GitHub/boringssl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: GitHub/boringssl:2987
Branches Tags
GitHub/boringssl:master GitHub/boringssl:spm GitHub/boringssl:master-with-bazel GitHub/boringssl:infra/config GitHub/boringssl:chromium-stable-with-bazel GitHub/boringssl:main-with-bazel GitHub/boringssl:chromium-stable GitHub/boringssl:3945 GitHub/boringssl:fips-android-20191008 GitHub/boringssl:esni GitHub/boringssl:3538 GitHub/boringssl:fips-20180730 GitHub/boringssl:3359 GitHub/boringssl:3282 GitHub/boringssl:3239 GitHub/boringssl:3202 GitHub/boringssl:3112 GitHub/boringssl:3071 GitHub/boringssl:3029 GitHub/boringssl:2987 GitHub/boringssl:2924 GitHub/boringssl:2883 GitHub/boringssl:2785 GitHub/boringssl:2661 GitHub/boringssl:2704 GitHub/boringssl:2623 GitHub/boringssl:2564 GitHub/boringssl:2490 GitHub/boringssl:2357 GitHub/boringssl:2311 GitHub/boringssl:2272 GitHub/boringssl:2214
..
pull from: GitHub/boringssl:2883
Branches Tags
GitHub/boringssl:spm GitHub/boringssl:master-with-bazel GitHub/boringssl:master GitHub/boringssl:infra/config GitHub/boringssl:chromium-stable-with-bazel GitHub/boringssl:main-with-bazel GitHub/boringssl:chromium-stable GitHub/boringssl:3945 GitHub/boringssl:fips-android-20191008 GitHub/boringssl:esni GitHub/boringssl:3538 GitHub/boringssl:fips-20180730 GitHub/boringssl:3359 GitHub/boringssl:3282 GitHub/boringssl:3239 GitHub/boringssl:3202 GitHub/boringssl:3112 GitHub/boringssl:3071 GitHub/boringssl:3029 GitHub/boringssl:2987 GitHub/boringssl:2924 GitHub/boringssl:2883 GitHub/boringssl:2785 GitHub/boringssl:2661 GitHub/boringssl:2704 GitHub/boringssl:2623 GitHub/boringssl:2564 GitHub/boringssl:2490 GitHub/boringssl:2357 GitHub/boringssl:2311 GitHub/boringssl:2272 GitHub/boringssl:2214

1 Commits
2987 .. 2883

Author SHA1 Message Date
Adam Langley 78684e5b22 Disable RSA-PSS by default. 
This change reverts 57e929f3c8, although
it was done by hand due to conflicts.

BUG=chromium:667806

Change-Id: I17ddf2e5aa7d5129fe09cdeaf63c675091b445b0
Reviewed-on: https://boringssl-review.googlesource.com/12420
Reviewed-by: Adam Langley <agl@google.com>
 2016-11-22 22:03:32 +00:00
1877 changed files with 27020 additions and 33578 deletions
Expand all files Collapse all files
.gitignore
-15
View File
@@ -4,18 +4,3 @@ ssl/test/runner/runner
*.swo
doc/*.html
doc/doc.css
util/bot/android_tools
util/bot/cmake-linux64
util/bot/cmake-linux64.tar.gz
util/bot/cmake-mac
util/bot/cmake-mac.tar.gz
util/bot/cmake-win32
util/bot/cmake-win32.zip
util/bot/golang
util/bot/gyp
util/bot/llvm-build
util/bot/perl-win32
util/bot/perl-win32.zip
util/bot/win_toolchain.json
util/bot/yasm-win32.exe
API-CONVENTIONS.md
+2 -2
View File
@@ -14,10 +14,10 @@ All supported public APIs are documented in the public header files, found in
Some headers lack documention comments. These are functions and structures from
OpenSSL's legacy ASN.1, X.509, and PEM implementation. If possible, avoid using
them. These are left largely unmodified from upstream and are retained only for
compatibility with existing OpenSSL consumers.
compatibilty with existing OpenSSL consumers.
## Forward declarations
# Forward declarations
Do not write `typedef struct foo_st FOO` or try otherwise to define BoringSSL's
types. Including `openssl/base.h` (or `openssl/ossl_typ.h` for consumers who
BUILDING.md
+2 -2
View File
@@ -2,7 +2,7 @@
## Build Prerequisites
* [CMake](https://cmake.org/download/) 2.8.10 or later is required.
* [CMake](https://cmake.org/download/) 2.8.8 or later is required.
* Perl 5.6.1 or later is required. On Windows,
[Active State Perl](http://www.activestate.com/activeperl/) has been
@@ -33,7 +33,7 @@
executable may be configured explicitly by setting `GO_EXECUTABLE`.
* To build the x86 and x86\_64 assembly, your assembler must support AVX2
instructions and MOVBE. If using GNU binutils, you must have 2.22 or later.
instructions. If using GNU binutils, you must have 2.22 or later.
## Building
CMakeLists.txt
+9 -46
View File
@@ -47,9 +47,6 @@ elseif(MSVC)
"C4127" # conditional expression is constant
"C4200" # nonstandard extension used : zero-sized array in
# struct/union.
"C4204" # nonstandard extension used: non-constant aggregate initializer
"C4221" # nonstandard extension used : 'identifier' : cannot be
# initialized using address of automatic variable
"C4242" # 'function' : conversion from 'int' to 'uint8_t',
# possible loss of data
"C4244" # 'function' : conversion from 'int' to 'uint8_t',
@@ -124,17 +121,12 @@ if(NOT WIN32)
endif()
if(FUZZ)
if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
message(FATAL_ERROR "You need to build with Clang for fuzzing to work")
if(!CMAKE_CXX_COMPILER_ID MATCHES "Clang")
message("You need to build with Clang for fuzzing to work")
endif()
add_definitions(-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE)
set(RUNNER_ARGS "-deterministic")
if(NOT NO_FUZZER_MODE)
add_definitions(-DBORINGSSL_UNSAFE_FUZZER_MODE)
set(RUNNER_ARGS ${RUNNER_ARGS} "-fuzzer" "-shim-config" "fuzzer_mode.json")
endif()
add_definitions(-DBORINGSSL_UNSAFE_FUZZER_MODE)
set(RUNNER_ARGS "-fuzzer")
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize-coverage=edge,indirect-calls,8bit-counters")
@@ -168,14 +160,14 @@ elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i386")
set(ARCH "x86")
elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "i686")
set(ARCH "x86")
elseif (${CMAKE_SYSTEM_PROCESSOR} MATCHES "^arm*")
elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "arm")
set(ARCH "arm")
elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "armv6")
set(ARCH "arm")
elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "armv7-a")
set(ARCH "arm")
elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "aarch64")
set(ARCH "aarch64")
elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "mips")
# Just to avoid the “unknown processor” error.
elseif (${CMAKE_SYSTEM_PROCESSOR} STREQUAL "ppc64le")
set(ARCH "ppc64le")
else()
message(FATAL_ERROR "Unknown processor:" ${CMAKE_SYSTEM_PROCESSOR})
endif()
@@ -194,35 +186,6 @@ if (${ARCH} STREQUAL "x86" AND APPLE)
set(ARCH "x86_64")
endif()
if (MSAN)
if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
message(FATAL_ERROR "Cannot enable MSAN unless using Clang")
endif()
if (ASAN)
message(FATAL_ERROR "ASAN and MSAN are mutually exclusive")
endif()
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer")
set(OPENSSL_NO_ASM "1")
endif()
if (ASAN)
if(NOT CMAKE_CXX_COMPILER_ID MATCHES "Clang")
message(FATAL_ERROR "Cannot enable ASAN unless using Clang")
endif()
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
set(OPENSSL_NO_ASM "1")
endif()
if (GCOV)
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fprofile-arcs -ftest-coverage")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fprofile-arcs -ftest-coverage")
endif()
if (OPENSSL_NO_ASM)
add_definitions(-DOPENSSL_NO_ASM)
set(ARCH "generic")
FUZZING.md
+30 -24
View File
@@ -23,24 +23,22 @@ Then copy `libFuzzer.a` to the top-level of your BoringSSL source directory.
From the `build/` directory, you can then run the fuzzers. For example:
```
./fuzz/cert -max_len=10000 -jobs=32 -workers=32 ../fuzz/cert_corpus/
./fuzz/cert -max_len=3072 -jobs=32 -workers=32 ../fuzz/cert_corpus/
```
The arguments to `jobs` and `workers` should be the number of cores that you wish to dedicate to fuzzing. By default, libFuzzer uses the largest test in the corpus (or 64 if empty) as the maximum test case length. The `max_len` argument overrides this.
The recommended values of `max_len` for each test are:
| Test | `max_len` value |
|---------------|-----------------|
| `cert` | 10000 |
| `client` | 20000 |
| `pkcs8` | 2048 |
| `privkey` | 2048 |
| `server` | 4096 |
| `session` | 8192 |
| `spki` | 1024 |
| `read_pem` | 512 |
| `ssl_ctx_api` | 256 |
| Test | `max_len` value |
|------------|-----------------|
| `cert` | 3072 |
| `client` | 20000 |
| `pkcs8` | 2048 |
| `privkey` | 2048 |
| `server` | 4096 |
| `spki` | 1024 |
| `read_pem` | 512 |
These were determined by rounding up the length of the largest case in the corpus.
@@ -54,31 +52,39 @@ In order to minimise all the corpuses, build for fuzzing and run `./fuzz/minimis
## Fuzzer mode
When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FUZZER_MODE` and `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. This modifies the library to be more friendly to fuzzers. If `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` is set, BoringSSL will:
When `-DFUZZ=1` is passed into CMake, BoringSSL builds with `BORINGSSL_UNSAFE_FUZZER_MODE` defined. This modifies the library, particularly the TLS stack, to be more friendly to fuzzers. It will:
* Replace `RAND_bytes` with a deterministic PRNG. Call `RAND_reset_for_fuzzing()` at the start of fuzzers which use `RAND_bytes` to reset the PRNG state.
* Use a hard-coded time instead of the actual time.
Additionally, if `BORINGSSL_UNSAFE_FUZZER_MODE` is set, BoringSSL will:
* Modify the TLS stack to perform all signature checks (CertificateVerify and ServerKeyExchange) and the Finished check, but always act as if the check succeeded.
* Treat every cipher as the NULL cipher.
* Use a hard-coded time instead of the actual time.
* Tickets are unencrypted and the MAC check is performed but ignored.
This is to prevent the fuzzer from getting stuck at a cryptographic invariant in the protocol.
## TLS transcripts
The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. The `run_tests` target will pass appropriate command-line flags.
There are separate corpora, `client_corpus_no_fuzzer_mode` and `server_corpus_no_fuzzer_mode`. These are transcripts for fuzzers with only `BORINGSSL_UNSAFE_DETERMINISTIC_MODE` defined. To build in this mode, pass `-DNO_FUZZER_MODE=1` into CMake. This configuration is run in the same way but without `-fuzzer` and `-shim-path` flags.
If both sets of tests pass, refresh the fuzzer corpora with `refresh_ssl_corpora.sh`:
The `client` and `server` corpora are seeded from the test suite. The test suite has a `-fuzzer` flag which mirrors the fuzzer mode changes above and a `-deterministic` flag which removes all non-determinism on the Go side. Not all tests pass, so `ssl/test/runner/fuzzer_mode.json` contains the necessary suppressions. To run the tests against a fuzzer-mode `bssl_shim`, run:
```
cd fuzz
./refresh_fuzzer_corpora.sh /path/to/fuzzer/mode/build /path/to/non/fuzzer/mode/build
cd ssl/test/runner
go test -fuzzer -deterministic -shim-config fuzzer_mode.json
```
For a different build directory from `build/`, pass the appropriate `-shim-path` flag. If those tests pass, record a set of transcripts with:
```
go test -fuzzer -deterministic -transcript-dir /tmp/transcripts/
```
Note the suppressions file is ignored so disabled tests record transcripts too. Then merge into the existing corpora:
```
cd build/
./fuzz/client -max_len=50000 -merge=1 ../fuzz/client_corpus /tmp/transcripts/tls/client
./fuzz/server -max_len=50000 -merge=1 ../fuzz/server_corpus /tmp/transcripts/tls/server
```
INCORPORATING.md
+2 -2
View File
@@ -5,7 +5,7 @@
## Bazel
If you are using [Bazel](https://bazel.build) then you can incorporate
If you are using [Bazel](http://www.bazel.io) then you can incorporate
BoringSSL as an external repository by using a commit from the
`master-with-bazel` branch. That branch is maintained by a bot from `master`
and includes the needed generated files and a top-level BUILD file.
@@ -38,7 +38,7 @@ updating things more complex.
BoringSSL is designed to work with many different build systems. Currently,
different projects use [GYP](https://gyp.gsrc.io/),
[GN](https://chromium.googlesource.com/chromium/src/+/master/tools/gn/docs/quick_start.md),
[Bazel](https://bazel.build/) and [Make](https://www.gnu.org/software/make/) to
[Bazel](http://bazel.io/) and [Make](https://www.gnu.org/software/make/) to
build BoringSSL, without too much pain.
The development build system is CMake and the CMake build knows how to
STYLE.md
-10
View File
@@ -45,16 +45,6 @@ not
Rather than `malloc()` and `free()`, use the wrappers `OPENSSL_malloc()`
and `OPENSSL_free()`. Use the standard C `assert()` function freely.
Use the following wrappers, found in `crypto/internal.h` instead of the
corresponding C standard library functions. They behave the same but avoid
confusing undefined behavior.
* `OPENSSL_memchr`
* `OPENSSL_memcmp`
* `OPENSSL_memcpy`
* `OPENSSL_memmove`
* `OPENSSL_memset`
For new constants, prefer enums when the values are sequential and typed
constants for flags. If adding values to an existing set of `#define`s,
continue with `#define`.
crypto/CMakeLists.txt
+4 -4
View File
@@ -64,7 +64,6 @@ add_subdirectory(err)
add_subdirectory(buf)
add_subdirectory(base64)
add_subdirectory(bytestring)
add_subdirectory(pool)
# Level 0.2 - depends on nothing but itself
add_subdirectory(sha)
@@ -78,6 +77,7 @@ add_subdirectory(conf)
add_subdirectory(chacha)
add_subdirectory(poly1305)
add_subdirectory(curve25519)
add_subdirectory(newhope)
# Level 1, depends only on 0.*
add_subdirectory(digest)
@@ -136,7 +136,6 @@ add_library(
$<TARGET_OBJECTS:err>
$<TARGET_OBJECTS:base64>
$<TARGET_OBJECTS:bytestring>
$<TARGET_OBJECTS:pool>
$<TARGET_OBJECTS:sha>
$<TARGET_OBJECTS:md4>
$<TARGET_OBJECTS:md5>
@@ -171,6 +170,7 @@ add_library(
$<TARGET_OBJECTS:x509>
$<TARGET_OBJECTS:x509v3>
$<TARGET_OBJECTS:pkcs8_lib>
$<TARGET_OBJECTS:newhope>
)
if(NOT MSVC AND NOT ANDROID)
@@ -180,7 +180,7 @@ endif()
add_executable(
constant_time_test
constant_time_test.cc
constant_time_test.c
$<TARGET_OBJECTS:test_support>
)
@@ -202,7 +202,7 @@ add_dependencies(all_tests thread_test)
add_executable(
refcount_test
refcount_test.cc
refcount_test.c
)
target_link_libraries(refcount_test crypto)
crypto/aes/CMakeLists.txt
-1
View File
@@ -53,7 +53,6 @@ add_library(
OBJECT
aes.c
key_wrap.c
mode_wrappers.c
${AES_ARCH_SOURCES}
crypto/aes/aes_test.cc
+48 -136
View File
@@ -15,176 +15,88 @@
#include <stdio.h>
#include <string.h>
#include <memory>
#include <vector>
#include <openssl/aes.h>
#include <openssl/crypto.h>
#include "../internal.h"
#include "../test/file_test.h"
static bool TestRaw(FileTest *t) {
std::vector<uint8_t> key, plaintext, ciphertext;
if (!t->GetBytes(&key, "Key") ||
!t->GetBytes(&plaintext, "Plaintext") ||
!t->GetBytes(&ciphertext, "Ciphertext")) {
return false;
}
if (plaintext.size() != AES_BLOCK_SIZE ||
ciphertext.size() != AES_BLOCK_SIZE) {
t->PrintLine("Plaintext or Ciphertext not a block size.");
return false;
}
static bool TestAES(const uint8_t *key, size_t key_len,
const uint8_t plaintext[AES_BLOCK_SIZE],
const uint8_t ciphertext[AES_BLOCK_SIZE]) {
AES_KEY aes_key;
if (AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key) != 0) {
t->PrintLine("AES_set_encrypt_key failed.");
if (AES_set_encrypt_key(key, key_len * 8, &aes_key) != 0) {
fprintf(stderr, "AES_set_encrypt_key failed\n");
return false;
}
// Test encryption.
uint8_t block[AES_BLOCK_SIZE];
AES_encrypt(plaintext.data(), block, &aes_key);
if (!t->ExpectBytesEqual(block, AES_BLOCK_SIZE, ciphertext.data(),
ciphertext.size())) {
t->PrintLine("AES_encrypt gave the wrong output.");
AES_encrypt(plaintext, block, &aes_key);
if (memcmp(block, ciphertext, AES_BLOCK_SIZE) != 0) {
fprintf(stderr, "AES_encrypt gave the wrong output\n");
return false;
}
// Test in-place encryption.
