */
+ uint8_t max_seq_num[8];
+} DTLS1_BITMAP;
+
+/* TODO(davidben): This structure is used for both incoming messages and
+ * outgoing messages. |is_ccs| and |epoch| are only used in the latter and
+ * should be moved elsewhere. */
+struct hm_header_st {
+ uint8_t type;
+ uint32_t msg_len;
+ uint16_t seq;
+ uint32_t frag_off;
+ uint32_t frag_len;
+ int is_ccs;
+ /* epoch, for buffered outgoing messages, is the epoch the message was
+ * originally sent in. */
+ uint16_t epoch;
+};
+
+/* TODO(davidben): This structure is used for both incoming messages and
+ * outgoing messages. |fragment| and |reassembly| are only used in the former
+ * and should be moved elsewhere. */
+typedef struct hm_fragment_st {
+ struct hm_header_st msg_header;
+ uint8_t *fragment;
+ uint8_t *reassembly;
+} hm_fragment;
+
+typedef struct dtls1_state_st {
+ /* send_cookie is true if we are resending the ClientHello
+ * with a cookie from a HelloVerifyRequest. */
+ unsigned int send_cookie;
+
+ uint8_t cookie[DTLS1_COOKIE_LENGTH];
+ size_t cookie_len;
+
+ /* The current data and handshake epoch. This is initially undefined, and
+ * starts at zero once the initial handshake is completed. */
+ uint16_t r_epoch;
+ uint16_t w_epoch;
+
+ /* records being received in the current epoch */
+ DTLS1_BITMAP bitmap;
+
+ /* handshake message numbers */
+ uint16_t handshake_write_seq;
+ uint16_t next_handshake_write_seq;
+
+ uint16_t handshake_read_seq;
+
+ /* save last sequence number for retransmissions */
+ uint8_t last_write_sequence[8];
+
+ /* buffered_messages is a priority queue of incoming handshake messages that
+ * have yet to be processed.
+ *
+ * TODO(davidben): This data structure may as well be a ring buffer of fixed
+ * size. */
+ pqueue buffered_messages;
+
+ /* send_messages is a priority queue of outgoing handshake messages sent in
+ * the most recent handshake flight.
+ *
+ * TODO(davidben): This data structure may as well be a STACK_OF(T). */
+ pqueue sent_messages;
+
+ unsigned int mtu; /* max DTLS packet size */
+
+ struct hm_header_st w_msg_hdr;
+
+ /* num_timeouts is the number of times the retransmit timer has fired since
+ * the last time it was reset. */
+ unsigned int num_timeouts;
+
+ /* Indicates when the last handshake msg or heartbeat sent will
+ * timeout. */
+ struct timeval next_timeout;
+
+ /* Timeout duration */
+ unsigned short timeout_duration;
+
+ unsigned int change_cipher_spec_ok;
+} DTLS1_STATE;
+
extern const SSL_CIPHER ssl3_ciphers[];
extern const SSL3_ENC_METHOD TLSv1_enc_data;
extern const SSL3_ENC_METHOD TLSv1_1_enc_data;
extern const SSL3_ENC_METHOD TLSv1_2_enc_data;
extern const SSL3_ENC_METHOD SSLv3_enc_data;
-extern const SSL3_ENC_METHOD DTLSv1_enc_data;
-extern const SSL3_ENC_METHOD DTLSv1_2_enc_data;
void ssl_clear_cipher_ctx(SSL *s);
int ssl_clear_bad_session(SSL *s);
CERT *ssl_cert_new(void);
CERT *ssl_cert_dup(CERT *cert);
-int ssl_cert_inst(CERT **o);
void ssl_cert_clear_certs(CERT *c);
void ssl_cert_free(CERT *c);
SESS_CERT *ssl_sess_cert_new(void);
@@ -655,50 +776,27 @@
int ssl_get_prev_session(SSL *s, const struct ssl_early_callback_ctx *ctx);
int ssl_cipher_id_cmp(const void *in_a, const void *in_b);
int ssl_cipher_ptr_id_cmp(const SSL_CIPHER **ap, const SSL_CIPHER **bp);
-STACK_OF(SSL_CIPHER) * ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs);
-int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) * sk, uint8_t *p);
-STACK_OF(SSL_CIPHER) *
- ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *meth,
- struct ssl_cipher_preference_list_st **pref,
- STACK_OF(SSL_CIPHER) * *sorted, const char *rule_str,
- CERT *c);
+STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs);
+int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, uint8_t *p);
struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_dup(
struct ssl_cipher_preference_list_st *cipher_list);
void ssl_cipher_preference_list_free(
struct ssl_cipher_preference_list_st *cipher_list);
struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_from_ciphers(
- STACK_OF(SSL_CIPHER) * ciphers);
+ STACK_OF(SSL_CIPHER) *ciphers);
struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(SSL *s);
-/* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD
-* object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|
-* and |*out_fixed_iv_len| to the MAC key length and fixed IV length,
-* respectively. The MAC key length is zero except for legacy block and stream
-* ciphers. It returns 1 on success and 0 on error. */
-int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
- size_t *out_mac_secret_len,
- size_t *out_fixed_iv_len,
- const SSL_CIPHER *cipher, uint16_t version);
-
-int ssl_get_handshake_digest(size_t i, long *mask, const EVP_MD **md);
-int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
-int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher);
-int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher);
-
-int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) * chain);
-int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) * chain);
+int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain);
+int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain);
int ssl_cert_add0_chain_cert(CERT *c, X509 *x);
int ssl_cert_add1_chain_cert(CERT *c, X509 *x);
int ssl_cert_select_current(CERT *c, X509 *x);
void ssl_cert_set_cert_cb(CERT *c, int (*cb)(SSL *ssl, void *arg), void *arg);
-int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) * sk);
+int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk);
int ssl_add_cert_chain(SSL *s, CERT_PKEY *cpk, unsigned long *l);
int ssl_build_cert_chain(CERT *c, X509_STORE *chain_store, int flags);
int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref);
-int ssl_undefined_function(SSL *s);
-int ssl_undefined_void_function(void);
-int ssl_undefined_const_function(const SSL *s);
CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c);
int ssl_cert_type(EVP_PKEY *pkey);
@@ -707,10 +805,10 @@
* authentication cipher suite masks compatible with the server configuration
* and current ClientHello parameters of |s|. It sets |*out_mask_k| to the key
* exchange mask and |*out_mask_a| to the authentication mask. */
-void ssl_get_compatible_server_ciphers(SSL *s, unsigned long *out_mask_k,
- unsigned long *out_mask_a);
+void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k,
+ uint32_t *out_mask_a);
-STACK_OF(SSL_CIPHER) * ssl_get_ciphers_by_id(SSL *s);
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
int ssl_verify_alarm_type(long type);
int ssl_fill_hello_random(SSL *s, int server, uint8_t *field, size_t len);
@@ -731,11 +829,11 @@
int ssl3_send_alert(SSL *s, int level, int desc);
int ssl3_get_req_cert_type(SSL *s, uint8_t *p);
long ssl3_get_message(SSL *s, int header_state, int body_state, int msg_type,
- long max, int hash_message, int *ok);
+ long max, enum ssl_hash_message_t hash_message, int *ok);
-/* ssl3_hash_current_message incorporates the current handshake message into
- * the handshake hash. */
-void ssl3_hash_current_message(SSL *s);
+/* ssl3_hash_current_message incorporates the current handshake message into the
+ * handshake hash. It returns one on success and zero on allocation failure. */
+int ssl3_hash_current_message(SSL *s);
/* ssl3_cert_verify_hash writes the CertificateVerify hash into the bytes
* pointed to by |out| and writes the number of bytes to |*out_len|. |out| must
@@ -747,8 +845,8 @@
const EVP_MD **out_md, EVP_PKEY *pkey);
int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen);
-int ssl3_num_ciphers(void);
-const SSL_CIPHER *ssl3_get_cipher(unsigned int u);
+size_t ssl3_num_ciphers(void);
+const SSL_CIPHER *ssl3_get_cipher(size_t i);
int ssl3_renegotiate(SSL *ssl);
int ssl3_renegotiate_check(SSL *ssl);
int ssl3_dispatch_alert(SSL *s);
@@ -757,13 +855,12 @@
int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
int ssl3_final_finish_mac(SSL *s, const char *sender, int slen, uint8_t *p);
int ssl3_cert_verify_mac(SSL *s, int md_nid, uint8_t *p);
-void ssl3_finish_mac(SSL *s, const uint8_t *buf, int len);
+int ssl3_finish_mac(SSL *s, const uint8_t *buf, int len);
void ssl3_free_digest_list(SSL *s);
-unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
+int ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk);
const SSL_CIPHER *ssl3_choose_cipher(
- SSL *ssl, STACK_OF(SSL_CIPHER) * clnt,
+ SSL *ssl, STACK_OF(SSL_CIPHER) *clnt,
struct ssl_cipher_preference_list_st *srvr);
-int ssl3_setup_buffers(SSL *s);
int ssl3_setup_read_buffer(SSL *s);
int ssl3_setup_write_buffer(SSL *s);
int ssl3_release_read_buffer(SSL *s);
@@ -785,18 +882,19 @@
int ssl3_shutdown(SSL *s);
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg);
long ssl3_ctx_ctrl(SSL_CTX *s, int cmd, long larg, void *parg);
-long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void));
-long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp)(void));
int ssl3_pending(const SSL *s);
-void ssl3_record_sequence_update(uint8_t *seq);
+/* ssl3_record_sequence_update increments the sequence number in |seq|. It
+ * returns one on success and zero on wraparound. */
+int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len);
+
int ssl3_do_change_cipher_spec(SSL *ssl);
-void ssl3_set_handshake_header(SSL *s, int htype, unsigned long len);
+int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len);
int ssl3_handshake_write(SSL *s);
int dtls1_do_write(SSL *s, int type);
-int ssl3_read_n(SSL *s, int n, int max, int extend);
+int ssl3_read_n(SSL *s, int n, int extend);
int dtls1_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek);
int ssl3_write_pending(SSL *s, int type, const uint8_t *buf, unsigned int len);
void dtls1_set_message_header(SSL *s, uint8_t mt, unsigned long len,
@@ -810,17 +908,16 @@
int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen);
int dtls1_read_failed(SSL *s, int code);
int dtls1_buffer_message(SSL *s, int ccs);
-int dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
- int *found);
int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
int dtls1_retransmit_buffered_messages(SSL *s);
void dtls1_clear_record_buffer(SSL *s);
void dtls1_get_message_header(uint8_t *data, struct hm_header_st *msg_hdr);
-void dtls1_get_ccs_header(uint8_t *data, struct ccs_header_st *ccs_hdr);
void dtls1_reset_seq_numbers(SSL *s, int rw);
int dtls1_check_timeout_num(SSL *s);
-int dtls1_handle_timeout(SSL *s);
-const SSL_CIPHER *dtls1_get_cipher(unsigned int u);
+int dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
+int dtls1_handshake_write(SSL *s);
+
+const SSL_CIPHER *dtls1_get_cipher(size_t i);
void dtls1_start_timer(SSL *s);
void dtls1_stop_timer(SSL *s);
int dtls1_is_timer_expired(SSL *s);
@@ -866,11 +963,10 @@
int dtls1_accept(SSL *s);
int dtls1_connect(SSL *s);
void dtls1_free(SSL *s);
-long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg);
int dtls1_shutdown(SSL *s);
long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max,
- int hash_message, int *ok);
+ enum ssl_hash_message_t hash_message, int *ok);
int dtls1_get_record(SSL *s);
int dtls1_dispatch_alert(SSL *s);
@@ -895,9 +991,10 @@
int tls1_cert_verify_mac(SSL *s, int md_nid, uint8_t *p);
int tls1_generate_master_secret(SSL *s, uint8_t *out, const uint8_t *premaster,
size_t premaster_len);
-int tls1_export_keying_material(SSL *s, uint8_t *out, size_t olen,
- const char *label, size_t llen,
- const uint8_t *p, size_t plen, int use_context);
+int tls1_export_keying_material(SSL *s, uint8_t *out, size_t out_len,
+ const char *label, size_t label_len,
+ const uint8_t *context, size_t context_len,
+ int use_context);
int tls1_alert_code(int code);
int ssl3_alert_code(int code);
int ssl_ok(SSL *s);
@@ -975,7 +1072,9 @@
size_t client_random_len, const uint8_t *master,
size_t master_len);
-int ssl3_can_cutthrough(const SSL *s);
+/* ssl3_can_false_start returns one if |s| is allowed to False Start and zero
+ * otherwise. */
+int ssl3_can_false_start(const SSL *s);
/* ssl3_get_enc_method returns the SSL3_ENC_METHOD corresponding to
* |version|. */
@@ -1015,7 +1114,7 @@
int ssl_add_clienthello_renegotiate_ext(SSL *s, uint8_t *p, int *len,
int maxlen);
int ssl_parse_clienthello_renegotiate_ext(SSL *s, CBS *cbs, int *out_alert);
-long ssl_get_algorithm2(SSL *s);
+uint32_t ssl_get_algorithm2(SSL *s);
int tls1_process_sigalgs(SSL *s, const CBS *sigalgs);
/* tls1_choose_signing_digest returns a digest for use with |pkey| based on the
@@ -1032,4 +1131,4 @@
int ssl_add_serverhello_use_srtp_ext(SSL *s, uint8_t *p, int *len, int maxlen);
int ssl_parse_serverhello_use_srtp_ext(SSL *s, CBS *cbs, int *out_alert);
-#endif
+#endif /* OPENSSL_HEADER_SSL_INTERNAL_H */
diff --git a/src/ssl/pqueue/pqueue.c b/src/ssl/pqueue/pqueue.c
index ecaa139..14bd9b6 100644
--- a/src/ssl/pqueue/pqueue.c
+++ b/src/ssl/pqueue/pqueue.c
@@ -56,6 +56,7 @@
#include <openssl/pqueue.h>
+#include <assert.h>
#include <string.h>
#include <openssl/mem.h>
@@ -104,6 +105,8 @@
return;
}
+ /* The queue must be empty. */
+ assert(pq->items == NULL);
OPENSSL_free(pq);
}
diff --git a/src/ssl/pqueue/pqueue_test.c b/src/ssl/pqueue/pqueue_test.c
index c4b4b9d..cb688f7 100644
--- a/src/ssl/pqueue/pqueue_test.c
+++ b/src/ssl/pqueue/pqueue_test.c
@@ -19,6 +19,17 @@
#include <openssl/ssl.h>
+static void clear_and_free_queue(pqueue q) {
+ for (;;) {
+ pitem *item = pqueue_pop(q);
+ if (item == NULL) {
+ break;
+ }
+ pitem_free(item);
+ }
+ pqueue_free(q);
+}
+
static int trivial(void) {
pqueue q = pqueue_new();
if (q == NULL) {
@@ -37,7 +48,7 @@
return 0;
}
pitem_free(item);
- pqueue_free(q);
+ clear_and_free_queue(q);
return 1;
}
@@ -101,7 +112,7 @@
}
curr = next;
}
- pqueue_free(q);
+ clear_and_free_queue(q);
return 1;
}
diff --git a/src/ssl/s3_both.c b/src/ssl/s3_both.c
index a34d221..b78f6d3 100644
--- a/src/ssl/s3_both.c
+++ b/src/ssl/s3_both.c
@@ -116,6 +116,7 @@
#include <string.h>
#include <openssl/buf.h>
+#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/mem.h>
#include <openssl/md5.h>
@@ -124,7 +125,7 @@
#include <openssl/sha.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
+#include "internal.h"
/* ssl3_do_write sends |s->init_buf| in records of type 'type'
@@ -173,8 +174,7 @@
return 0;
}
- /* Copy the finished so we can use it for
- * renegotiation checks */
+ /* Copy the finished so we can use it for renegotiation checks */
if (s->server) {
assert(n <= EVP_MAX_MD_SIZE);
memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, n);
@@ -185,7 +185,9 @@
s->s3->previous_client_finished_len = n;
}
- ssl_set_handshake_header(s, SSL3_MT_FINISHED, n);
+ if (!ssl_set_handshake_header(s, SSL3_MT_FINISHED, n)) {
+ return 0;
+ }
s->state = b;
}
@@ -224,7 +226,7 @@
message_len =
s->method->ssl_get_message(s, a, b, SSL3_MT_FINISHED, EVP_MAX_MD_SIZE,
- SSL_GET_MESSAGE_DONT_HASH_MESSAGE, &ok);
+ ssl_dont_hash_message, &ok);
if (!ok) {
return message_len;
@@ -232,7 +234,9 @@
/* Snapshot the finished hash before incorporating the new message. */
ssl3_take_mac(s);
- ssl3_hash_current_message(s);
+ if (!ssl3_hash_current_message(s)) {
+ goto err;
+ }
/* If this occurs, we have missed a message.
* TODO(davidben): Is this check now redundant with SSL3_FLAGS_EXPECT_CCS? */
@@ -273,6 +277,7 @@
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
+err:
return 0;
}
@@ -296,11 +301,17 @@
return ssl3_do_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
}
-unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) {
+int ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) {
uint8_t *p;
unsigned long l = 3 + SSL_HM_HEADER_LENGTH(s);
- if (!ssl_add_cert_chain(s, cpk, &l)) {
+ if (cpk == NULL) {
+ /* TLSv1 sends a chain with nothing in it, instead of an alert. */
+ if (!BUF_MEM_grow_clean(s->init_buf, l)) {
+ OPENSSL_PUT_ERROR(SSL, ssl3_output_cert_chain, ERR_R_BUF_LIB);
+ return 0;
+ }
+ } else if (!ssl_add_cert_chain(s, cpk, &l)) {
return 0;
}
@@ -308,25 +319,24 @@
p = ssl_handshake_start(s);
l2n3(l, p);
l += 3;
- ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l);
- return l + SSL_HM_HEADER_LENGTH(s);
+ return ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l);
}
/* Obtain handshake message of message type |msg_type| (any if |msg_type| == -1),
* maximum acceptable body length |max|. The first four bytes (msg_type and
* length) are read in state |header_state|, the body is read in state |body_state|. */
long ssl3_get_message(SSL *s, int header_state, int body_state, int msg_type,
- long max, int hash_message, int *ok) {
+ long max, enum ssl_hash_message_t hash_message, int *ok) {
uint8_t *p;
unsigned long l;
long n;
int al;
if (s->s3->tmp.reuse_message) {
- /* A SSL_GET_MESSAGE_DONT_HASH_MESSAGE call cannot be combined with
- * reuse_message; the SSL_GET_MESSAGE_DONT_HASH_MESSAGE would have to have
- * been applied to the previous call. */
- assert(hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE);
+ /* A ssl_dont_hash_message call cannot be combined with reuse_message; the
+ * ssl_dont_hash_message would have to have been applied to the previous
+ * call. */
+ assert(hash_message == ssl_hash_message);
s->s3->tmp.reuse_message = 0;
if (msg_type >= 0 && s->s3->tmp.message_type != msg_type) {
al = SSL_AD_UNEXPECTED_MESSAGE;
@@ -350,7 +360,6 @@
int bytes_read = s->method->ssl_read_bytes(
s, SSL3_RT_HANDSHAKE, &p[s->init_num], 4 - s->init_num, 0);
if (bytes_read <= 0) {
- s->rwstate = SSL_READING;
*ok = 0;
return bytes_read;
}
@@ -416,8 +425,8 @@
}
/* Feed this message into MAC computation. */
- if (hash_message != SSL_GET_MESSAGE_DONT_HASH_MESSAGE) {
- ssl3_hash_current_message(s);
+ if (hash_message == ssl_hash_message && !ssl3_hash_current_message(s)) {
+ goto err;
}
if (s->msg_callback) {
s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
@@ -434,11 +443,12 @@
return -1;
}
-void ssl3_hash_current_message(SSL *s) {
+int ssl3_hash_current_message(SSL *s) {
/* The handshake header (different size between DTLS and TLS) is included in
* the hash. */
size_t header_len = s->init_msg - (uint8_t *)s->init_buf->data;
- ssl3_finish_mac(s, (uint8_t *)s->init_buf->data, s->init_num + header_len);
+ return ssl3_finish_mac(s, (uint8_t *)s->init_buf->data,
+ s->init_num + header_len);
}
/* ssl3_cert_verify_hash is documented as needing EVP_MAX_MD_SIZE because that
@@ -586,8 +596,7 @@
#endif
if (s->s3->rbuf.buf == NULL) {
- len = SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD +
- headerlen + align;
+ len = SSL3_RT_MAX_ENCRYPTED_LENGTH + headerlen + align;
if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) {
s->s3->init_extra = 1;
len += SSL3_RT_MAX_EXTRA;
@@ -645,28 +654,16 @@
return 0;
}
-
-int ssl3_setup_buffers(SSL *s) {
- if (!ssl3_setup_read_buffer(s) ||
- !ssl3_setup_write_buffer(s)) {
- return 0;
- }
- return 1;
-}
-
int ssl3_release_write_buffer(SSL *s) {
- if (s->s3->wbuf.buf != NULL) {
- OPENSSL_free(s->s3->wbuf.buf);
- s->s3->wbuf.buf = NULL;
- }
+ OPENSSL_free(s->s3->wbuf.buf);
+ s->s3->wbuf.buf = NULL;
return 1;
}
int ssl3_release_read_buffer(SSL *s) {
- if (s->s3->rbuf.buf != NULL) {
- OPENSSL_free(s->s3->rbuf.buf);
- s->s3->rbuf.buf = NULL;
- }
+ OPENSSL_free(s->s3->rbuf.buf);
+ s->s3->rbuf.buf = NULL;
+ s->packet = NULL;
return 1;
}
diff --git a/src/ssl/s3_clnt.c b/src/ssl/s3_clnt.c
index 231cc65..d01acae 100644
--- a/src/ssl/s3_clnt.c
+++ b/src/ssl/s3_clnt.c
@@ -150,20 +150,21 @@
#include <assert.h>
#include <stdio.h>
+#include <string.h>
#include <openssl/buf.h>
#include <openssl/bytestring.h>
#include <openssl/rand.h>
#include <openssl/obj.h>
+#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/mem.h>
#include <openssl/md5.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
-#include <openssl/engine.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
+#include "internal.h"
#include "../crypto/dh/internal.h"
@@ -195,12 +196,21 @@
case SSL_ST_RENEGOTIATE:
s->renegotiate = 1;
s->state = SSL_ST_CONNECT;
- s->ctx->stats.sess_connect_renegotiate++;
/* fallthrough */
case SSL_ST_CONNECT:
case SSL_ST_BEFORE | SSL_ST_CONNECT:
- if (cb != NULL)
+ if (cb != NULL) {
cb(s, SSL_CB_HANDSHAKE_START, 1);
+ }
+
+ if ((s->version >> 8) != 3) {
+ /* TODO(davidben): Some consumers clear |s->version| to break the
+ * handshake in a callback. Remove this when they're using proper
+ * APIs. */
+ OPENSSL_PUT_ERROR(SSL, ssl3_connect, ERR_R_INTERNAL_ERROR);
+ ret = -1;
+ goto end;
+ }
if (s->init_buf == NULL) {
buf = BUF_MEM_new();
@@ -214,8 +224,7 @@
buf = NULL;
}
- if (!ssl3_setup_buffers(s) ||
- !ssl_init_wbio_buffer(s, 0)) {
+ if (!ssl_init_wbio_buffer(s, 0)) {
ret = -1;
goto end;
}
@@ -229,7 +238,6 @@
}
s->state = SSL3_ST_CW_CLNT_HELLO_A;
- s->ctx->stats.sess_connect++;
s->init_num = 0;
break;
@@ -389,12 +397,8 @@
s->init_num = 0;
s->session->cipher = s->s3->tmp.new_cipher;
- if (!s->enc_method->setup_key_block(s)) {
- ret = -1;
- goto end;
- }
-
- if (!s->enc_method->change_cipher_state(
+ if (!s->enc_method->setup_key_block(s) ||
+ !s->enc_method->change_cipher_state(
s, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
ret = -1;
goto end;
@@ -445,15 +449,16 @@
* hashes. */
if (s->s3->tlsext_channel_id_new) {
ret = tls1_record_handshake_hashes_for_channel_id(s);
- if (ret <= 0)
+ if (ret <= 0) {
goto end;
+ }
}
- if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) &&
- ssl3_can_cutthrough(s) &&
- /* no cutthrough on renegotiation (would complicate the state
- * machine) */
+ if ((SSL_get_mode(s) & SSL_MODE_ENABLE_FALSE_START) &&
+ ssl3_can_false_start(s) &&
+ /* No False Start on renegotiation (would complicate the state
+ * machine). */
s->s3->previous_server_finished_len == 0) {
- s->s3->tmp.next_state = SSL3_ST_CUTTHROUGH_COMPLETE;
+ s->s3->tmp.next_state = SSL3_ST_FALSE_START;
} else {
/* Allow NewSessionTicket if ticket expected */
if (s->tlsext_ticket_expected) {
@@ -522,13 +527,14 @@
s->state = s->s3->tmp.next_state;
break;
- case SSL3_ST_CUTTHROUGH_COMPLETE:
+ case SSL3_ST_FALSE_START:
/* Allow NewSessionTicket if ticket expected */
if (s->tlsext_ticket_expected) {
s->state = SSL3_ST_CR_SESSION_TICKET_A;
} else {
s->state = SSL3_ST_CR_CHANGE;
}
+ s->s3->tmp.in_false_start = 1;
ssl_free_wbio_buffer(s);
ret = 1;
@@ -538,10 +544,8 @@
/* clean a few things up */
ssl3_cleanup_key_block(s);
- if (s->init_buf != NULL) {
- BUF_MEM_free(s->init_buf);
- s->init_buf = NULL;
- }
+ BUF_MEM_free(s->init_buf);
+ s->init_buf = NULL;
/* Remove write buffering now. */
ssl_free_wbio_buffer(s);
@@ -549,15 +553,12 @@
s->init_num = 0;
s->renegotiate = 0;
s->new_session = 0;
+ s->s3->tmp.in_false_start = 0;
ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
- if (s->hit) {
- s->ctx->stats.sess_hit++;
- }
ret = 1;
/* s->server=0; */
- s->ctx->stats.sess_connect_good++;
if (cb != NULL) {
cb(s, SSL_CB_HANDSHAKE_DONE, 1);
@@ -584,9 +585,7 @@
end:
s->in_handshake--;
- if (buf != NULL) {
- BUF_MEM_free(buf);
- }
+ BUF_MEM_free(buf);
if (cb != NULL) {
cb(s, SSL_CB_CONNECT_EXIT, ret);
}
@@ -625,8 +624,9 @@
/* If resending the ClientHello in DTLS after a HelloVerifyRequest, don't
* renegerate the client_random. The random must be reused. */
- if (!SSL_IS_DTLS(s) || !s->d1->send_cookie) {
- ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random));
+ if ((!SSL_IS_DTLS(s) || !s->d1->send_cookie) &&
+ !ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random))) {
+ goto err;
}
/* Do the message type and length last. Note: the final argument to
@@ -720,7 +720,9 @@
}
l = p - d;
- ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l);
+ if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
+ goto err;
+ }
s->state = SSL3_ST_CW_CLNT_HELLO_B;
}
@@ -732,7 +734,7 @@
}
int ssl3_get_server_hello(SSL *s) {
- STACK_OF(SSL_CIPHER) * sk;
+ STACK_OF(SSL_CIPHER) *sk;
const SSL_CIPHER *c;
CERT *ct = s->cert;
int al = SSL_AD_INTERNAL_ERROR, ok;
@@ -740,12 +742,12 @@
CBS server_hello, server_random, session_id;
uint16_t server_version, cipher_suite;
uint8_t compression_method;
- unsigned long mask_ssl;
+ uint32_t mask_ssl;
n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
SSL3_ST_CR_SRVR_HELLO_B, SSL3_MT_SERVER_HELLO,
20000, /* ?? */
- SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ ssl_hash_message, &ok);
if (!ok) {
uint32_t err = ERR_peek_error();
@@ -858,24 +860,22 @@
goto f_err;
}
- if (s->hit && s->session->cipher != c) {
- al = SSL_AD_ILLEGAL_PARAMETER;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
- SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
- goto f_err;
+ if (s->hit) {
+ if (s->session->cipher != c) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
+ SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
+ goto f_err;
+ }
+ if (s->session->ssl_version != s->version) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ OPENSSL_PUT_ERROR(SSL, ssl3_get_server_hello,
+ SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
+ goto f_err;
+ }
}
s->s3->tmp.new_cipher = c;
- /* Most clients also require that the negotiated version match the session's
- * version if resuming. However OpenSSL has historically not had the
- * corresponding logic on the server, so this may not be compatible,
- * depending on other factors. (Whether the ClientHello version is clamped to
- * the session's version and whether the session cache is keyed on IP
- * address.)
- *
- * TODO(davidben): See if we can still enforce this? Perhaps for the future
- * TLS 1.3 and forward if this is fixed upstream. */
-
/* Don't digest cached records if no sigalgs: we may need them for client
* authentication. */
if (!SSL_USE_SIGALGS(s) &&
@@ -924,8 +924,8 @@
const uint8_t *data;
n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B,
- SSL3_MT_CERTIFICATE, s->max_cert_list,
- SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ SSL3_MT_CERTIFICATE, (long)s->max_cert_list,
+ ssl_hash_message, &ok);
if (!ok) {
return n;
@@ -988,9 +988,7 @@
goto err;
}
- if (s->session->sess_cert) {
- ssl_sess_cert_free(s->session->sess_cert);
- }
+ ssl_sess_cert_free(s->session->sess_cert);
s->session->sess_cert = sc;
sc->cert_chain = sk;
@@ -1028,17 +1026,11 @@
goto f_err;
}
sc->peer_cert_type = i;
- /* Why would the following ever happen? We just created sc a couple of lines
- * ago. */
- if (sc->peer_pkeys[i].x509 != NULL) {
- X509_free(sc->peer_pkeys[i].x509);
- }
+ X509_free(sc->peer_pkeys[i].x509);
sc->peer_pkeys[i].x509 = X509_up_ref(x);
sc->peer_key = &(sc->peer_pkeys[i]);
- if (s->session->peer != NULL) {
- X509_free(s->session->peer);
- }
+ X509_free(s->session->peer);
s->session->peer = X509_up_ref(x);
s->session->verify_result = s->verify_result;
@@ -1075,7 +1067,7 @@
* ServerKeyExchange message may be skipped */
n = s->method->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list,
- SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ ssl_hash_message, &ok);
if (!ok) {
return n;
}
@@ -1096,14 +1088,15 @@
* initialized |sess_cert|. */
if (s->session->sess_cert == NULL) {
s->session->sess_cert = ssl_sess_cert_new();
+ if (s->session->sess_cert == NULL) {
+ return -1;
+ }
}
/* TODO(davidben): This should be reset in one place with the rest of the
* handshake state. */
- if (s->s3->tmp.peer_psk_identity_hint) {
- OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
- s->s3->tmp.peer_psk_identity_hint = NULL;
- }
+ OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
+ s->s3->tmp.peer_psk_identity_hint = NULL;
}
s->s3->tmp.reuse_message = 1;
return 1;
@@ -1114,16 +1107,15 @@
server_key_exchange_orig = server_key_exchange;
if (s->session->sess_cert != NULL) {
- if (s->session->sess_cert->peer_dh_tmp) {
- DH_free(s->session->sess_cert->peer_dh_tmp);
- s->session->sess_cert->peer_dh_tmp = NULL;
- }
- if (s->session->sess_cert->peer_ecdh_tmp) {
- EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
- s->session->sess_cert->peer_ecdh_tmp = NULL;
- }
+ DH_free(s->session->sess_cert->peer_dh_tmp);
+ s->session->sess_cert->peer_dh_tmp = NULL;
+ EC_KEY_free(s->session->sess_cert->peer_ecdh_tmp);
+ s->session->sess_cert->peer_ecdh_tmp = NULL;
} else {
s->session->sess_cert = ssl_sess_cert_new();
+ if (s->session->sess_cert == NULL) {
+ return -1;
+ }
}
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
@@ -1165,7 +1157,7 @@
}
}
- if (alg_k & SSL_kEDH) {
+ if (alg_k & SSL_kDHE) {
CBS dh_p, dh_g, dh_Ys;
if (!CBS_get_u16_length_prefixed(&server_key_exchange, &dh_p) ||
@@ -1207,10 +1199,9 @@
s->session->sess_cert->peer_dh_tmp = dh;
dh = NULL;
- } else if (alg_k & SSL_kEECDH) {
+ } else if (alg_k & SSL_kECDHE) {
uint16_t curve_id;
int curve_nid = 0;
- EC_GROUP *ngroup;
const EC_GROUP *group;
CBS point;
@@ -1231,21 +1222,13 @@
goto f_err;
}
- ecdh = EC_KEY_new();
+ ecdh = EC_KEY_new_by_curve_name(curve_nid);
if (ecdh == NULL) {
OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange,
- ERR_R_MALLOC_FAILURE);
+ ERR_R_EC_LIB);
goto err;
}
- ngroup = EC_GROUP_new_by_curve_name(curve_nid);
- if (ngroup == NULL ||
- EC_KEY_set_group(ecdh, ngroup) == 0) {
- OPENSSL_PUT_ERROR(SSL, ssl3_get_server_key_exchange, ERR_R_EC_LIB);
- goto err;
- }
- EC_GROUP_free(ngroup);
-
group = EC_KEY_get0_group(ecdh);
/* Next, get the encoded ECPoint */
@@ -1362,17 +1345,11 @@
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
EVP_PKEY_free(pkey);
- if (rsa != NULL) {
- RSA_free(rsa);
- }
- if (dh != NULL) {
- DH_free(dh);
- }
+ RSA_free(rsa);
+ DH_free(dh);
BN_CTX_free(bn_ctx);
EC_POINT_free(srvr_ecpoint);
- if (ecdh != NULL) {
- EC_KEY_free(ecdh);
- }
+ EC_KEY_free(ecdh);
EVP_MD_CTX_cleanup(&md_ctx);
return -1;
}
@@ -1393,7 +1370,7 @@
n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A,
SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list,
- SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ ssl_hash_message, &ok);
if (!ok) {
return n;
@@ -1419,15 +1396,6 @@
goto err;
}
- /* TLS does not like anon-DH with client cert */
- if (s->version > SSL3_VERSION &&
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
- ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request,
- SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
- goto err;
- }
-
CBS_init(&cbs, s->init_msg, n);
ca_sk = sk_X509_NAME_new(ca_dn_cmp);
@@ -1493,7 +1461,7 @@
if (!CBS_skip(&distinguished_name, data - CBS_data(&distinguished_name))) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, ERR_R_INTERNAL_ERROR);
+ OPENSSL_PUT_ERROR(SSL, ssl3_get_certificate_request, ERR_R_INTERNAL_ERROR);
goto err;
}
@@ -1513,29 +1481,25 @@
/* we should setup a certificate to return.... */
s->s3->tmp.cert_req = 1;
- if (s->s3->tmp.ca_names != NULL) {
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
- }
+ sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
s->s3->tmp.ca_names = ca_sk;
ca_sk = NULL;
ret = 1;
err:
- if (ca_sk != NULL) {
- sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
- }
+ sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
return ret;
}
int ssl3_get_new_session_ticket(SSL *s) {
- int ok, al, ret = 0;
+ int ok, al;
long n;
CBS new_session_ticket, ticket;
n = s->method->ssl_get_message(
s, SSL3_ST_CR_SESSION_TICKET_A, SSL3_ST_CR_SESSION_TICKET_B,
- SSL3_MT_NEWSESSION_TICKET, 16384, SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ SSL3_MT_NEWSESSION_TICKET, 16384, ssl_hash_message, &ok);
if (!ok) {
return n;
@@ -1558,21 +1522,15 @@
goto err;
}
- /* There are two ways to detect a resumed ticket sesion. One is to set an
- * appropriate session ID and then the server must return a match in
- * ServerHello. This allows the normal client session ID matching to work and
- * we know much earlier that the ticket has been accepted.
- *
- * The other way is to set zero length session ID when the ticket is
- * presented and rely on the handshake to determine session resumption.
- *
- * We choose the former approach because this fits in with assumptions
- * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
- * SHA256 is disabled) hash of the ticket. */
- EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), s->session->session_id,
- &s->session->session_id_length, EVP_sha256(), NULL);
- ret = 1;
- return ret;
+ /* Generate a session ID for this session based on the session ticket. We use
+ * the session ID mechanism for detecting ticket resumption. This also fits in
+ * with assumptions elsewhere in OpenSSL.*/
+ if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), s->session->session_id,
+ &s->session->session_id_length, EVP_sha256(), NULL)) {
+ goto err;
+ }
+
+ return 1;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1588,12 +1546,19 @@
n = s->method->ssl_get_message(
s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B,
- SSL3_MT_CERTIFICATE_STATUS, 16384, SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ -1, 16384, ssl_hash_message, &ok);
if (!ok) {
return n;
}
+ if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_STATUS) {
+ /* A server may send status_request in ServerHello and then change
+ * its mind about sending CertificateStatus. */
+ s->s3->tmp.reuse_message = 1;
+ return 1;
+ }
+
CBS_init(&certificate_status, s->init_msg, n);
if (!CBS_get_u8(&certificate_status, &status_type) ||
status_type != TLSEXT_STATUSTYPE_ocsp ||
@@ -1625,7 +1590,7 @@
n = s->method->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE,
30, /* should be very small, like 0 :-) */
- SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ ssl_hash_message, &ok);
if (!ok) {
return n;
@@ -1645,8 +1610,8 @@
int ssl3_send_client_key_exchange(SSL *s) {
uint8_t *p;
int n = 0;
- unsigned long alg_k;
- unsigned long alg_a;
+ uint32_t alg_k;
+ uint32_t alg_a;
uint8_t *q;
EVP_PKEY *pkey = NULL;
EC_KEY *clnt_ecdh = NULL;
@@ -1699,10 +1664,7 @@
goto err;
}
- if (s->session->psk_identity != NULL) {
- OPENSSL_free(s->session->psk_identity);
- }
-
+ OPENSSL_free(s->session->psk_identity);
s->session->psk_identity = BUF_strdup(identity);
if (s->session->psk_identity == NULL) {
OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
@@ -1744,9 +1706,7 @@
pkey->pkey.rsa == NULL) {
OPENSSL_PUT_ERROR(SSL, ssl3_send_client_key_exchange,
ERR_R_INTERNAL_ERROR);
- if (pkey != NULL) {
- EVP_PKEY_free(pkey);
- }
+ EVP_PKEY_free(pkey);
goto err;
}
@@ -1785,7 +1745,7 @@
if (s->version > SSL3_VERSION) {
s2n(enc_pms_len, q);
}
- } else if (alg_k & SSL_kEDH) {
+ } else if (alg_k & SSL_kDHE) {
DH *dh_srvr, *dh_clnt;
SESS_CERT *scert = s->session->sess_cert;
int dh_len;
@@ -1841,7 +1801,7 @@
n += 2 + pub_len;
DH_free(dh_clnt);
- } else if (alg_k & SSL_kEECDH) {
+ } else if (alg_k & SSL_kECDHE) {
const EC_GROUP *srvr_group = NULL;
EC_KEY *tkey;
int field_size = 0, ecdh_len;
@@ -1993,7 +1953,9 @@
/* The message must be added to the finished hash before calculating the
* master secret. */
- ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n);
+ if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n)) {
+ goto err;
+ }
s->state = SSL3_ST_CW_KEY_EXCH_B;
s->session->master_key_length = s->enc_method->generate_master_secret(
@@ -2007,16 +1969,12 @@
}
/* SSL3_ST_CW_KEY_EXCH_B */
- return s->enc_method->do_write(s);
+ return s->method->do_write(s);
err:
BN_CTX_free(bn_ctx);
- if (encodedPoint != NULL) {
- OPENSSL_free(encodedPoint);
- }
- if (clnt_ecdh != NULL) {
- EC_KEY_free(clnt_ecdh);
- }
+ OPENSSL_free(encodedPoint);
+ EC_KEY_free(clnt_ecdh);
EVP_PKEY_free(srvr_pub_pkey);
if (pms) {
OPENSSL_cleanse(pms, pms_len);
@@ -2089,7 +2047,9 @@
s2n(signature_length, p);
n += signature_length + 2;
- ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n);
+ if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
+ goto err;
+ }
s->state = SSL3_ST_CW_CERT_VRFY_B;
}
@@ -2156,12 +2116,8 @@
SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
}
- if (x509 != NULL) {
- X509_free(x509);
- }
- if (pkey != NULL) {
- EVP_PKEY_free(pkey);
- }
+ X509_free(x509);
+ EVP_PKEY_free(pkey);
if (i && !ssl3_has_client_certificate(s)) {
i = 0;
}
@@ -2180,8 +2136,10 @@
}
if (s->state == SSL3_ST_CW_CERT_C) {
- s->state = SSL3_ST_CW_CERT_D;
- ssl3_output_cert_chain(s, (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key);
+ CERT_PKEY *cert_pkey = (s->s3->tmp.cert_req == 2) ? NULL : s->cert->key;
+ if (!ssl3_output_cert_chain(s, cert_pkey)) {
+ return -1;
+ }
}
/* SSL3_ST_CW_CERT_D */
@@ -2246,7 +2204,7 @@
goto f_err;
}
- if ((alg_k & SSL_kEDH) &&
+ if ((alg_k & SSL_kDHE) &&
!(has_bits(i, EVP_PK_DH | EVP_PKT_EXCH) || dh != NULL)) {
OPENSSL_PUT_ERROR(SSL, ssl3_check_cert_and_algorithm, SSL_R_MISSING_DH_KEY);
goto f_err;
@@ -2276,7 +2234,9 @@
memset(p, 0, padding_len);
p += padding_len;
- ssl_set_handshake_header(s, SSL3_MT_NEXT_PROTO, p - d);
+ if (!ssl_set_handshake_header(s, SSL3_MT_NEXT_PROTO, p - d)) {
+ return -1;
+ }
s->state = SSL3_ST_CW_NEXT_PROTO_B;
}
@@ -2387,23 +2347,19 @@
goto err;
}
- ssl_set_handshake_header(s, SSL3_MT_ENCRYPTED_EXTENSIONS,
- 2 + 2 + TLSEXT_CHANNEL_ID_SIZE);
+ if (!ssl_set_handshake_header(s, SSL3_MT_ENCRYPTED_EXTENSIONS,
+ 2 + 2 + TLSEXT_CHANNEL_ID_SIZE)) {
+ goto err;
+ }
s->state = SSL3_ST_CW_CHANNEL_ID_B;
ret = ssl_do_write(s);
err:
EVP_MD_CTX_cleanup(&md_ctx);
- if (public_key) {
- OPENSSL_free(public_key);
- }
- if (der_sig) {
- OPENSSL_free(der_sig);
- }
- if (sig) {
- ECDSA_SIG_free(sig);
- }
+ OPENSSL_free(public_key);
+ OPENSSL_free(der_sig);
+ ECDSA_SIG_free(sig);
return ret;
}
diff --git a/src/ssl/s3_enc.c b/src/ssl/s3_enc.c
index 562cb84..fbe68da 100644
--- a/src/ssl/s3_enc.c
+++ b/src/ssl/s3_enc.c
@@ -133,8 +133,9 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE. */
-#include <stdio.h>
#include <assert.h>
+#include <stdio.h>
+#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
@@ -142,7 +143,7 @@
#include <openssl/md5.h>
#include <openssl/obj.h>
-#include "ssl_locl.h"
+#include "internal.h"
static const uint8_t ssl3_pad_1[48] = {
@@ -235,12 +236,8 @@
}
int ssl3_init_finished_mac(SSL *s) {
- if (s->s3->handshake_buffer) {
- BIO_free(s->s3->handshake_buffer);
- }
- if (s->s3->handshake_dgst) {
- ssl3_free_digest_list(s);
- }
+ BIO_free(s->s3->handshake_buffer);
+ ssl3_free_digest_list(s);
s->s3->handshake_buffer = BIO_new(BIO_s_mem());
if (s->s3->handshake_buffer == NULL) {
return 0;
@@ -264,12 +261,11 @@
s->s3->handshake_dgst = NULL;
}
-void ssl3_finish_mac(SSL *s, const uint8_t *buf, int len) {
+int ssl3_finish_mac(SSL *s, const uint8_t *buf, int len) {
int i;
if (s->s3->handshake_buffer) {
- BIO_write(s->s3->handshake_buffer, (void *)buf, len);
- return;
+ return BIO_write(s->s3->handshake_buffer, (void *)buf, len) >= 0;
}
for (i = 0; i < SSL_MAX_DIGEST; i++) {
@@ -277,12 +273,13 @@
EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
}
}
+ return 1;
}
int ssl3_digest_cached_records(
SSL *s, enum should_free_handshake_buffer_t should_free_handshake_buffer) {
int i;
- long mask;
+ uint32_t mask;
const EVP_MD *md;
const uint8_t *hdata;
size_t hdatalen;
@@ -303,7 +300,7 @@
}
/* Loop through bits of algorithm2 field and create MD_CTX-es */
- for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
+ for (i = 0; ssl_get_handshake_digest(&mask, &md, i); i++) {
if ((mask & ssl_get_algorithm2(s)) && md) {
s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
if (s->s3->handshake_dgst[i] == NULL) {
@@ -383,7 +380,7 @@
EVP_MD_CTX_init(&ctx);
if (!EVP_MD_CTX_copy_ex(&ctx, d)) {
EVP_MD_CTX_cleanup(&ctx);
- OPENSSL_PUT_ERROR(SSL, ssl3_generate_key_block, ERR_LIB_EVP);
+ OPENSSL_PUT_ERROR(SSL, ssl3_handshake_mac, ERR_LIB_EVP);
return 0;
}
@@ -402,7 +399,7 @@
if (!EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL)) {
EVP_MD_CTX_cleanup(&ctx);
- OPENSSL_PUT_ERROR(SSL, ssl3_generate_key_block, ERR_LIB_EVP);
+ OPENSSL_PUT_ERROR(SSL, ssl3_handshake_mac, ERR_LIB_EVP);
return 0;
}
EVP_DigestUpdate(&ctx, s->session->master_key, s->session->master_key_length);
@@ -415,15 +412,16 @@
return ret;
}
-void ssl3_record_sequence_update(uint8_t *seq) {
- int i;
-
- for (i = 7; i >= 0; i--) {
+int ssl3_record_sequence_update(uint8_t *seq, size_t seq_len) {
+ size_t i;
+ for (i = seq_len - 1; i < seq_len; i--) {
++seq[i];
if (seq[i] != 0) {
- break;
+ return 1;
}
}
+ OPENSSL_PUT_ERROR(SSL, ssl3_record_sequence_update, ERR_R_OVERFLOW);
+ return 0;
}
int ssl3_alert_code(int code) {
diff --git a/src/ssl/s3_lib.c b/src/ssl/s3_lib.c
index e0ccedc..674277f 100644
--- a/src/ssl/s3_lib.c
+++ b/src/ssl/s3_lib.c
@@ -148,14 +148,16 @@
#include <assert.h>
#include <stdio.h>
+#include <string.h>
#include <openssl/buf.h>
#include <openssl/dh.h>
+#include <openssl/err.h>
#include <openssl/md5.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
-#include "ssl_locl.h"
+#include "internal.h"
#define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER))
@@ -165,77 +167,53 @@
/* The RSA ciphers */
/* Cipher 04 */
{
- 1, SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA, SSL_aRSA,
+ SSL3_TXT_RSA_RC4_128_MD5, SSL3_CK_RSA_RC4_128_MD5, SSL_kRSA, SSL_aRSA,
SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
/* Cipher 05 */
{
- 1, SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, SSL_kRSA, SSL_aRSA,
+ SSL3_TXT_RSA_RC4_128_SHA, SSL3_CK_RSA_RC4_128_SHA, SSL_kRSA, SSL_aRSA,
SSL_RC4, SSL_SHA1, SSL_SSLV3, SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
/* Cipher 0A */
{
- 1, SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA,
+ SSL3_TXT_RSA_DES_192_CBC3_SHA, SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA,
SSL_aRSA, SSL_3DES, SSL_SHA1, SSL_SSLV3, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 112, 168,
},
- /* The Ephemeral DH ciphers */
-
- /* Cipher 18 */
- {
- 1, SSL3_TXT_ADH_RC4_128_MD5, SSL3_CK_ADH_RC4_128_MD5, SSL_kEDH, SSL_aNULL,
- SSL_RC4, SSL_MD5, SSL_SSLV3, SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
- },
-
-
/* New AES ciphersuites */
/* Cipher 2F */
{
- 1, TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA,
+ TLS1_TXT_RSA_WITH_AES_128_SHA, TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA,
SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
/* Cipher 33 */
{
- 1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
- SSL_kEDH, SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
- },
-
- /* Cipher 34 */
- {
- 1, TLS1_TXT_ADH_WITH_AES_128_SHA, TLS1_CK_ADH_WITH_AES_128_SHA, SSL_kEDH,
- SSL_aNULL, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
+ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA, TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
+ SSL_kDHE, SSL_aRSA, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
/* Cipher 35 */
{
- 1, TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA,
+ TLS1_TXT_RSA_WITH_AES_256_SHA, TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA,
SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
},
/* Cipher 39 */
{
- 1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
- SSL_kEDH, SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
- },
-
- /* Cipher 3A */
- {
- 1, TLS1_TXT_ADH_WITH_AES_256_SHA, TLS1_CK_ADH_WITH_AES_256_SHA, SSL_kEDH,
- SSL_aNULL, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
+ TLS1_TXT_DHE_RSA_WITH_AES_256_SHA, TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
+ SSL_kDHE, SSL_aRSA, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
},
@@ -244,65 +222,51 @@
/* Cipher 3C */
{
- 1, TLS1_TXT_RSA_WITH_AES_128_SHA256, TLS1_CK_RSA_WITH_AES_128_SHA256,
+ TLS1_TXT_RSA_WITH_AES_128_SHA256, TLS1_CK_RSA_WITH_AES_128_SHA256,
SSL_kRSA, SSL_aRSA, SSL_AES128, SSL_SHA256, SSL_TLSV1_2,
- SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
+ SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
},
/* Cipher 3D */
{
- 1, TLS1_TXT_RSA_WITH_AES_256_SHA256, TLS1_CK_RSA_WITH_AES_256_SHA256,
+ TLS1_TXT_RSA_WITH_AES_256_SHA256, TLS1_CK_RSA_WITH_AES_256_SHA256,
SSL_kRSA, SSL_aRSA, SSL_AES256, SSL_SHA256, SSL_TLSV1_2,
- SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
+ SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256,
},
/* Cipher 67 */
{
- 1, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
- TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, SSL_kEDH, SSL_aRSA, SSL_AES128,
+ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
+ TLS1_CK_DHE_RSA_WITH_AES_128_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES128,
SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
},
/* Cipher 6B */
{
- 1, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
- TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, SSL_kEDH, SSL_aRSA, SSL_AES256,
+ TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
+ TLS1_CK_DHE_RSA_WITH_AES_256_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES256,
SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
- },
-
- /* Cipher 6C */
- {
- 1, TLS1_TXT_ADH_WITH_AES_128_SHA256, TLS1_CK_ADH_WITH_AES_128_SHA256,
- SSL_kEDH, SSL_aNULL, SSL_AES128, SSL_SHA256, SSL_TLSV1_2,
- SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
- },
-
- /* Cipher 6D */
- {
- 1, TLS1_TXT_ADH_WITH_AES_256_SHA256, TLS1_CK_ADH_WITH_AES_256_SHA256,
- SSL_kEDH, SSL_aNULL, SSL_AES256, SSL_SHA256, SSL_TLSV1_2,
- SSL_HIGH | SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
+ SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 256, 256,
},
/* Cipher 8A */
{
- 1, TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK,
+ TLS1_TXT_PSK_WITH_RC4_128_SHA, TLS1_CK_PSK_WITH_RC4_128_SHA, SSL_kPSK,
SSL_aPSK, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
/* Cipher 8C */
{
- 1, TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
+ TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
SSL_kPSK, SSL_aPSK, SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
/* Cipher 8D */
{
- 1, TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
+ TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
SSL_kPSK, SSL_aPSK, SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
},
@@ -312,7 +276,7 @@
/* Cipher 9C */
{
- 1, TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
+ TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA, SSL_aRSA, SSL_AES128GCM,
SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
@@ -322,7 +286,7 @@
/* Cipher 9D */
{
- 1, TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
+ TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA, SSL_aRSA, SSL_AES256GCM,
SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
@@ -332,8 +296,8 @@
/* Cipher 9E */
{
- 1, TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEDH, SSL_aRSA, SSL_AES128GCM,
+ TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kDHE, SSL_aRSA, SSL_AES128GCM,
SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -342,28 +306,8 @@
/* Cipher 9F */
{
- 1, TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEDH, SSL_aRSA, SSL_AES256GCM,
- SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 256, 256,
- },
-
- /* Cipher A6 */
- {
- 1, TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ADH_WITH_AES_128_GCM_SHA256, SSL_kEDH, SSL_aNULL, SSL_AES128GCM,
- SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
- SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
- 128, 128,
- },
-
- /* Cipher A7 */
- {
- 1, TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ADH_WITH_AES_256_GCM_SHA384, SSL_kEDH, SSL_aNULL, SSL_AES256GCM,
+ TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kDHE, SSL_aRSA, SSL_AES256GCM,
SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -372,70 +316,47 @@
/* Cipher C007 */
{
- 1, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kEECDH, SSL_aECDSA, SSL_RC4,
+ TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE, SSL_aECDSA, SSL_RC4,
SSL_SHA1, SSL_TLSV1, SSL_MEDIUM, SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128,
128,
},
/* Cipher C009 */
{
- 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kEECDH, SSL_aECDSA,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aECDSA,
SSL_AES128, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
/* Cipher C00A */
{
- 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kEECDH, SSL_aECDSA,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aECDSA,
SSL_AES256, SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
},
/* Cipher C011 */
{
- 1, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
- SSL_kEECDH, SSL_aRSA, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
+ TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA, TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
+ SSL_kECDHE, SSL_aRSA, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
/* Cipher C013 */
{
- 1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEECDH, SSL_aRSA, SSL_AES128,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, SSL_aRSA, SSL_AES128,
SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
},
/* Cipher C014 */
{
- 1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEECDH, SSL_aRSA, SSL_AES256,
- SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
- },
-
- /* Cipher C016 */
- {
- 1, TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA, TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
- SSL_kEECDH, SSL_aNULL, SSL_RC4, SSL_SHA1, SSL_TLSV1, SSL_MEDIUM,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
- },
-
- /* Cipher C018 */
- {
- 1, TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
- TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_kEECDH, SSL_aNULL, SSL_AES128,
- SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 128, 128,
- },
-
- /* Cipher C019 */
- {
- 1, TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
- TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_kEECDH, SSL_aNULL, SSL_AES256,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, SSL_aRSA, SSL_AES256,
SSL_SHA1, SSL_TLSV1, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, 256, 256,
},
@@ -445,32 +366,32 @@
/* Cipher C023 */
{
- 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, SSL_kEECDH, SSL_aECDSA,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aECDSA,
SSL_AES128, SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
},
/* Cipher C024 */
{
- 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, SSL_kEECDH, SSL_aECDSA,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aECDSA,
SSL_AES256, SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256,
},
/* Cipher C027 */
{
- 1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, SSL_kEECDH, SSL_aRSA, SSL_AES128,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
+ TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, SSL_kECDHE, SSL_aRSA, SSL_AES128,
SSL_SHA256, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256, 128, 128,
},
/* Cipher C028 */
{
- 1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, SSL_kEECDH, SSL_aRSA, SSL_AES256,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
+ TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384, SSL_kECDHE, SSL_aRSA, SSL_AES256,
SSL_SHA384, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384, 256, 256,
},
@@ -480,8 +401,8 @@
/* Cipher C02B */
{
- 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kEECDH, SSL_aECDSA,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aECDSA,
SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -490,8 +411,8 @@
/* Cipher C02C */
{
- 1, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kEECDH, SSL_aECDSA,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aECDSA,
SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -500,8 +421,8 @@
/* Cipher C02F */
{
- 1, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kEECDH, SSL_aRSA,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aRSA,
SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -510,8 +431,8 @@
/* Cipher C030 */
{
- 1, TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kEECDH, SSL_aRSA,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, SSL_aRSA,
SSL_AES256GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384 | SSL_CIPHER_ALGORITHM2_AEAD |
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -523,8 +444,8 @@
/* Cipher CAFE */
{
- 1, TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
- TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256, SSL_kEECDH, SSL_aPSK,
+ TLS1_TXT_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
+ TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256, SSL_kECDHE, SSL_aPSK,
SSL_AES128GCM, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD |
SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD,
@@ -532,24 +453,24 @@
},
{
- 1, TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
- TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, SSL_kEECDH, SSL_aRSA,
+ TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, SSL_kECDHE, SSL_aRSA,
SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD,
256, 0,
},
{
- 1, TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
- TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, SSL_kEECDH, SSL_aECDSA,
+ TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, SSL_kECDHE, SSL_aECDSA,
SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD,
256, 0,
},
{
- 1, TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
- TLS1_CK_DHE_RSA_CHACHA20_POLY1305, SSL_kEDH, SSL_aRSA,
+ TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
+ TLS1_CK_DHE_RSA_CHACHA20_POLY1305, SSL_kDHE, SSL_aRSA,
SSL_CHACHA20POLY1305, SSL_AEAD, SSL_TLSV1_2, SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256 | SSL_CIPHER_ALGORITHM2_AEAD,
256, 0,
@@ -563,27 +484,22 @@
tls1_generate_master_secret,
tls1_change_cipher_state,
ssl3_final_finish_mac,
- MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH,
ssl3_cert_verify_mac,
SSL3_MD_CLIENT_FINISHED_CONST, 4,
SSL3_MD_SERVER_FINISHED_CONST, 4,
ssl3_alert_code,
- (int (*)(SSL *, uint8_t *, size_t, const char *, size_t, const uint8_t *,
- size_t, int use_context)) ssl_undefined_function,
+ tls1_export_keying_material,
0,
- SSL3_HM_HEADER_LENGTH,
- ssl3_set_handshake_header,
- ssl3_handshake_write,
};
-int ssl3_num_ciphers(void) { return SSL3_NUM_CIPHERS; }
+size_t ssl3_num_ciphers(void) { return SSL3_NUM_CIPHERS; }
-const SSL_CIPHER *ssl3_get_cipher(unsigned int u) {
- if (u >= SSL3_NUM_CIPHERS) {
+const SSL_CIPHER *ssl3_get_cipher(size_t i) {
+ if (i >= SSL3_NUM_CIPHERS) {
return NULL;
}
- return &ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u];
+ return &ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - i];
}
int ssl3_pending(const SSL *s) {
@@ -595,7 +511,7 @@
: 0;
}
-void ssl3_set_handshake_header(SSL *s, int htype, unsigned long len) {
+int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len) {
uint8_t *p = (uint8_t *)s->init_buf->data;
*(p++) = htype;
l2n3(len, p);
@@ -603,7 +519,7 @@
s->init_off = 0;
/* Add the message to the handshake hash. */
- ssl3_finish_mac(s, (uint8_t *)s->init_buf->data, s->init_num);
+ return ssl3_finish_mac(s, (uint8_t *)s->init_buf->data, s->init_num);
}
int ssl3_handshake_write(SSL *s) { return ssl3_do_write(s, SSL3_RT_HANDSHAKE); }
@@ -637,47 +553,21 @@
return;
}
- if (s->s3->sniff_buffer != NULL) {
- BUF_MEM_free(s->s3->sniff_buffer);
- }
+ BUF_MEM_free(s->s3->sniff_buffer);
ssl3_cleanup_key_block(s);
- if (s->s3->rbuf.buf != NULL) {
- ssl3_release_read_buffer(s);
- }
- if (s->s3->wbuf.buf != NULL) {
- ssl3_release_write_buffer(s);
- }
- if (s->s3->tmp.dh != NULL) {
- DH_free(s->s3->tmp.dh);
- }
- if (s->s3->tmp.ecdh != NULL) {
- EC_KEY_free(s->s3->tmp.ecdh);
- }
+ ssl3_release_read_buffer(s);
+ ssl3_release_write_buffer(s);
+ DH_free(s->s3->tmp.dh);
+ EC_KEY_free(s->s3->tmp.ecdh);
- if (s->s3->tmp.ca_names != NULL) {
- sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
- }
- if (s->s3->tmp.certificate_types != NULL) {
- OPENSSL_free(s->s3->tmp.certificate_types);
- }
- if (s->s3->tmp.peer_ecpointformatlist) {
- OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
- }
- if (s->s3->tmp.peer_ellipticcurvelist) {
- OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
- }
- if (s->s3->tmp.peer_psk_identity_hint) {
- OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
- }
- if (s->s3->handshake_buffer) {
- BIO_free(s->s3->handshake_buffer);
- }
- if (s->s3->handshake_dgst) {
- ssl3_free_digest_list(s);
- }
- if (s->s3->alpn_selected) {
- OPENSSL_free(s->s3->alpn_selected);
- }
+ sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free);
+ OPENSSL_free(s->s3->tmp.certificate_types);
+ OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
+ OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
+ OPENSSL_free(s->s3->tmp.peer_psk_identity_hint);
+ BIO_free(s->s3->handshake_buffer);
+ ssl3_free_digest_list(s);
+ OPENSSL_free(s->s3->alpn_selected);
OPENSSL_cleanse(s->s3, sizeof *s->s3);
OPENSSL_free(s->s3);
@@ -686,145 +576,139 @@
static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len);
+int SSL_session_reused(const SSL *ssl) {
+ return ssl->hit;
+}
+
+int SSL_total_renegotiations(const SSL *ssl) {
+ return ssl->s3->total_renegotiations;
+}
+
+int SSL_num_renegotiations(const SSL *ssl) {
+ return SSL_total_renegotiations(ssl);
+}
+
+int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) {
+ return 0;
+}
+
+int SSL_need_rsa(const SSL *ssl) {
+ return 0;
+}
+
+int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) {
+ return 1;
+}
+
+int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) {
+ return 1;
+}
+
+int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) {
+ DH_free(ctx->cert->dh_tmp);
+ ctx->cert->dh_tmp = DHparams_dup(dh);
+ if (ctx->cert->dh_tmp == NULL) {
+ OPENSSL_PUT_ERROR(SSL, SSL_CTX_set_tmp_dh, ERR_R_DH_LIB);
+ return 0;
+ }
+ return 1;
+}
+
+int SSL_set_tmp_dh(SSL *ssl, const DH *dh) {
+ DH_free(ssl->cert->dh_tmp);
+ ssl->cert->dh_tmp = DHparams_dup(dh);
+ if (ssl->cert->dh_tmp == NULL) {
+ OPENSSL_PUT_ERROR(SSL, SSL_set_tmp_dh, ERR_R_DH_LIB);
+ return 0;
+ }
+ return 1;
+}
+
+int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) {
+ if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
+ OPENSSL_PUT_ERROR(SSL, SSL_CTX_set_tmp_ecdh, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+ ctx->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
+ return 1;
+}
+
+int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {
+ if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
+ OPENSSL_PUT_ERROR(SSL, SSL_set_tmp_ecdh, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+ ssl->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
+ return 1;
+}
+
+int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
+ ctx->tlsext_channel_id_enabled = 1;
+ return 1;
+}
+
+int SSL_enable_tls_channel_id(SSL *ssl) {
+ ssl->tlsext_channel_id_enabled = 1;
+ return 1;
+}
+
+int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {
+ ctx->tlsext_channel_id_enabled = 1;
+ if (EVP_PKEY_id(private_key) != EVP_PKEY_EC ||
+ EVP_PKEY_bits(private_key) != 256) {
+ OPENSSL_PUT_ERROR(SSL, SSL_CTX_set1_tls_channel_id,
+ SSL_R_CHANNEL_ID_NOT_P256);
+ return 0;
+ }
+ EVP_PKEY_free(ctx->tlsext_channel_id_private);
+ ctx->tlsext_channel_id_private = EVP_PKEY_up_ref(private_key);
+ return 1;
+}
+
+int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) {
+ ssl->tlsext_channel_id_enabled = 1;
+ if (EVP_PKEY_id(private_key) != EVP_PKEY_EC ||
+ EVP_PKEY_bits(private_key) != 256) {
+ OPENSSL_PUT_ERROR(SSL, SSL_set1_tls_channel_id, SSL_R_CHANNEL_ID_NOT_P256);
+ return 0;
+ }
+ EVP_PKEY_free(ssl->tlsext_channel_id_private);
+ ssl->tlsext_channel_id_private = EVP_PKEY_up_ref(private_key);
+ return 1;
+}
+
+size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {
+ if (!ssl->s3->tlsext_channel_id_valid) {
+ return 0;
+ }
+ memcpy(out, ssl->s3->tlsext_channel_id, (max_out < 64) ? max_out : 64);
+ return 64;
+}
+
+int SSL_set_tlsext_host_name(SSL *ssl, const char *name) {
+ OPENSSL_free(ssl->tlsext_hostname);
+ ssl->tlsext_hostname = NULL;
+
+ if (name == NULL) {
+ return 1;
+ }
+ if (strlen(name) > TLSEXT_MAXLEN_host_name) {
+ OPENSSL_PUT_ERROR(SSL, SSL_set_tlsext_host_name,
+ SSL_R_SSL3_EXT_INVALID_SERVERNAME);
+ return 0;
+ }
+ ssl->tlsext_hostname = BUF_strdup(name);
+ if (ssl->tlsext_hostname == NULL) {
+ OPENSSL_PUT_ERROR(SSL, SSL_set_tlsext_host_name, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ return 1;
+}
+
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
int ret = 0;
- if (cmd == SSL_CTRL_SET_TMP_RSA || cmd == SSL_CTRL_SET_TMP_RSA_CB ||
- cmd == SSL_CTRL_SET_TMP_DH || cmd == SSL_CTRL_SET_TMP_DH_CB) {
- if (!ssl_cert_inst(&s->cert)) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- }
-
switch (cmd) {
- case SSL_CTRL_GET_SESSION_REUSED:
- ret = s->hit;
- break;
-
- case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
- break;
-
- case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
- ret = s->s3->num_renegotiations;
- break;
-
- case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
- ret = s->s3->num_renegotiations;
- s->s3->num_renegotiations = 0;
- break;
-
- case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
- ret = s->s3->total_renegotiations;
- break;
-
- case SSL_CTRL_GET_FLAGS:
- ret = (int)(s->s3->flags);
- break;
-
- case SSL_CTRL_NEED_TMP_RSA:
- /* Temporary RSA keys are never used. */
- ret = 0;
- break;
-
- case SSL_CTRL_SET_TMP_RSA:
- /* Temporary RSA keys are never used. */
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- break;
-
- case SSL_CTRL_SET_TMP_RSA_CB:
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return ret;
-
- case SSL_CTRL_SET_TMP_DH: {
- DH *dh = (DH *)parg;
- if (dh == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER);
- return ret;
- }
- dh = DHparams_dup(dh);
- if (dh == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_DH_LIB);
- return ret;
- }
- if (!(s->options & SSL_OP_SINGLE_DH_USE) && !DH_generate_key(dh)) {
- DH_free(dh);
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_DH_LIB);
- return ret;
- }
- if (s->cert->dh_tmp != NULL) {
- DH_free(s->cert->dh_tmp);
- }
- s->cert->dh_tmp = dh;
- ret = 1;
- break;
- }
-
- case SSL_CTRL_SET_TMP_DH_CB:
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return ret;
-
- case SSL_CTRL_SET_TMP_ECDH: {
- EC_KEY *ecdh = NULL;
-
- if (parg == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER);
- return ret;
- }
- if (!EC_KEY_up_ref((EC_KEY *)parg)) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_ECDH_LIB);
- return ret;
- }
- ecdh = (EC_KEY *)parg;
- if (!(s->options & SSL_OP_SINGLE_ECDH_USE) && !EC_KEY_generate_key(ecdh)) {
- EC_KEY_free(ecdh);
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_ECDH_LIB);
- return ret;
- }
- if (s->cert->ecdh_tmp != NULL) {
- EC_KEY_free(s->cert->ecdh_tmp);
- }
- s->cert->ecdh_tmp = ecdh;
- ret = 1;
- break;
- }
-
- case SSL_CTRL_SET_TMP_ECDH_CB:
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return ret;
-
- case SSL_CTRL_SET_TLSEXT_HOSTNAME:
- if (larg == TLSEXT_NAMETYPE_host_name) {
- if (s->tlsext_hostname != NULL) {
- OPENSSL_free(s->tlsext_hostname);
- }
- s->tlsext_hostname = NULL;
-
- ret = 1;
- if (parg == NULL) {
- break;
- }
- if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
- return 0;
- }
- s->tlsext_hostname = BUF_strdup((char *) parg);
- if (s->tlsext_hostname == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- } else {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl,
- SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
- return 0;
- }
- break;
-
- case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
- s->tlsext_debug_arg = parg;
- ret = 1;
- break;
-
case SSL_CTRL_CHAIN:
if (larg) {
return ssl_cert_set1_chain(s->cert, (STACK_OF(X509) *)parg);
@@ -870,10 +754,6 @@
return tls1_set_curves(&s->tlsext_ellipticcurvelist,
&s->tlsext_ellipticcurvelist_length, parg, larg);
- case SSL_CTRL_SET_ECDH_AUTO:
- s->cert->ecdh_tmp_auto = larg;
- return 1;
-
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0);
@@ -943,65 +823,6 @@
return (int)s->s3->tmp.peer_ecpointformatlist_length;
}
- case SSL_CTRL_CHANNEL_ID:
- s->tlsext_channel_id_enabled = 1;
- ret = 1;
- break;
-
- case SSL_CTRL_SET_CHANNEL_ID:
- s->tlsext_channel_id_enabled = 1;
- if (EVP_PKEY_bits(parg) != 256) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_CHANNEL_ID_NOT_P256);
- break;
- }
- if (s->tlsext_channel_id_private) {
- EVP_PKEY_free(s->tlsext_channel_id_private);
- }
- s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY *)parg);
- ret = 1;
- break;
-
- case SSL_CTRL_GET_CHANNEL_ID:
- if (!s->s3->tlsext_channel_id_valid) {
- break;
- }
- memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64);
- return 64;
-
- default:
- break;
- }
-
- return ret;
-}
-
-long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) {
- int ret = 0;
-
- if ((cmd == SSL_CTRL_SET_TMP_RSA_CB || cmd == SSL_CTRL_SET_TMP_DH_CB) &&
- !ssl_cert_inst(&s->cert)) {
- OPENSSL_PUT_ERROR(SSL, ssl3_callback_ctrl, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
- switch (cmd) {
- case SSL_CTRL_SET_TMP_RSA_CB:
- /* Ignore the callback; temporary RSA keys are never used. */
- break;
-
- case SSL_CTRL_SET_TMP_DH_CB:
- s->cert->dh_tmp_cb = (DH * (*)(SSL *, int, int))fp;
- break;
-
- case SSL_CTRL_SET_TMP_ECDH_CB:
- s->cert->ecdh_tmp_cb = (EC_KEY * (*)(SSL *, int, int))fp;
- break;
-
- case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
- s->tlsext_debug_cb =
- (void (*)(SSL *, int, int, uint8_t *, int, void *))fp;
- break;
-
default:
break;
}
@@ -1010,82 +831,7 @@
}
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
- CERT *cert;
-
- cert = ctx->cert;
-
switch (cmd) {
- case SSL_CTRL_NEED_TMP_RSA:
- /* Temporary RSA keys are never used. */
- return 0;
-
- case SSL_CTRL_SET_TMP_RSA:
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return 0;
-
- case SSL_CTRL_SET_TMP_RSA_CB:
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return 0;
-
- case SSL_CTRL_SET_TMP_DH: {
- DH *new = NULL, *dh;
-
- dh = (DH *)parg;
- new = DHparams_dup(dh);
- if (new == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);
- return 0;
- }
- if (!(ctx->options & SSL_OP_SINGLE_DH_USE) && !DH_generate_key(new)) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);
- DH_free(new);
- return 0;
- }
- if (cert->dh_tmp != NULL) {
- DH_free(cert->dh_tmp);
- }
- cert->dh_tmp = new;
- return 1;
- }
-
- case SSL_CTRL_SET_TMP_DH_CB:
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return 0;
-
- case SSL_CTRL_SET_TMP_ECDH: {
- EC_KEY *ecdh = NULL;
-
- if (parg == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_ECDH_LIB);
- return 0;
- }
- ecdh = EC_KEY_dup((EC_KEY *)parg);
- if (ecdh == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_EC_LIB);
- return 0;
- }
- if (!(ctx->options & SSL_OP_SINGLE_ECDH_USE) &&
- !EC_KEY_generate_key(ecdh)) {
- EC_KEY_free(ecdh);
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_ECDH_LIB);
- return 0;
- }
-
- if (cert->ecdh_tmp != NULL) {
- EC_KEY_free(cert->ecdh_tmp);
- }
- cert->ecdh_tmp = ecdh;
- return 1;
- }
-
- case SSL_CTRL_SET_TMP_ECDH_CB:
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return 0;
-
- case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
- ctx->tlsext_servername_arg = parg;
- break;
-
case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
case SSL_CTRL_GET_TLSEXT_TICKET_KEYS: {
uint8_t *keys = parg;
@@ -1108,19 +854,10 @@
return 1;
}
- case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
- ctx->tlsext_status_arg = parg;
- return 1;
- break;
-
case SSL_CTRL_SET_CURVES:
return tls1_set_curves(&ctx->tlsext_ellipticcurvelist,
&ctx->tlsext_ellipticcurvelist_length, parg, larg);
- case SSL_CTRL_SET_ECDH_AUTO:
- ctx->cert->ecdh_tmp_auto = larg;
- return 1;
-
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
@@ -1158,10 +895,8 @@
break;
case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
- if (ctx->extra_certs) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
+ sk_X509_pop_free(ctx->extra_certs, X509_free);
+ ctx->extra_certs = NULL;
break;
case SSL_CTRL_CHAIN:
@@ -1185,22 +920,6 @@
case SSL_CTRL_SELECT_CURRENT_CERT:
return ssl_cert_select_current(ctx->cert, (X509 *)parg);
- case SSL_CTRL_CHANNEL_ID:
- ctx->tlsext_channel_id_enabled = 1;
- return 1;
-
- case SSL_CTRL_SET_CHANNEL_ID:
- ctx->tlsext_channel_id_enabled = 1;
- if (EVP_PKEY_bits(parg) != 256) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, SSL_R_CHANNEL_ID_NOT_P256);
- break;
- }
- if (ctx->tlsext_channel_id_private) {
- EVP_PKEY_free(ctx->tlsext_channel_id_private);
- }
- ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY *)parg);
- break;
-
default:
return 0;
}
@@ -1208,41 +927,22 @@
return 1;
}
-long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) {
- CERT *cert;
+int SSL_CTX_set_tlsext_servername_callback(
+ SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) {
+ ctx->tlsext_servername_callback = callback;
+ return 1;
+}
- cert = ctx->cert;
+int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
+ ctx->tlsext_servername_arg = arg;
+ return 1;
+}
- switch (cmd) {
- case SSL_CTRL_SET_TMP_RSA_CB:
- /* Ignore the callback; temporary RSA keys are never used. */
- break;
-
- case SSL_CTRL_SET_TMP_DH_CB:
- cert->dh_tmp_cb = (DH * (*)(SSL *, int, int))fp;
- break;
-
- case SSL_CTRL_SET_TMP_ECDH_CB:
- cert->ecdh_tmp_cb = (EC_KEY * (*)(SSL *, int, int))fp;
- break;
-
- case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
- ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;
- break;
-
- case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
- ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
- break;
-
- case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
- ctx->tlsext_ticket_key_cb = (int (
- *)(SSL *, uint8_t *, uint8_t *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
- break;
-
- default:
- return 0;
- }
-
+int SSL_CTX_set_tlsext_ticket_key_cb(
+ SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
+ EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
+ int encrypt)) {
+ ctx->tlsext_ticket_key_cb = callback;
return 1;
}
@@ -1261,7 +961,7 @@
/* ssl3_get_cipher_by_value returns the cipher value of |c|. */
uint16_t ssl3_get_cipher_value(const SSL_CIPHER *c) {
- unsigned long id = c->id;
+ uint32_t id = c->id;
/* All ciphers are SSLv3 now. */
assert((id & 0xff000000) == 0x03000000);
return id & 0xffff;
@@ -1285,14 +985,14 @@
}
const SSL_CIPHER *ssl3_choose_cipher(
- SSL *s, STACK_OF(SSL_CIPHER) * clnt,
+ SSL *s, STACK_OF(SSL_CIPHER) *clnt,
struct ssl_cipher_preference_list_st *server_pref) {
const SSL_CIPHER *c, *ret = NULL;
STACK_OF(SSL_CIPHER) *srvr = server_pref->ciphers, *prio, *allow;
size_t i;
int ok;
size_t cipher_index;
- unsigned long alg_k, alg_a, mask_k, mask_a;
+ uint32_t alg_k, alg_a, mask_k, mask_a;
/* in_group_flags will either be NULL, or will point to an array of bytes
* which indicate equal-preference groups in the |prio| stack. See the
* comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
@@ -1389,7 +1089,7 @@
}
/* ECDSA certs can be used with RSA cipher suites as well so we don't need to
- * check for SSL_kECDH or SSL_kEECDH. */
+ * check for SSL_kECDH or SSL_kECDHE. */
if (s->version >= TLS1_VERSION && have_ecdsa_sign) {
p[ret++] = TLS_CT_ECDSA_SIGN;
}
@@ -1398,12 +1098,10 @@
}
static int ssl3_set_req_cert_type(CERT *c, const uint8_t *p, size_t len) {
- if (c->client_certificate_types) {
- OPENSSL_free(c->client_certificate_types);
- c->client_certificate_types = NULL;
- }
-
+ OPENSSL_free(c->client_certificate_types);
+ c->client_certificate_types = NULL;
c->num_client_certificate_types = 0;
+
if (!p || !len) {
return 1;
}
@@ -1474,29 +1172,12 @@
}
static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) {
- int ret;
-
ERR_clear_system_error();
if (s->s3->renegotiate) {
ssl3_renegotiate_check(s);
}
- s->s3->in_read_app_data = 1;
- ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);
- if (ret == -1 && s->s3->in_read_app_data == 2) {
- /* ssl3_read_bytes decided to call s->handshake_func, which called
- * ssl3_read_bytes to read handshake data. However, ssl3_read_bytes
- * actually found application data and thinks that application data makes
- * sense here; so disable handshake processing and try to read application
- * data again. */
- s->in_handshake++;
- ret =
- s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);
- s->in_handshake--;
- } else {
- s->s3->in_read_app_data = 0;
- }
- return ret;
+ return s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek);
}
int ssl3_read(SSL *s, void *buf, int len) {
@@ -1523,7 +1204,6 @@
* need to go to SSL_ST_ACCEPT. */
s->state = SSL_ST_RENEGOTIATE;
s->s3->renegotiate = 0;
- s->s3->num_renegotiations++;
s->s3->total_renegotiations++;
return 1;
}
@@ -1533,9 +1213,9 @@
/* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF and
* handshake macs if required. */
-long ssl_get_algorithm2(SSL *s) {
- static const unsigned long kMask = SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF;
- long alg2 = s->s3->tmp.new_cipher->algorithm2;
+uint32_t ssl_get_algorithm2(SSL *s) {
+ static const uint32_t kMask = SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF;
+ uint32_t alg2 = s->s3->tmp.new_cipher->algorithm2;
if (s->enc_method->enc_flags & SSL_ENC_FLAG_SHA256_PRF &&
(alg2 & kMask) == kMask) {
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
diff --git a/src/ssl/s3_meth.c b/src/ssl/s3_meth.c
index 5a25d7b..28b9051 100644
--- a/src/ssl/s3_meth.c
+++ b/src/ssl/s3_meth.c
@@ -54,10 +54,11 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
-#include "ssl_locl.h"
+#include "internal.h"
static const SSL_PROTOCOL_METHOD TLS_protocol_method = {
+ 0 /* is_dtls */,
ssl3_new,
ssl3_free,
ssl3_accept,
@@ -77,9 +78,9 @@
ssl3_pending,
ssl3_num_ciphers,
ssl3_get_cipher,
- ssl_undefined_void_function,
- ssl3_callback_ctrl,
- ssl3_ctx_callback_ctrl,
+ SSL3_HM_HEADER_LENGTH,
+ ssl3_set_handshake_header,
+ ssl3_handshake_write,
};
const SSL_METHOD *TLS_method(void) {
diff --git a/src/ssl/s3_pkt.c b/src/ssl/s3_pkt.c
index 3a42c3a..c42d000 100644
--- a/src/ssl/s3_pkt.c
+++ b/src/ssl/s3_pkt.c
@@ -107,9 +107,9 @@
* Hudson (tjh@cryptsoft.com). */
#include <assert.h>
-#include <errno.h>
#include <limits.h>
#include <stdio.h>
+#include <string.h>
#include <openssl/buf.h>
#include <openssl/err.h>
@@ -117,23 +117,23 @@
#include <openssl/mem.h>
#include <openssl/rand.h>
-#include "ssl_locl.h"
+#include "internal.h"
static int do_ssl3_write(SSL *s, int type, const uint8_t *buf, unsigned int len,
- char fragment, char is_fragment);
+ char fragment);
static int ssl3_get_record(SSL *s);
-int ssl3_read_n(SSL *s, int n, int max, int extend) {
+int ssl3_read_n(SSL *s, int n, int extend) {
/* If |extend| is 0, obtain new n-byte packet;
* if |extend| is 1, increase packet by another n bytes.