OPENSSL_memcpy(block, plaintext.data(), AES_BLOCK_SIZE);
memcpy(block, plaintext, AES_BLOCK_SIZE);
AES_encrypt(block, block, &aes_key);
if (!t->ExpectBytesEqual(block, AES_BLOCK_SIZE, ciphertext.data(),
ciphertext.size())) {
t->PrintLine("In-place AES_encrypt gave the wrong output.");
if (memcmp(block, ciphertext, AES_BLOCK_SIZE) != 0) {
fprintf(stderr, "AES_encrypt gave the wrong output\n");
return false;
}
if (AES_set_decrypt_key(key.data(), 8 * key.size(), &aes_key) != 0) {
t->PrintLine("AES_set_decrypt_key failed.");
if (AES_set_decrypt_key(key, key_len * 8, &aes_key) != 0) {
fprintf(stderr, "AES_set_decrypt_key failed\n");
return false;
}
// Test decryption.
AES_decrypt(ciphertext.data(), block, &aes_key);
if (!t->ExpectBytesEqual(block, AES_BLOCK_SIZE, plaintext.data(),
plaintext.size())) {
t->PrintLine("AES_decrypt gave the wrong output.");
AES_decrypt(ciphertext, block, &aes_key);
if (memcmp(block, plaintext, AES_BLOCK_SIZE) != 0) {
fprintf(stderr, "AES_decrypt gave the wrong output\n");
return false;
}
// Test in-place decryption.
OPENSSL_memcpy(block, ciphertext.data(), AES_BLOCK_SIZE);
memcpy(block, ciphertext, AES_BLOCK_SIZE);
AES_decrypt(block, block, &aes_key);
if (!t->ExpectBytesEqual(block, AES_BLOCK_SIZE, plaintext.data(),
plaintext.size())) {
t->PrintLine("In-place AES_decrypt gave the wrong output.");
if (memcmp(block, plaintext, AES_BLOCK_SIZE) != 0) {
fprintf(stderr, "AES_decrypt gave the wrong output\n");
return false;
}
return true;
}
static bool TestKeyWrap(FileTest *t) {
// All test vectors use the default IV, so test both with implicit and
// explicit IV.
//
// TODO(davidben): Find test vectors that use a different IV.
static const uint8_t kDefaultIV[] = {
0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6,
};
std::vector<uint8_t> key, plaintext, ciphertext;
if (!t->GetBytes(&key, "Key") ||
!t->GetBytes(&plaintext, "Plaintext") ||
!t->GetBytes(&ciphertext, "Ciphertext")) {
return false;
}
if (plaintext.size() + 8 != ciphertext.size()) {
t->PrintLine("Invalid Plaintext and Ciphertext lengths.");
return false;
}
AES_KEY aes_key;
if (AES_set_encrypt_key(key.data(), 8 * key.size(), &aes_key) != 0) {
t->PrintLine("AES_set_encrypt_key failed.");
return false;
}
std::unique_ptr<uint8_t[]> buf(new uint8_t[ciphertext.size()]);
if (AES_wrap_key(&aes_key, nullptr /* iv */, buf.get(), plaintext.data(),
plaintext.size()) != static_cast<int>(ciphertext.size()) ||
!t->ExpectBytesEqual(buf.get(), ciphertext.size(), ciphertext.data(),
ciphertext.size())) {
t->PrintLine("AES_wrap_key with implicit IV failed.");
return false;
}
OPENSSL_memset(buf.get(), 0, ciphertext.size());
if (AES_wrap_key(&aes_key, kDefaultIV, buf.get(), plaintext.data(),
plaintext.size()) != static_cast<int>(ciphertext.size()) ||
!t->ExpectBytesEqual(buf.get(), ciphertext.size(), ciphertext.data(),
ciphertext.size())) {
t->PrintLine("AES_wrap_key with explicit IV failed.");
return false;
}
if (AES_set_decrypt_key(key.data(), 8 * key.size(), &aes_key) != 0) {
t->PrintLine("AES_set_decrypt_key failed.");
return false;
}
buf.reset(new uint8_t[plaintext.size()]);
if (AES_unwrap_key(&aes_key, nullptr /* iv */, buf.get(), ciphertext.data(),
ciphertext.size()) != static_cast<int>(plaintext.size()) ||
!t->ExpectBytesEqual(buf.get(), plaintext.size(), plaintext.data(),
plaintext.size())) {
t->PrintLine("AES_unwrap_key with implicit IV failed.");
return false;
}
OPENSSL_memset(buf.get(), 0, plaintext.size());
if (AES_unwrap_key(&aes_key, kDefaultIV, buf.get(), ciphertext.data(),
ciphertext.size()) != static_cast<int>(plaintext.size()) ||
!t->ExpectBytesEqual(buf.get(), plaintext.size(), plaintext.data(),
plaintext.size())) {
t->PrintLine("AES_unwrap_key with explicit IV failed.");
return false;
}
ciphertext[0] ^= 1;
if (AES_unwrap_key(&aes_key, nullptr /* iv */, buf.get(), ciphertext.data(),
ciphertext.size()) != -1) {
t->PrintLine("AES_unwrap_key with bad input unexpectedly succeeded.");
return false;
}
return true;
}
static bool TestAES(FileTest *t, void *arg) {
if (t->GetParameter() == "Raw") {
return TestRaw(t);
}
if (t->GetParameter() == "KeyWrap") {
return TestKeyWrap(t);
}
t->PrintLine("Unknown mode '%s'.", t->GetParameter().c_str());
return false;
}
int main(int argc, char **argv) {
int main() {
CRYPTO_library_init();
if (argc != 2) {
fprintf(stderr, "%s <test file.txt>\n", argv[0]);
return 1;
// Test vectors from FIPS-197, Appendix C.
if (!TestAES((const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
"\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f",
128 / 8,
(const uint8_t *)"\x00\x11\x22\x33\x44\x55\x66\x77"
"\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
(const uint8_t *)"\x69\xc4\xe0\xd8\x6a\x7b\x04\x30"
"\xd8\xcd\xb7\x80\x70\xb4\xc5\x5a") ||
!TestAES((const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
"\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
"\x10\x11\x12\x13\x14\x15\x16\x17",
192 / 8,
(const uint8_t *)"\x00\x11\x22\x33\x44\x55\x66\x77"
"\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
(const uint8_t *)"\xdd\xa9\x7c\xa4\x86\x4c\xdf\xe0"
"\x6e\xaf\x70\xa0\xec\x0d\x71\x91") ||
!TestAES((const uint8_t *)"\x00\x01\x02\x03\x04\x05\x06\x07"
"\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
"\x10\x11\x12\x13\x14\x15\x16\x17"
"\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f",
256 / 8,
(const uint8_t *)"\x00\x11\x22\x33\x44\x55\x66\x77"
"\x88\x99\xaa\xbb\xcc\xdd\xee\xff",
(const uint8_t *)"\x8e\xa2\xb7\xca\x51\x67\x45\xbf"
"\xea\xfc\x49\x90\x4b\x49\x60\x89")) {
return false;
}
return FileTestMain(TestAES, nullptr, argv[1]);
printf("PASS\n");
return 0;
}
crypto/aes/aes_tests.txt
-50
View File
@@ -1,50 +0,0 @@
# Test vectors from FIPS-197, Appendix C.
Mode = Raw
Key = 000102030405060708090a0b0c0d0e0f
Plaintext = 00112233445566778899aabbccddeeff
Ciphertext = 69c4e0d86a7b0430d8cdb78070b4c55a
Mode = Raw
Key = 000102030405060708090a0b0c0d0e0f1011121314151617
Plaintext = 00112233445566778899aabbccddeeff
Ciphertext = dda97ca4864cdfe06eaf70a0ec0d7191
Mode = Raw
Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
Plaintext = 00112233445566778899aabbccddeeff
Ciphertext = 8ea2b7ca516745bfeafc49904b496089
# Test vectors from
# http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
Mode = KeyWrap
Key = 000102030405060708090a0b0c0d0e0f
Plaintext = 00112233445566778899aabbccddeeff
Ciphertext = 1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5
Mode = KeyWrap
Key = 000102030405060708090a0b0c0d0e0f1011121314151617
Plaintext = 00112233445566778899aabbccddeeff
Ciphertext = 96778b25ae6ca435f92b5b97c050aed2468ab8a17ad84e5d
Mode = KeyWrap
Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
Plaintext = 00112233445566778899aabbccddeeff
Ciphertext = 64e8c3f9ce0f5ba263e9777905818a2a93c8191e7d6e8ae7
Mode = KeyWrap
Key = 000102030405060708090a0b0c0d0e0f1011121314151617
Plaintext = 00112233445566778899aabbccddeeff0001020304050607
Ciphertext = 031d33264e15d33268f24ec260743edce1c6c7ddee725a936ba814915c6762d2
Mode = KeyWrap
Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
Plaintext = 00112233445566778899aabbccddeeff0001020304050607
Ciphertext = a8f9bc1612c68b3ff6e6f4fbe30e71e4769c8b80a32cb8958cd5d17d6b254da1
Mode = KeyWrap
Key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
Plaintext = 00112233445566778899aabbccddeeff000102030405060708090a0b0c0d0e0f
Ciphertext = 28c9f404c4b810f4cbccb35cfb87f8263f5786e2d80ed326cbc7f0e71a99f43bfb988b9b7a02dd21
crypto/aes/asm/aesp8-ppc.pl
+2 -2
View File
@@ -3011,7 +3011,7 @@ _aesp8_xts_enc5x:
vxor $twk0,$twk0,v31
vcipher $out0,$out0,v26
lvsr $inpperm,0,$taillen # $in5 is no more
lvsr $inpperm,r0,$taillen # $in5 is no more
vcipher $out1,$out1,v26
vcipher $out2,$out2,v26
vcipher $out3,$out3,v26
@@ -3773,7 +3773,7 @@ foreach(split("\n",$code)) {
if ($flavour =~ /le$/o) {
SWITCH: for($conv) {
/\?inv/ && do { @bytes=map($_^0xf,@bytes); last; };
/\?rev/ && do { @bytes=reverse(@bytes); last; };
/\?rev/ && do { @bytes=reverse(@bytes); last; };
}
}
crypto/aes/key_wrap.c
-138
View File
@@ -1,138 +0,0 @@
/* ====================================================================
* Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ==================================================================== */
#include <openssl/aes.h>
#include <limits.h>
#include <string.h>
#include <openssl/mem.h>
#include "../internal.h"
/* kDefaultIV is the default IV value given in RFC 3394, 2.2.3.1. */
static const uint8_t kDefaultIV[] = {
0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6,
};
static const unsigned kBound = 6;
int AES_wrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
const uint8_t *in, size_t in_len) {
/* See RFC 3394, section 2.2.1. */
if (in_len > INT_MAX - 8 || in_len < 8 || in_len % 8 != 0) {
return -1;
}
if (iv == NULL) {
iv = kDefaultIV;
}
OPENSSL_memmove(out + 8, in, in_len);
uint8_t A[AES_BLOCK_SIZE];
OPENSSL_memcpy(A, iv, 8);
size_t n = in_len / 8;
for (unsigned j = 0; j < kBound; j++) {
for (size_t i = 1; i <= n; i++) {
OPENSSL_memcpy(A + 8, out + 8 * i, 8);
AES_encrypt(A, A, key);
uint32_t t = (uint32_t)(n * j + i);
A[7] ^= t & 0xff;
A[6] ^= (t >> 8) & 0xff;
A[5] ^= (t >> 16) & 0xff;
A[4] ^= (t >> 24) & 0xff;
OPENSSL_memcpy(out + 8 * i, A + 8, 8);
}
}
OPENSSL_memcpy(out, A, 8);
return (int)in_len + 8;
}
int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,
const uint8_t *in, size_t in_len) {
/* See RFC 3394, section 2.2.2. */
if (in_len > INT_MAX || in_len < 16 || in_len % 8 != 0) {
return -1;
}
if (iv == NULL) {
iv = kDefaultIV;
}
uint8_t A[AES_BLOCK_SIZE];
OPENSSL_memcpy(A, in, 8);
OPENSSL_memmove(out, in + 8, in_len - 8);
size_t n = (in_len / 8) - 1;
for (unsigned j = kBound - 1; j < kBound; j--) {
for (size_t i = n; i > 0; i--) {
uint32_t t = (uint32_t)(n * j + i);
A[7] ^= t & 0xff;
A[6] ^= (t >> 8) & 0xff;
A[5] ^= (t >> 16) & 0xff;
A[4] ^= (t >> 24) & 0xff;
OPENSSL_memcpy(A + 8, out + 8 * (i - 1), 8);
AES_decrypt(A, A, key);
OPENSSL_memcpy(out + 8 * (i - 1), A + 8, 8);
}
}
if (CRYPTO_memcmp(A, iv, 8) != 0) {
return -1;
}
return (int)in_len - 8;
}
crypto/asn1/a_bitstr.c
+3 -6
View File
@@ -61,9 +61,6 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
{
return M_ASN1_BIT_STRING_set(x, d, len);
@@ -118,7 +115,7 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
*(p++) = (unsigned char)bits;
d = a->data;
OPENSSL_memcpy(p, d, len);
memcpy(p, d, len);
p += len;
if (len > 0)
p[-1] &= (0xff << bits);
@@ -165,7 +162,7 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
goto err;
}
OPENSSL_memcpy(s, p, (int)len);
memcpy(s, p, (int)len);
s[len - 1] &= (0xff << padding);
p += len;
} else
@@ -218,7 +215,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
return 0;
}
if (w + 1 - a->length > 0)
OPENSSL_memset(c + a->length, 0, w + 1 - a->length);
memset(c + a->length, 0, w + 1 - a->length);
a->data = c;
a->length = w + 1;
}
crypto/asn1/a_enum.c
+1 -4
View File
@@ -61,9 +61,6 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
/*
* Code for ENUMERATED type: identical to INTEGER apart from a different tag.