*
* The packet will be in the sub-array of |s->s3->rbuf.buf| specified by
- * |s->packet| and |s->packet_length|. (If |s->read_ahead| is set, |max|
- * bytes may be stored in |rbuf| (plus |s->packet_length| bytes if |extend|
- * is one.) */
+ * |s->packet| and |s->packet_length|. (If |s->read_ahead| is set and |extend|
+ * is 0, additional bytes may be read into |rbuf|, up to the size of the
+ * buffer.) */
int i, len, left;
- long align = 0;
+ uintptr_t align = 0;
uint8_t *pkt;
SSL3_BUFFER *rb;
@@ -148,8 +148,8 @@
left = rb->left;
- align = (long)rb->buf + SSL3_RT_HEADER_LENGTH;
- align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
+ align = (uintptr_t)rb->buf + SSL3_RT_HEADER_LENGTH;
+ align = (0 - align) & (SSL3_ALIGN_PAYLOAD - 1);
if (!extend) {
/* start with empty packet ... */
@@ -201,22 +201,14 @@
rb->offset = len + align;
}
- assert(n <= (int)(rb->len - rb->offset));
if (n > (int)(rb->len - rb->offset)) {
OPENSSL_PUT_ERROR(SSL, ssl3_read_n, ERR_R_INTERNAL_ERROR);
return -1;
}
- if (!s->read_ahead) {
- /* ignore max parameter */
- max = n;
- } else {
- if (max < n) {
- max = n;
- }
- if (max > (int)(rb->len - rb->offset)) {
- max = rb->len - rb->offset;
- }
+ int max = n;
+ if (s->read_ahead && !extend) {
+ max = rb->len - rb->offset;
}
while (left < n) {
@@ -233,8 +225,7 @@
if (i <= 0) {
rb->left = left;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s) &&
- len + left == 0) {
+ if (len + left == 0) {
ssl3_release_read_buffer(s);
}
return i;
@@ -281,29 +272,21 @@
rr = &s->s3->rrec;
- if (s->options & SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER) {
- extra = SSL3_RT_MAX_EXTRA;
- } else {
- extra = 0;
- }
-
- if (extra && !s->s3->init_extra) {
- /* An application error: SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER set after
- * ssl3_setup_buffers() was done */
- OPENSSL_PUT_ERROR(SSL, ssl3_get_record, ERR_R_INTERNAL_ERROR);
- return -1;
- }
-
again:
/* check if we have the header */
if (s->rstate != SSL_ST_READ_BODY ||
s->packet_length < SSL3_RT_HEADER_LENGTH) {
- n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, s->s3->rbuf.len, 0);
+ n = ssl3_read_n(s, SSL3_RT_HEADER_LENGTH, 0);
if (n <= 0) {
return n; /* error or non-blocking */
}
s->rstate = SSL_ST_READ_BODY;
+ /* Some bytes were read, so the read buffer must be existant and
+ * |s->s3->init_extra| is defined. */
+ assert(s->s3->rbuf.buf != NULL);
+ extra = s->s3->init_extra ? SSL3_RT_MAX_EXTRA : 0;
+
p = s->packet;
if (s->msg_callback) {
s->msg_callback(0, 0, SSL3_RT_HEADER, p, 5, s, s->msg_callback_arg);
@@ -318,10 +301,6 @@
if (s->s3->have_version && version != s->version) {
OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_WRONG_VERSION_NUMBER);
- if ((s->version & 0xFF00) == (version & 0xFF00)) {
- /* Send back error using their minor version number. */
- s->version = (unsigned short)version;
- }
al = SSL_AD_PROTOCOL_VERSION;
goto f_err;
}
@@ -331,13 +310,18 @@
goto err;
}
- if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) {
+ if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
al = SSL_AD_RECORD_OVERFLOW;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_PACKET_LENGTH_TOO_LONG);
+ OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
goto f_err;
}
/* now s->rstate == SSL_ST_READ_BODY */
+ } else {
+ /* |packet_length| is non-zero and |s->rstate| is |SSL_ST_READ_BODY|. The
+ * read buffer must be existant and |s->s3->init_extra| is defined. */
+ assert(s->s3->rbuf.buf != NULL);
+ extra = s->s3->init_extra ? SSL3_RT_MAX_EXTRA : 0;
}
/* s->rstate == SSL_ST_READ_BODY, get and decode the data */
@@ -345,7 +329,7 @@
if (rr->length > s->packet_length - SSL3_RT_HEADER_LENGTH) {
/* now s->packet_length == SSL3_RT_HEADER_LENGTH */
i = rr->length;
- n = ssl3_read_n(s, i, i, 1);
+ n = ssl3_read_n(s, i, 1);
if (n <= 0) {
/* Error or non-blocking IO. Now |n| == |rr->length|, and
* |s->packet_length| == |SSL3_RT_HEADER_LENGTH| + |rr->length|. */
@@ -367,13 +351,6 @@
/* We now have - encrypted [ MAC [ compressed [ plain ] ] ]
* rr->length bytes of encrypted compressed stuff. */
- /* check is not needed I believe */
- if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH + extra) {
- al = SSL_AD_RECORD_OVERFLOW;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_record, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
- goto f_err;
- }
-
/* decrypt in place in 'rr->input' */
rr->data = rr->input;
@@ -431,7 +408,7 @@
tot = s->s3->wnum;
s->s3->wnum = 0;
- if (SSL_in_init(s) && !s->in_handshake) {
+ if (!s->in_handshake && SSL_in_init(s) && !SSL_in_false_start(s)) {
i = s->handshake_func(s);
if (i < 0) {
return i;
@@ -454,6 +431,7 @@
return -1;
}
+ int record_split_done = 0;
n = (len - tot);
for (;;) {
/* max contains the maximum number of bytes that we can put into a
@@ -462,34 +440,27 @@
/* fragment is true if do_ssl3_write should send the first byte in its own
* record in order to randomise a CBC IV. */
int fragment = 0;
-
- if (n > 1 && s->s3->need_record_splitting &&
- type == SSL3_RT_APPLICATION_DATA && !s->s3->record_split_done) {
+ if (!record_split_done && s->s3->need_record_splitting &&
+ type == SSL3_RT_APPLICATION_DATA) {
+ /* Only the the first record per write call needs to be split. The
+ * remaining plaintext was determined before the IV was randomized. */
fragment = 1;
- /* record_split_done records that the splitting has been done in case we
- * hit an SSL_WANT_WRITE condition. In that case, we don't need to do the
- * split again. */
- s->s3->record_split_done = 1;
+ record_split_done = 1;
}
-
if (n > max) {
nw = max;
} else {
nw = n;
}
- i = do_ssl3_write(s, type, &(buf[tot]), nw, fragment, 0);
+ i = do_ssl3_write(s, type, &buf[tot], nw, fragment);
if (i <= 0) {
s->s3->wnum = tot;
- s->s3->record_split_done = 0;
return i;
}
if (i == (int)n || (type == SSL3_RT_APPLICATION_DATA &&
(s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) {
- /* next chunk of data should get another prepended, one-byte fragment in
- * ciphersuites with known-IV weakness. */
- s->s3->record_split_done = 0;
return tot + i;
}
@@ -498,20 +469,92 @@
}
}
+/* ssl3_seal_record seals a new record of type |type| and plaintext |in| and
+ * writes it to |out|. At most |max_out| bytes will be written. It returns one
+ * on success and zero on error. On success, |s->s3->wrec| is updated to include
+ * the new record. */
+static int ssl3_seal_record(SSL *s, uint8_t *out, size_t *out_len,
+ size_t max_out, uint8_t type, const uint8_t *in,
+ size_t in_len) {
+ if (max_out < SSL3_RT_HEADER_LENGTH) {
+ OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, SSL_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+
+ out[0] = type;
+
+ /* Some servers hang if initial ClientHello is larger than 256 bytes and
+ * record version number > TLS 1.0. */
+ if (!s->s3->have_version && s->version > SSL3_VERSION) {
+ out[1] = TLS1_VERSION >> 8;
+ out[2] = TLS1_VERSION & 0xff;
+ } else {
+ out[1] = s->version >> 8;
+ out[2] = s->version & 0xff;
+ }
+
+ size_t explicit_nonce_len = 0;
+ if (s->aead_write_ctx != NULL &&
+ s->aead_write_ctx->variable_nonce_included_in_record) {
+ explicit_nonce_len = s->aead_write_ctx->variable_nonce_len;
+ }
+ size_t max_overhead = 0;
+ if (s->aead_write_ctx != NULL) {
+ max_overhead = s->aead_write_ctx->tag_len;
+ }
+
+ /* Assemble the input for |s->enc_method->enc|. The input is the plaintext
+ * with |explicit_nonce_len| bytes of space prepended for the explicit
+ * nonce. The input is copied into |out| and then encrypted in-place to take
+ * advantage of alignment.
+ *
+ * TODO(davidben): |tls1_enc| should accept its inputs and outputs directly
+ * rather than looking up in |wrec| and friends. The |max_overhead| bounds
+ * check would also be unnecessary if |max_out| were passed down. */
+ SSL3_RECORD *wr = &s->s3->wrec;
+ size_t plaintext_len = in_len + explicit_nonce_len;
+ if (plaintext_len < in_len || plaintext_len > INT_MAX ||
+ plaintext_len + max_overhead < plaintext_len) {
+ OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, ERR_R_OVERFLOW);
+ return 0;
+ }
+ if (max_out - SSL3_RT_HEADER_LENGTH < plaintext_len + max_overhead) {
+ OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, SSL_R_BUFFER_TOO_SMALL);
+ return 0;
+ }
+ wr->type = type;
+ wr->input = out + SSL3_RT_HEADER_LENGTH;
+ wr->data = wr->input;
+ wr->length = plaintext_len;
+ memcpy(wr->input + explicit_nonce_len, in, in_len);
+
+ if (!s->enc_method->enc(s, 1)) {
+ return 0;
+ }
+
+ /* |wr->length| has now been set to the ciphertext length. */
+ if (wr->length >= 1 << 16) {
+ OPENSSL_PUT_ERROR(SSL, ssl3_seal_record, ERR_R_OVERFLOW);
+ return 0;
+ }
+ out[3] = wr->length >> 8;
+ out[4] = wr->length & 0xff;
+ *out_len = SSL3_RT_HEADER_LENGTH + (size_t)wr->length;
+
+ if (s->msg_callback) {
+ s->msg_callback(1 /* write */, 0, SSL3_RT_HEADER, out, SSL3_RT_HEADER_LENGTH,
+ s, s->msg_callback_arg);
+ }
+
+ return 1;
+}
+
/* do_ssl3_write writes an SSL record of the given type. If |fragment| is 1
* then it splits the record into a one byte record and a record with the rest
- * of the data in order to randomise a CBC IV. If |is_fragment| is true then
- * this call resulted from do_ssl3_write calling itself in order to create that
- * one byte fragment. */
+ * of the data in order to randomise a CBC IV. */
static int do_ssl3_write(SSL *s, int type, const uint8_t *buf, unsigned int len,
- char fragment, char is_fragment) {
- uint8_t *p, *plen;
- int i;
- int prefix_len = 0;
- int eivlen = 0;
- long align = 0;
- SSL3_RECORD *wr;
- SSL3_BUFFER *wb = &(s->s3->wbuf);
+ char fragment) {
+ SSL3_BUFFER *wb = &s->s3->wbuf;
/* first check if there is a SSL3_BUFFER still being written out. This will
* happen with non blocking IO */
@@ -521,9 +564,9 @@
/* If we have an alert to send, lets send it */
if (s->s3->alert_dispatch) {
- i = s->method->ssl_dispatch_alert(s);
- if (i <= 0) {
- return i;
+ int ret = s->method->ssl_dispatch_alert(s);
+ if (ret <= 0) {
+ return ret;
}
/* if it went, fall through and send more stuff */
}
@@ -535,122 +578,62 @@
if (len == 0) {
return 0;
}
+ if (len == 1) {
+ /* No sense in fragmenting a one-byte record. */
+ fragment = 0;
+ }
- wr = &s->s3->wrec;
-
+ /* Align the output so the ciphertext is aligned to |SSL3_ALIGN_PAYLOAD|. */
+ uintptr_t align;
if (fragment) {
- /* countermeasure against known-IV weakness in CBC ciphersuites (see
- * http://www.openssl.org/~bodo/tls-cbc.txt) */
- prefix_len = do_ssl3_write(s, type, buf, 1 /* length */, 0 /* fragment */,
- 1 /* is_fragment */);
- if (prefix_len <= 0) {
- goto err;
- }
-
- if (prefix_len >
- (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) {
- /* insufficient space */
- OPENSSL_PUT_ERROR(SSL, do_ssl3_write, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-
- if (is_fragment) {
- /* The extra fragment would be couple of cipher blocks, and that will be a
- * multiple of SSL3_ALIGN_PAYLOAD. So, if we want to align the real
- * payload, we can just pretend that we have two headers and a byte. */
- align = (long)wb->buf + 2 * SSL3_RT_HEADER_LENGTH + 1;
- align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
- p = wb->buf + align;
- wb->offset = align;
- } else if (prefix_len) {
- p = wb->buf + wb->offset + prefix_len;
+ /* Only CBC-mode ciphers require fragmenting. CBC-mode ciphertext is a
+ * multiple of the block size which we may assume is aligned. Thus we only
+ * need to account for a second copy of the record header. */
+ align = (uintptr_t)wb->buf + 2 * SSL3_RT_HEADER_LENGTH;
} else {
- align = (long)wb->buf + SSL3_RT_HEADER_LENGTH;
- align = (-align) & (SSL3_ALIGN_PAYLOAD - 1);
- p = wb->buf + align;
- wb->offset = align;
+ align = (uintptr_t)wb->buf + SSL3_RT_HEADER_LENGTH;
+ }
+ align = (0 - align) & (SSL3_ALIGN_PAYLOAD - 1);
+ uint8_t *out = wb->buf + align;
+ wb->offset = align;
+ size_t max_out = wb->len - wb->offset;
+
+ const uint8_t *orig_buf = buf;
+ unsigned int orig_len = len;
+ size_t fragment_len = 0;
+ if (fragment) {
+ /* Write the first byte in its own record as a countermeasure against
+ * known-IV weaknesses in CBC ciphersuites. (See
+ * http://www.openssl.org/~bodo/tls-cbc.txt.) */
+ if (!ssl3_seal_record(s, out, &fragment_len, max_out, type, buf, 1)) {
+ return -1;
+ }
+ out += fragment_len;
+ max_out -= fragment_len;
+ buf++;
+ len--;
}
- /* write the header */
-
- *(p++) = type & 0xff;
- wr->type = type;
-
- /* Some servers hang if initial ClientHello is larger than 256 bytes and
- * record version number > TLS 1.0. */
- if (!s->s3->have_version && s->version > SSL3_VERSION) {
- *(p++) = TLS1_VERSION >> 8;
- *(p++) = TLS1_VERSION & 0xff;
- } else {
- *(p++) = s->version >> 8;
- *(p++) = s->version & 0xff;
+ assert((((uintptr_t)out + SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1))
+ == 0);
+ size_t ciphertext_len;
+ if (!ssl3_seal_record(s, out, &ciphertext_len, max_out, type, buf, len)) {
+ return -1;
}
-
- /* field where we are to write out packet length */
- plen = p;
- p += 2;
-
- /* Leave room for the variable nonce for AEADs which specify it explicitly. */
- if (s->aead_write_ctx != NULL &&
- s->aead_write_ctx->variable_nonce_included_in_record) {
- eivlen = s->aead_write_ctx->variable_nonce_len;
- }
-
- /* lets setup the record stuff. */
- wr->data = p + eivlen;
- wr->length = (int)(len - (fragment != 0));
- wr->input = (uint8_t *)buf + (fragment != 0);
-
- /* we now 'read' from wr->input, wr->length bytes into wr->data */
-
- memcpy(wr->data, wr->input, wr->length);
- wr->input = wr->data;
-
- /* we should still have the output to wr->data and the input from wr->input.
- * Length should be wr->length. wr->data still points in the wb->buf */
-
- wr->input = p;
- wr->data = p;
- wr->length += eivlen;
-
- if (!s->enc_method->enc(s, 1)) {
- goto err;
- }
-
- /* record length after mac and block padding */
- s2n(wr->length, plen);
-
- if (s->msg_callback) {
- s->msg_callback(1, 0, SSL3_RT_HEADER, plen - 5, 5, s, s->msg_callback_arg);
- }
-
- /* we should now have wr->data pointing to the encrypted data, which is
- * wr->length long. */
- wr->type = type; /* not needed but helps for debugging */
- wr->length += SSL3_RT_HEADER_LENGTH;
-
- if (is_fragment) {
- /* we are in a recursive call; just return the length, don't write out
- * anything. */
- return wr->length;
- }
+ ciphertext_len += fragment_len;
/* now let's set up wb */
- wb->left = prefix_len + wr->length;
+ wb->left = ciphertext_len;
/* memorize arguments so that ssl3_write_pending can detect bad write retries
* later */
- s->s3->wpend_tot = len;
- s->s3->wpend_buf = buf;
+ s->s3->wpend_tot = orig_len;
+ s->s3->wpend_buf = orig_buf;
s->s3->wpend_type = type;
- s->s3->wpend_ret = len;
+ s->s3->wpend_ret = orig_len;
/* we now just need to write the buffer */
- return ssl3_write_pending(s, type, buf, len);
-
-err:
- return -1;
+ return ssl3_write_pending(s, type, orig_buf, orig_len);
}
/* if s->s3->wbuf.left != 0, we need to call this */
@@ -679,19 +662,19 @@
if (i == wb->left) {
wb->left = 0;
wb->offset += i;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s)) {
- ssl3_release_write_buffer(s);
- }
+ ssl3_release_write_buffer(s);
s->rwstate = SSL_NOTHING;
return s->s3->wpend_ret;
} else if (i <= 0) {
if (SSL_IS_DTLS(s)) {
- /* For DTLS, just drop it. That's kind of the whole
- point in using a datagram service */
+ /* For DTLS, just drop it. That's kind of the whole point in
+ * using a datagram service */
wb->left = 0;
}
return i;
}
+ /* TODO(davidben): This codepath is used in DTLS, but the write
+ * payload may not split across packets. */
wb->offset += i;
wb->left -= i;
}
@@ -741,15 +724,10 @@
* none of our business
*/
int ssl3_read_bytes(SSL *s, int type, uint8_t *buf, int len, int peek) {
- int al, i, j, ret;
+ int al, i, ret;
unsigned int n;
SSL3_RECORD *rr;
void (*cb)(const SSL *ssl, int type2, int val) = NULL;
- uint8_t alert_buffer[2];
-
- if (s->s3->rbuf.buf == NULL && !ssl3_setup_read_buffer(s)) {
- return -1;
- }
if ((type && type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_HANDSHAKE) ||
(peek && type != SSL3_RT_APPLICATION_DATA)) {
@@ -780,8 +758,13 @@
/* Now s->s3->handshake_fragment_len == 0 if type == SSL3_RT_HANDSHAKE. */
- if (!s->in_handshake && SSL_in_init(s)) {
- /* type == SSL3_RT_APPLICATION_DATA */
+ /* This may require multiple iterations. False Start will cause
+ * |s->handshake_func| to signal success one step early, but the handshake
+ * must be completely finished before other modes are accepted.
+ *
+ * TODO(davidben): Move this check up to a higher level. */
+ while (!s->in_handshake && SSL_in_init(s)) {
+ assert(type == SSL3_RT_APPLICATION_DATA);
i = s->handshake_func(s);
if (i < 0) {
return i;
@@ -811,9 +794,10 @@
/* we now have a packet which can be read and processed */
- if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
- * reset by ssl3_get_finished */
- && rr->type != SSL3_RT_HANDSHAKE) {
+ /* |change_cipher_spec is set when we receive a ChangeCipherSpec and reset by
+ * ssl3_get_finished. */
+ if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE &&
+ rr->type != SSL3_RT_ALERT) {
al = SSL_AD_UNEXPECTED_MESSAGE;
OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes,
SSL_R_DATA_BETWEEN_CCS_AND_FINISHED);
@@ -866,7 +850,7 @@
if (rr->length == 0) {
s->rstate = SSL_ST_READ_HEADER;
rr->off = 0;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) {
+ if (s->s3->rbuf.left == 0) {
ssl3_release_read_buffer(s);
}
}
@@ -883,6 +867,14 @@
* that we can process the data at a fixed place. */
if (rr->type == SSL3_RT_HANDSHAKE) {
+ /* If peer renegotiations are disabled, all out-of-order handshake records
+ * are fatal. */
+ if (s->reject_peer_renegotiations) {
+ al = SSL_AD_NO_RENEGOTIATION;
+ OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_NO_RENEGOTIATION);
+ goto f_err;
+ }
+
const size_t size = sizeof(s->s3->handshake_fragment);
const size_t avail = size - s->s3->handshake_fragment_len;
const size_t todo = (rr->length < avail) ? rr->length : avail;
@@ -894,17 +886,6 @@
if (s->s3->handshake_fragment_len < size) {
goto start; /* fragment was too small */
}
- } else if (rr->type == SSL3_RT_ALERT) {
- /* Note that this will still allow multiple alerts to be processed in the
- * same record */
- if (rr->length < sizeof(alert_buffer)) {
- al = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_BAD_ALERT);
- goto f_err;
- }
- memcpy(alert_buffer, &rr->data[rr->off], sizeof(alert_buffer));
- rr->off += sizeof(alert_buffer);
- rr->length -= sizeof(alert_buffer);
}
/* s->s3->handshake_fragment_len == 4 iff rr->type == SSL3_RT_HANDSHAKE;
@@ -947,14 +928,23 @@
goto start;
}
+ /* If an alert record, process one alert out of the record. Note that we allow
+ * a single record to contain multiple alerts. */
if (rr->type == SSL3_RT_ALERT) {
- const uint8_t alert_level = alert_buffer[0];
- const uint8_t alert_descr = alert_buffer[1];
+ /* Alerts may not be fragmented. */
+ if (rr->length < 2) {
+ al = SSL_AD_DECODE_ERROR;
+ OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_BAD_ALERT);
+ goto f_err;
+ }
if (s->msg_callback) {
- s->msg_callback(0, s->version, SSL3_RT_ALERT, alert_buffer, 2, s,
+ s->msg_callback(0, s->version, SSL3_RT_ALERT, &rr->data[rr->off], 2, s,
s->msg_callback_arg);
}
+ const uint8_t alert_level = rr->data[rr->off++];
+ const uint8_t alert_descr = rr->data[rr->off++];
+ rr->length -= 2;
if (s->info_callback != NULL) {
cb = s->info_callback;
@@ -963,12 +953,11 @@
}
if (cb != NULL) {
- j = (alert_level << 8) | alert_descr;
- cb(s, SSL_CB_READ_ALERT, j);
+ uint16_t alert = (alert_level << 8) | alert_descr;
+ cb(s, SSL_CB_READ_ALERT, alert);
}
- if (alert_level == 1) {
- /* warning */
+ if (alert_level == SSL3_AL_WARNING) {
s->s3->warn_alert = alert_descr;
if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
@@ -987,8 +976,7 @@
OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_NO_RENEGOTIATION);
goto f_err;
}
- } else if (alert_level == 2) {
- /* fatal */
+ } else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
s->rwstate = SSL_NOTHING;
@@ -1074,50 +1062,12 @@
goto start;
}
- switch (rr->type) {
- default:
- /* TLS up to v1.1 just ignores unknown message types. TLS v1.2 gives an
- * unexpected message alert. */
- if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
- rr->length = 0;
- goto start;
- }
- al = SSL_AD_UNEXPECTED_MESSAGE;
- OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_UNEXPECTED_RECORD);
- goto f_err;
+ /* We already handled these. */
+ assert(rr->type != SSL3_RT_CHANGE_CIPHER_SPEC && rr->type != SSL3_RT_ALERT &&
+ rr->type != SSL3_RT_HANDSHAKE);
- case SSL3_RT_CHANGE_CIPHER_SPEC:
- case SSL3_RT_ALERT:
- case SSL3_RT_HANDSHAKE:
- /* we already handled all of these, with the possible exception of
- * SSL3_RT_HANDSHAKE when s->in_handshake is set, but that should not
- * happen when type != rr->type */
- al = SSL_AD_UNEXPECTED_MESSAGE;
- OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, ERR_R_INTERNAL_ERROR);
- goto f_err;
-
- case SSL3_RT_APPLICATION_DATA:
- /* At this point we were expecting handshake data but have application
- * data. If the library was running inside ssl3_read() (i.e.
- * |in_read_app_data| is set) and it makes sense to read application data
- * at this point (session renegotiation not yet started), we will indulge
- * it. */
- if (s->s3->in_read_app_data && s->s3->total_renegotiations != 0 &&
- (((s->state & SSL_ST_CONNECT) &&
- s->state >= SSL3_ST_CW_CLNT_HELLO_A &&
- s->state <= SSL3_ST_CR_SRVR_HELLO_A) ||
- ((s->state & SSL_ST_ACCEPT) &&
- s->state <= SSL3_ST_SW_HELLO_REQ_A &&
- s->state >= SSL3_ST_SR_CLNT_HELLO_A))) {
- s->s3->in_read_app_data = 2;
- return -1;
- } else {
- al = SSL_AD_UNEXPECTED_MESSAGE;
- OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_UNEXPECTED_RECORD);
- goto f_err;
- }
- }
- /* not reached */
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ OPENSSL_PUT_ERROR(SSL, ssl3_read_bytes, SSL_R_UNEXPECTED_RECORD);
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
@@ -1189,7 +1139,7 @@
void (*cb)(const SSL *ssl, int type, int val) = NULL;
s->s3->alert_dispatch = 0;
- i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0, 0);
+ i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0);
if (i <= 0) {
s->s3->alert_dispatch = 1;
} else {
diff --git a/src/ssl/s3_srvr.c b/src/ssl/s3_srvr.c
index b346d14..3cc3032 100644
--- a/src/ssl/s3_srvr.c
+++ b/src/ssl/s3_srvr.c
@@ -146,8 +146,6 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE. */
-#define NETSCAPE_HANG_BUG
-
#include <assert.h>
#include <stdio.h>
#include <string.h>
@@ -159,6 +157,7 @@
#include <openssl/dh.h>
#include <openssl/ec.h>
#include <openssl/ecdsa.h>
+#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/md5.h>
@@ -168,7 +167,7 @@
#include <openssl/sha.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
+#include "internal.h"
#include "../crypto/internal.h"
#include "../crypto/dh/internal.h"
@@ -179,7 +178,7 @@
int ssl3_accept(SSL *s) {
BUF_MEM *buf = NULL;
- unsigned long alg_a;
+ uint32_t alg_a;
void (*cb)(const SSL *ssl, int type, int val) = NULL;
int ret = -1;
int new_state, state, skip = 0;
@@ -228,11 +227,6 @@
}
s->init_num = 0;
- if (!ssl3_setup_buffers(s)) {
- ret = -1;
- goto end;
- }
-
if (!s->s3->send_connection_binding &&
!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
/* Server attempting to renegotiate with client that doesn't support
@@ -244,7 +238,6 @@
goto end;
}
- s->ctx->stats.sess_accept_renegotiate++;
s->state = SSL3_ST_SW_HELLO_REQ_A;
break;
@@ -278,6 +271,15 @@
cb(s, SSL_CB_HANDSHAKE_START, 1);
}
+ if ((s->version >> 8) != 3) {
+ /* TODO(davidben): Some consumers clear |s->version| to break the
+ * handshake in a callback. Remove this when they're using proper
+ * APIs. */
+ OPENSSL_PUT_ERROR(SSL, ssl3_accept, ERR_R_INTERNAL_ERROR);
+ ret = -1;
+ goto end;
+ }
+
if (s->init_buf == NULL) {
buf = BUF_MEM_new();
if (!buf || !BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
@@ -289,6 +291,13 @@
}
s->init_num = 0;
+ /* Enable a write buffer. This groups handshake messages within a flight
+ * into a single write. */
+ if (!ssl_init_wbio_buffer(s, 1)) {
+ ret = -1;
+ goto end;
+ }
+
if (!ssl3_init_finished_mac(s)) {
OPENSSL_PUT_ERROR(SSL, ssl3_accept, ERR_R_INTERNAL_ERROR);
ret = -1;
@@ -296,22 +305,10 @@
}
if (!s->s3->have_version) {
- /* This is the initial handshake. The record layer has not been
- * initialized yet. Sniff for a V2ClientHello before reading a
- * ClientHello normally. */
- assert(s->s3->rbuf.buf == NULL);
- assert(s->s3->wbuf.buf == NULL);
s->state = SSL3_ST_SR_INITIAL_BYTES;
} else {
- /* Enable a write buffer. This groups handshake messages within a
- * flight into a single write. */
- if (!ssl3_setup_buffers(s) || !ssl_init_wbio_buffer(s, 1)) {
- ret = -1;
- goto end;
- }
s->state = SSL3_ST_SR_CLNT_HELLO_A;
}
- s->ctx->stats.sess_accept++;
break;
case SSL3_ST_SR_INITIAL_BYTES:
@@ -337,14 +334,6 @@
case SSL3_ST_SR_CLNT_HELLO_D:
s->shutdown = 0;
ret = ssl3_get_client_hello(s);
- if (ret == PENDING_SESSION) {
- s->rwstate = SSL_PENDING_SESSION;
- goto end;
- }
- if (ret == CERTIFICATE_SELECTION_PENDING) {
- s->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
- goto end;
- }
if (ret <= 0) {
goto end;
}
@@ -404,8 +393,9 @@
if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher) ||
((alg_a & SSL_aPSK) && s->psk_identity_hint)) {
ret = ssl3_send_server_key_exchange(s);
- if (ret <= 0)
+ if (ret <= 0) {
goto end;
+ }
} else {
skip = 1;
}
@@ -425,13 +415,6 @@
* don't request cert during re-negotiation: */
((s->session->peer != NULL) &&
(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
- /* never request cert in anonymous ciphersuites
- * (see section "Certificate request" in SSL 3 drafts
- * and in RFC 2246): */
- ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
- /* ... except when the application insists on verification
- * (against the specs, but s3_clnt.c accepts this for SSL 3) */
- !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
/* With normal PSK Certificates and
* Certificate Requests are omitted */
(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
@@ -449,14 +432,7 @@
if (ret <= 0) {
goto end;
}
-#ifndef NETSCAPE_HANG_BUG
s->state = SSL3_ST_SW_SRVR_DONE_A;
-#else
- /* ServerHelloDone was already sent in the
- * previous record. */
- s->state = SSL3_ST_SW_FLUSH;
- s->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
-#endif
s->init_num = 0;
}
break;
@@ -659,7 +635,7 @@
/* If we aren't retaining peer certificates then we can discard it
* now. */
- if (s->session->peer && s->ctx->retain_only_sha256_of_client_certs) {
+ if (s->ctx->retain_only_sha256_of_client_certs) {
X509_free(s->session->peer);
s->session->peer = NULL;
}
@@ -671,8 +647,6 @@
ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
- s->ctx->stats.sess_accept_good++;
-
if (cb != NULL) {
cb(s, SSL_CB_HANDSHAKE_DONE, 1);
}
@@ -698,9 +672,7 @@
end:
s->in_handshake--;
- if (buf != NULL) {
- BUF_MEM_free(buf);
- }
+ BUF_MEM_free(buf);
if (cb != NULL) {
cb(s, SSL_CB_ACCEPT_EXIT, ret);
}
@@ -770,10 +742,12 @@
p[5] == SSL3_MT_CLIENT_HELLO) {
/* This is a ClientHello. Initialize the record layer with the already
* consumed data and continue the handshake. */
- if (!ssl3_setup_buffers(s) || !ssl_init_wbio_buffer(s, 1)) {
+ if (!ssl3_setup_read_buffer(s)) {
return -1;
}
assert(s->rstate == SSL_ST_READ_HEADER);
+ /* There cannot have already been data in the record layer. */
+ assert(s->s3->rbuf.left == 0);
memcpy(s->s3->rbuf.buf, p, s->s3->sniff_buffer_len);
s->s3->rbuf.offset = 0;
s->s3->rbuf.left = s->s3->sniff_buffer_len;
@@ -829,7 +803,10 @@
/* The V2ClientHello without the length is incorporated into the Finished
* hash. */
- ssl3_finish_mac(s, CBS_data(&v2_client_hello), CBS_len(&v2_client_hello));
+ if (!ssl3_finish_mac(s, CBS_data(&v2_client_hello),
+ CBS_len(&v2_client_hello))) {
+ return -1;
+ }
if (s->msg_callback) {
s->msg_callback(0, SSL2_VERSION, 0, CBS_data(&v2_client_hello),
CBS_len(&v2_client_hello), s, s->msg_callback_arg);
@@ -913,11 +890,6 @@
/* The handshake message header is 4 bytes. */
s->s3->tmp.message_size = len - 4;
- /* Initialize the record layer. */
- if (!ssl3_setup_buffers(s) || !ssl_init_wbio_buffer(s, 1)) {
- return -1;
- }
-
/* Drop the sniff buffer. */
BUF_MEM_free(s->s3->sniff_buffer);
s->s3->sniff_buffer = NULL;
@@ -928,7 +900,9 @@
int ssl3_send_hello_request(SSL *s) {
if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
- ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0);
+ if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
+ return -1;
+ }
s->state = SSL3_ST_SW_HELLO_REQ_B;
}
@@ -956,31 +930,12 @@
n = s->method->ssl_get_message(
s, SSL3_ST_SR_CLNT_HELLO_A, SSL3_ST_SR_CLNT_HELLO_B,
SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH,
- SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ ssl_hash_message, &ok);
if (!ok) {
return n;
}
- /* If we require cookies and this ClientHello doesn't contain one, just
- * return since we do not want to allocate any memory yet. So check
- * cookie length... */
- if (SSL_IS_DTLS(s) && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
- uint8_t cookie_length;
-
- CBS_init(&client_hello, s->init_msg, n);
- if (!CBS_skip(&client_hello, 2 + SSL3_RANDOM_SIZE) ||
- !CBS_get_u8_length_prefixed(&client_hello, &session_id) ||
- !CBS_get_u8(&client_hello, &cookie_length)) {
- al = SSL_AD_DECODE_ERROR;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_DECODE_ERROR);
- goto f_err;
- }
-
- if (cookie_length == 0) {
- return 1;
- }
- }
s->state = SSL3_ST_SR_CLNT_HELLO_C;
/* fallthrough */
case SSL3_ST_SR_CLNT_HELLO_C:
@@ -1006,7 +961,8 @@
s->state = SSL3_ST_SR_CLNT_HELLO_D;
switch (s->ctx->select_certificate_cb(&early_ctx)) {
case 0:
- return CERTIFICATE_SELECTION_PENDING;
+ s->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
+ goto err;
case -1:
/* Connection rejected. */
@@ -1053,27 +1009,6 @@
OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_DECODE_ERROR);
goto f_err;
}
-
- /* Verify the cookie if appropriate option is set. */
- if ((SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) && CBS_len(&cookie) > 0) {
- if (s->ctx->app_verify_cookie_cb != NULL) {
- if (s->ctx->app_verify_cookie_cb(s, CBS_data(&cookie),
- CBS_len(&cookie)) == 0) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_COOKIE_MISMATCH);
- goto f_err;
- }
- /* else cookie verification succeeded */
- } else if (!CBS_mem_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) {
- /* default verification */
- al = SSL_AD_HANDSHAKE_FAILURE;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_COOKIE_MISMATCH);
- goto f_err;
- }
- /* Set to -2 so if successful we return 2 and don't send
- * HelloVerifyRequest. */
- ret = -2;
- }
}
if (!s->s3->have_version) {
@@ -1118,7 +1053,7 @@
} else {
i = ssl_get_prev_session(s, &early_ctx);
if (i == PENDING_SESSION) {
- ret = PENDING_SESSION;
+ s->rwstate = SSL_PENDING_SESSION;
goto err;
} else if (i == -1) {
goto err;
@@ -1136,7 +1071,16 @@
}
}
+ if (s->ctx->dos_protection_cb != NULL && s->ctx->dos_protection_cb(&early_ctx) == 0) {
+ /* Connection rejected for DOS reasons. */
+ al = SSL_AD_ACCESS_DENIED;
+ OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_CONNECTION_REJECTED);
+ goto f_err;
+ }
+
if (!CBS_get_u16_length_prefixed(&client_hello, &cipher_suites) ||
+ CBS_len(&cipher_suites) == 0 ||
+ CBS_len(&cipher_suites) % 2 != 0 ||
!CBS_get_u8_length_prefixed(&client_hello, &compression_methods) ||
CBS_len(&compression_methods) == 0) {
al = SSL_AD_DECODE_ERROR;
@@ -1144,28 +1088,16 @@
goto f_err;
}
- /* TODO(davidben): Per spec, cipher_suites can never be empty (specified at
- * the ClientHello structure level). This logic allows it to be empty if
- * resuming a session. Can we always require non-empty? If a client sends
- * empty cipher_suites because it's resuming a session, it could always fail
- * to resume a session, so it's unlikely to actually work. */
- if (CBS_len(&cipher_suites) == 0 && CBS_len(&session_id) != 0) {
- /* We need a cipher if we are not resuming a session. */
- al = SSL_AD_ILLEGAL_PARAMETER;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_client_hello, SSL_R_NO_CIPHERS_SPECIFIED);
- goto f_err;
- }
-
ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites);
if (ciphers == NULL) {
goto err;
}
/* If it is a hit, check that the cipher is in the list. */
- if (s->hit && CBS_len(&cipher_suites) > 0) {
+ if (s->hit) {
size_t j;
int found_cipher = 0;
- unsigned long id = s->session->cipher->id;
+ uint32_t id = s->session->cipher->id;
for (j = 0; j < sk_SSL_CIPHER_num(ciphers); j++) {
c = sk_SSL_CIPHER_value(ciphers, j);
@@ -1269,9 +1201,7 @@
}
err:
- if (ciphers != NULL) {
- sk_SSL_CIPHER_free(ciphers);
- }
+ sk_SSL_CIPHER_free(ciphers);
return ret;
}
@@ -1285,7 +1215,7 @@
/* We only accept ChannelIDs on connections with ECDHE in order to avoid a
* known attack while we fix ChannelID itself. */
if (s->s3->tlsext_channel_id_valid &&
- (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kEECDH) == 0) {
+ (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
s->s3->tlsext_channel_id_valid = 0;
}
@@ -1354,7 +1284,9 @@
/* do the header */
l = (p - d);
- ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l);
+ if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
+ return -1;
+ }
s->state = SSL3_ST_SW_SRVR_HELLO_B;
}
@@ -1364,7 +1296,9 @@
int ssl3_send_server_done(SSL *s) {
if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
- ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0);
+ if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
+ return -1;
+ }
s->state = SSL3_ST_SW_SRVR_DONE_B;
}
@@ -1374,7 +1308,7 @@
int ssl3_send_server_key_exchange(SSL *s) {
DH *dh = NULL, *dhp;
- EC_KEY *ecdh = NULL, *ecdhp;
+ EC_KEY *ecdh = NULL;
uint8_t *encodedPoint = NULL;
int encodedlen = 0;
uint16_t curve_id = 0;
@@ -1384,8 +1318,8 @@
EVP_PKEY *pkey;
uint8_t *p, *d;
int al, i;
- unsigned long alg_k;
- unsigned long alg_a;
+ uint32_t alg_k;
+ uint32_t alg_a;
int n;
CERT *cert;
BIGNUM *r[4];
@@ -1414,7 +1348,7 @@
n += 2 + psk_identity_hint_len;
}
- if (alg_k & SSL_kEDH) {
+ if (alg_k & SSL_kDHE) {
dhp = cert->dh_tmp;
if (dhp == NULL && s->cert->dh_tmp_cb != NULL) {
dhp = s->cert->dh_tmp_cb(s, 0, 1024);
@@ -1431,46 +1365,37 @@
ERR_R_INTERNAL_ERROR);
goto err;
}
-
dh = DHparams_dup(dhp);
if (dh == NULL) {
OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
goto err;
}
-
s->s3->tmp.dh = dh;
- if (dhp->pub_key == NULL || dhp->priv_key == NULL ||
- (s->options & SSL_OP_SINGLE_DH_USE)) {
- if (!DH_generate_key(dh)) {
- OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
- goto err;
- }
- } else {
- dh->pub_key = BN_dup(dhp->pub_key);
- dh->priv_key = BN_dup(dhp->priv_key);
- if (dh->pub_key == NULL || dh->priv_key == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
- goto err;
- }
+
+ if (!DH_generate_key(dh)) {
+ OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_DH_LIB);
+ goto err;
}
r[0] = dh->p;
r[1] = dh->g;
r[2] = dh->pub_key;
- } else if (alg_k & SSL_kEECDH) {
- const EC_GROUP *group;
-
- ecdhp = cert->ecdh_tmp;
- if (s->cert->ecdh_tmp_auto) {
- /* Get NID of appropriate shared curve */
- int nid = tls1_get_shared_curve(s);
- if (nid != NID_undef) {
- ecdhp = EC_KEY_new_by_curve_name(nid);
+ } else if (alg_k & SSL_kECDHE) {
+ /* Determine the curve to use. */
+ int nid = NID_undef;
+ if (cert->ecdh_nid != NID_undef) {
+ nid = cert->ecdh_nid;
+ } else if (cert->ecdh_tmp_cb != NULL) {
+ /* Note: |ecdh_tmp_cb| does NOT pass ownership of the result
+ * to the caller. */
+ EC_KEY *template = s->cert->ecdh_tmp_cb(s, 0, 1024);
+ if (template != NULL && EC_KEY_get0_group(template) != NULL) {
+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(template));
}
- } else if (ecdhp == NULL && s->cert->ecdh_tmp_cb) {
- ecdhp = s->cert->ecdh_tmp_cb(s, 0, 1024);
+ } else {
+ nid = tls1_get_shared_curve(s);
}
- if (ecdhp == NULL) {
+ if (nid == NID_undef) {
al = SSL_AD_HANDSHAKE_FAILURE;
OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
SSL_R_MISSING_TMP_ECDH_KEY);
@@ -1482,42 +1407,19 @@
ERR_R_INTERNAL_ERROR);
goto err;
}
-
- /* Duplicate the ECDH structure. */
- if (ecdhp == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (ecdh == NULL) {
goto err;
}
-
- if (s->cert->ecdh_tmp_auto) {
- ecdh = ecdhp;
- } else {
- ecdh = EC_KEY_dup(ecdhp);
- if (ecdh == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
- goto err;
- }
- }
-
s->s3->tmp.ecdh = ecdh;
- if (EC_KEY_get0_public_key(ecdh) == NULL ||
- EC_KEY_get0_private_key(ecdh) == NULL ||
- (s->options & SSL_OP_SINGLE_ECDH_USE)) {
- if (!EC_KEY_generate_key(ecdh)) {
- OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
- goto err;
- }
- }
- group = EC_KEY_get0_group(ecdh);
- if (group == NULL ||
- EC_KEY_get0_public_key(ecdh) == NULL ||
- EC_KEY_get0_private_key(ecdh) == NULL) {
+ if (!EC_KEY_generate_key(ecdh)) {
OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange, ERR_R_ECDH_LIB);
goto err;
}
/* We only support ephemeral ECDH keys over named (not generic) curves. */
+ const EC_GROUP *group = EC_KEY_get0_group(ecdh);
if (!tls1_ec_nid2curve_id(&curve_id, EC_GROUP_get_curve_name(group))) {
OPENSSL_PUT_ERROR(SSL, ssl3_send_server_key_exchange,
SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
@@ -1597,7 +1499,7 @@
p += nr[i];
}
- /* Note: ECDHE PSK ciphersuites use SSL_kEECDH and SSL_aPSK. When one of
+ /* Note: ECDHE PSK ciphersuites use SSL_kECDHE and SSL_aPSK. When one of
* them is used, the server key exchange record needs to have both the
* psk_identity_hint and the ServerECDHParams. */
if (alg_a & SSL_aPSK) {
@@ -1609,7 +1511,7 @@
}
}
- if (alg_k & SSL_kEECDH) {
+ if (alg_k & SSL_kECDHE) {
/* We only support named (not generic) curves. In this situation, the
* serverKeyExchange message has:
* [1 byte CurveType], [2 byte CurveName]
@@ -1667,7 +1569,9 @@
}
}
- ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n);
+ if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
+ goto err;
+ }
}
s->state = SSL3_ST_SW_KEY_EXCH_B;
@@ -1677,9 +1581,7 @@
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
err:
- if (encodedPoint != NULL) {
- OPENSSL_free(encodedPoint);
- }
+ OPENSSL_free(encodedPoint);
BN_CTX_free(bn_ctx);
EVP_MD_CTX_cleanup(&md_ctx);
return -1;
@@ -1740,27 +1642,9 @@
p = ssl_handshake_start(s) + off;
s2n(nl, p);
- ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n);
-
-#ifdef NETSCAPE_HANG_BUG
- if (!SSL_IS_DTLS(s)) {
- /* Prepare a ServerHelloDone in the same record. This is to workaround a
- * hang in Netscape. */
- if (!BUF_MEM_grow_clean(buf, s->init_num + 4)) {
- OPENSSL_PUT_ERROR(SSL, ssl3_send_certificate_request, ERR_R_BUF_LIB);
- goto err;
- }
- p = (uint8_t *)s->init_buf->data + s->init_num;
- /* do the header */
- *(p++) = SSL3_MT_SERVER_DONE;
- *(p++) = 0;
- *(p++) = 0;
- *(p++) = 0;
- s->init_num += 4;
- ssl3_finish_mac(s, p - 4, 4);
+ if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
+ goto err;
}
-#endif
-
s->state = SSL3_ST_SW_CERT_REQ_B;
}
@@ -1775,8 +1659,8 @@
int al, ok;
long n;
CBS client_key_exchange;
- unsigned long alg_k;
- unsigned long alg_a;
+ uint32_t alg_k;
+ uint32_t alg_a;
uint8_t *premaster_secret = NULL;
size_t premaster_secret_len = 0;
RSA *rsa = NULL;
@@ -1795,7 +1679,7 @@
n = s->method->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A,
SSL3_ST_SR_KEY_EXCH_B,
SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, /* ??? */
- SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ ssl_hash_message, &ok);
if (!ok) {
return n;
@@ -1983,7 +1867,7 @@
}
premaster_secret_len = sizeof(rand_premaster_secret);
- } else if (alg_k & SSL_kEDH) {
+ } else if (alg_k & SSL_kDHE) {
CBS dh_Yc;
int dh_len;
@@ -2014,6 +1898,7 @@
if (premaster_secret == NULL) {
OPENSSL_PUT_ERROR(SSL, ssl3_get_client_key_exchange,
ERR_R_MALLOC_FAILURE);
+ BN_clear_free(pub);
goto err;
}
@@ -2030,7 +1915,7 @@
pub = NULL;
premaster_secret_len = dh_len;
- } else if (alg_k & SSL_kEECDH) {
+ } else if (alg_k & SSL_kECDHE) {
int field_size = 0, ecdh_len;
const EC_KEY *tkey;
const EC_GROUP *group;
@@ -2191,14 +2076,10 @@
}
OPENSSL_free(premaster_secret);
}
- if (decrypt_buf) {
- OPENSSL_free(decrypt_buf);
- }
+ OPENSSL_free(decrypt_buf);
EVP_PKEY_free(clnt_pub_pkey);
EC_POINT_free(clnt_ecpoint);
- if (srvr_ecdh != NULL) {
- EC_KEY_free(srvr_ecdh);
- }
+ EC_KEY_free(srvr_ecdh);
BN_CTX_free(bn_ctx);
return -1;
@@ -2229,7 +2110,7 @@
n = s->method->ssl_get_message(
s, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B,
SSL3_MT_CERTIFICATE_VERIFY, SSL3_RT_MAX_PLAIN_LENGTH,
- SSL_GET_MESSAGE_DONT_HASH_MESSAGE, &ok);
+ ssl_dont_hash_message, &ok);
if (!ok) {
return n;
@@ -2237,6 +2118,9 @@
/* Filter out unsupported certificate types. */
pkey = X509_get_pubkey(peer);
+ if (pkey == NULL) {
+ goto err;
+ }
if (!(X509_certificate_type(peer, pkey) & EVP_PKT_SIGN) ||
(pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_EC)) {
al = SSL_AD_UNSUPPORTED_CERTIFICATE;
@@ -2264,7 +2148,9 @@
!ssl3_digest_cached_records(s, free_handshake_buffer)) {
goto err;
}
- ssl3_hash_current_message(s);
+ if (!ssl3_hash_current_message(s)) {
+ goto err;
+ }
/* Parse and verify the signature. */
if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
@@ -2311,8 +2197,7 @@
int is_first_certificate = 1;
n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1,
- s->max_cert_list, SSL_GET_MESSAGE_HASH_MESSAGE,
- &ok);
+ (long)s->max_cert_list, ssl_hash_message, &ok);
if (!ok) {
return n;
@@ -2433,11 +2318,7 @@
}
}
- if (s->session->peer != NULL) {
- /* This should not be needed */
- X509_free(s->session->peer);
- }
-
+ X509_free(s->session->peer);
s->session->peer = sk_X509_shift(sk);
s->session->verify_result = s->verify_result;
@@ -2450,9 +2331,7 @@
goto err;
}
}
- if (s->session->sess_cert->cert_chain != NULL) {
- sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
- }
+ sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free);
s->session->sess_cert->cert_chain = sk;
/* Inconsistency alert: cert_chain does *not* include the peer's own
* certificate, while we do include it in s3_clnt.c */
@@ -2467,12 +2346,8 @@
}
err:
- if (x != NULL) {
- X509_free(x);
- }
- if (sk != NULL) {
- sk_X509_pop_free(sk, X509_free);
- }
+ X509_free(x);
+ sk_X509_pop_free(sk, X509_free);
return ret;
}
@@ -2487,7 +2362,9 @@
return 0;
}
- ssl3_output_cert_chain(s, cpk);
+ if (!ssl3_output_cert_chain(s, cpk)) {
+ return 0;
+ }
s->state = SSL3_ST_SW_CERT_B;
}
@@ -2497,14 +2374,19 @@
/* send a new session ticket (not necessarily for a new session) */
int ssl3_send_new_session_ticket(SSL *s) {
+ int ret = -1;
+ uint8_t *session = NULL;
+ size_t session_len;
+ EVP_CIPHER_CTX ctx;
+ HMAC_CTX hctx;
+
+ EVP_CIPHER_CTX_init(&ctx);
+ HMAC_CTX_init(&hctx);
+
if (s->state == SSL3_ST_SW_SESSION_TICKET_A) {
- uint8_t *session;
- size_t session_len;
uint8_t *p, *macstart;
int len;
unsigned int hlen;
- EVP_CIPHER_CTX ctx;
- HMAC_CTX hctx;
SSL_CTX *tctx = s->initial_ctx;
uint8_t iv[EVP_MAX_IV_LENGTH];
uint8_t key_name[16];
@@ -2515,7 +2397,7 @@
/* Serialize the SSL_SESSION to be encoded into the ticket. */
if (!SSL_SESSION_to_bytes_for_ticket(s->session, &session, &session_len)) {
- return -1;
+ goto err;
}
/* If the session is too long, emit a dummy value rather than abort the
@@ -2525,6 +2407,7 @@
const size_t placeholder_len = strlen(kTicketPlaceholder);
OPENSSL_free(session);
+ session = NULL;
p = ssl_handshake_start(s);
/* Emit ticket_lifetime_hint. */
@@ -2535,7 +2418,9 @@
p += placeholder_len;
len = p - ssl_handshake_start(s);
- ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len);
+ if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
+ goto err;
+ }
s->state = SSL3_ST_SW_SESSION_TICKET_B;
return ssl_do_write(s);
}
@@ -2545,20 +2430,15 @@
* max_ticket_overhead + * session_length */
if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + 6 +
max_ticket_overhead + session_len)) {
- OPENSSL_free(session);
- return -1;
+ goto err;
}
p = ssl_handshake_start(s);
- EVP_CIPHER_CTX_init(&ctx);
- HMAC_CTX_init(&hctx);
/* Initialize HMAC and cipher contexts. If callback present it does all the
* work otherwise use generated values from parent ctx. */
if (tctx->tlsext_ticket_key_cb) {
- if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, &hctx, 1) < 0) {
- OPENSSL_free(session);
- EVP_CIPHER_CTX_cleanup(&ctx);
- HMAC_CTX_cleanup(&hctx);
- return -1;
+ if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, &hctx,
+ 1 /* encrypt */) < 0) {
+ goto err;
}
} else {
if (!RAND_bytes(iv, 16) ||
@@ -2566,10 +2446,7 @@
tctx->tlsext_tick_aes_key, iv) ||
!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16, tlsext_tick_md(),
NULL)) {
- OPENSSL_free(session);
- EVP_CIPHER_CTX_cleanup(&ctx);
- HMAC_CTX_cleanup(&hctx);
- return -1;
+ goto err;
}
memcpy(key_name, tctx->tlsext_tick_key_name, 16);
}
@@ -2589,15 +2466,19 @@
memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
p += EVP_CIPHER_CTX_iv_length(&ctx);
/* Encrypt session data */
- EVP_EncryptUpdate(&ctx, p, &len, session, session_len);
+ if (!EVP_EncryptUpdate(&ctx, p, &len, session, session_len)) {
+ goto err;
+ }
p += len;
- EVP_EncryptFinal_ex(&ctx, p, &len);
+ if (!EVP_EncryptFinal_ex(&ctx, p, &len)) {
+ goto err;
+ }
p += len;
- EVP_CIPHER_CTX_cleanup(&ctx);
- HMAC_Update(&hctx, macstart, p - macstart);
- HMAC_Final(&hctx, p, &hlen);
- HMAC_CTX_cleanup(&hctx);
+ if (!HMAC_Update(&hctx, macstart, p - macstart) ||
+ !HMAC_Final(&hctx, p, &hlen)) {
+ goto err;
+ }
p += hlen;
/* Now write out lengths: p points to end of data written */
@@ -2606,13 +2487,20 @@
/* Skip ticket lifetime hint */
p = ssl_handshake_start(s) + 4;
s2n(len - 6, p);
- ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len);
+ if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) {
+ goto err;
+ }
s->state = SSL3_ST_SW_SESSION_TICKET_B;
- OPENSSL_free(session);
}
/* SSL3_ST_SW_SESSION_TICKET_B */
- return ssl_do_write(s);
+ ret = ssl_do_write(s);
+
+err:
+ OPENSSL_free(session);
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ HMAC_CTX_cleanup(&hctx);
+ return ret;
}
/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
@@ -2633,7 +2521,7 @@
n = s->method->ssl_get_message(s, SSL3_ST_SR_NEXT_PROTO_A,
SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
514, /* See the payload format below */
- SSL_GET_MESSAGE_HASH_MESSAGE, &ok);
+ ssl_hash_message, &ok);
if (!ok) {
return n;
@@ -2688,7 +2576,7 @@
n = s->method->ssl_get_message(
s, SSL3_ST_SR_CHANNEL_ID_A, SSL3_ST_SR_CHANNEL_ID_B,
SSL3_MT_ENCRYPTED_EXTENSIONS, 2 + 2 + TLSEXT_CHANNEL_ID_SIZE,
- SSL_GET_MESSAGE_DONT_HASH_MESSAGE, &ok);
+ ssl_dont_hash_message, &ok);
if (!ok) {
return n;
@@ -2707,7 +2595,9 @@
EVP_MD_CTX_cleanup(&md_ctx);
assert(channel_id_hash_len == SHA256_DIGEST_LENGTH);
- ssl3_hash_current_message(s);
+ if (!ssl3_hash_current_message(s)) {
+ return -1;
+ }
/* s->state doesn't reflect whether ChangeCipherSpec has been received in
* this handshake, but s->s3->change_cipher_spec does (will be reset by
@@ -2757,6 +2647,9 @@
BN_init(&y);
sig.r = BN_new();
sig.s = BN_new();
+ if (sig.r == NULL || sig.s == NULL) {
+ goto err;
+ }
p = CBS_data(&extension);
if (BN_bin2bn(p + 0, 32, &x) == NULL ||
@@ -2794,14 +2687,8 @@
BN_free(&y);
BN_free(sig.r);
BN_free(sig.s);
- if (key) {
- EC_KEY_free(key);
- }
- if (point) {
- EC_POINT_free(point);
- }
- if (p256) {
- EC_GROUP_free(p256);
- }
+ EC_KEY_free(key);
+ EC_POINT_free(point);
+ EC_GROUP_free(p256);
return ret;
}
diff --git a/src/ssl/ssl_algs.c b/src/ssl/ssl_algs.c
index 6ec88bf..fda39a5 100644
--- a/src/ssl/ssl_algs.c
+++ b/src/ssl/ssl_algs.c
@@ -54,18 +54,13 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.] */
-#include "ssl_locl.h"
+#include "internal.h"
#include <openssl/crypto.h>
-extern const ERR_STRING_DATA SSL_error_string_data[];
-
int SSL_library_init(void) {
CRYPTO_library_init();
- ERR_load_crypto_strings();
- ERR_load_strings(SSL_error_string_data);
return 1;
}
-void SSL_load_error_strings(void) {
-}
+void SSL_load_error_strings(void) {}
diff --git a/src/ssl/ssl_asn1.c b/src/ssl/ssl_asn1.c
index d39da87..eb0c725 100644
--- a/src/ssl/ssl_asn1.c
+++ b/src/ssl/ssl_asn1.c
@@ -85,9 +85,10 @@
#include <openssl/bytestring.h>
#include <openssl/err.h>
+#include <openssl/mem.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
+#include "internal.h"
/* An SSL_SESSION is serialized as the following ASN.1 structure:
@@ -177,14 +178,14 @@
for_ticket ? 0 : in->session_id_length) ||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child, in->master_key, in->master_key_length)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
if (in->time != 0) {
if (!CBB_add_asn1(&session, &child, kTimeTag) ||
!CBB_add_asn1_uint64(&child, in->time)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -192,7 +193,7 @@
if (in->timeout != 0) {
if (!CBB_add_asn1(&session, &child, kTimeoutTag) ||
!CBB_add_asn1_uint64(&child, in->timeout)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -207,7 +208,7 @@
}
if (!CBB_add_asn1(&session, &child, kPeerTag) ||
!CBB_add_space(&child, &buf, len)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
if (buf != NULL && i2d_X509(in->peer, &buf) < 0) {
@@ -220,14 +221,14 @@
if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, in->sid_ctx, in->sid_ctx_length)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
if (in->verify_result != X509_V_OK) {
if (!CBB_add_asn1(&session, &child, kVerifyResultTag) ||
!CBB_add_asn1_uint64(&child, in->verify_result)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -237,7 +238,7 @@
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, (const uint8_t *)in->tlsext_hostname,
strlen(in->tlsext_hostname))) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -247,7 +248,7 @@
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, (const uint8_t *)in->psk_identity,
strlen(in->psk_identity))) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -255,7 +256,7 @@
if (in->tlsext_tick_lifetime_hint > 0) {
if (!CBB_add_asn1(&session, &child, kTicketLifetimeHintTag) ||
!CBB_add_asn1_uint64(&child, in->tlsext_tick_lifetime_hint)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -264,7 +265,7 @@
if (!CBB_add_asn1(&session, &child, kTicketTag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, in->tlsext_tick, in->tlsext_ticklen)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -273,7 +274,7 @@
if (!CBB_add_asn1(&session, &child, kPeerSHA256Tag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, in->peer_sha256, sizeof(in->peer_sha256))) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -283,7 +284,7 @@
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, in->original_handshake_hash,
in->original_handshake_hash_len)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -293,7 +294,7 @@
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, in->tlsext_signed_cert_timestamp_list,
in->tlsext_signed_cert_timestamp_list_length)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -302,7 +303,7 @@
if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, in->ocsp_response, in->ocsp_response_length)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
@@ -311,13 +312,13 @@
if (!CBB_add_asn1(&session, &child, kExtendedMasterSecretTag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_BOOLEAN) ||
!CBB_add_u8(&child2, 0xff)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
}
if (!CBB_finish(&cbb, out_data, out_len)) {
- OPENSSL_PUT_ERROR(SSL, i2d_SSL_SESSION, ERR_R_MALLOC_FAILURE);
+ OPENSSL_PUT_ERROR(SSL, SSL_SESSION_to_bytes_full, ERR_R_MALLOC_FAILURE);
goto err;
}
return 1;
@@ -381,7 +382,7 @@
OPENSSL_PUT_ERROR(SSL, d2i_SSL_SESSION, ERR_R_MALLOC_FAILURE);
return 0;
}
- } else if (*out) {
+ } else {
OPENSSL_free(*out);
*out = NULL;
}
@@ -409,7 +410,7 @@
}
SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, long length) {
- SSL_SESSION *ret = NULL;
+ SSL_SESSION *ret, *allocated = NULL;
CBS cbs, session, cipher, session_id, master_key;
CBS peer, sid_ctx, peer_sha256, original_handshake_hash;
int has_peer, has_peer_sha256, extended_master_secret;
@@ -419,8 +420,8 @@
if (a && *a) {
ret = *a;
} else {
- ret = SSL_SESSION_new();
- if (ret == NULL) {
+ ret = allocated = SSL_SESSION_new();
+ if (allocated == NULL) {
goto err;
}
}
@@ -525,10 +526,8 @@
ret->time = session_time;
ret->timeout = timeout;
- if (ret->peer != NULL) {
- X509_free(ret->peer);
- ret->peer = NULL;
- }
+ X509_free(ret->peer);
+ ret->peer = NULL;
if (has_peer) {
const uint8_t *ptr;
ptr = CBS_data(&peer);
@@ -584,8 +583,6 @@
return ret;
err:
- if (a && *a != ret) {
- SSL_SESSION_free(ret);
- }
+ SSL_SESSION_free(allocated);
return NULL;
}
diff --git a/src/ssl/ssl_cert.c b/src/ssl/ssl_cert.c
index 624c41a..770912b 100644
--- a/src/ssl/ssl_cert.c
+++ b/src/ssl/ssl_cert.c
@@ -112,7 +112,9 @@
* ECC cipher suite support in OpenSSL originally developed by
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
+#include <errno.h>
#include <stdio.h>
+#include <string.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
@@ -126,7 +128,7 @@
#include "../crypto/dh/internal.h"
#include "../crypto/directory.h"
-#include "ssl_locl.h"
+#include "internal.h"
int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
@@ -178,7 +180,6 @@
OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE);
return NULL;
}
-
memset(ret, 0, sizeof(CERT));
ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
@@ -213,15 +214,8 @@
}
ret->dh_tmp_cb = cert->dh_tmp_cb;
- if (cert->ecdh_tmp) {
- ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp);
- if (ret->ecdh_tmp == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_EC_LIB);
- goto err;
- }
- }
+ ret->ecdh_nid = cert->ecdh_nid;
ret->ecdh_tmp_cb = cert->ecdh_tmp_cb;
- ret->ecdh_tmp_auto = cert->ecdh_tmp_auto;
for (i = 0; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = cert->pkeys + i;
@@ -231,7 +225,7 @@
}
if (cpk->privatekey != NULL) {
- rpk->privatekey = EVP_PKEY_dup(cpk->privatekey);
+ rpk->privatekey = EVP_PKEY_up_ref(cpk->privatekey);
}
if (cpk->chain) {
@@ -243,34 +237,24 @@
}
}
- /* Peer sigalgs set to NULL as we get these from handshake too */
- ret->peer_sigalgs = NULL;
- ret->peer_sigalgslen = 0;
- /* Configured sigalgs however we copy across */
-
+ /* Copy over signature algorithm configuration. */
if (cert->conf_sigalgs) {
- ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen);
+ ret->conf_sigalgs = BUF_memdup(cert->conf_sigalgs, cert->conf_sigalgslen);
if (!ret->conf_sigalgs) {
goto err;
}
- memcpy(ret->conf_sigalgs, cert->conf_sigalgs, cert->conf_sigalgslen);
ret->conf_sigalgslen = cert->conf_sigalgslen;
- } else {
- ret->conf_sigalgs = NULL;
}
if (cert->client_sigalgs) {
- ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen);
+ ret->client_sigalgs = BUF_memdup(cert->client_sigalgs,
+ cert->client_sigalgslen);
if (!ret->client_sigalgs) {
goto err;
}
- memcpy(ret->client_sigalgs, cert->client_sigalgs, cert->client_sigalgslen);
ret->client_sigalgslen = cert->client_sigalgslen;
- } else {
- ret->client_sigalgs = NULL;
}
- /* Shared sigalgs also NULL */
- ret->shared_sigalgs = NULL;
+
/* Copy any custom client certificate types */
if (cert->client_certificate_types) {
ret->client_certificate_types = BUF_memdup(
@@ -281,8 +265,6 @@
ret->num_client_certificate_types = cert->num_client_certificate_types;
}
- ret->cert_flags = cert->cert_flags;
-
ret->cert_cb = cert->cert_cb;
ret->cert_cb_arg = cert->cert_cb_arg;
@@ -296,8 +278,6 @@
ret->chain_store = cert->chain_store;
}
- ret->ciphers_raw = NULL;
-
return ret;
err:
@@ -334,79 +314,32 @@
return;
}
- if (c->dh_tmp) {
- DH_free(c->dh_tmp);
- }
- if (c->ecdh_tmp) {
- EC_KEY_free(c->ecdh_tmp);
- }
+ DH_free(c->dh_tmp);
ssl_cert_clear_certs(c);
- if (c->peer_sigalgs) {
- OPENSSL_free(c->peer_sigalgs);
- }
- if (c->conf_sigalgs) {
- OPENSSL_free(c->conf_sigalgs);
- }
- if (c->client_sigalgs) {
- OPENSSL_free(c->client_sigalgs);
- }
- if (c->shared_sigalgs) {
- OPENSSL_free(c->shared_sigalgs);
- }
- if (c->client_certificate_types) {
- OPENSSL_free(c->client_certificate_types);
- }
- if (c->verify_store) {
- X509_STORE_free(c->verify_store);
- }
- if (c->chain_store) {
- X509_STORE_free(c->chain_store);
- }
- if (c->ciphers_raw) {
- OPENSSL_free(c->ciphers_raw);
- }
+ OPENSSL_free(c->peer_sigalgs);
+ OPENSSL_free(c->conf_sigalgs);
+ OPENSSL_free(c->client_sigalgs);
+ OPENSSL_free(c->shared_sigalgs);
+ OPENSSL_free(c->client_certificate_types);
+ X509_STORE_free(c->verify_store);
+ X509_STORE_free(c->chain_store);
OPENSSL_free(c);
}
-int ssl_cert_inst(CERT **o) {
- /* Create a CERT if there isn't already one (which cannot really happen, as
- * it is initially created in SSL_CTX_new; but the earlier code usually
- * allows for that one being non-existant, so we follow that behaviour, as it
- * might turn out that there actually is a reason for it -- but I'm not sure
- * that *all* of the existing code could cope with s->cert being NULL,
- * otherwise we could do without the initialization in SSL_CTX_new). */
-
- if (o == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl_cert_inst, ERR_R_PASSED_NULL_PARAMETER);
- return 0;
- }
- if (*o == NULL) {
- *o = ssl_cert_new();
- if (*o == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl_cert_new, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- }
-
- return 1;
-}
-
-int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) * chain) {
+int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain) {
CERT_PKEY *cpk = c->key;
if (!cpk) {
return 0;
}
- if (cpk->chain) {
- sk_X509_pop_free(cpk->chain, X509_free);
- }
+ sk_X509_pop_free(cpk->chain, X509_free);
cpk->chain = chain;
return 1;
}
-int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) * chain) {
- STACK_OF(X509) * dchain;
+int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain) {
+ STACK_OF(X509) *dchain;
if (!chain) {
return ssl_cert_set0_chain(c, NULL);
}
@@ -499,22 +432,14 @@
return;
}
- if (sc->cert_chain != NULL) {
- sk_X509_pop_free(sc->cert_chain, X509_free);
- }
+ sk_X509_pop_free(sc->cert_chain, X509_free);
for (i = 0; i < SSL_PKEY_NUM; i++) {
- if (sc->peer_pkeys[i].x509 != NULL) {
- X509_free(sc->peer_pkeys[i].x509);
- }
+ X509_free(sc->peer_pkeys[i].x509);
}
- if (sc->peer_dh_tmp != NULL) {
- DH_free(sc->peer_dh_tmp);
- }
- if (sc->peer_ecdh_tmp != NULL) {
- EC_KEY_free(sc->peer_ecdh_tmp);
- }
+ DH_free(sc->peer_dh_tmp);
+ EC_KEY_free(sc->peer_ecdh_tmp);
OPENSSL_free(sc);
}
@@ -524,7 +449,7 @@
return 1;
}
-int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) * sk) {
+int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) {
X509 *x;
int i;
X509_STORE *verify_store;
@@ -571,18 +496,15 @@
return i;
}
-static void set_client_CA_list(STACK_OF(X509_NAME) * *ca_list,
- STACK_OF(X509_NAME) * name_list) {
- if (*ca_list != NULL) {
- sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
- }
-
+static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,
+ STACK_OF(X509_NAME) *name_list) {
+ sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
*ca_list = name_list;
}
-STACK_OF(X509_NAME) * SSL_dup_CA_list(STACK_OF(X509_NAME) * sk) {
+STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) {
size_t i;
- STACK_OF(X509_NAME) * ret;
+ STACK_OF(X509_NAME) *ret;
X509_NAME *name;
ret = sk_X509_NAME_new_null();
@@ -597,19 +519,19 @@
return ret;
}
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) * name_list) {
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) {
set_client_CA_list(&(s->client_CA), name_list);
}
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) * name_list) {
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {
set_client_CA_list(&(ctx->client_CA), name_list);
}
-STACK_OF(X509_NAME) * SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
return ctx->client_CA;
}
-STACK_OF(X509_NAME) * SSL_get_client_CA_list(const SSL *s) {
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s) {
if (s->server) {
if (s->client_CA != NULL) {
return s->client_CA;
@@ -625,7 +547,7 @@
}
}
-static int add_client_CA(STACK_OF(X509_NAME) * *sk, X509 *x) {
+static int add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x) {
X509_NAME *name;
if (x == NULL) {
@@ -670,7 +592,7 @@
*
* \param file the file containing one or more certs.
* \return a ::STACK containing the certs. */
-STACK_OF(X509_NAME) * SSL_load_client_CA_file(const char *file) {
+STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
BIO *in;
X509 *x = NULL;
X509_NAME *xn = NULL;
@@ -719,21 +641,13 @@
if (0) {
err:
- if (ret != NULL) {
- sk_X509_NAME_pop_free(ret, X509_NAME_free);
- }
+ sk_X509_NAME_pop_free(ret, X509_NAME_free);
ret = NULL;
}
- if (sk != NULL) {
- sk_X509_NAME_free(sk);
- }
- if (in != NULL) {
- BIO_free(in);
- }
- if (x != NULL) {
- X509_free(x);
- }
+ sk_X509_NAME_free(sk);
+ BIO_free(in);
+ X509_free(x);
if (ret != NULL) {
ERR_clear_error();
}
@@ -747,7 +661,7 @@
* already in the stack will be added.
* \return 1 for success, 0 for failure. Note that in the case of failure some
* certs may have been added to \c stack. */
-int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) * stack,
+int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *file) {
BIO *in;
X509 *x = NULL;
@@ -794,12 +708,8 @@
ret = 0;
}
- if (in != NULL) {
- BIO_free(in);
- }
- if (x != NULL) {
- X509_free(x);
- }
+ BIO_free(in);
+ X509_free(x);
(void) sk_X509_NAME_set_cmp_func(stack, oldcmp);
@@ -815,7 +725,7 @@
* be included.
* \return 1 for success, 0 for failure. Note that in the case of failure some
* certs may have been added to \c stack. */
-int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) * stack,
+int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *dir) {
OPENSSL_DIR_CTX *d = NULL;
const char *filename;
@@ -842,7 +752,7 @@
}
if (errno) {
- OPENSSL_PUT_ERROR(SSL, SSL_add_file_cert_subjects_to_stack, ERR_R_SYS_LIB);
+ OPENSSL_PUT_ERROR(SSL, SSL_add_dir_cert_subjects_to_stack, ERR_R_SYS_LIB);
ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
goto err;
}
@@ -881,12 +791,13 @@
int no_chain = 0;
size_t i;
- X509 *x = NULL;
- STACK_OF(X509) * extra_certs;
+ X509 *x = cpk->x509;
+ STACK_OF(X509) *extra_certs;
X509_STORE *chain_store;
- if (cpk) {
- x = cpk->x509;
+ if (x == NULL) {
+ OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, SSL_R_NO_CERTIFICATE_SET);
+ return 0;
}
if (s->cert->chain_store) {
@@ -906,44 +817,36 @@
no_chain = 1;
}
- /* TLSv1 sends a chain with nothing in it, instead of an alert. */
- if (!BUF_MEM_grow_clean(buf, 10)) {
- OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_BUF_LIB);
- return 0;
- }
-
- if (x != NULL) {
- if (no_chain) {
- if (!ssl_add_cert_to_buf(buf, l, x)) {
- return 0;
- }
- } else {
- X509_STORE_CTX xs_ctx;
-
- if (!X509_STORE_CTX_init(&xs_ctx, chain_store, x, NULL)) {
- OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_X509_LIB);
- return 0;
- }
- X509_verify_cert(&xs_ctx);
- /* Don't leave errors in the queue */
- ERR_clear_error();
- for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
- x = sk_X509_value(xs_ctx.chain, i);
-
- if (!ssl_add_cert_to_buf(buf, l, x)) {
- X509_STORE_CTX_cleanup(&xs_ctx);
- return 0;
- }
- }
- X509_STORE_CTX_cleanup(&xs_ctx);
- }
- }
-
- for (i = 0; i < sk_X509_num(extra_certs); i++) {
- x = sk_X509_value(extra_certs, i);
+ if (no_chain) {
if (!ssl_add_cert_to_buf(buf, l, x)) {
return 0;
}
+
+ for (i = 0; i < sk_X509_num(extra_certs); i++) {
+ x = sk_X509_value(extra_certs, i);
+ if (!ssl_add_cert_to_buf(buf, l, x)) {
+ return 0;
+ }
+ }
+ } else {
+ X509_STORE_CTX xs_ctx;
+
+ if (!X509_STORE_CTX_init(&xs_ctx, chain_store, x, NULL)) {
+ OPENSSL_PUT_ERROR(SSL, ssl_add_cert_chain, ERR_R_X509_LIB);
+ return 0;
+ }
+ X509_verify_cert(&xs_ctx);
+ /* Don't leave errors in the queue */
+ ERR_clear_error();
+ for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) {
+ x = sk_X509_value(xs_ctx.chain, i);
+
+ if (!ssl_add_cert_to_buf(buf, l, x)) {
+ X509_STORE_CTX_cleanup(&xs_ctx);
+ return 0;
+ }
+ }
+ X509_STORE_CTX_cleanup(&xs_ctx);
}
return 1;
@@ -956,7 +859,7 @@
STACK_OF(X509) *chain = NULL, *untrusted = NULL;
X509 *x;
int i, rv = 0;
- unsigned long error;
+ uint32_t error;
if (!cpk->x509) {
OPENSSL_PUT_ERROR(SSL, ssl_build_cert_chain, SSL_R_NO_CERTIFICATE_SET);
@@ -1050,8 +953,9 @@
}
cpk->chain = chain;
- if (rv == 0)
+ if (rv == 0) {
rv = 1;
+ }
err:
if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) {
@@ -1069,9 +973,7 @@
pstore = &c->verify_store;
}
- if (*pstore) {
- X509_STORE_free(*pstore);
- }
+ X509_STORE_free(*pstore);
*pstore = store;
if (ref && store) {
diff --git a/src/ssl/ssl_ciph.c b/src/ssl/ssl_cipher.c
similarity index 64%
rename from src/ssl/ssl_ciph.c
rename to src/ssl/ssl_cipher.c
index 60b9747..2cafeb9 100644
--- a/src/ssl/ssl_ciph.c
+++ b/src/ssl/ssl_cipher.c
@@ -138,20 +138,22 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE. */
-#include <stdio.h>
#include <assert.h>
+#include <stdio.h>
+#include <string.h>
-#include <openssl/engine.h>
+#include <openssl/buf.h>
+#include <openssl/err.h>
#include <openssl/md5.h>
#include <openssl/mem.h>
-#include <openssl/obj.h>
#include <openssl/sha.h>
+#include <openssl/stack.h>
-#include "ssl_locl.h"
+#include "internal.h"
struct handshake_digest {
- long mask;
+ uint32_t mask;
const EVP_MD *(*md_func)(void);
};
@@ -171,78 +173,92 @@
typedef struct cipher_order_st {
const SSL_CIPHER *cipher;
int active;
- int dead;
int in_group;
struct cipher_order_st *next, *prev;
} CIPHER_ORDER;
-static const SSL_CIPHER cipher_aliases[] =
- {
- {0, SSL_TXT_ALL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
+typedef struct cipher_alias_st {
+ /* name is the name of the cipher alias. */
+ const char *name;
- /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
- ALL!) */
- {0, SSL_TXT_CMPDEF, 0, SSL_kEDH | SSL_kEECDH, SSL_aNULL, 0, 0, 0, 0, 0, 0,
- 0},
+ /* The following fields are bitmasks for the corresponding fields on
+ * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
+ * bit corresponding to the cipher's value is set to 1. If any bitmask is
+ * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
+ uint32_t algorithm_mkey;
+ uint32_t algorithm_auth;
+ uint32_t algorithm_enc;
+ uint32_t algorithm_mac;
+ uint32_t algorithm_ssl;
+ uint32_t algo_strength;
+} CIPHER_ALIAS;
+
+static const CIPHER_ALIAS kCipherAliases[] =
+ {
+ {SSL_TXT_ALL, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u},
+
+ /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
/* key exchange aliases
* (some of those using only a single bit here combine
* multiple key exchange algs according to the RFCs,
* e.g. kEDH combines DHE_DSS and DHE_RSA) */
- {0, SSL_TXT_kRSA, 0, SSL_kRSA, 0, 0, 0, 0, 0, 0, 0, 0},
+ {SSL_TXT_kRSA, SSL_kRSA, ~0u, ~0u, ~0u, ~0u, ~0u},
- {0, SSL_TXT_kEDH, 0, SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_DH, 0, SSL_kEDH, 0, 0, 0, 0, 0, 0, 0, 0},
+ {SSL_TXT_kDHE, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_kEDH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_DH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
- {0, SSL_TXT_kEECDH, 0, SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_ECDH, 0, SSL_kEECDH, 0, 0, 0, 0, 0, 0, 0, 0},
+ {SSL_TXT_kECDHE, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_kEECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_ECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
- {0, SSL_TXT_kPSK, 0, SSL_kPSK, 0, 0, 0, 0, 0, 0, 0, 0},
+ {SSL_TXT_kPSK, SSL_kPSK, ~0u, ~0u, ~0u, ~0u, ~0u},
/* server authentication aliases */
- {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_ECDSA, 0, 0, SSL_aECDSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_aPSK, 0, 0, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
+ {SSL_TXT_aRSA, ~0u, SSL_aRSA, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_aECDSA, ~0u, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_ECDSA, ~0u, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_aPSK, ~0u, SSL_aPSK, ~0u, ~0u, ~0u, ~0u},
/* aliases combining key exchange and server authentication */
- {0, SSL_TXT_EDH, 0, SSL_kEDH, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_EECDH, 0, SSL_kEECDH, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_ADH, 0, SSL_kEDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_AECDH, 0, SSL_kEECDH, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_PSK, 0, SSL_kPSK, SSL_aPSK, 0, 0, 0, 0, 0, 0, 0},
+ {SSL_TXT_DHE, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_EDH, SSL_kDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_ECDHE, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_EECDH, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_RSA, SSL_kRSA, SSL_aRSA, ~0u, ~0u, ~0u, ~0u},
+ {SSL_TXT_PSK, SSL_kPSK, SSL_aPSK, ~0u, ~0u, ~0u, ~0u},
/* symmetric encryption aliases */
- {0, SSL_TXT_3DES, 0, 0, 0, SSL_3DES, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_RC4, 0, 0, 0, SSL_RC4, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_AES128, 0, 0, 0, SSL_AES128 | SSL_AES128GCM, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_AES256, 0, 0, 0, SSL_AES256 | SSL_AES256GCM, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_AES, 0, 0, 0, SSL_AES, 0, 0, 0, 0, 0, 0},
- {0, SSL_TXT_AES_GCM, 0, 0, 0, SSL_AES128GCM | SSL_AES256GCM, 0, 0, 0, 0, 0,
- 0},
- {0, SSL_TXT_CHACHA20, 0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, 0, 0, 0},
+ {SSL_TXT_3DES, ~0u, ~0u, SSL_3DES, ~0u, ~0u, ~0u},
+ {SSL_TXT_RC4, ~0u, ~0u, SSL_RC4, ~0u, ~0u, ~0u},
+ {SSL_TXT_AES128, ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, ~0u, ~0u},
+ {SSL_TXT_AES256, ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, ~0u, ~0u},
+ {SSL_TXT_AES, ~0u, ~0u, SSL_AES, ~0u, ~0u, ~0u},
+ {SSL_TXT_AES_GCM, ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, ~0u, ~0u},
+ {SSL_TXT_CHACHA20, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u},
/* MAC aliases */
- {0, SSL_TXT_MD5, 0, 0, 0, 0, SSL_MD5, 0, 0, 0, 0, 0},
- {0, SSL_TXT_SHA1, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0},
- {0, SSL_TXT_SHA, 0, 0, 0, 0, SSL_SHA1, 0, 0, 0, 0, 0},
- {0, SSL_TXT_SHA256, 0, 0, 0, 0, SSL_SHA256, 0, 0, 0, 0, 0},
- {0, SSL_TXT_SHA384, 0, 0, 0, 0, SSL_SHA384, 0, 0, 0, 0, 0},
+ {SSL_TXT_MD5, ~0u, ~0u, ~0u, SSL_MD5, ~0u, ~0u},
+ {SSL_TXT_SHA1, ~0u, ~0u, ~0u, SSL_SHA1, ~0u, ~0u},
+ {SSL_TXT_SHA, ~0u, ~0u, ~0u, SSL_SHA1, ~0u, ~0u},
+ {SSL_TXT_SHA256, ~0u, ~0u, ~0u, SSL_SHA256, ~0u, ~0u},
+ {SSL_TXT_SHA384, ~0u, ~0u, ~0u, SSL_SHA384, ~0u, ~0u},
/* protocol version aliases */
- {0, SSL_TXT_SSLV3, 0, 0, 0, 0, 0, SSL_SSLV3, 0, 0, 0, 0},
- {0, SSL_TXT_TLSV1, 0, 0, 0, 0, 0, SSL_TLSV1, 0, 0, 0, 0},
- {0, SSL_TXT_TLSV1_2, 0, 0, 0, 0, 0, SSL_TLSV1_2, 0, 0, 0, 0},
+ {SSL_TXT_SSLV3, ~0u, ~0u, ~0u, ~0u, SSL_SSLV3, ~0u},
+ {SSL_TXT_TLSV1, ~0u, ~0u, ~0u, ~0u, SSL_TLSV1, ~0u},
+ {SSL_TXT_TLSV1_2, ~0u, ~0u, ~0u, ~0u, SSL_TLSV1_2, ~0u},
/* strength classes */
- {0, SSL_TXT_MEDIUM, 0, 0, 0, 0, 0, 0, SSL_MEDIUM, 0, 0, 0},
- {0, SSL_TXT_HIGH, 0, 0, 0, 0, 0, 0, SSL_HIGH, 0, 0, 0},
+ {SSL_TXT_MEDIUM, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_MEDIUM},
+ {SSL_TXT_HIGH, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_HIGH},
/* FIPS 140-2 approved ciphersuite */
- {0, SSL_TXT_FIPS, 0, 0, 0, 0, 0, 0, SSL_FIPS, 0, 0, 0},
+ {SSL_TXT_FIPS, ~0u, ~0u, ~0u, ~0u, ~0u, SSL_FIPS},
};
+#define NUM_CIPHER_ALIASES (sizeof(kCipherAliases) / sizeof(kCipherAliases[0]))
+
int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
size_t *out_mac_secret_len,
size_t *out_fixed_iv_len,
@@ -360,18 +376,26 @@
}
}
-int ssl_get_handshake_digest(size_t idx, long *mask, const EVP_MD **md) {
+int ssl_get_handshake_digest(uint32_t *out_mask, const EVP_MD **out_md,
+ size_t idx) {
if (idx >= SSL_MAX_DIGEST) {
return 0;
}
- *mask = ssl_handshake_digests[idx].mask;
- *md = ssl_handshake_digests[idx].md_func();
+ *out_mask = ssl_handshake_digests[idx].mask;
+ *out_md = ssl_handshake_digests[idx].md_func();
return 1;
}
#define ITEM_SEP(a) \
(((a) == ':') || ((a) == ' ') || ((a) == ';') || ((a) == ','))
+/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
+ * |buf_len| bytes at |buf|. */
+static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
+ /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
+ return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
+}
+
static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,
CIPHER_ORDER **tail) {
if (curr == *tail) {
@@ -413,12 +437,11 @@
}
static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
- int num_of_ciphers,
+ size_t num_of_ciphers,
CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p) {
- int i, co_list_num;
- const SSL_CIPHER *c;
+ size_t i, co_list_num;
/* We have num_of_ciphers descriptions compiled in, depending on the method
* selected (SSLv2 and/or SSLv3, TLSv1 etc). These will later be sorted in a
@@ -427,9 +450,8 @@
/* Get the initial list of ciphers */
co_list_num = 0; /* actual count of ciphers */
for (i = 0; i < num_of_ciphers; i++) {
- c = ssl_method->get_cipher(i);
- /* drop those that use any of that is not available */
- if (c != NULL && c->valid) {
+ const SSL_CIPHER *c = ssl_method->get_cipher(i);
+ if (c != NULL) {
co_list[co_list_num].cipher = c;
co_list[co_list_num].next = NULL;
co_list[co_list_num].prev = NULL;
@@ -461,43 +483,31 @@
}
}
-static void ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list,
- int num_of_group_aliases,
- CIPHER_ORDER *head) {
- CIPHER_ORDER *ciph_curr;
- const SSL_CIPHER **ca_curr;
- int i;
-
- /* First, add the real ciphers as already collected. */
- ciph_curr = head;
- ca_curr = ca_list;
- while (ciph_curr != NULL) {
- *ca_curr = ciph_curr->cipher;
- ca_curr++;
- ciph_curr = ciph_curr->next;
- }
-
- /* Now we add the available ones from the cipher_aliases[] table. They
- * represent either one or more algorithms, some of which in any affected
- * category must be supported (set in enabled_mask), or represent a cipher
- * strength value (will be added in any case because algorithms=0). */
- for (i = 0; i < num_of_group_aliases; i++) {
- *ca_curr = cipher_aliases + i;
- ca_curr++;
- }
-
- *ca_curr = NULL; /* end of list */
-}
-
+/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
+ * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
+ * head and tail of the list to |*head_p| and |*tail_p|, respectively.
+ *
+ * - If |cipher_id| is non-zero, only that cipher is selected.
+ * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
+ * of that strength.
+ * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
+ * |algo_strength|. */
static void ssl_cipher_apply_rule(
- unsigned long cipher_id, unsigned long alg_mkey, unsigned long alg_auth,
- unsigned long alg_enc, unsigned long alg_mac, unsigned long alg_ssl,
- unsigned long algo_strength, int rule, int strength_bits, int in_group,
+ uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
+ uint32_t alg_enc, uint32_t alg_mac, uint32_t alg_ssl,
+ uint32_t algo_strength, int rule, int strength_bits, int in_group,
CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) {
CIPHER_ORDER *head, *tail, *curr, *next, *last;
const SSL_CIPHER *cp;
int reverse = 0;
+ if (cipher_id == 0 && strength_bits == -1 &&
+ (alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0 ||
+ alg_ssl == 0 || algo_strength == 0)) {
+ /* The rule matches nothing, so bail early. */
+ return;
+ }
+
if (rule == CIPHER_DEL) {
/* needed to maintain sorting between currently deleted ciphers */
reverse = 1;
@@ -528,21 +538,23 @@
next = reverse ? curr->prev : curr->next;
cp = curr->cipher;
- /* Selection criteria is either the value of strength_bits
- * or the algorithms used. */
- if (strength_bits >= 0) {
+ /* Selection criteria is either a specific cipher, the value of
+ * |strength_bits|, or the algorithms used. */
+ if (cipher_id != 0) {
+ if (cipher_id != cp->id) {
+ continue;
+ }
+ } else if (strength_bits >= 0) {
if (strength_bits != cp->strength_bits) {
continue;
}
- } else {
- if ((alg_mkey && !(alg_mkey & cp->algorithm_mkey)) ||
- (alg_auth && !(alg_auth & cp->algorithm_auth)) ||
- (alg_enc && !(alg_enc & cp->algorithm_enc)) ||
- (alg_mac && !(alg_mac & cp->algorithm_mac)) ||
- (alg_ssl && !(alg_ssl & cp->algorithm_ssl)) ||
- (algo_strength && !(algo_strength & cp->algo_strength))) {
- continue;
- }
+ } else if (!(alg_mkey & cp->algorithm_mkey) ||
+ !(alg_auth & cp->algorithm_auth) ||
+ !(alg_enc & cp->algorithm_enc) ||
+ !(alg_mac & cp->algorithm_mac) ||
+ !(alg_ssl & cp->algorithm_ssl) ||
+ !(algo_strength & cp->algo_strength)) {
+ continue;
}
/* add the cipher if it has not been added yet. */
@@ -644,14 +656,15 @@
return 1;
}
-static int ssl_cipher_process_rulestr(const char *rule_str,
+static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
+ const char *rule_str,
CIPHER_ORDER **head_p,
- CIPHER_ORDER **tail_p,
- const SSL_CIPHER **ca_list) {
- unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
+ CIPHER_ORDER **tail_p) {
+ uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
const char *l, *buf;
- int j, multi, found, rule, retval, ok, buflen, in_group = 0, has_group = 0;
- unsigned long cipher_id = 0;
+ int multi, rule, retval, ok, in_group = 0, has_group = 0;
+ size_t j, buf_len;
+ uint32_t cipher_id;
char ch;
retval = 1;
@@ -665,12 +678,6 @@
if (in_group) {
if (ch == ']') {
- if (!in_group) {
- OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
- SSL_R_UNEXPECTED_GROUP_CLOSE);
- retval = found = in_group = 0;
- break;
- }
if (*tail_p) {
(*tail_p)->in_group = 0;
}
@@ -687,7 +694,7 @@
!(ch >= '0' && ch <= '9')) {
OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);
- retval = found = in_group = 0;
+ retval = in_group = 0;
break;
} else {
rule = CIPHER_ADD;
@@ -707,7 +714,7 @@
} else if (ch == '[') {
if (in_group) {
OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr, SSL_R_NESTED_GROUP);
- retval = found = in_group = 0;
+ retval = in_group = 0;
break;
}
in_group = 1;
@@ -723,7 +730,7 @@
if (has_group && rule != CIPHER_ADD) {
OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
- retval = found = in_group = 0;
+ retval = in_group = 0;
break;
}
@@ -732,159 +739,82 @@
continue;
}
- alg_mkey = 0;
- alg_auth = 0;
- alg_enc = 0;
- alg_mac = 0;
- alg_ssl = 0;
- algo_strength = 0;
+ multi = 0;
+ cipher_id = 0;
+ alg_mkey = ~0u;
+ alg_auth = ~0u;
+ alg_enc = ~0u;
+ alg_mac = ~0u;
+ alg_ssl = ~0u;
+ algo_strength = ~0u;
for (;;) {
ch = *l;
buf = l;
- buflen = 0;
+ buf_len = 0;
while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) ||
((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.')) {
ch = *(++l);
- buflen++;
+ buf_len++;
}
- if (buflen == 0) {
+ if (buf_len == 0) {
/* We hit something we cannot deal with, it is no command or separator
* nor alphanumeric, so we call this an error. */
OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
SSL_R_INVALID_COMMAND);
- retval = found = in_group = 0;
+ retval = in_group = 0;
l++;
break;
}
if (rule == CIPHER_SPECIAL) {
- found = 0; /* unused -- avoid compiler warning */
- break; /* special treatment */
- }
-
- /* check for multi-part specification */
- if (ch == '+') {
- multi = 1;
- l++;
- } else {
- multi = 0;
- }
-
- /* Now search for the cipher alias in the ca_list. Be careful with the
- * strncmp, because the "buflen" limitation will make the rule "ADH:SOME"
- * and the cipher "ADH-MY-CIPHER" look like a match for buflen=3. So
- * additionally check whether the cipher name found has the correct
- * length. We can save a strlen() call: just checking for the '\0' at the
- * right place is sufficient, we have to strncmp() anyway. (We cannot use
- * strcmp(), because buf is not '\0' terminated.) */
- j = found = 0;
- cipher_id = 0;
- while (ca_list[j]) {
- if (!strncmp(buf, ca_list[j]->name, buflen) &&
- (ca_list[j]->name[buflen] == '\0')) {
- found = 1;
- break;
- } else {
- j++;
- }
- }
-
- if (!found) {
- break; /* ignore this entry */
- }
-
- if (ca_list[j]->algorithm_mkey) {
- if (alg_mkey) {
- alg_mkey &= ca_list[j]->algorithm_mkey;
- if (!alg_mkey) {
- found = 0;
- break;
- }
- } else {
- alg_mkey = ca_list[j]->algorithm_mkey;
- }
- }
-
- if (ca_list[j]->algorithm_auth) {
- if (alg_auth) {
- alg_auth &= ca_list[j]->algorithm_auth;
- if (!alg_auth) {
- found = 0;
- break;
- }
- } else {
- alg_auth = ca_list[j]->algorithm_auth;
- }
- }
-
- if (ca_list[j]->algorithm_enc) {
- if (alg_enc) {
- alg_enc &= ca_list[j]->algorithm_enc;
- if (!alg_enc) {
- found = 0;
- break;
- }
- } else {
- alg_enc = ca_list[j]->algorithm_enc;
- }
- }
-
- if (ca_list[j]->algorithm_mac) {
- if (alg_mac) {
- alg_mac &= ca_list[j]->algorithm_mac;
- if (!alg_mac) {
- found = 0;
- break;
- }
- } else {
- alg_mac = ca_list[j]->algorithm_mac;
- }
- }
-
- if (ca_list[j]->algo_strength) {
- if (algo_strength) {
- algo_strength &= ca_list[j]->algo_strength;
- if (!algo_strength) {
- found = 0;
- break;
- }
- } else {
- algo_strength |= ca_list[j]->algo_strength;
- }
- }
-
- if (ca_list[j]->valid) {
- /* explicit ciphersuite found; its protocol version does not become
- * part of the search pattern! */
- cipher_id = ca_list[j]->id;
- } else {
- /* not an explicit ciphersuite; only in this case, the protocol version
- * is considered part of the search pattern. */
- if (ca_list[j]->algorithm_ssl) {
- if (alg_ssl) {
- alg_ssl &= ca_list[j]->algorithm_ssl;
- if (!alg_ssl) {
- found = 0;
- break;
- }
- } else {
- alg_ssl = ca_list[j]->algorithm_ssl;
- }
- }
- }
-
- if (!multi) {
break;
}
+
+ /* Look for a matching exact cipher. These aren't allowed in multipart
+ * rules. */
+ if (!multi && ch != '+') {
+ size_t num_ciphers = ssl_method->num_ciphers();
+ for (j = 0; j < num_ciphers; j++) {
+ const SSL_CIPHER *cipher = ssl_method->get_cipher(j);
+ if (cipher != NULL && rule_equals(cipher->name, buf, buf_len)) {
+ cipher_id = cipher->id;
+ break;
+ }
+ }
+ }
+ if (cipher_id == 0) {
+ /* If not an exact cipher, look for a matching cipher alias. */
+ for (j = 0; j < NUM_CIPHER_ALIASES; j++) {
+ if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
+ alg_mkey &= kCipherAliases[j].algorithm_mkey;
+ alg_auth &= kCipherAliases[j].algorithm_auth;
+ alg_enc &= kCipherAliases[j].algorithm_enc;
+ alg_mac &= kCipherAliases[j].algorithm_mac;
+ alg_ssl &= kCipherAliases[j].algorithm_ssl;
+ algo_strength &= kCipherAliases[j].algo_strength;
+ break;
+ }
+ }
+ if (j == NUM_CIPHER_ALIASES) {
+ alg_mkey = alg_auth = alg_enc = alg_mac = alg_ssl = algo_strength = 0;
+ }
+ }
+
+ /* Check for a multipart rule. */
+ if (ch != '+') {
+ break;
+ }
+ l++;
+ multi = 1;
}
/* Ok, we have the rule, now apply it. */
if (rule == CIPHER_SPECIAL) {
/* special command */
ok = 0;
- if (buflen == 8 && !strncmp(buf, "STRENGTH", 8)) {
+ if (buf_len == 8 && !strncmp(buf, "STRENGTH", 8)) {
ok = ssl_cipher_strength_sort(head_p, tail_p);
} else {
OPENSSL_PUT_ERROR(SSL, ssl_cipher_process_rulestr,
@@ -900,14 +830,10 @@
while (*l != '\0' && !ITEM_SEP(*l)) {
l++;
}
- } else if (found) {
+ } else {
ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac,
alg_ssl, algo_strength, rule, -1, in_group, head_p,
tail_p);
- } else {
- while (*l != '\0' && !ITEM_SEP(*l)) {
- l++;
- }
}
}
@@ -921,20 +847,20 @@
STACK_OF(SSL_CIPHER) *
ssl_create_cipher_list(const SSL_PROTOCOL_METHOD *ssl_method,
- struct ssl_cipher_preference_list_st **cipher_list,
- STACK_OF(SSL_CIPHER) * *cipher_list_by_id,
- const char *rule_str, CERT *c) {
- int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
+ struct ssl_cipher_preference_list_st **out_cipher_list,
+ STACK_OF(SSL_CIPHER) **out_cipher_list_by_id,
+ const char *rule_str) {
+ int ok;
+ size_t num_of_ciphers;
STACK_OF(SSL_CIPHER) *cipherstack = NULL, *tmp_cipher_list = NULL;
const char *rule_p;
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
- const SSL_CIPHER **ca_list = NULL;
uint8_t *in_group_flags = NULL;
unsigned int num_in_group_flags = 0;
struct ssl_cipher_preference_list_st *pref_list = NULL;
/* Return with error if nothing to do. */
- if (rule_str == NULL || cipher_list == NULL) {
+ if (rule_str == NULL || out_cipher_list == NULL) {
return NULL;
}
@@ -956,84 +882,64 @@
/* Everything else being equal, prefer ECDHE_ECDSA then ECDHE_RSA over other
* key exchange mechanisms */
- ssl_cipher_apply_rule(0, SSL_kEECDH, SSL_aECDSA, 0, 0, 0, 0, CIPHER_ADD, -1,
+ ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, ~0u, ~0u,
+ CIPHER_ADD, -1, 0, &head, &tail);
+ ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_ADD, -1,
0, &head, &tail);
- ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head,
- &tail);
- ssl_cipher_apply_rule(0, SSL_kEECDH, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head,
- &tail);
+ ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_DEL, -1,
+ 0, &head, &tail);
/* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
* CHACHA20 unless there is hardware support for fast and constant-time
* AES_GCM. */
if (EVP_has_aes_hardware()) {
- ssl_cipher_apply_rule(0, 0, 0, SSL_AES256GCM, 0, 0, 0, CIPHER_ADD, -1, 0,
- &head, &tail);
- ssl_cipher_apply_rule(0, 0, 0, SSL_AES128GCM, 0, 0, 0, CIPHER_ADD, -1, 0,
- &head, &tail);
- ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD,
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
-1, 0, &head, &tail);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
+ -1, 0, &head, &tail);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u,
+ CIPHER_ADD, -1, 0, &head, &tail);
} else {
- ssl_cipher_apply_rule(0, 0, 0, SSL_CHACHA20POLY1305, 0, 0, 0, CIPHER_ADD,
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, ~0u, ~0u,
+ CIPHER_ADD, -1, 0, &head, &tail);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
-1, 0, &head, &tail);
- ssl_cipher_apply_rule(0, 0, 0, SSL_AES256GCM, 0, 0, 0, CIPHER_ADD, -1, 0,
- &head, &tail);
- ssl_cipher_apply_rule(0, 0, 0, SSL_AES128GCM, 0, 0, 0, CIPHER_ADD, -1, 0,
- &head, &tail);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, ~0u, ~0u, CIPHER_ADD,
+ -1, 0, &head, &tail);
}
/* Then the legacy non-AEAD ciphers: AES_256_CBC, AES-128_CBC, RC4_128_SHA,
* RC4_128_MD5, 3DES_EDE_CBC_SHA. */
- ssl_cipher_apply_rule(0, 0, 0, SSL_AES256, 0, 0, 0, CIPHER_ADD, -1, 0, &head,
- &tail);
- ssl_cipher_apply_rule(0, 0, 0, SSL_AES128, 0, 0, 0, CIPHER_ADD, -1, 0, &head,
- &tail);
- ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, ~SSL_MD5, 0, 0, CIPHER_ADD, -1, 0,
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, ~0u, ~0u, CIPHER_ADD, -1,
+ 0, &head, &tail);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, ~0u, ~0u, CIPHER_ADD, -1,
+ 0, &head, &tail);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, ~SSL_MD5, ~0u, ~0u, CIPHER_ADD,
+ -1, 0, &head, &tail);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_RC4, SSL_MD5, ~0u, ~0u, CIPHER_ADD, -1,
+ 0, &head, &tail);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 0,
&head, &tail);
- ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, SSL_MD5, 0, 0, CIPHER_ADD, -1, 0,
- &head, &tail);
- ssl_cipher_apply_rule(0, 0, 0, SSL_3DES, 0, 0, 0, CIPHER_ADD, -1, 0, &head,
- &tail);
/* Temporarily enable everything else for sorting */
- ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_ADD, -1, 0, &head, &tail);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_ADD, -1, 0,
+ &head, &tail);
/* Move ciphers without forward secrecy to the end. */
- ssl_cipher_apply_rule(0, ~(SSL_kEDH | SSL_kEECDH), 0, 0, 0, 0, 0, CIPHER_ORD,
- -1, 0, &head, &tail);
-
- /* Move anonymous ciphers to the end. Usually, these will remain disabled.
- * (For applications that allow them, they aren't too bad, but we prefer
- * authenticated ciphers.)
- * TODO(davidben): Remove them altogether? */
- ssl_cipher_apply_rule(0, 0, SSL_aNULL, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head,
- &tail);
+ ssl_cipher_apply_rule(0, ~(SSL_kDHE | SSL_kECDHE), ~0u, ~0u, ~0u, ~0u, ~0u,
+ CIPHER_ORD, -1, 0, &head, &tail);
/* Now disable everything (maintaining the ordering!) */
- ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, 0, &head, &tail);
-
- /* We also need cipher aliases for selecting based on the rule_str. There
- * might be two types of entries in the rule_str: 1) names of ciphers
- * themselves 2) aliases for groups of ciphers. For 1) we need the available
- * ciphers and for 2) the cipher groups of cipher_aliases added together in
- * one list (otherwise we would be happy with just the cipher_aliases
- * table). */
- num_of_group_aliases = sizeof(cipher_aliases) / sizeof(SSL_CIPHER);
- num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
- ca_list = OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
- if (ca_list == NULL) {
- OPENSSL_PUT_ERROR(SSL, ssl_create_cipher_list, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, head);
+ ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, ~0u, ~0u, CIPHER_DEL, -1, 0,
+ &head, &tail);
/* If the rule_string begins with DEFAULT, apply the default rule before
* using the (possibly available) additional rules. */
ok = 1;
rule_p = rule_str;
if (strncmp(rule_str, "DEFAULT", 7) == 0) {
- ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,
- ca_list);
+ ok = ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
+ &tail);
rule_p += 7;
if (*rule_p == ':') {
rule_p++;
@@ -1041,11 +947,9 @@
}
if (ok && strlen(rule_p) > 0) {
- ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list);
+ ok = ssl_cipher_process_rulestr(ssl_method, rule_p, &head, &tail);
}
- OPENSSL_free((void *)ca_list); /* Not needed anymore */
-
if (!ok) {
goto err;
}
@@ -1091,21 +995,20 @@
memcpy(pref_list->in_group_flags, in_group_flags, num_in_group_flags);
OPENSSL_free(in_group_flags);
in_group_flags = NULL;
- if (*cipher_list != NULL) {
- ssl_cipher_preference_list_free(*cipher_list);
+ if (*out_cipher_list != NULL) {
+ ssl_cipher_preference_list_free(*out_cipher_list);
}
- *cipher_list = pref_list;
+ *out_cipher_list = pref_list;
pref_list = NULL;
- if (cipher_list_by_id != NULL) {
- if (*cipher_list_by_id != NULL) {
- sk_SSL_CIPHER_free(*cipher_list_by_id);
- }
- *cipher_list_by_id = tmp_cipher_list;
+ if (out_cipher_list_by_id != NULL) {
+ sk_SSL_CIPHER_free(*out_cipher_list_by_id);
+ *out_cipher_list_by_id = tmp_cipher_list;
tmp_cipher_list = NULL;
- (void) sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, ssl_cipher_ptr_id_cmp);
+ (void) sk_SSL_CIPHER_set_cmp_func(*out_cipher_list_by_id,
+ ssl_cipher_ptr_id_cmp);
- sk_SSL_CIPHER_sort(*cipher_list_by_id);
+ sk_SSL_CIPHER_sort(*out_cipher_list_by_id);
} else {
sk_SSL_CIPHER_free(tmp_cipher_list);
tmp_cipher_list = NULL;
@@ -1114,32 +1017,177 @@
return cipherstack;
err:
- if (co_list) {
- OPENSSL_free(co_list);
- }
- if (in_group_flags) {
- OPENSSL_free(in_group_flags);
- }
- if (cipherstack) {
- sk_SSL_CIPHER_free(cipherstack);
- }
- if (tmp_cipher_list) {
- sk_SSL_CIPHER_free(tmp_cipher_list);
- }
- if (pref_list && pref_list->in_group_flags) {
+ OPENSSL_free(co_list);
+ OPENSSL_free(in_group_flags);
+ sk_SSL_CIPHER_free(cipherstack);
+ sk_SSL_CIPHER_free(tmp_cipher_list);
+ if (pref_list) {
OPENSSL_free(pref_list->in_group_flags);
}
- if (pref_list) {
- OPENSSL_free(pref_list);
- }
+ OPENSSL_free(pref_list);
return NULL;
}
+uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
+
+int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
+ return (cipher->algorithm_enc & SSL_AES) != 0;
+}
+
+int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *cipher) {
+ return (cipher->algorithm_mac & SSL_MD5) != 0;
+}
+
+int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
+ return (cipher->algorithm_mac & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
+}
+
+int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
+ return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
+}
+
+/* return the actual cipher being used */
+const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
+ if (cipher != NULL) {
+ return cipher->name;
+ }
+
+ return "(NONE)";
+}
+
+const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
+ if (cipher == NULL) {
+ return "";
+ }
+
+ switch (cipher->algorithm_mkey) {
+ case SSL_kRSA:
+ return "RSA";
+
+ case SSL_kDHE:
+ switch (cipher->algorithm_auth) {
+ case SSL_aRSA:
+ return "DHE_RSA";
+ default:
+ assert(0);
+ return "UNKNOWN";
+ }
+
+ case SSL_kECDHE:
+ switch (cipher->algorithm_auth) {
+ case SSL_aECDSA:
+ return "ECDHE_ECDSA";
+ case SSL_aRSA:
+ return "ECDHE_RSA";
+ case SSL_aPSK:
+ return "ECDHE_PSK";
+ default:
+ assert(0);
+ return "UNKNOWN";
+ }
+
+ case SSL_kPSK:
+ assert(cipher->algorithm_auth == SSL_aPSK);
+ return "PSK";
+
+ default:
+ assert(0);
+ return "UNKNOWN";
+ }
+}
+
+static const char *ssl_cipher_get_enc_name(const SSL_CIPHER *cipher) {
+ switch (cipher->algorithm_enc) {
+ case SSL_3DES:
+ return "3DES_EDE_CBC";
+ case SSL_RC4:
+ return "RC4";
+ case SSL_AES128:
+ return "AES_128_CBC";
+ case SSL_AES256:
+ return "AES_256_CBC";
+ case SSL_AES128GCM:
+ return "AES_128_GCM";
+ case SSL_AES256GCM:
+ return "AES_256_GCM";
+ case SSL_CHACHA20POLY1305:
+ return "CHACHA20_POLY1305";
+ break;
+ default:
+ assert(0);
+ return "UNKNOWN";
+ }
+}
+
+static const char *ssl_cipher_get_prf_name(const SSL_CIPHER *cipher) {
+ if ((cipher->algorithm2 & TLS1_PRF) == TLS1_PRF) {
+ /* Before TLS 1.2, the PRF component is the hash used in the HMAC, which is
+ * only ever MD5 or SHA-1. */
+ switch (cipher->algorithm_mac) {
+ case SSL_MD5:
+ return "MD5";
+ case SSL_SHA1:
+ return "SHA";
+ default:
+ assert(0);
+ return "UNKNOWN";
+ }
+ } else if (cipher->algorithm2 & TLS1_PRF_SHA256) {
+ return "SHA256";
+ } else if (cipher->algorithm2 & TLS1_PRF_SHA384) {
+ return "SHA384";
+ } else {
+ assert(0);
+ return "UNKNOWN";
+ }
+}
+
+char *SSL_CIPHER_get_rfc_name(const SSL_CIPHER *cipher) {
+ if (cipher == NULL) {
+ return NULL;
+ }
+
+ const char *kx_name = SSL_CIPHER_get_kx_name(cipher);
+ const char *enc_name = ssl_cipher_get_enc_name(cipher);
+ const char *prf_name = ssl_cipher_get_prf_name(cipher);
+
+ /* The final name is TLS_{kx_name}_WITH_{enc_name}_{prf_name}. */
+ size_t len = 4 + strlen(kx_name) + 6 + strlen(enc_name) + 1 +
+ strlen(prf_name) + 1;
+ char *ret = OPENSSL_malloc(len);
+ if (ret == NULL) {
+ return NULL;
+ }
+ if (BUF_strlcpy(ret, "TLS_", len) >= len ||
+ BUF_strlcat(ret, kx_name, len) >= len ||
+ BUF_strlcat(ret, "_WITH_", len) >= len ||
+ BUF_strlcat(ret, enc_name, len) >= len ||
+ BUF_strlcat(ret, "_", len) >= len ||
+ BUF_strlcat(ret, prf_name, len) >= len) {
+ assert(0);
+ OPENSSL_free(ret);
+ return NULL;
+ }
+ assert(strlen(ret) + 1 == len);
+ return ret;
+}
+
+int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {
+ if (cipher == NULL) {
+ return 0;
+ }
+
+ if (out_alg_bits != NULL) {
+ *out_alg_bits = cipher->alg_bits;
+ }
+ return cipher->strength_bits;
+}
+
const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,
int len) {
const char *ver;
const char *kx, *au, *enc, *mac;
- unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
+ uint32_t alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
static const char *format = "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\n";
alg_mkey = cipher->algorithm_mkey;
@@ -1161,11 +1209,11 @@
kx = "RSA";
break;
- case SSL_kEDH:
+ case SSL_kDHE:
kx = "DH";
break;
- case SSL_kEECDH:
+ case SSL_kECDHE:
kx = "ECDH";
break;
@@ -1182,10 +1230,6 @@
au = "RSA";
break;
- case SSL_aNULL:
- au = "None";
- break;
-
case SSL_aECDSA:
au = "ECDSA";
break;
@@ -1262,8 +1306,9 @@
if (buf == NULL) {
len = 128;
buf = OPENSSL_malloc(len);
- if (buf == NULL)
- return "OPENSSL_malloc Error";
+ if (buf == NULL) {
+ return NULL;
+ }
} else if (len < 128) {
return "Buffer too small";
}
@@ -1272,109 +1317,18 @@
return buf;
}
-int SSL_CIPHER_is_AES(const SSL_CIPHER *c) {
- return (c->algorithm_enc & SSL_AES) != 0;
+const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {
+ return "TLSv1/SSLv3";
}
-int SSL_CIPHER_has_MD5_HMAC(const SSL_CIPHER *c) {
- return (c->algorithm_mac & SSL_MD5) != 0;
-}
-
-int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *c) {
- return (c->algorithm_mac & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
-}
-
-int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *c) {
- return (c->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
-}
-
-const char *SSL_CIPHER_get_version(const SSL_CIPHER *c) {
- int i;
-
- if (c == NULL) {
- return "(NONE)";
- }
-
- i = (int)(c->id >> 24L);
- if (i == 3) {
- return "TLSv1/SSLv3";
- } else if (i == 2) {
- return "SSLv2";
- } else {
- return "unknown";
- }
-}
-
-/* return the actual cipher being used */
-const char *SSL_CIPHER_get_name(const SSL_CIPHER *c) {
- if (c != NULL) {
- return c->name;
- }
-
- return "(NONE)";
-}
-
-const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {
- if (cipher == NULL) {
- return "";
- }
-
- switch (cipher->algorithm_mkey) {
- case SSL_kRSA:
- return SSL_TXT_RSA;
-
- case SSL_kEDH:
- switch (cipher->algorithm_auth) {
- case SSL_aRSA:
- return "DHE_" SSL_TXT_RSA;
- case SSL_aNULL:
- return SSL_TXT_DH "_anon";
- default:
- return "UNKNOWN";
- }
-
- case SSL_kEECDH:
- switch (cipher->algorithm_auth) {
- case SSL_aECDSA:
- return "ECDHE_" SSL_TXT_ECDSA;
- case SSL_aRSA:
- return "ECDHE_" SSL_TXT_RSA;
- case SSL_aNULL:
- return SSL_TXT_ECDH "_anon";
- default:
- return "UNKNOWN";
- }
-
- default:
- return "UNKNOWN";
- }
-}
-
-/* number of bits for symmetric cipher */
-int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits) {
- int ret = 0;
-
- if (c != NULL) {
- if (alg_bits != NULL) {
- *alg_bits = c->alg_bits;
- }
- ret = c->strength_bits;
- }
-
- return ret;
-}
-
-unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c) { return c->id; }
-
void *SSL_COMP_get_compression_methods(void) { return NULL; }
int SSL_COMP_add_compression_method(int id, void *cm) { return 1; }
const char *SSL_COMP_get_name(const void *comp) { return NULL; }
-/* For a cipher return the index corresponding to the certificate type */
-int ssl_cipher_get_cert_index(const SSL_CIPHER *c) {
- unsigned long alg_a = c->algorithm_auth;
+int ssl_cipher_get_cert_index(const SSL_CIPHER *cipher) {
+ uint32_t alg_a = cipher->algorithm_auth;
if (alg_a & SSL_aECDSA) {
return SSL_PKEY_ECC;
@@ -1385,16 +1339,9 @@
return -1;
}
-/* ssl_cipher_has_server_public_key returns 1 if |cipher| involves a server
- * public key in the key exchange, sent in a server Certificate message.
- * Otherwise it returns 0. */
int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher) {
- /* Anonymous ciphers do not include a server certificate. */
- if (cipher->algorithm_auth & SSL_aNULL) {
- return 0;
- }
-
- /* Neither do PSK ciphers, except for RSA_PSK. */
+ /* PSK-authenticated ciphers do not use a public key, except for
+ * RSA_PSK. */
if ((cipher->algorithm_auth & SSL_aPSK) &&
!(cipher->algorithm_mkey & SSL_kRSA)) {
return 0;
@@ -1404,15 +1351,9 @@
return 1;
}
-/* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a
- * ServerKeyExchange message. Otherwise it returns 0.
- *
- * Unlike ssl_cipher_has_server_public_key, some ciphers take optional
- * ServerKeyExchanges. PSK and RSA_PSK only use the ServerKeyExchange to
- * communicate a psk_identity_hint, so it is optional. */
int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
/* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
- if (cipher->algorithm_mkey & SSL_kEDH || cipher->algorithm_mkey & SSL_kEECDH) {
+ if (cipher->algorithm_mkey & SSL_kDHE || cipher->algorithm_mkey & SSL_kECDHE) {
return 1;
}
diff --git a/src/ssl/ssl_error.c b/src/ssl/ssl_error.c
deleted file mode 100644
index 2ffb9e6..0000000
--- a/src/ssl/ssl_error.c
+++ /dev/null
@@ -1,566 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/ssl.h>
-
-const ERR_STRING_DATA SSL_error_string_data[] = {
- {ERR_PACK(ERR_LIB_SSL, SSL_F_D2I_SSL_SESSION, 0), "D2I_SSL_SESSION"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_check_private_key, 0), "SSL_CTX_check_private_key"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_new, 0), "SSL_CTX_new"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_set_cipher_list, 0), "SSL_CTX_set_cipher_list"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_set_cipher_list_tls11, 0), "SSL_CTX_set_cipher_list_tls11"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_set_session_id_context, 0), "SSL_CTX_set_session_id_context"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_set_ssl_version, 0), "SSL_CTX_set_ssl_version"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_PrivateKey, 0), "SSL_CTX_use_PrivateKey"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_PrivateKey_ASN1, 0), "SSL_CTX_use_PrivateKey_ASN1"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_PrivateKey_file, 0), "SSL_CTX_use_PrivateKey_file"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_RSAPrivateKey, 0), "SSL_CTX_use_RSAPrivateKey"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_RSAPrivateKey_ASN1, 0), "SSL_CTX_use_RSAPrivateKey_ASN1"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_RSAPrivateKey_file, 0), "SSL_CTX_use_RSAPrivateKey_file"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_authz, 0), "SSL_CTX_use_authz"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate, 0), "SSL_CTX_use_certificate"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate_ASN1, 0), "SSL_CTX_use_certificate_ASN1"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate_chain_file, 0), "SSL_CTX_use_certificate_chain_file"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate_file, 0), "SSL_CTX_use_certificate_file"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_psk_identity_hint, 0), "SSL_CTX_use_psk_identity_hint"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_new, 0), "SSL_SESSION_new"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_print_fp, 0), "SSL_SESSION_print_fp"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_set1_id_context, 0), "SSL_SESSION_set1_id_context"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_to_bytes_full, 0), "SSL_SESSION_to_bytes_full"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_accept, 0), "SSL_accept"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_add_dir_cert_subjects_to_stack, 0), "SSL_add_dir_cert_subjects_to_stack"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_add_file_cert_subjects_to_stack, 0), "SSL_add_file_cert_subjects_to_stack"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_check_private_key, 0), "SSL_check_private_key"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_clear, 0), "SSL_clear"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_connect, 0), "SSL_connect"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_do_handshake, 0), "SSL_do_handshake"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_load_client_CA_file, 0), "SSL_load_client_CA_file"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_new, 0), "SSL_new"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_peek, 0), "SSL_peek"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_read, 0), "SSL_read"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_cipher_list, 0), "SSL_set_cipher_list"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_fd, 0), "SSL_set_fd"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_rfd, 0), "SSL_set_rfd"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_session, 0), "SSL_set_session"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_session_id_context, 0), "SSL_set_session_id_context"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_session_ticket_ext, 0), "SSL_set_session_ticket_ext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_set_wfd, 0), "SSL_set_wfd"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_shutdown, 0), "SSL_shutdown"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_PrivateKey, 0), "SSL_use_PrivateKey"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_PrivateKey_ASN1, 0), "SSL_use_PrivateKey_ASN1"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_PrivateKey_file, 0), "SSL_use_PrivateKey_file"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_RSAPrivateKey, 0), "SSL_use_RSAPrivateKey"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_RSAPrivateKey_ASN1, 0), "SSL_use_RSAPrivateKey_ASN1"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_RSAPrivateKey_file, 0), "SSL_use_RSAPrivateKey_file"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_authz, 0), "SSL_use_authz"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_certificate, 0), "SSL_use_certificate"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_certificate_ASN1, 0), "SSL_use_certificate_ASN1"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_certificate_file, 0), "SSL_use_certificate_file"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_use_psk_identity_hint, 0), "SSL_use_psk_identity_hint"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_write, 0), "SSL_write"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_authz_find_data, 0), "authz_find_data"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_check_suiteb_cipher_list, 0), "check_suiteb_cipher_list"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_d2i_SSL_SESSION, 0), "d2i_SSL_SESSION"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_d2i_SSL_SESSION_get_octet_string, 0), "d2i_SSL_SESSION_get_octet_string"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_d2i_SSL_SESSION_get_string, 0), "d2i_SSL_SESSION_get_string"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_do_dtls1_write, 0), "do_dtls1_write"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_do_ssl3_write, 0), "do_ssl3_write"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_accept, 0), "dtls1_accept"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_buffer_record, 0), "dtls1_buffer_record"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_check_timeout_num, 0), "dtls1_check_timeout_num"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_connect, 0), "dtls1_connect"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_do_write, 0), "dtls1_do_write"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_get_hello_verify, 0), "dtls1_get_hello_verify"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_get_message, 0), "dtls1_get_message"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_get_message_fragment, 0), "dtls1_get_message_fragment"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_heartbeat, 0), "dtls1_heartbeat"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_preprocess_fragment, 0), "dtls1_preprocess_fragment"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_process_record, 0), "dtls1_process_record"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_read_bytes, 0), "dtls1_read_bytes"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_send_hello_verify_request, 0), "dtls1_send_hello_verify_request"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_dtls1_write_app_data_bytes, 0), "dtls1_write_app_data_bytes"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_fclose, 0), "fclose"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_fprintf, 0), "fprintf"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_i2d_SSL_SESSION, 0), "i2d_SSL_SESSION"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_printf, 0), "printf"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_read_authz, 0), "read_authz"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_accept, 0), "ssl23_accept"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_client_hello, 0), "ssl23_client_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_connect, 0), "ssl23_connect"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_get_client_hello, 0), "ssl23_get_client_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_get_server_hello, 0), "ssl23_get_server_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_get_v2_client_hello, 0), "ssl23_get_v2_client_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_peek, 0), "ssl23_peek"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_read, 0), "ssl23_read"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl23_write, 0), "ssl23_write"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_accept, 0), "ssl3_accept"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_callback_ctrl, 0), "ssl3_callback_ctrl"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_cert_verify_hash, 0), "ssl3_cert_verify_hash"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_change_cipher_state, 0), "ssl3_change_cipher_state"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_check_cert_and_algorithm, 0), "ssl3_check_cert_and_algorithm"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_check_client_hello, 0), "ssl3_check_client_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_connect, 0), "ssl3_connect"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_ctrl, 0), "ssl3_ctrl"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_ctx_ctrl, 0), "ssl3_ctx_ctrl"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_digest_cached_records, 0), "ssl3_digest_cached_records"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_do_change_cipher_spec, 0), "ssl3_do_change_cipher_spec"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_expect_change_cipher_spec, 0), "ssl3_expect_change_cipher_spec"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_generate_key_block, 0), "ssl3_generate_key_block"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_cert_status, 0), "ssl3_get_cert_status"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_cert_verify, 0), "ssl3_get_cert_verify"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_certificate_request, 0), "ssl3_get_certificate_request"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_channel_id, 0), "ssl3_get_channel_id"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_client_certificate, 0), "ssl3_get_client_certificate"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_client_hello, 0), "ssl3_get_client_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_client_key_exchange, 0), "ssl3_get_client_key_exchange"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_finished, 0), "ssl3_get_finished"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_initial_bytes, 0), "ssl3_get_initial_bytes"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_message, 0), "ssl3_get_message"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_new_session_ticket, 0), "ssl3_get_new_session_ticket"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_next_proto, 0), "ssl3_get_next_proto"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_record, 0), "ssl3_get_record"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_certificate, 0), "ssl3_get_server_certificate"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_done, 0), "ssl3_get_server_done"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_hello, 0), "ssl3_get_server_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_server_key_exchange, 0), "ssl3_get_server_key_exchange"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_get_v2_client_hello, 0), "ssl3_get_v2_client_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_handshake_mac, 0), "ssl3_handshake_mac"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_prf, 0), "ssl3_prf"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_read_bytes, 0), "ssl3_read_bytes"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_read_n, 0), "ssl3_read_n"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_cert_verify, 0), "ssl3_send_cert_verify"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_certificate_request, 0), "ssl3_send_certificate_request"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_channel_id, 0), "ssl3_send_channel_id"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_client_certificate, 0), "ssl3_send_client_certificate"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_client_hello, 0), "ssl3_send_client_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_client_key_exchange, 0), "ssl3_send_client_key_exchange"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_new_session_ticket, 0), "ssl3_send_new_session_ticket"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_server_certificate, 0), "ssl3_send_server_certificate"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_server_hello, 0), "ssl3_send_server_hello"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_send_server_key_exchange, 0), "ssl3_send_server_key_exchange"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_setup_key_block, 0), "ssl3_setup_key_block"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_setup_read_buffer, 0), "ssl3_setup_read_buffer"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_setup_write_buffer, 0), "ssl3_setup_write_buffer"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_write_bytes, 0), "ssl3_write_bytes"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl3_write_pending, 0), "ssl3_write_pending"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_cert_chain, 0), "ssl_add_cert_chain"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_cert_to_buf, 0), "ssl_add_cert_to_buf"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_clienthello_renegotiate_ext, 0), "ssl_add_clienthello_renegotiate_ext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_clienthello_tlsext, 0), "ssl_add_clienthello_tlsext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_clienthello_use_srtp_ext, 0), "ssl_add_clienthello_use_srtp_ext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_serverhello_renegotiate_ext, 0), "ssl_add_serverhello_renegotiate_ext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_serverhello_tlsext, 0), "ssl_add_serverhello_tlsext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_add_serverhello_use_srtp_ext, 0), "ssl_add_serverhello_use_srtp_ext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_bad_method, 0), "ssl_bad_method"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_build_cert_chain, 0), "ssl_build_cert_chain"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_bytes_to_cipher_list, 0), "ssl_bytes_to_cipher_list"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cert_dup, 0), "ssl_cert_dup"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cert_inst, 0), "ssl_cert_inst"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cert_new, 0), "ssl_cert_new"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_check_serverhello_tlsext, 0), "ssl_check_serverhello_tlsext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_check_srvr_ecc_cert_and_alg, 0), "ssl_check_srvr_ecc_cert_and_alg"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cipher_process_rulestr, 0), "ssl_cipher_process_rulestr"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_cipher_strength_sort, 0), "ssl_cipher_strength_sort"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_create_cipher_list, 0), "ssl_create_cipher_list"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_ctx_log_master_secret, 0), "ssl_ctx_log_master_secret"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_ctx_log_rsa_client_key_exchange, 0), "ssl_ctx_log_rsa_client_key_exchange"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_ctx_make_profiles, 0), "ssl_ctx_make_profiles"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_get_new_session, 0), "ssl_get_new_session"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_get_prev_session, 0), "ssl_get_prev_session"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_get_server_cert_index, 0), "ssl_get_server_cert_index"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_get_sign_pkey, 0), "ssl_get_sign_pkey"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_init_wbio_buffer, 0), "ssl_init_wbio_buffer"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_new, 0), "ssl_new"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_clienthello_renegotiate_ext, 0), "ssl_parse_clienthello_renegotiate_ext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_clienthello_tlsext, 0), "ssl_parse_clienthello_tlsext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_clienthello_use_srtp_ext, 0), "ssl_parse_clienthello_use_srtp_ext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_serverhello_renegotiate_ext, 0), "ssl_parse_serverhello_renegotiate_ext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_serverhello_tlsext, 0), "ssl_parse_serverhello_tlsext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_parse_serverhello_use_srtp_ext, 0), "ssl_parse_serverhello_use_srtp_ext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_prepare_clienthello_tlsext, 0), "ssl_prepare_clienthello_tlsext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_scan_clienthello_tlsext, 0), "ssl_scan_clienthello_tlsext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_scan_serverhello_tlsext, 0), "ssl_scan_serverhello_tlsext"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_sess_cert_new, 0), "ssl_sess_cert_new"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_set_authz, 0), "ssl_set_authz"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_set_cert, 0), "ssl_set_cert"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_set_pkey, 0), "ssl_set_pkey"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_undefined_const_function, 0), "ssl_undefined_const_function"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_undefined_function, 0), "ssl_undefined_function"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_undefined_void_function, 0), "ssl_undefined_void_function"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_ssl_verify_cert_chain, 0), "ssl_verify_cert_chain"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls12_check_peer_sigalg, 0), "tls12_check_peer_sigalg"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_aead_ctx_init, 0), "tls1_aead_ctx_init"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_cert_verify_mac, 0), "tls1_cert_verify_mac"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_change_cipher_state, 0), "tls1_change_cipher_state"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_change_cipher_state_aead, 0), "tls1_change_cipher_state_aead"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_change_cipher_state_cipher, 0), "tls1_change_cipher_state_cipher"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_check_duplicate_extensions, 0), "tls1_check_duplicate_extensions"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_enc, 0), "tls1_enc"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_export_keying_material, 0), "tls1_export_keying_material"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_get_server_supplemental_data, 0), "tls1_get_server_supplemental_data"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_heartbeat, 0), "tls1_heartbeat"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_prf, 0), "tls1_prf"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_send_server_supplemental_data, 0), "tls1_send_server_supplemental_data"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_tls1_setup_key_block, 0), "tls1_setup_key_block"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE), "APP_DATA_IN_HANDSHAKE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT), "ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_AUTHZ_DATA_TOO_LARGE), "AUTHZ_DATA_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ALERT), "BAD_ALERT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ALERT_RECORD), "BAD_ALERT_RECORD"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_AUTHENTICATION_TYPE), "BAD_AUTHENTICATION_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHANGE_CIPHER_SPEC), "BAD_CHANGE_CIPHER_SPEC"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_CHECKSUM), "BAD_CHECKSUM"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA), "BAD_DATA"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK), "BAD_DATA_RETURNED_BY_CALLBACK"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DECOMPRESSION), "BAD_DECOMPRESSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_G_LENGTH), "BAD_DH_G_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_PUB_KEY_LENGTH), "BAD_DH_PUB_KEY_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DH_P_LENGTH), "BAD_DH_P_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DIGEST_LENGTH), "BAD_DIGEST_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_DSA_SIGNATURE), "BAD_DSA_SIGNATURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECC_CERT), "BAD_ECC_CERT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECDSA_SIGNATURE), "BAD_ECDSA_SIGNATURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_ECPOINT), "BAD_ECPOINT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HANDSHAKE_LENGTH), "BAD_HANDSHAKE_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_HELLO_REQUEST), "BAD_HELLO_REQUEST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_LENGTH), "BAD_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_MAC_DECODE), "BAD_MAC_DECODE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_MAC_LENGTH), "BAD_MAC_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_MESSAGE_TYPE), "BAD_MESSAGE_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PACKET_LENGTH), "BAD_PACKET_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PROTOCOL_VERSION_NUMBER), "BAD_PROTOCOL_VERSION_NUMBER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH), "BAD_PSK_IDENTITY_HINT_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RESPONSE_ARGUMENT), "BAD_RESPONSE_ARGUMENT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_DECRYPT), "BAD_RSA_DECRYPT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_ENCRYPT), "BAD_RSA_ENCRYPT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_E_LENGTH), "BAD_RSA_E_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_MODULUS_LENGTH), "BAD_RSA_MODULUS_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_RSA_SIGNATURE), "BAD_RSA_SIGNATURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SIGNATURE), "BAD_SIGNATURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_A_LENGTH), "BAD_SRP_A_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_B_LENGTH), "BAD_SRP_B_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_G_LENGTH), "BAD_SRP_G_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_N_LENGTH), "BAD_SRP_N_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRP_S_LENGTH), "BAD_SRP_S_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_MKI_VALUE), "BAD_SRTP_MKI_VALUE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST), "BAD_SRTP_PROTECTION_PROFILE_LIST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SSL_FILETYPE), "BAD_SSL_FILETYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_SSL_SESSION_ID_LENGTH), "BAD_SSL_SESSION_ID_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_STATE), "BAD_STATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_VALUE), "BAD_VALUE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BAD_WRITE_RETRY), "BAD_WRITE_RETRY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BIO_NOT_SET), "BIO_NOT_SET"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG), "BLOCK_CIPHER_PAD_IS_WRONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_BN_LIB), "BN_LIB"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY), "CANNOT_SERIALIZE_PUBLIC_KEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_LENGTH_MISMATCH), "CA_DN_LENGTH_MISMATCH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CA_DN_TOO_LONG), "CA_DN_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CCS_RECEIVED_EARLY), "CCS_RECEIVED_EARLY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERTIFICATE_VERIFY_FAILED), "CERTIFICATE_VERIFY_FAILED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_CB_ERROR), "CERT_CB_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERT_LENGTH_MISMATCH), "CERT_LENGTH_MISMATCH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CHALLENGE_IS_DIFFERENT), "CHALLENGE_IS_DIFFERENT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CHANNEL_ID_NOT_P256), "CHANNEL_ID_NOT_P256"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CHANNEL_ID_SIGNATURE_INVALID), "CHANNEL_ID_SIGNATURE_INVALID"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_CODE_WRONG_LENGTH), "CIPHER_CODE_WRONG_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_OR_HASH_UNAVAILABLE), "CIPHER_OR_HASH_UNAVAILABLE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CIPHER_TABLE_SRC_ERROR), "CIPHER_TABLE_SRC_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_PARSE_FAILED), "CLIENTHELLO_PARSE_FAILED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CLIENTHELLO_TLSEXT), "CLIENTHELLO_TLSEXT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSED_LENGTH_TOO_LONG), "COMPRESSED_LENGTH_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_DISABLED), "COMPRESSION_DISABLED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_FAILURE), "COMPRESSION_FAILURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE), "COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COMPRESSION_LIBRARY_ERROR), "COMPRESSION_LIBRARY_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONNECTION_ID_IS_DIFFERENT), "CONNECTION_ID_IS_DIFFERENT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONNECTION_REJECTED), "CONNECTION_REJECTED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CONNECTION_TYPE_NOT_SET), "CONNECTION_TYPE_NOT_SET"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_COOKIE_MISMATCH), "COOKIE_MISMATCH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_D2I_ECDSA_SIG), "D2I_ECDSA_SIG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED), "DATA_BETWEEN_CCS_AND_FINISHED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DATA_LENGTH_TOO_LONG), "DATA_LENGTH_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECODE_ERROR), "DECODE_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED), "DECRYPTION_FAILED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC), "DECRYPTION_FAILED_OR_BAD_RECORD_MAC"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG), "DH_PUBLIC_VALUE_LENGTH_IS_WRONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DIGEST_CHECK_FAILED), "DIGEST_CHECK_FAILED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DTLS_MESSAGE_TOO_BIG), "DTLS_MESSAGE_TOO_BIG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_DUPLICATE_COMPRESSION_ID), "DUPLICATE_COMPRESSION_ID"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT), "ECC_CERT_NOT_FOR_KEY_AGREEMENT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_NOT_FOR_SIGNING), "ECC_CERT_NOT_FOR_SIGNING"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE), "ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE), "ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER), "ECGROUP_TOO_LARGE_FOR_CIPHER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST), "EMPTY_SRTP_PROTECTION_PROFILE_LIST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "ENCRYPTED_LENGTH_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_GENERATING_TMP_RSA_KEY), "ERROR_GENERATING_TMP_RSA_KEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST), "ERROR_IN_RECEIVED_CIPHER_LIST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EVP_DIGESTSIGNFINAL_FAILED), "EVP_DIGESTSIGNFINAL_FAILED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EVP_DIGESTSIGNINIT_FAILED), "EVP_DIGESTSIGNINIT_FAILED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXCESSIVE_MESSAGE_SIZE), "EXCESSIVE_MESSAGE_SIZE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_EXTRA_DATA_IN_MESSAGE), "EXTRA_DATA_IN_MESSAGE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOST_NOT_SUPPORTED), "GOST_NOT_SUPPORTED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_A_FIN_BEFORE_A_CCS), "GOT_A_FIN_BEFORE_A_CCS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_CHANNEL_ID_BEFORE_A_CCS), "GOT_CHANNEL_ID_BEFORE_A_CCS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS), "GOT_NEXT_PROTO_BEFORE_A_CCS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION), "GOT_NEXT_PROTO_WITHOUT_EXTENSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO), "HANDSHAKE_FAILURE_ON_CLIENT_HELLO"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HANDSHAKE_RECORD_BEFORE_CCS), "HANDSHAKE_RECORD_BEFORE_CCS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTPS_PROXY_REQUEST), "HTTPS_PROXY_REQUEST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_HTTP_REQUEST), "HTTP_REQUEST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_PADDING), "ILLEGAL_PADDING"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ILLEGAL_SUITEB_DIGEST), "ILLEGAL_SUITEB_DIGEST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INAPPROPRIATE_FALLBACK), "INAPPROPRIATE_FALLBACK"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INCONSISTENT_COMPRESSION), "INCONSISTENT_COMPRESSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_AUDIT_PROOF), "INVALID_AUDIT_PROOF"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_AUTHZ_DATA), "INVALID_AUTHZ_DATA"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_CHALLENGE_LENGTH), "INVALID_CHALLENGE_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMMAND), "INVALID_COMMAND"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_COMPRESSION_ALGORITHM), "INVALID_COMPRESSION_ALGORITHM"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_MESSAGE), "INVALID_MESSAGE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_NULL_CMD_NAME), "INVALID_NULL_CMD_NAME"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_PURPOSE), "INVALID_PURPOSE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SERVERINFO_DATA), "INVALID_SERVERINFO_DATA"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SRP_USERNAME), "INVALID_SRP_USERNAME"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_SSL_SESSION), "INVALID_SSL_SESSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_STATUS_RESPONSE), "INVALID_STATUS_RESPONSE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TICKET_KEYS_LENGTH), "INVALID_TICKET_KEYS_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_INVALID_TRUST), "INVALID_TRUST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KEY_ARG_TOO_LONG), "KEY_ARG_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5), "KRB5"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_C_CC_PRINC), "KRB5_C_CC_PRINC"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_C_GET_CRED), "KRB5_C_GET_CRED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_C_INIT), "KRB5_C_INIT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_C_MK_REQ), "KRB5_C_MK_REQ"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_BAD_TICKET), "KRB5_S_BAD_TICKET"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_INIT), "KRB5_S_INIT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_RD_REQ), "KRB5_S_RD_REQ"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_TKT_EXPIRED), "KRB5_S_TKT_EXPIRED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_TKT_NYV), "KRB5_S_TKT_NYV"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_KRB5_S_TKT_SKEW), "KRB5_S_TKT_SKEW"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_MISMATCH), "LENGTH_MISMATCH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LENGTH_TOO_SHORT), "LENGTH_TOO_SHORT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_BUG), "LIBRARY_BUG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_LIBRARY_HAS_NO_CIPHERS), "LIBRARY_HAS_NO_CIPHERS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MESSAGE_TOO_LONG), "MESSAGE_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DH_DSA_CERT), "MISSING_DH_DSA_CERT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DH_KEY), "MISSING_DH_KEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DH_RSA_CERT), "MISSING_DH_RSA_CERT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_DSA_SIGNING_CERT), "MISSING_DSA_SIGNING_CERT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_ECDH_CERT), "MISSING_ECDH_CERT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_ECDSA_SIGNING_CERT), "MISSING_ECDSA_SIGNING_CERT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_EXPORT_TMP_DH_KEY), "MISSING_EXPORT_TMP_DH_KEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_EXPORT_TMP_RSA_KEY), "MISSING_EXPORT_TMP_RSA_KEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_CERTIFICATE), "MISSING_RSA_CERTIFICATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_ENCRYPTING_CERT), "MISSING_RSA_ENCRYPTING_CERT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_RSA_SIGNING_CERT), "MISSING_RSA_SIGNING_CERT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_SRP_PARAM), "MISSING_SRP_PARAM"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "MISSING_TMP_DH_KEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY), "MISSING_TMP_ECDH_KEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_RSA_KEY), "MISSING_TMP_RSA_KEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_RSA_PKEY), "MISSING_TMP_RSA_PKEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_VERIFY_MESSAGE), "MISSING_VERIFY_MESSAGE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS), "MIXED_SPECIAL_OPERATOR_WITH_GROUPS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MTU_TOO_SMALL), "MTU_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MULTIPLE_SGC_RESTARTS), "MULTIPLE_SGC_RESTARTS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NESTED_GROUP), "NESTED_GROUP"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NON_SSLV2_INITIAL_PACKET), "NON_SSLV2_INITIAL_PACKET"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATES_RETURNED), "NO_CERTIFICATES_RETURNED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_ASSIGNED), "NO_CERTIFICATE_ASSIGNED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_RETURNED), "NO_CERTIFICATE_RETURNED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_SET), "NO_CERTIFICATE_SET"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CERTIFICATE_SPECIFIED), "NO_CERTIFICATE_SPECIFIED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_AVAILABLE), "NO_CIPHERS_AVAILABLE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_PASSED), "NO_CIPHERS_PASSED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHERS_SPECIFIED), "NO_CIPHERS_SPECIFIED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHER_LIST), "NO_CIPHER_LIST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CIPHER_MATCH), "NO_CIPHER_MATCH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CLIENT_CERT_METHOD), "NO_CLIENT_CERT_METHOD"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_CLIENT_CERT_RECEIVED), "NO_CLIENT_CERT_RECEIVED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COMPRESSION_SPECIFIED), "NO_COMPRESSION_SPECIFIED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "NO_GOST_CERTIFICATE_SENT_BY_PEER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_METHOD_SPECIFIED), "NO_METHOD_SPECIFIED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_P256_SUPPORT), "NO_P256_SUPPORT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PEM_EXTENSIONS), "NO_PEM_EXTENSIONS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PRIVATEKEY), "NO_PRIVATEKEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PRIVATE_KEY_ASSIGNED), "NO_PRIVATE_KEY_ASSIGNED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PROTOCOLS_AVAILABLE), "NO_PROTOCOLS_AVAILABLE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_PUBLICKEY), "NO_PUBLICKEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_RENEGOTIATION), "NO_RENEGOTIATION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_REQUIRED_DIGEST), "NO_REQUIRED_DIGEST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_CIPHER), "NO_SHARED_CIPHER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SHARED_SIGATURE_ALGORITHMS), "NO_SHARED_SIGATURE_ALGORITHMS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_SRTP_PROFILES), "NO_SRTP_PROFILES"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_VERIFY_CALLBACK), "NO_VERIFY_CALLBACK"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_CTX), "NULL_SSL_CTX"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NULL_SSL_METHOD_PASSED), "NULL_SSL_METHOD_PASSED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED), "OLD_SESSION_CIPHER_NOT_RETURNED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED), "OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE), "ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE), "ONLY_TLS_1_2_ALLOWED_IN_SUITEB_MODE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE), "ONLY_TLS_ALLOWED_IN_FIPS_MODE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_OPAQUE_PRF_INPUT_TOO_LONG), "OPAQUE_PRF_INPUT_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PACKET_LENGTH_TOO_LONG), "PACKET_LENGTH_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PARSE_TLSEXT), "PARSE_TLSEXT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PATH_TOO_LONG), "PATH_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE), "PEER_DID_NOT_RETURN_A_CERTIFICATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR), "PEER_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR_CERTIFICATE), "PEER_ERROR_CERTIFICATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR_NO_CERTIFICATE), "PEER_ERROR_NO_CERTIFICATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR_NO_CIPHER), "PEER_ERROR_NO_CIPHER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE), "PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_BAD_PREFIX), "PEM_NAME_BAD_PREFIX"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PEM_NAME_TOO_SHORT), "PEM_NAME_TOO_SHORT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PRE_MAC_LENGTH_TOO_LONG), "PRE_MAC_LENGTH_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PROBLEMS_MAPPING_CIPHER_FUNCTIONS), "PROBLEMS_MAPPING_CIPHER_FUNCTIONS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PROTOCOL_IS_SHUTDOWN), "PROTOCOL_IS_SHUTDOWN"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_IDENTITY_NOT_FOUND), "PSK_IDENTITY_NOT_FOUND"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_CLIENT_CB), "PSK_NO_CLIENT_CB"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PSK_NO_SERVER_CB), "PSK_NO_SERVER_CB"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PUBLIC_KEY_ENCRYPT_ERROR), "PUBLIC_KEY_ENCRYPT_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PUBLIC_KEY_IS_NOT_RSA), "PUBLIC_KEY_IS_NOT_RSA"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_PUBLIC_KEY_NOT_RSA), "PUBLIC_KEY_NOT_RSA"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_BIO_NOT_SET), "READ_BIO_NOT_SET"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_TIMEOUT_EXPIRED), "READ_TIMEOUT_EXPIRED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_READ_WRONG_PACKET_TYPE), "READ_WRONG_PACKET_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_LENGTH_MISMATCH), "RECORD_LENGTH_MISMATCH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_TOO_LARGE), "RECORD_TOO_LARGE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RECORD_TOO_SMALL), "RECORD_TOO_SMALL"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATE_EXT_TOO_LONG), "RENEGOTIATE_EXT_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_ENCODING_ERR), "RENEGOTIATION_ENCODING_ERR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_RENEGOTIATION_MISMATCH), "RENEGOTIATION_MISMATCH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_CIPHER_MISSING), "REQUIRED_CIPHER_MISSING"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING), "REQUIRED_COMPRESSSION_ALGORITHM_MISSING"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REUSE_CERT_LENGTH_NOT_ZERO), "REUSE_CERT_LENGTH_NOT_ZERO"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REUSE_CERT_TYPE_NOT_ZERO), "REUSE_CERT_TYPE_NOT_ZERO"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_REUSE_CIPHER_LIST_NOT_ZERO), "REUSE_CIPHER_LIST_NOT_ZERO"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING), "SCSV_RECEIVED_WHEN_RENEGOTIATING"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SERVERHELLO_TLSEXT), "SERVERHELLO_TLSEXT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), "SESSION_ID_CONTEXT_UNINITIALIZED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SESSION_MAY_NOT_BE_CREATED), "SESSION_MAY_NOT_BE_CREATED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ), "SHORT_READ"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_ALGORITHMS_ERROR), "SIGNATURE_ALGORITHMS_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), "SIGNATURE_FOR_NON_SIGNING_CERTIFICATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRP_A_CALC), "SRP_A_CALC"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES), "SRTP_COULD_NOT_ALLOCATE_PROFILES"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG), "SRTP_PROTECTION_PROFILE_LIST_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE), "SRTP_UNKNOWN_PROTECTION_PROFILE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL23_DOING_SESSION_ID_REUSE), "SSL23_DOING_SESSION_ID_REUSE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL2_CONNECTION_ID_TOO_LONG), "SSL2_CONNECTION_ID_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT), "SSL3_EXT_INVALID_ECPOINTFORMAT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME), "SSL3_EXT_INVALID_SERVERNAME"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE), "SSL3_EXT_INVALID_SERVERNAME_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_SESSION_ID_TOO_LONG), "SSL3_SESSION_ID_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL3_SESSION_ID_TOO_SHORT), "SSL3_SESSION_ID_TOO_SHORT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE), "SSLV3_ALERT_BAD_CERTIFICATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_BAD_RECORD_MAC), "SSLV3_ALERT_BAD_RECORD_MAC"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED), "SSLV3_ALERT_CERTIFICATE_EXPIRED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED), "SSLV3_ALERT_CERTIFICATE_REVOKED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN), "SSLV3_ALERT_CERTIFICATE_UNKNOWN"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_CLOSE_NOTIFY), "SSLV3_ALERT_CLOSE_NOTIFY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE), "SSLV3_ALERT_DECOMPRESSION_FAILURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE), "SSLV3_ALERT_HANDSHAKE_FAILURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER), "SSLV3_ALERT_ILLEGAL_PARAMETER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_NO_CERTIFICATE), "SSLV3_ALERT_NO_CERTIFICATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE), "SSLV3_ALERT_UNEXPECTED_MESSAGE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE), "SSLV3_ALERT_UNSUPPORTED_CERTIFICATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION), "SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_HANDSHAKE_FAILURE), "SSL_HANDSHAKE_FAILURE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS), "SSL_LIBRARY_HAS_NO_CIPHERS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CALLBACK_FAILED), "SSL_SESSION_ID_CALLBACK_FAILED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONFLICT), "SSL_SESSION_ID_CONFLICT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG), "SSL_SESSION_ID_CONTEXT_TOO_LONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH), "SSL_SESSION_ID_HAS_BAD_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SSL_SESSION_ID_IS_DIFFERENT), "SSL_SESSION_ID_IS_DIFFERENT"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_ACCESS_DENIED), "TLSV1_ALERT_ACCESS_DENIED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECODE_ERROR), "TLSV1_ALERT_DECODE_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "TLSV1_ALERT_DECRYPTION_FAILED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "TLSV1_ALERT_DECRYPT_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "TLSV1_ALERT_EXPORT_RESTRICTION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "TLSV1_ALERT_INAPPROPRIATE_FALLBACK"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "TLSV1_ALERT_INSUFFICIENT_SECURITY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "TLSV1_ALERT_INTERNAL_ERROR"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "TLSV1_ALERT_NO_RENEGOTIATION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_PROTOCOL_VERSION), "TLSV1_ALERT_PROTOCOL_VERSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_RECORD_OVERFLOW), "TLSV1_ALERT_RECORD_OVERFLOW"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_UNKNOWN_CA), "TLSV1_ALERT_UNKNOWN_CA"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_ALERT_USER_CANCELLED), "TLSV1_ALERT_USER_CANCELLED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE), "TLSV1_BAD_CERTIFICATE_HASH_VALUE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE), "TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE), "TLSV1_CERTIFICATE_UNOBTAINABLE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNRECOGNIZED_NAME), "TLSV1_UNRECOGNIZED_NAME"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLSV1_UNSUPPORTED_EXTENSION), "TLSV1_UNSUPPORTED_EXTENSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER), "TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL), "TLS_ILLEGAL_EXPORTER_LABEL"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST), "TLS_INVALID_ECPOINTFORMAT_LIST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST), "TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG), "TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TOO_MANY_EMPTY_FRAGMENTS), "TOO_MANY_EMPTY_FRAGMENTS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER), "TRIED_TO_USE_UNSUPPORTED_CIPHER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_DECODE_DH_CERTS), "UNABLE_TO_DECODE_DH_CERTS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_DECODE_ECDH_CERTS), "UNABLE_TO_DECODE_ECDH_CERTS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_EXTRACT_PUBLIC_KEY), "UNABLE_TO_EXTRACT_PUBLIC_KEY"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS), "UNABLE_TO_FIND_DH_PARAMETERS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS), "UNABLE_TO_FIND_ECDH_PARAMETERS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS), "UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_FIND_SSL_METHOD), "UNABLE_TO_FIND_SSL_METHOD"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL2_MD5_ROUTINES), "UNABLE_TO_LOAD_SSL2_MD5_ROUTINES"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES), "UNABLE_TO_LOAD_SSL3_MD5_ROUTINES"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES), "UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_GROUP_CLOSE), "UNEXPECTED_GROUP_CLOSE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "UNEXPECTED_MESSAGE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP), "UNEXPECTED_OPERATOR_IN_GROUP"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "UNEXPECTED_RECORD"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "UNINITIALIZED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_ALERT_TYPE), "UNKNOWN_ALERT_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_AUTHZ_DATA_TYPE), "UNKNOWN_AUTHZ_DATA_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CERTIFICATE_TYPE), "UNKNOWN_CERTIFICATE_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_RETURNED), "UNKNOWN_CIPHER_RETURNED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CIPHER_TYPE), "UNKNOWN_CIPHER_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_CMD_NAME), "UNKNOWN_CMD_NAME"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_DIGEST), "UNKNOWN_DIGEST"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE), "UNKNOWN_KEY_EXCHANGE_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PKEY_TYPE), "UNKNOWN_PKEY_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_PROTOCOL), "UNKNOWN_PROTOCOL"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_REMOTE_ERROR_TYPE), "UNKNOWN_REMOTE_ERROR_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_SSL_VERSION), "UNKNOWN_SSL_VERSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_STATE), "UNKNOWN_STATE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE), "UNKNOWN_SUPPLEMENTAL_DATA_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNPROCESSED_HANDSHAKE_DATA), "UNPROCESSED_HANDSHAKE_DATA"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED), "UNSAFE_LEGACY_RENEGOTIATION_DISABLED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_CIPHER), "UNSUPPORTED_CIPHER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM), "UNSUPPORTED_COMPRESSION_ALGORITHM"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_DIGEST_TYPE), "UNSUPPORTED_DIGEST_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE), "UNSUPPORTED_ELLIPTIC_CURVE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_PROTOCOL), "UNSUPPORTED_PROTOCOL"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_SSL_VERSION), "UNSUPPORTED_SSL_VERSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNSUPPORTED_STATUS_TYPE), "UNSUPPORTED_STATUS_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_USE_SRTP_NOT_NEGOTIATED), "USE_SRTP_NOT_NEGOTIATED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRITE_BIO_NOT_SET), "WRITE_BIO_NOT_SET"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CERTIFICATE_TYPE), "WRONG_CERTIFICATE_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CIPHER_RETURNED), "WRONG_CIPHER_RETURNED"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_CURVE), "WRONG_CURVE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_MESSAGE_TYPE), "WRONG_MESSAGE_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_NUMBER_OF_KEY_BITS), "WRONG_NUMBER_OF_KEY_BITS"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_LENGTH), "WRONG_SIGNATURE_LENGTH"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_SIZE), "WRONG_SIGNATURE_SIZE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SIGNATURE_TYPE), "WRONG_SIGNATURE_TYPE"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_SSL_VERSION), "WRONG_SSL_VERSION"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_WRONG_VERSION_NUMBER), "WRONG_VERSION_NUMBER"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_LIB), "X509_LIB"},
- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), "X509_VERIFICATION_SETUP_PROBLEMS"},
- {0, NULL},
-};
diff --git a/src/ssl/ssl_lib.c b/src/ssl/ssl_lib.c
index 35eb1ec..6c8e2c9 100644
--- a/src/ssl/ssl_lib.c
+++ b/src/ssl/ssl_lib.c
@@ -138,19 +138,22 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE. */
-#include <stdio.h>
#include <assert.h>
+#include <stdio.h>
+#include <string.h>
#include <openssl/bytestring.h>
#include <openssl/dh.h>
-#include <openssl/engine.h>
+#include <openssl/err.h>
#include <openssl/lhash.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
-#include "ssl_locl.h"
+#include "internal.h"
+#include "../crypto/internal.h"
+
/* Some error codes are special. Ensure the make_errors.go script never
* regresses this. */
@@ -158,6 +161,12 @@
SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,
ssl_alert_reason_code_mismatch);
+/* kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. */
+static const size_t kMaxHandshakeSize = (1u << 24) - 1;
+
+static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl = CRYPTO_EX_DATA_CLASS_INIT;
+static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx = CRYPTO_EX_DATA_CLASS_INIT;
+
int SSL_clear(SSL *s) {
if (s->method == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_clear, SSL_R_NO_METHOD_SPECIFIED);
@@ -199,21 +208,17 @@
s->rwstate = SSL_NOTHING;
s->rstate = SSL_ST_READ_HEADER;
- if (s->init_buf != NULL) {
- BUF_MEM_free(s->init_buf);
- s->init_buf = NULL;
- }
+ BUF_MEM_free(s->init_buf);
+ s->init_buf = NULL;
s->packet = NULL;
s->packet_length = 0;
ssl_clear_cipher_ctx(s);
- if (s->next_proto_negotiated) {
- OPENSSL_free(s->next_proto_negotiated);
- s->next_proto_negotiated = NULL;
- s->next_proto_negotiated_len = 0;
- }
+ OPENSSL_free(s->next_proto_negotiated);
+ s->next_proto_negotiated = NULL;
+ s->next_proto_negotiated_len = 0;
/* The s->d1->mtu is simultaneously configuration (preserved across
* clear) and connection-specific state (gets reset).
@@ -265,21 +270,9 @@
s->mode = ctx->mode;
s->max_cert_list = ctx->max_cert_list;
- if (ctx->cert != NULL) {
- /* Earlier library versions used to copy the pointer to the CERT, not its
- * contents; only when setting new parameters for the per-SSL copy,
- * ssl_cert_new would be called (and the direct reference to the
- * per-SSL_CTX settings would be lost, but those still were indirectly
- * accessed for various purposes, and for that reason they used to be known
- * as s->ctx->default_cert). Now we don't look at the SSL_CTX's CERT after
- * having duplicated it once. */
-
- s->cert = ssl_cert_dup(ctx->cert);
- if (s->cert == NULL) {
- goto err;
- }
- } else {
- s->cert = NULL; /* Cannot really happen (see SSL_CTX_new) */
+ s->cert = ssl_cert_dup(ctx->cert);
+ if (s->cert == NULL) {
+ goto err;
}
s->read_ahead = ctx->read_ahead;
@@ -302,8 +295,6 @@
CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
s->ctx = ctx;
- s->tlsext_debug_cb = 0;
- s->tlsext_debug_arg = NULL;
s->tlsext_ticket_expected = 0;
CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
s->initial_ctx = ctx;
@@ -345,12 +336,10 @@
s->enc_method = ssl3_get_enc_method(s->version);
assert(s->enc_method != NULL);
- s->references = 1;
-
s->rwstate = SSL_NOTHING;
s->rstate = SSL_ST_READ_HEADER;
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
+ CRYPTO_new_ex_data(&g_ex_data_class_ssl, s, &s->ex_data);
s->psk_identity_hint = NULL;
if (ctx->psk_identity_hint) {
@@ -364,7 +353,8 @@
s->tlsext_channel_id_enabled = ctx->tlsext_channel_id_enabled;
if (ctx->tlsext_channel_id_private) {
- s->tlsext_channel_id_private = EVP_PKEY_dup(ctx->tlsext_channel_id_private);
+ s->tlsext_channel_id_private =
+ EVP_PKEY_up_ref(ctx->tlsext_channel_id_private);
}
s->signed_cert_timestamps_enabled = s->ctx->signed_cert_timestamps_enabled;
@@ -373,9 +363,7 @@
return s;
err:
- if (s != NULL) {
- SSL_free(s);
- }
+ SSL_free(s);
OPENSSL_PUT_ERROR(SSL, SSL_new, ERR_R_MALLOC_FAILURE);
return NULL;
@@ -415,9 +403,7 @@
}
int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) {
- CRYPTO_w_lock(CRYPTO_LOCK_SSL);
ssl->generate_session_id = cb;
- CRYPTO_w_unlock(CRYPTO_LOCK_SSL);
return 1;
}
@@ -470,6 +456,9 @@
void ssl_cipher_preference_list_free(
struct ssl_cipher_preference_list_st *cipher_list) {
+ if (cipher_list == NULL) {
+ return;
+ }
sk_SSL_CIPHER_free(cipher_list->ciphers);
OPENSSL_free(cipher_list->in_group_flags);
OPENSSL_free(cipher_list);
@@ -499,17 +488,12 @@
return ret;
err:
- if (ret && ret->ciphers) {
- sk_SSL_CIPHER_free(ret->ciphers);
- }
- if (ret) {
- OPENSSL_free(ret);
- }
+ ssl_cipher_preference_list_free(ret);
return NULL;
}
struct ssl_cipher_preference_list_st *ssl_cipher_preference_list_from_ciphers(
- STACK_OF(SSL_CIPHER) * ciphers) {
+ STACK_OF(SSL_CIPHER) *ciphers) {
struct ssl_cipher_preference_list_st *ret = NULL;
size_t n = sk_SSL_CIPHER_num(ciphers);
@@ -531,12 +515,7 @@
return ret;
err:
- if (ret && ret->ciphers) {
- sk_SSL_CIPHER_free(ret->ciphers);
- }
- if (ret) {
- OPENSSL_free(ret);
- }
+ ssl_cipher_preference_list_free(ret);
return NULL;
}
@@ -547,22 +526,13 @@
void SSL_certs_clear(SSL *s) { ssl_cert_clear_certs(s->cert); }
void SSL_free(SSL *s) {
- int i;
-
if (s == NULL) {
return;
}
- i = CRYPTO_add(&s->references, -1, CRYPTO_LOCK_SSL);
- if (i > 0) {
- return;
- }
+ X509_VERIFY_PARAM_free(s->param);
- if (s->param) {
- X509_VERIFY_PARAM_free(s->param);
- }
-
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class_ssl, s, &s->ex_data);
if (s->bbio != NULL) {
/* If the buffering BIO is in place, pop it off */
@@ -573,74 +543,40 @@
s->bbio = NULL;
}
- if (s->rbio != NULL) {
- BIO_free_all(s->rbio);
- }
-
- if (s->wbio != NULL && s->wbio != s->rbio) {
+ int free_wbio = s->wbio != s->rbio;
+ BIO_free_all(s->rbio);
+ if (free_wbio) {
BIO_free_all(s->wbio);
}
- if (s->init_buf != NULL) {
- BUF_MEM_free(s->init_buf);
- }
+ BUF_MEM_free(s->init_buf);
/* add extra stuff */
- if (s->cipher_list != NULL) {
- ssl_cipher_preference_list_free(s->cipher_list);
- }
- if (s->cipher_list_by_id != NULL) {
- sk_SSL_CIPHER_free(s->cipher_list_by_id);
- }
+ ssl_cipher_preference_list_free(s->cipher_list);
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
- if (s->session != NULL) {
- ssl_clear_bad_session(s);
- SSL_SESSION_free(s->session);
- }
+ ssl_clear_bad_session(s);
+ SSL_SESSION_free(s->session);
ssl_clear_cipher_ctx(s);
- if (s->cert != NULL) {
- ssl_cert_free(s->cert);
- }
+ ssl_cert_free(s->cert);
- if (s->tlsext_hostname) {
- OPENSSL_free(s->tlsext_hostname);
- }
- if (s->initial_ctx) {
- SSL_CTX_free(s->initial_ctx);
- }
- if (s->tlsext_ecpointformatlist) {
- OPENSSL_free(s->tlsext_ecpointformatlist);
- }
- if (s->tlsext_ellipticcurvelist) {
- OPENSSL_free(s->tlsext_ellipticcurvelist);
- }
- if (s->alpn_client_proto_list) {
- OPENSSL_free(s->alpn_client_proto_list);
- }
- if (s->tlsext_channel_id_private) {
- EVP_PKEY_free(s->tlsext_channel_id_private);
- }
- if (s->psk_identity_hint) {
- OPENSSL_free(s->psk_identity_hint);
- }
- if (s->client_CA != NULL) {
- sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
- }
- if (s->next_proto_negotiated) {
- OPENSSL_free(s->next_proto_negotiated);
- }
- if (s->srtp_profiles) {
- sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
- }
+ OPENSSL_free(s->tlsext_hostname);
+ SSL_CTX_free(s->initial_ctx);
+ OPENSSL_free(s->tlsext_ecpointformatlist);
+ OPENSSL_free(s->tlsext_ellipticcurvelist);
+ OPENSSL_free(s->alpn_client_proto_list);
+ EVP_PKEY_free(s->tlsext_channel_id_private);
+ OPENSSL_free(s->psk_identity_hint);
+ sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);
+ OPENSSL_free(s->next_proto_negotiated);
+ sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
if (s->method != NULL) {
s->method->ssl_free(s);
}
- if (s->ctx) {
- SSL_CTX_free(s->ctx);
- }
+ SSL_CTX_free(s->ctx);
OPENSSL_free(s);
}
@@ -654,10 +590,10 @@
}
}
- if (s->rbio != NULL && s->rbio != rbio) {
+ if (s->rbio != rbio) {
BIO_free_all(s->rbio);
}
- if (s->wbio != NULL && s->wbio != wbio && s->rbio != s->wbio) {
+ if (s->wbio != wbio && s->rbio != s->wbio) {
BIO_free_all(s->wbio);
}
s->rbio = rbio;
@@ -822,10 +758,14 @@
X509_VERIFY_PARAM_set_depth(s->param, depth);
}
-void SSL_set_read_ahead(SSL *s, int yes) { s->read_ahead = yes; }
+int SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return ctx->read_ahead; }
int SSL_get_read_ahead(const SSL *s) { return s->read_ahead; }
+void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { ctx->read_ahead = !!yes; }
+
+void SSL_set_read_ahead(SSL *s, int yes) { s->read_ahead = !!yes; }
+
int SSL_pending(const SSL *s) {
/* SSL_pending cannot work properly if read-ahead is enabled
* (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), and it is
@@ -851,8 +791,8 @@
return X509_up_ref(r);
}
-STACK_OF(X509) * SSL_get_peer_cert_chain(const SSL *s) {
- STACK_OF(X509) * r;
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) {
+ STACK_OF(X509) *r;
if (s == NULL || s->session == NULL || s->session->sess_cert == NULL) {
r = NULL;
@@ -919,7 +859,7 @@
}
if (s->handshake_func != s->method->ssl_accept) {
- OPENSSL_PUT_ERROR(SSL, SSL_connect, ERR_R_INTERNAL_ERROR);
+ OPENSSL_PUT_ERROR(SSL, SSL_accept, ERR_R_INTERNAL_ERROR);
return -1;
}
@@ -1005,6 +945,12 @@
}
int SSL_renegotiate(SSL *s) {
+ if (SSL_IS_DTLS(s)) {
+ /* Renegotiation is not supported for DTLS. */
+ OPENSSL_PUT_ERROR(SSL, SSL_renegotiate, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
if (s->renegotiate == 0) {
s->renegotiate = 1;
}
@@ -1013,236 +959,146 @@
return s->method->ssl_renegotiate(s);
}
-int SSL_renegotiate_abbreviated(SSL *s) {
- if (s->renegotiate == 0) {
- s->renegotiate = 1;
- }
-
- s->new_session = 0;
- return s->method->ssl_renegotiate(s);
-}
-
int SSL_renegotiate_pending(SSL *s) {
/* becomes true when negotiation is requested; false again once a handshake
* has finished */
return s->renegotiate != 0;
}
-long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) {
- long l;
-
- switch (cmd) {
- case SSL_CTRL_GET_READ_AHEAD:
- return s->read_ahead;
-
- case SSL_CTRL_SET_READ_AHEAD:
- l = s->read_ahead;
- s->read_ahead = larg;
- return l;
-
- case SSL_CTRL_SET_MSG_CALLBACK_ARG:
- s->msg_callback_arg = parg;
- return 1;
-
- case SSL_CTRL_OPTIONS:
- return s->options |= larg;
-
- case SSL_CTRL_CLEAR_OPTIONS:
- return s->options &= ~larg;
-
- case SSL_CTRL_MODE:
- return s->mode |= larg;
-
- case SSL_CTRL_CLEAR_MODE:
- return s->mode &= ~larg;
-
- case SSL_CTRL_GET_MAX_CERT_LIST:
- return s->max_cert_list;
-
- case SSL_CTRL_SET_MAX_CERT_LIST:
- l = s->max_cert_list;
- s->max_cert_list = larg;
- return l;
-
- case SSL_CTRL_SET_MTU:
- if (larg < (long)dtls1_min_mtu()) {
- return 0;
- }
- if (SSL_IS_DTLS(s)) {
- s->d1->mtu = larg;
- return larg;
- }
- return 0;
-
- case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
- if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) {
- return 0;
- }
- s->max_send_fragment = larg;
- return 1;
-
- case SSL_CTRL_GET_RI_SUPPORT:
- if (s->s3) {
- return s->s3->send_connection_binding;
- }
- return 0;
-
- case SSL_CTRL_CERT_FLAGS:
- return s->cert->cert_flags |= larg;
-
- case SSL_CTRL_CLEAR_CERT_FLAGS:
- return s->cert->cert_flags &= ~larg;
-
- case SSL_CTRL_GET_RAW_CIPHERLIST:
- if (parg) {
- if (s->cert->ciphers_raw == NULL) {
- return 0;
- }
- *(uint8_t **)parg = s->cert->ciphers_raw;
- return (int)s->cert->ciphers_rawlen;
- }
-
- /* Passing a NULL |parg| returns the size of a single
- * cipher suite value. */
- return 2;
-
- default:
- return s->method->ssl_ctrl(s, cmd, larg, parg);
- }
+uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {
+ ctx->options |= options;
+ return ctx->options;
}
-long SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) {
- switch (cmd) {
- case SSL_CTRL_SET_MSG_CALLBACK:
- s->msg_callback =
- (void (*)(int write_p, int version, int content_type, const void *buf,
- size_t len, SSL *ssl, void *arg))(fp);
- return 1;
+uint32_t SSL_set_options(SSL *ssl, uint32_t options) {
+ ssl->options |= options;
+ return ssl->options;
+}
- default:
- return s->method->ssl_callback_ctrl(s, cmd, fp);
+uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options) {
+ ctx->options &= ~options;
+ return ctx->options;
+}
+
+uint32_t SSL_clear_options(SSL *ssl, uint32_t options) {
+ ssl->options &= ~options;
+ return ssl->options;
+}
+
+uint32_t SSL_CTX_get_options(const SSL_CTX *ctx) { return ctx->options; }
+
+uint32_t SSL_get_options(const SSL *ssl) { return ssl->options; }
+
+uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode) {
+ ctx->mode |= mode;
+ return ctx->mode;
+}
+
+uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) {
+ ssl->mode |= mode;
+ return ssl->mode;
+}
+
+uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode) {
+ ctx->mode &= ~mode;
+ return ctx->mode;
+}
+
+uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {
+ ssl->mode &= ~mode;
+ return ssl->mode;
+}
+
+uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx) { return ctx->mode; }
+
+uint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }
+
+size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx) {
+ return ctx->max_cert_list;
+}
+
+void SSL_CTX_set_max_cert_list(SSL_CTX *ctx, size_t max_cert_list) {
+ if (max_cert_list > kMaxHandshakeSize) {
+ max_cert_list = kMaxHandshakeSize;
}
+ ctx->max_cert_list = (uint32_t)max_cert_list;
+}
+
+size_t SSL_get_max_cert_list(const SSL *ssl) {
+ return ssl->max_cert_list;
+}
+
+void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {
+ if (max_cert_list > kMaxHandshakeSize) {
+ max_cert_list = kMaxHandshakeSize;
+ }
+ ssl->max_cert_list = (uint32_t)max_cert_list;
+}
+
+void SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {
+ if (max_send_fragment < 512) {
+ max_send_fragment = 512;
+ }
+ if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
+ max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
+ }
+ ctx->max_send_fragment = (uint16_t)max_send_fragment;
+}
+
+void SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {
+ if (max_send_fragment < 512) {
+ max_send_fragment = 512;
+ }
+ if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
+ max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
+ }
+ ssl->max_send_fragment = (uint16_t)max_send_fragment;
+}
+
+int SSL_set_mtu(SSL *ssl, unsigned mtu) {
+ if (!SSL_IS_DTLS(ssl) || mtu < dtls1_min_mtu()) {
+ return 0;
+ }
+ ssl->d1->mtu = mtu;
+ return 1;
+}
+
+int SSL_get_secure_renegotiation_support(const SSL *ssl) {
+ return ssl->s3->send_connection_binding;
+}
+
+long SSL_ctrl(SSL *s, int cmd, long larg, void *parg) {
+ return s->method->ssl_ctrl(s, cmd, larg, parg);
}
LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) { return ctx->sessions; }
-long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
- long l;
-
- switch (cmd) {
- case SSL_CTRL_GET_READ_AHEAD:
- return ctx->read_ahead;
-
- case SSL_CTRL_SET_READ_AHEAD:
- l = ctx->read_ahead;
- ctx->read_ahead = larg;
- return l;
-
- case SSL_CTRL_SET_MSG_CALLBACK_ARG:
- ctx->msg_callback_arg = parg;
- return 1;
-
- case SSL_CTRL_GET_MAX_CERT_LIST:
- return ctx->max_cert_list;
-
- case SSL_CTRL_SET_MAX_CERT_LIST:
- l = ctx->max_cert_list;
- ctx->max_cert_list = larg;
- return l;
-
- case SSL_CTRL_SET_SESS_CACHE_SIZE:
- l = ctx->session_cache_size;
- ctx->session_cache_size = larg;
- return l;
-
- case SSL_CTRL_GET_SESS_CACHE_SIZE:
- return ctx->session_cache_size;
-
- case SSL_CTRL_SET_SESS_CACHE_MODE:
- l = ctx->session_cache_mode;
- ctx->session_cache_mode = larg;
- return l;
-
- case SSL_CTRL_GET_SESS_CACHE_MODE:
- return ctx->session_cache_mode;
-
- case SSL_CTRL_SESS_NUMBER:
- return lh_SSL_SESSION_num_items(ctx->sessions);
-
- case SSL_CTRL_SESS_CONNECT:
- return ctx->stats.sess_connect;
-
- case SSL_CTRL_SESS_CONNECT_GOOD:
- return ctx->stats.sess_connect_good;
-
- case SSL_CTRL_SESS_CONNECT_RENEGOTIATE:
- return ctx->stats.sess_connect_renegotiate;
-
- case SSL_CTRL_SESS_ACCEPT:
- return ctx->stats.sess_accept;
-
- case SSL_CTRL_SESS_ACCEPT_GOOD:
- return ctx->stats.sess_accept_good;
-
- case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE:
- return ctx->stats.sess_accept_renegotiate;
-
- case SSL_CTRL_SESS_HIT:
- return ctx->stats.sess_hit;
-
- case SSL_CTRL_SESS_CB_HIT:
- return ctx->stats.sess_cb_hit;
-
- case SSL_CTRL_SESS_MISSES:
- return ctx->stats.sess_miss;
-
- case SSL_CTRL_SESS_TIMEOUTS:
- return ctx->stats.sess_timeout;
-
- case SSL_CTRL_SESS_CACHE_FULL:
- return ctx->stats.sess_cache_full;
-
- case SSL_CTRL_OPTIONS:
- return ctx->options |= larg;
-
- case SSL_CTRL_CLEAR_OPTIONS:
- return ctx->options &= ~larg;
-
- case SSL_CTRL_MODE:
- return ctx->mode |= larg;
-
- case SSL_CTRL_CLEAR_MODE:
- return ctx->mode &= ~larg;
-
- case SSL_CTRL_SET_MAX_SEND_FRAGMENT:
- if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) {
- return 0;
- }
- ctx->max_send_fragment = larg;
- return 1;
-
- case SSL_CTRL_CERT_FLAGS:
- return ctx->cert->cert_flags |= larg;
-
- case SSL_CTRL_CLEAR_CERT_FLAGS:
- return ctx->cert->cert_flags &= ~larg;
-
- default:
- return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg);
- }
+size_t SSL_CTX_sess_number(const SSL_CTX *ctx) {
+ return lh_SSL_SESSION_num_items(ctx->sessions);
}
-long SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) {
- switch (cmd) {
- case SSL_CTRL_SET_MSG_CALLBACK:
- ctx->msg_callback =
- (void (*)(int write_p, int version, int content_type, const void *buf,
- size_t len, SSL *ssl, void *arg))(fp);
- return 1;
+unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size) {
+ unsigned long ret = ctx->session_cache_size;
+ ctx->session_cache_size = size;
+ return ret;
+}
- default:
- return ctx->method->ssl_ctx_callback_ctrl(ctx, cmd, fp);
- }
+unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx) {
+ return ctx->session_cache_size;
+}
+
+int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode) {
+ int ret = ctx->session_cache_mode;
+ ctx->session_cache_mode = mode;
+ return ret;
+}
+
+int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx) {
+ return ctx->session_cache_mode;
+}
+
+long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
+ return ctx->method->ssl_ctx_ctrl(ctx, cmd, larg, parg);
}
int ssl_cipher_id_cmp(const void *in_a, const void *in_b) {
@@ -1275,7 +1131,7 @@
/* return a STACK of the ciphers available for the SSL and in order of
* preference */
-STACK_OF(SSL_CIPHER) * SSL_get_ciphers(const SSL *s) {
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s) {
if (s == NULL) {
return NULL;
}
@@ -1298,7 +1154,7 @@
/* return a STACK of the ciphers available for the SSL and in order of
* algorithm id */
-STACK_OF(SSL_CIPHER) * ssl_get_ciphers_by_id(SSL *s) {
+STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s) {
if (s == NULL) {
return NULL;
}
@@ -1317,7 +1173,7 @@
/* The old interface to get the same thing as SSL_get_ciphers() */
const char *SSL_get_cipher_list(const SSL *s, int n) {
const SSL_CIPHER *c;
- STACK_OF(SSL_CIPHER) * sk;
+ STACK_OF(SSL_CIPHER) *sk;
if (s == NULL) {
return NULL;
@@ -1341,7 +1197,7 @@
STACK_OF(SSL_CIPHER) *sk;
sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list,
- &ctx->cipher_list_by_id, str, ctx->cert);
+ &ctx->cipher_list_by_id, str);
/* ssl_create_cipher_list may return an empty stack if it was unable to find
* a cipher matching the given rule string (for example if the rule string
* specifies a cipher which has been disabled). This is not an error as far
@@ -1360,8 +1216,7 @@
int SSL_CTX_set_cipher_list_tls11(SSL_CTX *ctx, const char *str) {
STACK_OF(SSL_CIPHER) *sk;
- sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list_tls11, NULL, str,
- ctx->cert);
+ sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list_tls11, NULL, str);
if (sk == NULL) {
return 0;
} else if (sk_SSL_CIPHER_num(sk) == 0) {
@@ -1378,7 +1233,7 @@
STACK_OF(SSL_CIPHER) *sk;
sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list,
- &s->cipher_list_by_id, str, s->cert);
+ &s->cipher_list_by_id, str);
/* see comment in SSL_CTX_set_cipher_list */
if (sk == NULL) {
@@ -1435,7 +1290,7 @@
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, const CBS *cbs) {
CBS cipher_suites = *cbs;
const SSL_CIPHER *c;
- STACK_OF(SSL_CIPHER) * sk;
+ STACK_OF(SSL_CIPHER) *sk;
if (s->s3) {
s->s3->send_connection_binding = 0;
@@ -1453,12 +1308,6 @@
goto err;
}
- if (!CBS_stow(&cipher_suites, &s->cert->ciphers_raw,
- &s->cert->ciphers_rawlen)) {
- OPENSSL_PUT_ERROR(SSL, ssl_bytes_to_cipher_list, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
while (CBS_len(&cipher_suites) > 0) {
uint16_t cipher_suite;
@@ -1503,9 +1352,7 @@
return sk;
err:
- if (sk != NULL) {
- sk_SSL_CIPHER_free(sk);
- }
+ sk_SSL_CIPHER_free(sk);
return NULL;
}
@@ -1691,17 +1538,9 @@
ctx->next_proto_select_cb_arg = arg;
}
-/* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
- * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
- * length-prefixed strings).