* for comments on encoding see a_int.c
@@ -82,7 +79,7 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
OPENSSL_free(a->data);
if ((a->data =
(unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL)
OPENSSL_memset((char *)a->data, 0, sizeof(long) + 1);
memset((char *)a->data, 0, sizeof(long) + 1);
}
if (a->data == NULL) {
OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
crypto/asn1/a_gentm.c
+14 -20
View File
@@ -220,43 +220,37 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
struct tm *ts;
struct tm data;
size_t len = 20;
ASN1_GENERALIZEDTIME *tmps = NULL;
if (s == NULL)
tmps = ASN1_GENERALIZEDTIME_new();
else
tmps = s;
if (tmps == NULL)
return NULL;
s = M_ASN1_GENERALIZEDTIME_new();
if (s == NULL)
return (NULL);
ts = OPENSSL_gmtime(&t, &data);
if (ts == NULL)
goto err;
return (NULL);
if (offset_day || offset_sec) {
if (!OPENSSL_gmtime_adj(ts, offset_day, offset_sec))
goto err;
return NULL;
}
p = (char *)tmps->data;
if ((p == NULL) || ((size_t)tmps->length < len)) {
p = (char *)s->data;
if ((p == NULL) || ((size_t)s->length < len)) {
p = OPENSSL_malloc(len);
if (p == NULL) {
OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
goto err;
return (NULL);
}
OPENSSL_free(tmps->data);
tmps->data = (unsigned char *)p;
if (s->data != NULL)
OPENSSL_free(s->data);
s->data = (unsigned char *)p;
}
BIO_snprintf(p, len, "%04d%02d%02d%02d%02d%02dZ", ts->tm_year + 1900,
ts->tm_mon + 1, ts->tm_mday, ts->tm_hour, ts->tm_min,
ts->tm_sec);
tmps->length = strlen(p);
tmps->type = V_ASN1_GENERALIZEDTIME;
return tmps;
err:
if (s == NULL)
ASN1_GENERALIZEDTIME_free(tmps);
return NULL;
s->length = strlen(p);
s->type = V_ASN1_GENERALIZEDTIME;
return (s);
}
crypto/asn1/a_int.c
+4 -7
View File
@@ -61,9 +61,6 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x)
{
return M_ASN1_INTEGER_dup(x);
@@ -160,7 +157,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
if (a->length == 0)
*(p++) = 0;
else if (!neg)
OPENSSL_memcpy(p, a->data, (unsigned int)a->length);
memcpy(p, a->data, (unsigned int)a->length);
else {
/* Begin at the end of the encoding */
n = a->data + a->length - 1;
@@ -257,7 +254,7 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
p++;
len--;
}
OPENSSL_memcpy(s, p, (int)len);
memcpy(s, p, (int)len);
}
if (ret->data != NULL)
@@ -325,7 +322,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
p++;
len--;
}
OPENSSL_memcpy(s, p, (int)len);
memcpy(s, p, (int)len);
p += len;
}
@@ -357,7 +354,7 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
OPENSSL_free(a->data);
if ((a->data =
(unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL)
OPENSSL_memset((char *)a->data, 0, sizeof(long) + 1);
memset((char *)a->data, 0, sizeof(long) + 1);
}
if (a->data == NULL) {
OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
crypto/asn1/a_object.c
+2 -5
View File
@@ -63,9 +63,6 @@
#include <openssl/mem.h>
#include <openssl/obj.h>
#include "../internal.h"
int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
{
unsigned char *p;
@@ -80,7 +77,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
p = *pp;
ASN1_put_object(&p, 0, a->length, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
OPENSSL_memcpy(p, a->data, a->length);
memcpy(p, a->data, a->length);
p += a->length;
*pp = p;
@@ -324,7 +321,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
}
ret->flags |= ASN1_OBJECT_FLAG_DYNAMIC_DATA;
}
OPENSSL_memcpy(data, p, length);
memcpy(data, p, length);
/* reattach data to object, after which it remains const */
ret->data = data;
ret->length = length;
crypto/asn1/a_utctm.c
+1 -1
View File
@@ -270,7 +270,7 @@ time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s)
struct tm tm;
int offset;
OPENSSL_memset(&tm, '\0', sizeof tm);
memset(&tm, '\0', sizeof tm);
# define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
tm.tm_year = g2(s->data);
crypto/asn1/asn1_lib.c
+2 -5
View File
@@ -63,9 +63,6 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
/* Cross-module errors from crypto/x509/i2d_pr.c. */
OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_PUBLIC_KEY_TYPE)
@@ -404,7 +401,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
}
str->length = len;
if (data != NULL) {
OPENSSL_memcpy(str->data, data, len);
memcpy(str->data, data, len);
/* an allowance for strings :-) */
str->data[len] = '\0';
}
@@ -455,7 +452,7 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
i = (a->length - b->length);
if (i == 0) {
i = OPENSSL_memcmp(a->data, b->data, a->length);
i = memcmp(a->data, b->data, a->length);
if (i == 0)
return (a->type - b->type);
else
crypto/asn1/tasn_dec.c
+1 -1
View File
@@ -1108,7 +1108,7 @@ static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen)
OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
return 0;
}
OPENSSL_memcpy(buf->data + len, *p, plen);
memcpy(buf->data + len, *p, plen);
}
*p += plen;
return 1;
crypto/asn1/tasn_enc.c
+3 -6
View File
@@ -62,9 +62,6 @@
#include <openssl/asn1t.h>
#include <openssl/mem.h>
#include "../internal.h"
static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
const ASN1_ITEM *it, int tag, int aclass);
static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
@@ -418,7 +415,7 @@ static int der_cmp(const void *a, const void *b)
const DER_ENC *d1 = a, *d2 = b;
int cmplen, i;
cmplen = (d1->length < d2->length) ? d1->length : d2->length;
i = OPENSSL_memcmp(d1->data, d2->data, cmplen);
i = memcmp(d1->data, d2->data, cmplen);
if (i)
return i;
return d1->length - d2->length;
@@ -473,7 +470,7 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
/* Output sorted DER encoding */
p = *out;
for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) {
OPENSSL_memcpy(p, tder->data, tder->length);
memcpy(p, tder->data, tder->length);
p += tder->length;
}
*out = p;
@@ -663,6 +660,6 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
}
if (cout && len)
OPENSSL_memcpy(cout, cont, len);
memcpy(cout, cont, len);
return len;
}
crypto/asn1/tasn_new.c
+2 -5
View File
@@ -63,9 +63,6 @@
#include <openssl/mem.h>
#include <openssl/obj.h>
#include "../internal.h"
static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
int combine);
static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
@@ -156,7 +153,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
*pval = OPENSSL_malloc(it->size);
if (!*pval)
goto memerr;
OPENSSL_memset(*pval, 0, it->size);
memset(*pval, 0, it->size);
}
asn1_set_choice_selector(pval, -1, it);
if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
@@ -181,7 +178,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
*pval = OPENSSL_malloc(it->size);
if (!*pval)
goto memerr;
OPENSSL_memset(*pval, 0, it->size);
memset(*pval, 0, it->size);
asn1_refcount_set_one(pval, it);
asn1_enc_init(pval, it);
}
crypto/asn1/tasn_utl.c
+8 -22
View File
@@ -56,7 +56,6 @@
#include <openssl/asn1.h>
#include <assert.h>
#include <string.h>
#include <openssl/asn1t.h>
@@ -71,7 +70,7 @@
/* Utility functions for manipulating fields and offsets */
/* Add 'offset' to 'addr' */
#define offset2ptr(addr, offset) (void *)(((char *)(addr)) + (offset))
#define offset2ptr(addr, offset) (void *)(((char *) addr) + offset)
/* Given an ASN1_ITEM CHOICE type return the selector value */
int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it) {
@@ -135,8 +134,6 @@ void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it) {
if (enc) {
enc->enc = NULL;
enc->len = 0;
enc->alias_only = 0;
enc->alias_only_on_next_parse = 0;
enc->modified = 1;
}
}
@@ -145,13 +142,11 @@ void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it) {
ASN1_ENCODING *enc;
enc = asn1_get_enc_ptr(pval, it);
if (enc) {
if (enc->enc && !enc->alias_only) {
if (enc->enc) {
OPENSSL_free(enc->enc);
}
enc->enc = NULL;
enc->len = 0;
enc->alias_only = 0;
enc->alias_only_on_next_parse = 0;
enc->modified = 1;
}
}
@@ -164,23 +159,14 @@ int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen,
return 1;
}
if (!enc->alias_only) {
if (enc->enc) {
OPENSSL_free(enc->enc);
}
enc->alias_only = enc->alias_only_on_next_parse;
enc->alias_only_on_next_parse = 0;
if (enc->alias_only) {
enc->enc = (uint8_t *) in;
} else {
enc->enc = OPENSSL_malloc(inlen);
if (!enc->enc) {
return 0;
}
OPENSSL_memcpy(enc->enc, in, inlen);
enc->enc = OPENSSL_malloc(inlen);
if (!enc->enc) {
return 0;
}
memcpy(enc->enc, in, inlen);
enc->len = inlen;
enc->modified = 0;
@@ -195,7 +181,7 @@ int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval,
return 0;
}
if (out) {
OPENSSL_memcpy(*out, enc->enc, enc->len);
memcpy(*out, enc->enc, enc->len);
*out += enc->len;
}
if (len) {
crypto/asn1/x_long.c
+2 -5
View File
@@ -63,9 +63,6 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
/*
* Custom primitive type for long handling. This converts between an
* ASN1_INTEGER and a long directly.
@@ -120,7 +117,7 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype,
char *cp = (char *)pval;
/* use memcpy, because we may not be long aligned */
OPENSSL_memcpy(&ltmp, cp, sizeof(long));
memcpy(&ltmp, cp, sizeof(long));
if (ltmp == it->size)
return -1;
@@ -189,7 +186,7 @@ static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
OPENSSL_PUT_ERROR(ASN1, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
return 0;
}
OPENSSL_memcpy(cp, &ltmp, sizeof(long));
memcpy(cp, &ltmp, sizeof(long));
return 1;
}
crypto/base64/base64.c
+5 -7
View File
@@ -62,8 +62,6 @@
#include <openssl/type_check.h>
#include "../internal.h"
/* Encoding. */
@@ -97,7 +95,7 @@ int EVP_EncodedLength(size_t *out_len, size_t len) {
}
void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) {
OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
}
void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
@@ -112,14 +110,14 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
assert(ctx->data_used < sizeof(ctx->data));
if (sizeof(ctx->data) - ctx->data_used > in_len) {
OPENSSL_memcpy(&ctx->data[ctx->data_used], in, in_len);
memcpy(&ctx->data[ctx->data_used], in, in_len);
ctx->data_used += (unsigned)in_len;
return;
}
if (ctx->data_used != 0) {
const size_t todo = sizeof(ctx->data) - ctx->data_used;
OPENSSL_memcpy(&ctx->data[ctx->data_used], in, todo);
memcpy(&ctx->data[ctx->data_used], in, todo);
in += todo;
in_len -= todo;
@@ -151,7 +149,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
}
if (in_len != 0) {
OPENSSL_memcpy(ctx->data, in, in_len);
memcpy(ctx->data, in, in_len);
}
ctx->data_used = (unsigned)in_len;
@@ -226,7 +224,7 @@ int EVP_DecodedLength(size_t *out_len, size_t len) {
}
void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) {
OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
}
/* kBase64ASCIIToBinData maps characters (c < 128) to their base64 value, or
crypto/base64/base64_test.cc
+6 -8
View File
@@ -136,7 +136,7 @@ static bool TestEncodeBlock() {
std::string encoded(RemoveNewlines(t->encoded));
if (len != encoded.size() ||
OPENSSL_memcmp(out, encoded.data(), len) != 0) {
memcmp(out, encoded.data(), len) != 0) {
fprintf(stderr, "encode(\"%s\") = \"%.*s\", want \"%s\"\n",
t->decoded, (int)len, (const char*)out, encoded.c_str());
return false;
@@ -178,7 +178,7 @@ static bool TestDecodeBase64() {
}
if (len != strlen(t->decoded) ||
OPENSSL_memcmp(out, t->decoded, len) != 0) {
memcmp(out, t->decoded, len) != 0) {
fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
encoded.c_str(), (int)len, (const char*)out, t->decoded);
return false;
@@ -217,7 +217,7 @@ static bool TestDecodeBlock() {
ret -= 3 - (expected_len % 3);
}
if (static_cast<size_t>(ret) != strlen(t->decoded) ||
OPENSSL_memcmp(out, t->decoded, ret) != 0) {
memcmp(out, t->decoded, ret) != 0) {
fprintf(stderr, "decode(\"%s\") = \"%.*s\", want \"%s\"\n",
t->encoded, ret, (const char*)out, t->decoded);
return false;
@@ -258,8 +258,7 @@ static bool TestEncodeDecode() {
EVP_EncodeFinal(&ctx, out + total, &out_len);
total += out_len;
if (total != strlen(t->encoded) ||
OPENSSL_memcmp(out, t->encoded, total) != 0) {
if (total != strlen(t->encoded) || memcmp(out, t->encoded, total) != 0) {
fprintf(stderr, "#%u: EVP_EncodeUpdate produced different output: '%s' (%u)\n",
test_num, out, static_cast<unsigned>(total));
return false;
@@ -288,8 +287,7 @@ static bool TestEncodeDecode() {
fprintf(stderr, "#%u: EVP_DecodeUpdate failed\n", test_num);
return false;
}
if (total != decoded_len ||
OPENSSL_memcmp(out, t->decoded, decoded_len)) {
if (total != decoded_len || memcmp(out, t->decoded, decoded_len)) {
fprintf(stderr, "#%u: EVP_DecodeUpdate produced incorrect output\n",
test_num);
return false;
@@ -370,7 +368,7 @@ static bool TestDecodeUpdateStreaming() {
out_len += bytes_written;
if (out_len != strlen(t->decoded) ||
OPENSSL_memcmp(out.data(), t->decoded, out_len) != 0) {
memcmp(out.data(), t->decoded, out_len) != 0) {
fprintf(stderr, "#%u: incorrect output\n", test_num);
return 0;
}
crypto/bio/bio.c
+10 -22
View File
@@ -75,7 +75,7 @@ BIO *BIO_new(const BIO_METHOD *method) {
return NULL;
}
OPENSSL_memset(ret, 0, sizeof(BIO));
memset(ret, 0, sizeof(BIO));
ret->method = method;
ret->shutdown = 1;
ret->references = 1;
@@ -336,13 +336,7 @@ long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {
}
size_t BIO_pending(const BIO *bio) {
const long r = BIO_ctrl((BIO *) bio, BIO_CTRL_PENDING, 0, NULL);
assert(r >= 0);
if (r < 0) {
return 0;
}
return r;
return BIO_ctrl((BIO *) bio, BIO_CTRL_PENDING, 0, NULL);
}
size_t BIO_ctrl_pending(const BIO *bio) {
@@ -350,13 +344,7 @@ size_t BIO_ctrl_pending(const BIO *bio) {
}
size_t BIO_wpending(const BIO *bio) {
const long r = BIO_ctrl((BIO *) bio, BIO_CTRL_WPENDING, 0, NULL);
assert(r >= 0);
if (r < 0) {
return 0;
}
return r;
return BIO_ctrl((BIO *) bio, BIO_CTRL_WPENDING, 0, NULL);
}
int BIO_set_close(BIO *bio, int close_flag) {
@@ -460,10 +448,14 @@ static int print_bio(const char *str, size_t len, void *bio) {
return BIO_write((BIO *)bio, str, len);
}
void ERR_print_errors(BIO *bio) {
void BIO_print_errors(BIO *bio) {
ERR_print_errors_cb(print_bio, bio);
}
void ERR_print_errors(BIO *bio) {
BIO_print_errors(bio);
}
/* bio_read_all reads everything from |bio| and prepends |prefix| to it. On
* success, |*out| is set to an allocated buffer (which should be freed with
* |OPENSSL_free|), |*out_len| is set to its length and one is returned. The
@@ -488,7 +480,7 @@ static int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,
if (*out == NULL) {
return 0;
}
OPENSSL_memcpy(*out, prefix, prefix_len);
memcpy(*out, prefix, prefix_len);
size_t done = prefix_len;
for (;;) {
@@ -595,7 +587,7 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
if (*out == NULL) {
return 0;
}
OPENSSL_memcpy(*out, header, header_len);
memcpy(*out, header, header_len);
if (BIO_read(bio, (*out) + header_len, len - header_len) !=
(int) (len - header_len)) {
OPENSSL_free(*out);
@@ -604,7 +596,3 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {
return 1;
}
void BIO_set_retry_special(BIO *bio) {
bio->flags |= BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL;
}
crypto/bio/bio_mem.c
+4 -6
View File
@@ -63,8 +63,6 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
BIO *BIO_new_mem_buf(const void *buf, int len) {
BIO *ret;
@@ -146,12 +144,12 @@ static int mem_read(BIO *bio, char *out, int outl) {
}
if (ret > 0) {
OPENSSL_memcpy(out, b->data, ret);
memcpy(out, b->data, ret);
b->length -= ret;
if (bio->flags & BIO_FLAGS_MEM_RDONLY) {
b->data += ret;
} else {
OPENSSL_memmove(b->data, &b->data[ret], b->length);
memmove(b->data, &b->data[ret], b->length);
}
} else if (b->length == 0) {
ret = bio->num;
@@ -182,7 +180,7 @@ static int mem_write(BIO *bio, const char *in, int inl) {
if (BUF_MEM_grow_clean(b, blen + inl) != ((size_t) blen) + inl) {
goto err;
}
OPENSSL_memcpy(&b->data[blen], in, inl);
memcpy(&b->data[blen], in, inl);
ret = inl;
err:
@@ -242,7 +240,7 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) {
b->data -= b->max - b->length;
b->length = b->max;
} else {
OPENSSL_memset(b->data, 0, b->max);
memset(b->data, 0, b->max);
b->length = 0;
}
}
crypto/bio/bio_test.cc
+158 -142
View File
@@ -59,7 +59,7 @@ static void PrintSocketError(const char *func) {
class ScopedSocket {
public:
explicit ScopedSocket(int sock) : sock_(sock) {}
ScopedSocket(int sock) : sock_(sock) {}
~ScopedSocket() {
closesocket(sock_);
}
@@ -79,7 +79,7 @@ static bool TestSocketConnect() {
ScopedSocket listening_sock_closer(listening_sock);
struct sockaddr_in sin;
OPENSSL_memset(&sin, 0, sizeof(sin));
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
if (!inet_pton(AF_INET, "127.0.0.1", &sin.sin_addr)) {
PrintSocketError("inet_pton");
@@ -128,13 +128,159 @@ static bool TestSocketConnect() {
PrintSocketError("read");
return false;
}
if (OPENSSL_memcmp(buf, kTestMessage, sizeof(kTestMessage))) {
if (memcmp(buf, kTestMessage, sizeof(kTestMessage))) {
return false;
}
return true;
}
// BioReadZeroCopyWrapper is a wrapper around the zero-copy APIs to make
// testing easier.
static size_t BioReadZeroCopyWrapper(BIO *bio, uint8_t *data, size_t len) {
uint8_t *read_buf;
size_t read_buf_offset;
size_t available_bytes;
size_t len_read = 0;
do {
if (!BIO_zero_copy_get_read_buf(bio, &read_buf, &read_buf_offset,
&available_bytes)) {
return 0;
}
available_bytes = std::min(available_bytes, len - len_read);
memmove(data + len_read, read_buf + read_buf_offset, available_bytes);
BIO_zero_copy_get_read_buf_done(bio, available_bytes);
len_read += available_bytes;
} while (len - len_read > 0 && available_bytes > 0);
return len_read;
}
// BioWriteZeroCopyWrapper is a wrapper around the zero-copy APIs to make
// testing easier.
static size_t BioWriteZeroCopyWrapper(BIO *bio, const uint8_t *data,
size_t len) {
uint8_t *write_buf;
size_t write_buf_offset;
size_t available_bytes;
size_t len_written = 0;
do {
if (!BIO_zero_copy_get_write_buf(bio, &write_buf, &write_buf_offset,
&available_bytes)) {
return 0;
}
available_bytes = std::min(available_bytes, len - len_written);
memmove(write_buf + write_buf_offset, data + len_written, available_bytes);
BIO_zero_copy_get_write_buf_done(bio, available_bytes);
len_written += available_bytes;
} while (len - len_written > 0 && available_bytes > 0);
return len_written;
}
static bool TestZeroCopyBioPairs() {
// Test read and write, especially triggering the ring buffer wrap-around.
uint8_t bio1_application_send_buffer[1024];
uint8_t bio2_application_recv_buffer[1024];
const size_t kLengths[] = {254, 255, 256, 257, 510, 511, 512, 513};
// These trigger ring buffer wrap around.
const size_t kPartialLengths[] = {0, 1, 2, 3, 128, 255, 256, 257, 511, 512};
static const size_t kBufferSize = 512;
srand(1);
for (size_t i = 0; i < sizeof(bio1_application_send_buffer); i++) {
bio1_application_send_buffer[i] = rand() & 255;
}
// Transfer bytes from bio1_application_send_buffer to
// bio2_application_recv_buffer in various ways.
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kLengths); i++) {
for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(kPartialLengths); j++) {
size_t total_write = 0;
size_t total_read = 0;
BIO *bio1, *bio2;
if (!BIO_new_bio_pair(&bio1, kBufferSize, &bio2, kBufferSize)) {
return false;
}
bssl::UniquePtr<BIO> bio1_scoper(bio1);
bssl::UniquePtr<BIO> bio2_scoper(bio2);
total_write += BioWriteZeroCopyWrapper(
bio1, bio1_application_send_buffer, kLengths[i]);
// This tests interleaved read/write calls. Do a read between zero copy
// write calls.
uint8_t *write_buf;
size_t write_buf_offset;
size_t available_bytes;
if (!BIO_zero_copy_get_write_buf(bio1, &write_buf, &write_buf_offset,
&available_bytes)) {
return false;
}
// Free kPartialLengths[j] bytes in the beginning of bio1 write buffer.