- *
- * Returns 0 on success. */
int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,
unsigned protos_len) {
- if (ctx->alpn_client_proto_list) {
- OPENSSL_free(ctx->alpn_client_proto_list);
- }
-
+ OPENSSL_free(ctx->alpn_client_proto_list);
ctx->alpn_client_proto_list = BUF_memdup(protos, protos_len);
if (!ctx->alpn_client_proto_list) {
return 1;
@@ -1711,16 +1550,8 @@
return 0;
}
-/* SSL_set_alpn_protos sets the ALPN protocol list on |ssl| to |protos|.
- * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
- * length-prefixed strings).
- *
- * Returns 0 on success. */
int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, unsigned protos_len) {
- if (ssl->alpn_client_proto_list) {
- OPENSSL_free(ssl->alpn_client_proto_list);
- }
-
+ OPENSSL_free(ssl->alpn_client_proto_list);
ssl->alpn_client_proto_list = BUF_memdup(protos, protos_len);
if (!ssl->alpn_client_proto_list) {
return 1;
@@ -1759,15 +1590,16 @@
}
}
-int SSL_export_keying_material(SSL *s, uint8_t *out, size_t olen,
- const char *label, size_t llen, const uint8_t *p,
- size_t plen, int use_context) {
+int SSL_export_keying_material(SSL *s, uint8_t *out, size_t out_len,
+ const char *label, size_t label_len,
+ const uint8_t *context, size_t context_len,
+ int use_context) {
if (s->version < TLS1_VERSION) {
- return -1;
+ return 0;
}
- return s->enc_method->export_keying_material(s, out, olen, label, llen, p,
- plen, use_context);
+ return s->enc_method->export_keying_material(
+ s, out, out_len, label, label_len, context, context_len, use_context);
}
static uint32_t ssl_session_hash(const SSL_SESSION *a) {
@@ -1833,8 +1665,6 @@
ret->get_session_cb = 0;
ret->generate_session_id = 0;
- memset((char *)&ret->stats, 0, sizeof(ret->stats));
-
ret->references = 1;
ret->quiet_shutdown = 0;
@@ -1858,8 +1688,6 @@
ret->default_passwd_callback = 0;
ret->default_passwd_callback_userdata = NULL;
ret->client_cert_cb = 0;
- ret->app_gen_cookie_cb = 0;
- ret->app_verify_cookie_cb = 0;
ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
if (ret->sessions == NULL) {
@@ -1871,8 +1699,7 @@
}
ssl_create_cipher_list(ret->method, &ret->cipher_list,
- &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST,
- ret->cert);
+ &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST);
if (ret->cipher_list == NULL ||
sk_SSL_CIPHER_num(ret->cipher_list->ciphers) <= 0) {
OPENSSL_PUT_ERROR(SSL, SSL_CTX_new, SSL_R_LIBRARY_HAS_NO_CIPHERS);
@@ -1889,7 +1716,7 @@
goto err;
}
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
+ CRYPTO_new_ex_data(&g_ex_data_class_ssl_ctx, ret, &ret->ex_data);
ret->extra_certs = NULL;
@@ -1904,9 +1731,6 @@
ret->options |= SSL_OP_NO_TICKET;
}
- ret->tlsext_status_cb = 0;
- ret->tlsext_status_arg = NULL;
-
ret->next_protos_advertised_cb = 0;
ret->next_proto_select_cb = 0;
ret->psk_identity_hint = NULL;
@@ -1929,27 +1753,17 @@
err:
OPENSSL_PUT_ERROR(SSL, SSL_CTX_new, ERR_R_MALLOC_FAILURE);
err2:
- if (ret != NULL) {
- SSL_CTX_free(ret);
- }
+ SSL_CTX_free(ret);
return NULL;
}
-void SSL_CTX_free(SSL_CTX *a) {
- int i;
-
- if (a == NULL) {
+void SSL_CTX_free(SSL_CTX *ctx) {
+ if (ctx == NULL ||
+ CRYPTO_add(&ctx->references, -1, CRYPTO_LOCK_SSL_CTX) > 0) {
return;
}
- i = CRYPTO_add(&a->references, -1, CRYPTO_LOCK_SSL_CTX);
- if (i > 0) {
- return;
- }
-
- if (a->param) {
- X509_VERIFY_PARAM_free(a->param);
- }
+ X509_VERIFY_PARAM_free(ctx->param);
/* Free internal session cache. However: the remove_cb() may reference the
* ex_data of SSL_CTX, thus the ex_data store can only be removed after the
@@ -1957,59 +1771,27 @@
* the session cache, the most secure solution seems to be: empty (flush) the
* cache, then free ex_data, then finally free the cache. (See ticket
* [openssl.org #212].) */
- if (a->sessions != NULL) {
- SSL_CTX_flush_sessions(a, 0);
- }
+ SSL_CTX_flush_sessions(ctx, 0);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, a, &a->ex_data);
+ CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data);
- if (a->sessions != NULL) {
- lh_SSL_SESSION_free(a->sessions);
- }
- if (a->cert_store != NULL) {
- X509_STORE_free(a->cert_store);
- }
- if (a->cipher_list != NULL) {
- ssl_cipher_preference_list_free(a->cipher_list);
- }
- if (a->cipher_list_by_id != NULL) {
- sk_SSL_CIPHER_free(a->cipher_list_by_id);
- }
- if (a->cipher_list_tls11 != NULL) {
- ssl_cipher_preference_list_free(a->cipher_list_tls11);
- }
- if (a->cert != NULL) {
- ssl_cert_free(a->cert);
- }
- if (a->client_CA != NULL) {
- sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free);
- }
- if (a->extra_certs != NULL) {
- sk_X509_pop_free(a->extra_certs, X509_free);
- }
- if (a->srtp_profiles) {
- sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
- }
- if (a->psk_identity_hint) {
- OPENSSL_free(a->psk_identity_hint);
- }
- if (a->tlsext_ecpointformatlist) {
- OPENSSL_free(a->tlsext_ecpointformatlist);
- }
- if (a->tlsext_ellipticcurvelist) {
- OPENSSL_free(a->tlsext_ellipticcurvelist);
- }
- if (a->alpn_client_proto_list != NULL) {
- OPENSSL_free(a->alpn_client_proto_list);
- }
- if (a->tlsext_channel_id_private) {
- EVP_PKEY_free(a->tlsext_channel_id_private);
- }
- if (a->keylog_bio) {
- BIO_free(a->keylog_bio);
- }
+ lh_SSL_SESSION_free(ctx->sessions);
+ X509_STORE_free(ctx->cert_store);
+ ssl_cipher_preference_list_free(ctx->cipher_list);
+ sk_SSL_CIPHER_free(ctx->cipher_list_by_id);
+ ssl_cipher_preference_list_free(ctx->cipher_list_tls11);
+ ssl_cert_free(ctx->cert);
+ sk_X509_NAME_pop_free(ctx->client_CA, X509_NAME_free);
+ sk_X509_pop_free(ctx->extra_certs, X509_free);
+ sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles);
+ OPENSSL_free(ctx->psk_identity_hint);
+ OPENSSL_free(ctx->tlsext_ecpointformatlist);
+ OPENSSL_free(ctx->tlsext_ellipticcurvelist);
+ OPENSSL_free(ctx->alpn_client_proto_list);
+ EVP_PKEY_free(ctx->tlsext_channel_id_private);
+ BIO_free(ctx->keylog_bio);
- OPENSSL_free(a);
+ OPENSSL_free(ctx);
}
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) {
@@ -2051,13 +1833,12 @@
return cpk->x509 && cpk->privatekey;
}
-void ssl_get_compatible_server_ciphers(SSL *s, unsigned long *out_mask_k,
- unsigned long *out_mask_a) {
+void ssl_get_compatible_server_ciphers(SSL *s, uint32_t *out_mask_k,
+ uint32_t *out_mask_a) {
CERT *c = s->cert;
int rsa_enc, rsa_sign, dh_tmp;
- unsigned long mask_k, mask_a;
+ uint32_t mask_k, mask_a;
int have_ecc_cert, ecdsa_ok;
- int have_ecdh_tmp;
X509 *x;
if (c == NULL) {
@@ -2069,7 +1850,6 @@
dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
- have_ecdh_tmp = (c->ecdh_tmp || c->ecdh_tmp_cb || c->ecdh_tmp_auto);
rsa_enc = ssl_has_key(s, SSL_PKEY_RSA_ENC);
rsa_sign = ssl_has_key(s, SSL_PKEY_RSA_SIGN);
have_ecc_cert = ssl_has_key(s, SSL_PKEY_ECC);
@@ -2080,14 +1860,12 @@
mask_k |= SSL_kRSA;
}
if (dh_tmp) {
- mask_k |= SSL_kEDH;
+ mask_k |= SSL_kDHE;
}
if (rsa_enc || rsa_sign) {
mask_a |= SSL_aRSA;
}
- mask_a |= SSL_aNULL;
-
/* An ECC certificate may be usable for ECDSA cipher suites depending on the
* key usage extension and on the client's curve preferences. */
if (have_ecc_cert) {
@@ -2107,8 +1885,8 @@
/* If we are considering an ECC cipher suite that uses an ephemeral EC
* key, check it. */
- if (have_ecdh_tmp && tls1_check_ec_tmp_key(s)) {
- mask_k |= SSL_kEECDH;
+ if (tls1_check_ec_tmp_key(s)) {
+ mask_k |= SSL_kECDHE;
}
/* PSK requires a server callback. */
@@ -2126,11 +1904,9 @@
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) {
- unsigned long alg_a;
- int signature_nid = 0, md_nid = 0, pk_nid = 0;
const SSL_CIPHER *cs = s->s3->tmp.new_cipher;
-
- alg_a = cs->algorithm_auth;
+ uint32_t alg_a = cs->algorithm_auth;
+ int signature_nid = 0, md_nid = 0, pk_nid = 0;
/* This call populates the ex_flags field correctly */
X509_check_purpose(x, -1, 0);
@@ -2175,13 +1951,10 @@
}
EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher) {
- unsigned long alg_a;
- CERT *c;
+ uint32_t alg_a = cipher->algorithm_auth;
+ CERT *c = s->cert;
int idx = -1;
- alg_a = cipher->algorithm_auth;
- c = s->cert;
-
if (alg_a & SSL_aRSA) {
if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) {
idx = SSL_PKEY_RSA_SIGN;
@@ -2202,56 +1975,62 @@
}
void ssl_update_cache(SSL *s, int mode) {
- int i;
-
- /* If the session_id_length is 0, we are not supposed to cache it, and it
- * would be rather hard to do anyway :-) */
+ /* Never cache sessions with empty session IDs. */
if (s->session->session_id_length == 0) {
return;
}
- i = s->initial_ctx->session_cache_mode;
- if ((i & mode) && !s->hit &&
- ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) ||
- SSL_CTX_add_session(s->initial_ctx, s->session)) &&
- s->initial_ctx->new_session_cb != NULL) {
- CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION);
- if (!s->initial_ctx->new_session_cb(s, s->session)) {
+ SSL_CTX *ctx = s->initial_ctx;
+ if ((ctx->session_cache_mode & mode) == mode && !s->hit &&
+ ((ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) ||
+ SSL_CTX_add_session(ctx, s->session)) &&
+ ctx->new_session_cb != NULL) {
+ /* Note: |new_session_cb| is called whether the internal session cache is
+ * used or not. */
+ if (!ctx->new_session_cb(s, SSL_SESSION_up_ref(s->session))) {
SSL_SESSION_free(s->session);
}
}
- /* auto flush every 255 connections */
- if ((!(i & SSL_SESS_CACHE_NO_AUTO_CLEAR)) && ((i & mode) == mode)) {
- if ((((mode & SSL_SESS_CACHE_CLIENT)
- ? s->initial_ctx->stats.sess_connect_good
- : s->initial_ctx->stats.sess_accept_good) &
- 0xff) == 0xff) {
- SSL_CTX_flush_sessions(s->initial_ctx, (unsigned long)time(NULL));
+ if (!(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR) &&
+ !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) &&
+ (ctx->session_cache_mode & mode) == mode) {
+ /* Automatically flush the internal session cache every 255 connections. */
+ int flush_cache = 0;
+ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+ ctx->handshakes_since_cache_flush++;
+ if (ctx->handshakes_since_cache_flush >= 255) {
+ flush_cache = 1;
+ ctx->handshakes_since_cache_flush = 0;
+ }
+ CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+
+ if (flush_cache) {
+ SSL_CTX_flush_sessions(ctx, (unsigned long)time(NULL));
}
}
}
-int SSL_get_error(const SSL *s, int i) {
+int SSL_get_error(const SSL *s, int ret_code) {
int reason;
- unsigned long l;
+ uint32_t err;
BIO *bio;
- if (i > 0) {
+ if (ret_code > 0) {
return SSL_ERROR_NONE;
}
/* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
* where we do encode the error */
- l = ERR_peek_error();
- if (l != 0) {
- if (ERR_GET_LIB(l) == ERR_LIB_SYS) {
+ err = ERR_peek_error();
+ if (err != 0) {
+ if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
return SSL_ERROR_SYSCALL;
}
return SSL_ERROR_SSL;
}
- if (i == 0) {
+ if (ret_code == 0) {
if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
(s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) {
/* The socket was cleanly shut down with a close_notify. */
@@ -2371,24 +2150,6 @@
ssl_clear_cipher_ctx(s);
}
-int ssl_undefined_function(SSL *s) {
- OPENSSL_PUT_ERROR(SSL, ssl_undefined_function,
- ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return 0;
-}
-
-int ssl_undefined_void_function(void) {
- OPENSSL_PUT_ERROR(SSL, ssl_undefined_void_function,
- ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return 0;
-}
-
-int ssl_undefined_const_function(const SSL *s) {
- OPENSSL_PUT_ERROR(SSL, ssl_undefined_const_function,
- ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
- return 0;
-}
-
static const char *ssl_get_version(int version) {
switch (version) {
case TLS1_2_VERSION:
@@ -2403,6 +2164,12 @@
case SSL3_VERSION:
return "SSLv3";
+ case DTLS1_VERSION:
+ return "DTLSv1";
+
+ case DTLS1_2_VERSION:
+ return "DTLSv1.2";
+
default:
return "unknown";
}
@@ -2552,15 +2319,11 @@
ctx = ssl->initial_ctx;
}
- if (ssl->cert != NULL) {
- ssl_cert_free(ssl->cert);
- }
-
+ ssl_cert_free(ssl->cert);
ssl->cert = ssl_cert_dup(ctx->cert);
+
CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
- if (ssl->ctx != NULL) {
- SSL_CTX_free(ssl->ctx); /* decrement reference count */
- }
+ SSL_CTX_free(ssl->ctx); /* decrement reference count */
ssl->ctx = ctx;
ssl->sid_ctx_length = ctx->sid_ctx_length;
@@ -2599,8 +2362,12 @@
int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) {
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, argl, argp, new_func,
- dup_func, free_func);
+ int index;
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp,
+ new_func, dup_func, free_func)) {
+ return -1;
+ }
+ return index;
}
int SSL_set_ex_data(SSL *s, int idx, void *arg) {
@@ -2614,8 +2381,12 @@
int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func,
CRYPTO_EX_free *free_func) {
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, argl, argp, new_func,
- dup_func, free_func);
+ int index;
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp,
+ new_func, dup_func, free_func)) {
+ return -1;
+ }
+ return index;
}
int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) {
@@ -2633,9 +2404,7 @@
}
void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) {
- if (ctx->cert_store != NULL) {
- X509_STORE_free(ctx->cert_store);
- }
+ X509_STORE_free(ctx->cert_store);
ctx->cert_store = store;
}
@@ -2644,35 +2413,33 @@
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
RSA *(*cb)(SSL *ssl, int is_export,
int keylength)) {
- SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb);
}
void SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,
int keylength)) {
- SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_RSA_CB, (void (*)(void))cb);
}
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
- DH *(*dh)(SSL *ssl, int is_export,
- int keylength)) {
- SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
+ DH *(*callback)(SSL *ssl, int is_export,
+ int keylength)) {
+ ctx->cert->dh_tmp_cb = callback;
}
-void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*dh)(SSL *ssl, int is_export,
- int keylength)) {
- SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_DH_CB, (void (*)(void))dh);
+void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*callback)(SSL *ssl, int is_export,
+ int keylength)) {
+ ssl->cert->dh_tmp_cb = callback;
}
void SSL_CTX_set_tmp_ecdh_callback(SSL_CTX *ctx,
- EC_KEY *(*ecdh)(SSL *ssl, int is_export,
- int keylength)) {
- SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH_CB, (void (*)(void))ecdh);
+ EC_KEY *(*callback)(SSL *ssl, int is_export,
+ int keylength)) {
+ ctx->cert->ecdh_tmp_cb = callback;
}
void SSL_set_tmp_ecdh_callback(SSL *ssl,
- EC_KEY *(*ecdh)(SSL *ssl, int is_export,
- int keylength)) {
- SSL_callback_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH_CB, (void (*)(void))ecdh);
+ EC_KEY *(*callback)(SSL *ssl, int is_export,
+ int keylength)) {
+ ssl->cert->ecdh_tmp_cb = callback;
}
int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {
@@ -2682,9 +2449,7 @@
return 0;
}
- if (ctx->psk_identity_hint != NULL) {
- OPENSSL_free(ctx->psk_identity_hint);
- }
+ OPENSSL_free(ctx->psk_identity_hint);
if (identity_hint != NULL) {
ctx->psk_identity_hint = BUF_strdup(identity_hint);
@@ -2710,10 +2475,8 @@
}
/* Clear currently configured hint, if any. */
- if (s->psk_identity_hint != NULL) {
- OPENSSL_free(s->psk_identity_hint);
- s->psk_identity_hint = NULL;
- }
+ OPENSSL_free(s->psk_identity_hint);
+ s->psk_identity_hint = NULL;
if (identity_hint != NULL) {
s->psk_identity_hint = BUF_strdup(identity_hint);
@@ -2786,19 +2549,26 @@
void (*cb)(int write_p, int version,
int content_type, const void *buf,
size_t len, SSL *ssl, void *arg)) {
- SSL_CTX_callback_ctrl(ctx, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
+ ctx->msg_callback = cb;
}
+
+void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg) {
+ ctx->msg_callback_arg = arg;
+}
+
void SSL_set_msg_callback(SSL *ssl,
void (*cb)(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl,
void *arg)) {
- SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb);
+ ssl->msg_callback = cb;
+}
+
+void SSL_set_msg_callback_arg(SSL *ssl, void *arg) {
+ ssl->msg_callback_arg = arg;
}
void SSL_CTX_set_keylog_bio(SSL_CTX *ctx, BIO *keylog_bio) {
- if (ctx->keylog_bio != NULL) {
- BIO_free(ctx->keylog_bio);
- }
+ BIO_free(ctx->keylog_bio);
ctx->keylog_bio = keylog_bio;
}
@@ -2904,19 +2674,12 @@
return ret;
}
+int SSL_in_false_start(const SSL *s) {
+ return s->s3->tmp.in_false_start;
+}
+
int SSL_cutthrough_complete(const SSL *s) {
- return (
- !s->server && /* cutthrough only applies to clients */
- !s->hit && /* full-handshake */
- s->version >= SSL3_VERSION &&
- s->s3->in_read_app_data == 0 && /* cutthrough only applies to write() */
- (SSL_get_mode((SSL *)s) &
- SSL_MODE_HANDSHAKE_CUTTHROUGH) && /* cutthrough enabled */
- ssl3_can_cutthrough(s) && /* cutthrough allowed */
- s->s3->previous_server_finished_len ==
- 0 && /* not a renegotiation handshake */
- (s->state == SSL3_ST_CR_SESSION_TICKET_A || /* ready to write app-data*/
- s->state == SSL3_ST_CR_CHANGE || s->state == SSL3_ST_CR_FINISHED_A));
+ return SSL_in_false_start(s);
}
void SSL_get_structure_sizes(size_t *ssl_size, size_t *ssl_ctx_size,
@@ -2926,27 +2689,18 @@
*ssl_session_size = sizeof(SSL_SESSION);
}
-int ssl3_can_cutthrough(const SSL *s) {
- const SSL_CIPHER *c;
+int ssl3_can_false_start(const SSL *s) {
+ const SSL_CIPHER *const cipher = SSL_get_current_cipher(s);
- /* require a strong enough cipher */
- if (SSL_get_cipher_bits(s, NULL) < 128) {
- return 0;
- }
-
- /* require ALPN or NPN extension */
- if (!s->s3->alpn_selected && !s->s3->next_proto_neg_seen) {
- return 0;
- }
-
- /* require a forward-secret cipher */
- c = SSL_get_current_cipher(s);
- if (!c ||
- (c->algorithm_mkey != SSL_kEDH && c->algorithm_mkey != SSL_kEECDH)) {
- return 0;
- }
-
- return 1;
+ /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
+ return !SSL_IS_DTLS(s) &&
+ SSL_version(s) >= TLS1_2_VERSION &&
+ (s->s3->alpn_selected || s->s3->next_proto_neg_seen) &&
+ cipher != NULL &&
+ cipher->algorithm_mkey == SSL_kECDHE &&
+ (cipher->algorithm_enc == SSL_AES128GCM ||
+ cipher->algorithm_enc == SSL_AES256GCM ||
+ cipher->algorithm_enc == SSL_CHACHA20POLY1305);
}
const SSL3_ENC_METHOD *ssl3_get_enc_method(uint16_t version) {
@@ -2957,18 +2711,14 @@
case TLS1_VERSION:
return &TLSv1_enc_data;
+ case DTLS1_VERSION:
case TLS1_1_VERSION:
return &TLSv1_1_enc_data;
+ case DTLS1_2_VERSION:
case TLS1_2_VERSION:
return &TLSv1_2_enc_data;
- case DTLS1_VERSION:
- return &DTLSv1_enc_data;
-
- case DTLS1_2_VERSION:
- return &DTLSv1_2_enc_data;
-
default:
return NULL;
}
@@ -3016,7 +2766,7 @@
if (client_version <= DTLS1_2_VERSION && !(s->options & SSL_OP_NO_DTLSv1_2)) {
version = DTLS1_2_VERSION;
} else if (client_version <= DTLS1_VERSION &&
- !(s->options & SSL_OP_NO_DTLSv1)) {
+ !(s->options & SSL_OP_NO_DTLSv1)) {
version = DTLS1_VERSION;
}
@@ -3051,7 +2801,7 @@
}
uint16_t ssl3_get_max_client_version(SSL *s) {
- unsigned long options = s->options;
+ uint32_t options = s->options;
uint16_t version = 0;
/* OpenSSL's API for controlling versions entails blacklisting individual
@@ -3169,6 +2919,41 @@
int SSL_is_server(SSL *s) { return s->server; }
+void SSL_CTX_set_dos_protection_cb(
+ SSL_CTX *ctx, int (*cb)(const struct ssl_early_callback_ctx *)) {
+ ctx->dos_protection_cb = cb;
+}
+
void SSL_enable_fastradio_padding(SSL *s, char on_off) {
s->fastradio_padding = on_off;
}
+
+void SSL_set_reject_peer_renegotiations(SSL *s, int reject) {
+ s->reject_peer_renegotiations = !!reject;
+}
+
+const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
+ return ssl3_get_cipher_by_value(value);
+}
+
+int SSL_get_rc4_state(const SSL *ssl, const RC4_KEY **read_key,
+ const RC4_KEY **write_key) {
+ if (ssl->aead_read_ctx == NULL || ssl->aead_write_ctx == NULL) {
+ return 0;
+ }
+
+ return EVP_AEAD_CTX_get_rc4_state(&ssl->aead_read_ctx->ctx, read_key) &&
+ EVP_AEAD_CTX_get_rc4_state(&ssl->aead_write_ctx->ctx, write_key);
+}
+
+int SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_accept(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_accept_good(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_hits(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_misses(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_timeouts(const SSL_CTX *ctx) { return 0; }
+int SSL_CTX_sess_cache_full(const SSL_CTX *ctx) { return 0; }
diff --git a/src/ssl/ssl_rsa.c b/src/ssl/ssl_rsa.c
index 3d1bc62..87f4c1c 100644
--- a/src/ssl/ssl_rsa.c
+++ b/src/ssl/ssl_rsa.c
@@ -64,7 +64,7 @@
#include <openssl/pem.h>
#include <openssl/x509.h>
-#include "ssl_locl.h"
+#include "internal.h"
static int ssl_set_cert(CERT *c, X509 *x509);
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
@@ -74,10 +74,6 @@
OPENSSL_PUT_ERROR(SSL, SSL_use_certificate, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- if (!ssl_cert_inst(&ssl->cert)) {
- OPENSSL_PUT_ERROR(SSL, SSL_use_certificate, ERR_R_MALLOC_FAILURE);
- return 0;
- }
return ssl_set_cert(ssl->cert, x);
}
@@ -118,12 +114,8 @@
ret = SSL_use_certificate(ssl, x);
end:
- if (x != NULL) {
- X509_free(x);
- }
- if (in != NULL) {
- BIO_free(in);
- }
+ X509_free(x);
+ BIO_free(in);
return ret;
}
@@ -152,11 +144,6 @@
return 0;
}
- if (!ssl_cert_inst(&ssl->cert)) {
- OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
pkey = EVP_PKEY_new();
if (pkey == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_use_RSAPrivateKey, ERR_R_EVP_LIB);
@@ -182,12 +169,6 @@
}
if (c->pkeys[i].x509 != NULL) {
- EVP_PKEY *pktmp;
- pktmp = X509_get_pubkey(c->pkeys[i].x509);
- EVP_PKEY_copy_parameters(pktmp, pkey);
- EVP_PKEY_free(pktmp);
- ERR_clear_error();
-
/* Sanity-check that the private key and the certificate match, unless the
* key is opaque (in case of, say, a smartcard). */
if (!EVP_PKEY_is_opaque(pkey) &&
@@ -198,10 +179,8 @@
}
}
- if (c->pkeys[i].privatekey != NULL) {
- EVP_PKEY_free(c->pkeys[i].privatekey);
- }
- c->pkeys[i].privatekey = EVP_PKEY_dup(pkey);
+ EVP_PKEY_free(c->pkeys[i].privatekey);
+ c->pkeys[i].privatekey = EVP_PKEY_up_ref(pkey);
c->key = &(c->pkeys[i]);
return 1;
@@ -244,9 +223,7 @@
RSA_free(rsa);
end:
- if (in != NULL) {
- BIO_free(in);
- }
+ BIO_free(in);
return ret;
}
@@ -275,11 +252,6 @@
return 0;
}
- if (!ssl_cert_inst(&ssl->cert)) {
- OPENSSL_PUT_ERROR(SSL, SSL_use_PrivateKey, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
ret = ssl_set_pkey(ssl->cert, pkey);
return ret;
}
@@ -320,9 +292,7 @@
EVP_PKEY_free(pkey);
end:
- if (in != NULL) {
- BIO_free(in);
- }
+ BIO_free(in);
return ret;
}
@@ -349,10 +319,6 @@
ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
- if (!ssl_cert_inst(&ctx->cert)) {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_certificate, ERR_R_MALLOC_FAILURE);
- return 0;
- }
return ssl_set_cert(ctx->cert, x);
}
@@ -375,9 +341,6 @@
}
if (c->pkeys[i].privatekey != NULL) {
- EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
- ERR_clear_error();
-
/* Sanity-check that the private key and the certificate match, unless the
* key is opaque (in case of, say, a smartcard). */
if (!EVP_PKEY_is_opaque(c->pkeys[i].privatekey) &&
@@ -394,9 +357,7 @@
EVP_PKEY_free(pkey);
- if (c->pkeys[i].x509 != NULL) {
- X509_free(c->pkeys[i].x509);
- }
+ X509_free(c->pkeys[i].x509);
c->pkeys[i].x509 = X509_up_ref(x);
c->key = &(c->pkeys[i]);
@@ -441,12 +402,8 @@
ret = SSL_CTX_use_certificate(ctx, x);
end:
- if (x != NULL) {
- X509_free(x);
- }
- if (in != NULL) {
- BIO_free(in);
- }
+ X509_free(x);
+ BIO_free(in);
return ret;
}
@@ -475,11 +432,6 @@
return 0;
}
- if (!ssl_cert_inst(&ctx->cert)) {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
pkey = EVP_PKEY_new();
if (pkey == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_RSAPrivateKey, ERR_R_EVP_LIB);
@@ -531,9 +483,7 @@
RSA_free(rsa);
end:
- if (in != NULL) {
- BIO_free(in);
- }
+ BIO_free(in);
return ret;
}
@@ -560,11 +510,6 @@
return 0;
}
- if (!ssl_cert_inst(&ctx->cert)) {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_PrivateKey, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
return ssl_set_pkey(ctx->cert, pkey);
}
@@ -604,9 +549,7 @@
EVP_PKEY_free(pkey);
end:
- if (in != NULL) {
- BIO_free(in);
- }
+ BIO_free(in);
return ret;
}
@@ -668,7 +611,7 @@
* certificates. */
X509 *ca;
int r;
- unsigned long err;
+ uint32_t err;
SSL_CTX_clear_chain_certs(ctx);
@@ -697,11 +640,7 @@
}
end:
- if (x != NULL) {
- X509_free(x);
- }
- if (in != NULL) {
- BIO_free(in);
- }
+ X509_free(x);
+ BIO_free(in);
return ret;
}
diff --git a/src/ssl/ssl_sess.c b/src/ssl/ssl_sess.c
index c5069d8..3eb428f 100644
--- a/src/ssl/ssl_sess.c
+++ b/src/ssl/ssl_sess.c
@@ -134,22 +134,26 @@
* OTHERWISE. */
#include <stdio.h>
+#include <string.h>
-#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/lhash.h>
#include <openssl/mem.h>
#include <openssl/rand.h>
-#include "ssl_locl.h"
+#include "internal.h"
+#include "../crypto/internal.h"
+
/* The address of this is a magic value, a pointer to which is returned by
* SSL_magic_pending_session_ptr(). It allows a session callback to indicate
* that it needs to asynchronously fetch session information. */
static const char g_pending_session_magic = 0;
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
-static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
+static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
SSL_SESSION *SSL_magic_pending_session_ptr(void) {
@@ -164,25 +168,18 @@
SSL_SESSION *SSL_get1_session(SSL *ssl) {
/* variant of SSL_get_session: caller really gets something */
- SSL_SESSION *sess;
- /* Need to lock this all up rather than just use CRYPTO_add so that
- * somebody doesn't free ssl->session between when we check it's
- * non-null and when we up the reference count. */
- CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION);
- sess = ssl->session;
- if (sess) {
- sess->references++;
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION);
-
- return sess;
+ return SSL_SESSION_up_ref(ssl->session);
}
int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
CRYPTO_EX_dup *dup_func,
CRYPTO_EX_free *free_func) {
- return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, argl, argp,
- new_func, dup_func, free_func);
+ int index;
+ if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, new_func,
+ dup_func, free_func)) {
+ return -1;
+ }
+ return index;
}
int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg) {
@@ -207,7 +204,7 @@
ss->references = 1;
ss->timeout = SSL_DEFAULT_SESSION_TIMEOUT;
ss->time = (unsigned long)time(NULL);
- CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
+ CRYPTO_new_ex_data(&g_ex_data_class, ss, &ss->ex_data);
return ss;
}
@@ -275,10 +272,8 @@
ss->timeout = s->initial_ctx->session_timeout;
}
- if (s->session != NULL) {
- SSL_SESSION_free(s->session);
- s->session = NULL;
- }
+ SSL_SESSION_free(s->session);
+ s->session = NULL;
if (session) {
if (s->version == SSL3_VERSION || s->version == TLS1_VERSION ||
@@ -425,15 +420,9 @@
}
memcpy(data.session_id, ctx->session_id, ctx->session_id_len);
CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX);
- ret = lh_SSL_SESSION_retrieve(s->initial_ctx->sessions, &data);
- if (ret != NULL) {
- /* don't allow other threads to steal it: */
- CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
- }
+ ret = SSL_SESSION_up_ref(lh_SSL_SESSION_retrieve(s->initial_ctx->sessions,
+ &data));
CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX);
- if (ret == NULL) {
- s->initial_ctx->stats.sess_miss++;
- }
}
if (try_session_cache && ret == NULL &&
@@ -448,14 +437,13 @@
* unwind the stack and figure out the session asynchronously. */
return PENDING_SESSION;
}
- s->initial_ctx->stats.sess_cb_hit++;
/* Increment reference count now if the session callback asks us to do so
* (note that if the session structures returned by the callback are
* shared between threads, it must handle the reference count itself
* [i.e. copy == 0], or things won't be thread-safe). */
if (copy) {
- CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_SSL_SESSION);
+ SSL_SESSION_up_ref(ret);
}
/* Add the externally cached session to the internal cache as well if and
@@ -499,7 +487,6 @@
if (ret->timeout < (long)(time(NULL) - ret->time)) {
/* timeout */
- s->initial_ctx->stats.sess_timeout++;
if (try_session_cache) {
/* session was from the cache, so remove it */
SSL_CTX_remove_session(s->initial_ctx, ret);
@@ -507,11 +494,7 @@
goto err;
}
- s->initial_ctx->stats.sess_hit++;
-
- if (s->session != NULL) {
- SSL_SESSION_free(s->session);
- }
+ SSL_SESSION_free(s->session);
s->session = ret;
s->verify_result = s->session->verify_result;
return 1;
@@ -538,7 +521,7 @@
/* add just 1 reference count for the SSL_CTX's session cache even though it
* has two ways of access: each session is in a doubly linked list and an
* lhash */
- CRYPTO_add(&c->references, 1, CRYPTO_LOCK_SSL_SESSION);
+ SSL_SESSION_up_ref(c);
/* if session c is in already in cache, we take back the increment later */
CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
@@ -579,7 +562,6 @@
if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) {
break;
}
- ctx->stats.sess_cache_full++;
}
}
}
@@ -623,45 +605,32 @@
return ret;
}
-void SSL_SESSION_free(SSL_SESSION *ss) {
- int i;
+SSL_SESSION *SSL_SESSION_up_ref(SSL_SESSION *session) {
+ if (session) {
+ CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
+ }
+ return session;
+}
- if (ss == NULL) {
+void SSL_SESSION_free(SSL_SESSION *session) {
+ if (session == NULL ||
+ CRYPTO_add(&session->references, -1, CRYPTO_LOCK_SSL_SESSION) > 0) {
return;
}
- i = CRYPTO_add(&ss->references, -1, CRYPTO_LOCK_SSL_SESSION);
- if (i > 0) {
- return;
- }
+ CRYPTO_free_ex_data(&g_ex_data_class, session, &session->ex_data);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data);
-
- OPENSSL_cleanse(ss->master_key, sizeof ss->master_key);
- OPENSSL_cleanse(ss->session_id, sizeof ss->session_id);
- if (ss->sess_cert != NULL) {
- ssl_sess_cert_free(ss->sess_cert);
- }
- if (ss->peer != NULL) {
- X509_free(ss->peer);
- }
- if (ss->tlsext_hostname != NULL) {
- OPENSSL_free(ss->tlsext_hostname);
- }
- if (ss->tlsext_tick != NULL) {
- OPENSSL_free(ss->tlsext_tick);
- }
- if (ss->tlsext_signed_cert_timestamp_list != NULL) {
- OPENSSL_free(ss->tlsext_signed_cert_timestamp_list);
- }
- if (ss->ocsp_response != NULL) {
- OPENSSL_free(ss->ocsp_response);
- }
- if (ss->psk_identity != NULL) {
- OPENSSL_free(ss->psk_identity);
- }
- OPENSSL_cleanse(ss, sizeof(*ss));
- OPENSSL_free(ss);
+ OPENSSL_cleanse(session->master_key, sizeof(session->master_key));
+ OPENSSL_cleanse(session->session_id, sizeof(session->session_id));
+ ssl_sess_cert_free(session->sess_cert);
+ X509_free(session->peer);
+ OPENSSL_free(session->tlsext_hostname);
+ OPENSSL_free(session->tlsext_tick);
+ OPENSSL_free(session->tlsext_signed_cert_timestamp_list);
+ OPENSSL_free(session->ocsp_response);
+ OPENSSL_free(session->psk_identity);
+ OPENSSL_cleanse(session, sizeof(*session));
+ OPENSSL_free(session);
}
int SSL_set_session(SSL *s, SSL_SESSION *session) {
@@ -669,12 +638,10 @@
return 1;
}
- if (s->session != NULL) {
- SSL_SESSION_free(s->session);
- }
+ SSL_SESSION_free(s->session);
s->session = session;
if (session != NULL) {
- CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
+ SSL_SESSION_up_ref(session);
s->verify_result = session->verify_result;
}
@@ -753,7 +720,7 @@
typedef struct timeout_param_st {
SSL_CTX *ctx;
long time;
- LHASH_OF(SSL_SESSION) * cache;
+ LHASH_OF(SSL_SESSION) *cache;
} TIMEOUT_PARAM;
static void timeout_doall_arg(SSL_SESSION *sess, void *void_param) {
@@ -896,18 +863,6 @@
return ctx->client_cert_cb;
}
-void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
- int (*cb)(SSL *ssl, uint8_t *cookie,
- size_t *cookie_len)) {
- ctx->app_gen_cookie_cb = cb;
-}
-
-void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
- int (*cb)(SSL *ssl, const uint8_t *cookie,
- size_t cookie_len)) {
- ctx->app_verify_cookie_cb = cb;
-}
-
void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx,
void (*cb)(SSL *ssl, EVP_PKEY **pkey)) {
ctx->channel_id_cb = cb;
diff --git a/src/ssl/ssl_stat.c b/src/ssl/ssl_stat.c
index 450ed7c..8bed9ad 100644
--- a/src/ssl/ssl_stat.c
+++ b/src/ssl/ssl_stat.c
@@ -83,7 +83,7 @@
*/
#include <stdio.h>
-#include "ssl_locl.h"
+#include "internal.h"
const char *SSL_state_string_long(const SSL *s) {
const char *str;
@@ -382,14 +382,6 @@
str = "DTLS1 read hello verify request B";
break;
- case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
- str = "DTLS1 write hello verify request A";
- break;
-
- case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
- str = "DTLS1 write hello verify request B";
- break;
-
default:
str = "unknown state";
break;
@@ -691,14 +683,6 @@
str = "DRCHVB";
break;
- case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
- str = "DWCHVA";
- break;
-
- case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
- str = "DWCHVB";
- break;
-
default:
str = "UNKWN ";
break;
diff --git a/src/ssl/ssl_test.c b/src/ssl/ssl_test.c
deleted file mode 100644
index 70291a2..0000000
--- a/src/ssl/ssl_test.c
+++ /dev/null
@@ -1,456 +0,0 @@
-/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/base64.h>
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-
-typedef struct {
- int id;
- int in_group_flag;
-} EXPECTED_CIPHER;
-
-typedef struct {
- /* The rule string to apply. */
- const char *rule;
- /* The list of expected ciphers, in order, terminated with -1. */
- const EXPECTED_CIPHER *expected;
-} CIPHER_TEST;
-
-/* Selecting individual ciphers should work. */
-static const char kRule1[] =
- "ECDHE-ECDSA-CHACHA20-POLY1305:"
- "ECDHE-RSA-CHACHA20-POLY1305:"
- "ECDHE-ECDSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES128-GCM-SHA256";
-
-static const EXPECTED_CIPHER kExpected1[] = {
- { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
- { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
- { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
- { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
- { -1, -1 },
-};
-
-/* + reorders selected ciphers to the end, keeping their relative
- * order. */
-static const char kRule2[] =
- "ECDHE-ECDSA-CHACHA20-POLY1305:"
- "ECDHE-RSA-CHACHA20-POLY1305:"
- "ECDHE-ECDSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES128-GCM-SHA256:"
- "+aRSA";
-
-static const EXPECTED_CIPHER kExpected2[] = {
- { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
- { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
- { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
- { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
- { -1, -1 },
-};
-
-/* ! banishes ciphers from future selections. */
-static const char kRule3[] =
- "!aRSA:"
- "ECDHE-ECDSA-CHACHA20-POLY1305:"
- "ECDHE-RSA-CHACHA20-POLY1305:"
- "ECDHE-ECDSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES128-GCM-SHA256";
-
-static const EXPECTED_CIPHER kExpected3[] = {
- { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
- { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
- { -1, -1 },
-};
-
-/* Multiple masks can be ANDed in a single rule. */
-static const char kRule4[] = "kRSA+AESGCM+AES128";
-
-static const EXPECTED_CIPHER kExpected4[] = {
- { TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0 },
- { -1, -1 },
-};
-
-/* - removes selected ciphers, but preserves their order for future
- * selections. Select AES_128_GCM, but order the key exchanges RSA,
- * DHE_RSA, ECDHE_RSA. */
-static const char kRule5[] =
- "ALL:-kEECDH:-kEDH:-kRSA:-ALL:"
- "AESGCM+AES128+aRSA";
-
-static const EXPECTED_CIPHER kExpected5[] = {
- { TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0 },
- { TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
- { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
- { -1, -1 },
-};
-
-/* Unknown selectors are no-ops. */
-static const char kRule6[] =
- "ECDHE-ECDSA-CHACHA20-POLY1305:"
- "ECDHE-RSA-CHACHA20-POLY1305:"
- "ECDHE-ECDSA-AES128-GCM-SHA256:"
- "ECDHE-RSA-AES128-GCM-SHA256:"
- "BOGUS1:-BOGUS2:+BOGUS3:!BOGUS4";
-
-static const EXPECTED_CIPHER kExpected6[] = {
- { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
- { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
- { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
- { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
- { -1, -1 },
-};
-
-/* Square brackets specify equi-preference groups. */
-static const char kRule7[] =
- "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
- "[ECDHE-RSA-CHACHA20-POLY1305]:"
- "ECDHE-RSA-AES128-GCM-SHA256";
-
-static const EXPECTED_CIPHER kExpected7[] = {
- { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1 },
- { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
- { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
- { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
- { -1, -1 },
-};
-
-/* @STRENGTH performs a stable strength-sort of the selected
- * ciphers and only the selected ciphers. */
-static const char kRule8[] =
- /* To simplify things, banish all but {ECDHE_RSA,RSA} x
- * {CHACHA20,AES_256_CBC,AES_128_CBC,RC4} x SHA1. */
- "!kEDH:!AESGCM:!3DES:!SHA256:!MD5:!SHA384:"
- /* Order some ciphers backwards by strength. */
- "ALL:-CHACHA20:-AES256:-AES128:-RC4:-ALL:"
- /* Select ECDHE ones and sort them by strength. Ties should resolve
- * based on the order above. */
- "kEECDH:@STRENGTH:-ALL:"
- /* Now bring back everything uses RSA. ECDHE_RSA should be first,
- * sorted by strength. Then RSA, backwards by strength. */
- "aRSA";
-
-static const EXPECTED_CIPHER kExpected8[] = {
- { TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0 },
- { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
- { TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 0 },
- { TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0 },
- { SSL3_CK_RSA_RC4_128_SHA, 0 },
- { TLS1_CK_RSA_WITH_AES_128_SHA, 0 },
- { TLS1_CK_RSA_WITH_AES_256_SHA, 0 },
- { -1, -1 },
-};
-
-static CIPHER_TEST kCipherTests[] = {
- { kRule1, kExpected1 },
- { kRule2, kExpected2 },
- { kRule3, kExpected3 },
- { kRule4, kExpected4 },
- { kRule5, kExpected5 },
- { kRule6, kExpected6 },
- { kRule7, kExpected7 },
- { kRule8, kExpected8 },
- { NULL, NULL },
-};
-
-static const char *kBadRules[] = {
- /* Invalid brackets. */
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
- "RSA]",
- "[[RSA]]",
- /* Operators inside brackets */
- "[+RSA]",
- /* Unknown directive. */
- "@BOGUS",
- /* Empty cipher lists error at SSL_CTX_set_cipher_list. */
- "",
- "BOGUS",
- /* Invalid command. */
- "?BAR",
- /* Special operators are not allowed if groups are used. */
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
- NULL,
-};
-
-static void print_cipher_preference_list(
- struct ssl_cipher_preference_list_st *list) {
- size_t i;
- int in_group = 0;
- for (i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
- const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
- if (!in_group && list->in_group_flags[i]) {
- fprintf(stderr, "\t[\n");
- in_group = 1;
- }
- fprintf(stderr, "\t");
- if (in_group) {
- fprintf(stderr, " ");
- }
- fprintf(stderr, "%s\n", SSL_CIPHER_get_name(cipher));
- if (in_group && !list->in_group_flags[i]) {
- fprintf(stderr, "\t]\n");
- in_group = 0;
- }
- }
-}
-
-static int test_cipher_rule(CIPHER_TEST *t) {
- int ret = 0;
- SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
- size_t i;
-
- if (!SSL_CTX_set_cipher_list(ctx, t->rule)) {
- fprintf(stderr, "Error testing cipher rule '%s'\n", t->rule);
- BIO_print_errors_fp(stderr);
- goto done;
- }
-
- /* Compare the two lists. */
- for (i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
- const SSL_CIPHER *cipher =
- sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i);
- if (t->expected[i].id != SSL_CIPHER_get_id(cipher) ||
- t->expected[i].in_group_flag != ctx->cipher_list->in_group_flags[i]) {
- fprintf(stderr, "Error: cipher rule '%s' evaluted to:\n", t->rule);
- print_cipher_preference_list(ctx->cipher_list);
- goto done;
- }
- }
-
- if (t->expected[i].id != -1) {
- fprintf(stderr, "Error: cipher rule '%s' evaluted to:\n", t->rule);
- print_cipher_preference_list(ctx->cipher_list);
- goto done;
- }
-
- ret = 1;
-done:
- SSL_CTX_free(ctx);
- return ret;
-}
-
-static int test_cipher_rules(void) {
- size_t i;
- for (i = 0; kCipherTests[i].rule != NULL; i++) {
- if (!test_cipher_rule(&kCipherTests[i])) {
- return 0;
- }
- }
-
- for (i = 0; kBadRules[i] != NULL; i++) {
- SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
- if (SSL_CTX_set_cipher_list(ctx, kBadRules[i])) {
- fprintf(stderr, "Cipher rule '%s' unexpectedly succeeded\n", kBadRules[i]);
- return 0;
- }
- ERR_clear_error();
- SSL_CTX_free(ctx);
- }
-
- return 1;
-}
-
-/* kOpenSSLSession is a serialized SSL_SESSION generated from openssl
- * s_client -sess_out. */
-static const char kOpenSSLSession[] =
- "MIIFpQIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
- "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
- "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
- "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
- "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
- "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
- "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
- "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
- "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
- "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
- "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
- "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
- "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
- "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
- "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
- "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
- "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
- "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
- "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
- "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
- "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
- "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
- "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
- "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
- "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
- "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
- "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
- "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
- "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
- "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
- "i4gv7Y5oliyn";
-
-/* kCustomSession is a custom serialized SSL_SESSION generated by
- * filling in missing fields from |kOpenSSLSession|. This includes
- * providing |peer_sha256|, so |peer| is not serialized. */
-static const char kCustomSession[] =
- "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
- "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
- "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
- "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
- "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
- "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
- "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
- "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
-
-static int decode_base64(uint8_t **out, size_t *out_len, const char *in) {
- size_t len;
-
- if (!EVP_DecodedLength(&len, strlen(in))) {
- fprintf(stderr, "EVP_DecodedLength failed\n");
- return 0;
- }
-
- *out = OPENSSL_malloc(len);
- if (*out == NULL) {
- fprintf(stderr, "malloc failed\n");
- return 0;
- }
-
- if (!EVP_DecodeBase64(*out, out_len, len, (const uint8_t *)in,
- strlen(in))) {
- fprintf(stderr, "EVP_DecodeBase64 failed\n");
- OPENSSL_free(*out);
- *out = NULL;
- return 0;
- }
- return 1;
-}
-
-static int test_ssl_session_asn1(const char *input_b64) {
- int ret = 0, len;
- size_t input_len, encoded_len;
- uint8_t *input = NULL, *encoded = NULL;
- const uint8_t *cptr;
- uint8_t *ptr;
- SSL_SESSION *session = NULL;
-
- /* Decode the input. */
- if (!decode_base64(&input, &input_len, input_b64)) {
- goto done;
- }
-
- /* Verify the SSL_SESSION decodes. */
- cptr = input;
- session = d2i_SSL_SESSION(NULL, &cptr, input_len);
- if (session == NULL || cptr != input + input_len) {
- fprintf(stderr, "d2i_SSL_SESSION failed\n");
- goto done;
- }
-
- /* Verify the SSL_SESSION encoding round-trips. */
- if (!SSL_SESSION_to_bytes(session, &encoded, &encoded_len)) {
- fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
- goto done;
- }
- if (encoded_len != input_len ||
- memcmp(input, encoded, input_len) != 0) {
- fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
- goto done;
- }
- OPENSSL_free(encoded);
- encoded = NULL;
-
- /* Verify the SSL_SESSION encoding round-trips via the legacy API. */
- len = i2d_SSL_SESSION(session, NULL);
- if (len < 0 || (size_t)len != input_len) {
- fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
- goto done;
- }
-
- encoded = OPENSSL_malloc(input_len);
- if (encoded == NULL) {
- fprintf(stderr, "malloc failed\n");
- goto done;
- }
- ptr = encoded;
- len = i2d_SSL_SESSION(session, &ptr);
- if (len < 0 || (size_t)len != input_len) {
- fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
- goto done;
- }
- if (ptr != encoded + input_len) {
- fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
- goto done;
- }
- if (memcmp(input, encoded, input_len) != 0) {
- fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
- goto done;
- }
-
- ret = 1;
-
- done:
- if (!ret) {
- BIO_print_errors_fp(stderr);
- }
-
- if (session) {
- SSL_SESSION_free(session);
- }
- if (input) {
- OPENSSL_free(input);
- }
- if (encoded) {
- OPENSSL_free(encoded);
- }
- return ret;
-}
-
-int test_default_version(uint16_t version, const SSL_METHOD *(*method)(void)) {
- SSL_CTX *ctx;
- int ret;
-
- ctx = SSL_CTX_new(method());
- if (ctx == NULL) {
- return 0;
- }
-
- ret = ctx->min_version == version && ctx->max_version == version;
- SSL_CTX_free(ctx);
- return ret;
-}
-
-int main(void) {
- SSL_library_init();
-
- if (!test_cipher_rules() ||
- !test_ssl_session_asn1(kOpenSSLSession) ||
- !test_ssl_session_asn1(kCustomSession) ||
- !test_default_version(0, &TLS_method) ||
- !test_default_version(SSL3_VERSION, &SSLv3_method) ||
- !test_default_version(TLS1_VERSION, &TLSv1_method) ||
- !test_default_version(TLS1_1_VERSION, &TLSv1_1_method) ||
- !test_default_version(TLS1_2_VERSION, &TLSv1_2_method) ||
- !test_default_version(0, &DTLS_method) ||
- !test_default_version(DTLS1_VERSION, &DTLSv1_method) ||
- !test_default_version(DTLS1_2_VERSION, &DTLSv1_2_method)) {
- return 1;
- }
-
- printf("PASS\n");
- return 0;
-}
diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc
new file mode 100644
index 0000000..7886304
--- /dev/null
+++ b/src/ssl/ssl_test.cc
@@ -0,0 +1,509 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <string>
+#include <vector>
+
+#include <openssl/base64.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#include "test/scoped_types.h"
+
+struct ExpectedCipher {
+ unsigned long id;
+ int in_group_flag;
+};
+
+struct CipherTest {
+ // The rule string to apply.
+ const char *rule;
+ // The list of expected ciphers, in order, terminated with -1.
+ const ExpectedCipher *expected;
+};
+
+// Selecting individual ciphers should work.
+static const char kRule1[] =
+ "ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-CHACHA20-POLY1305:"
+ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256";
+
+static const ExpectedCipher kExpected1[] = {
+ { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
+ { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
+ { 0, 0 },
+};
+
+// + reorders selected ciphers to the end, keeping their relative
+// order.
+static const char kRule2[] =
+ "ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-CHACHA20-POLY1305:"
+ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "+aRSA";
+
+static const ExpectedCipher kExpected2[] = {
+ { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
+ { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
+ { 0, 0 },
+};
+
+// ! banishes ciphers from future selections.
+static const char kRule3[] =
+ "!aRSA:"
+ "ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-CHACHA20-POLY1305:"
+ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256";
+
+static const ExpectedCipher kExpected3[] = {
+ { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
+ { 0, 0 },
+};
+
+// Multiple masks can be ANDed in a single rule.
+static const char kRule4[] = "kRSA+AESGCM+AES128";
+
+static const ExpectedCipher kExpected4[] = {
+ { TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0 },
+ { 0, 0 },
+};
+
+// - removes selected ciphers, but preserves their order for future
+// selections. Select AES_128_GCM, but order the key exchanges RSA,
+// DHE_RSA, ECDHE_RSA.
+static const char kRule5[] =
+ "ALL:-kECDHE:-kDHE:-kRSA:-ALL:"
+ "AESGCM+AES128+aRSA";
+
+static const ExpectedCipher kExpected5[] = {
+ { TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, 0 },
+ { TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
+ { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
+ { 0, 0 },
+};
+
+// Unknown selectors are no-ops.
+static const char kRule6[] =
+ "ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-CHACHA20-POLY1305:"
+ "ECDHE-ECDSA-AES128-GCM-SHA256:"
+ "ECDHE-RSA-AES128-GCM-SHA256:"
+ "BOGUS1:-BOGUS2:+BOGUS3:!BOGUS4";
+
+static const ExpectedCipher kExpected6[] = {
+ { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
+ { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
+ { 0, 0 },
+};
+
+// Square brackets specify equi-preference groups.
+static const char kRule7[] =
+ "[ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256]:"
+ "[ECDHE-RSA-CHACHA20-POLY1305]:"
+ "ECDHE-RSA-AES128-GCM-SHA256";
+
+static const ExpectedCipher kExpected7[] = {
+ { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 1 },
+ { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 0 },
+ { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0 },
+ { 0, 0 },
+};
+
+// @STRENGTH performs a stable strength-sort of the selected
+// ciphers and only the selected ciphers.
+static const char kRule8[] =
+ // To simplify things, banish all but {ECDHE_RSA,RSA} x
+ // {CHACHA20,AES_256_CBC,AES_128_CBC,RC4} x SHA1.
+ "!kEDH:!AESGCM:!3DES:!SHA256:!MD5:!SHA384:"
+ // Order some ciphers backwards by strength.
+ "ALL:-CHACHA20:-AES256:-AES128:-RC4:-ALL:"
+ // Select ECDHE ones and sort them by strength. Ties should resolve
+ // based on the order above.
+ "kECDHE:@STRENGTH:-ALL:"
+ // Now bring back everything uses RSA. ECDHE_RSA should be first,
+ // sorted by strength. Then RSA, backwards by strength.
+ "aRSA";
+
+static const ExpectedCipher kExpected8[] = {
+ { TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, 0 },
+ { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA, 0 },
+ { TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, 0 },
+ { SSL3_CK_RSA_RC4_128_SHA, 0 },
+ { TLS1_CK_RSA_WITH_AES_128_SHA, 0 },
+ { TLS1_CK_RSA_WITH_AES_256_SHA, 0 },
+ { 0, 0 },
+};
+
+// Exact ciphers may not be used in multi-part rules; they are treated
+// as unknown aliases.
+static const char kRule9[] =
+ "ECDHE-ECDSA-CHACHA20-POLY1305:"
+ "ECDHE-RSA-CHACHA20-POLY1305:"
+ "!ECDHE-RSA-CHACHA20-POLY1305+RSA:"
+ "!ECDSA+ECDHE-ECDSA-CHACHA20-POLY1305";
+
+static const ExpectedCipher kExpected9[] = {
+ { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305, 0 },
+ { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305, 0 },
+ { 0, 0 },
+};
+
+static CipherTest kCipherTests[] = {
+ { kRule1, kExpected1 },
+ { kRule2, kExpected2 },
+ { kRule3, kExpected3 },
+ { kRule4, kExpected4 },
+ { kRule5, kExpected5 },
+ { kRule6, kExpected6 },
+ { kRule7, kExpected7 },
+ { kRule8, kExpected8 },
+ { kRule9, kExpected9 },
+ { NULL, NULL },
+};
+
+static const char *kBadRules[] = {
+ // Invalid brackets.
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
+ "RSA]",
+ "[[RSA]]",
+ // Operators inside brackets.
+ "[+RSA]",
+ // Unknown directive.
+ "@BOGUS",
+ // Empty cipher lists error at SSL_CTX_set_cipher_list.
+ "",
+ "BOGUS",
+ // COMPLEMENTOFDEFAULT is empty.
+ "COMPLEMENTOFDEFAULT",
+ // Invalid command.
+ "?BAR",
+ // Special operators are not allowed if groups are used.
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
+ NULL,
+};
+
+static void PrintCipherPreferenceList(ssl_cipher_preference_list_st *list) {
+ bool in_group = false;
+ for (size_t i = 0; i < sk_SSL_CIPHER_num(list->ciphers); i++) {
+ const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(list->ciphers, i);
+ if (!in_group && list->in_group_flags[i]) {
+ fprintf(stderr, "\t[\n");
+ in_group = true;
+ }
+ fprintf(stderr, "\t");
+ if (in_group) {
+ fprintf(stderr, " ");
+ }
+ fprintf(stderr, "%s\n", SSL_CIPHER_get_name(cipher));
+ if (in_group && !list->in_group_flags[i]) {
+ fprintf(stderr, "\t]\n");
+ in_group = false;
+ }
+ }
+}
+
+static bool TestCipherRule(CipherTest *t) {
+ ScopedSSL_CTX ctx(SSL_CTX_new(TLS_method()));
+ if (!ctx) {
+ return false;
+ }
+
+ if (!SSL_CTX_set_cipher_list(ctx.get(), t->rule)) {
+ fprintf(stderr, "Error testing cipher rule '%s'\n", t->rule);
+ return false;
+ }
+
+ // Compare the two lists.
+ size_t i;
+ for (i = 0; i < sk_SSL_CIPHER_num(ctx->cipher_list->ciphers); i++) {
+ const SSL_CIPHER *cipher =
+ sk_SSL_CIPHER_value(ctx->cipher_list->ciphers, i);
+ if (t->expected[i].id != SSL_CIPHER_get_id(cipher) ||
+ t->expected[i].in_group_flag != ctx->cipher_list->in_group_flags[i]) {
+ fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t->rule);
+ PrintCipherPreferenceList(ctx->cipher_list);
+ return false;
+ }
+ }
+
+ if (t->expected[i].id != 0) {
+ fprintf(stderr, "Error: cipher rule '%s' evaluated to:\n", t->rule);
+ PrintCipherPreferenceList(ctx->cipher_list);
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestCipherRules() {
+ for (size_t i = 0; kCipherTests[i].rule != NULL; i++) {
+ if (!TestCipherRule(&kCipherTests[i])) {
+ return false;
+ }
+ }
+
+ for (size_t i = 0; kBadRules[i] != NULL; i++) {
+ ScopedSSL_CTX ctx(SSL_CTX_new(SSLv23_server_method()));
+ if (!ctx) {
+ return false;
+ }
+ if (SSL_CTX_set_cipher_list(ctx.get(), kBadRules[i])) {
+ fprintf(stderr, "Cipher rule '%s' unexpectedly succeeded\n", kBadRules[i]);
+ return false;
+ }
+ ERR_clear_error();
+ }
+
+ return true;
+}
+
+// kOpenSSLSession is a serialized SSL_SESSION generated from openssl
+// s_client -sess_out.
+static const char kOpenSSLSession[] =
+ "MIIFpQIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
+ "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
+ "IWoJoQYCBFRDO46iBAICASyjggR6MIIEdjCCA16gAwIBAgIIK9dUvsPWSlUwDQYJ"
+ "KoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMx"
+ "JTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMDA4"
+ "MTIwNzU3WhcNMTUwMTA2MDAwMDAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwK"
+ "Q2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29v"
+ "Z2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEB"
+ "AQUAA4IBDwAwggEKAoIBAQCcKeLrplAC+Lofy8t/wDwtB6eu72CVp0cJ4V3lknN6"
+ "huH9ct6FFk70oRIh/VBNBBz900jYy+7111Jm1b8iqOTQ9aT5C7SEhNcQFJvqzH3e"
+ "MPkb6ZSWGm1yGF7MCQTGQXF20Sk/O16FSjAynU/b3oJmOctcycWYkY0ytS/k3LBu"
+ "Id45PJaoMqjB0WypqvNeJHC3q5JjCB4RP7Nfx5jjHSrCMhw8lUMW4EaDxjaR9KDh"
+ "PLgjsk+LDIySRSRDaCQGhEOWLJZVLzLo4N6/UlctCHEllpBUSvEOyFga52qroGjg"
+ "rf3WOQ925MFwzd6AK+Ich0gDRg8sQfdLH5OuP1cfLfU1AgMBAAGjggFBMIIBPTAd"
+ "BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdv"
+ "b2dsZS5jb20waAYIKwYBBQUHAQEEXDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtp"
+ "Lmdvb2dsZS5jb20vR0lBRzIuY3J0MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50"
+ "czEuZ29vZ2xlLmNvbS9vY3NwMB0GA1UdDgQWBBQ7a+CcxsZByOpc+xpYFcIbnUMZ"
+ "hTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEv"
+ "MBcGA1UdIAQQMA4wDAYKKwYBBAHWeQIFATAwBgNVHR8EKTAnMCWgI6Ahhh9odHRw"
+ "Oi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCa"
+ "OXCBdoqUy5bxyq+Wrh1zsyyCFim1PH5VU2+yvDSWrgDY8ibRGJmfff3r4Lud5kal"
+ "dKs9k8YlKD3ITG7P0YT/Rk8hLgfEuLcq5cc0xqmE42xJ+Eo2uzq9rYorc5emMCxf"
+ "5L0TJOXZqHQpOEcuptZQ4OjdYMfSxk5UzueUhA3ogZKRcRkdB3WeWRp+nYRhx4St"
+ "o2rt2A0MKmY9165GHUqMK9YaaXHDXqBu7Sefr1uSoAP9gyIJKeihMivsGqJ1TD6Z"
+ "cc6LMe+dN2P8cZEQHtD1y296ul4Mivqk3jatUVL8/hCwgch9A8O4PGZq9WqBfEWm"
+ "IyHh1dPtbg1lOXdYCWtjpAIEAKUDAgEUqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36S"
+ "YTcLEkXqKwOBfF9vE4KX0NxeLwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9B"
+ "sNHM362zZnY27GpTw+Kwd751CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yE"
+ "OTDKPNj3+inbMaVigtK4PLyPq+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdA"
+ "i4gv7Y5oliyn";
+
+// kCustomSession is a custom serialized SSL_SESSION generated by
+// filling in missing fields from |kOpenSSLSession|. This includes
+// providing |peer_sha256|, so |peer| is not serialized.
+static const char kCustomSession[] =
+ "MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
+ "kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
+ "IWoJoQYCBFRDO46iBAICASykAwQBAqUDAgEUphAEDnd3dy5nb29nbGUuY29tqAcE"
+ "BXdvcmxkqQUCAwGJwKqBpwSBpBwUQvoeOk0Kg36SYTcLEkXqKwOBfF9vE4KX0Nxe"
+ "LwjcDTpsuh3qXEaZ992r1N38VDcyS6P7I6HBYN9BsNHM362zZnY27GpTw+Kwd751"
+ "CLoXFPoaMOe57dbBpXoro6Pd3BTbf/Tzr88K06yEOTDKPNj3+inbMaVigtK4PLyP"
+ "q+Topyzvx9USFgRvyuoxn0Hgb+R0A3j6SLRuyOdAi4gv7Y5oliynrSIEIAYGBgYG"
+ "BgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGBgYGrgMEAQevAwQBBLADBAEF";
+
+static bool DecodeBase64(std::vector<uint8_t> *out, const char *in) {
+ size_t len;
+ if (!EVP_DecodedLength(&len, strlen(in))) {
+ fprintf(stderr, "EVP_DecodedLength failed\n");
+ return false;
+ }
+
+ out->resize(len);
+ if (!EVP_DecodeBase64(bssl::vector_data(out), &len, len, (const uint8_t *)in,
+ strlen(in))) {
+ fprintf(stderr, "EVP_DecodeBase64 failed\n");
+ return false;
+ }
+ out->resize(len);
+ return true;
+}
+
+static bool TestSSL_SESSIONEncoding(const char *input_b64) {
+ const uint8_t *cptr;
+ uint8_t *ptr;
+
+ // Decode the input.
+ std::vector<uint8_t> input;
+ if (!DecodeBase64(&input, input_b64)) {
+ return false;
+ }
+
+ // Verify the SSL_SESSION decodes.
+ cptr = bssl::vector_data(&input);
+ ScopedSSL_SESSION session(d2i_SSL_SESSION(NULL, &cptr, input.size()));
+ if (!session || cptr != bssl::vector_data(&input) + input.size()) {
+ fprintf(stderr, "d2i_SSL_SESSION failed\n");
+ return false;
+ }
+
+ // Verify the SSL_SESSION encoding round-trips.
+ size_t encoded_len;
+ ScopedOpenSSLBytes encoded;
+ uint8_t *encoded_raw;
+ if (!SSL_SESSION_to_bytes(session.get(), &encoded_raw, &encoded_len)) {
+ fprintf(stderr, "SSL_SESSION_to_bytes failed\n");
+ return false;
+ }
+ encoded.reset(encoded_raw);
+ if (encoded_len != input.size() ||
+ memcmp(bssl::vector_data(&input), encoded.get(), input.size()) != 0) {
+ fprintf(stderr, "SSL_SESSION_to_bytes did not round-trip\n");
+ return false;
+ }
+
+ // Verify the SSL_SESSION encoding round-trips via the legacy API.
+ int len = i2d_SSL_SESSION(session.get(), NULL);
+ if (len < 0 || (size_t)len != input.size()) {
+ fprintf(stderr, "i2d_SSL_SESSION(NULL) returned invalid length\n");
+ return false;
+ }
+
+ encoded.reset((uint8_t *)OPENSSL_malloc(input.size()));
+ if (!encoded) {
+ fprintf(stderr, "malloc failed\n");
+ return false;
+ }
+
+ ptr = encoded.get();
+ len = i2d_SSL_SESSION(session.get(), &ptr);
+ if (len < 0 || (size_t)len != input.size()) {
+ fprintf(stderr, "i2d_SSL_SESSION returned invalid length\n");
+ return false;
+ }
+ if (ptr != encoded.get() + input.size()) {
+ fprintf(stderr, "i2d_SSL_SESSION did not advance ptr correctly\n");
+ return false;
+ }
+ if (memcmp(bssl::vector_data(&input), encoded.get(), input.size()) != 0) {
+ fprintf(stderr, "i2d_SSL_SESSION did not round-trip\n");
+ return false;
+ }
+
+ return true;
+}
+
+static bool TestDefaultVersion(uint16_t version,
+ const SSL_METHOD *(*method)(void)) {
+ ScopedSSL_CTX ctx(SSL_CTX_new(method()));
+ if (!ctx) {
+ return false;
+ }
+ return ctx->min_version == version && ctx->max_version == version;
+}
+
+static bool CipherGetRFCName(std::string *out, uint16_t value) {
+ const SSL_CIPHER *cipher = SSL_get_cipher_by_value(value);
+ if (cipher == NULL) {
+ return false;
+ }
+ ScopedOpenSSLString rfc_name(SSL_CIPHER_get_rfc_name(cipher));
+ out->assign(rfc_name.get());
+ return true;
+}
+
+typedef struct {
+ int id;
+ const char *rfc_name;
+} CIPHER_RFC_NAME_TEST;
+
+static const CIPHER_RFC_NAME_TEST kCipherRFCNameTests[] = {
+ { SSL3_CK_RSA_DES_192_CBC3_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA" },
+ { SSL3_CK_RSA_RC4_128_MD5, "TLS_RSA_WITH_RC4_MD5" },
+ { TLS1_CK_RSA_WITH_AES_128_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA" },
+ { TLS1_CK_DHE_RSA_WITH_AES_256_SHA, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" },
+ { TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
+ "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" },
+ { TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },
+ { TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" },
+ { TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
+ { TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" },
+ { TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" },
+ { TLS1_CK_PSK_WITH_RC4_128_SHA, "TLS_PSK_WITH_RC4_SHA" },
+ // These names are non-standard:
+ { TLS1_CK_ECDHE_RSA_CHACHA20_POLY1305,
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" },
+ { TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305,
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" },
+ { TLS1_CK_ECDHE_PSK_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256" },
+};
+
+static bool TestCipherGetRFCName(void) {
+ for (size_t i = 0;
+ i < sizeof(kCipherRFCNameTests) / sizeof(kCipherRFCNameTests[0]); i++) {
+ const CIPHER_RFC_NAME_TEST *test = &kCipherRFCNameTests[i];
+ std::string rfc_name;
+ if (!CipherGetRFCName(&rfc_name, test->id & 0xffff)) {
+ fprintf(stderr, "SSL_CIPHER_get_rfc_name failed\n");
+ return false;
+ }
+ if (rfc_name != test->rfc_name) {
+ fprintf(stderr, "SSL_CIPHER_get_rfc_name: got '%s', wanted '%s'\n",
+ rfc_name.c_str(), test->rfc_name);
+ return false;
+ }
+ }
+ return true;
+}
+
+int main(void) {
+ SSL_library_init();
+
+ if (!TestCipherRules() ||
+ !TestSSL_SESSIONEncoding(kOpenSSLSession) ||
+ !TestSSL_SESSIONEncoding(kCustomSession) ||
+ !TestDefaultVersion(0, &TLS_method) ||
+ !TestDefaultVersion(SSL3_VERSION, &SSLv3_method) ||
+ !TestDefaultVersion(TLS1_VERSION, &TLSv1_method) ||
+ !TestDefaultVersion(TLS1_1_VERSION, &TLSv1_1_method) ||
+ !TestDefaultVersion(TLS1_2_VERSION, &TLSv1_2_method) ||
+ !TestDefaultVersion(0, &DTLS_method) ||
+ !TestDefaultVersion(DTLS1_VERSION, &DTLSv1_method) ||
+ !TestDefaultVersion(DTLS1_2_VERSION, &DTLSv1_2_method) ||
+ !TestCipherGetRFCName()) {
+ ERR_print_errors_fp(stderr);
+ return 1;
+ }
+
+ printf("PASS\n");
+ return 0;
+}
diff --git a/src/ssl/ssl_txt.c b/src/ssl/ssl_txt.c
index c950ce8..2275f16 100644
--- a/src/ssl/ssl_txt.c
+++ b/src/ssl/ssl_txt.c
@@ -87,7 +87,7 @@
#include <openssl/err.h>
#include <openssl/mem.h>
-#include "ssl_locl.h"
+#include "internal.h"
int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x) {
@@ -145,8 +145,9 @@
}
for (i = 0; i < x->session_id_length; i++) {
- if (BIO_printf(bp, "%02X", x->session_id[i]) <= 0)
+ if (BIO_printf(bp, "%02X", x->session_id[i]) <= 0) {
goto err;
+ }
}
if (BIO_puts(bp, "\n Session-ID-ctx: ") <= 0) {
diff --git a/src/ssl/t1_enc.c b/src/ssl/t1_enc.c
index 014bc88..3eaffe7 100644
--- a/src/ssl/t1_enc.c
+++ b/src/ssl/t1_enc.c
@@ -133,8 +133,9 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE. */
-#include <stdio.h>
#include <assert.h>
+#include <stdio.h>
+#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
@@ -144,7 +145,7 @@
#include <openssl/obj.h>
#include <openssl/rand.h>
-#include "ssl_locl.h"
+#include "internal.h"
/* tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
@@ -225,7 +226,7 @@
const uint8_t *seed2, size_t seed2_len) {
size_t idx, len, count, i;
const uint8_t *S1;
- long m;
+ uint32_t m;
const EVP_MD *md;
int ret = 0;
uint8_t *tmp;
@@ -243,7 +244,7 @@
/* Count number of digests and partition |secret| evenly. */
count = 0;
- for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
+ for (idx = 0; ssl_get_handshake_digest(&m, &md, idx); idx++) {
if ((m << TLS1_PRF_DGST_SHIFT) & ssl_get_algorithm2(s)) {
count++;
}
@@ -258,7 +259,7 @@
}
S1 = secret;
memset(out, 0, out_len);
- for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) {
+ for (idx = 0; ssl_get_handshake_digest(&m, &md, idx); idx++) {
if ((m << TLS1_PRF_DGST_SHIFT) & ssl_get_algorithm2(s)) {
/* If |count| is 2 and |secret_len| is odd, |secret| is partitioned into
* two halves with an overlapping byte. */
@@ -340,14 +341,12 @@
}
aead_ctx = s->aead_read_ctx;
} else {
- /* When updating the cipher state for DTLS, we do not wish to overwrite the
- * old ones because DTLS stores pointers to them in order to implement
- * retransmission. See dtls1_hm_fragment_free.