// This enables ring buffer wrap around for the next write.
total_read += BIO_read(bio2, bio2_application_recv_buffer + total_read,
kPartialLengths[j]);
size_t interleaved_write_len = std::min(kPartialLengths[j],
available_bytes);
// Write the data for the interleaved write call. If the buffer becomes
// empty after a read, the write offset is normally set to 0. Check that
// this does not happen for interleaved read/write and that
// |write_buf_offset| is still valid.
memcpy(write_buf + write_buf_offset,
bio1_application_send_buffer + total_write, interleaved_write_len);
if (BIO_zero_copy_get_write_buf_done(bio1, interleaved_write_len)) {
total_write += interleaved_write_len;
}
// Do another write in case |write_buf_offset| was wrapped.
total_write += BioWriteZeroCopyWrapper(
bio1, bio1_application_send_buffer + total_write,
kPartialLengths[j] - interleaved_write_len);
// Drain the rest.
size_t bytes_left = BIO_pending(bio2);
total_read += BioReadZeroCopyWrapper(
bio2, bio2_application_recv_buffer + total_read, bytes_left);
if (total_read != total_write) {
fprintf(stderr, "Lengths not equal in round (%u, %u)\n", (unsigned)i,
(unsigned)j);
return false;
}
if (total_read > kLengths[i] + kPartialLengths[j]) {
fprintf(stderr, "Bad lengths in round (%u, %u)\n", (unsigned)i,
(unsigned)j);
return false;
}
if (memcmp(bio1_application_send_buffer, bio2_application_recv_buffer,
total_read) != 0) {
fprintf(stderr, "Buffers not equal in round (%u, %u)\n", (unsigned)i,
(unsigned)j);
return false;
}
}
}
return true;
}
static bool TestPrintf() {
// Test a short output, a very long one, and various sizes around
// 256 (the size of the buffer) to ensure edge cases are correct.
@@ -152,7 +298,7 @@ static bool TestPrintf() {
fprintf(stderr, "Bad test string length\n");
return false;
}
OPENSSL_memset(string, 'a', sizeof(string));
memset(string, 'a', sizeof(string));
string[kLengths[i]] = '\0';
int ret = BIO_printf(bio.get(), "test %s", string);
@@ -198,8 +344,8 @@ static bool ReadASN1(bool should_succeed, const uint8_t *data, size_t data_len,
return false;
}
if (should_succeed && (out_len != expected_len ||
OPENSSL_memcmp(data, out, expected_len) != 0)) {
if (should_succeed &&
(out_len != expected_len || memcmp(data, out, expected_len) != 0)) {
return false;
}
@@ -227,8 +373,8 @@ static bool TestASN1() {
if (!large) {
return false;
}
OPENSSL_memset(large.get() + sizeof(kLargePrefix), 0, kLargePayloadLen);
OPENSSL_memcpy(large.get(), kLargePrefix, sizeof(kLargePrefix));
memset(large.get() + sizeof(kLargePrefix), 0, kLargePayloadLen);
memcpy(large.get(), kLargePrefix, sizeof(kLargePrefix));
if (!ReadASN1(true, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
sizeof(kLargePrefix) + kLargePayloadLen,
@@ -245,7 +391,7 @@ static bool TestASN1() {
}
static const uint8_t kIndefPrefix[] = {0x30, 0x80};
OPENSSL_memcpy(large.get(), kIndefPrefix, sizeof(kIndefPrefix));
memcpy(large.get(), kIndefPrefix, sizeof(kIndefPrefix));
if (!ReadASN1(true, large.get(), sizeof(kLargePrefix) + kLargePayloadLen,
sizeof(kLargePrefix) + kLargePayloadLen,
kLargePayloadLen*2)) {
@@ -263,137 +409,7 @@ static bool TestASN1() {
return true;
}
static bool TestPair() {
// Run through the tests twice, swapping |bio1| and |bio2|, for symmetry.
for (int i = 0; i < 2; i++) {
BIO *bio1, *bio2;
if (!BIO_new_bio_pair(&bio1, 10, &bio2, 10)) {
return false;
}
bssl::UniquePtr<BIO> free_bio1(bio1), free_bio2(bio2);
if (i == 1) {
std::swap(bio1, bio2);
}
// Check initial states.
if (BIO_ctrl_get_write_guarantee(bio1) != 10 ||
BIO_ctrl_get_read_request(bio1) != 0) {
return false;
}
// Data written in one end may be read out the other.
char buf[20];
if (BIO_write(bio1, "12345", 5) != 5 ||
BIO_ctrl_get_write_guarantee(bio1) != 5 ||
BIO_read(bio2, buf, sizeof(buf)) != 5 ||
OPENSSL_memcmp(buf, "12345", 5) != 0 ||
BIO_ctrl_get_write_guarantee(bio1) != 10) {
return false;
}
// Attempting to write more than 10 bytes will write partially.
if (BIO_write(bio1, "1234567890___", 13) != 10 ||
BIO_ctrl_get_write_guarantee(bio1) != 0 ||
BIO_write(bio1, "z", 1) != -1 ||
!BIO_should_write(bio1) ||
BIO_read(bio2, buf, sizeof(buf)) != 10 ||
OPENSSL_memcmp(buf, "1234567890", 10) != 0 ||
BIO_ctrl_get_write_guarantee(bio1) != 10) {
return false;
}
// Unsuccessful reads update the read request.
if (BIO_read(bio2, buf, 5) != -1 ||
!BIO_should_read(bio2) ||
BIO_ctrl_get_read_request(bio1) != 5) {
return false;
}
// The read request is clamped to the size of the buffer.
if (BIO_read(bio2, buf, 20) != -1 ||
!BIO_should_read(bio2) ||
BIO_ctrl_get_read_request(bio1) != 10) {
return false;
}
// Data may be written and read in chunks.
if (BIO_write(bio1, "12345", 5) != 5 ||
BIO_ctrl_get_write_guarantee(bio1) != 5 ||
BIO_write(bio1, "67890___", 8) != 5 ||
BIO_ctrl_get_write_guarantee(bio1) != 0 ||
BIO_read(bio2, buf, 3) != 3 ||
OPENSSL_memcmp(buf, "123", 3) != 0 ||
BIO_ctrl_get_write_guarantee(bio1) != 3 ||
BIO_read(bio2, buf, sizeof(buf)) != 7 ||
OPENSSL_memcmp(buf, "4567890", 7) != 0 ||
BIO_ctrl_get_write_guarantee(bio1) != 10) {
return false;
}
// Successful reads reset the read request.
if (BIO_ctrl_get_read_request(bio1) != 0) {
return false;
}
// Test writes and reads starting in the middle of the ring buffer and
// wrapping to front.
if (BIO_write(bio1, "abcdefgh", 8) != 8 ||
BIO_ctrl_get_write_guarantee(bio1) != 2 ||
BIO_read(bio2, buf, 3) != 3 ||
OPENSSL_memcmp(buf, "abc", 3) != 0 ||
BIO_ctrl_get_write_guarantee(bio1) != 5 ||
BIO_write(bio1, "ijklm___", 8) != 5 ||
BIO_ctrl_get_write_guarantee(bio1) != 0 ||
BIO_read(bio2, buf, sizeof(buf)) != 10 ||
OPENSSL_memcmp(buf, "defghijklm", 10) != 0 ||
BIO_ctrl_get_write_guarantee(bio1) != 10) {
return false;
}
// Data may flow from both ends in parallel.
if (BIO_write(bio1, "12345", 5) != 5 ||
BIO_write(bio2, "67890", 5) != 5 ||
BIO_read(bio2, buf, sizeof(buf)) != 5 ||
OPENSSL_memcmp(buf, "12345", 5) != 0 ||
BIO_read(bio1, buf, sizeof(buf)) != 5 ||
OPENSSL_memcmp(buf, "67890", 5) != 0) {
return false;
}
// Closing the write end causes an EOF on the read half, after draining.
if (BIO_write(bio1, "12345", 5) != 5 ||
!BIO_shutdown_wr(bio1) ||
BIO_read(bio2, buf, sizeof(buf)) != 5 ||
OPENSSL_memcmp(buf, "12345", 5) != 0 ||
BIO_read(bio2, buf, sizeof(buf)) != 0) {
return false;
}
// A closed write end may not be written to.
if (BIO_ctrl_get_write_guarantee(bio1) != 0 ||
BIO_write(bio1, "_____", 5) != -1) {
return false;
}
uint32_t err = ERR_get_error();
if (ERR_GET_LIB(err) != ERR_LIB_BIO ||
ERR_GET_REASON(err) != BIO_R_BROKEN_PIPE) {
return false;
}
// The other end is still functional.
if (BIO_write(bio2, "12345", 5) != 5 ||
BIO_read(bio1, buf, sizeof(buf)) != 5 ||
OPENSSL_memcmp(buf, "12345", 5) != 0) {
return false;
}
}
return true;
}
int main() {
int main(void) {
CRYPTO_library_init();
#if defined(OPENSSL_WINDOWS)
@@ -413,8 +429,8 @@ int main() {
if (!TestSocketConnect() ||
!TestPrintf() ||
!TestASN1() ||
!TestPair()) {
!TestZeroCopyBioPairs() ||
!TestASN1()) {
return 1;
}
crypto/bio/buffer.c
+16 -6
View File
@@ -62,8 +62,6 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
#define DEFAULT_BUFFER_SIZE 4096
@@ -96,7 +94,7 @@ static int buffer_new(BIO *bio) {
if (ctx == NULL) {
return 0;
}
OPENSSL_memset(ctx, 0, sizeof(BIO_F_BUFFER_CTX));
memset(ctx, 0, sizeof(BIO_F_BUFFER_CTX));
ctx->ibuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE);
if (ctx->ibuf == NULL) {
@@ -160,7 +158,7 @@ static int buffer_read(BIO *bio, char *out, int outl) {
if (i > outl) {
i = outl;
}
OPENSSL_memcpy(out, &ctx->ibuf[ctx->ibuf_off], i);
memcpy(out, &ctx->ibuf[ctx->ibuf_off], i);
ctx->ibuf_off += i;
ctx->ibuf_len -= i;
num += i;
@@ -224,7 +222,7 @@ static int buffer_write(BIO *b, const char *in, int inl) {
i = ctx->obuf_size - (ctx->obuf_off + ctx->obuf_len);
/* add to buffer and return */
if (i >= inl) {
OPENSSL_memcpy(&ctx->obuf[ctx->obuf_off + ctx->obuf_len], in, inl);
memcpy(&ctx->obuf[ctx->obuf_off + ctx->obuf_len], in, inl);
ctx->obuf_len += inl;
return num + inl;
}
@@ -232,7 +230,7 @@ static int buffer_write(BIO *b, const char *in, int inl) {
/* stuff already in buffer, so add to it first, then flush */
if (ctx->obuf_len != 0) {
if (i > 0) {
OPENSSL_memcpy(&ctx->obuf[ctx->obuf_off + ctx->obuf_len], in, i);
memcpy(&ctx->obuf[ctx->obuf_off + ctx->obuf_len], in, i);
in += i;
inl -= i;
num += i;
@@ -312,10 +310,22 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr) {
case BIO_CTRL_WPENDING:
ret = (long)ctx->obuf_len;
if (ret == 0) {
if (b->next_bio == NULL) {
return 0;
}
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
}
break;
case BIO_CTRL_PENDING:
ret = (long)ctx->ibuf_len;
if (ret == 0) {
if (b->next_bio == NULL) {
return 0;
}
ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
}
break;
case BIO_C_SET_BUFF_SIZE:
crypto/bio/connect.c
+1 -2
View File
@@ -77,7 +77,6 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
#include <openssl/mem.h>
#include "internal.h"
#include "../internal.h"
enum {
@@ -299,7 +298,7 @@ static BIO_CONNECT *BIO_CONNECT_new(void) {
if (ret == NULL) {
return NULL;
}
OPENSSL_memset(ret, 0, sizeof(BIO_CONNECT));
memset(ret, 0, sizeof(BIO_CONNECT));
ret->state = BIO_CONN_S_BEFORE;
return ret;
crypto/bio/hexdump.c
+2 -4
View File
@@ -59,8 +59,6 @@
#include <limits.h>
#include <string.h>
#include "../internal.h"
/* hexdump_ctx contains the state of a hexdump. */
struct hexdump_ctx {
@@ -156,7 +154,7 @@ static int finish(struct hexdump_ctx *ctx) {
return 1;
}
OPENSSL_memset(buf, ' ', 4);
memset(buf, ' ', 4);
buf[4] = '|';
for (; ctx->used < 16; ctx->used++) {
@@ -181,7 +179,7 @@ static int finish(struct hexdump_ctx *ctx) {
int BIO_hexdump(BIO *bio, const uint8_t *data, size_t len, unsigned indent) {
struct hexdump_ctx ctx;
OPENSSL_memset(&ctx, 0, sizeof(ctx));
memset(&ctx, 0, sizeof(ctx));
ctx.bio = bio;
ctx.indent = indent;
crypto/bio/pair.c
+338 -28
View File
@@ -59,8 +59,6 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
struct bio_bio_st {
BIO *peer; /* NULL if buf == NULL.
@@ -74,6 +72,12 @@ struct bio_bio_st {
size_t offset; /* valid iff buf != NULL; 0 if len == 0 */
size_t size;
uint8_t *buf; /* "size" elements (if != NULL) */
char buf_externally_allocated; /* true iff buf was externally allocated. */
char zero_copy_read_lock; /* true iff a zero copy read operation
* is in progress. */
char zero_copy_write_lock; /* true iff a zero copy write operation
* is in progress. */
size_t request; /* valid iff peer != NULL; 0 if len != 0,
* otherwise set by peer to number of bytes
@@ -88,7 +92,7 @@ static int bio_new(BIO *bio) {
if (b == NULL) {
return 0;
}
OPENSSL_memset(b, 0, sizeof(struct bio_bio_st));
memset(b, 0, sizeof(struct bio_bio_st));
b->size = 17 * 1024; /* enough for one TLS record (just a default) */
bio->ptr = b;
@@ -141,12 +145,263 @@ static int bio_free(BIO *bio) {
bio_destroy_pair(bio);
}
OPENSSL_free(b->buf);
if (!b->buf_externally_allocated) {
OPENSSL_free(b->buf);
}
OPENSSL_free(b);
return 1;
}
static size_t bio_zero_copy_get_read_buf(struct bio_bio_st* peer_b,
uint8_t** out_read_buf,
size_t* out_buf_offset) {
size_t max_available;
if (peer_b->len > peer_b->size - peer_b->offset) {
/* Only the first half of the ring buffer can be read. */
max_available = peer_b->size - peer_b->offset;
} else {
max_available = peer_b->len;
}
*out_read_buf = peer_b->buf;
*out_buf_offset = peer_b->offset;
return max_available;
}
int BIO_zero_copy_get_read_buf(BIO* bio, uint8_t** out_read_buf,
size_t* out_buf_offset,
size_t* out_available_bytes) {
struct bio_bio_st* b;
struct bio_bio_st* peer_b;
size_t max_available;
*out_available_bytes = 0;
BIO_clear_retry_flags(bio);
if (!bio->init) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
return 0;
}
b = bio->ptr;
if (!b || !b->peer) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
return 0;
}
peer_b = b->peer->ptr;
if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
return 0;
}
if (peer_b->zero_copy_read_lock) {
OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
return 0;
}
peer_b->request = 0; /* Is not used by zero-copy API. */
max_available =
bio_zero_copy_get_read_buf(peer_b, out_read_buf, out_buf_offset);
assert(peer_b->buf != NULL);
if (max_available > 0) {
peer_b->zero_copy_read_lock = 1;
}
*out_available_bytes = max_available;
return 1;
}
int BIO_zero_copy_get_read_buf_done(BIO* bio, size_t bytes_read) {
struct bio_bio_st* b;
struct bio_bio_st* peer_b;
size_t max_available;
size_t dummy_read_offset;
uint8_t* dummy_read_buf;
assert(BIO_get_retry_flags(bio) == 0);
if (!bio->init) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
return 0;
}
b = bio->ptr;
if (!b || !b->peer) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
return 0;
}
peer_b = b->peer->ptr;
if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
return 0;
}
if (!peer_b->zero_copy_read_lock) {
OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
return 0;
}
max_available =
bio_zero_copy_get_read_buf(peer_b, &dummy_read_buf, &dummy_read_offset);
if (bytes_read > max_available) {
OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
return 0;
}
assert(peer_b->len >= bytes_read);
peer_b->len -= bytes_read;
assert(peer_b->offset + bytes_read <= peer_b->size);
/* Move read offset. If zero_copy_write_lock == 1 we must advance the
* offset even if buffer becomes empty, to make sure
* write_offset = (offset + len) mod size does not change. */
if (peer_b->offset + bytes_read == peer_b->size ||
(!peer_b->zero_copy_write_lock && peer_b->len == 0)) {
peer_b->offset = 0;
} else {
peer_b->offset += bytes_read;
}
bio->num_read += bytes_read;
peer_b->zero_copy_read_lock = 0;
return 1;
}
static size_t bio_zero_copy_get_write_buf(struct bio_bio_st* b,
uint8_t** out_write_buf,
size_t* out_buf_offset) {
size_t write_offset;
size_t max_available;
assert(b->len <= b->size);
write_offset = b->offset + b->len;
if (write_offset >= b->size) {
/* Only the first half of the ring buffer can be written to. */
write_offset -= b->size;
/* write up to the start of the ring buffer. */
max_available = b->offset - write_offset;
} else {
/* write up to the end the buffer. */
max_available = b->size - write_offset;
}
*out_write_buf = b->buf;
*out_buf_offset = write_offset;
return max_available;
}
int BIO_zero_copy_get_write_buf(BIO* bio, uint8_t** out_write_buf,
size_t* out_buf_offset,
size_t* out_available_bytes) {
struct bio_bio_st* b;
struct bio_bio_st* peer_b;
size_t max_available;
*out_available_bytes = 0;
BIO_clear_retry_flags(bio);
if (!bio->init) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
return 0;
}
b = bio->ptr;
if (!b || !b->buf || !b->peer) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
return 0;
}
peer_b = b->peer->ptr;
if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
return 0;
}
assert(b->buf != NULL);
if (b->zero_copy_write_lock) {
OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
return 0;
}
b->request = 0;
if (b->closed) {
/* Bio is already closed. */
OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
return 0;
}
max_available = bio_zero_copy_get_write_buf(b, out_write_buf, out_buf_offset);
if (max_available > 0) {
b->zero_copy_write_lock = 1;
}
*out_available_bytes = max_available;
return 1;
}
int BIO_zero_copy_get_write_buf_done(BIO* bio, size_t bytes_written) {
struct bio_bio_st* b;
struct bio_bio_st* peer_b;
size_t rest;
size_t dummy_write_offset;
uint8_t* dummy_write_buf;
if (!bio->init) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);
return 0;
}
b = bio->ptr;
if (!b || !b->buf || !b->peer) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
return 0;
}
peer_b = b->peer->ptr;
if (!peer_b || !peer_b->peer || peer_b->peer->ptr != b) {
OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);
return 0;
}
b->request = 0;
if (b->closed) {
/* BIO is already closed. */
OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);
return 0;
}
if (!b->zero_copy_write_lock) {
OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
return 0;
}
rest = bio_zero_copy_get_write_buf(b, &dummy_write_buf, &dummy_write_offset);
if (bytes_written > rest) {
OPENSSL_PUT_ERROR(BIO, BIO_R_INVALID_ARGUMENT);
return 0;
}
bio->num_write += bytes_written;
/* Move write offset. */
b->len += bytes_written;
b->zero_copy_write_lock = 0;
return 1;
}
static int bio_read(BIO *bio, char *buf, int size_) {
size_t size = size_;
size_t rest;
@@ -167,7 +422,7 @@ static int bio_read(BIO *bio, char *buf, int size_) {
peer_b->request = 0; /* will be set in "retry_read" situation */
if (buf == NULL || size == 0) {
if (buf == NULL || size == 0 || peer_b->zero_copy_read_lock) {
return 0;
}
@@ -209,10 +464,13 @@ static int bio_read(BIO *bio, char *buf, int size_) {
}
assert(peer_b->offset + chunk <= peer_b->size);
OPENSSL_memcpy(buf, peer_b->buf + peer_b->offset, chunk);
memcpy(buf, peer_b->buf + peer_b->offset, chunk);
peer_b->len -= chunk;
if (peer_b->len) {
/* If zero_copy_write_lock == 1 we must advance the offset even if buffer
* becomes empty, to make sure write_offset = (offset + len) % size
* does not change. */
if (peer_b->len || peer_b->zero_copy_write_lock) {
peer_b->offset += chunk;
assert(peer_b->offset <= peer_b->size);
if (peer_b->offset == peer_b->size) {
@@ -246,6 +504,10 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
assert(b->peer != NULL);
assert(b->buf != NULL);
if (b->zero_copy_write_lock) {
return 0;
}
b->request = 0;
if (b->closed) {
/* we already closed */
@@ -289,7 +551,7 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
chunk = b->size - write_offset;
}
OPENSSL_memcpy(b->buf + write_offset, buf, chunk);
memcpy(b->buf + write_offset, buf, chunk);
b->len += chunk;
@@ -302,8 +564,9 @@ static int bio_write(BIO *bio, const char *buf, int num_) {
return num;
}
static int bio_make_pair(BIO *bio1, BIO *bio2, size_t writebuf1_len,
size_t writebuf2_len) {
static int bio_make_pair(BIO* bio1, BIO* bio2,
size_t writebuf1_len, uint8_t* ext_writebuf1,
size_t writebuf2_len, uint8_t* ext_writebuf2) {
struct bio_bio_st *b1, *b2;
assert(bio1 != NULL);
@@ -317,14 +580,23 @@ static int bio_make_pair(BIO *bio1, BIO *bio2, size_t writebuf1_len,
return 0;
}
assert(b1->buf_externally_allocated == 0);
assert(b2->buf_externally_allocated == 0);
if (b1->buf == NULL) {
if (writebuf1_len) {
b1->size = writebuf1_len;
}
b1->buf = OPENSSL_malloc(b1->size);
if (b1->buf == NULL) {
OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
return 0;
if (!ext_writebuf1) {
b1->buf_externally_allocated = 0;
b1->buf = OPENSSL_malloc(b1->size);
if (b1->buf == NULL) {
OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
return 0;
}
} else {
b1->buf = ext_writebuf1;
b1->buf_externally_allocated = 1;
}
b1->len = 0;
b1->offset = 0;
@@ -334,10 +606,16 @@ static int bio_make_pair(BIO *bio1, BIO *bio2, size_t writebuf1_len,
if (writebuf2_len) {
b2->size = writebuf2_len;
}
b2->buf = OPENSSL_malloc(b2->size);
if (b2->buf == NULL) {
OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
return 0;
if (!ext_writebuf2) {
b2->buf_externally_allocated = 0;
b2->buf = OPENSSL_malloc(b2->size);
if (b2->buf == NULL) {
OPENSSL_PUT_ERROR(BIO, ERR_R_MALLOC_FAILURE);
return 0;
}
} else {
b2->buf = ext_writebuf2;
b2->buf_externally_allocated = 1;
}
b2->len = 0;
b2->offset = 0;
@@ -346,9 +624,13 @@ static int bio_make_pair(BIO *bio1, BIO *bio2, size_t writebuf1_len,
b1->peer = bio2;
b1->closed = 0;
b1->request = 0;
b1->zero_copy_read_lock = 0;
b1->zero_copy_write_lock = 0;
b2->peer = bio1;
b2->closed = 0;
b2->request = 0;
b2->zero_copy_read_lock = 0;
b2->zero_copy_write_lock = 0;
bio1->init = 1;
bio2->init = 1;
@@ -462,22 +744,50 @@ static const BIO_METHOD methods_biop = {
static const BIO_METHOD *bio_s_bio(void) { return &methods_biop; }
int BIO_new_bio_pair(BIO** bio1_p, size_t writebuf1_len,
BIO** bio2_p, size_t writebuf2_len) {
BIO *bio1 = BIO_new(bio_s_bio());
BIO *bio2 = BIO_new(bio_s_bio());
if (bio1 == NULL || bio2 == NULL ||
!bio_make_pair(bio1, bio2, writebuf1_len, writebuf2_len)) {
int BIO_new_bio_pair(BIO** bio1_p, size_t writebuf1,
BIO** bio2_p, size_t writebuf2) {
return BIO_new_bio_pair_external_buf(bio1_p, writebuf1, NULL, bio2_p,
writebuf2, NULL);
}
int BIO_new_bio_pair_external_buf(BIO** bio1_p, size_t writebuf1_len,
uint8_t* ext_writebuf1,
BIO** bio2_p, size_t writebuf2_len,
uint8_t* ext_writebuf2) {
BIO *bio1 = NULL, *bio2 = NULL;
int ret = 0;
/* External buffers must have sizes greater than 0. */
if ((ext_writebuf1 && !writebuf1_len) || (ext_writebuf2 && !writebuf2_len)) {
goto err;
}
bio1 = BIO_new(bio_s_bio());
if (bio1 == NULL) {
goto err;
}
bio2 = BIO_new(bio_s_bio());
if (bio2 == NULL) {
goto err;
}
if (!bio_make_pair(bio1, bio2, writebuf1_len, ext_writebuf1, writebuf2_len,
ext_writebuf2)) {
goto err;
}
ret = 1;
err:
if (ret == 0) {
BIO_free(bio1);
bio1 = NULL;
BIO_free(bio2);
*bio1_p = NULL;
*bio2_p = NULL;
return 0;
bio2 = NULL;
}
*bio1_p = bio1;
*bio2_p = bio2;
return 1;
return ret;
}
size_t BIO_ctrl_get_read_request(BIO *bio) {
crypto/bio/socket.c
+1 -1
View File
@@ -67,7 +67,7 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
OPENSSL_MSVC_PRAGMA(warning(pop))
OPENSSL_MSVC_PRAGMA(comment(lib, "Ws2_32.lib"))
#pragma comment(lib, "Ws2_32.lib")
#endif
#include "internal.h"
crypto/bio/socket_helper.c
+3 -4
View File
@@ -33,7 +33,6 @@ OPENSSL_MSVC_PRAGMA(warning(pop))
#endif
#include "internal.h"
#include "../internal.h"
int bio_ip_and_port_to_socket_and_addr(int *out_sock,
@@ -46,7 +45,7 @@ int bio_ip_and_port_to_socket_and_addr(int *out_sock,
*out_sock = -1;
OPENSSL_memset(&hint, 0, sizeof(hint));
memset(&hint, 0, sizeof(hint));
hint.ai_family = AF_UNSPEC;
hint.ai_socktype = SOCK_STREAM;
@@ -63,8 +62,8 @@ int bio_ip_and_port_to_socket_and_addr(int *out_sock,
if ((size_t) cur->ai_addrlen > sizeof(struct sockaddr_storage)) {
continue;
}
OPENSSL_memset(out_addr, 0, sizeof(struct sockaddr_storage));
OPENSSL_memcpy(out_addr, cur->ai_addr, cur->ai_addrlen);
memset(out_addr, 0, sizeof(struct sockaddr_storage));
memcpy(out_addr, cur->ai_addr, cur->ai_addrlen);
*out_addr_length = cur->ai_addrlen;
*out_sock = socket(cur->ai_family, cur->ai_socktype, cur->ai_protocol);
crypto/bn/CMakeLists.txt
+2
View File
@@ -6,6 +6,7 @@ if (${ARCH} STREQUAL "x86_64")
x86_64-mont.${ASM_EXT}
x86_64-mont5.${ASM_EXT}
rsaz-x86_64.${ASM_EXT}
rsaz-avx2.${ASM_EXT}
rsaz_exp.c
@@ -68,6 +69,7 @@ add_library(
perlasm(x86_64-mont.${ASM_EXT} asm/x86_64-mont.pl)
perlasm(x86_64-mont5.${ASM_EXT} asm/x86_64-mont5.pl)
perlasm(rsaz-x86_64.${ASM_EXT} asm/rsaz-x86_64.pl)
perlasm(rsaz-avx2.${ASM_EXT} asm/rsaz-avx2.pl)
perlasm(bn-586.${ASM_EXT} asm/bn-586.pl)
perlasm(co-586.${ASM_EXT} asm/co-586.pl)
crypto/bn/add.c
+1 -1
View File
@@ -314,7 +314,7 @@ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {
}
if (dif > 0 && rp != ap) {
OPENSSL_memcpy(rp, ap, sizeof(*rp) * dif);
memcpy(rp, ap, sizeof(*rp) * dif);
}
r->top = max;
crypto/bn/asm/rsaz-x86_64.pl
Executable
+2338
View File
File diff suppressed because it is too large Load Diff
crypto/bn/asm/x86_64-gcc.c
+10 -11
View File
@@ -80,7 +80,7 @@
: "+m"(r), "+d"(high) \
: "r"(carry), "g"(0) \
: "cc"); \
(carry) = high; \
carry = high; \
} while (0)
#define mul(r, a, word, carry) \
@@ -91,8 +91,7 @@
: "+r"(carry), "+d"(high) \
: "a"(low), "g"(0) \
: "cc"); \
(r) = (carry); \
(carry) = high; \
(r) = carry, carry = high; \
} while (0)
#undef sqr
#define sqr(r0, r1, a) asm("mulq %2" : "=a"(r0), "=d"(r1) : "a"(a) : "cc");
@@ -257,14 +256,14 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
: "cc"); \
} while (0)
#define sqr_add_c(a, i, c0, c1, c2) \
do { \
BN_ULONG t1, t2; \
asm("mulq %2" : "=a"(t1), "=d"(t2) : "a"((a)[i]) : "cc"); \
asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
: "+r"(c0), "+r"(c1), "+r"(c2) \
: "r"(t1), "r"(t2), "g"(0) \
: "cc"); \
#define sqr_add_c(a, i, c0, c1, c2) \
do { \
BN_ULONG t1, t2; \
asm("mulq %2" : "=a"(t1), "=d"(t2) : "a"(a[i]) : "cc"); \
asm("addq %3,%0; adcq %4,%1; adcq %5,%2" \
: "+r"(c0), "+r"(c1), "+r"(c2) \
: "r"(t1), "r"(t2), "g"(0) \
: "cc"); \
} while (0)
#define mul_add_c2(a, b, c0, c1, c2) \
crypto/bn/asm/x86_64-mont.pl
+3 -2
View File
@@ -1059,17 +1059,18 @@ $code.=<<___;
mulx 2*8($aptr),%r15,%r13 # ...
adox -3*8($tptr),%r11
adcx %r15,%r12
adox -2*8($tptr),%r12
adox $zero,%r12
adcx $zero,%r13
adox $zero,%r13
mov $bptr,8(%rsp) # off-load &b[i]
.byte 0x67
mov $mi,%r15
imulq 24(%rsp),$mi # "t[0]"*n0
xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0
mulx 3*8($aptr),%rax,%r14
mov $mi,%rdx
adox -2*8($tptr),%r12
adcx %rax,%r13
adox -1*8($tptr),%r13
adcx $zero,%r14
crypto/bn/bn.c
+20 -6
View File
@@ -73,14 +73,14 @@ BIGNUM *BN_new(void) {
return NULL;
}
OPENSSL_memset(bn, 0, sizeof(BIGNUM));
memset(bn, 0, sizeof(BIGNUM));
bn->flags = BN_FLG_MALLOCED;
return bn;
}
void BN_init(BIGNUM *bn) {
OPENSSL_memset(bn, 0, sizeof(BIGNUM));
memset(bn, 0, sizeof(BIGNUM));
}
void BN_free(BIGNUM *bn) {
@@ -149,7 +149,7 @@ BIGNUM *BN_copy(BIGNUM *dest, const BIGNUM *src) {
return NULL;
}
OPENSSL_memcpy(dest->d, src->d, sizeof(src->d[0]) * src->top);
memcpy(dest->d, src->d, sizeof(src->d[0]) * src->top);
dest->top = src->top;
dest->neg = src->neg;
@@ -158,7 +158,7 @@ BIGNUM *BN_copy(BIGNUM *dest, const BIGNUM *src) {
void BN_clear(BIGNUM *bn) {
if (bn->d != NULL) {
OPENSSL_memset(bn->d, 0, bn->dmax * sizeof(bn->d[0]));
memset(bn->d, 0, bn->dmax * sizeof(bn->d[0]));
}
bn->top = 0;
@@ -172,6 +172,12 @@ const BIGNUM *BN_value_one(void) {
return &kOne;
}
void BN_with_flags(BIGNUM *out, const BIGNUM *in, int flags) {
memcpy(out, in, sizeof(BIGNUM));
out->flags &= ~BN_FLG_MALLOCED;
out->flags |= BN_FLG_STATIC_DATA | flags;
}
/* BN_num_bits_word returns the minimum number of bits needed to represent the
* value in |l|. */
unsigned BN_num_bits_word(BN_ULONG l) {
@@ -286,7 +292,7 @@ int bn_set_words(BIGNUM *bn, const BN_ULONG *words, size_t num) {
if (bn_wexpand(bn, num) == NULL) {
return 0;
}
OPENSSL_memmove(bn->d, words, num * sizeof(BN_ULONG));
memmove(bn->d, words, num * sizeof(BN_ULONG));
/* |bn_wexpand| verified that |num| isn't too large. */
bn->top = (int)num;
bn_correct_top(bn);
@@ -329,7 +335,7 @@ BIGNUM *bn_wexpand(BIGNUM *bn, size_t words) {
return NULL;
}
OPENSSL_memcpy(a, bn->d, sizeof(BN_ULONG) * bn->top);
memcpy(a, bn->d, sizeof(BN_ULONG) * bn->top);
OPENSSL_free(bn->d);
bn->d = a;
@@ -363,3 +369,11 @@ void bn_correct_top(BIGNUM *bn) {
bn->neg = 0;
}
}
int BN_get_flags(const BIGNUM *bn, int flags) {
return bn->flags & flags;
}
void BN_set_flags(BIGNUM *bn, int flags) {
bn->flags |= flags;
}
crypto/bn/bn_test.cc
+74 -225
View File
@@ -340,7 +340,7 @@ static bool TestSquare(FileTest *t, BN_CTX *ctx) {
BN_zero(zero.get());
bssl::UniquePtr<BIGNUM> ret(BN_new()), remainder(BN_new());
if (!ret || !remainder ||
if (!ret ||
!BN_sqr(ret.get(), a.get(), ctx) ||
!ExpectBIGNUMsEqual(t, "A^2", square.get(), ret.get()) ||
!BN_mul(ret.get(), a.get(), a.get(), ctx) ||
@@ -568,25 +568,21 @@ static bool TestModSqrt(FileTest *t, BN_CTX *ctx) {
bssl::UniquePtr<BIGNUM> a = GetBIGNUM(t, "A");
bssl::UniquePtr<BIGNUM> p = GetBIGNUM(t, "P");
bssl::UniquePtr<BIGNUM> mod_sqrt = GetBIGNUM(t, "ModSqrt");
bssl::UniquePtr<BIGNUM> mod_sqrt2(BN_new());
if (!a || !p || !mod_sqrt || !mod_sqrt2 ||
// There are two possible answers.
!BN_sub(mod_sqrt2.get(), p.get(), mod_sqrt.get())) {
if (!a || !p || !mod_sqrt) {
return false;
}
// -0 is 0, not P.
if (BN_is_zero(mod_sqrt.get())) {
BN_zero(mod_sqrt2.get());
}
bssl::UniquePtr<BIGNUM> ret(BN_new());
bssl::UniquePtr<BIGNUM> ret2(BN_new());
if (!ret ||
!BN_mod_sqrt(ret.get(), a.get(), p.get(), ctx)) {
!ret2 ||
!BN_mod_sqrt(ret.get(), a.get(), p.get(), ctx) ||
// There are two possible answers.