- *
- * TODO(davidben): Simplify aead_write_ctx ownership, probably by just
- * forbidding DTLS renego. */
- if (SSL_IS_DTLS(s)) {
- s->aead_write_ctx = NULL;
+ if (SSL_IS_DTLS(s) && s->aead_write_ctx != NULL) {
+ /* DTLS renegotiation is unsupported, so a CCS can only switch away from
+ * the NULL cipher. This simplifies renegotiation. */
+ OPENSSL_PUT_ERROR(SSL, tls1_change_cipher_state_aead,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
}
if (!tls1_aead_ctx_init(&s->aead_write_ctx)) {
return 0;
@@ -355,8 +354,9 @@
aead_ctx = s->aead_write_ctx;
}
- if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len,
- EVP_AEAD_DEFAULT_TAG_LENGTH, NULL /* engine */)) {
+ if (!EVP_AEAD_CTX_init_with_direction(
+ &aead_ctx->ctx, aead, key, key_len, EVP_AEAD_DEFAULT_TAG_LENGTH,
+ is_read ? evp_aead_open : evp_aead_seal)) {
OPENSSL_free(aead_ctx);
if (is_read) {
s->aead_read_ctx = NULL;
@@ -578,7 +578,7 @@
aead = s->aead_read_ctx;
}
- if (s->session == NULL || aead == NULL) {
+ if (aead == NULL) {
/* Handle the initial NULL cipher. */
memmove(rec->data, rec->input, rec->length);
rec->input = rec->data;
@@ -598,13 +598,9 @@
memcpy(p, &seq[2], 6);
memcpy(ad, dtlsseq, 8);
} else {
- int i;
memcpy(ad, seq, 8);
- for (i = 7; i >= 0; i--) {
- ++seq[i];
- if (seq[i] != 0) {
- break;
- }
+ if (!ssl3_record_sequence_update(seq, 8)) {
+ return 0;
}
}
@@ -739,7 +735,10 @@
}
EVP_MD_CTX_init(&ctx);
- EVP_MD_CTX_copy_ex(&ctx, d);
+ if (!EVP_MD_CTX_copy_ex(&ctx, d)) {
+ EVP_MD_CTX_cleanup(&ctx);
+ return 0;
+ }
EVP_DigestFinal_ex(&ctx, out, &ret);
EVP_MD_CTX_cleanup(&ctx);
@@ -756,11 +755,11 @@
EVP_MD_CTX ctx;
int err = 0, len = 0;
size_t i;
- long mask;
+ uint32_t mask;
EVP_MD_CTX_init(&ctx);
- for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
+ for (i = 0; ssl_get_handshake_digest(&mask, &md, i); i++) {
size_t hash_size;
unsigned int digest_len;
EVP_MD_CTX *hdgst = s->s3->handshake_dgst[i];
@@ -863,82 +862,42 @@
return SSL3_MASTER_SECRET_SIZE;
}
-int tls1_export_keying_material(SSL *s, uint8_t *out, size_t olen,
- const char *label, size_t llen,
- const uint8_t *context, size_t contextlen,
+int tls1_export_keying_material(SSL *s, uint8_t *out, size_t out_len,
+ const char *label, size_t label_len,
+ const uint8_t *context, size_t context_len,
int use_context) {
- uint8_t *val = NULL;
- size_t vallen, currentvalpos;
- int ret;
-
- /* construct PRF arguments we construct the PRF argument ourself rather than
- * passing separate values into the TLS PRF to ensure that the concatenation
- * of values does not create a prohibited label. */
- vallen = llen + SSL3_RANDOM_SIZE * 2;
- if (use_context) {
- vallen += 2 + contextlen;
+ if (!s->s3->have_version || s->version == SSL3_VERSION) {
+ OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material,
+ ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
}
- val = OPENSSL_malloc(vallen);
- if (val == NULL) {
- goto err2;
- }
-
- currentvalpos = 0;
- memcpy(val + currentvalpos, (uint8_t *)label, llen);
- currentvalpos += llen;
- memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
- currentvalpos += SSL3_RANDOM_SIZE;
- memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
- currentvalpos += SSL3_RANDOM_SIZE;
-
+ size_t seed_len = 2 * SSL3_RANDOM_SIZE;
if (use_context) {
- val[currentvalpos] = (contextlen >> 8) & 0xff;
- currentvalpos++;
- val[currentvalpos] = contextlen & 0xff;
- currentvalpos++;
- if (contextlen > 0 || context != NULL) {
- memcpy(val + currentvalpos, context, contextlen);
+ if (context_len >= 1u << 16) {
+ OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material, ERR_R_OVERFLOW);
+ return 0;
}
+ seed_len += 2 + context_len;
+ }
+ uint8_t *seed = OPENSSL_malloc(seed_len);
+ if (seed == NULL) {
+ OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material, ERR_R_MALLOC_FAILURE);
+ return 0;
}
- /* disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited
- * label len) = 15, so size of val > max(prohibited label len) = 15 and the
- * comparisons won't have buffer overflow. */
- if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
- TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0 ||
- memcmp(val, TLS_MD_SERVER_FINISH_CONST,
- TLS_MD_SERVER_FINISH_CONST_SIZE) == 0 ||
- memcmp(val, TLS_MD_MASTER_SECRET_CONST,
- TLS_MD_MASTER_SECRET_CONST_SIZE) == 0 ||
- memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
- TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) {
- goto err1;
+ memcpy(seed, s->s3->client_random, SSL3_RANDOM_SIZE);
+ memcpy(seed + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);
+ if (use_context) {
+ seed[2 * SSL3_RANDOM_SIZE] = (uint8_t)(context_len >> 8);
+ seed[2 * SSL3_RANDOM_SIZE + 1] = (uint8_t)context_len;
+ memcpy(seed + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);
}
- /* SSL_export_keying_material is not implemented for SSLv3, so passing
- * everything through the label parameter works. */
- assert(s->version != SSL3_VERSION);
- ret = s->enc_method->prf(s, out, olen, s->session->master_key,
- s->session->master_key_length, (const char *)val,
- vallen, NULL, 0, NULL, 0);
- goto out;
-
-err1:
- OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material,
- SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
- ret = 0;
- goto out;
-
-err2:
- OPENSSL_PUT_ERROR(SSL, tls1_export_keying_material, ERR_R_MALLOC_FAILURE);
- ret = 0;
-
-out:
- if (val != NULL) {
- OPENSSL_free(val);
- }
-
+ int ret = s->enc_method->prf(s, out, out_len, s->session->master_key,
+ s->session->master_key_length, label, label_len,
+ seed, seed_len, NULL, 0);
+ OPENSSL_free(seed);
return ret;
}
diff --git a/src/ssl/t1_lib.c b/src/ssl/t1_lib.c
index e26351b..433a647 100644
--- a/src/ssl/t1_lib.c
+++ b/src/ssl/t1_lib.c
@@ -106,18 +106,20 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
+#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
-#include <assert.h>
+#include <string.h>
#include <openssl/bytestring.h>
+#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/rand.h>
-#include "ssl_locl.h"
+#include "internal.h"
static int tls_decrypt_ticket(SSL *s, const uint8_t *tick, int ticklen,
@@ -133,16 +135,12 @@
tls1_generate_master_secret,
tls1_change_cipher_state,
tls1_final_finish_mac,
- TLS1_FINISH_MAC_LENGTH,
tls1_cert_verify_mac,
TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
tls1_alert_code,
tls1_export_keying_material,
0,
- SSL3_HM_HEADER_LENGTH,
- ssl3_set_handshake_header,
- ssl3_handshake_write,
};
const SSL3_ENC_METHOD TLSv1_1_enc_data = {
@@ -152,16 +150,12 @@
tls1_generate_master_secret,
tls1_change_cipher_state,
tls1_final_finish_mac,
- TLS1_FINISH_MAC_LENGTH,
tls1_cert_verify_mac,
TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
tls1_alert_code,
tls1_export_keying_material,
SSL_ENC_FLAG_EXPLICIT_IV,
- SSL3_HM_HEADER_LENGTH,
- ssl3_set_handshake_header,
- ssl3_handshake_write,
};
const SSL3_ENC_METHOD TLSv1_2_enc_data = {
@@ -171,7 +165,6 @@
tls1_generate_master_secret,
tls1_change_cipher_state,
tls1_final_finish_mac,
- TLS1_FINISH_MAC_LENGTH,
tls1_cert_verify_mac,
TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
@@ -179,9 +172,6 @@
tls1_export_keying_material,
SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_SHA256_PRF
|SSL_ENC_FLAG_TLS1_2_CIPHERS,
- SSL3_HM_HEADER_LENGTH,
- ssl3_set_handshake_header,
- ssl3_handshake_write,
};
static int compare_uint16_t(const void *p1, const void *p2) {
@@ -255,8 +245,7 @@
ret = 1;
done:
- if (extension_types)
- OPENSSL_free(extension_types);
+ OPENSSL_free(extension_types);
return ret;
}
@@ -367,7 +356,7 @@
};
static const uint16_t eccurves_default[] = {
- 23, /* X9_64_prime256v1 */
+ 23, /* X9_62_prime256v1 */
24, /* secp384r1 */
};
@@ -399,6 +388,9 @@
const uint16_t **out_curve_ids,
size_t *out_curve_ids_len) {
if (get_peer_curves) {
+ /* Only clients send a curve list, so this function is only called
+ * on the server. */
+ assert(s->server);
*out_curve_ids = s->s3->tmp.peer_ellipticcurvelist;
*out_curve_ids_len = s->s3->tmp.peer_ellipticcurvelist_length;
return;
@@ -437,22 +429,38 @@
}
int tls1_get_shared_curve(SSL *s) {
- const uint16_t *pref, *supp;
- size_t preflen, supplen, i, j;
+ const uint16_t *curves, *peer_curves, *pref, *supp;
+ size_t curves_len, peer_curves_len, pref_len, supp_len, i, j;
/* Can't do anything on client side */
if (s->server == 0) {
return NID_undef;
}
- /* Return first preference shared curve */
- tls1_get_curvelist(s, !!(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &supp,
- &supplen);
- tls1_get_curvelist(s, !(s->options & SSL_OP_CIPHER_SERVER_PREFERENCE), &pref,
- &preflen);
+ tls1_get_curvelist(s, 0 /* local curves */, &curves, &curves_len);
+ tls1_get_curvelist(s, 1 /* peer curves */, &peer_curves, &peer_curves_len);
- for (i = 0; i < preflen; i++) {
- for (j = 0; j < supplen; j++) {
+ if (peer_curves_len == 0) {
+ /* Clients are not required to send a supported_curves extension. In this
+ * case, the server is free to pick any curve it likes. See RFC 4492,
+ * section 4, paragraph 3. */
+ return (curves_len == 0) ? NID_undef : tls1_ec_curve_id2nid(curves[0]);
+ }
+
+ if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
+ pref = curves;
+ pref_len = curves_len;
+ supp = peer_curves;
+ supp_len = peer_curves_len;
+ } else {
+ pref = peer_curves;
+ pref_len = peer_curves_len;
+ supp = curves;
+ supp_len = curves_len;
+ }
+
+ for (i = 0; i < pref_len; i++) {
+ for (j = 0; j < supp_len; j++) {
if (pref[i] == supp[j]) {
return tls1_ec_curve_id2nid(pref[i]);
}
@@ -479,9 +487,7 @@
}
}
- if (*out_curve_ids) {
- OPENSSL_free(*out_curve_ids);
- }
+ OPENSSL_free(*out_curve_ids);
*out_curve_ids = curve_ids;
*out_curve_ids_len = ncurves;
@@ -556,11 +562,23 @@
* preferences are checked; the peer (the server) does not send preferences. */
static int tls1_check_curve_id(SSL *s, uint16_t curve_id) {
const uint16_t *curves;
- size_t curves_len, i, j;
+ size_t curves_len, i, get_peer_curves;
/* Check against our list, then the peer's list. */
- for (j = 0; j <= 1; j++) {
- tls1_get_curvelist(s, j, &curves, &curves_len);
+ for (get_peer_curves = 0; get_peer_curves <= 1; get_peer_curves++) {
+ if (get_peer_curves && !s->server) {
+ /* Servers do not present a preference list so, if we are a client, only
+ * check our list. */
+ continue;
+ }
+
+ tls1_get_curvelist(s, get_peer_curves, &curves, &curves_len);
+ if (get_peer_curves && curves_len == 0) {
+ /* Clients are not required to send a supported_curves extension. In this
+ * case, the server is free to pick any curve it likes. See RFC 4492,
+ * section 4, paragraph 3. */
+ continue;
+ }
for (i = 0; i < curves_len; i++) {
if (curves[i] == curve_id) {
break;
@@ -570,12 +588,6 @@
if (i == curves_len) {
return 0;
}
-
- /* Servers do not present a preference list so, if we are a client, only
- * check our list. */
- if (!s->server) {
- return 1;
- }
}
return 1;
@@ -610,30 +622,27 @@
ret = 1;
done:
- if (pkey) {
- EVP_PKEY_free(pkey);
- }
+ EVP_PKEY_free(pkey);
return ret;
}
int tls1_check_ec_tmp_key(SSL *s) {
- uint16_t curve_id;
- EC_KEY *ec = s->cert->ecdh_tmp;
-
- if (s->cert->ecdh_tmp_auto) {
- /* Need a shared curve */
- return tls1_get_shared_curve(s) != NID_undef;
+ if (s->cert->ecdh_nid != NID_undef) {
+ /* If the curve is preconfigured, ECDH is acceptable iff the peer supports
+ * the curve. */
+ uint16_t curve_id;
+ return tls1_ec_nid2curve_id(&curve_id, s->cert->ecdh_nid) &&
+ tls1_check_curve_id(s, curve_id);
}
- if (!ec) {
- if (s->cert->ecdh_tmp_cb) {
- return 1;
- }
- return 0;
+ if (s->cert->ecdh_tmp_cb != NULL) {
+ /* Assume the callback will provide an acceptable curve. */
+ return 1;
}
- return tls1_curve_params_from_ec_key(&curve_id, NULL, ec) &&
- tls1_check_curve_id(s, curve_id);
+ /* Otherwise, the curve gets selected automatically. ECDH is acceptable iff
+ * there is a shared curve. */
+ return tls1_get_shared_curve(s) != NID_undef;
}
/* List of supported signature algorithms and hashes. Should make this
@@ -803,7 +812,7 @@
if (s->version >= TLS1_VERSION || SSL_IS_DTLS(s)) {
size_t i;
- unsigned long alg_k, alg_a;
+ uint32_t alg_k, alg_a;
STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
@@ -811,7 +820,7 @@
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
- if ((alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA)) {
+ if ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) {
using_ecc = 1;
break;
}
@@ -1117,9 +1126,9 @@
uint8_t *orig = buf;
uint8_t *ret = buf;
int next_proto_neg_seen;
- unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
- unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- int using_ecc = (alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA);
+ uint32_t alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ uint32_t alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ int using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);
using_ecc = using_ecc && (s->s3->tmp.peer_ecpointformatlist != NULL);
/* don't add extensions for SSLv3, unless doing secure renegotiation */
@@ -1331,9 +1340,7 @@
s, &selected, &selected_len, CBS_data(&protocol_name_list),
CBS_len(&protocol_name_list), s->ctx->alpn_select_cb_arg);
if (r == SSL_TLSEXT_ERR_OK) {
- if (s->s3->alpn_selected) {
- OPENSSL_free(s->s3->alpn_selected);
- }
+ OPENSSL_free(s->s3->alpn_selected);
s->s3->alpn_selected = BUF_memdup(selected, selected_len);
if (!s->s3->alpn_selected) {
*out_alert = SSL_AD_INTERNAL_ERROR;
@@ -1359,35 +1366,27 @@
s->s3->tmp.certificate_status_expected = 0;
s->s3->tmp.extended_master_secret = 0;
- if (s->s3->alpn_selected) {
- OPENSSL_free(s->s3->alpn_selected);
- s->s3->alpn_selected = NULL;
- }
+ OPENSSL_free(s->s3->alpn_selected);
+ s->s3->alpn_selected = NULL;
/* Clear any signature algorithms extension received */
- if (s->cert->peer_sigalgs) {
- OPENSSL_free(s->cert->peer_sigalgs);
- s->cert->peer_sigalgs = NULL;
- }
+ OPENSSL_free(s->cert->peer_sigalgs);
+ s->cert->peer_sigalgs = NULL;
+ s->cert->peer_sigalgslen = 0;
/* Clear any shared signature algorithms */
- if (s->cert->shared_sigalgs) {
- OPENSSL_free(s->cert->shared_sigalgs);
- s->cert->shared_sigalgs = NULL;
- }
+ OPENSSL_free(s->cert->shared_sigalgs);
+ s->cert->shared_sigalgs = NULL;
+ s->cert->shared_sigalgslen = 0;
/* Clear ECC extensions */
- if (s->s3->tmp.peer_ecpointformatlist != 0) {
- OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
- s->s3->tmp.peer_ecpointformatlist = NULL;
- s->s3->tmp.peer_ecpointformatlist_length = 0;
- }
+ OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
+ s->s3->tmp.peer_ecpointformatlist = NULL;
+ s->s3->tmp.peer_ecpointformatlist_length = 0;
- if (s->s3->tmp.peer_ellipticcurvelist != 0) {
- OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
- s->s3->tmp.peer_ellipticcurvelist = NULL;
- s->s3->tmp.peer_ellipticcurvelist_length = 0;
- }
+ OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
+ s->s3->tmp.peer_ellipticcurvelist = NULL;
+ s->s3->tmp.peer_ellipticcurvelist_length = 0;
/* There may be no extensions. */
if (CBS_len(cbs) == 0) {
@@ -1412,11 +1411,6 @@
return 0;
}
- if (s->tlsext_debug_cb) {
- s->tlsext_debug_cb(s, 0, type, (uint8_t *)CBS_data(&extension),
- CBS_len(&extension), s->tlsext_debug_arg);
- }
-
/* The servername extension is treated as follows:
- Only the hostname type is supported with a maximum length of 255.
@@ -1529,10 +1523,8 @@
return 0;
}
- if (s->s3->tmp.peer_ellipticcurvelist) {
- OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
- s->s3->tmp.peer_ellipticcurvelist_length = 0;
- }
+ OPENSSL_free(s->s3->tmp.peer_ellipticcurvelist);
+ s->s3->tmp.peer_ellipticcurvelist_length = 0;
s->s3->tmp.peer_ellipticcurvelist =
(uint16_t *)OPENSSL_malloc(CBS_len(&elliptic_curve_list));
@@ -1586,7 +1578,7 @@
}
/* If sigalgs received and no shared algorithms fatal error. */
if (s->cert->peer_sigalgs && !s->cert->shared_sigalgs) {
- OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_tlsext,
+ OPENSSL_PUT_ERROR(SSL, ssl_scan_clienthello_tlsext,
SSL_R_NO_SHARED_SIGATURE_ALGORITHMS);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
@@ -1714,17 +1706,13 @@
s->s3->tmp.extended_master_secret = 0;
s->srtp_profile = NULL;
- if (s->s3->alpn_selected) {
- OPENSSL_free(s->s3->alpn_selected);
- s->s3->alpn_selected = NULL;
- }
+ OPENSSL_free(s->s3->alpn_selected);
+ s->s3->alpn_selected = NULL;
/* Clear ECC extensions */
- if (s->s3->tmp.peer_ecpointformatlist != 0) {
- OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
- s->s3->tmp.peer_ecpointformatlist = NULL;
- s->s3->tmp.peer_ecpointformatlist_length = 0;
- }
+ OPENSSL_free(s->s3->tmp.peer_ecpointformatlist);
+ s->s3->tmp.peer_ecpointformatlist = NULL;
+ s->s3->tmp.peer_ecpointformatlist_length = 0;
/* There may be no extensions. */
if (CBS_len(cbs) == 0) {
@@ -1749,11 +1737,6 @@
return 0;
}
- if (s->tlsext_debug_cb) {
- s->tlsext_debug_cb(s, 1, type, (uint8_t *)CBS_data(&extension),
- CBS_len(&extension), s->tlsext_debug_arg);
- }
-
if (type == TLSEXT_TYPE_server_name) {
/* The extension must be empty. */
if (CBS_len(&extension) != 0) {
@@ -1987,9 +1970,9 @@
/* If we are client and using an elliptic curve cryptography cipher suite,
* then if server returns an EC point formats lists extension it must contain
* uncompressed. */
- unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
- unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- if (((alg_k & SSL_kEECDH) || (alg_a & SSL_aECDSA)) &&
+ uint32_t alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+ uint32_t alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ if (((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA)) &&
!tls1_check_point_format(s, TLSEXT_ECPOINTFORMAT_uncompressed)) {
OPENSSL_PUT_ERROR(SSL, ssl_check_serverhello_tlsext,
SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
@@ -2001,7 +1984,7 @@
ret = s->ctx->tlsext_servername_callback(s, &al,
s->ctx->tlsext_servername_arg);
} else if (s->initial_ctx != NULL &&
- s->initial_ctx->tlsext_servername_callback != 0) {
+ s->initial_ctx->tlsext_servername_callback != 0) {
ret = s->initial_ctx->tlsext_servername_callback(
s, &al, s->initial_ctx->tlsext_servername_arg);
}
@@ -2133,8 +2116,11 @@
EVP_CIPHER_CTX ctx;
SSL_CTX *tctx = s->initial_ctx;
- /* Need at least keyname + iv + some encrypted data */
- if (eticklen < 48) {
+ /* Ensure there is room for the key name and the largest IV
+ * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower, but
+ * the maximum IV length should be well under the minimum size for the
+ * session material and HMAC. */
+ if (eticklen < 16 + EVP_MAX_IV_LENGTH) {
return 2;
}
@@ -2143,7 +2129,8 @@
EVP_CIPHER_CTX_init(&ctx);
if (tctx->tlsext_ticket_key_cb) {
uint8_t *nctick = (uint8_t *)etick;
- int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, &ctx, &hctx, 0);
+ int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16, &ctx, &hctx,
+ 0 /* decrypt */);
if (rv < 0) {
return -1;
}
@@ -2168,13 +2155,13 @@
}
}
- /* Attempt to process session ticket, first conduct sanity and integrity
- * checks on ticket. */
+ /* First, check the MAC. The MAC is at the end of the ticket. */
mlen = HMAC_size(&hctx);
- if (mlen < 0) {
+ if ((size_t) eticklen < 16 + EVP_CIPHER_CTX_iv_length(&ctx) + 1 + mlen) {
+ /* The ticket must be large enough for key name, IV, data, and MAC. */
HMAC_CTX_cleanup(&hctx);
EVP_CIPHER_CTX_cleanup(&ctx);
- return -1;
+ return 2;
}
eticklen -= mlen;
/* Check HMAC of encrypted ticket */
@@ -2407,10 +2394,9 @@
TLS_SIGALGS *salgs = NULL;
CERT *c = s->cert;
- if (c->shared_sigalgs) {
- OPENSSL_free(c->shared_sigalgs);
- c->shared_sigalgs = NULL;
- }
+ OPENSSL_free(c->shared_sigalgs);
+ c->shared_sigalgs = NULL;
+ c->shared_sigalgslen = 0;
/* If client use client signature algorithms if not NULL */
if (!s->server && c->client_sigalgs) {
@@ -2460,21 +2446,12 @@
return 1;
}
- /* Length must be even */
- if (CBS_len(sigalgs) % 2 != 0) {
+ if (CBS_len(sigalgs) % 2 != 0 ||
+ !CBS_stow(sigalgs, &c->peer_sigalgs, &c->peer_sigalgslen) ||
+ !tls1_set_shared_sigalgs(s)) {
return 0;
}
- /* Should never happen */
- if (!c) {
- return 0;
- }
-
- if (!CBS_stow(sigalgs, &c->peer_sigalgs, &c->peer_sigalgslen)) {
- return 0;
- }
-
- tls1_set_shared_sigalgs(s);
return 1;
}
@@ -2583,7 +2560,10 @@
if (s->s3->handshake_dgst[i] == NULL) {
continue;
}
- EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i]);
+ if (!EVP_MD_CTX_copy_ex(&ctx, s->s3->handshake_dgst[i])) {
+ EVP_MD_CTX_cleanup(&ctx);
+ return 0;
+ }
EVP_DigestFinal_ex(&ctx, temp_digest, &temp_digest_len);
EVP_DigestUpdate(md, temp_digest, temp_digest_len);
}
@@ -2650,15 +2630,11 @@
}
if (client) {
- if (c->client_sigalgs) {
- OPENSSL_free(c->client_sigalgs);
- }
+ OPENSSL_free(c->client_sigalgs);
c->client_sigalgs = sigalgs;
c->client_sigalgslen = salglen;
} else {
- if (c->conf_sigalgs) {
- OPENSSL_free(c->conf_sigalgs);
- }
+ OPENSSL_free(c->conf_sigalgs);
c->conf_sigalgs = sigalgs;
c->conf_sigalgslen = salglen;
}
diff --git a/src/ssl/t1_reneg.c b/src/ssl/t1_reneg.c
index 2d9fbc0..d0009c1 100644
--- a/src/ssl/t1_reneg.c
+++ b/src/ssl/t1_reneg.c
@@ -106,14 +106,14 @@
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com). */
-#include <stdio.h>
#include <assert.h>
+#include <stdio.h>
+#include <string.h>
#include <openssl/bytestring.h>
-#include <openssl/obj.h>
#include <openssl/err.h>
-#include "ssl_locl.h"
+#include "internal.h"
/* Add the client's renegotiation binding */
@@ -170,8 +170,7 @@
int maxlen) {
if (p) {
if (s->s3->previous_client_finished_len +
- s->s3->previous_server_finished_len + 1 >
- maxlen) {
+ s->s3->previous_server_finished_len + 1 > maxlen) {
OPENSSL_PUT_ERROR(SSL, ssl_add_serverhello_renegotiate_ext,
SSL_R_RENEGOTIATE_EXT_TOO_LONG);
return 0;
diff --git a/src/ssl/test/CMakeLists.txt b/src/ssl/test/CMakeLists.txt
index 9992360..a0d7a5e 100644
--- a/src/ssl/test/CMakeLists.txt
+++ b/src/ssl/test/CMakeLists.txt
@@ -11,6 +11,3 @@
)
target_link_libraries(bssl_shim ssl crypto)
-if (NOT APPLE AND NOT WIN32)
- target_link_libraries(bssl_shim dl)
-endif()
diff --git a/src/ssl/test/async_bio.cc b/src/ssl/test/async_bio.cc
index c007ffa..0534845 100644
--- a/src/ssl/test/async_bio.cc
+++ b/src/ssl/test/async_bio.cc
@@ -22,23 +22,23 @@
namespace {
-extern const BIO_METHOD async_bio_method;
+extern const BIO_METHOD g_async_bio_method;
-struct async_bio {
+struct AsyncBio {
bool datagram;
size_t read_quota;
size_t write_quota;
};
-async_bio *get_data(BIO *bio) {
- if (bio->method != &async_bio_method) {
+AsyncBio *GetData(BIO *bio) {
+ if (bio->method != &g_async_bio_method) {
return NULL;
}
- return (async_bio *)bio->ptr;
+ return (AsyncBio *)bio->ptr;
}
-static int async_write(BIO *bio, const char *in, int inl) {
- async_bio *a = get_data(bio);
+static int AsyncWrite(BIO *bio, const char *in, int inl) {
+ AsyncBio *a = GetData(bio);
if (a == NULL || bio->next_bio == NULL) {
return 0;
}
@@ -69,8 +69,8 @@
return ret;
}
-static int async_read(BIO *bio, char *out, int outl) {
- async_bio *a = get_data(bio);
+static int AsyncRead(BIO *bio, char *out, int outl) {
+ AsyncBio *a = GetData(bio);
if (a == NULL || bio->next_bio == NULL) {
return 0;
}
@@ -95,7 +95,7 @@
return ret;
}
-static long async_ctrl(BIO *bio, int cmd, long num, void *ptr) {
+static long AsyncCtrl(BIO *bio, int cmd, long num, void *ptr) {
if (bio->next_bio == NULL) {
return 0;
}
@@ -105,8 +105,8 @@
return ret;
}
-static int async_new(BIO *bio) {
- async_bio *a = (async_bio *)OPENSSL_malloc(sizeof(*a));
+static int AsyncNew(BIO *bio) {
+ AsyncBio *a = (AsyncBio *)OPENSSL_malloc(sizeof(*a));
if (a == NULL) {
return 0;
}
@@ -116,7 +116,7 @@
return 1;
}
-static int async_free(BIO *bio) {
+static int AsyncFree(BIO *bio) {
if (bio == NULL) {
return 0;
}
@@ -128,51 +128,51 @@
return 1;
}
-static long async_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
+static long AsyncCallbackCtrl(BIO *bio, int cmd, bio_info_cb fp) {
if (bio->next_bio == NULL) {
return 0;
}
return BIO_callback_ctrl(bio->next_bio, cmd, fp);
}
-const BIO_METHOD async_bio_method = {
+const BIO_METHOD g_async_bio_method = {
BIO_TYPE_FILTER,
"async bio",
- async_write,
- async_read,
+ AsyncWrite,
+ AsyncRead,
NULL /* puts */,
NULL /* gets */,
- async_ctrl,
- async_new,
- async_free,
- async_callback_ctrl,
+ AsyncCtrl,
+ AsyncNew,
+ AsyncFree,
+ AsyncCallbackCtrl,
};
} // namespace
-BIO *async_bio_create() {
- return BIO_new(&async_bio_method);
+ScopedBIO AsyncBioCreate() {
+ return ScopedBIO(BIO_new(&g_async_bio_method));
}
-BIO *async_bio_create_datagram() {
- BIO *ret = BIO_new(&async_bio_method);
+ScopedBIO AsyncBioCreateDatagram() {
+ ScopedBIO ret(BIO_new(&g_async_bio_method));
if (!ret) {
- return NULL;
+ return nullptr;
}
- get_data(ret)->datagram = true;
+ GetData(ret.get())->datagram = true;
return ret;
}
-void async_bio_allow_read(BIO *bio, size_t count) {
- async_bio *a = get_data(bio);
+void AsyncBioAllowRead(BIO *bio, size_t count) {
+ AsyncBio *a = GetData(bio);
if (a == NULL) {
return;
}
a->read_quota += count;
}
-void async_bio_allow_write(BIO *bio, size_t count) {
- async_bio *a = get_data(bio);
+void AsyncBioAllowWrite(BIO *bio, size_t count) {
+ AsyncBio *a = GetData(bio);
if (a == NULL) {
return;
}
diff --git a/src/ssl/test/async_bio.h b/src/ssl/test/async_bio.h
index 2904036..1ccdf9b 100644
--- a/src/ssl/test/async_bio.h
+++ b/src/ssl/test/async_bio.h
@@ -17,24 +17,26 @@
#include <openssl/bio.h>
+#include "../../crypto/test/scoped_types.h"
-// async_bio_create creates a filter BIO for testing asynchronous state
+
+// AsyncBioCreate creates a filter BIO for testing asynchronous state
// machines which consume a stream socket. Reads and writes will fail
// and return EAGAIN unless explicitly allowed. Each async BIO has a
// read quota and a write quota. Initially both are zero. As each is
// incremented, bytes are allowed to flow through the BIO.
-BIO *async_bio_create();
+ScopedBIO AsyncBioCreate();
-// async_bio_create_datagram creates a filter BIO for testing for
+// AsyncBioCreateDatagram creates a filter BIO for testing for
// asynchronous state machines which consume datagram sockets. The read
// and write quota count in packets rather than bytes.
-BIO *async_bio_create_datagram();
+ScopedBIO AsyncBioCreateDatagram();
-// async_bio_allow_read increments |bio|'s read quota by |count|.
-void async_bio_allow_read(BIO *bio, size_t count);
+// AsyncBioAllowRead increments |bio|'s read quota by |count|.
+void AsyncBioAllowRead(BIO *bio, size_t count);
-// async_bio_allow_write increments |bio|'s write quota by |count|.
-void async_bio_allow_write(BIO *bio, size_t count);
+// AsyncBioAllowWrite increments |bio|'s write quota by |count|.
+void AsyncBioAllowWrite(BIO *bio, size_t count);
#endif // HEADER_ASYNC_BIO
diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc
index 37891b9..1cf96f2 100644
--- a/src/ssl/test/bssl_shim.cc
+++ b/src/ssl/test/bssl_shim.cc
@@ -17,9 +17,19 @@
#if !defined(OPENSSL_WINDOWS)
#include <arpa/inet.h>
#include <netinet/in.h>
+#include <netinet/tcp.h>
#include <signal.h>
#include <sys/socket.h>
+#include <sys/types.h>
#include <unistd.h>
+#else
+#include <io.h>
+#pragma warning(push, 3)
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#pragma warning(pop)
+
+#pragma comment(lib, "Ws2_32.lib")
#endif
#include <string.h>
@@ -28,126 +38,198 @@
#include <openssl/bio.h>
#include <openssl/buf.h>
#include <openssl/bytestring.h>
+#include <openssl/err.h>
#include <openssl/ssl.h>
+#include <memory>
+#include <vector>
+
+#include "../../crypto/test/scoped_types.h"
#include "async_bio.h"
#include "packeted_bio.h"
+#include "scoped_types.h"
#include "test_config.h"
-static int usage(const char *program) {
- fprintf(stderr, "Usage: %s [flags...]\n",
- program);
+
+#if !defined(OPENSSL_WINDOWS)
+static int closesocket(int sock) {
+ return close(sock);
+}
+
+static void PrintSocketError(const char *func) {
+ perror(func);
+}
+#else
+static void PrintSocketError(const char *func) {
+ fprintf(stderr, "%s: %d\n", func, WSAGetLastError());
+}
+#endif
+
+static int Usage(const char *program) {
+ fprintf(stderr, "Usage: %s [flags...]\n", program);
return 1;
}
-static int g_ex_data_index = 0;
+struct TestState {
+ TestState() {
+ // MSVC cannot initialize these inline.
+ memset(&clock, 0, sizeof(clock));
+ memset(&clock_delta, 0, sizeof(clock_delta));
+ }
+
+ // async_bio is async BIO which pauses reads and writes.
+ BIO *async_bio = nullptr;
+ // clock is the current time for the SSL connection.
+ timeval clock;
+ // clock_delta is how far the clock advanced in the most recent failed
+ // |BIO_read|.
+ timeval clock_delta;
+ ScopedEVP_PKEY channel_id;
+ bool cert_ready = false;
+ ScopedSSL_SESSION session;
+ ScopedSSL_SESSION pending_session;
+ bool early_callback_called = false;
+ bool handshake_done = false;
+};
+
+static void TestStateExFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+ int index, long argl, void *argp) {
+ delete ((TestState *)ptr);
+}
+
+static int g_config_index = 0;
+static int g_state_index = 0;
static bool SetConfigPtr(SSL *ssl, const TestConfig *config) {
- return SSL_set_ex_data(ssl, g_ex_data_index, (void *)config) == 1;
+ return SSL_set_ex_data(ssl, g_config_index, (void *)config) == 1;
}
-static const TestConfig *GetConfigPtr(SSL *ssl) {
- return (const TestConfig *)SSL_get_ex_data(ssl, g_ex_data_index);
+static const TestConfig *GetConfigPtr(const SSL *ssl) {
+ return (const TestConfig *)SSL_get_ex_data(ssl, g_config_index);
}
-static EVP_PKEY *LoadPrivateKey(const std::string &file) {
- BIO *bio = BIO_new(BIO_s_file());
- if (bio == NULL) {
- return NULL;
+static bool SetTestState(SSL *ssl, std::unique_ptr<TestState> async) {
+ if (SSL_set_ex_data(ssl, g_state_index, (void *)async.get()) == 1) {
+ async.release();
+ return true;
}
- if (!BIO_read_filename(bio, file.c_str())) {
- BIO_free(bio);
- return NULL;
+ return false;
+}
+
+static TestState *GetTestState(const SSL *ssl) {
+ return (TestState *)SSL_get_ex_data(ssl, g_state_index);
+}
+
+static ScopedEVP_PKEY LoadPrivateKey(const std::string &file) {
+ ScopedBIO bio(BIO_new(BIO_s_file()));
+ if (!bio || !BIO_read_filename(bio.get(), file.c_str())) {
+ return nullptr;
}
- EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
- BIO_free(bio);
+ ScopedEVP_PKEY pkey(PEM_read_bio_PrivateKey(bio.get(), NULL, NULL, NULL));
return pkey;
}
-static int early_callback_called = 0;
-
-static int select_certificate_callback(const struct ssl_early_callback_ctx *ctx) {
- early_callback_called = 1;
-
- const TestConfig *config = GetConfigPtr(ctx->ssl);
-
- if (config->expected_server_name.empty()) {
- return 1;
- }
-
- const uint8_t *extension_data;
- size_t extension_len;
- CBS extension, server_name_list, host_name;
- uint8_t name_type;
-
- if (!SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,
- &extension_data,
- &extension_len)) {
- fprintf(stderr, "Could not find server_name extension.\n");
- return -1;
- }
-
- CBS_init(&extension, extension_data, extension_len);
- if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||
- CBS_len(&extension) != 0 ||
- !CBS_get_u8(&server_name_list, &name_type) ||
- name_type != TLSEXT_NAMETYPE_host_name ||
- !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
- CBS_len(&server_name_list) != 0) {
- fprintf(stderr, "Could not decode server_name extension.\n");
- return -1;
- }
-
- if (!CBS_mem_equal(&host_name,
- (const uint8_t*)config->expected_server_name.data(),
- config->expected_server_name.size())) {
- fprintf(stderr, "Server name mismatch.\n");
- }
-
- return 1;
-}
-
-static int skip_verify(int preverify_ok, X509_STORE_CTX *store_ctx) {
- return 1;
-}
-
-static int next_protos_advertised_callback(SSL *ssl,
- const uint8_t **out,
- unsigned int *out_len,
- void *arg) {
+static bool InstallCertificate(SSL *ssl) {
const TestConfig *config = GetConfigPtr(ssl);
- if (config->advertise_npn.empty())
+ if (!config->key_file.empty() &&
+ !SSL_use_PrivateKey_file(ssl, config->key_file.c_str(),
+ SSL_FILETYPE_PEM)) {
+ return false;
+ }
+ if (!config->cert_file.empty() &&
+ !SSL_use_certificate_file(ssl, config->cert_file.c_str(),
+ SSL_FILETYPE_PEM)) {
+ return false;
+ }
+ return true;
+}
+
+static int SelectCertificateCallback(const struct ssl_early_callback_ctx *ctx) {
+ const TestConfig *config = GetConfigPtr(ctx->ssl);
+ GetTestState(ctx->ssl)->early_callback_called = true;
+
+ if (!config->expected_server_name.empty()) {
+ const uint8_t *extension_data;
+ size_t extension_len;
+ CBS extension, server_name_list, host_name;
+ uint8_t name_type;
+
+ if (!SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,
+ &extension_data,
+ &extension_len)) {
+ fprintf(stderr, "Could not find server_name extension.\n");
+ return -1;
+ }
+
+ CBS_init(&extension, extension_data, extension_len);
+ if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||
+ CBS_len(&extension) != 0 ||
+ !CBS_get_u8(&server_name_list, &name_type) ||
+ name_type != TLSEXT_NAMETYPE_host_name ||
+ !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
+ CBS_len(&server_name_list) != 0) {
+ fprintf(stderr, "Could not decode server_name extension.\n");
+ return -1;
+ }
+
+ if (!CBS_mem_equal(&host_name,
+ (const uint8_t*)config->expected_server_name.data(),
+ config->expected_server_name.size())) {
+ fprintf(stderr, "Server name mismatch.\n");
+ }
+ }
+
+ if (config->fail_early_callback) {
+ return -1;
+ }
+
+ // Install the certificate in the early callback.
+ if (config->use_early_callback) {
+ if (config->async) {
+ // Install the certificate asynchronously.
+ return 0;
+ }
+ if (!InstallCertificate(ctx->ssl)) {
+ return -1;
+ }
+ }
+ return 1;
+}
+
+static int SkipVerify(int preverify_ok, X509_STORE_CTX *store_ctx) {
+ return 1;
+}
+
+static int NextProtosAdvertisedCallback(SSL *ssl, const uint8_t **out,
+ unsigned int *out_len, void *arg) {
+ const TestConfig *config = GetConfigPtr(ssl);
+ if (config->advertise_npn.empty()) {
return SSL_TLSEXT_ERR_NOACK;
+ }
*out = (const uint8_t*)config->advertise_npn.data();
*out_len = config->advertise_npn.size();
return SSL_TLSEXT_ERR_OK;
}
-static int next_proto_select_callback(SSL* ssl,
- uint8_t** out,
- uint8_t* outlen,
- const uint8_t* in,
- unsigned inlen,
- void* arg) {
+static int NextProtoSelectCallback(SSL* ssl, uint8_t** out, uint8_t* outlen,
+ const uint8_t* in, unsigned inlen, void* arg) {
const TestConfig *config = GetConfigPtr(ssl);
- if (config->select_next_proto.empty())
+ if (config->select_next_proto.empty()) {
return SSL_TLSEXT_ERR_NOACK;
+ }
*out = (uint8_t*)config->select_next_proto.data();
*outlen = config->select_next_proto.size();
return SSL_TLSEXT_ERR_OK;
}
-static int alpn_select_callback(SSL* ssl,
- const uint8_t** out,
- uint8_t* outlen,
- const uint8_t* in,
- unsigned inlen,
- void* arg) {
+static int AlpnSelectCallback(SSL* ssl, const uint8_t** out, uint8_t* outlen,
+ const uint8_t* in, unsigned inlen, void* arg) {
const TestConfig *config = GetConfigPtr(ssl);
- if (config->select_alpn.empty())
+ if (config->select_alpn.empty()) {
return SSL_TLSEXT_ERR_NOACK;
+ }
if (!config->expected_advertised_alpn.empty() &&
(config->expected_advertised_alpn.size() != inlen ||
@@ -162,34 +244,10 @@
return SSL_TLSEXT_ERR_OK;
}
-static int cookie_generate_callback(SSL *ssl, uint8_t *cookie, size_t *cookie_len) {
- if (*cookie_len < 32) {
- fprintf(stderr, "Insufficient space for cookie\n");
- return 0;
- }
- *cookie_len = 32;
- memset(cookie, 42, *cookie_len);
- return 1;
-}
-
-static int cookie_verify_callback(SSL *ssl, const uint8_t *cookie, size_t cookie_len) {
- if (cookie_len != 32) {
- fprintf(stderr, "Cookie length mismatch.\n");
- return 0;
- }
- for (size_t i = 0; i < cookie_len; i++) {
- if (cookie[i] != 42) {
- fprintf(stderr, "Cookie mismatch.\n");
- return 0;
- }
- }
- return 1;
-}
-
-static unsigned psk_client_callback(SSL *ssl, const char *hint,
- char *out_identity,
- unsigned max_identity_len,
- uint8_t *out_psk, unsigned max_psk_len) {
+static unsigned PskClientCallback(SSL *ssl, const char *hint,
+ char *out_identity,
+ unsigned max_identity_len,
+ uint8_t *out_psk, unsigned max_psk_len) {
const TestConfig *config = GetConfigPtr(ssl);
if (strcmp(hint ? hint : "", config->psk_identity.c_str()) != 0) {
@@ -210,8 +268,8 @@
return config->psk.size();
}
-static unsigned psk_server_callback(SSL *ssl, const char *identity,
- uint8_t *out_psk, unsigned max_psk_len) {
+static unsigned PskServerCallback(SSL *ssl, const char *identity,
+ uint8_t *out_psk, unsigned max_psk_len) {
const TestConfig *config = GetConfigPtr(ssl);
if (strcmp(identity, config->psk_identity.c_str()) != 0) {
@@ -228,13 +286,124 @@
return config->psk.size();
}
-static SSL_CTX *setup_ctx(const TestConfig *config) {
- SSL_CTX *ssl_ctx = NULL;
- DH *dh = NULL;
+static void CurrentTimeCallback(const SSL *ssl, timeval *out_clock) {
+ *out_clock = GetTestState(ssl)->clock;
+}
- ssl_ctx = SSL_CTX_new(config->is_dtls ? DTLS_method() : TLS_method());
- if (ssl_ctx == NULL) {
- goto err;
+static void ChannelIdCallback(SSL *ssl, EVP_PKEY **out_pkey) {
+ *out_pkey = GetTestState(ssl)->channel_id.release();
+}
+
+static int CertCallback(SSL *ssl, void *arg) {
+ if (!GetTestState(ssl)->cert_ready) {
+ return -1;
+ }
+ if (!InstallCertificate(ssl)) {
+ return 0;
+ }
+ return 1;
+}
+
+static SSL_SESSION *GetSessionCallback(SSL *ssl, uint8_t *data, int len,
+ int *copy) {
+ TestState *async_state = GetTestState(ssl);
+ if (async_state->session) {
+ *copy = 0;
+ return async_state->session.release();
+ } else if (async_state->pending_session) {
+ return SSL_magic_pending_session_ptr();
+ } else {
+ return NULL;
+ }
+}
+
+static int DDoSCallback(const struct ssl_early_callback_ctx *early_context) {
+ const TestConfig *config = GetConfigPtr(early_context->ssl);
+ static int callback_num = 0;
+
+ callback_num++;
+ if (config->fail_ddos_callback ||
+ (config->fail_second_ddos_callback && callback_num == 2)) {
+ return 0;
+ }
+ return 1;
+}
+
+static void InfoCallback(const SSL *ssl, int type, int val) {
+ if (type == SSL_CB_HANDSHAKE_DONE) {
+ if (GetConfigPtr(ssl)->handshake_never_done) {
+ fprintf(stderr, "handshake completed\n");
+ // Abort before any expected error code is printed, to ensure the overall
+ // test fails.
+ abort();
+ }
+ GetTestState(ssl)->handshake_done = true;
+ }
+}
+
+// Connect returns a new socket connected to localhost on |port| or -1 on
+// error.
+static int Connect(uint16_t port) {
+ int sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock == -1) {
+ PrintSocketError("socket");
+ return -1;
+ }
+ int nodelay = 1;
+ if (setsockopt(sock, IPPROTO_TCP, TCP_NODELAY,
+ reinterpret_cast<const char*>(&nodelay), sizeof(nodelay)) != 0) {
+ PrintSocketError("setsockopt");
+ closesocket(sock);
+ return -1;
+ }
+ sockaddr_in sin;
+ memset(&sin, 0, sizeof(sin));
+ sin.sin_family = AF_INET;
+ sin.sin_port = htons(port);
+ if (!inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr)) {
+ PrintSocketError("inet_pton");
+ closesocket(sock);
+ return -1;
+ }
+ if (connect(sock, reinterpret_cast<const sockaddr*>(&sin),
+ sizeof(sin)) != 0) {
+ PrintSocketError("connect");
+ closesocket(sock);
+ return -1;
+ }
+ return sock;
+}
+
+class SocketCloser {
+ public:
+ explicit SocketCloser(int sock) : sock_(sock) {}
+ ~SocketCloser() {
+ // Half-close and drain the socket before releasing it. This seems to be
+ // necessary for graceful shutdown on Windows. It will also avoid write
+ // failures in the test runner.
+#if defined(OPENSSL_WINDOWS)
+ shutdown(sock_, SD_SEND);
+#else
+ shutdown(sock_, SHUT_WR);
+#endif
+ while (true) {
+ char buf[1024];
+ if (recv(sock_, buf, sizeof(buf), 0) <= 0) {
+ break;
+ }
+ }
+ closesocket(sock_);
+ }
+
+ private:
+ const int sock_;
+};
+
+static ScopedSSL_CTX SetupCtx(const TestConfig *config) {
+ ScopedSSL_CTX ssl_ctx(SSL_CTX_new(
+ config->is_dtls ? DTLS_method() : TLS_method()));
+ if (!ssl_ctx) {
+ return nullptr;
}
if (config->is_dtls) {
@@ -242,376 +411,473 @@
//
// TODO(davidben): this should not be necessary. DTLS code should only
// expect a datagram BIO.
- SSL_CTX_set_read_ahead(ssl_ctx, 1);
+ SSL_CTX_set_read_ahead(ssl_ctx.get(), 1);
}
- if (!SSL_CTX_set_ecdh_auto(ssl_ctx, 1)) {
- goto err;
+ if (!SSL_CTX_set_cipher_list(ssl_ctx.get(), "ALL")) {
+ return nullptr;
}
- if (!SSL_CTX_set_cipher_list(ssl_ctx, "ALL")) {
- goto err;
+ ScopedDH dh(DH_get_2048_256(NULL));
+ if (!dh || !SSL_CTX_set_tmp_dh(ssl_ctx.get(), dh.get())) {
+ return nullptr;
}
- dh = DH_get_2048_256(NULL);
- if (dh == NULL ||
- !SSL_CTX_set_tmp_dh(ssl_ctx, dh)) {
- goto err;
+ if (config->async && config->is_server) {
+ // Disable the internal session cache. To test asynchronous session lookup,
+ // we use an external session cache.
+ SSL_CTX_set_session_cache_mode(
+ ssl_ctx.get(), SSL_SESS_CACHE_BOTH | SSL_SESS_CACHE_NO_INTERNAL);
+ SSL_CTX_sess_set_get_cb(ssl_ctx.get(), GetSessionCallback);
+ } else {
+ SSL_CTX_set_session_cache_mode(ssl_ctx.get(), SSL_SESS_CACHE_BOTH);
}
- SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_BOTH);
-
- ssl_ctx->select_certificate_cb = select_certificate_callback;
+ ssl_ctx->select_certificate_cb = SelectCertificateCallback;
SSL_CTX_set_next_protos_advertised_cb(
- ssl_ctx, next_protos_advertised_callback, NULL);
+ ssl_ctx.get(), NextProtosAdvertisedCallback, NULL);
if (!config->select_next_proto.empty()) {
- SSL_CTX_set_next_proto_select_cb(ssl_ctx, next_proto_select_callback, NULL);
+ SSL_CTX_set_next_proto_select_cb(ssl_ctx.get(), NextProtoSelectCallback,
+ NULL);
}
if (!config->select_alpn.empty()) {
- SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_callback, NULL);
+ SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), AlpnSelectCallback, NULL);
}
- SSL_CTX_set_cookie_generate_cb(ssl_ctx, cookie_generate_callback);
- SSL_CTX_set_cookie_verify_cb(ssl_ctx, cookie_verify_callback);
-
ssl_ctx->tlsext_channel_id_enabled_new = 1;
+ SSL_CTX_set_channel_id_cb(ssl_ctx.get(), ChannelIdCallback);
- DH_free(dh);
+ ssl_ctx->current_time_cb = CurrentTimeCallback;
+
+ SSL_CTX_set_info_callback(ssl_ctx.get(), InfoCallback);
+
return ssl_ctx;
-
- err:
- if (dh != NULL) {
- DH_free(dh);
- }
- if (ssl_ctx != NULL) {
- SSL_CTX_free(ssl_ctx);
- }
- return NULL;
}
-static int retry_async(SSL *ssl, int ret, BIO *bio) {
+// RetryAsync is called after a failed operation on |ssl| with return code
+// |ret|. If the operation should be retried, it simulates one asynchronous
+// event and returns true. Otherwise it returns false.
+static bool RetryAsync(SSL *ssl, int ret) {
// No error; don't retry.
if (ret >= 0) {
- return 0;
+ return false;
}
+
+ TestState *test_state = GetTestState(ssl);
+ if (test_state->clock_delta.tv_usec != 0 ||
+ test_state->clock_delta.tv_sec != 0) {
+ // Process the timeout and retry.
+ test_state->clock.tv_usec += test_state->clock_delta.tv_usec;
+ test_state->clock.tv_sec += test_state->clock.tv_usec / 1000000;
+ test_state->clock.tv_usec %= 1000000;
+ test_state->clock.tv_sec += test_state->clock_delta.tv_sec;
+ memset(&test_state->clock_delta, 0, sizeof(test_state->clock_delta));
+
+ if (DTLSv1_handle_timeout(ssl) < 0) {
+ fprintf(stderr, "Error retransmitting.\n");
+ return false;
+ }
+ return true;
+ }
+
// See if we needed to read or write more. If so, allow one byte through on
// the appropriate end to maximally stress the state machine.
- int err = SSL_get_error(ssl, ret);
- if (err == SSL_ERROR_WANT_READ) {
- async_bio_allow_read(bio, 1);
- return 1;
- } else if (err == SSL_ERROR_WANT_WRITE) {
- async_bio_allow_write(bio, 1);
- return 1;
+ switch (SSL_get_error(ssl, ret)) {
+ case SSL_ERROR_WANT_READ:
+ AsyncBioAllowRead(test_state->async_bio, 1);
+ return true;
+ case SSL_ERROR_WANT_WRITE:
+ AsyncBioAllowWrite(test_state->async_bio, 1);
+ return true;
+ case SSL_ERROR_WANT_CHANNEL_ID_LOOKUP: {
+ ScopedEVP_PKEY pkey = LoadPrivateKey(GetConfigPtr(ssl)->send_channel_id);
+ if (!pkey) {
+ return false;
+ }
+ test_state->channel_id = std::move(pkey);
+ return true;
+ }
+ case SSL_ERROR_WANT_X509_LOOKUP:
+ test_state->cert_ready = true;
+ return true;
+ case SSL_ERROR_PENDING_SESSION:
+ test_state->session = std::move(test_state->pending_session);
+ return true;
+ case SSL_ERROR_PENDING_CERTIFICATE:
+ // The handshake will resume without a second call to the early callback.
+ return InstallCertificate(ssl);
+ default:
+ return false;
}
- return 0;
}
-static int do_exchange(SSL_SESSION **out_session,
- SSL_CTX *ssl_ctx,
- const TestConfig *config,
- bool is_resume,
- int fd,
+// DoRead reads from |ssl|, resolving any asynchronous operations. It returns
+// the result value of the final |SSL_read| call.
+static int DoRead(SSL *ssl, uint8_t *out, size_t max_out) {
+ const TestConfig *config = GetConfigPtr(ssl);
+ int ret;
+ do {
+ ret = SSL_read(ssl, out, max_out);
+ } while (config->async && RetryAsync(ssl, ret));
+ return ret;
+}
+
+// WriteAll writes |in_len| bytes from |in| to |ssl|, resolving any asynchronous
+// operations. It returns the result of the final |SSL_write| call.
+static int WriteAll(SSL *ssl, const uint8_t *in, size_t in_len) {
+ const TestConfig *config = GetConfigPtr(ssl);
+ int ret;
+ do {
+ ret = SSL_write(ssl, in, in_len);
+ if (ret > 0) {
+ in += ret;
+ in_len -= ret;
+ }
+ } while ((config->async && RetryAsync(ssl, ret)) || (ret > 0 && in_len > 0));
+ return ret;
+}
+
+// DoExchange runs a test SSL exchange against the peer. On success, it returns
+// true and sets |*out_session| to the negotiated SSL session. If the test is a
+// resumption attempt, |is_resume| is true and |session| is the session from the
+// previous exchange.
+static bool DoExchange(ScopedSSL_SESSION *out_session, SSL_CTX *ssl_ctx,
+ const TestConfig *config, bool is_resume,
SSL_SESSION *session) {
- early_callback_called = 0;
-
- SSL *ssl = SSL_new(ssl_ctx);
- if (ssl == NULL) {
- BIO_print_errors_fp(stdout);
- return 1;
+ ScopedSSL ssl(SSL_new(ssl_ctx));
+ if (!ssl) {
+ return false;
}
- if (!SetConfigPtr(ssl, config)) {
- BIO_print_errors_fp(stdout);
- return 1;
+ if (!SetConfigPtr(ssl.get(), config) ||
+ !SetTestState(ssl.get(), std::unique_ptr<TestState>(new TestState))) {
+ return false;
}
- if (config->fallback_scsv) {
- if (!SSL_enable_fallback_scsv(ssl)) {
- BIO_print_errors_fp(stdout);
- return 1;
- }
+ if (config->fallback_scsv &&
+ !SSL_set_mode(ssl.get(), SSL_MODE_SEND_FALLBACK_SCSV)) {
+ return false;
}
- if (!config->key_file.empty()) {
- if (!SSL_use_PrivateKey_file(ssl, config->key_file.c_str(),
- SSL_FILETYPE_PEM)) {
- BIO_print_errors_fp(stdout);
- return 1;
- }
- }
- if (!config->cert_file.empty()) {
- if (!SSL_use_certificate_file(ssl, config->cert_file.c_str(),
- SSL_FILETYPE_PEM)) {
- BIO_print_errors_fp(stdout);
- return 1;
+ if (!config->use_early_callback) {
+ if (config->async) {
+ // TODO(davidben): Also test |s->ctx->client_cert_cb| on the client.
+ SSL_set_cert_cb(ssl.get(), CertCallback, NULL);
+ } else if (!InstallCertificate(ssl.get())) {
+ return false;
}
}
if (config->require_any_client_certificate) {
- SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
- skip_verify);
+ SSL_set_verify(ssl.get(), SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ SkipVerify);
}
if (config->false_start) {
- SSL_set_mode(ssl, SSL_MODE_HANDSHAKE_CUTTHROUGH);
+ SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_FALSE_START);
}
if (config->cbc_record_splitting) {
- SSL_set_mode(ssl, SSL_MODE_CBC_RECORD_SPLITTING);
+ SSL_set_mode(ssl.get(), SSL_MODE_CBC_RECORD_SPLITTING);
}
if (config->partial_write) {
- SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
+ SSL_set_mode(ssl.get(), SSL_MODE_ENABLE_PARTIAL_WRITE);
}
if (config->no_tls12) {
- SSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
+ SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_2);
}
if (config->no_tls11) {
- SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
+ SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1_1);
}
if (config->no_tls1) {
- SSL_set_options(ssl, SSL_OP_NO_TLSv1);
+ SSL_set_options(ssl.get(), SSL_OP_NO_TLSv1);
}
if (config->no_ssl3) {
- SSL_set_options(ssl, SSL_OP_NO_SSLv3);
- }
- if (config->cookie_exchange) {
- SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);
+ SSL_set_options(ssl.get(), SSL_OP_NO_SSLv3);
}
if (config->tls_d5_bug) {
- SSL_set_options(ssl, SSL_OP_TLS_D5_BUG);
+ SSL_set_options(ssl.get(), SSL_OP_TLS_D5_BUG);
}
if (config->allow_unsafe_legacy_renegotiation) {
- SSL_set_options(ssl, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ SSL_set_options(ssl.get(), SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
}
if (!config->expected_channel_id.empty()) {
- SSL_enable_tls_channel_id(ssl);
+ SSL_enable_tls_channel_id(ssl.get());
}
if (!config->send_channel_id.empty()) {
- EVP_PKEY *pkey = LoadPrivateKey(config->send_channel_id);
- if (pkey == NULL) {
- BIO_print_errors_fp(stdout);
- return 1;
+ SSL_enable_tls_channel_id(ssl.get());
+ if (!config->async) {
+ // The async case will be supplied by |ChannelIdCallback|.
+ ScopedEVP_PKEY pkey = LoadPrivateKey(config->send_channel_id);
+ if (!pkey || !SSL_set1_tls_channel_id(ssl.get(), pkey.get())) {
+ return false;
+ }
}
- SSL_enable_tls_channel_id(ssl);
- if (!SSL_set1_tls_channel_id(ssl, pkey)) {
- EVP_PKEY_free(pkey);
- BIO_print_errors_fp(stdout);
- return 1;
- }
- EVP_PKEY_free(pkey);
}
- if (!config->host_name.empty()) {
- SSL_set_tlsext_host_name(ssl, config->host_name.c_str());
+ if (!config->host_name.empty() &&
+ !SSL_set_tlsext_host_name(ssl.get(), config->host_name.c_str())) {
+ return false;
}
- if (!config->advertise_alpn.empty()) {
- SSL_set_alpn_protos(ssl, (const uint8_t *)config->advertise_alpn.data(),
- config->advertise_alpn.size());
+ if (!config->advertise_alpn.empty() &&
+ SSL_set_alpn_protos(ssl.get(),
+ (const uint8_t *)config->advertise_alpn.data(),
+ config->advertise_alpn.size()) != 0) {
+ return false;
}
if (!config->psk.empty()) {
- SSL_set_psk_client_callback(ssl, psk_client_callback);
- SSL_set_psk_server_callback(ssl, psk_server_callback);
+ SSL_set_psk_client_callback(ssl.get(), PskClientCallback);
+ SSL_set_psk_server_callback(ssl.get(), PskServerCallback);
}
if (!config->psk_identity.empty() &&
- !SSL_use_psk_identity_hint(ssl, config->psk_identity.c_str())) {
- BIO_print_errors_fp(stdout);
- return 1;
+ !SSL_use_psk_identity_hint(ssl.get(), config->psk_identity.c_str())) {
+ return false;
}
if (!config->srtp_profiles.empty() &&
- !SSL_set_srtp_profiles(ssl, config->srtp_profiles.c_str())) {
- BIO_print_errors_fp(stdout);
- return 1;
+ !SSL_set_srtp_profiles(ssl.get(), config->srtp_profiles.c_str())) {
+ return false;
}
if (config->enable_ocsp_stapling &&
- !SSL_enable_ocsp_stapling(ssl)) {
- BIO_print_errors_fp(stdout);
- return 1;
+ !SSL_enable_ocsp_stapling(ssl.get())) {
+ return false;
}
if (config->enable_signed_cert_timestamps &&
- !SSL_enable_signed_cert_timestamps(ssl)) {
- BIO_print_errors_fp(stdout);
- return 1;
+ !SSL_enable_signed_cert_timestamps(ssl.get())) {
+ return false;
}
- SSL_enable_fastradio_padding(ssl, config->fastradio_padding);
+ SSL_enable_fastradio_padding(ssl.get(), config->fastradio_padding);
if (config->min_version != 0) {
- SSL_set_min_version(ssl, (uint16_t)config->min_version);
+ SSL_set_min_version(ssl.get(), (uint16_t)config->min_version);
}
if (config->max_version != 0) {
- SSL_set_max_version(ssl, (uint16_t)config->max_version);
+ SSL_set_max_version(ssl.get(), (uint16_t)config->max_version);
}
if (config->mtu != 0) {
- SSL_set_options(ssl, SSL_OP_NO_QUERY_MTU);
- SSL_set_mtu(ssl, config->mtu);
+ SSL_set_options(ssl.get(), SSL_OP_NO_QUERY_MTU);
+ SSL_set_mtu(ssl.get(), config->mtu);
+ }
+ if (config->install_ddos_callback) {
+ SSL_CTX_set_dos_protection_cb(ssl_ctx, DDoSCallback);
+ }
+ if (!config->cipher.empty() &&
+ !SSL_set_cipher_list(ssl.get(), config->cipher.c_str())) {
+ return false;
+ }
+ if (config->reject_peer_renegotiations) {
+ SSL_set_reject_peer_renegotiations(ssl.get(), 1);
}
- BIO *bio = BIO_new_fd(fd, 1 /* take ownership */);
- if (bio == NULL) {
- BIO_print_errors_fp(stdout);
- return 1;
+ int sock = Connect(config->port);
+ if (sock == -1) {
+ return false;
+ }
+ SocketCloser closer(sock);
+
+ ScopedBIO bio(BIO_new_socket(sock, BIO_NOCLOSE));
+ if (!bio) {
+ return false;
}
if (config->is_dtls) {
- BIO *packeted = packeted_bio_create();
- BIO_push(packeted, bio);
- bio = packeted;
+ ScopedBIO packeted =
+ PacketedBioCreate(&GetTestState(ssl.get())->clock_delta);
+ BIO_push(packeted.get(), bio.release());
+ bio = std::move(packeted);
}
if (config->async) {
- BIO *async =
- config->is_dtls ? async_bio_create_datagram() : async_bio_create();
- BIO_push(async, bio);
- bio = async;
+ ScopedBIO async_scoped =
+ config->is_dtls ? AsyncBioCreateDatagram() : AsyncBioCreate();
+ BIO_push(async_scoped.get(), bio.release());
+ GetTestState(ssl.get())->async_bio = async_scoped.get();
+ bio = std::move(async_scoped);
}
- SSL_set_bio(ssl, bio, bio);
+ SSL_set_bio(ssl.get(), bio.get(), bio.get());
+ bio.release(); // SSL_set_bio takes ownership.
if (session != NULL) {
- if (SSL_set_session(ssl, session) != 1) {
- fprintf(stderr, "failed to set session\n");
- return 2;
+ if (!config->is_server) {
+ if (SSL_set_session(ssl.get(), session) != 1) {
+ return false;
+ }
+ } else if (config->async) {
+ // The internal session cache is disabled, so install the session
+ // manually.
+ GetTestState(ssl.get())->pending_session.reset(
+ SSL_SESSION_up_ref(session));
}
}
int ret;
- do {
+ if (config->implicit_handshake) {
if (config->is_server) {
- ret = SSL_accept(ssl);
+ SSL_set_accept_state(ssl.get());
} else {
- ret = SSL_connect(ssl);
+ SSL_set_connect_state(ssl.get());
}
- } while (config->async && retry_async(ssl, ret, bio));
- if (ret != 1) {
- SSL_free(ssl);
- BIO_print_errors_fp(stdout);
- return 2;
- }
-
- if (is_resume && (!!SSL_session_reused(ssl) == config->expect_session_miss)) {
- fprintf(stderr, "session was%s reused\n",
- SSL_session_reused(ssl) ? "" : " not");
- return 2;
- }
-
- if (!config->expected_server_name.empty()) {
- const char *server_name =
- SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
- if (server_name != config->expected_server_name) {
- fprintf(stderr, "servername mismatch (got %s; want %s)\n",
- server_name, config->expected_server_name.c_str());
- return 2;
+ } else {
+ do {
+ if (config->is_server) {
+ ret = SSL_accept(ssl.get());
+ } else {
+ ret = SSL_connect(ssl.get());
+ }
+ } while (config->async && RetryAsync(ssl.get(), ret));
+ if (ret != 1) {
+ return false;
}
- if (!early_callback_called) {
+ if (is_resume &&
+ (!!SSL_session_reused(ssl.get()) == config->expect_session_miss)) {
+ fprintf(stderr, "session was%s reused\n",
+ SSL_session_reused(ssl.get()) ? "" : " not");
+ return false;
+ }
+
+ bool expect_handshake_done = is_resume || !config->false_start;
+ if (expect_handshake_done != GetTestState(ssl.get())->handshake_done) {
+ fprintf(stderr, "handshake was%s completed\n",
+ GetTestState(ssl.get())->handshake_done ? "" : " not");
+ return false;
+ }
+
+ if (config->is_server && !GetTestState(ssl.get())->early_callback_called) {
fprintf(stderr, "early callback not called\n");
- return 2;
+ return false;
}
- }
- if (!config->expected_certificate_types.empty()) {
- uint8_t *certificate_types;
- int num_certificate_types =
- SSL_get0_certificate_types(ssl, &certificate_types);
- if (num_certificate_types !=
- (int)config->expected_certificate_types.size() ||
- memcmp(certificate_types,
- config->expected_certificate_types.data(),
- num_certificate_types) != 0) {
- fprintf(stderr, "certificate types mismatch\n");
- return 2;
+ if (!config->expected_server_name.empty()) {
+ const char *server_name =
+ SSL_get_servername(ssl.get(), TLSEXT_NAMETYPE_host_name);
+ if (server_name != config->expected_server_name) {
+ fprintf(stderr, "servername mismatch (got %s; want %s)\n",
+ server_name, config->expected_server_name.c_str());
+ return false;
+ }
}
- }
- if (!config->expected_next_proto.empty()) {
- const uint8_t *next_proto;
- unsigned next_proto_len;
- SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
- if (next_proto_len != config->expected_next_proto.size() ||
- memcmp(next_proto, config->expected_next_proto.data(),
- next_proto_len) != 0) {
- fprintf(stderr, "negotiated next proto mismatch\n");
- return 2;
+ if (!config->expected_certificate_types.empty()) {
+ uint8_t *certificate_types;
+ int num_certificate_types =
+ SSL_get0_certificate_types(ssl.get(), &certificate_types);
+ if (num_certificate_types !=
+ (int)config->expected_certificate_types.size() ||
+ memcmp(certificate_types,
+ config->expected_certificate_types.data(),
+ num_certificate_types) != 0) {
+ fprintf(stderr, "certificate types mismatch\n");
+ return false;
+ }
}
- }
- if (!config->expected_alpn.empty()) {
- const uint8_t *alpn_proto;
- unsigned alpn_proto_len;
- SSL_get0_alpn_selected(ssl, &alpn_proto, &alpn_proto_len);
- if (alpn_proto_len != config->expected_alpn.size() ||
- memcmp(alpn_proto, config->expected_alpn.data(),
- alpn_proto_len) != 0) {
- fprintf(stderr, "negotiated alpn proto mismatch\n");
- return 2;
+ if (!config->expected_next_proto.empty()) {
+ const uint8_t *next_proto;
+ unsigned next_proto_len;
+ SSL_get0_next_proto_negotiated(ssl.get(), &next_proto, &next_proto_len);
+ if (next_proto_len != config->expected_next_proto.size() ||
+ memcmp(next_proto, config->expected_next_proto.data(),
+ next_proto_len) != 0) {
+ fprintf(stderr, "negotiated next proto mismatch\n");
+ return false;
+ }
}
- }
- if (!config->expected_channel_id.empty()) {
- uint8_t channel_id[64];
- if (!SSL_get_tls_channel_id(ssl, channel_id, sizeof(channel_id))) {
- fprintf(stderr, "no channel id negotiated\n");
- return 2;
+ if (!config->expected_alpn.empty()) {
+ const uint8_t *alpn_proto;
+ unsigned alpn_proto_len;
+ SSL_get0_alpn_selected(ssl.get(), &alpn_proto, &alpn_proto_len);
+ if (alpn_proto_len != config->expected_alpn.size() ||
+ memcmp(alpn_proto, config->expected_alpn.data(),
+ alpn_proto_len) != 0) {
+ fprintf(stderr, "negotiated alpn proto mismatch\n");
+ return false;
+ }
}
- if (config->expected_channel_id.size() != 64 ||
- memcmp(config->expected_channel_id.data(),
- channel_id, 64) != 0) {
- fprintf(stderr, "channel id mismatch\n");
- return 2;
- }
- }
- if (config->expect_extended_master_secret) {
- if (!ssl->session->extended_master_secret) {
- fprintf(stderr, "No EMS for session when expected");
- return 2;
+ if (!config->expected_channel_id.empty()) {
+ uint8_t channel_id[64];
+ if (!SSL_get_tls_channel_id(ssl.get(), channel_id, sizeof(channel_id))) {
+ fprintf(stderr, "no channel id negotiated\n");
+ return false;
+ }
+ if (config->expected_channel_id.size() != 64 ||
+ memcmp(config->expected_channel_id.data(),
+ channel_id, 64) != 0) {
+ fprintf(stderr, "channel id mismatch\n");
+ return false;
+ }
}
- }
- if (!config->expected_ocsp_response.empty()) {
- const uint8_t *data;
- size_t len;
- SSL_get0_ocsp_response(ssl, &data, &len);
- if (config->expected_ocsp_response.size() != len ||
- memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
- fprintf(stderr, "OCSP response mismatch\n");
- return 2;
+ if (config->expect_extended_master_secret) {
+ if (!ssl->session->extended_master_secret) {
+ fprintf(stderr, "No EMS for session when expected");
+ return false;
+ }
}
- }
- if (!config->expected_signed_cert_timestamps.empty()) {
- const uint8_t *data;
- size_t len;
- SSL_get0_signed_cert_timestamp_list(ssl, &data, &len);
- if (config->expected_signed_cert_timestamps.size() != len ||
- memcmp(config->expected_signed_cert_timestamps.data(),
- data, len) != 0) {
- fprintf(stderr, "SCT list mismatch\n");
- return 2;
+ if (!config->expected_ocsp_response.empty()) {
+ const uint8_t *data;
+ size_t len;
+ SSL_get0_ocsp_response(ssl.get(), &data, &len);
+ if (config->expected_ocsp_response.size() != len ||
+ memcmp(config->expected_ocsp_response.data(), data, len) != 0) {
+ fprintf(stderr, "OCSP response mismatch\n");
+ return false;
+ }
+ }
+
+ if (!config->expected_signed_cert_timestamps.empty()) {
+ const uint8_t *data;
+ size_t len;
+ SSL_get0_signed_cert_timestamp_list(ssl.get(), &data, &len);
+ if (config->expected_signed_cert_timestamps.size() != len ||
+ memcmp(config->expected_signed_cert_timestamps.data(),
+ data, len) != 0) {
+ fprintf(stderr, "SCT list mismatch\n");
+ return false;
+ }
}
}
if (config->renegotiate) {
if (config->async) {
- fprintf(stderr, "--renegotiate is not supported with --async.\n");
- return 2;
+ fprintf(stderr, "-renegotiate is not supported with -async.\n");
+ return false;
+ }
+ if (config->implicit_handshake) {
+ fprintf(stderr, "-renegotiate is not supported with -implicit-handshake.\n");
+ return false;
}
- SSL_renegotiate(ssl);
+ SSL_renegotiate(ssl.get());
- ret = SSL_do_handshake(ssl);
+ ret = SSL_do_handshake(ssl.get());
if (ret != 1) {
- SSL_free(ssl);
- BIO_print_errors_fp(stdout);
- return 2;
+ return false;
}
- SSL_set_state(ssl, SSL_ST_ACCEPT);
- ret = SSL_do_handshake(ssl);
+ SSL_set_state(ssl.get(), SSL_ST_ACCEPT);
+ ret = SSL_do_handshake(ssl.get());
if (ret != 1) {
- SSL_free(ssl);
- BIO_print_errors_fp(stdout);
- return 2;
+ return false;
+ }
+ }
+
+ if (config->export_keying_material > 0) {
+ std::vector<uint8_t> result(
+ static_cast<size_t>(config->export_keying_material));
+ if (!SSL_export_keying_material(
+ ssl.get(), result.data(), result.size(),
+ config->export_label.data(), config->export_label.size(),
+ reinterpret_cast<const uint8_t*>(config->export_context.data()),
+ config->export_context.size(), config->use_export_context)) {
+ fprintf(stderr, "failed to export keying material\n");
+ return false;
+ }
+ if (WriteAll(ssl.get(), result.data(), result.size()) < 0) {
+ return false;
}
}
if (config->write_different_record_sizes) {
if (config->is_dtls) {
fprintf(stderr, "write_different_record_sizes not supported for DTLS\n");
- return 6;
+ return false;
}
// This mode writes a number of different record sizes in an attempt to
// trip up the CBC record splitting code.
@@ -621,138 +887,123 @@
0, 1, 255, 256, 257, 16383, 16384, 16385, 32767, 32768, 32769};
for (size_t i = 0; i < sizeof(kRecordSizes) / sizeof(kRecordSizes[0]);
i++) {
- int w;
const size_t len = kRecordSizes[i];
- size_t off = 0;
-
if (len > sizeof(buf)) {
fprintf(stderr, "Bad kRecordSizes value.\n");
- return 5;
+ return false;
}
-
- do {
- w = SSL_write(ssl, buf + off, len - off);
- if (w > 0) {
- off += (size_t) w;
- }
- } while ((config->async && retry_async(ssl, w, bio)) ||
- (w > 0 && off < len));
-
- if (w < 0 || off != len) {
- SSL_free(ssl);
- BIO_print_errors_fp(stdout);
- return 4;
+ if (WriteAll(ssl.get(), buf, len) < 0) {
+ return false;
}
}
} else {
if (config->shim_writes_first) {
- int w;
- do {
- w = SSL_write(ssl, "hello", 5);
- } while (config->async && retry_async(ssl, w, bio));
+ if (WriteAll(ssl.get(), reinterpret_cast<const uint8_t *>("hello"),
+ 5) < 0) {
+ return false;
+ }
}
for (;;) {
uint8_t buf[512];
- int n;
- do {
- n = SSL_read(ssl, buf, sizeof(buf));
- } while (config->async && retry_async(ssl, n, bio));
- int err = SSL_get_error(ssl, n);
+ int n = DoRead(ssl.get(), buf, sizeof(buf));
+ int err = SSL_get_error(ssl.get(), n);
if (err == SSL_ERROR_ZERO_RETURN ||
(n == 0 && err == SSL_ERROR_SYSCALL)) {
if (n != 0) {
fprintf(stderr, "Invalid SSL_get_error output\n");
- return 3;
+ return false;
}
- /* Accept shutdowns with or without close_notify.
- * TODO(davidben): Write tests which distinguish these two cases. */
+ // Accept shutdowns with or without close_notify.
+ // TODO(davidben): Write tests which distinguish these two cases.
break;
} else if (err != SSL_ERROR_NONE) {
if (n > 0) {
fprintf(stderr, "Invalid SSL_get_error output\n");
- return 3;
+ return false;
}
- SSL_free(ssl);
- BIO_print_errors_fp(stdout);
- return 3;
+ return false;
}
- /* Successfully read data. */
+ // Successfully read data.
if (n <= 0) {
fprintf(stderr, "Invalid SSL_get_error output\n");
- return 3;
+ return false;
}
+
+ // After a successful read, with or without False Start, the handshake
+ // must be complete.
+ if (!GetTestState(ssl.get())->handshake_done) {
+ fprintf(stderr, "handshake was not completed after SSL_read\n");
+ return false;
+ }
+
for (int i = 0; i < n; i++) {
buf[i] ^= 0xff;
}
- int w;
- do {
- w = SSL_write(ssl, buf, n);
- } while (config->async && retry_async(ssl, w, bio));
- if (w != n) {
- SSL_free(ssl);
- BIO_print_errors_fp(stdout);
- return 4;
+ if (WriteAll(ssl.get(), buf, n) < 0) {
+ return false;
}
}
}
if (out_session) {
- *out_session = SSL_get1_session(ssl);
+ out_session->reset(SSL_get1_session(ssl.get()));
}
- SSL_shutdown(ssl);
- SSL_free(ssl);
- return 0;
+ SSL_shutdown(ssl.get());
+ return true;
}
int main(int argc, char **argv) {
-#if !defined(OPENSSL_WINDOWS)
+#if defined(OPENSSL_WINDOWS)
+ /* Initialize Winsock. */
+ WORD wsa_version = MAKEWORD(2, 2);
+ WSADATA wsa_data;
+ int wsa_err = WSAStartup(wsa_version, &wsa_data);
+ if (wsa_err != 0) {
+ fprintf(stderr, "WSAStartup failed: %d\n", wsa_err);
+ return 1;
+ }
+ if (wsa_data.wVersion != wsa_version) {
+ fprintf(stderr, "Didn't get expected version: %x\n", wsa_data.wVersion);
+ return 1;
+ }
+#else
signal(SIGPIPE, SIG_IGN);
#endif
if (!SSL_library_init()) {
return 1;
}
- g_ex_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
- if (g_ex_data_index < 0) {
+ g_config_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ g_state_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, TestStateExFree);
+ if (g_config_index < 0 || g_state_index < 0) {
return 1;
}
TestConfig config;
if (!ParseConfig(argc - 1, argv + 1, &config)) {
- return usage(argv[0]);
+ return Usage(argv[0]);
}
- SSL_CTX *ssl_ctx = setup_ctx(&config);
- if (ssl_ctx == NULL) {
- BIO_print_errors_fp(stdout);
+ ScopedSSL_CTX ssl_ctx = SetupCtx(&config);
+ if (!ssl_ctx) {
+ ERR_print_errors_fp(stderr);
return 1;
}
- SSL_SESSION *session = NULL;
- int ret = do_exchange(&session,
- ssl_ctx, &config,
- false /* is_resume */,
- 3 /* fd */, NULL /* session */);
- if (ret != 0) {
- goto out;
+ ScopedSSL_SESSION session;
+ if (!DoExchange(&session, ssl_ctx.get(), &config, false /* is_resume */,
+ NULL /* session */)) {
+ ERR_print_errors_fp(stderr);
+ return 1;
}
- if (config.resume) {
- ret = do_exchange(NULL,
- ssl_ctx, &config,
- true /* is_resume */,
- 4 /* fd */,
- config.is_server ? NULL : session);
- if (ret != 0) {
- goto out;
- }
+ if (config.resume &&
+ !DoExchange(NULL, ssl_ctx.get(), &config, true /* is_resume */,
+ session.get())) {
+ ERR_print_errors_fp(stderr);
+ return 1;
}
- ret = 0;
-
-out:
- SSL_SESSION_free(session);
- SSL_CTX_free(ssl_ctx);
- return ret;
+ return 0;
}
diff --git a/src/ssl/test/malloc.cc b/src/ssl/test/malloc.cc
index 6cc0b33..2ec5582 100644
--- a/src/ssl/test/malloc.cc
+++ b/src/ssl/test/malloc.cc
@@ -14,15 +14,24 @@
#include <openssl/base.h>
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define OPENSSL_ASAN
+#endif
+#endif
+
// This file isn't built on ARM or Aarch64 because we link statically in those
-// builds and trying to override malloc in a static link doesn't work.
-#if defined(__linux__) && !defined(OPENSSL_ARM) && !defined(OPENSSL_AARCH64)
+// builds and trying to override malloc in a static link doesn't work. It's also
+// disabled on ASan builds as this interferes with ASan's malloc interceptor.
+//
+// TODO(davidben): See if this and ASan's interceptors can be made to coexist.
+#if defined(__linux__) && !defined(OPENSSL_ARM) && \
+ !defined(OPENSSL_AARCH64) && !defined(OPENSSL_ASAN)
#include <stdint.h>
+#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
-#include <unistd.h>
-#include <stdio.h>
#include <new>
@@ -127,4 +136,4 @@
} // extern "C"
-#endif /* defined(linux) && !ARM && !AARCH64 */
+#endif /* defined(linux) && !ARM && !AARCH64 && !ASAN */
diff --git a/src/ssl/test/packeted_bio.cc b/src/ssl/test/packeted_bio.cc
index 93b2164..e831082 100644
--- a/src/ssl/test/packeted_bio.cc
+++ b/src/ssl/test/packeted_bio.cc
@@ -15,7 +15,8 @@
#include "packeted_bio.h"
#include <assert.h>
-#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
#include <string.h>
#include <openssl/mem.h>
@@ -23,58 +24,135 @@
namespace {
-extern const BIO_METHOD packeted_bio_method;
+extern const BIO_METHOD g_packeted_bio_method;
-static int packeted_write(BIO *bio, const char *in, int inl) {
+const uint8_t kOpcodePacket = 'P';
+const uint8_t kOpcodeTimeout = 'T';
+const uint8_t kOpcodeTimeoutAck = 't';
+
+// ReadAll reads |len| bytes from |bio| into |out|. It returns 1 on success and
+// 0 or -1 on error.
+static int ReadAll(BIO *bio, uint8_t *out, size_t len) {
+ while (len > 0) {
+ int chunk_len = INT_MAX;
+ if (len <= INT_MAX) {
+ chunk_len = (int)len;
+ }
+ int ret = BIO_read(bio, out, chunk_len);
+ if (ret <= 0) {
+ return ret;
+ }
+ out += ret;
+ len -= ret;
+ }
+ return 1;
+}
+
+static int PacketedWrite(BIO *bio, const char *in, int inl) {
if (bio->next_bio == NULL) {
return 0;
}
BIO_clear_retry_flags(bio);
- // Write the length prefix.
- uint8_t len_bytes[4];
- len_bytes[0] = (inl >> 24) & 0xff;
- len_bytes[1] = (inl >> 16) & 0xff;
- len_bytes[2] = (inl >> 8) & 0xff;
- len_bytes[3] = inl & 0xff;
- int ret = BIO_write(bio->next_bio, len_bytes, sizeof(len_bytes));
+ // Write the header.
+ uint8_t header[5];
+ header[0] = kOpcodePacket;
+ header[1] = (inl >> 24) & 0xff;
+ header[2] = (inl >> 16) & 0xff;
+ header[3] = (inl >> 8) & 0xff;
+ header[4] = inl & 0xff;
+ int ret = BIO_write(bio->next_bio, header, sizeof(header));
if (ret <= 0) {
BIO_copy_next_retry(bio);
return ret;
}
- // Write the buffer. BIOs for which this operation fails are not supported.
+ // Write the buffer.
ret = BIO_write(bio->next_bio, in, inl);
+ if (ret < 0 || (inl > 0 && ret == 0)) {
+ BIO_copy_next_retry(bio);
+ return ret;
+ }
assert(ret == inl);
return ret;
}
-static int packeted_read(BIO *bio, char *out, int outl) {
+static int PacketedRead(BIO *bio, char *out, int outl) {
if (bio->next_bio == NULL) {
return 0;
}
BIO_clear_retry_flags(bio);
- // Read the length prefix.
- uint8_t len_bytes[4];
- int ret = BIO_read(bio->next_bio, &len_bytes, sizeof(len_bytes));
+ // Read the opcode.
+ uint8_t opcode;
+ int ret = ReadAll(bio->next_bio, &opcode, sizeof(opcode));
if (ret <= 0) {
BIO_copy_next_retry(bio);
return ret;
}
- // BIOs for which a partial length comes back are not supported.
- assert(ret == 4);
+
+ if (opcode == kOpcodeTimeout) {
+ // Process the timeout.
+ uint8_t buf[8];
+ ret = ReadAll(bio->next_bio, buf, sizeof(buf));
+ if (ret <= 0) {
+ BIO_copy_next_retry(bio);
+ return ret;
+ }
+ uint64_t timeout = (static_cast<uint64_t>(buf[0]) << 56) |
+ (static_cast<uint64_t>(buf[1]) << 48) |
+ (static_cast<uint64_t>(buf[2]) << 40) |
+ (static_cast<uint64_t>(buf[3]) << 32) |
+ (static_cast<uint64_t>(buf[4]) << 24) |
+ (static_cast<uint64_t>(buf[5]) << 16) |
+ (static_cast<uint64_t>(buf[6]) << 8) |
+ static_cast<uint64_t>(buf[7]);
+ timeout /= 1000; // Convert nanoseconds to microseconds.
+ timeval *out_timeout = reinterpret_cast<timeval *>(bio->ptr);
+ assert(out_timeout->tv_usec == 0);
+ assert(out_timeout->tv_sec == 0);
+ out_timeout->tv_usec = timeout % 1000000;
+ out_timeout->tv_sec = timeout / 1000000;
+
+ // Send an ACK to the peer.
+ ret = BIO_write(bio->next_bio, &kOpcodeTimeoutAck, 1);
+ if (ret <= 0) {
+ return ret;
+ }
+ assert(ret == 1);
+
+ // Signal to the caller to retry the read, after processing the
+ // new clock.
+ BIO_set_retry_read(bio);
+ return -1;
+ }
+
+ if (opcode != kOpcodePacket) {
+ fprintf(stderr, "Unknown opcode, %u\n", opcode);
+ return -1;
+ }
+
+ // Read the length prefix.
+ uint8_t len_bytes[4];
+ ret = ReadAll(bio->next_bio, len_bytes, sizeof(len_bytes));
+ if (ret <= 0) {
+ BIO_copy_next_retry(bio);
+ return ret;
+ }
uint32_t len = (len_bytes[0] << 24) | (len_bytes[1] << 16) |
(len_bytes[2] << 8) | len_bytes[3];
- char *buf = (char *)OPENSSL_malloc(len);
+ uint8_t *buf = (uint8_t *)OPENSSL_malloc(len);
if (buf == NULL) {
return -1;
}
- ret = BIO_read(bio->next_bio, buf, len);
- assert(ret == (int)len);
+ ret = ReadAll(bio->next_bio, buf, len);
+ if (ret <= 0) {
+ fprintf(stderr, "Packeted BIO was truncated\n");
+ return -1;
+ }
if (outl > (int)len) {
outl = len;
@@ -84,7 +162,7 @@
return outl;
}
-static long packeted_ctrl(BIO *bio, int cmd, long num, void *ptr) {
+static long PacketedCtrl(BIO *bio, int cmd, long num, void *ptr) {
if (bio->next_bio == NULL) {
return 0;
}
@@ -94,12 +172,12 @@
return ret;
}
-static int packeted_new(BIO *bio) {
+static int PacketedNew(BIO *bio) {
bio->init = 1;
return 1;
}
-static int packeted_free(BIO *bio) {
+static int PacketedFree(BIO *bio) {
if (bio == NULL) {
return 0;
}
@@ -108,28 +186,33 @@
return 1;
}
-static long packeted_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
+static long PacketedCallbackCtrl(BIO *bio, int cmd, bio_info_cb fp) {
if (bio->next_bio == NULL) {
return 0;
}
return BIO_callback_ctrl(bio->next_bio, cmd, fp);
}
-const BIO_METHOD packeted_bio_method = {
+const BIO_METHOD g_packeted_bio_method = {
BIO_TYPE_FILTER,
"packeted bio",
- packeted_write,
- packeted_read,
+ PacketedWrite,
+ PacketedRead,
NULL /* puts */,
NULL /* gets */,
- packeted_ctrl,
- packeted_new,
- packeted_free,
- packeted_callback_ctrl,
+ PacketedCtrl,
+ PacketedNew,
+ PacketedFree,
+ PacketedCallbackCtrl,
};
} // namespace
-BIO *packeted_bio_create() {
- return BIO_new(&packeted_bio_method);
+ScopedBIO PacketedBioCreate(timeval *out_timeout) {
+ ScopedBIO bio(BIO_new(&g_packeted_bio_method));
+ if (!bio) {
+ return nullptr;
+ }
+ bio->ptr = out_timeout;
+ return bio;
}
diff --git a/src/ssl/test/packeted_bio.h b/src/ssl/test/packeted_bio.h
index 384bd64..30697a5 100644
--- a/src/ssl/test/packeted_bio.h
+++ b/src/ssl/test/packeted_bio.h
@@ -15,18 +15,30 @@
#ifndef HEADER_PACKETED_BIO
#define HEADER_PACKETED_BIO
+#include <openssl/base.h>
#include <openssl/bio.h>
+#include "../../crypto/test/scoped_types.h"
-// packeted_bio_create creates a filter BIO for testing protocols which expect
-// datagram BIOs. It implements a reliable datagram socket and reads and writes
-// packets by prefixing each packet with a big-endian 32-bit length. It must be
-// layered over a reliable blocking stream BIO.