!BN_sub(ret2.get(), p.get(), ret.get())) {
return false;
}
if (BN_cmp(ret.get(), mod_sqrt2.get()) != 0 &&
if (BN_cmp(ret2.get(), mod_sqrt.get()) != 0 &&
!ExpectBIGNUMsEqual(t, "sqrt(A) (mod P)", mod_sqrt.get(), ret.get())) {
return false;
}
@@ -594,29 +590,6 @@ static bool TestModSqrt(FileTest *t, BN_CTX *ctx) {
return true;
}
static bool TestNotModSquare(FileTest *t, BN_CTX *ctx) {
bssl::UniquePtr<BIGNUM> not_mod_square = GetBIGNUM(t, "NotModSquare");
bssl::UniquePtr<BIGNUM> p = GetBIGNUM(t, "P");
bssl::UniquePtr<BIGNUM> ret(BN_new());
if (!not_mod_square || !p || !ret) {
return false;
}
if (BN_mod_sqrt(ret.get(), not_mod_square.get(), p.get(), ctx)) {
t->PrintLine("BN_mod_sqrt unexpectedly succeeded.");
return false;
}
uint32_t err = ERR_peek_error();
if (ERR_GET_LIB(err) == ERR_LIB_BN &&
ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
ERR_clear_error();
return true;
}
return false;
}
static bool TestModInv(FileTest *t, BN_CTX *ctx) {
bssl::UniquePtr<BIGNUM> a = GetBIGNUM(t, "A");
bssl::UniquePtr<BIGNUM> m = GetBIGNUM(t, "M");
@@ -632,6 +605,15 @@ static bool TestModInv(FileTest *t, BN_CTX *ctx) {
return false;
}
BN_set_flags(a.get(), BN_FLG_CONSTTIME);
if (!ret ||
!BN_mod_inverse(ret.get(), a.get(), m.get(), ctx) ||
!ExpectBIGNUMsEqual(t, "inv(A) (mod M) (constant-time)", mod_inv.get(),
ret.get())) {
return false;
}
return true;
}
@@ -652,7 +634,6 @@ static const Test kTests[] = {
{"ModExp", TestModExp},
{"Exp", TestExp},
{"ModSqrt", TestModSqrt},
{"NotModSquare", TestNotModSquare},
{"ModInv", TestModInv},
};
@@ -671,7 +652,7 @@ static bool RunTest(FileTest *t, void *arg) {
static bool TestBN2BinPadded(BN_CTX *ctx) {
uint8_t zeros[256], out[256], reference[128];
OPENSSL_memset(zeros, 0, sizeof(zeros));
memset(zeros, 0, sizeof(zeros));
// Test edge case at 0.
bssl::UniquePtr<BIGNUM> n(BN_new());
@@ -680,13 +661,13 @@ static bool TestBN2BinPadded(BN_CTX *ctx) {
"BN_bn2bin_padded failed to encode 0 in an empty buffer.\n");
return false;
}
OPENSSL_memset(out, -1, sizeof(out));
memset(out, -1, sizeof(out));
if (!BN_bn2bin_padded(out, sizeof(out), n.get())) {
fprintf(stderr,
"BN_bn2bin_padded failed to encode 0 in a non-empty buffer.\n");
return false;
}
if (OPENSSL_memcmp(zeros, out, sizeof(out))) {
if (memcmp(zeros, out, sizeof(out))) {
fprintf(stderr, "BN_bn2bin_padded did not zero buffer.\n");
return false;
}
@@ -715,21 +696,20 @@ static bool TestBN2BinPadded(BN_CTX *ctx) {
}
// Exactly right size should encode.
if (!BN_bn2bin_padded(out, bytes, n.get()) ||
OPENSSL_memcmp(out, reference, bytes) != 0) {
memcmp(out, reference, bytes) != 0) {
fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
return false;
}
// Pad up one byte extra.
if (!BN_bn2bin_padded(out, bytes + 1, n.get()) ||
OPENSSL_memcmp(out + 1, reference, bytes) ||
OPENSSL_memcmp(out, zeros, 1)) {
memcmp(out + 1, reference, bytes) || memcmp(out, zeros, 1)) {
fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
return false;
}
// Pad up to 256.
if (!BN_bn2bin_padded(out, sizeof(out), n.get()) ||
OPENSSL_memcmp(out + sizeof(out) - bytes, reference, bytes) ||
OPENSSL_memcmp(out, zeros, sizeof(out) - bytes)) {
memcmp(out + sizeof(out) - bytes, reference, bytes) ||
memcmp(out, zeros, sizeof(out) - bytes)) {
fprintf(stderr, "BN_bn2bin_padded gave a bad result.\n");
return false;
}
@@ -738,82 +718,6 @@ static bool TestBN2BinPadded(BN_CTX *ctx) {
return true;
}
static bool TestLittleEndian() {
bssl::UniquePtr<BIGNUM> x(BN_new());
bssl::UniquePtr<BIGNUM> y(BN_new());
if (!x || !y) {
fprintf(stderr, "BN_new failed to malloc.\n");
return false;
}
// Test edge case at 0. Fill |out| with garbage to ensure |BN_bn2le_padded|
// wrote the result.
uint8_t out[256], zeros[256];
OPENSSL_memset(out, -1, sizeof(out));
OPENSSL_memset(zeros, 0, sizeof(zeros));
if (!BN_bn2le_padded(out, sizeof(out), x.get()) ||
OPENSSL_memcmp(zeros, out, sizeof(out))) {
fprintf(stderr, "BN_bn2le_padded failed to encode 0.\n");
return false;
}
if (!BN_le2bn(out, sizeof(out), y.get()) ||
BN_cmp(x.get(), y.get()) != 0) {
fprintf(stderr, "BN_le2bn failed to decode 0 correctly.\n");
return false;
}
// Test random numbers at various byte lengths.
for (size_t bytes = 128 - 7; bytes <= 128; bytes++) {
if (!BN_rand(x.get(), bytes * 8, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) {
ERR_print_errors_fp(stderr);
return false;
}
// Fill |out| with garbage to ensure |BN_bn2le_padded| wrote the result.
OPENSSL_memset(out, -1, sizeof(out));
if (!BN_bn2le_padded(out, sizeof(out), x.get())) {
fprintf(stderr, "BN_bn2le_padded failed to encode random value.\n");
return false;
}
// Compute the expected value by reversing the big-endian output.
uint8_t expected[sizeof(out)];
if (!BN_bn2bin_padded(expected, sizeof(expected), x.get())) {
return false;
}
for (size_t i = 0; i < sizeof(expected) / 2; i++) {
uint8_t tmp = expected[i];
expected[i] = expected[sizeof(expected) - 1 - i];
expected[sizeof(expected) - 1 - i] = tmp;
}
if (OPENSSL_memcmp(expected, out, sizeof(out))) {
fprintf(stderr, "BN_bn2le_padded failed to encode value correctly.\n");
hexdump(stderr, "Expected: ", expected, sizeof(expected));
hexdump(stderr, "Got: ", out, sizeof(out));
return false;
}
// Make sure the decoding produces the same BIGNUM.
if (!BN_le2bn(out, bytes, y.get()) ||
BN_cmp(x.get(), y.get()) != 0) {
bssl::UniquePtr<char> x_hex(BN_bn2hex(x.get())),
y_hex(BN_bn2hex(y.get()));
if (!x_hex || !y_hex) {
return false;
}
fprintf(stderr, "BN_le2bn failed to decode value correctly.\n");
fprintf(stderr, "Expected: %s\n", x_hex.get());
hexdump(stderr, "Encoding: ", out, bytes);
fprintf(stderr, "Got: %s\n", y_hex.get());
return false;
}
}
return true;
}
static int DecimalToBIGNUM(bssl::UniquePtr<BIGNUM> *out, const char *in) {
BIGNUM *raw = NULL;
int ret = BN_dec2bn(&raw, in);
@@ -972,10 +876,6 @@ static bool TestMPI() {
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMPITests); i++) {
const MPITest &test = kMPITests[i];
bssl::UniquePtr<BIGNUM> bn(ASCIIToBIGNUM(test.base10));
if (!bn) {
return false;
}
const size_t mpi_len = BN_bn2mpi(bn.get(), NULL);
if (mpi_len > sizeof(scratch)) {
fprintf(stderr, "MPI test #%u: MPI size is too large to test.\n",
@@ -990,7 +890,7 @@ static bool TestMPI() {
}
if (mpi_len != test.mpi_len ||
OPENSSL_memcmp(test.mpi, scratch, mpi_len) != 0) {
memcmp(test.mpi, scratch, mpi_len) != 0) {
fprintf(stderr, "MPI test #%u failed:\n", (unsigned)i);
hexdump(stderr, "Expected: ", test.mpi, test.mpi_len);
hexdump(stderr, "Got: ", scratch, mpi_len);
@@ -1120,18 +1020,19 @@ static bool TestASN1() {
}
// Test the value serializes correctly.
bssl::ScopedCBB cbb;
CBB cbb;
uint8_t *der;
size_t der_len;
if (!CBB_init(cbb.get(), 0) ||
!BN_marshal_asn1(cbb.get(), bn.get()) ||
!CBB_finish(cbb.get(), &der, &der_len)) {
CBB_zero(&cbb);
if (!CBB_init(&cbb, 0) ||
!BN_marshal_asn1(&cbb, bn.get()) ||
!CBB_finish(&cbb, &der, &der_len)) {
CBB_cleanup(&cbb);
return false;
}
bssl::UniquePtr<uint8_t> delete_der(der);
if (der_len != test.der_len ||
OPENSSL_memcmp(der, reinterpret_cast<const uint8_t *>(test.der),
der_len) != 0) {
memcmp(der, reinterpret_cast<const uint8_t*>(test.der), der_len) != 0) {
fprintf(stderr, "Bad serialization.\n");
return false;
}
@@ -1209,13 +1110,16 @@ static bool TestASN1() {
if (!bn) {
return false;
}
bssl::ScopedCBB cbb;
if (!CBB_init(cbb.get(), 0) ||
BN_marshal_asn1(cbb.get(), bn.get())) {
CBB cbb;
CBB_zero(&cbb);
if (!CBB_init(&cbb, 0) ||
BN_marshal_asn1(&cbb, bn.get())) {
fprintf(stderr, "Serialized negative number.\n");
CBB_cleanup(&cbb);
return false;
}
ERR_clear_error();
CBB_cleanup(&cbb);
return true;
}
@@ -1242,35 +1146,42 @@ static bool TestNegativeZero(BN_CTX *ctx) {
return false;
}
bssl::UniquePtr<BIGNUM> numerator(BN_new()), denominator(BN_new());
if (!numerator || !denominator) {
return false;
}
for (int consttime = 0; consttime < 2; consttime++) {
bssl::UniquePtr<BIGNUM> numerator(BN_new()), denominator(BN_new());
if (!numerator || !denominator) {
return false;
}
// Test that BN_div never gives negative zero in the quotient.
if (!BN_set_word(numerator.get(), 1) ||
!BN_set_word(denominator.get(), 2)) {
return false;
}
BN_set_negative(numerator.get(), 1);
if (!BN_div(a.get(), b.get(), numerator.get(), denominator.get(), ctx)) {
return false;
}
if (!BN_is_zero(a.get()) || BN_is_negative(a.get())) {
fprintf(stderr, "Incorrect quotient.\n");
return false;
}
if (consttime) {
BN_set_flags(numerator.get(), BN_FLG_CONSTTIME);
BN_set_flags(denominator.get(), BN_FLG_CONSTTIME);
}
// Test that BN_div never gives negative zero in the remainder.
if (!BN_set_word(denominator.get(), 1)) {
return false;
}
if (!BN_div(a.get(), b.get(), numerator.get(), denominator.get(), ctx)) {
return false;
}
if (!BN_is_zero(b.get()) || BN_is_negative(b.get())) {
fprintf(stderr, "Incorrect remainder.\n");
return false;
// Test that BN_div never gives negative zero in the quotient.
if (!BN_set_word(numerator.get(), 1) ||
!BN_set_word(denominator.get(), 2)) {
return false;
}
BN_set_negative(numerator.get(), 1);
if (!BN_div(a.get(), b.get(), numerator.get(), denominator.get(), ctx)) {
return false;
}
if (!BN_is_zero(a.get()) || BN_is_negative(a.get())) {
fprintf(stderr, "Incorrect quotient (consttime = %d).\n", consttime);
return false;
}
// Test that BN_div never gives negative zero in the remainder.
if (!BN_set_word(denominator.get(), 1)) {
return false;
}
if (!BN_div(a.get(), b.get(), numerator.get(), denominator.get(), ctx)) {
return false;
}
if (!BN_is_zero(b.get()) || BN_is_negative(b.get())) {
fprintf(stderr, "Incorrect remainder (consttime = %d).\n", consttime);
return false;
}
}
// Test that BN_set_negative will not produce a negative zero.
@@ -1293,37 +1204,6 @@ static bool TestNegativeZero(BN_CTX *ctx) {
return false;
}
// Test that |BN_rshift| and |BN_rshift1| will not produce a negative zero.
if (!BN_set_word(a.get(), 1)) {
return false;
}
BN_set_negative(a.get(), 1);
if (!BN_rshift(b.get(), a.get(), 1) ||
!BN_rshift1(c.get(), a.get())) {
return false;
}
if (!BN_is_zero(b.get()) || BN_is_negative(b.get())) {
fprintf(stderr, "BN_rshift(-1, 1) produced the wrong result.\n");
return false;
}
if (!BN_is_zero(c.get()) || BN_is_negative(c.get())) {
fprintf(stderr, "BN_rshift1(-1) produced the wrong result.\n");
return false;
}
// Test that |BN_div_word| will not produce a negative zero.
if (BN_div_word(a.get(), 2) == (BN_ULONG)-1) {
return false;
}
if (!BN_is_zero(a.get()) || BN_is_negative(a.get())) {
fprintf(stderr, "BN_div_word(-1, 2) produced the wrong result.\n");
return false;
}
return true;
}
@@ -1562,7 +1442,7 @@ static bool TestBN2Dec() {
return true;
}
static bool TestBNSetGetU64() {
static bool TestBNSetU64() {
static const struct {
const char *hex;
uint64_t value;
@@ -1584,36 +1464,6 @@ static bool TestBNSetGetU64() {
ERR_print_errors_fp(stderr);
return false;
}
uint64_t tmp;
if (!BN_get_u64(bn.get(), &tmp) || tmp != test.value) {
fprintf(stderr, "BN_get_u64 test failed for 0x%s.\n", test.hex);
return false;
}
BN_set_negative(bn.get(), 1);
if (!BN_get_u64(bn.get(), &tmp) || tmp != test.value) {
fprintf(stderr, "BN_get_u64 test failed for -0x%s.\n", test.hex);
return false;
}
}
// Test that BN_get_u64 fails on large numbers.
bssl::UniquePtr<BIGNUM> bn(BN_new());
if (!BN_lshift(bn.get(), BN_value_one(), 64)) {
return false;
}
uint64_t tmp;
if (BN_get_u64(bn.get(), &tmp)) {
fprintf(stderr, "BN_get_u64 of 2^64 unexpectedly succeeded.\n");
return false;
}
BN_set_negative(bn.get(), 1);
if (BN_get_u64(bn.get(), &tmp)) {
fprintf(stderr, "BN_get_u64 of -2^64 unexpectedly succeeded.\n");
return false;
}
return true;
@@ -1636,7 +1486,6 @@ int main(int argc, char *argv[]) {
!TestDec2BN(ctx.get()) ||
!TestHex2BN(ctx.get()) ||
!TestASC2BN(ctx.get()) ||
!TestLittleEndian() ||
!TestMPI() ||
!TestRand() ||
!TestASN1() ||
@@ -1646,7 +1495,7 @@ int main(int argc, char *argv[]) {
!TestSmallPrime(ctx.get()) ||
!TestCmpWord() ||
!TestBN2Dec() ||
!TestBNSetGetU64()) {
!TestBNSetU64()) {
return 1;
}
crypto/bn/bn_tests.txt
-117
View File
@@ -9875,18 +9875,6 @@ A = 1c08cec52d96136fbd9078b7b8db36ab63b86e19dd3dba7b2e3190ff566180e89dfee9423fa4
B = a8b4bc9647d8df9b7c76cc6d0f2248cdbc41f5da9c061f9864aa8415c9557582cada456cf23cc32d47d1fc1caf19d36b398019aac4734e10f55ce3cad419e5e7
M = 7eacffe21f88413af94155a2a8e37f70a431a59653738afda04a1bec72d0d9ed
# Regression tests for CVE-2016-7055.
ModMul = ccd6f75b5f24b7c5ce2ce755fa89c2450c6a7d96ce8c8791e659eab84577a7695e3b2caa7c980fb23f60634233e9798499c28b0338c1f1a326d0ca89fd41f2fd88b759f317889832966b551a950043ec7a4b6152d3e2cbfb40e88458e70ab783b96f12d271f828d5b39e198ccaf8665411d85026282dbead5d24cd01b6c8a8e9
A = 7878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878
B = 095d72c08c097ba488c5e439c655a192eafb6380073d8c2664668eddb4060744e16e57fb4edb9ae10a0cefcdc28a894f689a128379db279d48a2e20849d685939b7803bcf46cebf5c533fb0dd35b080593de5472e3fe5db951b8bff9b4cb8f039cc638a5ee8cdd703719f8000e6a9f63beed5f2fcd52ff293ea05a251bb4ab81
M = d78af684e71db0c39cff4e64fb9db567132cb9c50cc98009feb820b26f2ded9b91b9b5e2b83ae0ae4eb4e0523ca726bfbe969b89fd754f674ce99118c3f2d1c5d81fdc7c54e02b60262b241d53c040e99e45826eca37a804668e690e1afc1ca42c9a15d84d4954425f0b7642fc0bd9d7b24e2618d2dcc9b729d944badacfddaf
ModMul = ccd6f75b5f24b7c5ce2ce755fa89c2450c6a7d96ce8c8791e659eab84577a7695e3b2caa7c980fb23f60634233e9798499c28b0338c1f1a326d0ca89fd41f2fd88b759f317889832966b551a950043ec7a4b6152d3e2cbfb40e88458e70ab783b96f12d271f828d5b39e198ccaf8665411d85026282dbead5d24cd01b6c8a8e9
A = 095d72c08c097ba488c5e439c655a192eafb6380073d8c2664668eddb4060744e16e57fb4edb9ae10a0cefcdc28a894f689a128379db279d48a2e20849d685939b7803bcf46cebf5c533fb0dd35b080593de5472e3fe5db951b8bff9b4cb8f039cc638a5ee8cdd703719f8000e6a9f63beed5f2fcd52ff293ea05a251bb4ab81
B = 7878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878
M = d78af684e71db0c39cff4e64fb9db567132cb9c50cc98009feb820b26f2ded9b91b9b5e2b83ae0ae4eb4e0523ca726bfbe969b89fd754f674ce99118c3f2d1c5d81fdc7c54e02b60262b241d53c040e99e45826eca37a804668e690e1afc1ca42c9a15d84d4954425f0b7642fc0bd9d7b24e2618d2dcc9b729d944badacfddaf
# ModExp tests.
#
@@ -10387,89 +10375,6 @@ E = d7e6df5d755284929b986cd9b61c9c2c8843f24c711fbdbae1a468edcae15940094372557072
M = e4e784aa1fa88625a43ba0185a153a929663920be7fe674a4d33c943d3b898cff051482e7050a070cede53be5e89f31515772c7aea637576f99f82708f89d9e244f6ad3a24a02cbe5c0ff7bcf2dad5491f53db7c3f2698a7c41b44f086652f17bb05fe4c5c0a92433c34086b49d7e1825b28bab6c5a9bd0bc95b53d659afa0d7
# RSAZ 512-bit.
#
# These are regression tests for code which historically reached the RSAZ-512
# code. That has since been removed, but the test vectors remain. Note that the
# lengths of the inputs, especially the *bit* length of |M|, matter a lot.
# Control: No relationship between A and M except that A < M and they're the same number of limbs.
ModExp = 7f34c1cd63377bc3abf2bb5b2d1bf5f06454e1e8040fe19a72245ce9731cbee1bf9e84532300776c8021ed4f3a8de508d85b4cf320bd82065a013754857b50c4
A = 8e4e67da6ff890643d0599387955996ef6f0c2045eb9944576ddb965ca64cdb6247727ce128ef178d4a84e5a56d2e67eb0fe389ecbf691f9244ae80f4c11b364
E = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1
M = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491
# Same as above except A is negative.
ModExp = 71fa6a4c8ae75368eda8cc6282c26afa69e2af12a97fb9444f16b7dd6c99e0a5d6034cab4248cae4357346b211039f4a2bc4c5a20a297372094162417af703cd
A = -8e4e67da6ff890643d0599387955996ef6f0c2045eb9944576ddb965ca64cdb6247727ce128ef178d4a84e5a56d2e67eb0fe389ecbf691f9244ae80f4c11b364
E = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1
M = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491
# A == M - 1 == -1 (mod M) and the exponent is odd so A ^ E (mod M) == A.
ModExp = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490
A = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490
E = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1
M = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491
# Same inputs as above except A is negative. Note that A mod M with a "correct top" isn't the right length for RSAZ.
ModExp = 1
A = -f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725490
E = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1
M = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491
# A == M, so A == 0 (mod M) so A ^ E (mod M) == 0. Note that A mod M with a "correct top" isn't the right length for RSAZ.
ModExp = 0
A = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491
E = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1
M = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491
# A is negative, and A (mod M) is the right length for RSAZ.
ModExp = 8d76eb0f8c7bc3160cc8bb0e0c3590fbed26c5932f5f525b48045c0bd46dda287ba5483f97c851fb7c12c2e858ee7a4a4d1af745cbfb3eb311fa54bea12cde25
A = -80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
E = be99d8f0650e540b9b191e9cf96f74881b902e32ed169ffd8a1776c3f3e80f0ac765aa14615713e1549f250a20fe4ee48c4e0c6176162fc7842a0dd64d640d1
M = f12f2c19ee1ecf2c999b87bdafde60eace3790faad8f9adec13b14c6dfb69f8795a1d0fe65494250b59534014b918453042012952ae6f5786342999600725491
# RSAZ 1024-bit.
# Note that the lengths of the inputs, especially the *bit* length of |M|, matter a lot.
# Control: No relationship between A and M except that A < M and they're the same number of limbs.
ModExp = 8984f8c16044f9c0ad7bd72347af90f58e6e003acda92b76e3c7c4a56ea8e918409d8e9b34884d4c89d0b17cb40fe898f2627c084a0f1698e46beccbf6f48eecc281e11ea9e5135adba460ddae157f2c655b5f589ce29b254d43a960a71cede8a08dbb86be4dac22458da232fb1ec2470856827302ed772c9ddafa408c931aa7
A = 21158da5fe20356825e72b3f5384ec57720d22f727b27ce2f945c8ee311db781add73bf8fae96b775c909bd22fca75c44c2b0584284a5bb1c07f8eefcd6b0a44047a02b185df34f897f11d4fb9a86c9eb841b4cb8d0383441fdc5af3ef385b5e8380f605d73ed41bb42eb2c2a5704d6034b3ad058dafffce83dbbfb6295daaf8
E = ecdebd112b3b5788669449dcddbd479a203ee9ab72a9bb9c406b97623513bf0ab9a22f1f23634d269e16bfd6d3b64202b71fc355057411967b6ac70f8d9cef0a4e06819a9a18cc06bbe438243fa9759303d98be8a65dc1cb13595ee9b99f138554425d50f6fbc025d8ffa3eaea828d6f3b82a3584146bafde34da257995f0575
M = ff3a3e023db3bba929ca4ededbace13d0d1264387b5ef62734e177eaf47a78af56b58aacc8ac5d46f5b066bafb95d93d4442bb948653613eec76837b4ffb7991cb080b6c8b403fb09bc817d026e283ee47ab2fc9af274b12f626eda2fe02004a8e27b9ed7d3b614e8955c7e7c2c0700edd079455237c4475fbd41857e206e4b7
# Same as above except A is negative.
ModExp = 75b54540dd6ec1e87c4e77bb93fd50477ea463fdadb5cab05119b34585d18f971617fc1194240ffa6bdfb53e4785f0a451e03f8c3c444aa6080a96af5906eaa508862a4de15b2c55c023b6f278cd04c1e24fd0711244afeda8e3444256e51261ed99fe66beedb52c43c825b4c7a1adc7d4b111e2208ecd495df91e175573ca10
A = -21158da5fe20356825e72b3f5384ec57720d22f727b27ce2f945c8ee311db781add73bf8fae96b775c909bd22fca75c44c2b0584284a5bb1c07f8eefcd6b0a44047a02b185df34f897f11d4fb9a86c9eb841b4cb8d0383441fdc5af3ef385b5e8380f605d73ed41bb42eb2c2a5704d6034b3ad058dafffce83dbbfb6295daaf8
E = ecdebd112b3b5788669449dcddbd479a203ee9ab72a9bb9c406b97623513bf0ab9a22f1f23634d269e16bfd6d3b64202b71fc355057411967b6ac70f8d9cef0a4e06819a9a18cc06bbe438243fa9759303d98be8a65dc1cb13595ee9b99f138554425d50f6fbc025d8ffa3eaea828d6f3b82a3584146bafde34da257995f0575
M = ff3a3e023db3bba929ca4ededbace13d0d1264387b5ef62734e177eaf47a78af56b58aacc8ac5d46f5b066bafb95d93d4442bb948653613eec76837b4ffb7991cb080b6c8b403fb09bc817d026e283ee47ab2fc9af274b12f626eda2fe02004a8e27b9ed7d3b614e8955c7e7c2c0700edd079455237c4475fbd41857e206e4b7
# A == M - 1 == -1 (mod M) and the exponent is odd so A ^ E (mod M) == A.
ModExp = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d964
A = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d964
E = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103
M = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965
# Same inputs as above except A is negative. Note that A mod M with a "correct top" isn't the right length for RSAZ.
ModExp = 1
A = -b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d964
E = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103
M = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965
# A == M, so A == 0 (mod M) so A ^ E (mod M) == 0. Note that A mod M with a "correct top" isn't the right length for RSAZ.
ModExp = 0
A = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965
E = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103
M = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965
# A is negative, and A (mod M) is the right length for RSAZ.
ModExp = 9cf810b9e89d5cbc4b79ae64e123ea06d92965e2bab077df97a1b906dc2e1ddcf96a9c4ed14e2cd96309b829ea9cc2a74a7d4b43c5f34d792a7c583201427754b8f78b783608070a84b61f18913e3ced7f7f530972de7764667c54e29d756eea38a93cd1703c676a4587231b0ebfeadddf908e2877a7a84b5bfc370ecf0d158d
A = -8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
E = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103
M = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965
# Exp tests.
#
# These test vectors satisfy A ^ E = Exp.
@@ -10820,28 +10725,6 @@ ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
# NotModSquare tests.
#
# These test vectors are such that NotModSquare is not a square modulo P.
NotModSquare = 03
P = 07
NotModSquare = 05
P = 07
NotModSquare = 06
P = 07
NotModSquare = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951e
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
# ModInv tests.
#
# These test vectors satisfy ModInv * A = 1 (mod M) and 0 <= ModInv < M.
ModInv = 00
A = 00
M = 01
crypto/bn/convert.c
+2 -73
View File
@@ -118,42 +118,6 @@ BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
return ret;
}
BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) {
BIGNUM *bn = NULL;
if (ret == NULL) {
bn = BN_new();
ret = bn;
}
if (ret == NULL) {
return NULL;
}
if (len == 0) {
ret->top = 0;
ret->neg = 0;
return ret;
}
/* Reserve enough space in |ret|. */
size_t num_words = ((len - 1) / BN_BYTES) + 1;
if (!bn_wexpand(ret, num_words)) {
BN_free(bn);
return NULL;
}
ret->top = num_words;
/* Make sure the top bytes will be zeroed. */
ret->d[num_words - 1] = 0;
/* We only support little-endian platforms, so we can simply memcpy the
* internal representation. */
OPENSSL_memcpy(ret->d, in, len);
bn_correct_top(ret);
return ret;
}
size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {
size_t n, i;
BN_ULONG l;
@@ -166,23 +130,6 @@ size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {
return n;
}
int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) {
/* If we don't have enough space, fail out. */
size_t num_bytes = BN_num_bytes(in);
if (len < num_bytes) {
return 0;
}
/* We only support little-endian platforms, so we can simply memcpy into the
* internal representation. */
OPENSSL_memcpy(out, in->d, num_bytes);
/* Pad out the rest of the buffer with zeroes. */
OPENSSL_memset(out + num_bytes, 0, len - num_bytes);
return 1;
}
/* constant_time_select_ulong returns |x| if |v| is 1 and |y| if |v| is 0. Its
* behavior is undefined if |v| takes any other value. */
static BN_ULONG constant_time_select_ulong(int v, BN_ULONG x, BN_ULONG y) {
@@ -215,7 +162,7 @@ static BN_ULONG read_word_padded(const BIGNUM *in, size_t i) {
int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) {
/* Special case for |in| = 0. Just branch as the probability is negligible. */
if (BN_is_zero(in)) {
OPENSSL_memset(out, 0, len);
memset(out, 0, len);
return 1;
}
@@ -568,24 +515,6 @@ BN_ULONG BN_get_word(const BIGNUM *bn) {
}
}
int BN_get_u64(const BIGNUM *bn, uint64_t *out) {
switch (bn->top) {
case 0:
*out = 0;
return 1;
case 1:
*out = bn->d[0];
return 1;
#if defined(OPENSSL_32_BIT)
case 2:
*out = (uint64_t) bn->d[0] | (((uint64_t) bn->d[1]) << 32);
return 1;
#endif
default:
return 0;
}
}
size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
const size_t bits = BN_num_bits(in);
const size_t bytes = (bits + 7) / 8;
@@ -603,7 +532,7 @@ size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {
/* If we cannot represent the number then we emit zero as the interface
* doesn't allow an error to be signalled. */
if (out) {
OPENSSL_memset(out, 0, 4);
memset(out, 0, 4);
}
return 4;
}
crypto/bn/ctx.c
+1 -3
View File
@@ -59,8 +59,6 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
/* How many bignums are in each "pool item"; */
#define BN_CTX_POOL_SIZE 16
@@ -220,7 +218,7 @@ static int BN_STACK_push(BN_STACK *st, unsigned int idx) {
return 0;
}
if (st->depth) {
OPENSSL_memcpy(newitems, st->indexes, st->depth * sizeof(unsigned int));
memcpy(newitems, st->indexes, st->depth * sizeof(unsigned int));
}
OPENSSL_free(st->indexes);
st->indexes = newitems;
crypto/bn/div.c
+51 -28
View File
@@ -182,12 +182,7 @@ static inline void bn_div_rem_words(BN_ULONG *quotient_out, BN_ULONG *rem_out,
* Thus:
* dv->neg == num->neg ^ divisor->neg (unless the result is zero)
* rm->neg == num->neg (unless the remainder is zero)
* If 'dv' or 'rm' is NULL, the respective value is not returned.
*
* This was specifically designed to contain fewer branches that may leak
* sensitive information; see "New Branch Prediction Vulnerabilities in OpenSSL
* and Necessary Software Countermeasures" by Onur Acıçmez, Shay Gueron, and
* Jean-Pierre Seifert. */
* If 'dv' or 'rm' is NULL, the respective value is not returned. */
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_CTX *ctx) {
int norm_shift, i, loop;
@@ -195,6 +190,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_ULONG *resp, *wnump;
BN_ULONG d0, d1;
int num_n, div_n;
int no_branch = 0;
/* Invalid zero-padding would have particularly bad consequences
* so don't just rely on bn_check_top() here */
@@ -204,11 +200,28 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
return 0;
}
if ((num->flags & BN_FLG_CONSTTIME) != 0 ||
(divisor->flags & BN_FLG_CONSTTIME) != 0) {
no_branch = 1;
}
if (BN_is_zero(divisor)) {
OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);
return 0;
}
if (!no_branch && BN_ucmp(num, divisor) < 0) {
if (rm != NULL) {
if (BN_copy(rm, num) == NULL) {
return 0;
}
}
if (dv != NULL) {
BN_zero(dv);
}
return 1;
}
BN_CTX_start(ctx);
tmp = BN_CTX_get(ctx);
snum = BN_CTX_get(ctx);
@@ -234,23 +247,26 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
}
snum->neg = 0;
/* Since we don't want to have special-case logic for the case where snum is
* larger than sdiv, we pad snum with enough zeroes without changing its
* value. */
if (snum->top <= sdiv->top + 1) {
if (bn_wexpand(snum, sdiv->top + 2) == NULL) {
goto err;
if (no_branch) {
/* Since we don't know whether snum is larger than sdiv,
* we pad snum with enough zeroes without changing its
* value.