+#if defined(OPENSSL_WINDOWS)
+#pragma warning(push, 3)
+#include <winsock2.h>
+#pragma warning(pop)
+#else
+#include <sys/types.h>
+#endif
+
+
+// PacketedBioCreate creates a filter BIO which implements a reliable in-order
+// blocking datagram socket. The resulting BIO, on |BIO_read|, may simulate a
+// timeout which sets |*out_timeout| to the timeout and fails the read.
+// |*out_timeout| must be zero on entry to |BIO_read|; it is an error to not
+// apply the timeout before the next |BIO_read|.
//
-// Note: packeted_bio_create exists because a SOCK_DGRAM socketpair on OS X is
-// does not block the caller, unlike on Linux. Writes simply fail with
-// ENOBUFS. POSIX also does not guarantee that such sockets are reliable.
-BIO *packeted_bio_create();
+// Note: The read timeout simulation is intended to be used with the async BIO
+// wrapper. It doesn't simulate BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, used in DTLS's
+// blocking mode.
+ScopedBIO PacketedBioCreate(timeval *out_timeout);
#endif // HEADER_PACKETED_BIO
diff --git a/src/ssl/test/runner/chacha20_poly1305.go b/src/ssl/test/runner/chacha20_poly1305.go
new file mode 100644
index 0000000..42911d4
--- /dev/null
+++ b/src/ssl/test/runner/chacha20_poly1305.go
@@ -0,0 +1,159 @@
+package main
+
+import (
+ "crypto/cipher"
+ "crypto/subtle"
+ "encoding/binary"
+ "errors"
+)
+
+// See draft-agl-tls-chacha20poly1305-04 and
+// draft-irtf-cfrg-chacha20-poly1305-10. Where the two differ, the
+// draft-agl-tls-chacha20poly1305-04 variant is implemented.
+
+func leftRotate(a uint32, n uint) uint32 {
+ return (a << n) | (a >> (32 - n))
+}
+
+func chaChaQuarterRound(state *[16]uint32, a, b, c, d int) {
+ state[a] += state[b]
+ state[d] = leftRotate(state[d]^state[a], 16)
+
+ state[c] += state[d]
+ state[b] = leftRotate(state[b]^state[c], 12)
+
+ state[a] += state[b]
+ state[d] = leftRotate(state[d]^state[a], 8)
+
+ state[c] += state[d]
+ state[b] = leftRotate(state[b]^state[c], 7)
+}
+
+func chaCha20Block(state *[16]uint32, out []byte) {
+ var workingState [16]uint32
+ copy(workingState[:], state[:])
+ for i := 0; i < 10; i++ {
+ chaChaQuarterRound(&workingState, 0, 4, 8, 12)
+ chaChaQuarterRound(&workingState, 1, 5, 9, 13)
+ chaChaQuarterRound(&workingState, 2, 6, 10, 14)
+ chaChaQuarterRound(&workingState, 3, 7, 11, 15)
+ chaChaQuarterRound(&workingState, 0, 5, 10, 15)
+ chaChaQuarterRound(&workingState, 1, 6, 11, 12)
+ chaChaQuarterRound(&workingState, 2, 7, 8, 13)
+ chaChaQuarterRound(&workingState, 3, 4, 9, 14)
+ }
+ for i := 0; i < 16; i++ {
+ binary.LittleEndian.PutUint32(out[i*4:i*4+4], workingState[i]+state[i])
+ }
+}
+
+// sliceForAppend takes a slice and a requested number of bytes. It returns a
+// slice with the contents of the given slice followed by that many bytes and a
+// second slice that aliases into it and contains only the extra bytes. If the
+// original slice has sufficient capacity then no allocation is performed.
+func sliceForAppend(in []byte, n int) (head, tail []byte) {
+ if total := len(in) + n; cap(in) >= total {
+ head = in[:total]
+ } else {
+ head = make([]byte, total)
+ copy(head, in)
+ }
+ tail = head[len(in):]
+ return
+}
+
+type chaCha20Poly1305 struct {
+ key [32]byte
+}
+
+func newChaCha20Poly1305(key []byte) (cipher.AEAD, error) {
+ if len(key) != 32 {
+ return nil, errors.New("bad key length")
+ }
+ aead := new(chaCha20Poly1305)
+ copy(aead.key[:], key)
+ return aead, nil
+}
+
+func (c *chaCha20Poly1305) NonceSize() int { return 8 }
+func (c *chaCha20Poly1305) Overhead() int { return 16 }
+
+func (c *chaCha20Poly1305) chaCha20(out, in, nonce []byte, counter uint64) {
+ var state [16]uint32
+ state[0] = 0x61707865
+ state[1] = 0x3320646e
+ state[2] = 0x79622d32
+ state[3] = 0x6b206574
+ for i := 0; i < 8; i++ {
+ state[4+i] = binary.LittleEndian.Uint32(c.key[i*4 : i*4+4])
+ }
+ state[14] = binary.LittleEndian.Uint32(nonce[0:4])
+ state[15] = binary.LittleEndian.Uint32(nonce[4:8])
+
+ for i := 0; i < len(in); i += 64 {
+ state[12] = uint32(counter & 0xffffffff)
+ state[13] = uint32(counter >> 32)
+
+ var tmp [64]byte
+ chaCha20Block(&state, tmp[:])
+ count := 64
+ if len(in)-i < count {
+ count = len(in) - i
+ }
+ for j := 0; j < count; j++ {
+ out[i+j] = in[i+j] ^ tmp[j]
+ }
+
+ counter++
+ }
+}
+
+func (c *chaCha20Poly1305) poly1305(tag *[16]byte, nonce, ciphertext, additionalData []byte) {
+ input := make([]byte, 0, len(additionalData)+8+len(ciphertext)+8)
+ input = append(input, additionalData...)
+ input, out := sliceForAppend(input, 8)
+ binary.LittleEndian.PutUint64(out, uint64(len(additionalData)))
+ input = append(input, ciphertext...)
+ input, out = sliceForAppend(input, 8)
+ binary.LittleEndian.PutUint64(out, uint64(len(ciphertext)))
+
+ var poly1305Key [32]byte
+ c.chaCha20(poly1305Key[:], poly1305Key[:], nonce, 0)
+
+ poly1305Sum(tag, input, &poly1305Key)
+}
+
+func (c *chaCha20Poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+ if len(nonce) != 8 {
+ panic("Bad nonce length")
+ }
+
+ ret, out := sliceForAppend(dst, len(plaintext)+16)
+ c.chaCha20(out[:len(plaintext)], plaintext, nonce, 1)
+
+ var tag [16]byte
+ c.poly1305(&tag, nonce, out[:len(plaintext)], additionalData)
+ copy(out[len(plaintext):], tag[:])
+
+ return ret
+}
+
+func (c *chaCha20Poly1305) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+ if len(nonce) != 8 {
+ panic("Bad nonce length")
+ }
+ if len(ciphertext) < 16 {
+ return nil, errors.New("chacha20: message authentication failed")
+ }
+ plaintextLen := len(ciphertext) - 16
+
+ var tag [16]byte
+ c.poly1305(&tag, nonce, ciphertext[:plaintextLen], additionalData)
+ if subtle.ConstantTimeCompare(tag[:], ciphertext[plaintextLen:]) != 1 {
+ return nil, errors.New("chacha20: message authentication failed")
+ }
+
+ ret, out := sliceForAppend(dst, plaintextLen)
+ c.chaCha20(out, ciphertext[:plaintextLen], nonce, 1)
+ return ret, nil
+}
diff --git a/src/ssl/test/runner/chacha20_poly1305_test.go b/src/ssl/test/runner/chacha20_poly1305_test.go
new file mode 100644
index 0000000..726f482
--- /dev/null
+++ b/src/ssl/test/runner/chacha20_poly1305_test.go
@@ -0,0 +1,99 @@
+package main
+
+import (
+ "bytes"
+ "encoding/hex"
+ "testing"
+)
+
+// See draft-irtf-cfrg-chacha20-poly1305-10, section 2.1.1.
+func TestChaChaQuarterRound(t *testing.T) {
+ state := [16]uint32{0x11111111, 0x01020304, 0x9b8d6f43, 0x01234567}
+ chaChaQuarterRound(&state, 0, 1, 2, 3)
+
+ a, b, c, d := state[0], state[1], state[2], state[3]
+ if a != 0xea2a92f4 || b != 0xcb1cf8ce || c != 0x4581472e || d != 0x5881c4bb {
+ t.Errorf("Incorrect results: %x", state)
+ }
+}
+
+// See draft-irtf-cfrg-chacha20-poly1305-10, section 2.2.1.
+func TestChaChaQuarterRoundState(t *testing.T) {
+ state := [16]uint32{
+ 0x879531e0, 0xc5ecf37d, 0x516461b1, 0xc9a62f8a,
+ 0x44c20ef3, 0x3390af7f, 0xd9fc690b, 0x2a5f714c,
+ 0x53372767, 0xb00a5631, 0x974c541a, 0x359e9963,
+ 0x5c971061, 0x3d631689, 0x2098d9d6, 0x91dbd320,
+ }
+ chaChaQuarterRound(&state, 2, 7, 8, 13)
+
+ expected := [16]uint32{
+ 0x879531e0, 0xc5ecf37d, 0xbdb886dc, 0xc9a62f8a,
+ 0x44c20ef3, 0x3390af7f, 0xd9fc690b, 0xcfacafd2,
+ 0xe46bea80, 0xb00a5631, 0x974c541a, 0x359e9963,
+ 0x5c971061, 0xccc07c79, 0x2098d9d6, 0x91dbd320,
+ }
+ for i := range state {
+ if state[i] != expected[i] {
+ t.Errorf("Mismatch at %d: %x vs %x", i, state, expected)
+ }
+ }
+}
+
+// See draft-irtf-cfrg-chacha20-poly1305-10, section 2.3.2.
+func TestChaCha20Block(t *testing.T) {
+ state := [16]uint32{
+ 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574,
+ 0x03020100, 0x07060504, 0x0b0a0908, 0x0f0e0d0c,
+ 0x13121110, 0x17161514, 0x1b1a1918, 0x1f1e1d1c,
+ 0x00000001, 0x09000000, 0x4a000000, 0x00000000,
+ }
+ out := make([]byte, 64)
+ chaCha20Block(&state, out)
+
+ expected := []byte{
+ 0x10, 0xf1, 0xe7, 0xe4, 0xd1, 0x3b, 0x59, 0x15,
+ 0x50, 0x0f, 0xdd, 0x1f, 0xa3, 0x20, 0x71, 0xc4,
+ 0xc7, 0xd1, 0xf4, 0xc7, 0x33, 0xc0, 0x68, 0x03,
+ 0x04, 0x22, 0xaa, 0x9a, 0xc3, 0xd4, 0x6c, 0x4e,
+ 0xd2, 0x82, 0x64, 0x46, 0x07, 0x9f, 0xaa, 0x09,
+ 0x14, 0xc2, 0xd7, 0x05, 0xd9, 0x8b, 0x02, 0xa2,
+ 0xb5, 0x12, 0x9c, 0xd1, 0xde, 0x16, 0x4e, 0xb9,
+ 0xcb, 0xd0, 0x83, 0xe8, 0xa2, 0x50, 0x3c, 0x4e,
+ }
+ if !bytes.Equal(out, expected) {
+ t.Errorf("Got %x, wanted %x", out, expected)
+ }
+}
+
+// See draft-agl-tls-chacha20poly1305-04, section 7.
+func TestChaCha20Poly1305(t *testing.T) {
+ key, _ := hex.DecodeString("4290bcb154173531f314af57f3be3b5006da371ece272afa1b5dbdd1100a1007")
+ input, _ := hex.DecodeString("86d09974840bded2a5ca")
+ nonce, _ := hex.DecodeString("cd7cf67be39c794a")
+ ad, _ := hex.DecodeString("87e229d4500845a079c0")
+ output, _ := hex.DecodeString("e3e446f7ede9a19b62a4677dabf4e3d24b876bb284753896e1d6")
+
+ aead, err := newChaCha20Poly1305(key)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ out, err := aead.Open(nil, nonce, output, ad)
+ if err != nil {
+ t.Errorf("Open failed: %s", err)
+ } else if !bytes.Equal(out, input) {
+ t.Errorf("Open gave %x, wanted %x", out, input)
+ }
+
+ out = aead.Seal(nil, nonce, input, ad)
+ if !bytes.Equal(out, output) {
+ t.Errorf("Open gave %x, wanted %x", out, output)
+ }
+
+ out[0]++
+ _, err = aead.Open(nil, nonce, out, ad)
+ if err == nil {
+ t.Errorf("Open on malformed data unexpectedly succeeded")
+ }
+}
diff --git a/src/ssl/test/runner/cipher_suites.go b/src/ssl/test/runner/cipher_suites.go
index 89e75c8..162c0c0 100644
--- a/src/ssl/test/runner/cipher_suites.go
+++ b/src/ssl/test/runner/cipher_suites.go
@@ -62,6 +62,11 @@
suitePSK
)
+type tlsAead struct {
+ cipher.AEAD
+ explicitNonce bool
+}
+
// A cipherSuite is a specific combination of key agreement, cipher and MAC
// function. All cipher suites currently assume RSA key agreement.
type cipherSuite struct {
@@ -75,12 +80,14 @@
flags int
cipher func(key, iv []byte, isRead bool) interface{}
mac func(version uint16, macKey []byte) macFunction
- aead func(key, fixedNonce []byte) cipher.AEAD
+ aead func(key, fixedNonce []byte) *tlsAead
}
var cipherSuites = []*cipherSuite{
// Ciphersuite order is chosen so that ECDHE comes before plain RSA
// and RC4 comes before AES (because of the Lucky13 attack).
+ {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
+ {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 0, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
@@ -95,6 +102,7 @@
{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 32, 48, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, cipherAES, macSHA384, nil},
{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
+ {TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, 32, 0, 0, dheRSAKA, suiteTLS12, nil, nil, aeadCHACHA20POLY1305},
{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, dheRSAKA, suiteTLS12, nil, nil, aeadAESGCM},
{TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, dheRSAKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
{TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, dheRSAKA, suiteTLS12, cipherAES, macSHA256, nil},
@@ -216,7 +224,7 @@
return f.aead.Open(out, f.openNonce, plaintext, additionalData)
}
-func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
+func aeadAESGCM(key, fixedNonce []byte) *tlsAead {
aes, err := aes.NewCipher(key)
if err != nil {
panic(err)
@@ -230,7 +238,15 @@
copy(nonce1, fixedNonce)
copy(nonce2, fixedNonce)
- return &fixedNonceAEAD{nonce1, nonce2, aead}
+ return &tlsAead{&fixedNonceAEAD{nonce1, nonce2, aead}, true}
+}
+
+func aeadCHACHA20POLY1305(key, fixedNonce []byte) *tlsAead {
+ aead, err := newChaCha20Poly1305(key)
+ if err != nil {
+ panic(err)
+ }
+ return &tlsAead{aead, false}
}
// ssl30MAC implements the SSLv3 MAC function, as defined in
@@ -289,7 +305,7 @@
}
func rsaKA(version uint16) keyAgreement {
- return &rsaKeyAgreement{}
+ return &rsaKeyAgreement{version: version}
}
func ecdheECDSAKA(version uint16) keyAgreement {
@@ -391,5 +407,8 @@
// Additional cipher suite IDs, not IANA-assigned.
const (
- TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 uint16 = 0xcafe
+ TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 uint16 = 0xcafe
+ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcc13
+ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcc14
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcc15
)
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index 7aaf9a2..4ac7250 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -97,6 +97,7 @@
type CurveID uint16
const (
+ CurveP224 CurveID = 21
CurveP256 CurveID = 23
CurveP384 CurveID = 24
CurveP521 CurveID = 25
@@ -429,15 +430,32 @@
// ServerKeyExchange.
UnauthenticatedECDH bool
+ // SkipHelloVerifyRequest causes a DTLS server to skip the
+ // HelloVerifyRequest message.
+ SkipHelloVerifyRequest bool
+
+ // SkipCertificateStatus, if true, causes the server to skip the
+ // CertificateStatus message. This is legal because CertificateStatus is
+ // optional, even with a status_request in ServerHello.
+ SkipCertificateStatus bool
+
// SkipServerKeyExchange causes the server to skip sending
// ServerKeyExchange messages.
SkipServerKeyExchange bool
+ // SkipNewSessionTicket causes the server to skip sending the
+ // NewSessionTicket message despite promising to in ServerHello.
+ SkipNewSessionTicket bool
+
// SkipChangeCipherSpec causes the implementation to skip
// sending the ChangeCipherSpec message (and adjusting cipher
// state accordingly for the Finished message).
SkipChangeCipherSpec bool
+ // SkipFinished causes the implementation to skip sending the Finished
+ // message.
+ SkipFinished bool
+
// EarlyChangeCipherSpec causes the client to send an early
// ChangeCipherSpec message before the ClientKeyExchange. A value of
// zero disables this behavior. One and two configure variants for 0.9.8
@@ -449,10 +467,6 @@
// messages.
FragmentAcrossChangeCipherSpec bool
- // SkipNewSessionTicket causes the server to skip sending the
- // NewSessionTicket message despite promising to in ServerHello.
- SkipNewSessionTicket bool
-
// SendV2ClientHello causes the client to send a V2ClientHello
// instead of a normal ClientHello.
SendV2ClientHello bool
@@ -475,8 +489,9 @@
// two records.
FragmentAlert bool
- // SendSpuriousAlert will cause an spurious, unwanted alert to be sent.
- SendSpuriousAlert bool
+ // SendSpuriousAlert, if non-zero, will cause an spurious, unwanted
+ // alert to be sent.
+ SendSpuriousAlert alert
// RsaClientKeyExchangeVersion, if non-zero, causes the client to send a
// ClientKeyExchange with the specified version rather than the
@@ -491,16 +506,19 @@
// TLS version in the ClientHello than the maximum supported version.
SendClientVersion uint16
- // SkipHelloVerifyRequest causes a DTLS server to skip the
- // HelloVerifyRequest message.
- SkipHelloVerifyRequest bool
-
// ExpectFalseStart causes the server to, on full handshakes,
// expect the peer to False Start; the server Finished message
// isn't sent until we receive an application data record
// from the peer.
ExpectFalseStart bool
+ // AlertBeforeFalseStartTest, if non-zero, causes the server to, on full
+ // handshakes, send an alert just before reading the application data
+ // record to test False Start. This can be used in a negative False
+ // Start test to determine whether the peer processed the alert (and
+ // closed the connection) before or after sending app data.
+ AlertBeforeFalseStartTest alert
+
// SSL3RSAKeyExchange causes the client to always send an RSA
// ClientKeyExchange message without the two-byte length
// prefix, as if it were SSL3.
@@ -557,9 +575,10 @@
// retransmit at the record layer.
SequenceNumberIncrement uint64
- // RSAServerKeyExchange, if true, causes the server to send a
- // ServerKeyExchange message in the plain RSA key exchange.
- RSAServerKeyExchange bool
+ // RSAEphemeralKey, if true, causes the server to send a
+ // ServerKeyExchange message containing an ephemeral key (as in
+ // RSA_EXPORT) in the plain RSA key exchange.
+ RSAEphemeralKey bool
// SRTPMasterKeyIdentifer, if not empty, is the SRTP MKI value that the
// client offers when negotiating SRTP. MKI support is still missing so
@@ -578,6 +597,10 @@
// still be enforced.
NoSignatureAndHashes bool
+ // NoSupportedCurves, if true, causes the client to omit the
+ // supported_curves extension.
+ NoSupportedCurves bool
+
// RequireSameRenegoClientVersion, if true, causes the server
// to require that all ClientHellos match in offered version
// across a renego.
@@ -603,6 +626,87 @@
// AppDataAfterChangeCipherSpec, if not null, causes application data to
// be sent immediately after ChangeCipherSpec.
AppDataAfterChangeCipherSpec []byte
+
+ // AlertAfterChangeCipherSpec, if non-zero, causes an alert to be sent
+ // immediately after ChangeCipherSpec.
+ AlertAfterChangeCipherSpec alert
+
+ // TimeoutSchedule is the schedule of packet drops and simulated
+ // timeouts for before each handshake leg from the peer.
+ TimeoutSchedule []time.Duration
+
+ // PacketAdaptor is the packetAdaptor to use to simulate timeouts.
+ PacketAdaptor *packetAdaptor
+
+ // ReorderHandshakeFragments, if true, causes handshake fragments in
+ // DTLS to overlap and be sent in the wrong order. It also causes
+ // pre-CCS flights to be sent twice. (Post-CCS flights consist of
+ // Finished and will trigger a spurious retransmit.)
+ ReorderHandshakeFragments bool
+
+ // MixCompleteMessageWithFragments, if true, causes handshake
+ // messages in DTLS to redundantly both fragment the message
+ // and include a copy of the full one.
+ MixCompleteMessageWithFragments bool
+
+ // SendInvalidRecordType, if true, causes a record with an invalid
+ // content type to be sent immediately following the handshake.
+ SendInvalidRecordType bool
+
+ // WrongCertificateMessageType, if true, causes Certificate message to
+ // be sent with the wrong message type.
+ WrongCertificateMessageType bool
+
+ // FragmentMessageTypeMismatch, if true, causes all non-initial
+ // handshake fragments in DTLS to have the wrong message type.
+ FragmentMessageTypeMismatch bool
+
+ // FragmentMessageLengthMismatch, if true, causes all non-initial
+ // handshake fragments in DTLS to have the wrong message length.
+ FragmentMessageLengthMismatch bool
+
+ // SplitFragmentHeader, if true, causes the handshake fragments in DTLS
+ // to be split across two records.
+ SplitFragmentHeader bool
+
+ // SplitFragmentBody, if true, causes the handshake bodies in DTLS to be
+ // split across two records.
+ //
+ // TODO(davidben): There's one final split to test: when the header and
+ // body are split across two records. But those are (incorrectly)
+ // accepted right now.
+ SplitFragmentBody bool
+
+ // SendEmptyFragments, if true, causes handshakes to include empty
+ // fragments in DTLS.
+ SendEmptyFragments bool
+
+ // NeverResumeOnRenego, if true, causes renegotiations to always be full
+ // handshakes.
+ NeverResumeOnRenego bool
+
+ // NoSignatureAlgorithmsOnRenego, if true, causes renegotiations to omit
+ // the signature_algorithms extension.
+ NoSignatureAlgorithmsOnRenego bool
+
+ // IgnorePeerCipherPreferences, if true, causes the peer's cipher
+ // preferences to be ignored.
+ IgnorePeerCipherPreferences bool
+
+ // IgnorePeerSignatureAlgorithmPreferences, if true, causes the peer's
+ // signature algorithm preferences to be ignored.
+ IgnorePeerSignatureAlgorithmPreferences bool
+
+ // IgnorePeerCurvePreferences, if true, causes the peer's curve
+ // preferences to be ignored.
+ IgnorePeerCurvePreferences bool
+
+ // SendWarningAlerts, if non-zero, causes every record to be prefaced by
+ // a warning alert.
+ SendWarningAlerts alert
+
+ // BadFinished, if true, causes the Finished hash to be broken.
+ BadFinished bool
}
func (c *Config) serverInit() {
diff --git a/src/ssl/test/runner/conn.go b/src/ssl/test/runner/conn.go
index d4a6817..fd198ca 100644
--- a/src/ssl/test/runner/conn.go
+++ b/src/ssl/test/runner/conn.go
@@ -37,14 +37,16 @@
handshakeComplete bool
didResume bool // whether this connection was a session resumption
extendedMasterSecret bool // whether this session used an extended master secret
- cipherSuite uint16
+ cipherSuite *cipherSuite
ocspResponse []byte // stapled OCSP response
peerCertificates []*x509.Certificate
// verifiedChains contains the certificate chains that we built, as
// opposed to the ones presented by the server.
verifiedChains [][]*x509.Certificate
// serverName contains the server name indicated by the client, if any.
- serverName string
+ serverName string
+ clientRandom, serverRandom [32]byte
+ masterSecret [48]byte
clientProtocol string
clientProtocolFallback bool
@@ -69,8 +71,9 @@
// DTLS state
sendHandshakeSeq uint16
recvHandshakeSeq uint16
- handMsg []byte // pending assembled handshake message
- handMsgLen int // handshake message length, not including the header
+ handMsg []byte // pending assembled handshake message
+ handMsgLen int // handshake message length, not including the header
+ pendingFragments [][]byte // pending outgoing handshake fragments.
tmp [16]byte
}
@@ -131,6 +134,7 @@
nextCipher interface{} // next encryption state
nextMac macFunction // next MAC algorithm
+ nextSeq [6]byte // next epoch's starting sequence number in DTLS
// used to save allocating a new buffer for each MAC.
inDigestBuf, outDigestBuf []byte
@@ -200,10 +204,20 @@
}
}
-// incEpoch resets the sequence number. In DTLS, it increments the
-// epoch half of the sequence number.
+// incNextSeq increments the starting sequence number for the next epoch.
+func (hc *halfConn) incNextSeq() {
+ for i := len(hc.nextSeq) - 1; i >= 0; i-- {
+ hc.nextSeq[i]++
+ if hc.nextSeq[i] != 0 {
+ return
+ }
+ }
+ panic("TLS: sequence number wraparound")
+}
+
+// incEpoch resets the sequence number. In DTLS, it also increments the epoch
+// half of the sequence number.
func (hc *halfConn) incEpoch() {
- limit := 0
if hc.isDTLS {
for i := 1; i >= 0; i-- {
hc.seq[i]++
@@ -214,11 +228,14 @@
panic("TLS: epoch number wraparound")
}
}
- limit = 2
- }
- seq := hc.seq[limit:]
- for i := range seq {
- seq[i] = 0
+ copy(hc.seq[2:], hc.nextSeq[:])
+ for i := range hc.nextSeq {
+ hc.nextSeq[i] = 0
+ }
+ } else {
+ for i := range hc.seq {
+ hc.seq[i] = 0
+ }
}
}
@@ -321,13 +338,16 @@
switch c := hc.cipher.(type) {
case cipher.Stream:
c.XORKeyStream(payload, payload)
- case cipher.AEAD:
- explicitIVLen = 8
- if len(payload) < explicitIVLen {
- return false, 0, alertBadRecordMAC
+ case *tlsAead:
+ nonce := seq
+ if c.explicitNonce {
+ explicitIVLen = 8
+ if len(payload) < explicitIVLen {
+ return false, 0, alertBadRecordMAC
+ }
+ nonce = payload[:8]
+ payload = payload[8:]
}
- nonce := payload[:8]
- payload = payload[8:]
var additionalData [13]byte
copy(additionalData[:], seq)
@@ -451,10 +471,13 @@
switch c := hc.cipher.(type) {
case cipher.Stream:
c.XORKeyStream(payload, payload)
- case cipher.AEAD:
+ case *tlsAead:
payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
b.resize(len(b.data) + c.Overhead())
- nonce := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
+ nonce := hc.seq[:]
+ if c.explicitNonce {
+ nonce = b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
+ }
payload := b.data[recordHeaderLen+explicitIVLen:]
payload = payload[:payloadLen]
@@ -756,11 +779,8 @@
if typ != want {
// A client might need to process a HelloRequest from
// the server, thus receiving a handshake message when
- // application data is expected is ok. Moreover, a DTLS
- // peer who sends Finished second may retransmit the
- // final leg. BoringSSL retrainsmits on an internal
- // timer, so this may also occur in test code.
- if !c.isClient && !c.isDTLS {
+ // application data is expected is ok.
+ if !c.isClient {
return c.in.setErrorLocked(c.sendAlert(alertNoRenegotiation))
}
}
@@ -817,6 +837,13 @@
// to the connection and updates the record layer state.
// c.out.Mutex <= L.
func (c *Conn) writeRecord(typ recordType, data []byte) (n int, err error) {
+ if typ != recordTypeAlert && c.config.Bugs.SendWarningAlerts != 0 {
+ alert := make([]byte, 2)
+ alert[0] = alertLevelWarning
+ alert[1] = byte(c.config.Bugs.SendWarningAlerts)
+ c.writeRecord(recordTypeAlert, alert)
+ }
+
if c.isDTLS {
return c.dtlsWriteRecord(typ, data)
}
@@ -851,7 +878,7 @@
}
}
if explicitIVLen == 0 {
- if _, ok := c.out.cipher.(cipher.AEAD); ok {
+ if aead, ok := c.out.cipher.(*tlsAead); ok && aead.explicitNonce {
explicitIVLen = 8
// The AES-GCM construction in TLS has an
// explicit nonce so that the nonce can be
@@ -1003,6 +1030,67 @@
return m, nil
}
+// skipPacket processes all the DTLS records in packet. It updates
+// sequence number expectations but otherwise ignores them.
+func (c *Conn) skipPacket(packet []byte) error {
+ for len(packet) > 0 {
+ // Dropped packets are completely ignored save to update
+ // expected sequence numbers for this and the next epoch. (We
+ // don't assert on the contents of the packets both for
+ // simplicity and because a previous test with one shorter
+ // timeout schedule would have done so.)
+ epoch := packet[3:5]
+ seq := packet[5:11]
+ length := uint16(packet[11])<<8 | uint16(packet[12])
+ if bytes.Equal(c.in.seq[:2], epoch) {
+ if !bytes.Equal(c.in.seq[2:], seq) {
+ return errors.New("tls: sequence mismatch")
+ }
+ c.in.incSeq(false)
+ } else {
+ if !bytes.Equal(c.in.nextSeq[:], seq) {
+ return errors.New("tls: sequence mismatch")
+ }
+ c.in.incNextSeq()
+ }
+ packet = packet[13+length:]
+ }
+ return nil
+}
+
+// simulatePacketLoss simulates the loss of a handshake leg from the
+// peer based on the schedule in c.config.Bugs. If resendFunc is
+// non-nil, it is called after each simulated timeout to retransmit
+// handshake messages from the local end. This is used in cases where
+// the peer retransmits on a stale Finished rather than a timeout.
+func (c *Conn) simulatePacketLoss(resendFunc func()) error {
+ if len(c.config.Bugs.TimeoutSchedule) == 0 {
+ return nil
+ }
+ if !c.isDTLS {
+ return errors.New("tls: TimeoutSchedule may only be set in DTLS")
+ }
+ if c.config.Bugs.PacketAdaptor == nil {
+ return errors.New("tls: TimeoutSchedule set without PacketAdapter")
+ }
+ for _, timeout := range c.config.Bugs.TimeoutSchedule {
+ // Simulate a timeout.
+ packets, err := c.config.Bugs.PacketAdaptor.SendReadTimeout(timeout)
+ if err != nil {
+ return err
+ }
+ for _, packet := range packets {
+ if err := c.skipPacket(packet); err != nil {
+ return err
+ }
+ }
+ if resendFunc != nil {
+ resendFunc()
+ }
+ }
+ return nil
+}
+
// Write writes data to the connection.
func (c *Conn) Write(b []byte) (int, error) {
if err := c.Handshake(); err != nil {
@@ -1020,8 +1108,8 @@
return 0, alertInternalError
}
- if c.config.Bugs.SendSpuriousAlert {
- c.sendAlertLocked(alertRecordOverflow)
+ if c.config.Bugs.SendSpuriousAlert != 0 {
+ c.sendAlertLocked(c.config.Bugs.SendSpuriousAlert)
}
// SSL 3.0 and TLS 1.0 are susceptible to a chosen-plaintext
@@ -1096,9 +1184,9 @@
// Soft error, like EAGAIN
return 0, err
}
- if c.hand.Len() > 0 && !c.isDTLS {
+ if c.hand.Len() > 0 {
// We received handshake bytes, indicating the
- // start of a renegotiation or a DTLS retransmit.
+ // start of a renegotiation.
if err := c.handleRenegotiation(); err != nil {
return 0, err
}
@@ -1177,6 +1265,9 @@
} else {
c.handshakeErr = c.serverHandshake()
}
+ if c.handshakeErr == nil && c.config.Bugs.SendInvalidRecordType {
+ c.writeRecord(recordType(42), []byte("invalid record"))
+ }
return c.handshakeErr
}
@@ -1193,7 +1284,7 @@
state.DidResume = c.didResume
state.NegotiatedProtocolIsMutual = !c.clientProtocolFallback
state.NegotiatedProtocolFromALPN = c.usedALPN
- state.CipherSuite = c.cipherSuite
+ state.CipherSuite = c.cipherSuite.id
state.PeerCertificates = c.peerCertificates
state.VerifiedChains = c.verifiedChains
state.ServerName = c.serverName
@@ -1227,3 +1318,28 @@
}
return c.peerCertificates[0].VerifyHostname(host)
}
+
+// ExportKeyingMaterial exports keying material from the current connection
+// state, as per RFC 5705.
+func (c *Conn) ExportKeyingMaterial(length int, label, context []byte, useContext bool) ([]byte, error) {
+ c.handshakeMutex.Lock()
+ defer c.handshakeMutex.Unlock()
+ if !c.handshakeComplete {
+ return nil, errors.New("tls: handshake has not yet been performed")
+ }
+
+ seedLen := len(c.clientRandom) + len(c.serverRandom)
+ if useContext {
+ seedLen += 2 + len(context)
+ }
+ seed := make([]byte, 0, seedLen)
+ seed = append(seed, c.clientRandom[:]...)
+ seed = append(seed, c.serverRandom[:]...)
+ if useContext {
+ seed = append(seed, byte(len(context)>>8), byte(len(context)))
+ seed = append(seed, context...)
+ }
+ result := make([]byte, length)
+ prfForVersion(c.vers, c.cipherSuite)(result, c.masterSecret[:], label, seed)
+ return result, nil
+}
diff --git a/src/ssl/test/runner/dtls.go b/src/ssl/test/runner/dtls.go
index a395980..85c4247 100644
--- a/src/ssl/test/runner/dtls.go
+++ b/src/ssl/test/runner/dtls.go
@@ -16,10 +16,10 @@
import (
"bytes"
- "crypto/cipher"
"errors"
"fmt"
"io"
+ "math/rand"
"net"
)
@@ -38,7 +38,6 @@
}
func (c *Conn) dtlsDoReadRecord(want recordType) (recordType, *block, error) {
-Again:
recordHeaderLen := dtlsRecordHeaderLen
if c.rawInput == nil {
@@ -82,13 +81,6 @@
}
}
seq := b.data[3:11]
- if !bytes.Equal(seq[:2], c.in.seq[:2]) {
- // If the epoch didn't match, silently drop the record.
- // BoringSSL retransmits on an internal timer, so it may flakily
- // revisit the previous epoch if retransmiting ChangeCipherSpec
- // and Finished.
- goto Again
- }
// For test purposes, we assume a reliable channel. Require
// that the explicit sequence number matches the incrementing
// one we maintain. A real implementation would maintain a
@@ -113,7 +105,134 @@
return typ, b, nil
}
+func (c *Conn) makeFragment(header, data []byte, fragOffset, fragLen int) []byte {
+ fragment := make([]byte, 0, 12+fragLen)
+ fragment = append(fragment, header...)
+ fragment = append(fragment, byte(c.sendHandshakeSeq>>8), byte(c.sendHandshakeSeq))
+ fragment = append(fragment, byte(fragOffset>>16), byte(fragOffset>>8), byte(fragOffset))
+ fragment = append(fragment, byte(fragLen>>16), byte(fragLen>>8), byte(fragLen))
+ fragment = append(fragment, data[fragOffset:fragOffset+fragLen]...)
+ return fragment
+}
+
func (c *Conn) dtlsWriteRecord(typ recordType, data []byte) (n int, err error) {
+ if typ != recordTypeHandshake {
+ // Only handshake messages are fragmented.
+ return c.dtlsWriteRawRecord(typ, data)
+ }
+
+ maxLen := c.config.Bugs.MaxHandshakeRecordLength
+ if maxLen <= 0 {
+ maxLen = 1024
+ }
+
+ // Handshake messages have to be modified to include fragment
+ // offset and length and with the header replicated. Save the
+ // TLS header here.
+ //
+ // TODO(davidben): This assumes that data contains exactly one
+ // handshake message. This is incompatible with
+ // FragmentAcrossChangeCipherSpec. (Which is unfortunate
+ // because OpenSSL's DTLS implementation will probably accept
+ // such fragmentation and could do with a fix + tests.)
+ header := data[:4]
+ data = data[4:]
+
+ isFinished := header[0] == typeFinished
+
+ if c.config.Bugs.SendEmptyFragments {
+ fragment := c.makeFragment(header, data, 0, 0)
+ c.pendingFragments = append(c.pendingFragments, fragment)
+ }
+
+ firstRun := true
+ fragOffset := 0
+ for firstRun || fragOffset < len(data) {
+ firstRun = false
+ fragLen := len(data) - fragOffset
+ if fragLen > maxLen {
+ fragLen = maxLen
+ }
+
+ fragment := c.makeFragment(header, data, fragOffset, fragLen)
+ if c.config.Bugs.FragmentMessageTypeMismatch && fragOffset > 0 {
+ fragment[0]++
+ }
+ if c.config.Bugs.FragmentMessageLengthMismatch && fragOffset > 0 {
+ fragment[3]++
+ }
+
+ // Buffer the fragment for later. They will be sent (and
+ // reordered) on flush.
+ c.pendingFragments = append(c.pendingFragments, fragment)
+ if c.config.Bugs.ReorderHandshakeFragments {
+ // Don't duplicate Finished to avoid the peer
+ // interpreting it as a retransmit request.
+ if !isFinished {
+ c.pendingFragments = append(c.pendingFragments, fragment)
+ }
+
+ if fragLen > (maxLen+1)/2 {
+ // Overlap each fragment by half.
+ fragLen = (maxLen + 1) / 2
+ }
+ }
+ fragOffset += fragLen
+ n += fragLen
+ }
+ if !isFinished && c.config.Bugs.MixCompleteMessageWithFragments {
+ fragment := c.makeFragment(header, data, 0, len(data))
+ c.pendingFragments = append(c.pendingFragments, fragment)
+ }
+
+ // Increment the handshake sequence number for the next
+ // handshake message.
+ c.sendHandshakeSeq++
+ return
+}
+
+func (c *Conn) dtlsFlushHandshake() error {
+ if !c.isDTLS {
+ return nil
+ }
+
+ var fragments [][]byte
+ fragments, c.pendingFragments = c.pendingFragments, fragments
+
+ if c.config.Bugs.ReorderHandshakeFragments {
+ perm := rand.New(rand.NewSource(0)).Perm(len(fragments))
+ tmp := make([][]byte, len(fragments))
+ for i := range tmp {
+ tmp[i] = fragments[perm[i]]
+ }
+ fragments = tmp
+ }
+
+ // Send them all.
+ for _, fragment := range fragments {
+ if c.config.Bugs.SplitFragmentHeader {
+ if _, err := c.dtlsWriteRawRecord(recordTypeHandshake, fragment[:2]); err != nil {
+ return err
+ }
+ fragment = fragment[2:]
+ } else if c.config.Bugs.SplitFragmentBody && len(fragment) > 12 {
+ if _, err := c.dtlsWriteRawRecord(recordTypeHandshake, fragment[:13]); err != nil {
+ return err
+ }
+ fragment = fragment[13:]
+ }
+
+ // TODO(davidben): A real DTLS implementation needs to
+ // retransmit handshake messages. For testing purposes, we don't
+ // actually care.
+ if _, err := c.dtlsWriteRawRecord(recordTypeHandshake, fragment); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func (c *Conn) dtlsWriteRawRecord(typ recordType, data []byte) (n int, err error) {
recordHeaderLen := dtlsRecordHeaderLen
maxLen := c.config.Bugs.MaxHandshakeRecordLength
if maxLen <= 0 {
@@ -122,118 +241,60 @@
b := c.out.newBlock()
- var header []byte
- if typ == recordTypeHandshake {
- // Handshake messages have to be modified to include
- // fragment offset and length and with the header
- // replicated. Save the header here.
- //
- // TODO(davidben): This assumes that data contains
- // exactly one handshake message. This is incompatible
- // with FragmentAcrossChangeCipherSpec. (Which is
- // unfortunate because OpenSSL's DTLS implementation
- // will probably accept such fragmentation and could
- // do with a fix + tests.)
- if len(data) < 4 {
- // This should not happen.
- panic(data)
- }
- header = data[:4]
- data = data[4:]
- }
+ explicitIVLen := 0
+ explicitIVIsSeq := false
- firstRun := true
- for firstRun || len(data) > 0 {
- firstRun = false
- m := len(data)
- var fragment []byte
- // Handshake messages get fragmented. Other records we
- // pass-through as is. DTLS should be a packet
- // interface.
- if typ == recordTypeHandshake {
- if m > maxLen {
- m = maxLen
- }
-
- // Standard handshake header.
- fragment = make([]byte, 0, 12+m)
- fragment = append(fragment, header...)
- // message_seq
- fragment = append(fragment, byte(c.sendHandshakeSeq>>8), byte(c.sendHandshakeSeq))
- // fragment_offset
- fragment = append(fragment, byte(n>>16), byte(n>>8), byte(n))
- // fragment_length
- fragment = append(fragment, byte(m>>16), byte(m>>8), byte(m))
- fragment = append(fragment, data[:m]...)
- } else {
- fragment = data[:m]
- }
-
- // Send the fragment.
- explicitIVLen := 0
- explicitIVIsSeq := false
-
- if cbc, ok := c.out.cipher.(cbcMode); ok {
- // Block cipher modes have an explicit IV.
- explicitIVLen = cbc.BlockSize()
- } else if _, ok := c.out.cipher.(cipher.AEAD); ok {
+ if cbc, ok := c.out.cipher.(cbcMode); ok {
+ // Block cipher modes have an explicit IV.
+ explicitIVLen = cbc.BlockSize()
+ } else if aead, ok := c.out.cipher.(*tlsAead); ok {
+ if aead.explicitNonce {
explicitIVLen = 8
- // The AES-GCM construction in TLS has an
- // explicit nonce so that the nonce can be
- // random. However, the nonce is only 8 bytes
- // which is too small for a secure, random
- // nonce. Therefore we use the sequence number
- // as the nonce.
+ // The AES-GCM construction in TLS has an explicit nonce so that
+ // the nonce can be random. However, the nonce is only 8 bytes
+ // which is too small for a secure, random nonce. Therefore we
+ // use the sequence number as the nonce.
explicitIVIsSeq = true
- } else if c.out.cipher != nil {
- panic("Unknown cipher")
}
- b.resize(recordHeaderLen + explicitIVLen + len(fragment))
- b.data[0] = byte(typ)
- vers := c.vers
- if vers == 0 {
- // Some TLS servers fail if the record version is
- // greater than TLS 1.0 for the initial ClientHello.
- vers = VersionTLS10
- }
- vers = versionToWire(vers, c.isDTLS)
- b.data[1] = byte(vers >> 8)
- b.data[2] = byte(vers)
- // DTLS records include an explicit sequence number.
- copy(b.data[3:11], c.out.seq[0:])
- b.data[11] = byte(len(fragment) >> 8)
- b.data[12] = byte(len(fragment))
- if explicitIVLen > 0 {
- explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
- if explicitIVIsSeq {
- copy(explicitIV, c.out.seq[:])
- } else {
- if _, err = io.ReadFull(c.config.rand(), explicitIV); err != nil {
- break
- }
+ } else if c.out.cipher != nil {
+ panic("Unknown cipher")
+ }
+ b.resize(recordHeaderLen + explicitIVLen + len(data))
+ b.data[0] = byte(typ)
+ vers := c.vers
+ if vers == 0 {
+ // Some TLS servers fail if the record version is greater than
+ // TLS 1.0 for the initial ClientHello.
+ vers = VersionTLS10
+ }
+ vers = versionToWire(vers, c.isDTLS)
+ b.data[1] = byte(vers >> 8)
+ b.data[2] = byte(vers)
+ // DTLS records include an explicit sequence number.
+ copy(b.data[3:11], c.out.seq[0:])
+ b.data[11] = byte(len(data) >> 8)
+ b.data[12] = byte(len(data))
+ if explicitIVLen > 0 {
+ explicitIV := b.data[recordHeaderLen : recordHeaderLen+explicitIVLen]
+ if explicitIVIsSeq {
+ copy(explicitIV, c.out.seq[:])
+ } else {
+ if _, err = io.ReadFull(c.config.rand(), explicitIV); err != nil {
+ return
}
}
- copy(b.data[recordHeaderLen+explicitIVLen:], fragment)
- c.out.encrypt(b, explicitIVLen)
-
- // TODO(davidben): A real DTLS implementation needs to
- // retransmit handshake messages. For testing
- // purposes, we don't actually care.
- _, err = c.conn.Write(b.data)
- if err != nil {
- break
- }
- n += m
- data = data[m:]
}
+ copy(b.data[recordHeaderLen+explicitIVLen:], data)
+ c.out.encrypt(b, explicitIVLen)
+
+ _, err = c.conn.Write(b.data)
+ if err != nil {
+ return
+ }
+ n = len(data)
+
c.out.freeBlock(b)
- // Increment the handshake sequence number for the next
- // handshake message.
- if typ == recordTypeHandshake {
- c.sendHandshakeSeq++
- }
-
if typ == recordTypeChangeCipherSpec {
err = c.out.changeCipherSpec(c.config)
if err != nil {
@@ -250,9 +311,9 @@
func (c *Conn) dtlsDoReadHandshake() ([]byte, error) {
// Assemble a full handshake message. For test purposes, this
- // implementation assumes fragments arrive in order, but tolerates
- // retransmits. It may need to be cleverer if we ever test BoringSSL's
- // retransmit behavior.
+ // implementation assumes fragments arrive in order. It may
+ // need to be cleverer if we ever test BoringSSL's retransmit
+ // behavior.
for len(c.handMsg) < 4+c.handMsgLen {
// Get a new handshake record if the previous has been
// exhausted.
@@ -281,16 +342,9 @@
}
fragment := c.hand.Next(fragLen)
- if fragSeq < c.recvHandshakeSeq {
- // BoringSSL retransmits based on an internal timer, so
- // it may flakily retransmit part of a handshake
- // message. Ignore those fragments.
- //
- // TODO(davidben): Revise this if BoringSSL's retransmit
- // logic is made more deterministic.
- continue
- } else if fragSeq > c.recvHandshakeSeq {
- return nil, errors.New("dtls: handshake messages sent out of order")
+ // Check it's a fragment for the right message.
+ if fragSeq != c.recvHandshakeSeq {
+ return nil, errors.New("dtls: bad handshake sequence number")
}
// Check that the length is consistent.
diff --git a/src/ssl/test/runner/handshake_client.go b/src/ssl/test/runner/handshake_client.go
index f297fc1..0dac05d 100644
--- a/src/ssl/test/runner/handshake_client.go
+++ b/src/ssl/test/runner/handshake_client.go
@@ -6,7 +6,6 @@
import (
"bytes"
- "crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rsa"
@@ -22,13 +21,14 @@
)
type clientHandshakeState struct {
- c *Conn
- serverHello *serverHelloMsg
- hello *clientHelloMsg
- suite *cipherSuite
- finishedHash finishedHash
- masterSecret []byte
- session *ClientSessionState
+ c *Conn
+ serverHello *serverHelloMsg
+ hello *clientHelloMsg
+ suite *cipherSuite
+ finishedHash finishedHash
+ masterSecret []byte
+ session *ClientSessionState
+ finishedBytes []byte
}
func (c *Conn) clientHandshake() error {
@@ -83,6 +83,10 @@
hello.extendedMasterSecret = false
}
+ if c.config.Bugs.NoSupportedCurves {
+ hello.supportedCurves = nil
+ }
+
if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
if c.config.Bugs.BadRenegotiationInfo {
hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
@@ -129,13 +133,16 @@
return errors.New("tls: short read from Rand: " + err.Error())
}
- if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAndHashes {
+ if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAndHashes && (c.cipherSuite == nil || !c.config.Bugs.NoSignatureAlgorithmsOnRenego) {
hello.signatureAndHashes = c.config.signatureAndHashesForClient()
}
var session *ClientSessionState
var cacheKey string
sessionCache := c.config.ClientSessionCache
+ if c.config.Bugs.NeverResumeOnRenego && c.cipherSuite != nil {
+ sessionCache = nil
+ }
if sessionCache != nil {
hello.ticketSupported = !c.config.SessionTicketsDisabled
@@ -213,7 +220,11 @@
helloBytes = hello.marshal()
c.writeRecord(recordTypeHandshake, helloBytes)
}
+ c.dtlsFlushHandshake()
+ if err := c.simulatePacketLoss(nil); err != nil {
+ return err
+ }
msg, err := c.readHandshake()
if err != nil {
return err
@@ -233,7 +244,11 @@
hello.cookie = helloVerifyRequest.cookie
helloBytes = hello.marshal()
c.writeRecord(recordTypeHandshake, helloBytes)
+ c.dtlsFlushHandshake()
+ if err := c.simulatePacketLoss(nil); err != nil {
+ return err
+ }
msg, err = c.readHandshake()
if err != nil {
return err
@@ -317,6 +332,15 @@
if err := hs.sendFinished(isResume); err != nil {
return err
}
+ // Most retransmits are triggered by a timeout, but the final
+ // leg of the handshake is retransmited upon re-receiving a
+ // Finished.
+ if err := c.simulatePacketLoss(func() {
+ c.writeRecord(recordTypeHandshake, hs.finishedBytes)
+ c.dtlsFlushHandshake()
+ }); err != nil {
+ return err
+ }
if err := hs.readSessionTicket(); err != nil {
return err
}
@@ -331,7 +355,10 @@
c.didResume = isResume
c.handshakeComplete = true
- c.cipherSuite = suite.id
+ c.cipherSuite = suite
+ copy(c.clientRandom[:], hs.hello.random)
+ copy(c.serverRandom[:], hs.serverHello.random)
+ copy(c.masterSecret[:], hs.masterSecret)
return nil
}
@@ -559,33 +586,39 @@
hasSignatureAndHash: c.vers >= VersionTLS12,
}
+ // Determine the hash to sign.
+ var signatureType uint8
+ switch c.config.Certificates[0].PrivateKey.(type) {
+ case *ecdsa.PrivateKey:
+ signatureType = signatureECDSA
+ case *rsa.PrivateKey:
+ signatureType = signatureRSA
+ default:
+ c.sendAlert(alertInternalError)
+ return errors.New("unknown private key type")
+ }
+ if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
+ certReq.signatureAndHashes = c.config.signatureAndHashesForClient()
+ }
+ certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, c.config.signatureAndHashesForClient(), signatureType)
+ if err != nil {
+ c.sendAlert(alertInternalError)
+ return err
+ }
+ digest, hashFunc, err := hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)
+ if err != nil {
+ c.sendAlert(alertInternalError)
+ return err
+ }
+
switch key := c.config.Certificates[0].PrivateKey.(type) {
case *ecdsa.PrivateKey:
- certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, signatureECDSA)
- if err != nil {
- break
- }
- var digest []byte
- digest, _, err = hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)
- if err != nil {
- break
- }
var r, s *big.Int
r, s, err = ecdsa.Sign(c.config.rand(), key, digest)
if err == nil {
signed, err = asn1.Marshal(ecdsaSignature{r, s})
}
case *rsa.PrivateKey:
- certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, signatureRSA)
- if err != nil {
- break
- }
- var digest []byte
- var hashFunc crypto.Hash
- digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)
- if err != nil {
- break
- }
signed, err = rsa.SignPKCS1v15(c.config.rand(), key, hashFunc, digest)
default:
err = errors.New("unknown private key type")
@@ -599,6 +632,7 @@
hs.writeClientHash(certVerify.marshal())
c.writeRecord(recordTypeHandshake, certVerify.marshal())
}
+ c.dtlsFlushHandshake()
hs.finishedHash.discardHandshakeBuffer()
@@ -825,15 +859,19 @@
} else {
finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
}
+ if c.config.Bugs.BadFinished {
+ finished.verifyData[0]++
+ }
c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
- finishedBytes := finished.marshal()
- hs.writeHash(finishedBytes, seqno)
- postCCSBytes = append(postCCSBytes, finishedBytes...)
+ hs.finishedBytes = finished.marshal()
+ hs.writeHash(hs.finishedBytes, seqno)
+ postCCSBytes = append(postCCSBytes, hs.finishedBytes...)
if c.config.Bugs.FragmentAcrossChangeCipherSpec {
c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
postCCSBytes = postCCSBytes[5:]
}
+ c.dtlsFlushHandshake()
if !c.config.Bugs.SkipChangeCipherSpec &&
c.config.Bugs.EarlyChangeCipherSpec == 0 {
@@ -843,8 +881,15 @@
if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
}
+ if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
+ c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
+ return errors.New("tls: simulating post-CCS alert")
+ }
- c.writeRecord(recordTypeHandshake, postCCSBytes)
+ if !c.config.Bugs.SkipFinished {
+ c.writeRecord(recordTypeHandshake, postCCSBytes)
+ c.dtlsFlushHandshake()
+ }
return nil
}
diff --git a/src/ssl/test/runner/handshake_server.go b/src/ssl/test/runner/handshake_server.go
index 1234a57..59ed9df 100644
--- a/src/ssl/test/runner/handshake_server.go
+++ b/src/ssl/test/runner/handshake_server.go
@@ -33,6 +33,7 @@
masterSecret []byte
certsFromClient [][]byte
cert *Certificate
+ finishedBytes []byte
}
// serverHandshake performs a TLS handshake as a server.
@@ -71,6 +72,15 @@
if err := hs.sendFinished(); err != nil {
return err
}
+ // Most retransmits are triggered by a timeout, but the final
+ // leg of the handshake is retransmited upon re-receiving a
+ // Finished.
+ if err := c.simulatePacketLoss(func() {
+ c.writeRecord(recordTypeHandshake, hs.finishedBytes)
+ c.dtlsFlushHandshake()
+ }); err != nil {
+ return err
+ }
if err := hs.readFinished(isResume); err != nil {
return err
}
@@ -87,9 +97,12 @@
if err := hs.readFinished(isResume); err != nil {
return err
}
+ if c.config.Bugs.AlertBeforeFalseStartTest != 0 {
+ c.sendAlert(c.config.Bugs.AlertBeforeFalseStartTest)
+ }
if c.config.Bugs.ExpectFalseStart {
if err := c.readRecord(recordTypeApplicationData); err != nil {
- return err
+ return fmt.Errorf("tls: peer did not false start: %s", err)
}
}
if err := hs.sendSessionTicket(); err != nil {
@@ -100,6 +113,9 @@
}
}
c.handshakeComplete = true
+ copy(c.clientRandom[:], hs.clientHello.random)
+ copy(c.serverRandom[:], hs.hello.random)
+ copy(c.masterSecret[:], hs.masterSecret)
return nil
}
@@ -110,6 +126,9 @@
config := hs.c.config
c := hs.c
+ if err := c.simulatePacketLoss(nil); err != nil {
+ return false, err
+ }
msg, err := c.readHandshake()
if err != nil {
return false, err
@@ -136,7 +155,11 @@
return false, errors.New("dtls: short read from Rand: " + err.Error())
}
c.writeRecord(recordTypeHandshake, helloVerifyRequest.marshal())
+ c.dtlsFlushHandshake()
+ if err := c.simulatePacketLoss(nil); err != nil {
+ return false, err
+ }
msg, err := c.readHandshake()
if err != nil {
return false, err
@@ -176,6 +199,9 @@
if c.clientVersion < VersionTLS12 && len(hs.clientHello.signatureAndHashes) > 0 {
return false, fmt.Errorf("tls: client included signature_algorithms before TLS 1.2")
}
+ if config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
+ hs.clientHello.signatureAndHashes = config.signatureAndHashesForServer()
+ }
c.vers, ok = config.mutualVersion(hs.clientHello.vers)
if !ok {
@@ -189,6 +215,9 @@
supportedCurve := false
preferredCurves := config.curvePreferences()
+ if config.Bugs.IgnorePeerCurvePreferences {
+ hs.clientHello.supportedCurves = preferredCurves
+ }
Curves:
for _, curve := range hs.clientHello.supportedCurves {
for _, supported := range preferredCurves {
@@ -323,6 +352,9 @@
return false, errors.New("tls: fallback SCSV found when not expected")
}
+ if config.Bugs.IgnorePeerCipherPreferences {
+ hs.clientHello.cipherSuites = c.config.cipherSuites()
+ }
var preferenceList, supportedList []uint16
if c.config.PreferServerCipherSuites {
preferenceList = c.config.cipherSuites()
@@ -350,6 +382,10 @@
func (hs *serverHandshakeState) checkForResumption() bool {
c := hs.c
+ if c.config.Bugs.NeverResumeOnRenego && c.cipherSuite != nil {
+ return false
+ }
+
if len(hs.clientHello.sessionTicket) > 0 {
if c.config.SessionTicketsDisabled {
return false
@@ -410,6 +446,9 @@
c := hs.c
hs.hello.cipherSuite = hs.suite.id
+ if c.config.Bugs.SendCipherSuite != 0 {
+ hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite
+ }
// We echo the client's session ID in the ServerHello to let it know
// that we're doing a resumption.
hs.hello.sessionId = hs.clientHello.sessionId
@@ -473,12 +512,16 @@
certMsg := new(certificateMsg)
certMsg.certificates = hs.cert.Certificate
if !config.Bugs.UnauthenticatedECDH {
- hs.writeServerHash(certMsg.marshal())
- c.writeRecord(recordTypeHandshake, certMsg.marshal())
+ certMsgBytes := certMsg.marshal()
+ if config.Bugs.WrongCertificateMessageType {
+ certMsgBytes[0] += 42
+ }
+ hs.writeServerHash(certMsgBytes)
+ c.writeRecord(recordTypeHandshake, certMsgBytes)
}
}
- if hs.hello.ocspStapling {
+ if hs.hello.ocspStapling && !c.config.Bugs.SkipCertificateStatus {
certStatus := new(certificateStatusMsg)
certStatus.statusType = statusTypeOCSP
certStatus.response = hs.cert.OCSPStaple
@@ -530,9 +573,13 @@
helloDone := new(serverHelloDoneMsg)
hs.writeServerHash(helloDone.marshal())
c.writeRecord(recordTypeHandshake, helloDone.marshal())
+ c.dtlsFlushHandshake()
var pub crypto.PublicKey // public key for client auth, if any
+ if err := c.simulatePacketLoss(nil); err != nil {
+ return err
+ }
msg, err := c.readHandshake()
if err != nil {
return err
@@ -811,14 +858,19 @@
finished := new(finishedMsg)
finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
+ if c.config.Bugs.BadFinished {
+ finished.verifyData[0]++
+ }
c.serverVerify = append(c.serverVerify[:0], finished.verifyData...)
- postCCSBytes := finished.marshal()
- hs.writeServerHash(postCCSBytes)
+ hs.finishedBytes = finished.marshal()
+ hs.writeServerHash(hs.finishedBytes)
+ postCCSBytes := hs.finishedBytes
if c.config.Bugs.FragmentAcrossChangeCipherSpec {
c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
postCCSBytes = postCCSBytes[5:]
}
+ c.dtlsFlushHandshake()
if !c.config.Bugs.SkipChangeCipherSpec {
c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
@@ -827,10 +879,17 @@
if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
}
+ if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
+ c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
+ return errors.New("tls: simulating post-CCS alert")
+ }
- c.writeRecord(recordTypeHandshake, postCCSBytes)
+ if !c.config.Bugs.SkipFinished {
+ c.writeRecord(recordTypeHandshake, postCCSBytes)
+ c.dtlsFlushHandshake()
+ }
- c.cipherSuite = hs.suite.id
+ c.cipherSuite = hs.suite
return nil
}
diff --git a/src/ssl/test/runner/key_agreement.go b/src/ssl/test/runner/key_agreement.go
index 116dfd8..5e44b54 100644
--- a/src/ssl/test/runner/key_agreement.go
+++ b/src/ssl/test/runner/key_agreement.go
@@ -25,19 +25,73 @@
// rsaKeyAgreement implements the standard TLS key agreement where the client
// encrypts the pre-master secret to the server's public key.
type rsaKeyAgreement struct {
+ version uint16
clientVersion uint16
+ exportKey *rsa.PrivateKey
}
func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
// Save the client version for comparison later.
ka.clientVersion = versionToWire(clientHello.vers, clientHello.isDTLS)
- if config.Bugs.RSAServerKeyExchange {
- // Send an empty ServerKeyExchange message.
- return &serverKeyExchangeMsg{}, nil
+ if !config.Bugs.RSAEphemeralKey {
+ return nil, nil
}
- return nil, nil
+ // Generate an ephemeral RSA key to use instead of the real
+ // one, as in RSA_EXPORT.
+ key, err := rsa.GenerateKey(config.rand(), 512)
+ if err != nil {
+ return nil, err
+ }
+ ka.exportKey = key
+
+ modulus := key.N.Bytes()
+ exponent := big.NewInt(int64(key.E)).Bytes()
+ serverRSAParams := make([]byte, 0, 2+len(modulus)+2+len(exponent))
+ serverRSAParams = append(serverRSAParams, byte(len(modulus)>>8), byte(len(modulus)))
+ serverRSAParams = append(serverRSAParams, modulus...)
+ serverRSAParams = append(serverRSAParams, byte(len(exponent)>>8), byte(len(exponent)))
+ serverRSAParams = append(serverRSAParams, exponent...)
+
+ var tls12HashId uint8
+ if ka.version >= VersionTLS12 {
+ if tls12HashId, err = pickTLS12HashForSignature(signatureRSA, clientHello.signatureAndHashes, config.signatureAndHashesForServer()); err != nil {
+ return nil, err
+ }
+ }
+
+ digest, hashFunc, err := hashForServerKeyExchange(signatureRSA, tls12HashId, ka.version, clientHello.random, hello.random, serverRSAParams)
+ if err != nil {
+ return nil, err
+ }
+ privKey, ok := cert.PrivateKey.(*rsa.PrivateKey)
+ if !ok {
+ return nil, errors.New("RSA ephemeral key requires an RSA server private key")
+ }
+ sig, err := rsa.SignPKCS1v15(config.rand(), privKey, hashFunc, digest)
+ if err != nil {
+ return nil, errors.New("failed to sign RSA parameters: " + err.Error())
+ }
+
+ skx := new(serverKeyExchangeMsg)
+ sigAndHashLen := 0
+ if ka.version >= VersionTLS12 {
+ sigAndHashLen = 2
+ }
+ skx.key = make([]byte, len(serverRSAParams)+sigAndHashLen+2+len(sig))
+ copy(skx.key, serverRSAParams)
+ k := skx.key[len(serverRSAParams):]
+ if ka.version >= VersionTLS12 {
+ k[0] = tls12HashId
+ k[1] = signatureRSA
+ k = k[2:]
+ }
+ k[0] = byte(len(sig) >> 8)
+ k[1] = byte(len(sig))
+ copy(k[2:], sig)
+
+ return skx, nil
}
func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
@@ -60,7 +114,11 @@
ciphertext = ckx.ciphertext[2:]
}
- err = rsa.DecryptPKCS1v15SessionKey(config.rand(), cert.PrivateKey.(*rsa.PrivateKey), ciphertext, preMasterSecret)
+ key := cert.PrivateKey.(*rsa.PrivateKey)
+ if ka.exportKey != nil {
+ key = ka.exportKey
+ }
+ err = rsa.DecryptPKCS1v15SessionKey(config.rand(), key, ciphertext, preMasterSecret)
if err != nil {
return nil, err
}
@@ -154,20 +212,19 @@
// pickTLS12HashForSignature returns a TLS 1.2 hash identifier for signing a
// ServerKeyExchange given the signature type being used and the client's
// advertized list of supported signature and hash combinations.
-func pickTLS12HashForSignature(sigType uint8, clientSignatureAndHashes []signatureAndHash) (uint8, error) {
- if len(clientSignatureAndHashes) == 0 {
+func pickTLS12HashForSignature(sigType uint8, clientList, serverList []signatureAndHash) (uint8, error) {
+ if len(clientList) == 0 {
// If the client didn't specify any signature_algorithms
// extension then we can assume that it supports SHA1. See
// http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
return hashSHA1, nil
}
- for _, sigAndHash := range clientSignatureAndHashes {
+ for _, sigAndHash := range clientList {
if sigAndHash.signature != sigType {
continue
}
- switch sigAndHash.hash {
- case hashSHA1, hashSHA256:
+ if isSupportedSignatureAndHash(sigAndHash, serverList) {
return sigAndHash.hash, nil
}
}
@@ -177,6 +234,8 @@
func curveForCurveID(id CurveID) (elliptic.Curve, bool) {
switch id {
+ case CurveP224:
+ return elliptic.P224(), true
case CurveP256:
return elliptic.P256(), true
case CurveP384:
@@ -221,7 +280,7 @@
var tls12HashId uint8
var err error
if ka.version >= VersionTLS12 {
- if tls12HashId, err = pickTLS12HashForSignature(ka.sigType, clientHello.signatureAndHashes); err != nil {
+ if tls12HashId, err = pickTLS12HashForSignature(ka.sigType, clientHello.signatureAndHashes, config.signatureAndHashesForServer()); err != nil {
return nil, err
}
}
diff --git a/src/ssl/test/runner/packet_adapter.go b/src/ssl/test/runner/packet_adapter.go
index 671b413..bbcd388 100644
--- a/src/ssl/test/runner/packet_adapter.go
+++ b/src/ssl/test/runner/packet_adapter.go
@@ -6,52 +6,117 @@
import (
"encoding/binary"
- "errors"
+ "fmt"
+ "io"
"net"
+ "time"
)
+// opcodePacket signals a packet, encoded with a 32-bit length prefix, followed
+// by the payload.
+const opcodePacket = byte('P')
+
+// opcodeTimeout signals a read timeout, encoded by a 64-bit number of
+// nanoseconds. On receipt, the peer should reply with
+// opcodeTimeoutAck. opcodeTimeout may only be sent by the Go side.
+const opcodeTimeout = byte('T')
+
+// opcodeTimeoutAck acknowledges a read timeout. This opcode has no payload and
+// may only be sent by the C side. Timeout ACKs act as a synchronization point
+// at the timeout, to bracket one flight of messages from C.
+const opcodeTimeoutAck = byte('t')
+
type packetAdaptor struct {
net.Conn
}
-// newPacketAdaptor wraps a reliable streaming net.Conn into a
-// reliable packet-based net.Conn. Every packet is encoded with a
-// 32-bit length prefix as a framing layer.
-func newPacketAdaptor(conn net.Conn) net.Conn {
+// newPacketAdaptor wraps a reliable streaming net.Conn into a reliable
+// packet-based net.Conn. The stream contains packets and control commands,
+// distinguished by a one byte opcode.
+func newPacketAdaptor(conn net.Conn) *packetAdaptor {
return &packetAdaptor{conn}
}
-func (p *packetAdaptor) Read(b []byte) (int, error) {
- var length uint32
- if err := binary.Read(p.Conn, binary.BigEndian, &length); err != nil {
+func (p *packetAdaptor) readOpcode() (byte, error) {
+ out := make([]byte, 1)
+ if _, err := io.ReadFull(p.Conn, out); err != nil {
return 0, err
}
+ return out[0], nil
+}
+
+func (p *packetAdaptor) readPacketBody() ([]byte, error) {
+ var length uint32
+ if err := binary.Read(p.Conn, binary.BigEndian, &length); err != nil {
+ return nil, err
+ }
out := make([]byte, length)
- n, err := p.Conn.Read(out)
+ if _, err := io.ReadFull(p.Conn, out); err != nil {
+ return nil, err
+ }
+ return out, nil
+}
+
+func (p *packetAdaptor) Read(b []byte) (int, error) {
+ opcode, err := p.readOpcode()
if err != nil {
return 0, err
}
- if n != int(length) {
- return 0, errors.New("internal error: length mismatch!")
+ if opcode != opcodePacket {
+ return 0, fmt.Errorf("unexpected opcode '%d'", opcode)
+ }
+ out, err := p.readPacketBody()
+ if err != nil {
+ return 0, err
}
return copy(b, out), nil
}
func (p *packetAdaptor) Write(b []byte) (int, error) {
- length := uint32(len(b))
- if err := binary.Write(p.Conn, binary.BigEndian, length); err != nil {
+ payload := make([]byte, 1+4+len(b))
+ payload[0] = opcodePacket
+ binary.BigEndian.PutUint32(payload[1:5], uint32(len(b)))
+ copy(payload[5:], b)
+ if _, err := p.Conn.Write(payload); err != nil {
return 0, err
}
- n, err := p.Conn.Write(b)
- if err != nil {
- return 0, err
- }
- if n != len(b) {
- return 0, errors.New("internal error: length mismatch!")
- }
return len(b), nil
}
+// SendReadTimeout instructs the peer to simulate a read timeout. It then waits
+// for acknowledgement of the timeout, buffering any packets received since
+// then. The packets are then returned.
+func (p *packetAdaptor) SendReadTimeout(d time.Duration) ([][]byte, error) {
+ payload := make([]byte, 1+8)
+ payload[0] = opcodeTimeout
+ binary.BigEndian.PutUint64(payload[1:], uint64(d.Nanoseconds()))
+ if _, err := p.Conn.Write(payload); err != nil {
+ return nil, err
+ }
+
+ var packets [][]byte
+ for {
+ opcode, err := p.readOpcode()
+ if err != nil {
+ return nil, err
+ }
+ switch opcode {
+ case opcodeTimeoutAck:
+ // Done! Return the packets buffered and continue.
+ return packets, nil
+ case opcodePacket:
+ // Buffer the packet for the caller to process.
+ packet, err := p.readPacketBody()
+ if err != nil {
+ return nil, err
+ }
+ packets = append(packets, packet)
+ default:
+ return nil, fmt.Errorf("unexpected opcode '%d'", opcode)
+ }
+ }
+}
+
type replayAdaptor struct {
net.Conn
prevWrite []byte
diff --git a/src/ssl/test/runner/poly1305.go b/src/ssl/test/runner/poly1305.go
new file mode 100644
index 0000000..51a1009
--- /dev/null
+++ b/src/ssl/test/runner/poly1305.go
@@ -0,0 +1,1540 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+// Based on original, public domain implementation from NaCl by D. J.
+// Bernstein.
+
+import (
+ "crypto/subtle"
+ "math"
+)
+
+const (
+ alpham80 = 0.00000000558793544769287109375
+ alpham48 = 24.0
+ alpham16 = 103079215104.0
+ alpha0 = 6755399441055744.0
+ alpha18 = 1770887431076116955136.0
+ alpha32 = 29014219670751100192948224.0
+ alpha50 = 7605903601369376408980219232256.0
+ alpha64 = 124615124604835863084731911901282304.0
+ alpha82 = 32667107224410092492483962313449748299776.0
+ alpha96 = 535217884764734955396857238543560676143529984.0
+ alpha112 = 35076039295941670036888435985190792471742381031424.0
+ alpha130 = 9194973245195333150150082162901855101712434733101613056.0
+ scale = 0.0000000000000000000000000000000000000036734198463196484624023016788195177431833298649127735047148490821200539357960224151611328125
+ offset0 = 6755408030990331.0
+ offset1 = 29014256564239239022116864.0
+ offset2 = 124615283061160854719918951570079744.0
+ offset3 = 535219245894202480694386063513315216128475136.0
+)
+
+// poly1305Verify returns true if mac is a valid authenticator for m with the
+// given key.
+func poly1305Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
+ var tmp [16]byte
+ poly1305Sum(&tmp, m, key)
+ return subtle.ConstantTimeCompare(tmp[:], mac[:]) == 1
+}
+
+// poly1305Sum generates an authenticator for m using a one-time key and puts
+// the 16-byte result into out. Authenticating two different messages with the
+// same key allows an attacker to forge messages at will.
+func poly1305Sum(out *[16]byte, m []byte, key *[32]byte) {
+ r := key
+ s := key[16:]
+ var (
+ y7 float64
+ y6 float64
+ y1 float64
+ y0 float64
+ y5 float64
+ y4 float64
+ x7 float64
+ x6 float64
+ x1 float64
+ x0 float64
+ y3 float64
+ y2 float64
+ x5 float64
+ r3lowx0 float64
+ x4 float64
+ r0lowx6 float64
+ x3 float64
+ r3highx0 float64
+ x2 float64
+ r0highx6 float64
+ r0lowx0 float64
+ sr1lowx6 float64
+ r0highx0 float64
+ sr1highx6 float64
+ sr3low float64
+ r1lowx0 float64
+ sr2lowx6 float64
+ r1highx0 float64
+ sr2highx6 float64
+ r2lowx0 float64
+ sr3lowx6 float64
+ r2highx0 float64
+ sr3highx6 float64
+ r1highx4 float64
+ r1lowx4 float64
+ r0highx4 float64
+ r0lowx4 float64
+ sr3highx4 float64
+ sr3lowx4 float64
+ sr2highx4 float64
+ sr2lowx4 float64
+ r0lowx2 float64
+ r0highx2 float64
+ r1lowx2 float64
+ r1highx2 float64
+ r2lowx2 float64
+ r2highx2 float64
+ sr3lowx2 float64
+ sr3highx2 float64
+ z0 float64
+ z1 float64
+ z2 float64
+ z3 float64
+ m0 int64
+ m1 int64
+ m2 int64
+ m3 int64
+ m00 uint32
+ m01 uint32
+ m02 uint32
+ m03 uint32
+ m10 uint32
+ m11 uint32
+ m12 uint32
+ m13 uint32
+ m20 uint32
+ m21 uint32
+ m22 uint32
+ m23 uint32
+ m30 uint32
+ m31 uint32
+ m32 uint32
+ m33 uint64
+ lbelow2 int32
+ lbelow3 int32
+ lbelow4 int32
+ lbelow5 int32
+ lbelow6 int32
+ lbelow7 int32
+ lbelow8 int32
+ lbelow9 int32
+ lbelow10 int32
+ lbelow11 int32
+ lbelow12 int32
+ lbelow13 int32
+ lbelow14 int32
+ lbelow15 int32
+ s00 uint32
+ s01 uint32
+ s02 uint32
+ s03 uint32
+ s10 uint32
+ s11 uint32
+ s12 uint32
+ s13 uint32
+ s20 uint32
+ s21 uint32
+ s22 uint32
+ s23 uint32
+ s30 uint32
+ s31 uint32
+ s32 uint32
+ s33 uint32
+ bits32 uint64
+ f uint64
+ f0 uint64
+ f1 uint64
+ f2 uint64
+ f3 uint64
+ f4 uint64
+ g uint64
+ g0 uint64
+ g1 uint64
+ g2 uint64
+ g3 uint64
+ g4 uint64
+ )
+
+ var p int32
+
+ l := int32(len(m))
+
+ r00 := uint32(r[0])
+
+ r01 := uint32(r[1])
+
+ r02 := uint32(r[2])
+ r0 := int64(2151)
+
+ r03 := uint32(r[3])
+ r03 &= 15
+ r0 <<= 51
+
+ r10 := uint32(r[4])
+ r10 &= 252
+ r01 <<= 8
+ r0 += int64(r00)
+
+ r11 := uint32(r[5])
+ r02 <<= 16
+ r0 += int64(r01)
+
+ r12 := uint32(r[6])
+ r03 <<= 24
+ r0 += int64(r02)
+
+ r13 := uint32(r[7])
+ r13 &= 15
+ r1 := int64(2215)
+ r0 += int64(r03)
+
+ d0 := r0
+ r1 <<= 51
+ r2 := int64(2279)
+
+ r20 := uint32(r[8])
+ r20 &= 252
+ r11 <<= 8
+ r1 += int64(r10)
+
+ r21 := uint32(r[9])
+ r12 <<= 16
+ r1 += int64(r11)
+
+ r22 := uint32(r[10])
+ r13 <<= 24
+ r1 += int64(r12)
+
+ r23 := uint32(r[11])
+ r23 &= 15
+ r2 <<= 51
+ r1 += int64(r13)
+
+ d1 := r1
+ r21 <<= 8
+ r2 += int64(r20)
+
+ r30 := uint32(r[12])
+ r30 &= 252
+ r22 <<= 16
+ r2 += int64(r21)
+
+ r31 := uint32(r[13])
+ r23 <<= 24
+ r2 += int64(r22)
+
+ r32 := uint32(r[14])
+ r2 += int64(r23)
+ r3 := int64(2343)
+
+ d2 := r2
+ r3 <<= 51
+
+ r33 := uint32(r[15])
+ r33 &= 15
+ r31 <<= 8
+ r3 += int64(r30)
+
+ r32 <<= 16
+ r3 += int64(r31)
+
+ r33 <<= 24
+ r3 += int64(r32)
+
+ r3 += int64(r33)
+ h0 := alpha32 - alpha32
+
+ d3 := r3
+ h1 := alpha32 - alpha32
+
+ h2 := alpha32 - alpha32
+
+ h3 := alpha32 - alpha32
+
+ h4 := alpha32 - alpha32
+
+ r0low := math.Float64frombits(uint64(d0))
+ h5 := alpha32 - alpha32
+
+ r1low := math.Float64frombits(uint64(d1))
+ h6 := alpha32 - alpha32
+
+ r2low := math.Float64frombits(uint64(d2))
+ h7 := alpha32 - alpha32
+
+ r0low -= alpha0
+
+ r1low -= alpha32
+
+ r2low -= alpha64
+
+ r0high := r0low + alpha18
+
+ r3low := math.Float64frombits(uint64(d3))
+
+ r1high := r1low + alpha50
+ sr1low := scale * r1low
+
+ r2high := r2low + alpha82
+ sr2low := scale * r2low
+
+ r0high -= alpha18
+ r0high_stack := r0high
+
+ r3low -= alpha96
+
+ r1high -= alpha50
+ r1high_stack := r1high
+
+ sr1high := sr1low + alpham80
+
+ r0low -= r0high
+
+ r2high -= alpha82
+ sr3low = scale * r3low
+
+ sr2high := sr2low + alpham48
+
+ r1low -= r1high
+ r1low_stack := r1low
+
+ sr1high -= alpham80
+ sr1high_stack := sr1high
+
+ r2low -= r2high
+ r2low_stack := r2low
+
+ sr2high -= alpham48
+ sr2high_stack := sr2high
+
+ r3high := r3low + alpha112
+ r0low_stack := r0low
+
+ sr1low -= sr1high
+ sr1low_stack := sr1low
+
+ sr3high := sr3low + alpham16
+ r2high_stack := r2high
+
+ sr2low -= sr2high
+ sr2low_stack := sr2low
+
+ r3high -= alpha112
+ r3high_stack := r3high
+
+ sr3high -= alpham16
+ sr3high_stack := sr3high
+
+ r3low -= r3high
+ r3low_stack := r3low
+
+ sr3low -= sr3high
+ sr3low_stack := sr3low
+
+ if l < 16 {
+ goto addatmost15bytes
+ }
+
+ m00 = uint32(m[p+0])
+ m0 = 2151
+
+ m0 <<= 51
+ m1 = 2215
+ m01 = uint32(m[p+1])
+
+ m1 <<= 51
+ m2 = 2279
+ m02 = uint32(m[p+2])
+
+ m2 <<= 51
+ m3 = 2343
+ m03 = uint32(m[p+3])
+
+ m10 = uint32(m[p+4])
+ m01 <<= 8
+ m0 += int64(m00)
+
+ m11 = uint32(m[p+5])
+ m02 <<= 16
+ m0 += int64(m01)
+
+ m12 = uint32(m[p+6])
+ m03 <<= 24
+ m0 += int64(m02)
+
+ m13 = uint32(m[p+7])
+ m3 <<= 51
+ m0 += int64(m03)
+
+ m20 = uint32(m[p+8])
+ m11 <<= 8
+ m1 += int64(m10)
+
+ m21 = uint32(m[p+9])
+ m12 <<= 16
+ m1 += int64(m11)
+
+ m22 = uint32(m[p+10])
+ m13 <<= 24
+ m1 += int64(m12)
+
+ m23 = uint32(m[p+11])
+ m1 += int64(m13)
+
+ m30 = uint32(m[p+12])
+ m21 <<= 8
+ m2 += int64(m20)
+
+ m31 = uint32(m[p+13])
+ m22 <<= 16
+ m2 += int64(m21)
+
+ m32 = uint32(m[p+14])
+ m23 <<= 24
+ m2 += int64(m22)
+
+ m33 = uint64(m[p+15])
+ m2 += int64(m23)
+
+ d0 = m0
+ m31 <<= 8
+ m3 += int64(m30)
+
+ d1 = m1
+ m32 <<= 16
+ m3 += int64(m31)
+
+ d2 = m2
+ m33 += 256
+
+ m33 <<= 24
+ m3 += int64(m32)
+
+ m3 += int64(m33)
+ d3 = m3
+
+ p += 16
+ l -= 16
+
+ z0 = math.Float64frombits(uint64(d0))
+
+ z1 = math.Float64frombits(uint64(d1))
+
+ z2 = math.Float64frombits(uint64(d2))
+
+ z3 = math.Float64frombits(uint64(d3))
+
+ z0 -= alpha0
+
+ z1 -= alpha32
+
+ z2 -= alpha64
+
+ z3 -= alpha96
+
+ h0 += z0
+
+ h1 += z1
+
+ h3 += z2
+
+ h5 += z3
+
+ if l < 16 {
+ goto multiplyaddatmost15bytes
+ }
+
+multiplyaddatleast16bytes:
+
+ m2 = 2279
+ m20 = uint32(m[p+8])
+ y7 = h7 + alpha130
+
+ m2 <<= 51
+ m3 = 2343
+ m21 = uint32(m[p+9])
+ y6 = h6 + alpha130
+
+ m3 <<= 51
+ m0 = 2151
+ m22 = uint32(m[p+10])
+ y1 = h1 + alpha32
+
+ m0 <<= 51
+ m1 = 2215
+ m23 = uint32(m[p+11])
+ y0 = h0 + alpha32
+
+ m1 <<= 51
+ m30 = uint32(m[p+12])
+ y7 -= alpha130
+
+ m21 <<= 8
+ m2 += int64(m20)
+ m31 = uint32(m[p+13])
+ y6 -= alpha130
+
+ m22 <<= 16
+ m2 += int64(m21)
+ m32 = uint32(m[p+14])
+ y1 -= alpha32
+
+ m23 <<= 24
+ m2 += int64(m22)
+ m33 = uint64(m[p+15])
+ y0 -= alpha32
+
+ m2 += int64(m23)
+ m00 = uint32(m[p+0])
+ y5 = h5 + alpha96
+
+ m31 <<= 8
+ m3 += int64(m30)
+ m01 = uint32(m[p+1])
+ y4 = h4 + alpha96
+
+ m32 <<= 16
+ m02 = uint32(m[p+2])
+ x7 = h7 - y7
+ y7 *= scale
+
+ m33 += 256
+ m03 = uint32(m[p+3])
+ x6 = h6 - y6
+ y6 *= scale
+
+ m33 <<= 24
+ m3 += int64(m31)
+ m10 = uint32(m[p+4])
+ x1 = h1 - y1
+
+ m01 <<= 8
+ m3 += int64(m32)
+ m11 = uint32(m[p+5])
+ x0 = h0 - y0
+
+ m3 += int64(m33)
+ m0 += int64(m00)
+ m12 = uint32(m[p+6])
+ y5 -= alpha96
+
+ m02 <<= 16
+ m0 += int64(m01)
+ m13 = uint32(m[p+7])
+ y4 -= alpha96
+
+ m03 <<= 24
+ m0 += int64(m02)
+ d2 = m2
+ x1 += y7
+
+ m0 += int64(m03)
+ d3 = m3
+ x0 += y6
+
+ m11 <<= 8
+ m1 += int64(m10)
+ d0 = m0
+ x7 += y5
+
+ m12 <<= 16
+ m1 += int64(m11)
+ x6 += y4
+
+ m13 <<= 24
+ m1 += int64(m12)
+ y3 = h3 + alpha64
+
+ m1 += int64(m13)
+ d1 = m1
+ y2 = h2 + alpha64
+
+ x0 += x1
+
+ x6 += x7
+
+ y3 -= alpha64
+ r3low = r3low_stack
+
+ y2 -= alpha64
+ r0low = r0low_stack
+
+ x5 = h5 - y5
+ r3lowx0 = r3low * x0
+ r3high = r3high_stack
+
+ x4 = h4 - y4
+ r0lowx6 = r0low * x6
+ r0high = r0high_stack
+
+ x3 = h3 - y3
+ r3highx0 = r3high * x0
+ sr1low = sr1low_stack
+
+ x2 = h2 - y2
+ r0highx6 = r0high * x6
+ sr1high = sr1high_stack
+
+ x5 += y3
+ r0lowx0 = r0low * x0
+ r1low = r1low_stack
+
+ h6 = r3lowx0 + r0lowx6
+ sr1lowx6 = sr1low * x6
+ r1high = r1high_stack
+
+ x4 += y2
+ r0highx0 = r0high * x0
+ sr2low = sr2low_stack
+
+ h7 = r3highx0 + r0highx6
+ sr1highx6 = sr1high * x6
+ sr2high = sr2high_stack
+
+ x3 += y1
+ r1lowx0 = r1low * x0
+ r2low = r2low_stack
+
+ h0 = r0lowx0 + sr1lowx6
+ sr2lowx6 = sr2low * x6
+ r2high = r2high_stack
+
+ x2 += y0
+ r1highx0 = r1high * x0
+ sr3low = sr3low_stack
+
+ h1 = r0highx0 + sr1highx6
+ sr2highx6 = sr2high * x6
+ sr3high = sr3high_stack
+
+ x4 += x5
+ r2lowx0 = r2low * x0
+ z2 = math.Float64frombits(uint64(d2))
+
+ h2 = r1lowx0 + sr2lowx6
+ sr3lowx6 = sr3low * x6
+
+ x2 += x3
+ r2highx0 = r2high * x0
+ z3 = math.Float64frombits(uint64(d3))
+
+ h3 = r1highx0 + sr2highx6
+ sr3highx6 = sr3high * x6
+
+ r1highx4 = r1high * x4
+ z2 -= alpha64
+
+ h4 = r2lowx0 + sr3lowx6
+ r1lowx4 = r1low * x4
+
+ r0highx4 = r0high * x4
+ z3 -= alpha96
+
+ h5 = r2highx0 + sr3highx6
+ r0lowx4 = r0low * x4
+
+ h7 += r1highx4
+ sr3highx4 = sr3high * x4
+
+ h6 += r1lowx4
+ sr3lowx4 = sr3low * x4
+
+ h5 += r0highx4
+ sr2highx4 = sr2high * x4
+
+ h4 += r0lowx4
+ sr2lowx4 = sr2low * x4
+
+ h3 += sr3highx4
+ r0lowx2 = r0low * x2
+
+ h2 += sr3lowx4
+ r0highx2 = r0high * x2
+
+ h1 += sr2highx4
+ r1lowx2 = r1low * x2
+
+ h0 += sr2lowx4
+ r1highx2 = r1high * x2
+
+ h2 += r0lowx2
+ r2lowx2 = r2low * x2
+
+ h3 += r0highx2
+ r2highx2 = r2high * x2
+
+ h4 += r1lowx2
+ sr3lowx2 = sr3low * x2
+
+ h5 += r1highx2
+ sr3highx2 = sr3high * x2
+
+ p += 16
+ l -= 16
+ h6 += r2lowx2
+
+ h7 += r2highx2
+
+ z1 = math.Float64frombits(uint64(d1))
+ h0 += sr3lowx2
+
+ z0 = math.Float64frombits(uint64(d0))
+ h1 += sr3highx2
+
+ z1 -= alpha32
+
+ z0 -= alpha0
+
+ h5 += z3
+
+ h3 += z2
+
+ h1 += z1
+
+ h0 += z0
+
+ if l >= 16 {
+ goto multiplyaddatleast16bytes
+ }
+
+multiplyaddatmost15bytes:
+
+ y7 = h7 + alpha130
+
+ y6 = h6 + alpha130
+
+ y1 = h1 + alpha32
+
+ y0 = h0 + alpha32
+
+ y7 -= alpha130
+
+ y6 -= alpha130
+
+ y1 -= alpha32
+
+ y0 -= alpha32
+
+ y5 = h5 + alpha96
+
+ y4 = h4 + alpha96
+
+ x7 = h7 - y7
+ y7 *= scale
+
+ x6 = h6 - y6
+ y6 *= scale
+
+ x1 = h1 - y1
+
+ x0 = h0 - y0
+
+ y5 -= alpha96
+
+ y4 -= alpha96
+
+ x1 += y7
+
+ x0 += y6
+
+ x7 += y5
+
+ x6 += y4
+
+ y3 = h3 + alpha64
+
+ y2 = h2 + alpha64
+
+ x0 += x1
+
+ x6 += x7
+
+ y3 -= alpha64
+ r3low = r3low_stack
+
+ y2 -= alpha64
+ r0low = r0low_stack
+
+ x5 = h5 - y5
+ r3lowx0 = r3low * x0
+ r3high = r3high_stack
+
+ x4 = h4 - y4
+ r0lowx6 = r0low * x6
+ r0high = r0high_stack
+
+ x3 = h3 - y3
+ r3highx0 = r3high * x0
+ sr1low = sr1low_stack
+
+ x2 = h2 - y2
+ r0highx6 = r0high * x6
+ sr1high = sr1high_stack
+
+ x5 += y3
+ r0lowx0 = r0low * x0
+ r1low = r1low_stack
+
+ h6 = r3lowx0 + r0lowx6
+ sr1lowx6 = sr1low * x6
+ r1high = r1high_stack
+
+ x4 += y2
+ r0highx0 = r0high * x0
+ sr2low = sr2low_stack
+
+ h7 = r3highx0 + r0highx6
+ sr1highx6 = sr1high * x6
+ sr2high = sr2high_stack
+
+ x3 += y1
+ r1lowx0 = r1low * x0
+ r2low = r2low_stack
+
+ h0 = r0lowx0 + sr1lowx6
+ sr2lowx6 = sr2low * x6
+ r2high = r2high_stack
+
+ x2 += y0
+ r1highx0 = r1high * x0
+ sr3low = sr3low_stack
+
+ h1 = r0highx0 + sr1highx6
+ sr2highx6 = sr2high * x6
+ sr3high = sr3high_stack
+
+ x4 += x5
+ r2lowx0 = r2low * x0
+
+ h2 = r1lowx0 + sr2lowx6
+ sr3lowx6 = sr3low * x6
+
+ x2 += x3
+ r2highx0 = r2high * x0
+
+ h3 = r1highx0 + sr2highx6
+ sr3highx6 = sr3high * x6
+
+ r1highx4 = r1high * x4
+
+ h4 = r2lowx0 + sr3lowx6
+ r1lowx4 = r1low * x4
+
+ r0highx4 = r0high * x4
+
+ h5 = r2highx0 + sr3highx6
+ r0lowx4 = r0low * x4
+
+ h7 += r1highx4
+ sr3highx4 = sr3high * x4
+
+ h6 += r1lowx4
+ sr3lowx4 = sr3low * x4
+
+ h5 += r0highx4
+ sr2highx4 = sr2high * x4
+
+ h4 += r0lowx4
+ sr2lowx4 = sr2low * x4
+
+ h3 += sr3highx4
+ r0lowx2 = r0low * x2
+
+ h2 += sr3lowx4
+ r0highx2 = r0high * x2
+
+ h1 += sr2highx4
+ r1lowx2 = r1low * x2
+
+ h0 += sr2lowx4
+ r1highx2 = r1high * x2
+
+ h2 += r0lowx2
+ r2lowx2 = r2low * x2
+
+ h3 += r0highx2
+ r2highx2 = r2high * x2
+
+ h4 += r1lowx2
+ sr3lowx2 = sr3low * x2
+
+ h5 += r1highx2
+ sr3highx2 = sr3high * x2
+
+ h6 += r2lowx2
+
+ h7 += r2highx2
+
+ h0 += sr3lowx2
+
+ h1 += sr3highx2
+
+addatmost15bytes:
+
+ if l == 0 {
+ goto nomorebytes
+ }
+
+ lbelow2 = l - 2
+
+ lbelow3 = l - 3
+
+ lbelow2 >>= 31
+ lbelow4 = l - 4
+
+ m00 = uint32(m[p+0])
+ lbelow3 >>= 31
+ p += lbelow2
+
+ m01 = uint32(m[p+1])
+ lbelow4 >>= 31
+ p += lbelow3
+
+ m02 = uint32(m[p+2])
+ p += lbelow4
+ m0 = 2151
+
+ m03 = uint32(m[p+3])
+ m0 <<= 51
+ m1 = 2215
+
+ m0 += int64(m00)
+ m01 &^= uint32(lbelow2)
+
+ m02 &^= uint32(lbelow3)
+ m01 -= uint32(lbelow2)
+
+ m01 <<= 8
+ m03 &^= uint32(lbelow4)
+
+ m0 += int64(m01)
+ lbelow2 -= lbelow3
+
+ m02 += uint32(lbelow2)
+ lbelow3 -= lbelow4
+
+ m02 <<= 16
+ m03 += uint32(lbelow3)
+
+ m03 <<= 24
+ m0 += int64(m02)
+
+ m0 += int64(m03)
+ lbelow5 = l - 5
+
+ lbelow6 = l - 6
+ lbelow7 = l - 7
+
+ lbelow5 >>= 31
+ lbelow8 = l - 8
+
+ lbelow6 >>= 31
+ p += lbelow5
+
+ m10 = uint32(m[p+4])
+ lbelow7 >>= 31
+ p += lbelow6
+
+ m11 = uint32(m[p+5])
+ lbelow8 >>= 31
+ p += lbelow7
+
+ m12 = uint32(m[p+6])
+ m1 <<= 51
+ p += lbelow8
+
+ m13 = uint32(m[p+7])
+ m10 &^= uint32(lbelow5)
+ lbelow4 -= lbelow5
+
+ m10 += uint32(lbelow4)
+ lbelow5 -= lbelow6
+
+ m11 &^= uint32(lbelow6)
+ m11 += uint32(lbelow5)
+
+ m11 <<= 8
+ m1 += int64(m10)
+
+ m1 += int64(m11)
+ m12 &^= uint32(lbelow7)
+
+ lbelow6 -= lbelow7
+ m13 &^= uint32(lbelow8)
+
+ m12 += uint32(lbelow6)
+ lbelow7 -= lbelow8
+
+ m12 <<= 16
+ m13 += uint32(lbelow7)
+
+ m13 <<= 24
+ m1 += int64(m12)
+
+ m1 += int64(m13)
+ m2 = 2279
+
+ lbelow9 = l - 9
+ m3 = 2343
+
+ lbelow10 = l - 10
+ lbelow11 = l - 11
+
+ lbelow9 >>= 31
+ lbelow12 = l - 12
+
+ lbelow10 >>= 31
+ p += lbelow9
+
+ m20 = uint32(m[p+8])
+ lbelow11 >>= 31
+ p += lbelow10
+
+ m21 = uint32(m[p+9])
+ lbelow12 >>= 31
+ p += lbelow11
+
+ m22 = uint32(m[p+10])
+ m2 <<= 51
+ p += lbelow12
+
+ m23 = uint32(m[p+11])
+ m20 &^= uint32(lbelow9)
+ lbelow8 -= lbelow9
+
+ m20 += uint32(lbelow8)
+ lbelow9 -= lbelow10
+
+ m21 &^= uint32(lbelow10)
+ m21 += uint32(lbelow9)
+
+ m21 <<= 8
+ m2 += int64(m20)
+
+ m2 += int64(m21)
+ m22 &^= uint32(lbelow11)
+
+ lbelow10 -= lbelow11
+ m23 &^= uint32(lbelow12)
+
+ m22 += uint32(lbelow10)
+ lbelow11 -= lbelow12
+
+ m22 <<= 16
+ m23 += uint32(lbelow11)
+
+ m23 <<= 24
+ m2 += int64(m22)
+
+ m3 <<= 51
+ lbelow13 = l - 13
+
+ lbelow13 >>= 31
+ lbelow14 = l - 14
+
+ lbelow14 >>= 31
+ p += lbelow13
+ lbelow15 = l - 15
+
+ m30 = uint32(m[p+12])
+ lbelow15 >>= 31
+ p += lbelow14
+
+ m31 = uint32(m[p+13])
+ p += lbelow15
+ m2 += int64(m23)
+
+ m32 = uint32(m[p+14])
+ m30 &^= uint32(lbelow13)
+ lbelow12 -= lbelow13
+
+ m30 += uint32(lbelow12)
+ lbelow13 -= lbelow14
+
+ m3 += int64(m30)
+ m31 &^= uint32(lbelow14)
+
+ m31 += uint32(lbelow13)
+ m32 &^= uint32(lbelow15)
+
+ m31 <<= 8
+ lbelow14 -= lbelow15
+
+ m3 += int64(m31)
+ m32 += uint32(lbelow14)
+ d0 = m0
+
+ m32 <<= 16
+ m33 = uint64(lbelow15 + 1)
+ d1 = m1
+
+ m33 <<= 24
+ m3 += int64(m32)
+ d2 = m2
+
+ m3 += int64(m33)
+ d3 = m3
+
+ z3 = math.Float64frombits(uint64(d3))
+
+ z2 = math.Float64frombits(uint64(d2))
+
+ z1 = math.Float64frombits(uint64(d1))
+
+ z0 = math.Float64frombits(uint64(d0))
+
+ z3 -= alpha96
+
+ z2 -= alpha64
+
+ z1 -= alpha32
+
+ z0 -= alpha0
+
+ h5 += z3
+
+ h3 += z2
+
+ h1 += z1
+
+ h0 += z0
+
+ y7 = h7 + alpha130
+
+ y6 = h6 + alpha130
+
+ y1 = h1 + alpha32
+
+ y0 = h0 + alpha32
+
+ y7 -= alpha130
+
+ y6 -= alpha130
+
+ y1 -= alpha32
+
+ y0 -= alpha32
+
+ y5 = h5 + alpha96
+
+ y4 = h4 + alpha96
+
+ x7 = h7 - y7
+ y7 *= scale
+
+ x6 = h6 - y6
+ y6 *= scale
+
+ x1 = h1 - y1
+
+ x0 = h0 - y0
+
+ y5 -= alpha96
+
+ y4 -= alpha96
+
+ x1 += y7
+
+ x0 += y6
+
+ x7 += y5
+
+ x6 += y4
+
+ y3 = h3 + alpha64
+
+ y2 = h2 + alpha64
+
+ x0 += x1
+
+ x6 += x7
+
+ y3 -= alpha64
+ r3low = r3low_stack
+
+ y2 -= alpha64
+ r0low = r0low_stack
+
+ x5 = h5 - y5
+ r3lowx0 = r3low * x0
+ r3high = r3high_stack
+
+ x4 = h4 - y4
+ r0lowx6 = r0low * x6
+ r0high = r0high_stack
+
+ x3 = h3 - y3
+ r3highx0 = r3high * x0
+ sr1low = sr1low_stack
+
+ x2 = h2 - y2
+ r0highx6 = r0high * x6
+ sr1high = sr1high_stack
+
+ x5 += y3
+ r0lowx0 = r0low * x0
+ r1low = r1low_stack
+
+ h6 = r3lowx0 + r0lowx6
+ sr1lowx6 = sr1low * x6
+ r1high = r1high_stack
+
+ x4 += y2
+ r0highx0 = r0high * x0
+ sr2low = sr2low_stack
+
+ h7 = r3highx0 + r0highx6
+ sr1highx6 = sr1high * x6
+ sr2high = sr2high_stack
+
+ x3 += y1
+ r1lowx0 = r1low * x0
+ r2low = r2low_stack
+
+ h0 = r0lowx0 + sr1lowx6
+ sr2lowx6 = sr2low * x6
+ r2high = r2high_stack
+
+ x2 += y0
+ r1highx0 = r1high * x0
+ sr3low = sr3low_stack
+
+ h1 = r0highx0 + sr1highx6
+ sr2highx6 = sr2high * x6
+ sr3high = sr3high_stack
+
+ x4 += x5
+ r2lowx0 = r2low * x0
+
+ h2 = r1lowx0 + sr2lowx6
+ sr3lowx6 = sr3low * x6
+
+ x2 += x3
+ r2highx0 = r2high * x0
+
+ h3 = r1highx0 + sr2highx6
+ sr3highx6 = sr3high * x6
+
+ r1highx4 = r1high * x4
+
+ h4 = r2lowx0 + sr3lowx6
+ r1lowx4 = r1low * x4
+
+ r0highx4 = r0high * x4
+
+ h5 = r2highx0 + sr3highx6
+ r0lowx4 = r0low * x4
+
+ h7 += r1highx4
+ sr3highx4 = sr3high * x4
+
+ h6 += r1lowx4
+ sr3lowx4 = sr3low * x4
+
+ h5 += r0highx4
+ sr2highx4 = sr2high * x4
+
+ h4 += r0lowx4
+ sr2lowx4 = sr2low * x4
+
+ h3 += sr3highx4
+ r0lowx2 = r0low * x2
+
+ h2 += sr3lowx4
+ r0highx2 = r0high * x2
+
+ h1 += sr2highx4
+ r1lowx2 = r1low * x2
+
+ h0 += sr2lowx4
+ r1highx2 = r1high * x2
+
+ h2 += r0lowx2
+ r2lowx2 = r2low * x2
+
+ h3 += r0highx2
+ r2highx2 = r2high * x2
+
+ h4 += r1lowx2
+ sr3lowx2 = sr3low * x2
+
+ h5 += r1highx2
+ sr3highx2 = sr3high * x2
+
+ h6 += r2lowx2
+
+ h7 += r2highx2
+
+ h0 += sr3lowx2
+
+ h1 += sr3highx2
+
+nomorebytes:
+
+ y7 = h7 + alpha130
+
+ y0 = h0 + alpha32
+
+ y1 = h1 + alpha32
+
+ y2 = h2 + alpha64
+
+ y7 -= alpha130
+
+ y3 = h3 + alpha64
+
+ y4 = h4 + alpha96
+
+ y5 = h5 + alpha96
+
+ x7 = h7 - y7
+ y7 *= scale
+
+ y0 -= alpha32
+
+ y1 -= alpha32
+
+ y2 -= alpha64
+
+ h6 += x7
+
+ y3 -= alpha64
+
+ y4 -= alpha96
+
+ y5 -= alpha96
+
+ y6 = h6 + alpha130
+
+ x0 = h0 - y0
+
+ x1 = h1 - y1
+
+ x2 = h2 - y2
+
+ y6 -= alpha130
+
+ x0 += y7
+
+ x3 = h3 - y3
+
+ x4 = h4 - y4
+
+ x5 = h5 - y5
+
+ x6 = h6 - y6
+
+ y6 *= scale
+
+ x2 += y0
+
+ x3 += y1
+
+ x4 += y2
+
+ x0 += y6
+
+ x5 += y3
+
+ x6 += y4
+
+ x2 += x3
+
+ x0 += x1
+
+ x4 += x5
+
+ x6 += y5
+
+ x2 += offset1
+ d1 = int64(math.Float64bits(x2))
+
+ x0 += offset0
+ d0 = int64(math.Float64bits(x0))
+
+ x4 += offset2
+ d2 = int64(math.Float64bits(x4))
+
+ x6 += offset3
+ d3 = int64(math.Float64bits(x6))
+
+ f0 = uint64(d0)
+
+ f1 = uint64(d1)
+ bits32 = math.MaxUint64
+
+ f2 = uint64(d2)
+ bits32 >>= 32
+
+ f3 = uint64(d3)
+ f = f0 >> 32
+
+ f0 &= bits32
+ f &= 255
+
+ f1 += f
+ g0 = f0 + 5
+
+ g = g0 >> 32
+ g0 &= bits32
+
+ f = f1 >> 32
+ f1 &= bits32
+
+ f &= 255
+ g1 = f1 + g
+
+ g = g1 >> 32
+ f2 += f
+
+ f = f2 >> 32
+ g1 &= bits32
+
+ f2 &= bits32
+ f &= 255
+
+ f3 += f
+ g2 = f2 + g
+
+ g = g2 >> 32
+ g2 &= bits32
+
+ f4 = f3 >> 32
+ f3 &= bits32
+
+ f4 &= 255
+ g3 = f3 + g
+
+ g = g3 >> 32
+ g3 &= bits32
+
+ g4 = f4 + g
+
+ g4 = g4 - 4
+ s00 = uint32(s[0])
+
+ f = uint64(int64(g4) >> 63)
+ s01 = uint32(s[1])
+
+ f0 &= f
+ g0 &^= f
+ s02 = uint32(s[2])
+
+ f1 &= f
+ f0 |= g0
+ s03 = uint32(s[3])
+
+ g1 &^= f
+ f2 &= f
+ s10 = uint32(s[4])
+
+ f3 &= f
+ g2 &^= f
+ s11 = uint32(s[5])
+
+ g3 &^= f
+ f1 |= g1
+ s12 = uint32(s[6])
+
+ f2 |= g2
+ f3 |= g3
+ s13 = uint32(s[7])
+
+ s01 <<= 8
+ f0 += uint64(s00)
+ s20 = uint32(s[8])
+
+ s02 <<= 16
+ f0 += uint64(s01)
+ s21 = uint32(s[9])
+
+ s03 <<= 24
+ f0 += uint64(s02)
+ s22 = uint32(s[10])
+
+ s11 <<= 8
+ f1 += uint64(s10)
+ s23 = uint32(s[11])
+
+ s12 <<= 16
+ f1 += uint64(s11)
+ s30 = uint32(s[12])
+
+ s13 <<= 24
+ f1 += uint64(s12)
+ s31 = uint32(s[13])
+
+ f0 += uint64(s03)
+ f1 += uint64(s13)
+ s32 = uint32(s[14])
+
+ s21 <<= 8
+ f2 += uint64(s20)
+ s33 = uint32(s[15])
+
+ s22 <<= 16
+ f2 += uint64(s21)
+
+ s23 <<= 24
+ f2 += uint64(s22)
+
+ s31 <<= 8
+ f3 += uint64(s30)
+
+ s32 <<= 16
+ f3 += uint64(s31)
+
+ s33 <<= 24
+ f3 += uint64(s32)
+
+ f2 += uint64(s23)
+ f3 += uint64(s33)
+
+ out[0] = byte(f0)
+ f0 >>= 8
+ out[1] = byte(f0)
+ f0 >>= 8
+ out[2] = byte(f0)
+ f0 >>= 8
+ out[3] = byte(f0)
+ f0 >>= 8
+ f1 += f0
+
+ out[4] = byte(f1)
+ f1 >>= 8
+ out[5] = byte(f1)
+ f1 >>= 8
+ out[6] = byte(f1)
+ f1 >>= 8
+ out[7] = byte(f1)
+ f1 >>= 8
+ f2 += f1
+
+ out[8] = byte(f2)
+ f2 >>= 8
+ out[9] = byte(f2)
+ f2 >>= 8
+ out[10] = byte(f2)
+ f2 >>= 8
+ out[11] = byte(f2)
+ f2 >>= 8
+ f3 += f2
+
+ out[12] = byte(f3)
+ f3 >>= 8
+ out[13] = byte(f3)
+ f3 >>= 8
+ out[14] = byte(f3)
+ f3 >>= 8
+ out[15] = byte(f3)
+}
diff --git a/src/ssl/test/runner/prf.go b/src/ssl/test/runner/prf.go
index 75a8933..d445e76 100644
--- a/src/ssl/test/runner/prf.go
+++ b/src/ssl/test/runner/prf.go
@@ -323,14 +323,14 @@
// selectClientCertSignatureAlgorithm returns a signatureAndHash to sign a
// client's CertificateVerify with, or an error if none can be found.
-func (h finishedHash) selectClientCertSignatureAlgorithm(serverList []signatureAndHash, sigType uint8) (signatureAndHash, error) {
+func (h finishedHash) selectClientCertSignatureAlgorithm(serverList, clientList []signatureAndHash, sigType uint8) (signatureAndHash, error) {
if h.version < VersionTLS12 {
// Nothing to negotiate before TLS 1.2.
return signatureAndHash{signature: sigType}, nil
}
for _, v := range serverList {
- if v.signature == sigType && v.hash == hashSHA256 {
+ if v.signature == sigType && isSupportedSignatureAndHash(v, clientList) {
return v, nil
}
}
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index aaa2a4d..ec2fede 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -20,14 +20,17 @@
"strings"
"sync"
"syscall"
+ "time"
)
var (
- useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
- useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
- flagDebug *bool = flag.Bool("debug", false, "Hexdump the contents of the connection")
- mallocTest *int64 = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
- mallocTestDebug *bool = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
+ useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
+ useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
+ flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
+ mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
+ mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
+ jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
+ pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
)
const (
@@ -132,6 +135,9 @@
// expectedResumeVersion, if non-zero, specifies the TLS version that
// must be negotiated on resumption. If zero, expectedVersion is used.
expectedResumeVersion uint16
+ // expectedCipher, if non-zero, specifies the TLS cipher suite that
+ // should be negotiated.
+ expectedCipher uint16
// expectChannelID controls whether the connection should have
// negotiated a Channel ID with channelIDKey.
expectChannelID bool
@@ -181,6 +187,12 @@
// damageFirstWrite, if true, configures the underlying transport to
// damage the final byte of the first application data write.
damageFirstWrite bool
+ // exportKeyingMaterial, if non-zero, configures the test to exchange
+ // keying material and verify they match.
+ exportKeyingMaterial int
+ exportLabel string
+ exportContext string
+ useExportContext bool
// flags, if not empty, contains a list of command-line flags that will
// be passed to the shim program.
flags []string
@@ -292,6 +304,18 @@
expectedError: ":UNEXPECTED_MESSAGE:",
},
{
+ name: "SkipCertificateStatus",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ Bugs: ProtocolBugs{
+ SkipCertificateStatus: true,
+ },
+ },
+ flags: []string{
+ "-enable-ocsp-stapling",
+ },
+ },
+ {
name: "SkipServerKeyExchange",
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
@@ -376,11 +400,47 @@
},
{
testType: serverTest,
+ name: "Alert",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SendSpuriousAlert: alertRecordOverflow,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
+ },
+ {
+ protocol: dtls,
+ testType: serverTest,
+ name: "Alert-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SendSpuriousAlert: alertRecordOverflow,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
+ },
+ {
+ testType: serverTest,
name: "FragmentAlert",
config: Config{
Bugs: ProtocolBugs{
FragmentAlert: true,
- SendSpuriousAlert: true,
+ SendSpuriousAlert: alertRecordOverflow,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":BAD_ALERT:",
+ },
+ {
+ protocol: dtls,
+ testType: serverTest,
+ name: "FragmentAlert-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ FragmentAlert: true,
+ SendSpuriousAlert: alertRecordOverflow,
},
},
shouldFail: true,
@@ -536,11 +596,11 @@
expectedError: ":WRONG_CIPHER_RETURNED:",
},
{
- name: "RSAServerKeyExchange",
+ name: "RSAEphemeralKey",
config: Config{
CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
Bugs: ProtocolBugs{
- RSAServerKeyExchange: true,
+ RSAEphemeralKey: true,
},
},
shouldFail: true,
@@ -650,6 +710,380 @@
AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
},
},
+ // BoringSSL's DTLS implementation will drop the out-of-order
+ // application data.
+ },
+ {
+ name: "AlertAfterChangeCipherSpec",
+ config: Config{
+ Bugs: ProtocolBugs{
+ AlertAfterChangeCipherSpec: alertRecordOverflow,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
+ },
+ {
+ protocol: dtls,
+ name: "AlertAfterChangeCipherSpec-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ AlertAfterChangeCipherSpec: alertRecordOverflow,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
+ },
+ {
+ protocol: dtls,
+ name: "ReorderHandshakeFragments-Small-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ ReorderHandshakeFragments: true,
+ // Small enough that every handshake message is
+ // fragmented.
+ MaxHandshakeRecordLength: 2,
+ },
+ },
+ },
+ {
+ protocol: dtls,
+ name: "ReorderHandshakeFragments-Large-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ ReorderHandshakeFragments: true,
+ // Large enough that no handshake message is
+ // fragmented.
+ MaxHandshakeRecordLength: 2048,
+ },
+ },
+ },
+ {
+ protocol: dtls,
+ name: "MixCompleteMessageWithFragments-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ ReorderHandshakeFragments: true,
+ MixCompleteMessageWithFragments: true,
+ MaxHandshakeRecordLength: 2,
+ },
+ },
+ },
+ {
+ name: "SendInvalidRecordType",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SendInvalidRecordType: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_RECORD:",
+ },
+ {
+ protocol: dtls,
+ name: "SendInvalidRecordType-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SendInvalidRecordType: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_RECORD:",
+ },
+ {
+ name: "FalseStart-SkipServerSecondLeg",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ NextProtos: []string{"foo"},
+ Bugs: ProtocolBugs{
+ SkipNewSessionTicket: true,
+ SkipChangeCipherSpec: true,
+ SkipFinished: true,
+ ExpectFalseStart: true,
+ },
+ },
+ flags: []string{
+ "-false-start",
+ "-handshake-never-done",
+ "-advertise-alpn", "\x03foo",
+ },
+ shimWritesFirst: true,
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_RECORD:",
+ },
+ {
+ name: "FalseStart-SkipServerSecondLeg-Implicit",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ NextProtos: []string{"foo"},
+ Bugs: ProtocolBugs{
+ SkipNewSessionTicket: true,
+ SkipChangeCipherSpec: true,
+ SkipFinished: true,
+ },
+ },
+ flags: []string{
+ "-implicit-handshake",
+ "-false-start",
+ "-handshake-never-done",
+ "-advertise-alpn", "\x03foo",
+ },
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_RECORD:",
+ },
+ {
+ testType: serverTest,
+ name: "FailEarlyCallback",
+ flags: []string{"-fail-early-callback"},
+ shouldFail: true,
+ expectedError: ":CONNECTION_REJECTED:",
+ expectedLocalError: "remote error: access denied",
+ },
+ {
+ name: "WrongMessageType",
+ config: Config{
+ Bugs: ProtocolBugs{
+ WrongCertificateMessageType: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_MESSAGE:",
+ expectedLocalError: "remote error: unexpected message",
+ },
+ {
+ protocol: dtls,
+ name: "WrongMessageType-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ WrongCertificateMessageType: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_MESSAGE:",
+ expectedLocalError: "remote error: unexpected message",
+ },
+ {
+ protocol: dtls,
+ name: "FragmentMessageTypeMismatch-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ MaxHandshakeRecordLength: 2,
+ FragmentMessageTypeMismatch: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":FRAGMENT_MISMATCH:",
+ },
+ {
+ protocol: dtls,
+ name: "FragmentMessageLengthMismatch-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ MaxHandshakeRecordLength: 2,
+ FragmentMessageLengthMismatch: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":FRAGMENT_MISMATCH:",
+ },
+ {
+ protocol: dtls,
+ name: "SplitFragmentHeader-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SplitFragmentHeader: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_MESSAGE:",
+ },
+ {
+ protocol: dtls,
+ name: "SplitFragmentBody-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SplitFragmentBody: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_MESSAGE:",
+ },
+ {
+ protocol: dtls,
+ name: "SendEmptyFragments-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SendEmptyFragments: true,
+ },
+ },
+ },
+ {
+ name: "UnsupportedCipherSuite",
+ config: Config{
+ CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
+ Bugs: ProtocolBugs{
+ IgnorePeerCipherPreferences: true,
+ },
+ },
+ flags: []string{"-cipher", "DEFAULT:!RC4"},
+ shouldFail: true,
+ expectedError: ":WRONG_CIPHER_RETURNED:",
+ },
+ {
+ name: "UnsupportedCurve",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ // BoringSSL implements P-224 but doesn't enable it by
+ // default.
+ CurvePreferences: []CurveID{CurveP224},
+ Bugs: ProtocolBugs{
+ IgnorePeerCurvePreferences: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":WRONG_CURVE:",
+ },
+ {
+ name: "SendWarningAlerts",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SendWarningAlerts: alertAccessDenied,
+ },
+ },
+ },
+ {
+ protocol: dtls,
+ name: "SendWarningAlerts-DTLS",
+ config: Config{
+ Bugs: ProtocolBugs{
+ SendWarningAlerts: alertAccessDenied,
+ },
+ },
+ },
+ {
+ name: "BadFinished",
+ config: Config{
+ Bugs: ProtocolBugs{
+ BadFinished: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":DIGEST_CHECK_FAILED:",
+ },
+ {
+ name: "FalseStart-BadFinished",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ NextProtos: []string{"foo"},
+ Bugs: ProtocolBugs{
+ BadFinished: true,
+ ExpectFalseStart: true,
+ },
+ },
+ flags: []string{
+ "-false-start",
+ "-handshake-never-done",
+ "-advertise-alpn", "\x03foo",
+ },
+ shimWritesFirst: true,
+ shouldFail: true,
+ expectedError: ":DIGEST_CHECK_FAILED:",
+ },
+ {
+ name: "NoFalseStart-NoALPN",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ Bugs: ProtocolBugs{
+ ExpectFalseStart: true,
+ AlertBeforeFalseStartTest: alertAccessDenied,
+ },
+ },
+ flags: []string{
+ "-false-start",
+ },
+ shimWritesFirst: true,
+ shouldFail: true,
+ expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
+ expectedLocalError: "tls: peer did not false start: EOF",
+ },
+ {
+ name: "NoFalseStart-NoAEAD",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+ NextProtos: []string{"foo"},
+ Bugs: ProtocolBugs{
+ ExpectFalseStart: true,
+ AlertBeforeFalseStartTest: alertAccessDenied,
+ },
+ },
+ flags: []string{
+ "-false-start",
+ "-advertise-alpn", "\x03foo",
+ },
+ shimWritesFirst: true,
+ shouldFail: true,
+ expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
+ expectedLocalError: "tls: peer did not false start: EOF",
+ },
+ {
+ name: "NoFalseStart-RSA",
+ config: Config{
+ CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
+ NextProtos: []string{"foo"},
+ Bugs: ProtocolBugs{
+ ExpectFalseStart: true,
+ AlertBeforeFalseStartTest: alertAccessDenied,
+ },
+ },
+ flags: []string{
+ "-false-start",
+ "-advertise-alpn", "\x03foo",
+ },
+ shimWritesFirst: true,
+ shouldFail: true,
+ expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
+ expectedLocalError: "tls: peer did not false start: EOF",
+ },
+ {
+ name: "NoFalseStart-DHE_RSA",
+ config: Config{
+ CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
+ NextProtos: []string{"foo"},
+ Bugs: ProtocolBugs{
+ ExpectFalseStart: true,
+ AlertBeforeFalseStartTest: alertAccessDenied,
+ },
+ },
+ flags: []string{
+ "-false-start",
+ "-advertise-alpn", "\x03foo",
+ },
+ shimWritesFirst: true,
+ shouldFail: true,
+ expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
+ expectedLocalError: "tls: peer did not false start: EOF",
+ },
+ {
+ testType: serverTest,
+ name: "NoSupportedCurves",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ Bugs: ProtocolBugs{
+ NoSupportedCurves: true,
+ },
+ },
+ },
+ {
+ testType: serverTest,
+ name: "NoCommonCurves",
+ config: Config{
+ CipherSuites: []uint16{
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ },
+ CurvePreferences: []CurveID{CurveP224},
+ },
+ expectedCipher: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
},
}
@@ -665,7 +1099,8 @@
}
if test.protocol == dtls {
- conn = newPacketAdaptor(conn)
+ config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
+ conn = config.Bugs.PacketAdaptor
if test.replayWrites {
conn = newReplayAdaptor(conn)
}
@@ -713,6 +1148,10 @@
return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
}
+ if cipher := tlsConn.ConnectionState().CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
+ return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
+ }
+
if test.expectChannelID {
channelID := tlsConn.ConnectionState().ChannelID
if channelID == nil {
@@ -741,6 +1180,20 @@
return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
}
+ if test.exportKeyingMaterial > 0 {
+ actual := make([]byte, test.exportKeyingMaterial)
+ if _, err := io.ReadFull(tlsConn, actual); err != nil {
+ return err
+ }
+ expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
+ if err != nil {
+ return err
+ }
+ if !bytes.Equal(actual, expected) {
+ return fmt.Errorf("keying material mismatch")
+ }
+ }
+
if test.shimWritesFirst {
var buf [5]byte
_, err := io.ReadFull(tlsConn, buf[:])
@@ -778,21 +1231,14 @@
return err
}
- var testMessage []byte
- if config.Bugs.AppDataAfterChangeCipherSpec != nil {
- // We've already sent a message. Expect the shim to echo it
- // back.
- testMessage = config.Bugs.AppDataAfterChangeCipherSpec
- } else {
- if messageLen == 0 {
- messageLen = 32
- }
- testMessage = make([]byte, messageLen)
- for i := range testMessage {
- testMessage[i] = 0x42
- }
- tlsConn.Write(testMessage)
+ if messageLen == 0 {
+ messageLen = 32
}
+ testMessage := make([]byte, messageLen)
+ for i := range testMessage {
+ testMessage[i] = 0x42
+ }
+ tlsConn.Write(testMessage)
buf := make([]byte, len(testMessage))
if test.protocol == dtls {
@@ -840,27 +1286,6 @@
return exec.Command("xterm", xtermArgs...)
}
-func openSocketPair() (shimEnd *os.File, conn net.Conn) {
- socks, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
- if err != nil {
- panic(err)
- }
-
- syscall.CloseOnExec(socks[0])
- syscall.CloseOnExec(socks[1])
- shimEnd = os.NewFile(uintptr(socks[0]), "shim end")
- connFile := os.NewFile(uintptr(socks[1]), "our end")
- conn, err = net.FileConn(connFile)
- if err != nil {
- panic(err)
- }
- connFile.Close()
- if err != nil {
- panic(err)
- }
- return shimEnd, conn
-}
-
type moreMallocsError struct{}
func (moreMallocsError) Error() string {
@@ -869,16 +1294,45 @@
var errMoreMallocs = moreMallocsError{}
+// accept accepts a connection from listener, unless waitChan signals a process
+// exit first.
+func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
+ type connOrError struct {
+ conn net.Conn
+ err error
+ }
+ connChan := make(chan connOrError, 1)
+ go func() {
+ conn, err := listener.Accept()
+ connChan <- connOrError{conn, err}
+ close(connChan)
+ }()
+ select {
+ case result := <-connChan:
+ return result.conn, result.err
+ case childErr := <-waitChan:
+ waitChan <- childErr
+ return nil, fmt.Errorf("child exited early: %s", childErr)
+ }
+}
+
func runTest(test *testCase, buildDir string, mallocNumToFail int64) error {
if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
panic("Error expected without shouldFail in " + test.name)
}
- shimEnd, conn := openSocketPair()
- shimEndResume, connResume := openSocketPair()
+ listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
+ if err != nil {
+ panic(err)
+ }
+ defer func() {
+ if listener != nil {
+ listener.Close()
+ }
+ }()
shim_path := path.Join(buildDir, "ssl/test/bssl_shim")
- var flags []string
+ flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
if test.testType == serverTest {
flags = append(flags, "-server")
@@ -909,6 +1363,15 @@
flags = append(flags, "-shim-writes-first")
}
+ if test.exportKeyingMaterial > 0 {
+ flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
+ flags = append(flags, "-export-label", test.exportLabel)
+ flags = append(flags, "-export-context", test.exportContext)
+ if test.useExportContext {
+ flags = append(flags, "-use-export-context")
+ }
+ }
+
flags = append(flags, test.flags...)
var shim *exec.Cmd
@@ -919,13 +1382,13 @@
} else {
shim = exec.Command(shim_path, flags...)
}
- shim.ExtraFiles = []*os.File{shimEnd, shimEndResume}
shim.Stdin = os.Stdin
var stdoutBuf, stderrBuf bytes.Buffer
shim.Stdout = &stdoutBuf
shim.Stderr = &stderrBuf
if mallocNumToFail >= 0 {
- shim.Env = []string{"MALLOC_NUMBER_TO_FAIL=" + strconv.FormatInt(mallocNumToFail, 10)}
+ shim.Env = os.Environ()
+ shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
if *mallocTestDebug {
shim.Env = append(shim.Env, "MALLOC_ABORT_ON_FAIL=1")
}
@@ -935,8 +1398,8 @@
if err := shim.Start(); err != nil {
panic(err)
}
- shimEnd.Close()
- shimEndResume.Close()
+ waitChan := make(chan error, 1)
+ go func() { waitChan <- shim.Wait() }()
config := test.config
config.ClientSessionCache = NewLRUClientSessionCache(1)
@@ -945,16 +1408,27 @@
if len(config.Certificates) == 0 {
config.Certificates = []Certificate{getRSACertificate()}
}
+ } else {
+ // Supply a ServerName to ensure a constant session cache key,
+ // rather than falling back to net.Conn.RemoteAddr.
+ if len(config.ServerName) == 0 {
+ config.ServerName = "test"
+ }
}
- err := doExchange(test, &config, conn, test.messageLen,
- false /* not a resumption */)
- conn.Close()
+ conn, err := acceptOrWait(listener, waitChan)
+ if err == nil {
+ err = doExchange(test, &config, conn, test.messageLen, false /* not a resumption */)
+ conn.Close()
+ }
if err == nil && test.resumeSession {
var resumeConfig Config
if test.resumeConfig != nil {
resumeConfig = *test.resumeConfig
+ if len(resumeConfig.ServerName) == 0 {
+ resumeConfig.ServerName = config.ServerName
+ }
if len(resumeConfig.Certificates) == 0 {
resumeConfig.Certificates = []Certificate{getRSACertificate()}
}
@@ -966,12 +1440,20 @@
} else {
resumeConfig = config
}
- err = doExchange(test, &resumeConfig, connResume, test.messageLen,
- true /* resumption */)
+ var connResume net.Conn
+ connResume, err = acceptOrWait(listener, waitChan)
+ if err == nil {
+ err = doExchange(test, &resumeConfig, connResume, test.messageLen, true /* resumption */)
+ connResume.Close()
+ }
}
- connResume.Close()
- childErr := shim.Wait()
+ // Close the listener now. This is to avoid hangs should the shim try to
+ // open more connections than expected.
+ listener.Close()
+ listener = nil
+
+ childErr := <-waitChan
if exitError, ok := childErr.(*exec.ExitError); ok {
if exitError.Sys().(syscall.WaitStatus).ExitStatus() == 88 {
return errMoreMallocs
@@ -981,7 +1463,7 @@
stdout := string(stdoutBuf.Bytes())
stderr := string(stderrBuf.Bytes())
failed := err != nil || childErr != nil
- correctFailure := len(test.expectedError) == 0 || strings.Contains(stdout, test.expectedError)
+ correctFailure := len(test.expectedError) == 0 || strings.Contains(stderr, test.expectedError)
localError := "none"
if err != nil {
localError = err.Error()
@@ -1008,10 +1490,10 @@
panic("internal error")
}
- return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s", msg, localError, childError, string(stdoutBuf.Bytes()), stderr)
+ return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s", msg, localError, childError, stdout, stderr)
}
- if !*useValgrind && len(stderr) > 0 {
+ if !*useValgrind && !failed && len(stderr) > 0 {
println(stderr)
}
@@ -1047,12 +1529,14 @@
{"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
{"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
{"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
+ {"DHE-RSA-CHACHA20-POLY1305", TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
{"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
{"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
{"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
{"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
{"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
{"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
+ {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
{"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA},
{"ECDHE-PSK-AES128-GCM-SHA256", TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256},
{"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
@@ -1061,6 +1545,7 @@
{"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
{"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
{"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
+ {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
{"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA},
{"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
{"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
@@ -1076,7 +1561,8 @@
func isTLS12Only(suiteName string) bool {
return hasComponent(suiteName, "GCM") ||
hasComponent(suiteName, "SHA256") ||
- hasComponent(suiteName, "SHA384")
+ hasComponent(suiteName, "SHA384") ||
+ hasComponent(suiteName, "POLY1305")
}
func isDTLSCipher(suiteName string) bool {
@@ -1454,6 +1940,17 @@
})
testCases = append(testCases, testCase{
protocol: protocol,
+ name: "Basic-Client-Implicit" + suffix,
+ config: Config{
+ Bugs: ProtocolBugs{
+ MaxHandshakeRecordLength: maxHandshakeRecordLength,
+ },
+ },
+ flags: append(flags, "-implicit-handshake"),
+ resumeSession: true,
+ })
+ testCases = append(testCases, testCase{
+ protocol: protocol,
testType: serverTest,
name: "Basic-Server" + suffix,
config: Config{
@@ -1477,6 +1974,30 @@
flags: flags,
resumeSession: true,
})
+ testCases = append(testCases, testCase{
+ protocol: protocol,
+ testType: serverTest,
+ name: "Basic-Server-Implicit" + suffix,
+ config: Config{
+ Bugs: ProtocolBugs{
+ MaxHandshakeRecordLength: maxHandshakeRecordLength,
+ },
+ },
+ flags: append(flags, "-implicit-handshake"),
+ resumeSession: true,
+ })
+ testCases = append(testCases, testCase{
+ protocol: protocol,
+ testType: serverTest,
+ name: "Basic-Server-EarlyCallback" + suffix,
+ config: Config{
+ Bugs: ProtocolBugs{
+ MaxHandshakeRecordLength: maxHandshakeRecordLength,
+ },
+ },
+ flags: append(flags, "-use-early-callback"),
+ resumeSession: true,
+ })
// TLS client auth.
testCases = append(testCases, testCase{
@@ -1588,6 +2109,8 @@
expectedNextProtoType: npn,
})
+ // TODO(davidben): Add tests for when False Start doesn't trigger.
+
// Client does False Start and negotiates NPN.
testCases = append(testCases, testCase{
protocol: protocol,
@@ -1626,9 +2149,27 @@
resumeSession: true,
})
+ // Client does False Start but doesn't explicitly call
+ // SSL_connect.
+ testCases = append(testCases, testCase{
+ protocol: protocol,
+ name: "FalseStart-Implicit" + suffix,
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ NextProtos: []string{"foo"},
+ Bugs: ProtocolBugs{
+ MaxHandshakeRecordLength: maxHandshakeRecordLength,
+ },
+ },
+ flags: append(flags,
+ "-implicit-handshake",
+ "-false-start",
+ "-advertise-alpn", "\x03foo"),
+ })
+
// False Start without session tickets.
testCases = append(testCases, testCase{
- name: "FalseStart-SessionTicketsDisabled",
+ name: "FalseStart-SessionTicketsDisabled" + suffix,
config: Config{
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
NextProtos: []string{"foo"},
@@ -1710,17 +2251,36 @@
},
flags: flags,
})
+ }
+}
+
+func addDDoSCallbackTests() {
+ // DDoS callback.
+
+ for _, resume := range []bool{false, true} {
+ suffix := "Resume"
+ if resume {
+ suffix = "No" + suffix
+ }
testCases = append(testCases, testCase{
- testType: serverTest,
- protocol: protocol,
- name: "CookieExchange" + suffix,
- config: Config{
- Bugs: ProtocolBugs{
- MaxHandshakeRecordLength: maxHandshakeRecordLength,
- },
- },
- flags: append(flags, "-cookie-exchange"),
+ testType: serverTest,
+ name: "Server-DDoS-OK-" + suffix,
+ flags: []string{"-install-ddos-callback"},
+ resumeSession: resume,
+ })
+
+ failFlag := "-fail-ddos-callback"
+ if resume {
+ failFlag = "-fail-second-ddos-callback"
+ }
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "Server-DDoS-Reject-" + suffix,
+ flags: []string{"-install-ddos-callback", failFlag},
+ resumeSession: resume,
+ shouldFail: true,
+ expectedError: ":CONNECTION_REJECTED:",
})
}
}
@@ -1976,7 +2536,7 @@
})
testCases = append(testCases, testCase{
testType: clientTest,
- name: "ServerNameExtensionClient",
+ name: "ServerNameExtensionClientMismatch",
config: Config{
Bugs: ProtocolBugs{
ExpectServerName: "mismatch.com",
@@ -1988,7 +2548,7 @@
})
testCases = append(testCases, testCase{
testType: clientTest,
- name: "ServerNameExtensionClient",
+ name: "ServerNameExtensionClientMissing",
config: Config{
Bugs: ProtocolBugs{
ExpectServerName: "missing.com",
@@ -2201,27 +2761,40 @@
suffix += "-DTLS"
}
- testCases = append(testCases, testCase{
- protocol: protocol,
- name: "Resume-Client" + suffix,
- resumeSession: true,
- config: Config{
- MaxVersion: sessionVers.version,
- CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
- Bugs: ProtocolBugs{
- AllowSessionVersionMismatch: true,
+ if sessionVers.version == resumeVers.version {
+ testCases = append(testCases, testCase{
+ protocol: protocol,
+ name: "Resume-Client" + suffix,
+ resumeSession: true,
+ config: Config{
+ MaxVersion: sessionVers.version,
+ CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
},
- },
- expectedVersion: sessionVers.version,
- resumeConfig: &Config{
- MaxVersion: resumeVers.version,
- CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
- Bugs: ProtocolBugs{
- AllowSessionVersionMismatch: true,
+ expectedVersion: sessionVers.version,
+ expectedResumeVersion: resumeVers.version,
+ })
+ } else {
+ testCases = append(testCases, testCase{
+ protocol: protocol,
+ name: "Resume-Client-Mismatch" + suffix,
+ resumeSession: true,
+ config: Config{
+ MaxVersion: sessionVers.version,
+ CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
},
- },
- expectedResumeVersion: resumeVers.version,
- })
+ expectedVersion: sessionVers.version,
+ resumeConfig: &Config{
+ MaxVersion: resumeVers.version,
+ CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
+ Bugs: ProtocolBugs{
+ AllowSessionVersionMismatch: true,
+ },
+ },
+ expectedResumeVersion: resumeVers.version,
+ shouldFail: true,
+ expectedError: ":OLD_SESSION_VERSION_NOT_RETURNED:",
+ })
+ }
testCases = append(testCases, testCase{
protocol: protocol,
@@ -2265,6 +2838,22 @@
}
}
}
+
+ testCases = append(testCases, testCase{
+ name: "Resume-Client-CipherMismatch",
+ resumeSession: true,
+ config: Config{
+ CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
+ },
+ resumeConfig: &Config{
+ CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
+ Bugs: ProtocolBugs{
+ SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
+ })
}
func addRenegotiationTests() {
@@ -2276,6 +2865,17 @@
})
testCases = append(testCases, testCase{
testType: serverTest,
+ name: "Renegotiate-Server-Full",
+ config: Config{
+ Bugs: ProtocolBugs{
+ NeverResumeOnRenego: true,
+ },
+ },
+ flags: []string{"-renegotiate"},
+ shimWritesFirst: true,
+ })
+ testCases = append(testCases, testCase{
+ testType: serverTest,
name: "Renegotiate-Server-EmptyExt",
config: Config{
Bugs: ProtocolBugs{
@@ -2328,12 +2928,43 @@
},
flags: []string{"-allow-unsafe-legacy-renegotiation"},
})
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "Renegotiate-Server-ClientInitiated-Forbidden",
+ renegotiate: true,
+ flags: []string{"-reject-peer-renegotiations"},
+ shouldFail: true,
+ expectedError: ":NO_RENEGOTIATION:",
+ expectedLocalError: "remote error: no renegotiation",
+ })
+ // Regression test for CVE-2015-0291.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "Renegotiate-Server-NoSignatureAlgorithms",
+ config: Config{
+ Bugs: ProtocolBugs{
+ NeverResumeOnRenego: true,
+ NoSignatureAlgorithmsOnRenego: true,
+ },
+ },
+ flags: []string{"-renegotiate"},
+ shimWritesFirst: true,
+ })
// TODO(agl): test the renegotiation info SCSV.
testCases = append(testCases, testCase{
name: "Renegotiate-Client",
renegotiate: true,
})
testCases = append(testCases, testCase{
+ name: "Renegotiate-Client-Full",
+ config: Config{
+ Bugs: ProtocolBugs{
+ NeverResumeOnRenego: true,
+ },
+ },
+ renegotiate: true,
+ })
+ testCases = append(testCases, testCase{
name: "Renegotiate-Client-EmptyExt",
renegotiate: true,
config: Config{
@@ -2372,6 +3003,14 @@
renegotiateCiphers: []uint16{TLS_RSA_WITH_RC4_128_SHA},
})
testCases = append(testCases, testCase{
+ name: "Renegotiate-Client-Forbidden",
+ renegotiate: true,
+ flags: []string{"-reject-peer-renegotiations"},
+ shouldFail: true,
+ expectedError: ":NO_RENEGOTIATION:",
+ expectedLocalError: "remote error: no renegotiation",
+ })
+ testCases = append(testCases, testCase{
name: "Renegotiate-SameClientVersion",
renegotiate: true,
config: Config{
@@ -2418,7 +3057,7 @@
})
testCases = append(testCases, testCase{
protocol: dtls,
- name: "FastRadio-Padding",
+ name: "FastRadio-Padding-DTLS",
config: Config{
Bugs: ProtocolBugs{
RequireFastradioPadding: true,
@@ -2534,6 +3173,196 @@
},
},
})
+
+ // Test that hash preferences are enforced. BoringSSL defaults to
+ // rejecting MD5 signatures.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "SigningHash-ClientAuth-Enforced",
+ config: Config{
+ Certificates: []Certificate{rsaCertificate},
+ SignatureAndHashes: []signatureAndHash{
+ {signatureRSA, hashMD5},
+ // Advertise SHA-1 so the handshake will
+ // proceed, but the shim's preferences will be
+ // ignored in CertificateVerify generation, so
+ // MD5 will be chosen.
+ {signatureRSA, hashSHA1},
+ },
+ Bugs: ProtocolBugs{
+ IgnorePeerSignatureAlgorithmPreferences: true,
+ },
+ },
+ flags: []string{"-require-any-client-certificate"},
+ shouldFail: true,
+ expectedError: ":WRONG_SIGNATURE_TYPE:",
+ })
+
+ testCases = append(testCases, testCase{
+ name: "SigningHash-ServerKeyExchange-Enforced",
+ config: Config{
+ CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+ SignatureAndHashes: []signatureAndHash{
+ {signatureRSA, hashMD5},
+ },
+ Bugs: ProtocolBugs{
+ IgnorePeerSignatureAlgorithmPreferences: true,
+ },
+ },
+ shouldFail: true,
+ expectedError: ":WRONG_SIGNATURE_TYPE:",
+ })
+}
+
+// timeouts is the retransmit schedule for BoringSSL. It doubles and
+// caps at 60 seconds. On the 13th timeout, it gives up.
+var timeouts = []time.Duration{
+ 1 * time.Second,
+ 2 * time.Second,
+ 4 * time.Second,
+ 8 * time.Second,
+ 16 * time.Second,
+ 32 * time.Second,
+ 60 * time.Second,
+ 60 * time.Second,
+ 60 * time.Second,
+ 60 * time.Second,
+ 60 * time.Second,
+ 60 * time.Second,
+ 60 * time.Second,
+}
+
+func addDTLSRetransmitTests() {
+ // Test that this is indeed the timeout schedule. Stress all
+ // four patterns of handshake.
+ for i := 1; i < len(timeouts); i++ {
+ number := strconv.Itoa(i)
+ testCases = append(testCases, testCase{
+ protocol: dtls,
+ name: "DTLS-Retransmit-Client-" + number,
+ config: Config{
+ Bugs: ProtocolBugs{
+ TimeoutSchedule: timeouts[:i],
+ },
+ },
+ resumeSession: true,
+ flags: []string{"-async"},
+ })
+ testCases = append(testCases, testCase{
+ protocol: dtls,
+ testType: serverTest,
+ name: "DTLS-Retransmit-Server-" + number,
+ config: Config{
+ Bugs: ProtocolBugs{
+ TimeoutSchedule: timeouts[:i],
+ },
+ },
+ resumeSession: true,
+ flags: []string{"-async"},
+ })
+ }
+
+ // Test that exceeding the timeout schedule hits a read
+ // timeout.
+ testCases = append(testCases, testCase{
+ protocol: dtls,
+ name: "DTLS-Retransmit-Timeout",
+ config: Config{
+ Bugs: ProtocolBugs{
+ TimeoutSchedule: timeouts,
+ },
+ },
+ resumeSession: true,
+ flags: []string{"-async"},
+ shouldFail: true,
+ expectedError: ":READ_TIMEOUT_EXPIRED:",
+ })
+
+ // Test that timeout handling has a fudge factor, due to API
+ // problems.
+ testCases = append(testCases, testCase{
+ protocol: dtls,
+ name: "DTLS-Retransmit-Fudge",
+ config: Config{
+ Bugs: ProtocolBugs{
+ TimeoutSchedule: []time.Duration{
+ timeouts[0] - 10*time.Millisecond,
+ },
+ },
+ },
+ resumeSession: true,
+ flags: []string{"-async"},
+ })
+
+ // Test that the final Finished retransmitting isn't
+ // duplicated if the peer badly fragments everything.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ protocol: dtls,
+ name: "DTLS-Retransmit-Fragmented",
+ config: Config{
+ Bugs: ProtocolBugs{
+ TimeoutSchedule: []time.Duration{timeouts[0]},
+ MaxHandshakeRecordLength: 2,
+ },
+ },
+ flags: []string{"-async"},
+ })
+}
+
+func addExportKeyingMaterialTests() {
+ for _, vers := range tlsVersions {
+ if vers.version == VersionSSL30 {
+ continue
+ }
+ testCases = append(testCases, testCase{
+ name: "ExportKeyingMaterial-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ exportKeyingMaterial: 1024,
+ exportLabel: "label",
+ exportContext: "context",
+ useExportContext: true,
+ })
+ testCases = append(testCases, testCase{
+ name: "ExportKeyingMaterial-NoContext-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ exportKeyingMaterial: 1024,
+ })
+ testCases = append(testCases, testCase{
+ name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ exportKeyingMaterial: 1024,
+ useExportContext: true,
+ })
+ testCases = append(testCases, testCase{
+ name: "ExportKeyingMaterial-Small-" + vers.name,
+ config: Config{
+ MaxVersion: vers.version,
+ },
+ exportKeyingMaterial: 1,
+ exportLabel: "label",
+ exportContext: "context",
+ useExportContext: true,
+ })
+ }
+ testCases = append(testCases, testCase{
+ name: "ExportKeyingMaterial-SSL3",
+ config: Config{
+ MaxVersion: VersionSSL30,
+ },
+ exportKeyingMaterial: 1024,
+ exportLabel: "label",
+ exportContext: "context",
+ useExportContext: true,
+ shouldFail: true,
+ expectedError: "failed to export keying material",
+ })
}
func worker(statusChan chan statusMsg, c chan *testCase, buildDir string, wg *sync.WaitGroup) {
@@ -2566,27 +3395,47 @@
err error
}
-func statusPrinter(doneChan chan struct{}, statusChan chan statusMsg, total int) {
+func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
var started, done, failed, lineLen int
- defer close(doneChan)
+ testOutput := newTestOutput()
for msg := range statusChan {
+ if !*pipe {
+ // Erase the previous status line.
+ var erase string
+ for i := 0; i < lineLen; i++ {
+ erase += "\b \b"
+ }
+ fmt.Print(erase)
+ }
+
if msg.started {
started++
} else {
done++
+
+ if msg.err != nil {
+ fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
+ failed++
+ testOutput.addResult(msg.test.name, "FAIL")
+ } else {
+ if *pipe {
+ // Print each test instead of a status line.
+ fmt.Printf("PASSED (%s)\n", msg.test.name)
+ }
+ testOutput.addResult(msg.test.name, "PASS")
+ }
}
- fmt.Printf("\x1b[%dD\x1b[K", lineLen)
-
- if msg.err != nil {
- fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
- failed++
+ if !*pipe {
+ // Print a new status line.
+ line := fmt.Sprintf("%d/%d/%d/%d", failed, done, started, total)
+ lineLen = len(line)
+ os.Stdout.WriteString(line)
}
- line := fmt.Sprintf("%d/%d/%d/%d", failed, done, started, total)
- lineLen = len(line)
- os.Stdout.WriteString(line)
}
+
+ doneChan <- testOutput
}
func main() {
@@ -2601,6 +3450,7 @@
addCBCPaddingTests()
addCBCSplittingTests()
addClientAuthTests()
+ addDDoSCallbackTests()
addVersionNegotiationTests()
addMinimumVersionTests()
addD5BugTests()
@@ -2611,6 +3461,8 @@
addDTLSReplayTests()
addSigningHashTests()
addFastRadioPaddingTests()
+ addDTLSRetransmitTests()
+ addExportKeyingMaterialTests()
for _, async := range []bool{false, true} {
for _, splitHandshake := range []bool{false, true} {
for _, protocol := range []protocol{tls, dtls} {
@@ -2625,7 +3477,7 @@
statusChan := make(chan statusMsg, numWorkers)
testChan := make(chan *testCase, numWorkers)
- doneChan := make(chan struct{})
+ doneChan := make(chan *testOutput)
go statusPrinter(doneChan, statusChan, len(testCases))
@@ -2643,7 +3495,17 @@
close(testChan)
wg.Wait()
close(statusChan)
- <-doneChan
+ testOutput := <-doneChan
fmt.Printf("\n")
+
+ if *jsonOutput != "" {
+ if err := testOutput.writeTo(*jsonOutput); err != nil {
+ fmt.Fprintf(os.Stderr, "Error: %s\n", err)
+ }
+ }
+
+ if !testOutput.allPassed {
+ os.Exit(1)
+ }
}
diff --git a/src/ssl/test/runner/test_output.go b/src/ssl/test/runner/test_output.go
new file mode 100644
index 0000000..bcb7a93
--- /dev/null
+++ b/src/ssl/test/runner/test_output.go
@@ -0,0 +1,79 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+package main
+
+import (
+ "encoding/json"
+ "os"
+ "time"
+)
+
+// testOutput is a representation of Chromium's JSON test result format. See
+// https://www.chromium.org/developers/the-json-test-results-format
+type testOutput struct {
+ Version int `json:"version"`
+ Interrupted bool `json:"interrupted"`
+ PathDelimiter string `json:"path_delimiter"`
+ SecondsSinceEpoch float64 `json:"seconds_since_epoch"`
+ NumFailuresByType map[string]int `json:"num_failures_by_type"`
+ Tests map[string]testResult `json:"tests"`
+ allPassed bool
+}
+
+type testResult struct {
+ Actual string `json:"actual"`
+ Expected string `json:"expected"`
+ IsUnexpected bool `json:"is_unexpected"`
+}
+
+func newTestOutput() *testOutput {
+ return &testOutput{
+ Version: 3,
+ PathDelimiter: ".",
+ SecondsSinceEpoch: float64(time.Now().UnixNano()) / float64(time.Second/time.Nanosecond),
+ NumFailuresByType: make(map[string]int),
+ Tests: make(map[string]testResult),
+ allPassed: true,
+ }
+}
+
+func (t *testOutput) addResult(name, result string) {
+ if _, found := t.Tests[name]; found {
+ panic(name)
+ }
+ t.Tests[name] = testResult{
+ Actual: result,
+ Expected: "PASS",
+ IsUnexpected: result != "PASS",
+ }
+ t.NumFailuresByType[result]++
+ if result != "PASS" {
+ t.allPassed = false
+ }
+}
+
+func (t *testOutput) writeTo(name string) error {
+ file, err := os.Create(name)
+ if err != nil {
+ return err
+ }
+ defer file.Close()
+ out, err := json.MarshalIndent(t, "", " ")
+ if err != nil {
+ return err
+ }
+ _, err = file.Write(out)
+ return err
+}
diff --git a/src/crypto/crypto_error.h b/src/ssl/test/scoped_types.h
similarity index 61%
rename from src/crypto/crypto_error.h
rename to src/ssl/test/scoped_types.h
index c0cb2bd..7e92cee 100644
--- a/src/crypto/crypto_error.h
+++ b/src/ssl/test/scoped_types.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014, Google Inc.
+/* Copyright (c) 2015, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,17 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-#define CRYPTO_F_CRYPTO_set_ex_data 100
-#define CRYPTO_F_get_class 101
-#define CRYPTO_F_get_new_index 102
-#define CRYPTO_F_get_func_pointers 103
+#ifndef OPENSSL_HEADER_SSL_TEST_SCOPED_TYPES_H
+#define OPENSSL_HEADER_SSL_TEST_SCOPED_TYPES_H
+
+#include <openssl/ssl.h>
+
+#include "../../crypto/test/scoped_types.h"
+
+
+using ScopedSSL = ScopedOpenSSLType<SSL, SSL_free>;
+using ScopedSSL_CTX = ScopedOpenSSLType<SSL_CTX, SSL_CTX_free>;
+using ScopedSSL_SESSION = ScopedOpenSSLType<SSL_SESSION, SSL_SESSION_free>;
+
+
+#endif // OPENSSL_HEADER_SSL_TEST_SCOPED_TYPES_H
diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc
index c032d96..25906f7 100644
--- a/src/ssl/test/test_config.cc
+++ b/src/ssl/test/test_config.cc
@@ -60,7 +60,6 @@
{ "-no-tls11", &TestConfig::no_tls11 },
{ "-no-tls1", &TestConfig::no_tls1 },
{ "-no-ssl3", &TestConfig::no_ssl3 },
- { "-cookie-exchange", &TestConfig::cookie_exchange },
{ "-shim-writes-first", &TestConfig::shim_writes_first },
{ "-tls-d5-bug", &TestConfig::tls_d5_bug },
{ "-expect-session-miss", &TestConfig::expect_session_miss },
@@ -73,6 +72,15 @@
{ "-enable-signed-cert-timestamps",
&TestConfig::enable_signed_cert_timestamps },
{ "-fastradio-padding", &TestConfig::fastradio_padding },
+ { "-implicit-handshake", &TestConfig::implicit_handshake },
+ { "-use-early-callback", &TestConfig::use_early_callback },
+ { "-fail-early-callback", &TestConfig::fail_early_callback },
+ { "-install-ddos-callback", &TestConfig::install_ddos_callback },
+ { "-fail-ddos-callback", &TestConfig::fail_ddos_callback },
+ { "-fail-second-ddos-callback", &TestConfig::fail_second_ddos_callback },
+ { "-handshake-never-done", &TestConfig::handshake_never_done },
+ { "-use-export-context", &TestConfig::use_export_context },
+ { "-reject-peer-renegotiations", &TestConfig::reject_peer_renegotiations },
};
const Flag<std::string> kStringFlags[] = {
@@ -91,6 +99,9 @@
{ "-psk", &TestConfig::psk },
{ "-psk-identity", &TestConfig::psk_identity },
{ "-srtp-profiles", &TestConfig::srtp_profiles },
+ { "-cipher", &TestConfig::cipher },
+ { "-export-label", &TestConfig::export_label },
+ { "-export-context", &TestConfig::export_context },
};
const Flag<std::string> kBase64Flags[] = {
@@ -102,43 +113,15 @@
};
const Flag<int> kIntFlags[] = {
+ { "-port", &TestConfig::port },
{ "-min-version", &TestConfig::min_version },
{ "-max-version", &TestConfig::max_version },
{ "-mtu", &TestConfig::mtu },
+ { "-export-keying-material", &TestConfig::export_keying_material },
};
} // namespace
-TestConfig::TestConfig()
- : is_server(false),
- is_dtls(false),
- resume(false),
- fallback_scsv(false),
- require_any_client_certificate(false),
- false_start(false),
- async(false),
- write_different_record_sizes(false),
- cbc_record_splitting(false),
- partial_write(false),
- no_tls12(false),
- no_tls11(false),
- no_tls1(false),
- no_ssl3(false),
- cookie_exchange(false),
- shim_writes_first(false),
- tls_d5_bug(false),
- expect_session_miss(false),
- expect_extended_master_secret(false),
- renegotiate(false),
- allow_unsafe_legacy_renegotiation(false),
- enable_ocsp_stapling(false),
- enable_signed_cert_timestamps(false),
- fastradio_padding(false),
- min_version(0),
- max_version(0),
- mtu(0) {
-}
-
bool ParseConfig(int argc, char **argv, TestConfig *out_config) {
for (int i = 0; i < argc; i++) {
bool *bool_field = FindField(out_config, kBoolFlags, argv[i]);
diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h
index ba54227..f107a0f 100644
--- a/src/ssl/test/test_config.h
+++ b/src/ssl/test/test_config.h
@@ -19,54 +19,65 @@
struct TestConfig {
- TestConfig();
-
- bool is_server;
- bool is_dtls;
- bool resume;
- bool fallback_scsv;
+ int port = 0;
+ bool is_server = false;
+ bool is_dtls = false;
+ bool resume = false;
+ bool fallback_scsv = false;
std::string key_file;
std::string cert_file;
std::string expected_server_name;
std::string expected_certificate_types;
- bool require_any_client_certificate;
+ bool require_any_client_certificate = false;
std::string advertise_npn;
std::string expected_next_proto;
- bool false_start;
+ bool false_start = false;
std::string select_next_proto;
- bool async;
- bool write_different_record_sizes;
- bool cbc_record_splitting;
- bool partial_write;
- bool no_tls12;
- bool no_tls11;
- bool no_tls1;
- bool no_ssl3;
- bool cookie_exchange;
+ bool async = false;
+ bool write_different_record_sizes = false;
+ bool cbc_record_splitting = false;
+ bool partial_write = false;
+ bool no_tls12 = false;
+ bool no_tls11 = false;
+ bool no_tls1 = false;
+ bool no_ssl3 = false;
std::string expected_channel_id;
std::string send_channel_id;
- bool shim_writes_first;
- bool tls_d5_bug;
+ bool shim_writes_first = false;
+ bool tls_d5_bug = false;
std::string host_name;
std::string advertise_alpn;
std::string expected_alpn;
std::string expected_advertised_alpn;
std::string select_alpn;
- bool expect_session_miss;
- bool expect_extended_master_secret;
+ bool expect_session_miss = false;
+ bool expect_extended_master_secret = false;
std::string psk;
std::string psk_identity;
- bool renegotiate;
- bool allow_unsafe_legacy_renegotiation;
+ bool renegotiate = false;
+ bool allow_unsafe_legacy_renegotiation = false;
std::string srtp_profiles;
- bool enable_ocsp_stapling;
+ bool enable_ocsp_stapling = false;
std::string expected_ocsp_response;
- bool enable_signed_cert_timestamps;
+ bool enable_signed_cert_timestamps = false;
std::string expected_signed_cert_timestamps;
- bool fastradio_padding;
- int min_version;
- int max_version;
- int mtu;
+ bool fastradio_padding = false;
+ int min_version = 0;
+ int max_version = 0;
+ int mtu = 0;
+ bool implicit_handshake = false;
+ bool use_early_callback = false;
+ bool fail_early_callback = false;
+ bool install_ddos_callback = false;
+ bool fail_ddos_callback = false;
+ bool fail_second_ddos_callback = false;
+ std::string cipher;
+ bool handshake_never_done = false;
+ int export_keying_material = 0;
+ std::string export_label;
+ std::string export_context;
+ bool use_export_context = false;
+ bool reject_peer_renegotiations = false;
};
bool ParseConfig(int argc, char **argv, TestConfig *out_config);
diff --git a/src/tool/CMakeLists.txt b/src/tool/CMakeLists.txt
index d542f26..4bb6ca2 100644
--- a/src/tool/CMakeLists.txt
+++ b/src/tool/CMakeLists.txt
@@ -8,14 +8,11 @@
const.cc
digest.cc
pkcs12.cc
+ rand.cc
server.cc
speed.cc
tool.cc
transport_common.cc
)
-if (APPLE OR WIN32)
- target_link_libraries(bssl ssl crypto)
-else()
- target_link_libraries(bssl ssl crypto -lrt)
-endif()
+target_link_libraries(bssl ssl crypto)
diff --git a/src/tool/args.cc b/src/tool/args.cc
index 52856d4..a164476 100644
--- a/src/tool/args.cc
+++ b/src/tool/args.cc
@@ -41,22 +41,26 @@
return false;
}
- if (i + 1 >= args.size()) {
- fprintf(stderr, "Missing argument for option: %s\n", arg.c_str());
- return false;
- }
-
if (out_args->find(arg) != out_args->end()) {
- fprintf(stderr, "Duplicate value given for: %s\n", arg.c_str());
+ fprintf(stderr, "Duplicate argument: %s\n", arg.c_str());
return false;
}
- (*out_args)[arg] = args[++i];
+ if (templ->type == kBooleanArgument) {
+ (*out_args)[arg] = "";
+ } else {
+ if (i + 1 >= args.size()) {
+ fprintf(stderr, "Missing argument for option: %s\n", arg.c_str());
+ return false;
+ }
+ (*out_args)[arg] = args[++i];
+ }
}
for (size_t j = 0; templates[j].name[0] != 0; j++) {
const struct argument *templ = &templates[j];
- if (templ->required && out_args->find(templ->name) == out_args->end()) {
+ if (templ->type == kRequiredArgument &&
+ out_args->find(templ->name) == out_args->end()) {
fprintf(stderr, "Missing value for required argument: %s\n", templ->name);
return false;
}
diff --git a/src/tool/client.cc b/src/tool/client.cc
index 59c5fe3..1de0df2 100644
--- a/src/tool/client.cc
+++ b/src/tool/client.cc
@@ -14,34 +14,101 @@
#include <openssl/base.h>
-#include <string>
-#include <vector>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <sys/types.h>
-
#include <openssl/err.h>
+#include <openssl/pem.h>
#include <openssl/ssl.h>
+#include "../crypto/test/scoped_types.h"
+#include "../ssl/test/scoped_types.h"
#include "internal.h"
#include "transport_common.h"
static const struct argument kArguments[] = {
{
- "-connect", true,
+ "-connect", kRequiredArgument,
"The hostname and port of the server to connect to, e.g. foo.com:443",
},
{
- "-cipher", false,
+ "-cipher", kOptionalArgument,
"An OpenSSL-style cipher suite string that configures the offered ciphers",
},
{
- "", false, "",
+ "-max-version", kOptionalArgument,
+ "The maximum acceptable protocol version",
+ },
+ {
+ "-min-version", kOptionalArgument,
+ "The minimum acceptable protocol version",
+ },
+ {
+ "-server-name", kOptionalArgument,
+ "The server name to advertise",
+ },
+ {
+ "-select-next-proto", kOptionalArgument,
+ "An NPN protocol to select if the server supports NPN",
+ },
+ {
+ "-alpn-protos", kOptionalArgument,
+ "A comma-separated list of ALPN protocols to advertise",
+ },
+ {
+ "-fallback-scsv", kBooleanArgument,
+ "Enable FALLBACK_SCSV",
+ },
+ {
+ "-ocsp-stapling", kBooleanArgument,
+ "Advertise support for OCSP stabling",
+ },
+ {
+ "-signed-certificate-timestamps", kBooleanArgument,
+ "Advertise support for signed certificate timestamps",
+ },
+ {
+ "-channel-id-key", kOptionalArgument,
+ "The key to use for signing a channel ID",
+ },
+ {
+ "", kOptionalArgument, "",
},
};
+static ScopedEVP_PKEY LoadPrivateKey(const std::string &file) {
+ ScopedBIO bio(BIO_new(BIO_s_file()));
+ if (!bio || !BIO_read_filename(bio.get(), file.c_str())) {
+ return nullptr;
+ }
+ ScopedEVP_PKEY pkey(PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr,
+ nullptr));
+ return pkey;
+}
+
+static bool VersionFromString(uint16_t *out_version,
+ const std::string& version) {
+ if (version == "ssl3") {
+ *out_version = SSL3_VERSION;
+ return true;
+ } else if (version == "tls1" || version == "tls1.0") {
+ *out_version = TLS1_VERSION;
+ return true;
+ } else if (version == "tls1.1") {
+ *out_version = TLS1_1_VERSION;
+ return true;
+ } else if (version == "tls1.2") {
+ *out_version = TLS1_2_VERSION;
+ return true;
+ }
+ return false;
+}
+
+static int NextProtoSelectCallback(SSL* ssl, uint8_t** out, uint8_t* outlen,
+ const uint8_t* in, unsigned inlen, void* arg) {
+ *out = reinterpret_cast<uint8_t *>(arg);
+ *outlen = strlen(reinterpret_cast<const char *>(arg));
+ return SSL_TLSEXT_ERR_OK;
+}
+
bool Client(const std::vector<std::string> &args) {
if (!InitSocketLibrary()) {
return false;
@@ -54,7 +121,7 @@
return false;
}
- SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
+ ScopedSSL_CTX ctx(SSL_CTX_new(SSLv23_client_method()));
const char *keylog_file = getenv("SSLKEYLOGFILE");
if (keylog_file) {
@@ -63,38 +130,117 @@
ERR_print_errors_cb(PrintErrorCallback, stderr);
return false;
}
- SSL_CTX_set_keylog_bio(ctx, keylog_bio);
+ SSL_CTX_set_keylog_bio(ctx.get(), keylog_bio);
}
if (args_map.count("-cipher") != 0 &&
- !SSL_CTX_set_cipher_list(ctx, args_map["-cipher"].c_str())) {
+ !SSL_CTX_set_cipher_list(ctx.get(), args_map["-cipher"].c_str())) {
fprintf(stderr, "Failed setting cipher list\n");
return false;
}
+ if (args_map.count("-max-version") != 0) {
+ uint16_t version;
+ if (!VersionFromString(&version, args_map["-max-version"])) {
+ fprintf(stderr, "Unknown protocol version: '%s'\n",
+ args_map["-max-version"].c_str());
+ return false;
+ }
+ SSL_CTX_set_max_version(ctx.get(), version);
+ }
+
+ if (args_map.count("-min-version") != 0) {
+ uint16_t version;
+ if (!VersionFromString(&version, args_map["-min-version"])) {
+ fprintf(stderr, "Unknown protocol version: '%s'\n",
+ args_map["-min-version"].c_str());
+ return false;
+ }
+ SSL_CTX_set_min_version(ctx.get(), version);
+ }
+
+ if (args_map.count("-select-next-proto") != 0) {
+ const std::string &proto = args_map["-select-next-proto"];
+ if (proto.size() > 255) {
+ fprintf(stderr, "Bad NPN protocol: '%s'\n", proto.c_str());
+ return false;
+ }
+ // |SSL_CTX_set_next_proto_select_cb| is not const-correct.
+ SSL_CTX_set_next_proto_select_cb(ctx.get(), NextProtoSelectCallback,
+ const_cast<char *>(proto.c_str()));
+ }
+
+ if (args_map.count("-alpn-protos") != 0) {
+ const std::string &alpn_protos = args_map["-alpn-protos"];
+ std::vector<uint8_t> wire;
+ size_t i = 0;
+ while (i <= alpn_protos.size()) {
+ size_t j = alpn_protos.find(',', i);
+ if (j == std::string::npos) {
+ j = alpn_protos.size();
+ }
+ size_t len = j - i;
+ if (len > 255) {
+ fprintf(stderr, "Invalid ALPN protocols: '%s'\n", alpn_protos.c_str());
+ return false;
+ }
+ wire.push_back(static_cast<uint8_t>(len));
+ wire.resize(wire.size() + len);
+ memcpy(wire.data() + wire.size() - len, alpn_protos.data() + i, len);
+ i = j + 1;
+ }
+ if (SSL_CTX_set_alpn_protos(ctx.get(), wire.data(), wire.size()) != 0) {
+ return false;
+ }
+ }
+
+ if (args_map.count("-fallback-scsv") != 0) {
+ SSL_CTX_set_mode(ctx.get(), SSL_MODE_SEND_FALLBACK_SCSV);
+ }
+
+ if (args_map.count("-ocsp-stapling") != 0) {
+ SSL_CTX_enable_ocsp_stapling(ctx.get());
+ }
+
+ if (args_map.count("-signed-certificate-timestamps") != 0) {
+ SSL_CTX_enable_signed_cert_timestamps(ctx.get());
+ }
+
+ if (args_map.count("-channel-id-key") != 0) {
+ ScopedEVP_PKEY pkey = LoadPrivateKey(args_map["-channel-id-key"]);
+ if (!pkey || !SSL_CTX_set1_tls_channel_id(ctx.get(), pkey.get())) {
+ return false;
+ }
+ ctx->tlsext_channel_id_enabled_new = 1;
+ }
+
int sock = -1;
if (!Connect(&sock, args_map["-connect"])) {
return false;
}
- BIO *bio = BIO_new_socket(sock, BIO_CLOSE);
- SSL *ssl = SSL_new(ctx);
- SSL_set_bio(ssl, bio, bio);
+ ScopedBIO bio(BIO_new_socket(sock, BIO_CLOSE));
+ ScopedSSL ssl(SSL_new(ctx.get()));
- int ret = SSL_connect(ssl);
+ if (args_map.count("-server-name") != 0) {
+ SSL_set_tlsext_host_name(ssl.get(), args_map["-server-name"].c_str());
+ }
+
+ SSL_set_bio(ssl.get(), bio.get(), bio.get());
+ bio.release();
+
+ int ret = SSL_connect(ssl.get());
if (ret != 1) {
- int ssl_err = SSL_get_error(ssl, ret);
+ int ssl_err = SSL_get_error(ssl.get(), ret);
fprintf(stderr, "Error while connecting: %d\n", ssl_err);
ERR_print_errors_cb(PrintErrorCallback, stderr);
return false;
}
fprintf(stderr, "Connected.\n");
- PrintConnectionInfo(ssl);
+ PrintConnectionInfo(ssl.get());
- bool ok = TransferData(ssl, sock);
+ bool ok = TransferData(ssl.get(), sock);
- SSL_free(ssl);
- SSL_CTX_free(ctx);
return ok;
}
diff --git a/src/tool/const.cc b/src/tool/const.cc
index 219fd3c..5222667 100644
--- a/src/tool/const.cc
+++ b/src/tool/const.cc
@@ -12,8 +12,8 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+#include <stddef.h>
#include <stdint.h>
-#include <stdlib.h>
extern "C" {
diff --git a/src/tool/digest.cc b/src/tool/digest.cc
index f95f412..7cd8827 100644
--- a/src/tool/digest.cc
+++ b/src/tool/digest.cc
@@ -21,18 +21,16 @@
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
-#include <stdio.h>
-#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#if !defined(OPENSSL_WINDOWS)
+#include <string.h>
#include <unistd.h>
#if !defined(O_BINARY)
#define O_BINARY 0
#endif
#else
-#define NOMINMAX
#pragma warning(push, 3)
#include <windows.h>
#pragma warning(pop)
@@ -89,29 +87,25 @@
strerror(errno));
return false;
}
+ std::unique_ptr<int, close_delete> scoped_fd(&fd);
#if !defined(OPENSSL_WINDOWS)
struct stat st;
if (fstat(fd, &st)) {
fprintf(stderr, "Failed to stat input file '%s': %s\n", filename.c_str(),
strerror(errno));
- goto err;
+ return false;
}
if (!S_ISREG(st.st_mode)) {
fprintf(stderr, "%s: not a regular file\n", filename.c_str());
- goto err;
+ return false;
}
#endif
*out_fd = fd;
+ scoped_fd.release();
return true;
-
-#if !defined(OPENSSL_WINDOWS)
-err:
- close(fd);
- return false;
-#endif
}
// SumFile hashes the contents of |source| with |md| and sets |*out_hex| to the
diff --git a/src/tool/internal.h b/src/tool/internal.h
index bc87c51..277d099 100644
--- a/src/tool/internal.h
+++ b/src/tool/internal.h
@@ -32,9 +32,15 @@
#pragma warning(pop)
#endif
+enum ArgumentType {
+ kRequiredArgument,
+ kOptionalArgument,
+ kBooleanArgument,
+};
+
struct argument {
- const char name[15];
- bool required;
+ const char *name;
+ ArgumentType type;
const char *description;
};
diff --git a/src/tool/pkcs12.cc b/src/tool/pkcs12.cc
index e0133e5..c191531 100644
--- a/src/tool/pkcs12.cc
+++ b/src/tool/pkcs12.cc
@@ -31,6 +31,7 @@
#endif
#include <openssl/bytestring.h>
+#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs8.h>
#include <openssl/stack.h>
@@ -46,10 +47,11 @@
static const struct argument kArguments[] = {
{
- "-dump", false, "Dump the key and contents of the given file to stdout",
+ "-dump", kOptionalArgument,
+ "Dump the key and contents of the given file to stdout",
},
{
- "", false, "",
+ "", kOptionalArgument, "",
},
};
@@ -122,7 +124,7 @@
if (!PKCS12_get_key_and_certs(&key, certs, &pkcs12, password)) {
fprintf(stderr, "Failed to parse PKCS#12 data:\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return false;
}
diff --git a/src/tool/rand.cc b/src/tool/rand.cc
new file mode 100644
index 0000000..10078e2
--- /dev/null
+++ b/src/tool/rand.cc
@@ -0,0 +1,95 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <string>
+#include <vector>
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include <openssl/rand.h>
+
+#include "internal.h"
+
+
+static const struct argument kArguments[] = {
+ {
+ "-hex", kBooleanArgument,
+ "Hex encoded output."
+ },
+ {
+ "", kOptionalArgument, "",
+ },
+};
+
+bool Rand(const std::vector<std::string> &args) {
+ bool forever = true, hex = false;
+ size_t len = 0;
+
+ if (!args.empty()) {
+ std::vector<std::string> args_copy(args);
+ const std::string &last_arg = args.back();
+
+ if (last_arg.size() > 0 && last_arg[0] != '-') {
+ char *endptr;
+ unsigned long long num = strtoull(last_arg.c_str(), &endptr, 10);
+ if (*endptr == 0) {
+ len = num;
+ forever = false;
+ args_copy.pop_back();
+ }
+ }
+
+ std::map<std::string, std::string> args_map;
+ if (!ParseKeyValueArguments(&args_map, args_copy, kArguments)) {
+ PrintUsage(kArguments);
+ return false;
+ }
+
+ hex = args_map.count("-hex") > 0;
+ }
+
+ uint8_t buf[4096];
+ uint8_t hex_buf[8192];
+
+ size_t done = 0;
+ while (forever || done < len) {
+ size_t todo = sizeof(buf);
+ if (!forever && todo > len - done) {
+ todo = len - done;
+ }
+ RAND_bytes(buf, todo);
+ if (hex) {
+ static const char hextable[] = "0123456789abdef";
+ for (unsigned i = 0; i < todo; i++) {
+ hex_buf[i*2] = hextable[buf[i] >> 4];
+ hex_buf[i*2 + 1] = hextable[buf[i] & 0xf];
+ }
+ if (fwrite(hex_buf, todo*2, 1, stdout) != 1) {
+ return false;
+ }
+ } else {
+ if (fwrite(buf, todo, 1, stdout) != 1) {
+ return false;
+ }
+ }
+ done += todo;
+ }
+
+ if (hex && fwrite("\n", 1, 1, stdout) != 1) {
+ return false;
+ }
+
+ return true;
+}
diff --git a/src/tool/server.cc b/src/tool/server.cc
index 120e450..164d6a5 100644
--- a/src/tool/server.cc
+++ b/src/tool/server.cc
@@ -14,13 +14,6 @@
#include <openssl/base.h>
-#include <string>
-#include <vector>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <sys/types.h>
-
#include <openssl/err.h>
#include <openssl/ssl.h>
@@ -30,19 +23,19 @@
static const struct argument kArguments[] = {
{
- "-accept", true,
+ "-accept", kRequiredArgument,
"The port of the server to bind on; eg 45102",
},
{
- "-cipher", false,
+ "-cipher", kOptionalArgument,
"An OpenSSL-style cipher suite string that configures the offered ciphers",
},
{
- "-key", false,
+ "-key", kOptionalArgument,
"Private-key file to use (default is server.pem)",
},
{
- "", false, "",
+ "", kOptionalArgument, "",
},
};
diff --git a/src/tool/speed.cc b/src/tool/speed.cc
index 3c2a0f1..ab17c2f 100644
--- a/src/tool/speed.cc
+++ b/src/tool/speed.cc
@@ -19,12 +19,12 @@
#include <stdint.h>
#include <string.h>
-#include <time.h>
#include <openssl/aead.h>
-#include <openssl/bio.h>
#include <openssl/digest.h>
+#include <openssl/err.h>
#include <openssl/obj.h>
+#include <openssl/rand.h>
#include <openssl/rsa.h>
#if defined(OPENSSL_WINDOWS)
@@ -35,6 +35,8 @@
#include <sys/time.h>
#endif
+#include "../crypto/test/scoped_types.h"
+
extern "C" {
// These values are DER encoded, RSA private keys.
@@ -93,7 +95,7 @@
static bool TimeFunction(TimeResults *results, std::function<bool()> func) {
// kTotalMS is the total amount of time that we'll aim to measure a function
// for.
- static const uint64_t kTotalUS = 3000000;
+ static const uint64_t kTotalUS = 1000000;
uint64_t start = time_now(), now, delta;
unsigned done = 0, iterations_between_time_checks;
@@ -134,20 +136,24 @@
return true;
}
-static bool SpeedRSA(const std::string& key_name, RSA *key) {
- TimeResults results;
+static bool SpeedRSA(const std::string &key_name, RSA *key,
+ const std::string &selected) {
+ if (!selected.empty() && key_name.find(selected) == std::string::npos) {
+ return true;
+ }
std::unique_ptr<uint8_t[]> sig(new uint8_t[RSA_size(key)]);
const uint8_t fake_sha256_hash[32] = {0};
unsigned sig_len;
+ TimeResults results;
if (!TimeFunction(&results,
[key, &sig, &fake_sha256_hash, &sig_len]() -> bool {
return RSA_sign(NID_sha256, fake_sha256_hash, sizeof(fake_sha256_hash),
sig.get(), &sig_len, key);
})) {
fprintf(stderr, "RSA_sign failed.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return false;
}
results.Print(key_name + " signing");
@@ -158,7 +164,7 @@
sizeof(fake_sha256_hash), sig.get(), sig_len, key);
})) {
fprintf(stderr, "RSA_verify failed.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return false;
}
results.Print(key_name + " verify");
@@ -166,16 +172,10 @@
return true;
}
-template<typename T>
-struct free_functor {
- void operator()(T* ptr) {
- free(ptr);
- }
-};
-
static uint8_t *align(uint8_t *in, unsigned alignment) {
return reinterpret_cast<uint8_t *>(
- (reinterpret_cast<uintptr_t>(in) + alignment) & ~(alignment - 1));
+ (reinterpret_cast<uintptr_t>(in) + alignment) &
+ ~static_cast<size_t>(alignment - 1));
}
static bool SpeedAEADChunk(const EVP_AEAD *aead, const std::string &name,
@@ -191,10 +191,8 @@
memset(key.get(), 0, key_len);
std::unique_ptr<uint8_t[]> nonce(new uint8_t[nonce_len]);
memset(nonce.get(), 0, nonce_len);
- std::unique_ptr<uint8_t, free_functor<uint8_t>> in_storage(
- new uint8_t[chunk_len + kAlignment]);
- std::unique_ptr<uint8_t, free_functor<uint8_t>> out_storage(
- new uint8_t[chunk_len + overhead_len + kAlignment]);
+ std::unique_ptr<uint8_t[]> in_storage(new uint8_t[chunk_len + kAlignment]);
+ std::unique_ptr<uint8_t[]> out_storage(new uint8_t[chunk_len + overhead_len + kAlignment]);
std::unique_ptr<uint8_t[]> ad(new uint8_t[ad_len]);
memset(ad.get(), 0, ad_len);
@@ -203,10 +201,11 @@
uint8_t *const out = align(out_storage.get(), kAlignment);
memset(out, 0, chunk_len + overhead_len);
- if (!EVP_AEAD_CTX_init(&ctx, aead, key.get(), key_len,
- EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) {
+ if (!EVP_AEAD_CTX_init_with_direction(&ctx, aead, key.get(), key_len,
+ EVP_AEAD_DEFAULT_TAG_LENGTH,
+ evp_aead_seal)) {
fprintf(stderr, "Failed to create EVP_AEAD_CTX.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return false;
}
@@ -220,7 +219,7 @@
nonce_len, in, chunk_len, ad.get(), ad_len);
})) {
fprintf(stderr, "EVP_AEAD_CTX_seal failed.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return false;
}
@@ -232,7 +231,11 @@
}
static bool SpeedAEAD(const EVP_AEAD *aead, const std::string &name,
- size_t ad_len) {
+ size_t ad_len, const std::string &selected) {
+ if (!selected.empty() && name.find(selected) == std::string::npos) {
+ return true;
+ }
+
return SpeedAEADChunk(aead, name + " (16 bytes)", 16, ad_len) &&
SpeedAEADChunk(aead, name + " (1350 bytes)", 1350, ad_len) &&
SpeedAEADChunk(aead, name + " (8192 bytes)", 8192, ad_len);
@@ -257,7 +260,7 @@
EVP_DigestFinal_ex(ctx, digest, &md_len);
})) {
fprintf(stderr, "EVP_DigestInit_ex failed.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return false;
}
@@ -267,24 +270,159 @@
return true;
}
-static bool SpeedHash(const EVP_MD *md, const std::string &name) {
+static bool SpeedHash(const EVP_MD *md, const std::string &name,
+ const std::string &selected) {
+ if (!selected.empty() && name.find(selected) == std::string::npos) {
+ return true;
+ }
+
return SpeedHashChunk(md, name + " (16 bytes)", 16) &&
SpeedHashChunk(md, name + " (256 bytes)", 256) &&
SpeedHashChunk(md, name + " (8192 bytes)", 8192);
}
-bool Speed(const std::vector<std::string>& /*args*/) {
- const uint8_t *inp;
+static bool SpeedRandomChunk(const std::string name, size_t chunk_len) {
+ uint8_t scratch[8192];
- RSA *key = NULL;
- inp = kDERRSAPrivate2048;
- if (NULL == d2i_RSAPrivateKey(&key, &inp, kDERRSAPrivate2048Len)) {
- fprintf(stderr, "Failed to parse RSA key.\n");
- BIO_print_errors_fp(stderr);
+ if (chunk_len > sizeof(scratch)) {
return false;
}
- if (!SpeedRSA("RSA 2048", key)) {
+ TimeResults results;
+ if (!TimeFunction(&results, [chunk_len, &scratch]() -> bool {
+ RAND_bytes(scratch, chunk_len);
+ return true;
+ })) {
+ return false;
+ }
+
+ results.PrintWithBytes(name, chunk_len);
+ return true;
+}
+
+static bool SpeedRandom(const std::string &selected) {
+ if (!selected.empty() && selected != "RNG") {
+ return true;
+ }
+
+ return SpeedRandomChunk("RNG (16 bytes)", 16) &&
+ SpeedRandomChunk("RNG (256 bytes)", 256) &&
+ SpeedRandomChunk("RNG (8192 bytes)", 8192);
+}
+
+static bool SpeedECDHCurve(const std::string &name, int nid,
+ const std::string &selected) {
+ if (!selected.empty() && name.find(selected) == std::string::npos) {
+ return true;
+ }
+
+ TimeResults results;
+ if (!TimeFunction(&results, [nid]() -> bool {
+ ScopedEC_KEY key(EC_KEY_new_by_curve_name(nid));
+ if (!key ||
+ !EC_KEY_generate_key(key.get())) {
+ return false;
+ }
+ const EC_GROUP *const group = EC_KEY_get0_group(key.get());
+ ScopedEC_POINT point(EC_POINT_new(group));
+ ScopedBN_CTX ctx(BN_CTX_new());
+
+ ScopedBIGNUM x(BN_new());
+ ScopedBIGNUM y(BN_new());
+
+ if (!point || !ctx || !x || !y ||
+ !EC_POINT_mul(group, point.get(), NULL,
+ EC_KEY_get0_public_key(key.get()),
+ EC_KEY_get0_private_key(key.get()), ctx.get()) ||
+ !EC_POINT_get_affine_coordinates_GFp(group, point.get(), x.get(),
+ y.get(), ctx.get())) {
+ return false;
+ }
+
+ return true;
+ })) {
+ return false;
+ }
+
+ results.Print(name);
+ return true;
+}
+
+static bool SpeedECDSACurve(const std::string &name, int nid,
+ const std::string &selected) {
+ if (!selected.empty() && name.find(selected) == std::string::npos) {
+ return true;
+ }
+
+ ScopedEC_KEY key(EC_KEY_new_by_curve_name(nid));
+ if (!key ||
+ !EC_KEY_generate_key(key.get())) {
+ return false;
+ }
+
+ uint8_t signature[256];
+ if (ECDSA_size(key.get()) > sizeof(signature)) {
+ return false;
+ }
+ uint8_t digest[20];
+ memset(digest, 42, sizeof(digest));
+ unsigned sig_len;
+
+ TimeResults results;
+ if (!TimeFunction(&results, [&key, &signature, &digest, &sig_len]() -> bool {
+ return ECDSA_sign(0, digest, sizeof(digest), signature, &sig_len,
+ key.get()) == 1;
+ })) {
+ return false;
+ }
+
+ results.Print(name + " signing");
+
+ if (!TimeFunction(&results, [&key, &signature, &digest, sig_len]() -> bool {
+ return ECDSA_verify(0, digest, sizeof(digest), signature, sig_len,
+ key.get()) == 1;
+ })) {
+ return false;
+ }
+
+ results.Print(name + " verify");
+
+ return true;
+}
+
+static bool SpeedECDH(const std::string &selected) {
+ return SpeedECDHCurve("ECDH P-224", NID_secp224r1, selected) &&
+ SpeedECDHCurve("ECDH P-256", NID_X9_62_prime256v1, selected) &&
+ SpeedECDHCurve("ECDH P-384", NID_secp384r1, selected) &&
+ SpeedECDHCurve("ECDH P-521", NID_secp521r1, selected);
+}
+
+static bool SpeedECDSA(const std::string &selected) {
+ return SpeedECDSACurve("ECDSA P-224", NID_secp224r1, selected) &&
+ SpeedECDSACurve("ECDSA P-256", NID_X9_62_prime256v1, selected) &&
+ SpeedECDSACurve("ECDSA P-384", NID_secp384r1, selected) &&
+ SpeedECDSACurve("ECDSA P-521", NID_secp521r1, selected);
+}
+
+bool Speed(const std::vector<std::string> &args) {
+ std::string selected;
+ if (args.size() > 1) {
+ fprintf(stderr, "Usage: bssl speed [speed test selector, i.e. 'RNG']\n");
+ return false;
+ }
+ if (args.size() > 0) {
+ selected = args[0];
+ }
+
+ RSA *key = NULL;
+ const uint8_t *inp = kDERRSAPrivate2048;
+ if (NULL == d2i_RSAPrivateKey(&key, &inp, kDERRSAPrivate2048Len)) {
+ fprintf(stderr, "Failed to parse RSA key.\n");
+ ERR_print_errors_fp(stderr);
+ return false;
+ }
+
+ if (!SpeedRSA("RSA 2048", key, selected)) {
return false;
}
@@ -294,11 +432,11 @@
inp = kDERRSAPrivate4096;
if (NULL == d2i_RSAPrivateKey(&key, &inp, kDERRSAPrivate4096Len)) {
fprintf(stderr, "Failed to parse 4096-bit RSA key.\n");
- BIO_print_errors_fp(stderr);
+ ERR_print_errors_fp(stderr);
return 1;
}
- if (!SpeedRSA("RSA 4096", key)) {
+ if (!SpeedRSA("RSA 4096", key, selected)) {
return false;
}
@@ -313,17 +451,23 @@
// knowledge in them and construct a couple of the AD bytes internally.
static const size_t kLegacyADLen = kTLSADLen - 2;
- if (!SpeedAEAD(EVP_aead_aes_128_gcm(), "AES-128-GCM", kTLSADLen) ||
- !SpeedAEAD(EVP_aead_aes_256_gcm(), "AES-256-GCM", kTLSADLen) ||
- !SpeedAEAD(EVP_aead_chacha20_poly1305(), "ChaCha20-Poly1305", kTLSADLen) ||
- !SpeedAEAD(EVP_aead_rc4_md5_tls(), "RC4-MD5", kLegacyADLen) ||
- !SpeedAEAD(EVP_aead_aes_128_cbc_sha1_tls(), "AES-128-CBC-SHA1", kLegacyADLen) ||
- !SpeedAEAD(EVP_aead_aes_256_cbc_sha1_tls(), "AES-256-CBC-SHA1", kLegacyADLen) ||
- !SpeedHash(EVP_sha1(), "SHA-1") ||
- !SpeedHash(EVP_sha256(), "SHA-256") ||
- !SpeedHash(EVP_sha512(), "SHA-512")) {
+ if (!SpeedAEAD(EVP_aead_aes_128_gcm(), "AES-128-GCM", kTLSADLen, selected) ||
+ !SpeedAEAD(EVP_aead_aes_256_gcm(), "AES-256-GCM", kTLSADLen, selected) ||
+ !SpeedAEAD(EVP_aead_chacha20_poly1305(), "ChaCha20-Poly1305", kTLSADLen,
+ selected) ||
+ !SpeedAEAD(EVP_aead_rc4_md5_tls(), "RC4-MD5", kLegacyADLen, selected) ||
+ !SpeedAEAD(EVP_aead_aes_128_cbc_sha1_tls(), "AES-128-CBC-SHA1",
+ kLegacyADLen, selected) ||
+ !SpeedAEAD(EVP_aead_aes_256_cbc_sha1_tls(), "AES-256-CBC-SHA1",
+ kLegacyADLen, selected) ||
+ !SpeedHash(EVP_sha1(), "SHA-1", selected) ||
+ !SpeedHash(EVP_sha256(), "SHA-256", selected) ||
+ !SpeedHash(EVP_sha512(), "SHA-512", selected) ||
+ !SpeedRandom(selected) ||
+ !SpeedECDH(selected) ||
+ !SpeedECDSA(selected)) {
return false;
}
- return 0;
+ return true;
}
diff --git a/src/tool/tool.cc b/src/tool/tool.cc
index 36e3de9..4bd7d1a 100644
--- a/src/tool/tool.cc
+++ b/src/tool/tool.cc
@@ -36,6 +36,7 @@
bool SHA512Sum(const std::vector<std::string> &args);
bool DoPKCS12(const std::vector<std::string> &args);
bool Speed(const std::vector<std::string> &args);
+bool Rand(const std::vector<std::string> &args);
typedef bool (*tool_func_t)(const std::vector<std::string> &args);
@@ -57,6 +58,7 @@
{ "sha256sum", SHA256Sum },
{ "sha384sum", SHA384Sum },
{ "sha512sum", SHA512Sum },
+ { "rand", Rand },
{ "", nullptr },
};
diff --git a/src/tool/transport_common.cc b/src/tool/transport_common.cc
index 1a09d08..3f5e631 100644
--- a/src/tool/transport_common.cc
+++ b/src/tool/transport_common.cc
@@ -18,6 +18,7 @@
#include <vector>
#include <errno.h>
+#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
@@ -31,7 +32,6 @@
#include <sys/socket.h>
#include <unistd.h>
#else
-#define NOMINMAX
#include <io.h>
#pragma warning(push, 3)
#include <winsock2.h>
@@ -172,6 +172,17 @@
fprintf(stderr, " Cipher: %s\n", SSL_CIPHER_get_name(cipher));
fprintf(stderr, " Secure renegotiation: %s\n",
SSL_get_secure_renegotiation_support(ssl) ? "yes" : "no");
+
+ const uint8_t *next_proto;
+ unsigned next_proto_len;
+ SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);
+ fprintf(stderr, " Next protocol negotiated: %.*s\n", next_proto_len,
+ next_proto);
+
+ const uint8_t *alpn;
+ unsigned alpn_len;
+ SSL_get0_alpn_selected(ssl, &alpn, &alpn_len);
+ fprintf(stderr, " ALPN protocol: %.*s\n", alpn_len, alpn);
}
bool SocketSetNonBlocking(int sock, bool is_non_blocking) {
diff --git a/src/util/aarch64-toolchain.cmake b/src/util/aarch64-toolchain.cmake
deleted file mode 100644
index 77f33ab..0000000
--- a/src/util/aarch64-toolchain.cmake
+++ /dev/null
@@ -1,6 +0,0 @@
-set(CMAKE_SYSTEM_NAME Linux)
-set(CMAKE_SYSTEM_VERSION 1)
-set(CMAKE_SYSTEM_PROCESSOR "aarch64")
-set(CMAKE_CXX_COMPILER "/opt/gcc-linaro-4.9-2014.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu-g++")
-set(CMAKE_C_COMPILER "/opt/gcc-linaro-4.9-2014.11-x86_64_aarch64-linux-gnu/bin/aarch64-linux-gnu-gcc")
-set(CMAKE_EXE_LINKER_FLAGS "-static")
diff --git a/src/util/all_tests.go b/src/util/all_tests.go
new file mode 100644
index 0000000..91822d1
--- /dev/null
+++ b/src/util/all_tests.go
@@ -0,0 +1,240 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+package main
+
+import (
+ "bytes"
+ "encoding/json"
+ "flag"
+ "fmt"
+ "os"
+ "os/exec"
+ "path"
+ "strings"
+ "time"
+)
+
+// TODO(davidben): Link tests with the malloc shim and port -malloc-test to this runner.
+
+var (
+ useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
+ buildDir = flag.String("build-dir", "build", "The build directory to run the tests from.")
+ jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
+)
+
+type test []string
+
+var tests = []test{
+ {"crypto/base64/base64_test"},
+ {"crypto/bio/bio_test"},
+ {"crypto/bn/bn_test"},
+ {"crypto/bytestring/bytestring_test"},
+ {"crypto/cipher/aead_test", "aes-128-gcm", "crypto/cipher/test/aes_128_gcm_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-128-key-wrap", "crypto/cipher/test/aes_128_key_wrap_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-256-gcm", "crypto/cipher/test/aes_256_gcm_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-256-key-wrap", "crypto/cipher/test/aes_256_key_wrap_tests.txt"},
+ {"crypto/cipher/aead_test", "chacha20-poly1305", "crypto/cipher/test/chacha20_poly1305_tests.txt"},
+ {"crypto/cipher/aead_test", "rc4-md5-tls", "crypto/cipher/test/rc4_md5_tls_tests.txt"},
+ {"crypto/cipher/aead_test", "rc4-sha1-tls", "crypto/cipher/test/rc4_sha1_tls_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-128-cbc-sha1-tls", "crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-128-cbc-sha1-tls-implicit-iv", "crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-128-cbc-sha256-tls", "crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-256-cbc-sha1-tls", "crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-256-cbc-sha1-tls-implicit-iv", "crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-256-cbc-sha256-tls", "crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-256-cbc-sha384-tls", "crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt"},
+ {"crypto/cipher/aead_test", "des-ede3-cbc-sha1-tls", "crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt"},
+ {"crypto/cipher/aead_test", "des-ede3-cbc-sha1-tls-implicit-iv", "crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt"},
+ {"crypto/cipher/aead_test", "rc4-md5-ssl3", "crypto/cipher/test/rc4_md5_ssl3_tests.txt"},
+ {"crypto/cipher/aead_test", "rc4-sha1-ssl3", "crypto/cipher/test/rc4_sha1_ssl3_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-128-cbc-sha1-ssl3", "crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-256-cbc-sha1-ssl3", "crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt"},
+ {"crypto/cipher/aead_test", "des-ede3-cbc-sha1-ssl3", "crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt"},
+ {"crypto/cipher/aead_test", "aes-128-ctr-hmac-sha256", "crypto/cipher/test/aes_128_ctr_hmac_sha256.txt"},
+ {"crypto/cipher/aead_test", "aes-256-ctr-hmac-sha256", "crypto/cipher/test/aes_256_ctr_hmac_sha256.txt"},
+ {"crypto/cipher/cipher_test", "crypto/cipher/test/cipher_test.txt"},
+ {"crypto/cmac/cmac_test"},
+ {"crypto/constant_time_test"},
+ {"crypto/dh/dh_test"},
+ {"crypto/digest/digest_test"},
+ {"crypto/dsa/dsa_test"},
+ {"crypto/ec/ec_test"},
+ {"crypto/ec/example_mul"},
+ {"crypto/ecdsa/ecdsa_test"},
+ {"crypto/err/err_test"},
+ {"crypto/evp/evp_extra_test"},
+ {"crypto/evp/evp_test", "crypto/evp/evp_tests.txt"},
+ {"crypto/evp/evp_test", "crypto/hmac/hmac_tests.txt"},
+ {"crypto/evp/pbkdf_test"},
+ {"crypto/hkdf/hkdf_test"},
+ {"crypto/hmac/hmac_test", "crypto/hmac/hmac_tests.txt"},
+ {"crypto/lhash/lhash_test"},
+ {"crypto/modes/gcm_test"},
+ {"crypto/pkcs8/pkcs12_test"},
+ {"crypto/rsa/rsa_test"},
+ {"crypto/thread_test"},
+ {"crypto/x509/pkcs7_test"},
+ {"crypto/x509v3/tab_test"},
+ {"crypto/x509v3/v3name_test"},
+ {"ssl/pqueue/pqueue_test"},
+ {"ssl/ssl_test"},
+}
+
+// testOutput is a representation of Chromium's JSON test result format. See
+// https://www.chromium.org/developers/the-json-test-results-format
+type testOutput struct {
+ Version int `json:"version"`
+ Interrupted bool `json:"interrupted"`
+ PathDelimiter string `json:"path_delimiter"`
+ SecondsSinceEpoch float64 `json:"seconds_since_epoch"`
+ NumFailuresByType map[string]int `json:"num_failures_by_type"`
+ Tests map[string]testResult `json:"tests"`
+}
+
+type testResult struct {
+ Actual string `json:"actual"`
+ Expected string `json:"expected"`
+ IsUnexpected bool `json:"is_unexpected"`
+}
+
+func newTestOutput() *testOutput {
+ return &testOutput{
+ Version: 3,
+ PathDelimiter: ".",
+ SecondsSinceEpoch: float64(time.Now().UnixNano()) / float64(time.Second/time.Nanosecond),
+ NumFailuresByType: make(map[string]int),
+ Tests: make(map[string]testResult),
+ }
+}
+
+func (t *testOutput) addResult(name, result string) {
+ if _, found := t.Tests[name]; found {
+ panic(name)
+ }
+ t.Tests[name] = testResult{
+ Actual: result,
+ Expected: "PASS",
+ IsUnexpected: result != "PASS",
+ }
+ t.NumFailuresByType[result]++
+}
+
+func (t *testOutput) writeTo(name string) error {
+ file, err := os.Create(name)
+ if err != nil {
+ return err
+ }
+ defer file.Close()
+ out, err := json.MarshalIndent(t, "", " ")
+ if err != nil {
+ return err
+ }
+ _, err = file.Write(out)
+ return err
+}
+
+func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
+ valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full"}
+ if dbAttach {
+ valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
+ }
+ valgrindArgs = append(valgrindArgs, path)
+ valgrindArgs = append(valgrindArgs, args...)
+
+ return exec.Command("valgrind", valgrindArgs...)
+}
+
+func runTest(test test) (passed bool, err error) {
+ prog := path.Join(*buildDir, test[0])
+ args := test[1:]
+ var cmd *exec.Cmd
+ if *useValgrind {
+ cmd = valgrindOf(false, prog, args...)
+ } else {
+ cmd = exec.Command(prog, args...)
+ }
+ var stdoutBuf bytes.Buffer
+ cmd.Stdout = &stdoutBuf
+ cmd.Stderr = os.Stderr
+
+ if err := cmd.Start(); err != nil {
+ return false, err
+ }
+ if err := cmd.Wait(); err != nil {
+ return false, err
+ }
+
+ // Account for Windows line-endings.
+ stdout := bytes.Replace(stdoutBuf.Bytes(), []byte("\r\n"), []byte("\n"), -1)
+
+ if bytes.HasSuffix(stdout, []byte("PASS\n")) &&
+ (len(stdout) == 5 || stdout[len(stdout)-6] == '\n') {
+ return true, nil
+ }
+ return false, nil
+}
+
+// shortTestName returns the short name of a test. Except for evp_test, it
+// assumes that any argument which ends in .txt is a path to a data file and not
+// relevant to the test's uniqueness.
+func shortTestName(test test) string {
+ var args []string
+ for _, arg := range test {
+ if test[0] == "crypto/evp/evp_test" || !strings.HasSuffix(arg, ".txt") {
+ args = append(args, arg)
+ }
+ }
+ return strings.Join(args, " ")
+}
+
+func main() {
+ flag.Parse()
+
+ testOutput := newTestOutput()
+ var failed []test
+ for _, test := range tests {
+ fmt.Printf("%s\n", strings.Join([]string(test), " "))
+
+ name := shortTestName(test)
+ passed, err := runTest(test)
+ if err != nil {
+ fmt.Printf("%s failed to complete: %s\n", test[0], err)
+ failed = append(failed, test)
+ testOutput.addResult(name, "CRASHED")
+ } else if !passed {
+ fmt.Printf("%s failed to print PASS on the last line.\n", test[0])
+ failed = append(failed, test)
+ testOutput.addResult(name, "FAIL")
+ } else {
+ testOutput.addResult(name, "PASS")
+ }
+ }
+
+ if *jsonOutput != "" {
+ if err := testOutput.writeTo(*jsonOutput); err != nil {
+ fmt.Fprintf(os.Stderr, "Error: %s\n", err)
+ }
+ }
+
+ if len(failed) > 0 {
+ fmt.Printf("\n%d of %d tests failed:\n", len(failed), len(tests))
+ for _, test := range failed {
+ fmt.Printf("\t%s\n", strings.Join([]string(test), " "))
+ }
+ os.Exit(1)
+ }
+
+ fmt.Printf("\nAll tests passed!\n")
+}
diff --git a/src/util/all_tests.sh b/src/util/all_tests.sh
deleted file mode 100644
index bcb5c24..0000000
--- a/src/util/all_tests.sh
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/env bash
-
-# Copyright (c) 2014, Google Inc.
-#
-# Permission to use, copy, modify, and/or distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-SRC=..
-if [ "$#" -ge 1 ]; then
- SRC=$1
-fi
-
-TESTS="
-./crypto/base64/base64_test
-./crypto/bio/bio_test
-./crypto/bn/bn_test
-./crypto/bytestring/bytestring_test
-./crypto/cipher/aead_test aes-128-gcm $SRC/crypto/cipher/test/aes_128_gcm_tests.txt
-./crypto/cipher/aead_test aes-128-key-wrap $SRC/crypto/cipher/test/aes_128_key_wrap_tests.txt
-./crypto/cipher/aead_test aes-256-gcm $SRC/crypto/cipher/test/aes_256_gcm_tests.txt
-./crypto/cipher/aead_test aes-256-key-wrap $SRC/crypto/cipher/test/aes_256_key_wrap_tests.txt
-./crypto/cipher/aead_test chacha20-poly1305 $SRC/crypto/cipher/test/chacha20_poly1305_tests.txt
-./crypto/cipher/aead_test rc4-md5-tls $SRC/crypto/cipher/test/rc4_md5_tls_tests.txt
-./crypto/cipher/aead_test rc4-sha1-tls $SRC/crypto/cipher/test/rc4_sha1_tls_tests.txt
-./crypto/cipher/aead_test aes-128-cbc-sha1-tls $SRC/crypto/cipher/test/aes_128_cbc_sha1_tls_tests.txt
-./crypto/cipher/aead_test aes-128-cbc-sha1-tls-implicit-iv $SRC/crypto/cipher/test/aes_128_cbc_sha1_tls_implicit_iv_tests.txt
-./crypto/cipher/aead_test aes-128-cbc-sha256-tls $SRC/crypto/cipher/test/aes_128_cbc_sha256_tls_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha1-tls $SRC/crypto/cipher/test/aes_256_cbc_sha1_tls_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha1-tls-implicit-iv $SRC/crypto/cipher/test/aes_256_cbc_sha1_tls_implicit_iv_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha256-tls $SRC/crypto/cipher/test/aes_256_cbc_sha256_tls_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha384-tls $SRC/crypto/cipher/test/aes_256_cbc_sha384_tls_tests.txt
-./crypto/cipher/aead_test des-ede3-cbc-sha1-tls $SRC/crypto/cipher/test/des_ede3_cbc_sha1_tls_tests.txt
-./crypto/cipher/aead_test des-ede3-cbc-sha1-tls-implicit-iv $SRC/crypto/cipher/test/des_ede3_cbc_sha1_tls_implicit_iv_tests.txt
-./crypto/cipher/aead_test rc4-md5-ssl3 $SRC/crypto/cipher/test/rc4_md5_ssl3_tests.txt
-./crypto/cipher/aead_test rc4-sha1-ssl3 $SRC/crypto/cipher/test/rc4_sha1_ssl3_tests.txt
-./crypto/cipher/aead_test aes-128-cbc-sha1-ssl3 $SRC/crypto/cipher/test/aes_128_cbc_sha1_ssl3_tests.txt
-./crypto/cipher/aead_test aes-256-cbc-sha1-ssl3 $SRC/crypto/cipher/test/aes_256_cbc_sha1_ssl3_tests.txt
-./crypto/cipher/aead_test des-ede3-cbc-sha1-ssl3 $SRC/crypto/cipher/test/des_ede3_cbc_sha1_ssl3_tests.txt
-./crypto/cipher/cipher_test $SRC/crypto/cipher/test/cipher_test.txt
-./crypto/constant_time_test
-./crypto/dh/dh_test
-./crypto/digest/digest_test
-./crypto/dsa/dsa_test
-./crypto/ec/ec_test
-./crypto/ec/example_mul
-./crypto/ecdsa/ecdsa_test
-./crypto/err/err_test
-./crypto/evp/evp_test
-./crypto/evp/pbkdf_test
-./crypto/hkdf/hkdf_test
-./crypto/hmac/hmac_test
-./crypto/lhash/lhash_test
-./crypto/modes/gcm_test
-./crypto/pkcs8/pkcs12_test
-./crypto/rsa/rsa_test
-./crypto/x509/pkcs7_test
-./crypto/x509v3/tab_test
-./crypto/x509v3/v3name_test
-./ssl/pqueue/pqueue_test
-./ssl/ssl_test
-"
-
-IFS=$'\n'
-for bin in $TESTS; do
- echo $bin
- out=$(bash -c "$bin" | tail -n 1)
- if [ $? -ne 0 ]; then
- echo $bin failed to complete.
- exit 1
- fi
-
- if [ "x$out" != "xPASS" ]; then
- echo $bin failed to print PASS on the last line.
- exit 1
- fi
-done
diff --git a/src/util/arm-toolchain.cmake b/src/util/arm-toolchain.cmake
deleted file mode 100644
index 2dfd2bd..0000000
--- a/src/util/arm-toolchain.cmake
+++ /dev/null
@@ -1,6 +0,0 @@
-set(CMAKE_SYSTEM_NAME Linux)
-set(CMAKE_SYSTEM_VERSION 1)
-set(CMAKE_SYSTEM_PROCESSOR "arm")
-set(CMAKE_CXX_COMPILER "/opt/gcc-linaro-4.9-2014.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf-g++")
-set(CMAKE_C_COMPILER "/opt/gcc-linaro-4.9-2014.11-x86_64_arm-linux-gnueabihf/bin/arm-linux-gnueabihf-gcc")
-set(CMAKE_EXE_LINKER_FLAGS "-static")
diff --git a/src/util/bot/DEPS b/src/util/bot/DEPS
new file mode 100644
index 0000000..738fbd3
--- /dev/null
+++ b/src/util/bot/DEPS
@@ -0,0 +1,134 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+vars = {
+ 'chromium_git': 'https://chromium.googlesource.com',
+}
+
+deps = {
+ 'boringssl/util/bot/gyp':
+ Var('chromium_git') + '/external/gyp.git' + '@' + '4a9b712d5cb4a5ba7a9950128a7219569caf7263',
+}
+
+hooks = [
+ {
+ 'name': 'cmake_linux64',
+ 'pattern': '.',
+ 'action': [ 'download_from_google_storage',
+ '--no_resume',
+ '--platform=linux*',
+ '--no_auth',
+ '--bucket', 'chromium-tools',
+ '-s', 'boringssl/util/bot/cmake-linux64.tar.gz.sha1',
+ ],
+ },
+ {
+ 'name': 'cmake_mac',
+ 'pattern': '.',
+ 'action': [ 'download_from_google_storage',
+ '--no_resume',
+ '--platform=darwin',
+ '--no_auth',
+ '--bucket', 'chromium-tools',
+ '-s', 'boringssl/util/bot/cmake-mac.tar.gz.sha1',
+ ],
+ },
+ {
+ 'name': 'cmake_win32',
+ 'pattern': '.',
+ 'action': [ 'download_from_google_storage',
+ '--no_resume',
+ '--platform=win32',
+ '--no_auth',
+ '--bucket', 'chromium-tools',
+ '-s', 'boringssl/util/bot/cmake-win32.zip.sha1',
+ ],
+ },
+ {
+ 'name': 'perl_win32',
+ 'pattern': '.',
+ 'action': [ 'download_from_google_storage',
+ '--no_resume',
+ '--platform=win32',
+ '--no_auth',
+ '--bucket', 'chromium-tools',
+ '-s', 'boringssl/util/bot/perl-win32.zip.sha1',
+ ],
+ },
+ {
+ 'name': 'yasm_win32',
+ 'pattern': '.',
+ 'action': [ 'download_from_google_storage',
+ '--no_resume',
+ '--platform=win32',
+ '--no_auth',
+ '--bucket', 'chromium-tools',
+ '-s', 'boringssl/util/bot/yasm-win32.exe.sha1',
+ ],
+ },
+ {
+ 'name': 'win_toolchain',
+ 'pattern': '.',
+ 'action': [ 'python',
+ 'boringssl/util/bot/vs_toolchain.py',
+ 'update',
+ ],
+ },
+ {
+ 'name': 'clang',
+ 'pattern': '.',
+ 'action': [ 'python',
+ 'boringssl/util/bot/update_clang.py',
+ ],
+ },
+ # TODO(davidben): Only extract archives when they've changed. Extracting perl
+ # on Windows is a significant part of the cycle time.
+ {
+ 'name': 'cmake_linux64_extract',
+ 'pattern': '.',
+ 'action': [ 'python',
+ 'boringssl/util/bot/extract.py',
+ 'boringssl/util/bot/cmake-linux64.tar.gz',
+ 'boringssl/util/bot/cmake-linux64/',
+ ],
+ },
+ {
+ 'name': 'cmake_mac_extract',
+ 'pattern': '.',
+ 'action': [ 'python',
+ 'boringssl/util/bot/extract.py',
+ 'boringssl/util/bot/cmake-mac.tar.gz',
+ 'boringssl/util/bot/cmake-mac/',
+ ],
+ },
+ {
+ 'name': 'cmake_win32_extract',
+ 'pattern': '.',
+ 'action': [ 'python',
+ 'boringssl/util/bot/extract.py',
+ 'boringssl/util/bot/cmake-win32.zip',
+ 'boringssl/util/bot/cmake-win32/',
+ ],
+ },
+ {
+ 'name': 'perl_win32_extract',
+ 'pattern': '.',
+ 'action': [ 'python',
+ 'boringssl/util/bot/extract.py',
+ '--no-prefix',
+ 'boringssl/util/bot/perl-win32.zip',
+ 'boringssl/util/bot/perl-win32/',
+ ],
+ },
+]
diff --git a/src/util/bot/README b/src/util/bot/README
new file mode 100644
index 0000000..b7a4332
--- /dev/null
+++ b/src/util/bot/README
@@ -0,0 +1,3 @@
+This directory contains tools for setting up a hermetic toolchain on the
+continuous integration bots. It is in the repository for convenience and can be
+ignored in development.
diff --git a/src/util/bot/cmake-linux64.tar.gz.sha1 b/src/util/bot/cmake-linux64.tar.gz.sha1
new file mode 100644
index 0000000..6a8aa1c
--- /dev/null
+++ b/src/util/bot/cmake-linux64.tar.gz.sha1
@@ -0,0 +1 @@
+32cd1d5fe84ae569dbb36f5767650d62efb8be38
\ No newline at end of file
diff --git a/src/util/bot/cmake-mac.tar.gz.sha1 b/src/util/bot/cmake-mac.tar.gz.sha1
new file mode 100644
index 0000000..cb7251b
--- /dev/null
+++ b/src/util/bot/cmake-mac.tar.gz.sha1
@@ -0,0 +1 @@
+310df6945ae7f8c9da559d22f5794ee8e578a663
\ No newline at end of file
diff --git a/src/util/bot/cmake-win32.zip.sha1 b/src/util/bot/cmake-win32.zip.sha1
new file mode 100644
index 0000000..9196b58
--- /dev/null
+++ b/src/util/bot/cmake-win32.zip.sha1
@@ -0,0 +1 @@
+e9493171de0edd8879755aa7229a701010a19561
\ No newline at end of file
diff --git a/src/util/bot/extract.py b/src/util/bot/extract.py
new file mode 100644
index 0000000..77603c0
--- /dev/null
+++ b/src/util/bot/extract.py
@@ -0,0 +1,139 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+"""Extracts archives."""
+
+
+import optparse
+import os
+import os.path
+import tarfile
+import shutil
+import sys
+import zipfile
+
+
+def CheckedJoin(output, path):
+ """
+ CheckedJoin returns os.path.join(output, path). It does sanity checks to
+ ensure the resulting path is under output, but shouldn't be used on untrusted
+ input.
+ """
+ path = os.path.normpath(path)
+ if os.path.isabs(path) or path.startswith('.'):
+ raise ValueError(path)
+ return os.path.join(output, path)
+
+
+def IterateZip(path):
+ """
+ IterateZip opens the zip file at path and returns a generator of
+ (filename, mode, fileobj) tuples for each file in it.
+ """
+ with zipfile.ZipFile(path, 'r') as zip_file:
+ for info in zip_file.infolist():
+ if info.filename.endswith('/'):
+ continue
+ yield (info.filename, None, zip_file.open(info))
+
+
+def IterateTar(path):
+ """
+ IterateTar opens the tar.gz file at path and returns a generator of
+ (filename, mode, fileobj) tuples for each file in it.
+ """
+ with tarfile.open(path, 'r:gz') as tar_file:
+ for info in tar_file:
+ if info.isdir():
+ continue
+ if not info.isfile():
+ raise ValueError('Unknown entry type "%s"' % (info.name, ))
+ yield (info.name, info.mode, tar_file.extractfile(info))
+
+
+def main(args):
+ parser = optparse.OptionParser(usage='Usage: %prog ARCHIVE OUTPUT')
+ parser.add_option('--no-prefix', dest='no_prefix', action='store_true',
+ help='Do not remove a prefix from paths in the archive.')
+ options, args = parser.parse_args(args)
+
+ if len(args) != 2:
+ parser.print_help()
+ return 1
+
+ archive, output = args
+
+ if not os.path.exists(archive):
+ # Skip archives that weren't downloaded.
+ return 0
+
+ if archive.endswith('.zip'):
+ entries = IterateZip(archive)
+ elif archive.endswith('.tar.gz'):
+ entries = IterateTar(archive)
+ else:
+ raise ValueError(archive)
+
+ try:
+ if os.path.exists(output):
+ print "Removing %s" % (output, )
+ shutil.rmtree(output)
+
+ print "Extracting %s to %s" % (archive, output)
+ prefix = None
+ num_extracted = 0
+ for path, mode, inp in entries:
+ # Even on Windows, zip files must always use forward slashes.
+ if '\\' in path or path.startswith('/'):
+ raise ValueError(path)
+
+ if not options.no_prefix:
+ new_prefix, rest = path.split('/', 1)
+
+ # Ensure the archive is consistent.
+ if prefix is None:
+ prefix = new_prefix
+ if prefix != new_prefix:
+ raise ValueError((prefix, new_prefix))
+ else:
+ rest = path
+
+ # Extract the file into the output directory.
+ fixed_path = CheckedJoin(output, rest)
+ if not os.path.isdir(os.path.dirname(fixed_path)):
+ os.makedirs(os.path.dirname(fixed_path))
+ with open(fixed_path, 'wb') as out:
+ shutil.copyfileobj(inp, out)
+
+ # Fix up permissions if needbe.
+ # TODO(davidben): To be extra tidy, this should only track the execute bit
+ # as in git.
+ if mode is not None:
+ os.chmod(fixed_path, mode)
+
+ # Print every 100 files, so bots do not time out on large archives.
+ num_extracted += 1
+ if num_extracted % 100 == 0:
+ print "Extracted %d files..." % (num_extracted,)
+ finally:
+ entries.close()
+
+ if num_extracted % 100 == 0:
+ print "Done. Extracted %d files." % (num_extracted,)
+
+ return 0
+
+
+if __name__ == '__main__':
+ sys.exit(main(sys.argv[1:]))
diff --git a/src/util/bot/go/bootstrap.py b/src/util/bot/go/bootstrap.py
new file mode 100755
index 0000000..166ef3b
--- /dev/null
+++ b/src/util/bot/go/bootstrap.py
@@ -0,0 +1,297 @@
+#!/usr/bin/env python
+# Copyright 2014 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Modified from go/bootstrap.py in Chromium infrastructure's repository to patch
+# out everything but the core toolchain.
+#
+# https://chromium.googlesource.com/infra/infra/
+
+"""Prepares a local hermetic Go installation.
+
+- Downloads and unpacks the Go toolset in ../golang.
+"""
+
+import contextlib
+import logging
+import os
+import platform
+import shutil
+import stat
+import subprocess
+import sys
+import tarfile
+import tempfile
+import urllib
+import zipfile
+
+# TODO(vadimsh): Migrate to new golang.org/x/ paths once Golang moves to
+# git completely.
+
+LOGGER = logging.getLogger(__name__)
+
+
+# /path/to/util/bot
+ROOT = os.path.dirname(os.path.abspath(__file__))
+
+# Where to install Go toolset to. GOROOT would be <TOOLSET_ROOT>/go.
+TOOLSET_ROOT = os.path.join(os.path.dirname(ROOT), 'golang')
+
+# Default workspace with infra go code.
+WORKSPACE = os.path.join(ROOT, 'go')
+
+# Platform depended suffix for executable files.
+EXE_SFX = '.exe' if sys.platform == 'win32' else ''
+
+# Pinned version of Go toolset to download.
+TOOLSET_VERSION = 'go1.4'
+
+# Platform dependent portion of a download URL. See http://golang.org/dl/.
+TOOLSET_VARIANTS = {
+ ('darwin', 'x86-32'): 'darwin-386-osx10.8.tar.gz',
+ ('darwin', 'x86-64'): 'darwin-amd64-osx10.8.tar.gz',
+ ('linux2', 'x86-32'): 'linux-386.tar.gz',
+ ('linux2', 'x86-64'): 'linux-amd64.tar.gz',
+ ('win32', 'x86-32'): 'windows-386.zip',
+ ('win32', 'x86-64'): 'windows-amd64.zip',
+}
+
+# Download URL root.
+DOWNLOAD_URL_PREFIX = 'https://storage.googleapis.com/golang'
+
+
+class Failure(Exception):
+ """Bootstrap failed."""
+
+
+def get_toolset_url():
+ """URL of a platform specific Go toolset archive."""
+ # TODO(vadimsh): Support toolset for cross-compilation.
+ arch = {
+ 'amd64': 'x86-64',
+ 'x86_64': 'x86-64',
+ 'i386': 'x86-32',
+ 'x86': 'x86-32',
+ }.get(platform.machine().lower())
+ variant = TOOLSET_VARIANTS.get((sys.platform, arch))
+ if not variant:
+ # TODO(vadimsh): Compile go lang from source.
+ raise Failure('Unrecognized platform')
+ return '%s/%s.%s' % (DOWNLOAD_URL_PREFIX, TOOLSET_VERSION, variant)
+
+
+def read_file(path):
+ """Returns contents of a given file or None if not readable."""
+ assert isinstance(path, (list, tuple))
+ try:
+ with open(os.path.join(*path), 'r') as f:
+ return f.read()
+ except IOError:
+ return None
+
+
+def write_file(path, data):
+ """Writes |data| to a file."""
+ assert isinstance(path, (list, tuple))
+ with open(os.path.join(*path), 'w') as f:
+ f.write(data)
+
+
+def remove_directory(path):
+ """Recursively removes a directory."""
+ assert isinstance(path, (list, tuple))
+ p = os.path.join(*path)
+ if not os.path.exists(p):
+ return
+ LOGGER.info('Removing %s', p)
+ # Crutch to remove read-only file (.git/* in particular) on Windows.
+ def onerror(func, path, _exc_info):
+ if not os.access(path, os.W_OK):
+ os.chmod(path, stat.S_IWUSR)
+ func(path)
+ else:
+ raise
+ shutil.rmtree(p, onerror=onerror if sys.platform == 'win32' else None)
+
+
+def install_toolset(toolset_root, url):
+ """Downloads and installs Go toolset.
+
+ GOROOT would be <toolset_root>/go/.
+ """
+ if not os.path.exists(toolset_root):
+ os.makedirs(toolset_root)
+ pkg_path = os.path.join(toolset_root, url[url.rfind('/')+1:])
+
+ LOGGER.info('Downloading %s...', url)
+ download_file(url, pkg_path)
+
+ LOGGER.info('Extracting...')
+ if pkg_path.endswith('.zip'):
+ with zipfile.ZipFile(pkg_path, 'r') as f:
+ f.extractall(toolset_root)
+ elif pkg_path.endswith('.tar.gz'):
+ with tarfile.open(pkg_path, 'r:gz') as f:
+ f.extractall(toolset_root)
+ else:
+ raise Failure('Unrecognized archive format')
+
+ LOGGER.info('Validating...')
+ if not check_hello_world(toolset_root):
+ raise Failure('Something is not right, test program doesn\'t work')
+
+
+def download_file(url, path):
+ """Fetches |url| to |path|."""
+ last_progress = [0]
+ def report(a, b, c):
+ progress = int(a * b * 100.0 / c)
+ if progress != last_progress[0]:
+ print >> sys.stderr, 'Downloading... %d%%' % progress
+ last_progress[0] = progress
+ # TODO(vadimsh): Use something less crippled, something that validates SSL.
+ urllib.urlretrieve(url, path, reporthook=report)
+
+
+@contextlib.contextmanager
+def temp_dir(path):
+ """Creates a temporary directory, then deletes it."""
+ tmp = tempfile.mkdtemp(dir=path)
+ try:
+ yield tmp
+ finally:
+ remove_directory([tmp])
+
+
+def check_hello_world(toolset_root):
+ """Compiles and runs 'hello world' program to verify that toolset works."""
+ with temp_dir(toolset_root) as tmp:
+ path = os.path.join(tmp, 'hello.go')
+ write_file([path], r"""
+ package main
+ func main() { println("hello, world\n") }
+ """)
+ out = subprocess.check_output(
+ [get_go_exe(toolset_root), 'run', path],
+ env=get_go_environ(toolset_root, tmp),
+ stderr=subprocess.STDOUT)
+ if out.strip() != 'hello, world':
+ LOGGER.error('Failed to run sample program:\n%s', out)
+ return False
+ return True
+
+
+def ensure_toolset_installed(toolset_root):
+ """Installs or updates Go toolset if necessary.
+
+ Returns True if new toolset was installed.
+ """
+ installed = read_file([toolset_root, 'INSTALLED_TOOLSET'])
+ available = get_toolset_url()
+ if installed == available:
+ LOGGER.debug('Go toolset is up-to-date: %s', TOOLSET_VERSION)
+ return False
+
+ LOGGER.info('Installing Go toolset.')
+ LOGGER.info(' Old toolset is %s', installed)
+ LOGGER.info(' New toolset is %s', available)
+ remove_directory([toolset_root])
+ install_toolset(toolset_root, available)
+ LOGGER.info('Go toolset installed: %s', TOOLSET_VERSION)
+ write_file([toolset_root, 'INSTALLED_TOOLSET'], available)
+ return True
+
+
+def get_go_environ(
+ toolset_root,
+ workspace=None):
+ """Returns a copy of os.environ with added GO* environment variables.
+
+ Overrides GOROOT, GOPATH and GOBIN. Keeps everything else. Idempotent.
+
+ Args:
+ toolset_root: GOROOT would be <toolset_root>/go.
+ workspace: main workspace directory or None if compiling in GOROOT.
+ """
+ env = os.environ.copy()
+ env['GOROOT'] = os.path.join(toolset_root, 'go')
+ if workspace:
+ env['GOBIN'] = os.path.join(workspace, 'bin')
+ else:
+ env.pop('GOBIN', None)
+
+ all_go_paths = []
+ if workspace:
+ all_go_paths.append(workspace)
+ env['GOPATH'] = os.pathsep.join(all_go_paths)
+
+ # New PATH entries.
+ paths_to_add = [
+ os.path.join(env['GOROOT'], 'bin'),
+ env.get('GOBIN'),
+ ]
+
+ # Make sure not to add duplicates entries to PATH over and over again when
+ # get_go_environ is invoked multiple times.
+ path = env['PATH'].split(os.pathsep)
+ paths_to_add = [p for p in paths_to_add if p and p not in path]
+ env['PATH'] = os.pathsep.join(paths_to_add + path)
+
+ return env
+
+
+def get_go_exe(toolset_root):
+ """Returns path to go executable."""
+ return os.path.join(toolset_root, 'go', 'bin', 'go' + EXE_SFX)
+
+
+def bootstrap(logging_level):
+ """Installs all dependencies in default locations.
+
+ Supposed to be called at the beginning of some script (it modifies logger).
+
+ Args:
+ logging_level: logging level of bootstrap process.
+ """
+ logging.basicConfig()
+ LOGGER.setLevel(logging_level)
+ ensure_toolset_installed(TOOLSET_ROOT)
+
+
+def prepare_go_environ():
+ """Returns dict with environment variables to set to use Go toolset.
+
+ Installs or updates the toolset if necessary.
+ """
+ bootstrap(logging.INFO)
+ return get_go_environ(TOOLSET_ROOT, WORKSPACE)
+
+
+def find_executable(name, workspaces):
+ """Returns full path to an executable in some bin/ (in GOROOT or GOBIN)."""
+ basename = name
+ if EXE_SFX and basename.endswith(EXE_SFX):
+ basename = basename[:-len(EXE_SFX)]
+ roots = [os.path.join(TOOLSET_ROOT, 'go', 'bin')]
+ for path in workspaces:
+ roots.extend([
+ os.path.join(path, 'bin'),
+ ])
+ for root in roots:
+ full_path = os.path.join(root, basename + EXE_SFX)
+ if os.path.exists(full_path):
+ return full_path
+ return name
+
+
+def main(args):
+ if args:
+ print >> sys.stderr, sys.modules[__name__].__doc__,
+ return 2
+ bootstrap(logging.DEBUG)
+ return 0
+
+
+if __name__ == '__main__':
+ sys.exit(main(sys.argv[1:]))
diff --git a/src/util/bot/go/env.py b/src/util/bot/go/env.py
new file mode 100755
index 0000000..820968c
--- /dev/null
+++ b/src/util/bot/go/env.py
@@ -0,0 +1,49 @@
+#!/usr/bin/env python
+# Copyright 2014 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Modified from go/env.py in Chromium infrastructure's repository to patch out
+# everything but the core toolchain.
+#
+# https://chromium.googlesource.com/infra/infra/
+
+"""Can be used to point environment variable to hermetic Go toolset.
+
+Usage (on linux and mac):
+$ eval `./env.py`
+$ go version
+
+Or it can be used to wrap a command:
+
+$ ./env.py go version
+"""
+
+assert __name__ == '__main__'
+
+import imp
+import os
+import subprocess
+import sys
+
+# Do not want to mess with sys.path, load the module directly.
+bootstrap = imp.load_source(
+ 'bootstrap', os.path.join(os.path.dirname(__file__), 'bootstrap.py'))
+
+old = os.environ.copy()
+new = bootstrap.prepare_go_environ()
+
+if len(sys.argv) == 1:
+ for key, value in sorted(new.iteritems()):
+ if old.get(key) != value:
+ print 'export %s="%s"' % (key, value)
+else:
+ exe = sys.argv[1]
+ if exe == 'python':
+ exe = sys.executable
+ else:
+ # Help Windows to find the executable in new PATH, do it only when
+ # executable is referenced by name (and not by path).
+ if os.sep not in exe:
+ exe = bootstrap.find_executable(exe, [bootstrap.WORKSPACE])
+ sys.exit(subprocess.call([exe] + sys.argv[2:], env=new))
diff --git a/src/util/bot/perl-win32.zip.sha1 b/src/util/bot/perl-win32.zip.sha1
new file mode 100644
index 0000000..a5559d8
--- /dev/null
+++ b/src/util/bot/perl-win32.zip.sha1
@@ -0,0 +1 @@
+ab6e7aee6a915c4d820b86f5227094763b649fce
\ No newline at end of file
diff --git a/src/util/bot/toolchain_vs2013.hash b/src/util/bot/toolchain_vs2013.hash
new file mode 100644
index 0000000..4ed8816
--- /dev/null
+++ b/src/util/bot/toolchain_vs2013.hash
@@ -0,0 +1 @@
+ee7d718ec60c2dc5d255bbe325909c2021a7efef
diff --git a/src/util/bot/update_clang.py b/src/util/bot/update_clang.py
new file mode 100644
index 0000000..0836d11
--- /dev/null
+++ b/src/util/bot/update_clang.py
@@ -0,0 +1,71 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+import os.path
+import shutil
+import sys
+import tarfile
+import tempfile
+import urllib
+
+# CLANG_REVISION and CLANG_SUB_REVISION determine the build of clang
+# to use. These should be synced with tools/clang/scripts/update.sh in
+# Chromium.
+CLANG_REVISION = "233105"
+CLANG_SUB_REVISION = "1"
+
+PACKAGE_VERSION = "%s-%s" % (CLANG_REVISION, CLANG_SUB_REVISION)
+LLVM_BUILD_DIR = os.path.join(os.path.dirname(__file__), "llvm-build")
+STAMP_FILE = os.path.join(LLVM_BUILD_DIR, "cr_build_revision")
+
+CDS_URL = "https://commondatastorage.googleapis.com/chromium-browser-clang"
+
+def DownloadFile(url, path):
+ """DownloadFile fetches |url| to |path|."""
+ last_progress = [0]
+ def report(a, b, c):
+ progress = int(a * b * 100.0 / c)
+ if progress != last_progress[0]:
+ print >> sys.stderr, "Downloading... %d%%" % progress
+ last_progress[0] = progress
+ urllib.urlretrieve(url, path, reporthook=report)
+
+def main(args):
+ # For now, only download clang on Linux.
+ if not sys.platform.startswith("linux"):
+ return 0
+
+ if os.path.exists(STAMP_FILE):
+ with open(STAMP_FILE) as f:
+ if f.read().strip() == PACKAGE_VERSION:
+ print >> sys.stderr, "Clang already at %s" % (PACKAGE_VERSION,)
+ return 0
+
+ if os.path.exists(LLVM_BUILD_DIR):
+ shutil.rmtree(LLVM_BUILD_DIR)
+
+ print >> sys.stderr, "Downloading Clang %s" % (PACKAGE_VERSION,)
+ cds_full_url = "%s/Linux_x64/clang-%s.tgz" % (CDS_URL, PACKAGE_VERSION)
+ with tempfile.NamedTemporaryFile() as temp:
+ DownloadFile(cds_full_url, temp.name)
+ with tarfile.open(temp.name, "r:gz") as tar_file:
+ tar_file.extractall(LLVM_BUILD_DIR)
+
+ with open(STAMP_FILE, "wb") as stamp_file:
+ stamp_file.write(PACKAGE_VERSION)
+
+ return 0
+
+if __name__ == "__main__":
+ sys.exit(main(sys.argv[1:]))
diff --git a/src/util/bot/vs_env.py b/src/util/bot/vs_env.py
new file mode 100644
index 0000000..1847500
--- /dev/null
+++ b/src/util/bot/vs_env.py
@@ -0,0 +1,37 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+import subprocess
+import sys
+
+import vs_toolchain
+# vs_toolchain adds gyp to sys.path.
+import gyp.MSVSVersion
+
+if len(sys.argv) < 2:
+ print >>sys.stderr, "Usage: vs_env.py TARGET_ARCH CMD..."
+ sys.exit(1)
+
+target_arch = sys.argv[1]
+cmd = sys.argv[2:]
+
+vs_toolchain.SetEnvironmentAndGetRuntimeDllDirs()
+vs_version = gyp.MSVSVersion.SelectVisualStudioVersion()
+
+# Using shell=True is somewhat ugly, but the alternative is to pull in a copy
+# of the Chromium GN build's setup_toolchain.py which runs the setup script,
+# then 'set', and then parses the environment variables out. (GYP internally
+# does the same thing.)
+sys.exit(subprocess.call(vs_version.SetupScript(target_arch) + ["&&"] + cmd,
+ shell=True))
diff --git a/src/util/bot/vs_toolchain.py b/src/util/bot/vs_toolchain.py
new file mode 100644
index 0000000..fd76f39
--- /dev/null
+++ b/src/util/bot/vs_toolchain.py
@@ -0,0 +1,114 @@
+# Copyright 2014 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+import json
+import os
+import pipes
+import shutil
+import subprocess
+import sys
+
+
+script_dir = os.path.dirname(os.path.realpath(__file__))
+sys.path.insert(0, os.path.join(script_dir, 'gyp', 'pylib'))
+json_data_file = os.path.join(script_dir, 'win_toolchain.json')
+
+
+import gyp
+
+
+def SetEnvironmentAndGetRuntimeDllDirs():
+ """Sets up os.environ to use the depot_tools VS toolchain with gyp, and
+ returns the location of the VS runtime DLLs so they can be copied into
+ the output directory after gyp generation.
+ """
+ vs2013_runtime_dll_dirs = None
+ depot_tools_win_toolchain = \
+ bool(int(os.environ.get('DEPOT_TOOLS_WIN_TOOLCHAIN', '1')))
+ if sys.platform in ('win32', 'cygwin') and depot_tools_win_toolchain:
+ if not os.path.exists(json_data_file):
+ Update()
+ with open(json_data_file, 'r') as tempf:
+ toolchain_data = json.load(tempf)
+
+ toolchain = toolchain_data['path']
+ version = toolchain_data['version']
+ version_is_pro = version[-1] != 'e'
+ win8sdk = toolchain_data['win8sdk']
+ wdk = toolchain_data['wdk']
+ # TODO(scottmg): The order unfortunately matters in these. They should be
+ # split into separate keys for x86 and x64. (See CopyVsRuntimeDlls call
+ # below). http://crbug.com/345992
+ vs2013_runtime_dll_dirs = toolchain_data['runtime_dirs']
+
+ os.environ['GYP_MSVS_OVERRIDE_PATH'] = toolchain
+ os.environ['GYP_MSVS_VERSION'] = version
+ # We need to make sure windows_sdk_path is set to the automated
+ # toolchain values in GYP_DEFINES, but don't want to override any
+ # otheroptions.express
+ # values there.
+ gyp_defines_dict = gyp.NameValueListToDict(gyp.ShlexEnv('GYP_DEFINES'))
+ gyp_defines_dict['windows_sdk_path'] = win8sdk
+ os.environ['GYP_DEFINES'] = ' '.join('%s=%s' % (k, pipes.quote(str(v)))
+ for k, v in gyp_defines_dict.iteritems())
+ os.environ['WINDOWSSDKDIR'] = win8sdk
+ os.environ['WDK_DIR'] = wdk
+ # Include the VS runtime in the PATH in case it's not machine-installed.
+ runtime_path = ';'.join(vs2013_runtime_dll_dirs)
+ os.environ['PATH'] = runtime_path + ';' + os.environ['PATH']
+ return vs2013_runtime_dll_dirs
+
+
+def _GetDesiredVsToolchainHashes():
+ """Load a list of SHA1s corresponding to the toolchains that we want installed
+ to build with."""
+ sha1path = os.path.join(script_dir, 'toolchain_vs2013.hash')
+ with open(sha1path, 'rb') as f:
+ return f.read().strip().splitlines()
+
+
+def FindDepotTools():
+ """Returns the path to depot_tools in $PATH."""
+ for path in os.environ['PATH'].split(os.pathsep):
+ if os.path.isfile(os.path.join(path, 'gclient.py')):
+ return path
+ raise Exception("depot_tools not found!")
+
+
+def Update():
+ """Requests an update of the toolchain to the specific hashes we have at
+ this revision. The update outputs a .json of the various configuration
+ information required to pass to gyp which we use in |GetToolchainDir()|.
+ """
+ depot_tools_win_toolchain = \
+ bool(int(os.environ.get('DEPOT_TOOLS_WIN_TOOLCHAIN', '1')))
+ if sys.platform in ('win32', 'cygwin') and depot_tools_win_toolchain:
+ depot_tools_path = FindDepotTools()
+ json_data_file = os.path.join(script_dir, 'win_toolchain.json')
+ get_toolchain_args = [
+ sys.executable,
+ os.path.join(depot_tools_path,
+ 'win_toolchain',
+ 'get_toolchain_if_necessary.py'),
+ '--output-json', json_data_file,
+ ] + _GetDesiredVsToolchainHashes()
+ subprocess.check_call(get_toolchain_args)
+
+ return 0
+
+
+def main():
+ if not sys.platform.startswith(('win32', 'cygwin')):
+ return 0
+ commands = {
+ 'update': Update,
+ }
+ if len(sys.argv) < 2 or sys.argv[1] not in commands:
+ print >>sys.stderr, 'Expected one of: %s' % ', '.join(commands)
+ return 1
+ return commands[sys.argv[1]](*sys.argv[2:])
+
+
+if __name__ == '__main__':
+ sys.exit(main())
diff --git a/src/util/bot/yasm-win32.exe.sha1 b/src/util/bot/yasm-win32.exe.sha1
new file mode 100644
index 0000000..5b8c9aa
--- /dev/null
+++ b/src/util/bot/yasm-win32.exe.sha1
@@ -0,0 +1 @@
+4c4d1951181a610923523cb10d83d9ae9952fbf3
\ No newline at end of file
diff --git a/src/util/clang-toolchain.cmake b/src/util/clang-toolchain.cmake
deleted file mode 100644
index 8d81379..0000000
--- a/src/util/clang-toolchain.cmake
+++ /dev/null
@@ -1,2 +0,0 @@
-set(CMAKE_CXX_COMPILER "/agl/chromium/src/third_party/llvm-build/Release+Asserts/bin/clang++")
-set(CMAKE_C_COMPILER "/agl/chromium/src/third_party/llvm-build/Release+Asserts/bin/clang")
diff --git a/src/util/doc.config b/src/util/doc.config
index 62db0f3..a427e04 100644
--- a/src/util/doc.config
+++ b/src/util/doc.config
@@ -9,10 +9,12 @@
"include/openssl/bytestring.h",
"include/openssl/err.h",
"include/openssl/cpu.h",
+ "include/openssl/crypto.h",
"include/openssl/ex_data.h",
"include/openssl/lhash.h",
"include/openssl/mem.h",
"include/openssl/obj.h",
+ "include/openssl/rand.h",
"include/openssl/stack.h",
"include/openssl/thread.h",
"include/openssl/time_support.h"
@@ -22,6 +24,7 @@
"Headers": [
"include/openssl/aes.h",
"include/openssl/bn.h",
+ "include/openssl/cmac.h",
"include/openssl/des.h",
"include/openssl/dh.h",
"include/openssl/dsa.h",
@@ -45,5 +48,10 @@
"include/openssl/aead.h",
"include/openssl/evp.h"
]
+ },{
+ "Name": "SSL implementation",
+ "Headers": [
+ "include/openssl/ssl.h"
+ ]
}]
}
diff --git a/src/util/doc.go b/src/util/doc.go
index 7c96af8..20feae5 100644
--- a/src/util/doc.go
+++ b/src/util/doc.go
@@ -111,7 +111,9 @@
err = fmt.Errorf("comment doesn't start with block prefix on line %d: %s", restLineNo, line)
return
}
- line = line[2:]
+ if len(line) == 2 || line[2] != '/' {
+ line = line[2:]
+ }
if strings.HasPrefix(line, " ") {
/* Identing the lines of a paragraph marks them as
* preformatted. */
@@ -193,12 +195,23 @@
func skipPast(s, skip string) string {
i := strings.Index(s, skip)
if i > 0 {
- return s[len(skip):]
+ return s[i:]
}
return s
}
+func skipLine(s string) string {
+ i := strings.Index(s, "\n")
+ if i > 0 {
+ return s[i:]
+ }
+ return ""
+}
+
func getNameFromDecl(decl string) (string, bool) {
+ for strings.HasPrefix(decl, "#if") {
+ decl = skipLine(decl)
+ }
if strings.HasPrefix(decl, "struct ") {
return "", false
}
@@ -582,8 +595,8 @@
func main() {
var (
- configFlag *string = flag.String("config", "", "Location of config file")
- outputDir *string = flag.String("out", "", "Path to the directory where the output will be written")
+ configFlag *string = flag.String("config", "doc.config", "Location of config file")
+ outputDir *string = flag.String("out", ".", "Path to the directory where the output will be written")
config Config
)
diff --git a/src/util/generate_build_files.py b/src/util/generate_build_files.py
new file mode 100644
index 0000000..94de546
--- /dev/null
+++ b/src/util/generate_build_files.py
@@ -0,0 +1,341 @@
+# Copyright (c) 2015, Google Inc.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+# SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+# OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+# CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+"""Enumerates the BoringSSL source in src/ and either generates two gypi files
+ (boringssl.gypi and boringssl_tests.gypi) for Chromium, or generates
+ source-list files for Android."""
+
+import os
+import subprocess
+import sys
+
+
+# OS_ARCH_COMBOS maps from OS and platform to the OpenSSL assembly "style" for
+# that platform and the extension used by asm files.
+OS_ARCH_COMBOS = [
+ ('linux', 'arm', 'linux32', [], 'S'),
+ ('linux', 'aarch64', 'linux64', [], 'S'),
+ ('linux', 'x86', 'elf', ['-fPIC', '-DOPENSSL_IA32_SSE2'], 'S'),
+ ('linux', 'x86_64', 'elf', [], 'S'),
+ ('mac', 'x86', 'macosx', ['-fPIC', '-DOPENSSL_IA32_SSE2'], 'S'),
+ ('mac', 'x86_64', 'macosx', [], 'S'),
+ ('win', 'x86', 'win32n', ['-DOPENSSL_IA32_SSE2'], 'asm'),
+ ('win', 'x86_64', 'nasm', [], 'asm'),
+]
+
+# NON_PERL_FILES enumerates assembly files that are not processed by the
+# perlasm system.
+NON_PERL_FILES = {
+ ('linux', 'arm'): [
+ 'src/crypto/poly1305/poly1305_arm_asm.S',
+ 'src/crypto/chacha/chacha_vec_arm.S',
+ 'src/crypto/cpu-arm-asm.S',
+ ],
+}
+
+
+class Chromium(object):
+
+ def __init__(self):
+ self.header = \
+"""# Copyright (c) 2014 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This file is created by generate_build_files.py. Do not edit manually.
+
+"""
+
+ def PrintVariableSection(self, out, name, files):
+ out.write(' \'%s\': [\n' % name)
+ for f in sorted(files):
+ out.write(' \'%s\',\n' % f)
+ out.write(' ],\n')
+
+ def WriteFiles(self, files, asm_outputs):
+ with open('boringssl.gypi', 'w+') as gypi:
+ gypi.write(self.header + '{\n \'variables\': {\n')
+
+ self.PrintVariableSection(
+ gypi, 'boringssl_lib_sources', files['crypto'] + files['ssl'])
+
+ for ((osname, arch), asm_files) in asm_outputs:
+ self.PrintVariableSection(gypi, 'boringssl_%s_%s_sources' %
+ (osname, arch), asm_files)
+
+ gypi.write(' }\n}\n')
+
+ with open('boringssl_tests.gypi', 'w+') as test_gypi:
+ test_gypi.write(self.header + '{\n \'targets\': [\n')
+
+ test_names = []
+ for test in sorted(files['test']):
+ test_name = 'boringssl_%s' % os.path.splitext(os.path.basename(test))[0]
+ test_gypi.write(""" {
+ 'target_name': '%s',
+ 'type': 'executable',
+ 'dependencies': [
+ 'boringssl.gyp:boringssl',
+ ],
+ 'sources': [
+ '%s',
+ ],
+ # TODO(davidben): Fix size_t truncations in BoringSSL.
+ # https://crbug.com/429039
+ 'msvs_disabled_warnings': [ 4267, ],
+ },\n""" % (test_name, test))
+ test_names.append(test_name)
+
+ test_names.sort()
+
+ test_gypi.write(""" ],
+ 'variables': {
+ 'boringssl_test_targets': [\n""")
+
+ for test in test_names:
+ test_gypi.write(""" '%s',\n""" % test)
+
+ test_gypi.write(' ],\n }\n}\n')
+
+
+class Android(object):
+
+ def __init__(self):
+ self.header = \
+"""# Copyright (C) 2015 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""
+
+ def PrintVariableSection(self, out, name, files):
+ out.write('%s := \\\n' % name)
+ for f in sorted(files):
+ out.write(' %s\\\n' % f)
+ out.write('\n')
+
+ def WriteFiles(self, files, asm_outputs):
+ with open('sources.mk', 'w+') as makefile:
+ makefile.write(self.header)
+
+ files['crypto'].append('android_compat_hacks.c')
+ files['crypto'].append('android_compat_keywrap.c')
+ self.PrintVariableSection(makefile, 'crypto_sources', files['crypto'])
+ self.PrintVariableSection(makefile, 'ssl_sources', files['ssl'])
+ self.PrintVariableSection(makefile, 'tool_sources', files['tool'])
+
+ for ((osname, arch), asm_files) in asm_outputs:
+ self.PrintVariableSection(
+ makefile, '%s_%s_sources' % (osname, arch), asm_files)
+
+
+def FindCMakeFiles(directory):
+ """Returns list of all CMakeLists.txt files recursively in directory."""
+ cmakefiles = []
+
+ for (path, _, filenames) in os.walk(directory):
+ for filename in filenames:
+ if filename == 'CMakeLists.txt':
+ cmakefiles.append(os.path.join(path, filename))
+
+ return cmakefiles
+
+
+def NoTests(dent, is_dir):
+ """Filter function that can be passed to FindCFiles in order to remove test
+ sources."""
+ if is_dir:
+ return dent != 'test'
+ return 'test.' not in dent and not dent.startswith('example_')
+
+
+def OnlyTests(dent, is_dir):
+ """Filter function that can be passed to FindCFiles in order to remove
+ non-test sources."""
+ if is_dir:
+ return True
+ return '_test.' in dent or dent.startswith('example_')
+
+
+def FindCFiles(directory, filter_func):
+ """Recurses through directory and returns a list of paths to all the C source
+ files that pass filter_func."""
+ cfiles = []
+
+ for (path, dirnames, filenames) in os.walk(directory):
+ for filename in filenames:
+ if not filename.endswith('.c') and not filename.endswith('.cc'):
+ continue
+ if not filter_func(filename, False):
+ continue
+ cfiles.append(os.path.join(path, filename))
+
+ for (i, dirname) in enumerate(dirnames):
+ if not filter_func(dirname, True):
+ del dirnames[i]
+
+ return cfiles
+
+
+def ExtractPerlAsmFromCMakeFile(cmakefile):
+ """Parses the contents of the CMakeLists.txt file passed as an argument and
+ returns a list of all the perlasm() directives found in the file."""
+ perlasms = []
+ with open(cmakefile) as f:
+ for line in f:
+ line = line.strip()
+ if not line.startswith('perlasm('):
+ continue
+ if not line.endswith(')'):
+ raise ValueError('Bad perlasm line in %s' % cmakefile)
+ # Remove "perlasm(" from start and ")" from end
+ params = line[8:-1].split()
+ if len(params) < 2:
+ raise ValueError('Bad perlasm line in %s' % cmakefile)
+ perlasms.append({
+ 'extra_args': params[2:],
+ 'input': os.path.join(os.path.dirname(cmakefile), params[1]),
+ 'output': os.path.join(os.path.dirname(cmakefile), params[0]),
+ })
+
+ return perlasms
+
+
+def ReadPerlAsmOperations():
+ """Returns a list of all perlasm() directives found in CMake config files in
+ src/."""
+ perlasms = []
+ cmakefiles = FindCMakeFiles('src')
+
+ for cmakefile in cmakefiles:
+ perlasms.extend(ExtractPerlAsmFromCMakeFile(cmakefile))
+
+ return perlasms
+
+
+def PerlAsm(output_filename, input_filename, perlasm_style, extra_args):
+ """Runs the a perlasm script and puts the output into output_filename."""
+ base_dir = os.path.dirname(output_filename)
+ if not os.path.isdir(base_dir):
+ os.makedirs(base_dir)
+ output = subprocess.check_output(
+ ['perl', input_filename, perlasm_style] + extra_args)
+ with open(output_filename, 'w+') as out_file:
+ out_file.write(output)
+
+
+def ArchForAsmFilename(filename):
+ """Returns the architectures that a given asm file should be compiled for
+ based on substrings in the filename."""
+
+ if 'x86_64' in filename or 'avx2' in filename:
+ return ['x86_64']
+ elif ('x86' in filename and 'x86_64' not in filename) or '586' in filename:
+ return ['x86']
+ elif 'armx' in filename:
+ return ['arm', 'aarch64']
+ elif 'armv8' in filename:
+ return ['aarch64']
+ elif 'arm' in filename:
+ return ['arm']
+ else:
+ raise ValueError('Unknown arch for asm filename: ' + filename)
+
+
+def WriteAsmFiles(perlasms):
+ """Generates asm files from perlasm directives for each supported OS x
+ platform combination."""
+ asmfiles = {}
+
+ for osarch in OS_ARCH_COMBOS:
+ (osname, arch, perlasm_style, extra_args, asm_ext) = osarch
+ key = (osname, arch)
+ outDir = '%s-%s' % key
+
+ for perlasm in perlasms:
+ filename = os.path.basename(perlasm['input'])
+ output = perlasm['output']
+ if not output.startswith('src'):
+ raise ValueError('output missing src: %s' % output)
+ output = os.path.join(outDir, output[4:])
+ output = output.replace('${ASM_EXT}', asm_ext)
+
+ if arch in ArchForAsmFilename(filename):
+ PerlAsm(output, perlasm['input'], perlasm_style,
+ perlasm['extra_args'] + extra_args)
+ asmfiles.setdefault(key, []).append(output)
+
+ for (key, non_perl_asm_files) in NON_PERL_FILES.iteritems():
+ asmfiles.setdefault(key, []).extend(non_perl_asm_files)
+
+ return asmfiles
+
+
+def main(platform):
+ crypto_c_files = FindCFiles(os.path.join('src', 'crypto'), NoTests)
+ ssl_c_files = FindCFiles(os.path.join('src', 'ssl'), NoTests)
+ tool_cc_files = FindCFiles(os.path.join('src', 'tool'), NoTests)
+
+ # Generate err_data.c
+ with open('err_data.c', 'w+') as err_data:
+ subprocess.check_call(['go', 'run', 'err_data_generate.go'],
+ cwd=os.path.join('src', 'crypto', 'err'),
+ stdout=err_data)
+ crypto_c_files.append('err_data.c')
+
+ test_c_files = FindCFiles(os.path.join('src', 'crypto'), OnlyTests)
+ test_c_files += FindCFiles(os.path.join('src', 'ssl'), OnlyTests)
+
+ files = {
+ 'crypto': crypto_c_files,
+ 'ssl': ssl_c_files,
+ 'tool': tool_cc_files,
+ 'test': test_c_files,
+ }
+
+ asm_outputs = sorted(WriteAsmFiles(ReadPerlAsmOperations()).iteritems())
+
+ platform.WriteFiles(files, asm_outputs)
+
+ return 0
+
+
+def Usage():
+ print 'Usage: python %s [chromium|android]' % sys.argv[0]
+ sys.exit(1)
+
+
+if __name__ == '__main__':
+ if len(sys.argv) != 2:
+ Usage()
+
+ platform = None
+ if sys.argv[1] == 'chromium':
+ platform = Chromium()
+ elif sys.argv[1] == 'android':
+ platform = Android()
+ else:
+ Usage()
+
+ sys.exit(main(platform))
diff --git a/src/util/make_errors.go b/src/util/make_errors.go
index 5fd75e2..dc8039a 100644
--- a/src/util/make_errors.go
+++ b/src/util/make_errors.go
@@ -36,17 +36,20 @@
var resetFlag *bool = flag.Bool("reset", false, "If true, ignore current assignments and reassign from scratch")
func makeErrors(reset bool) error {
+ topLevelPath, err := findToplevel()
+ if err != nil {
+ return err
+ }
+
dirName, err := os.Getwd()
if err != nil {
return err
}
lib := filepath.Base(dirName)
- headerPath, err := findHeader(lib + ".h")
- if err != nil {
- return err
- }
- sourcePath := lib + "_error.c"
+ headerPath := filepath.Join(topLevelPath, "include", "openssl", lib+".h")
+ errDir := filepath.Join(topLevelPath, "crypto", "err")
+ dataPath := filepath.Join(errDir, lib+".errordata")
headerFile, err := os.Open(headerPath)
if err != nil {
@@ -90,7 +93,7 @@
}
for _, name := range filenames {
- if !strings.HasSuffix(name, ".c") || name == sourcePath {
+ if !strings.HasSuffix(name, ".c") {
continue
}
@@ -119,55 +122,32 @@
}
os.Rename(headerPath+".tmp", headerPath)
- sourceFile, err := os.OpenFile(sourcePath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
+ dataFile, err := os.OpenFile(dataPath, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0644)
if err != nil {
return err
}
- defer sourceFile.Close()
- fmt.Fprintf(sourceFile, `/* Copyright (c) 2014, Google Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-
-#include <openssl/err.h>
-
-#include <openssl/%s.h>
-
-const ERR_STRING_DATA %s_error_string_data[] = {
-`, lib, prefix)
- outputStrings(sourceFile, lib, typeFunctions, functions)
- outputStrings(sourceFile, lib, typeReasons, reasons)
-
- sourceFile.WriteString(" {0, NULL},\n};\n")
+ outputStrings(dataFile, lib, typeFunctions, functions)
+ outputStrings(dataFile, lib, typeReasons, reasons)
+ dataFile.Close()
return nil
}
-func findHeader(basename string) (path string, err error) {
- includeDir := filepath.Join("..", "include")
+func findToplevel() (path string, err error) {
+ path = ".."
+ buildingPath := filepath.Join(path, "BUILDING")
- fi, err := os.Stat(includeDir)
+ _, err = os.Stat(buildingPath)
if err != nil && os.IsNotExist(err) {
- includeDir = filepath.Join("..", includeDir)
- fi, err = os.Stat(includeDir)
+ path = filepath.Join("..", path)
+ buildingPath = filepath.Join(path, "BUILDING")
+ _, err = os.Stat(buildingPath)
}
if err != nil {
- return "", errors.New("cannot find path to include directory")
+ return "", errors.New("Cannot find BUILDING file at the top-level")
}
- if !fi.IsDir() {
- return "", errors.New("include node is not a directory")
- }
- return filepath.Join(includeDir, "openssl", basename), nil
+ return path, nil
}
type assignment struct {
@@ -295,18 +275,17 @@
sort.Strings(keys)
for _, key := range keys {
- var pack string
- if ty == typeFunctions {
- pack = key + ", 0"
- } else {
- pack = "0, " + key
+ typeString := "function"
+ if ty == typeReasons {
+ typeString = "reason"
}
-
- fmt.Fprintf(w, " {ERR_PACK(ERR_LIB_%s, %s), \"%s\"},\n", lib, pack, key[prefixLen:])
+ fmt.Fprintf(w, "%s,%s,%d,%s\n", lib, typeString, assignments[key], key[prefixLen:])
}
}
func assignNewValues(assignments map[string]int, reserved int) {
+ // Needs to be in sync with the reason limit in
+ // |ERR_reason_error_string|.
max := 99
for _, value := range assignments {
@@ -320,17 +299,24 @@
max++
+ // Sort the keys, so this script is reproducible.
+ keys := make([]string, 0, len(assignments))
for key, value := range assignments {
if value == -1 {
- if reserved >= 0 && max >= reserved {
- // If this happens, try passing
- // -reset. Otherwise bump up reservedReasonCode.
- panic("Automatically-assigned values exceeded limit!")
- }
- assignments[key] = max
- max++
+ keys = append(keys, key)
}
}
+ sort.Strings(keys)
+
+ for _, key := range keys {
+ if reserved >= 0 && max >= reserved {
+ // If this happens, try passing -reset. Otherwise bump
+ // up reservedReasonCode.
+ panic("Automatically-assigned values exceeded limit!")
+ }
+ assignments[key] = max
+ max++
+ }
}
func handleDeclareMacro(line, join, macroName string, m map[string]int) {
@@ -360,8 +346,7 @@
}
defer file.Close()
- prefix += "_"
- reasonPrefix := prefix + "R_"
+ reasonPrefix := prefix + "_R_"
var currentFunction string
scanner := bufio.NewScanner(file)
@@ -388,8 +373,9 @@
}
}
- if strings.Contains(line, "OPENSSL_PUT_ERROR(") {
- functionToken := prefix + "F_" + currentFunction
+ // Do not include cross-module error lines.
+ if strings.Contains(line, "OPENSSL_PUT_ERROR(" + prefix + ",") {
+ functionToken := prefix + "_F_" + currentFunction
if _, ok := functions[functionToken]; !ok {
functions[functionToken] = -1
}
@@ -399,7 +385,7 @@
handleDeclareMacro(line, "_F_", "OPENSSL_DECLARE_ERROR_FUNCTION(", functions)
for len(line) > 0 {
- i := strings.Index(line, prefix)
+ i := strings.Index(line, prefix + "_")
if i == -1 {
break
}