*/
if (snum->top <= sdiv->top + 1) {
if (bn_wexpand(snum, sdiv->top + 2) == NULL) {
goto err;
}
for (i = snum->top; i < sdiv->top + 2; i++) {
snum->d[i] = 0;
}
snum->top = sdiv->top + 2;
} else {
if (bn_wexpand(snum, snum->top + 1) == NULL) {
goto err;
}
snum->d[snum->top] = 0;
snum->top++;
}
for (i = snum->top; i < sdiv->top + 2; i++) {
snum->d[i] = 0;
}
snum->top = sdiv->top + 2;
} else {
if (bn_wexpand(snum, snum->top + 1) == NULL) {
goto err;
}
snum->d[snum->top] = 0;
snum->top++;
}
div_n = sdiv->top;
@@ -278,7 +294,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
if (!bn_wexpand(res, (loop + 1))) {
goto err;
}
res->top = loop - 1;
res->top = loop - no_branch;
resp = &(res->d[loop - 1]);
/* space for temp */
@@ -286,6 +302,15 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
goto err;
}
if (!no_branch) {
if (BN_ucmp(&wnum, sdiv) >= 0) {
bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
*resp = 1;
} else {
res->top--;
}
}
/* if res->top == 0 then clear the neg value otherwise decrease
* the resp pointer */
if (res->top == 0) {
@@ -376,7 +401,9 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
rm->neg = neg;
}
}
bn_correct_top(res);
if (no_branch) {
bn_correct_top(res);
}
BN_CTX_end(ctx);
return 1;
@@ -601,10 +628,6 @@ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w) {
a->top--;
}
if (a->top == 0) {
a->neg = 0;
}
ret >>= j;
return ret;
}
crypto/bn/exponentiation.c
+33 -15
View File
@@ -140,6 +140,12 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
int i, bits, ret = 0;
BIGNUM *v, *rr;
if ((p->flags & BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
BN_CTX_start(ctx);
if (r == a || r == p) {
rr = BN_CTX_get(ctx);
@@ -431,6 +437,12 @@ static int mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
BIGNUM *val[TABLE_SIZE];
BN_RECP_CTX recp;
if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
bits = BN_num_bits(p);
if (bits == 0) {
@@ -581,6 +593,10 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
BIGNUM *val[TABLE_SIZE];
BN_MONT_CTX *new_mont = NULL;
if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) {
return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, mont);
}
if (!BN_is_odd(m)) {
OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
return 0;
@@ -860,7 +876,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
int powerbufLen = 0;
unsigned char *powerbuf = NULL;
BIGNUM tmp, am;
BIGNUM *new_a = NULL;
if (!BN_is_odd(m)) {
OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);
@@ -888,15 +903,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
mont = new_mont;
}
if (a->neg || BN_ucmp(a, m) >= 0) {
new_a = BN_new();
if (new_a == NULL ||
!BN_nnmod(new_a, a, m, ctx)) {
goto err;
}
a = new_a;
}
#ifdef RSAZ_ENABLED
/* If the size of the operands allow it, perform the optimized
* RSAZ exponentiation. For further information see
@@ -912,6 +918,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
bn_correct_top(rr);
ret = 1;
goto err;
} else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
if (NULL == bn_wexpand(rr, 8)) {
goto err;
}
RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
rr->top = 8;
rr->neg = 0;
bn_correct_top(rr);
ret = 1;
goto err;
}
#endif
@@ -945,7 +961,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
}
powerbuf = MOD_EXP_CTIME_ALIGN(powerbufFree);
OPENSSL_memset(powerbuf, 0, powerbufLen);
memset(powerbuf, 0, powerbufLen);
#ifdef alloca
if (powerbufLen < 3072) {
@@ -975,9 +991,12 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
}
/* prepare a^1 in Montgomery domain */
assert(!a->neg);
assert(BN_ucmp(a, m) < 0);
if (!BN_to_montgomery(&am, a, mont, ctx)) {
if (a->neg || BN_ucmp(a, m) >= 0) {
if (!BN_nnmod(&am, a, m, ctx) ||
!BN_to_montgomery(&am, &am, mont, ctx)) {
goto err;
}
} else if (!BN_to_montgomery(&am, a, mont, ctx)) {
goto err;
}
@@ -1171,7 +1190,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
err:
BN_MONT_CTX_free(new_mont);
BN_clear_free(new_a);
if (powerbuf != NULL) {
OPENSSL_cleanse(powerbuf, powerbufLen);
OPENSSL_free(powerbufFree);
crypto/bn/gcd.c
+22 -29
View File
@@ -399,6 +399,10 @@ err:
BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx) {
int no_inverse;
BIGNUM *a_reduced = NULL;
BIGNUM *new_out = NULL;
if (out == NULL) {
new_out = BN_new();
@@ -410,20 +414,25 @@ BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,
}
int ok = 0;
BIGNUM *a_reduced = NULL;
int no_branch =
(a->flags & BN_FLG_CONSTTIME) != 0 || (n->flags & BN_FLG_CONSTTIME) != 0;
if (a->neg || BN_ucmp(a, n) >= 0) {
a_reduced = BN_dup(a);
if (a_reduced == NULL) {
goto err;
}
if (no_branch) {
BN_set_flags(a_reduced, BN_FLG_CONSTTIME);
}
if (!BN_nnmod(a_reduced, a_reduced, n, ctx)) {
goto err;
}
a = a_reduced;
}
int no_inverse;
if (!BN_is_odd(n)) {
if (no_branch || !BN_is_odd(n)) {
if (!bn_mod_inverse_general(out, &no_inverse, a, n, ctx)) {
goto err;
}
@@ -472,13 +481,15 @@ err:
/* bn_mod_inverse_general is the general inversion algorithm that works for
* both even and odd |n|. It was specifically designed to contain fewer
* branches that may leak sensitive information; see "New Branch Prediction
* branches that may leak sensitive information. See "New Branch Prediction
* Vulnerabilities in OpenSSL and Necessary Software Countermeasures" by
* Onur Acıçmez, Shay Gueron, and Jean-Pierre Seifert. */
static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx) {
BIGNUM *A, *B, *X, *Y, *M, *D, *T;
BIGNUM local_A;
BIGNUM *pA;
int ret = 0;
int sign;
@@ -521,8 +532,14 @@ static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
* sign*Y*a == A (mod |n|)
*/
/* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
* BN_div_no_branch will be called eventually.
*/
pA = &local_A;
BN_with_flags(pA, A, BN_FLG_CONSTTIME);
/* (D, M) := (A/B, A%B) ... */
if (!BN_div(D, M, A, B, ctx)) {
if (!BN_div(D, M, pA, B, ctx)) {
goto err;
}
@@ -609,27 +626,3 @@ err:
BN_CTX_end(ctx);
return ret;
}
int bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx, const BN_MONT_CTX *mont_p) {
BN_CTX_start(ctx);
BIGNUM *p_minus_2 = BN_CTX_get(ctx);
int ok = p_minus_2 != NULL &&
BN_copy(p_minus_2, p) &&
BN_sub_word(p_minus_2, 2) &&
BN_mod_exp_mont(out, a, p_minus_2, p, ctx, mont_p);
BN_CTX_end(ctx);
return ok;
}
int bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx, const BN_MONT_CTX *mont_p) {
BN_CTX_start(ctx);
BIGNUM *p_minus_2 = BN_CTX_get(ctx);
int ok = p_minus_2 != NULL &&
BN_copy(p_minus_2, p) &&
BN_sub_word(p_minus_2, 2) &&
BN_mod_exp_mont_consttime(out, a, p_minus_2, p, ctx, mont_p);
BN_CTX_end(ctx);
return ok;
}
crypto/bn/generic.c
+67 -71
View File
@@ -67,34 +67,34 @@
!(defined(OPENSSL_X86) || (defined(OPENSSL_X86_64) && defined(__GNUC__)))
#ifdef BN_ULLONG
#define mul_add(r, a, w, c) \
do { \
BN_ULLONG t; \
t = (BN_ULLONG)(w) * (a) + (r) + (c); \
(r) = Lw(t); \
(c) = Hw(t); \
} while (0)
#define mul_add(r, a, w, c) \
{ \
BN_ULLONG t; \
t = (BN_ULLONG)w * (a) + (r) + (c); \
(r) = Lw(t); \
(c) = Hw(t); \
}
#define mul(r, a, w, c) \
do { \
BN_ULLONG t; \
t = (BN_ULLONG)(w) * (a) + (c); \
(r) = Lw(t); \
(c) = Hw(t); \
} while (0)
#define mul(r, a, w, c) \
{ \
BN_ULLONG t; \
t = (BN_ULLONG)w * (a) + (c); \
(r) = Lw(t); \
(c) = Hw(t); \
}
#define sqr(r0, r1, a) \
do { \
{ \
BN_ULLONG t; \
t = (BN_ULLONG)(a) * (a); \
(r0) = Lw(t); \
(r1) = Hw(t); \
} while (0)
}
#else
#define mul_add(r, a, w, c) \
do { \
{ \
BN_ULONG high, low, ret, tmp = (a); \
ret = (r); \
BN_UMULT_LOHI(low, high, w, tmp); \
@@ -104,23 +104,23 @@
ret += low; \
(c) += (ret < low) ? 1 : 0; \
(r) = ret; \
} while (0)
}
#define mul(r, a, w, c) \
do { \
{ \
BN_ULONG high, low, ret, ta = (a); \
BN_UMULT_LOHI(low, high, w, ta); \
ret = low + (c); \
(c) = high; \
(c) += (ret < low) ? 1 : 0; \
(r) = ret; \
} while (0)
}
#define sqr(r0, r1, a) \
do { \
{ \
BN_ULONG tmp = (a); \
BN_UMULT_LOHI(r0, r1, tmp, tmp); \
} while (0)
}
#endif /* !BN_ULLONG */
@@ -369,46 +369,42 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
do { \
BN_ULONG hi; \
BN_ULLONG t = (BN_ULLONG)(a) * (b); \
t += (c0); /* no carry */ \
(c0) = (BN_ULONG)Lw(t); \
t += c0; /* no carry */ \
c0 = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
(c1) = ((c1) + (hi)) & BN_MASK2; \
if ((c1) < hi) { \
(c2)++; \
} \
c1 = (c1 + hi) & BN_MASK2; \
if (c1 < hi) \
c2++; \
} while (0)
#define mul_add_c2(a, b, c0, c1, c2) \
do { \
BN_ULONG hi; \
BN_ULLONG t = (BN_ULLONG)(a) * (b); \
BN_ULLONG tt = t + (c0); /* no carry */ \
(c0) = (BN_ULONG)Lw(tt); \
hi = (BN_ULONG)Hw(tt); \
(c1) = ((c1) + hi) & BN_MASK2; \
if ((c1) < hi) { \
(c2)++; \
} \
t += (c0); /* no carry */ \
(c0) = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
(c1) = ((c1) + hi) & BN_MASK2; \
if ((c1) < hi) { \
(c2)++; \
} \
#define mul_add_c2(a, b, c0, c1, c2) \
do { \
BN_ULONG hi; \
BN_ULLONG t = (BN_ULLONG)(a) * (b); \
BN_ULLONG tt = t + c0; /* no carry */ \
c0 = (BN_ULONG)Lw(tt); \
hi = (BN_ULONG)Hw(tt); \
c1 = (c1 + hi) & BN_MASK2; \
if (c1 < hi) \
c2++; \
t += c0; /* no carry */ \
c0 = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
c1 = (c1 + hi) & BN_MASK2; \
if (c1 < hi) \
c2++; \
} while (0)
#define sqr_add_c(a, i, c0, c1, c2) \
do { \
BN_ULONG hi; \
BN_ULLONG t = (BN_ULLONG)(a)[i] * (a)[i]; \
t += (c0); /* no carry */ \
(c0) = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
(c1) = ((c1) + hi) & BN_MASK2; \
if ((c1) < hi) { \
(c2)++; \
} \
#define sqr_add_c(a, i, c0, c1, c2) \
do { \
BN_ULONG hi; \
BN_ULLONG t = (BN_ULLONG)a[i] * a[i]; \
t += c0; /* no carry */ \
c0 = (BN_ULONG)Lw(t); \
hi = (BN_ULONG)Hw(t); \
c1 = (c1 + hi) & BN_MASK2; \
if (c1 < hi) \
c2++; \
} while (0)
#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)
@@ -422,10 +418,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG ta = (a), tb = (b); \
BN_ULONG lo, hi; \
BN_UMULT_LOHI(lo, hi, ta, tb); \
(c0) += lo; \
hi += ((c0) < lo) ? 1 : 0; \
(c1) += hi; \
(c2) += ((c1) < hi) ? 1 : 0; \
c0 += lo; \
hi += (c0 < lo) ? 1 : 0; \
c1 += hi; \
c2 += (c1 < hi) ? 1 : 0; \
} while (0)
#define mul_add_c2(a, b, c0, c1, c2) \
@@ -433,14 +429,14 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG ta = (a), tb = (b); \
BN_ULONG lo, hi, tt; \
BN_UMULT_LOHI(lo, hi, ta, tb); \
(c0) += lo; \
tt = hi + (((c0) < lo) ? 1 : 0); \
(c1) += tt; \
(c2) += ((c1) < tt) ? 1 : 0; \
(c0) += lo; \
c0 += lo; \
tt = hi + ((c0 < lo) ? 1 : 0); \
c1 += tt; \
c2 += (c1 < tt) ? 1 : 0; \
c0 += lo; \
hi += (c0 < lo) ? 1 : 0; \
(c1) += hi; \
(c2) += ((c1) < hi) ? 1 : 0; \
c1 += hi; \
c2 += (c1 < hi) ? 1 : 0; \
} while (0)
#define sqr_add_c(a, i, c0, c1, c2) \
@@ -448,10 +444,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
BN_ULONG ta = (a)[i]; \
BN_ULONG lo, hi; \
BN_UMULT_LOHI(lo, hi, ta, ta); \
(c0) += lo; \
c0 += lo; \
hi += (c0 < lo) ? 1 : 0; \
(c1) += hi; \
(c2) += ((c1) < hi) ? 1 : 0; \
c1 += hi; \
c2 += (c1 < hi) ? 1 : 0; \
} while (0)
#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)
crypto/bn/internal.h
+6 -19
View File
@@ -160,7 +160,7 @@ BIGNUM *bn_expand(BIGNUM *bn, size_t bits);
#define BN_TBIT (0x8000000000000000UL)
#define BN_DEC_CONV (10000000000000000000UL)
#define BN_DEC_NUM 19
#define TOBN(hi, lo) ((BN_ULONG)(hi) << 32 | (lo))
#define TOBN(hi, lo) ((BN_ULONG)hi << 32 | lo)
#elif defined(OPENSSL_32_BIT)
@@ -181,17 +181,17 @@ BIGNUM *bn_expand(BIGNUM *bn, size_t bits);
#define BN_TBIT (0x80000000UL)
#define BN_DEC_CONV (1000000000UL)
#define BN_DEC_NUM 9
#define TOBN(hi, lo) (lo), (hi)
#define TOBN(hi, lo) lo, hi
#else
#error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
#endif
#define STATIC_BIGNUM(x) \
{ \
(BN_ULONG *)(x), sizeof(x) / sizeof(BN_ULONG), \
sizeof(x) / sizeof(BN_ULONG), 0, BN_FLG_STATIC_DATA \
#define STATIC_BIGNUM(x) \
{ \
(BN_ULONG *)x, sizeof(x) / sizeof(BN_ULONG), \
sizeof(x) / sizeof(BN_ULONG), 0, BN_FLG_STATIC_DATA \
}
#if defined(BN_ULLONG)
@@ -228,7 +228,6 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
const BN_ULONG *np, const BN_ULONG *n0, int num);
uint64_t bn_mont_n0(const BIGNUM *n);
int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n);
#if defined(OPENSSL_X86_64) && defined(_MSC_VER)
#define BN_UMULT_LOHI(low, high, a, b) ((low) = _umul128((a), (b), &(high)))
@@ -238,18 +237,6 @@ int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n);
#error "Either BN_ULLONG or BN_UMULT_LOHI must be defined on every platform."
#endif
/* bn_mod_inverse_prime sets |out| to the modular inverse of |a| modulo |p|,
* computed with Fermat's Little Theorem. It returns one on success and zero on
* error. If |mont_p| is NULL, one will be computed temporarily. */
int bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx, const BN_MONT_CTX *mont_p);
/* bn_mod_inverse_secret_prime behaves like |bn_mod_inverse_prime| but uses
* |BN_mod_exp_mont_consttime| instead of |BN_mod_exp_mont| in hopes of
* protecting the exponent. */
int bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,
BN_CTX *ctx, const BN_MONT_CTX *mont_p);
#if defined(__cplusplus)
} /* extern C */
crypto/bn/kronecker.c
-1
View File
@@ -144,7 +144,6 @@ int BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
i++;
}
if (!BN_rshift(A, A, i)) {
ret = -2;
goto end;
}
if (i & 1) {
crypto/bn/montgomery.c
+10 -9
View File
@@ -108,7 +108,6 @@
#include <openssl/bn.h>
#include <assert.h>
#include <string.h>
#include <openssl/err.h>
@@ -132,7 +131,7 @@ BN_MONT_CTX *BN_MONT_CTX_new(void) {
return NULL;
}
OPENSSL_memset(ret, 0, sizeof(BN_MONT_CTX));
memset(ret, 0, sizeof(BN_MONT_CTX));
BN_init(&ret->RR);
BN_init(&ret->N);
@@ -187,6 +186,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) {
OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR);
return 0;
}
if (BN_get_flags(mod, BN_FLG_CONSTTIME)) {
BN_set_flags(&mont->N, BN_FLG_CONSTTIME);
}
/* Find n0 such that n0 * N == -1 (mod r).
*
@@ -205,13 +207,12 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) {
/* Save RR = R**2 (mod N). R is the smallest power of 2**BN_BITS such that R
* > mod. Even though the assembly on some 32-bit platforms works with 64-bit
* values, using |BN_BITS2| here, rather than |BN_MONT_CTX_N0_LIMBS *
* BN_BITS2|, is correct because R**2 will still be a multiple of the latter
* as |BN_MONT_CTX_N0_LIMBS| is either one or two.
*
* XXX: This is not constant time with respect to |mont->N|, but it should
* be. */
* BN_BITS2|, is correct because because R^2 will still be a multiple of the
* latter as |BN_MONT_CTX_N0_LIMBS| is either one or two. */
unsigned lgBigR = (BN_num_bits(mod) + (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2;
if (!bn_mod_exp_base_2_vartime(&mont->RR, lgBigR * 2, &mont->N)) {
BN_zero(&mont->RR);
if (!BN_set_bit(&mont->RR, lgBigR * 2) ||
!BN_mod(&mont->RR, &mont->RR, &mont->N, ctx)) {
return 0;
}
@@ -278,7 +279,7 @@ static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r,
/* clear the top words of T */
if (max > r->top) {
OPENSSL_memset(&rp[r->top], 0, (max - r->top) * sizeof(BN_ULONG));
memset(&rp[r->top], 0, (max - r->top) * sizeof(BN_ULONG));
}
r->top = max;
crypto/bn/montgomery_inv.c
-47
View File
@@ -158,50 +158,3 @@ static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
return v;
}
/* bn_mod_exp_base_2_vartime calculates r = 2**p (mod n). |p| must be larger
* than log_2(n); i.e. 2**p must be larger than |n|. |n| must be positive and
* odd. */
int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n) {
assert(!BN_is_zero(n));
assert(!BN_is_negative(n));
assert(BN_is_odd(n));
BN_zero(r);
unsigned n_bits = BN_num_bits(n);
assert(n_bits != 0);
if (n_bits == 1) {
return 1;
}
/* Set |r| to the smallest power of two larger than |n|. */
assert(p > n_bits);
if (!BN_set_bit(r, n_bits)) {
return 0;
}
/* Unconditionally reduce |r|. */
assert(BN_cmp(r, n) > 0);
if (!BN_usub(r, r, n)) {
return 0;
}
assert(BN_cmp(r, n) < 0);
for (unsigned i = n_bits; i < p; ++i) {
/* This is like |BN_mod_lshift1_quick| except using |BN_usub|.
*
* TODO: Replace this with the use of a constant-time variant of
* |BN_mod_lshift1_quick|. */
if (!BN_lshift1(r, r)) {
return 0;
}
if (BN_cmp(r, n) >= 0) {
if (!BN_usub(r, r, n)) {
return 0;
}
}
}
return 1;
}
crypto/bn/mul.c
+9 -11
View File
@@ -312,8 +312,7 @@ static void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {
bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);
if ((dna + dnb) < 0) {
OPENSSL_memset(&r[2 * n2 + dna + dnb], 0,
sizeof(BN_ULONG) * -(dna + dnb));
memset(&r[2 * n2 + dna + dnb], 0, sizeof(BN_ULONG) * -(dna + dnb));
}
return;
}
@@ -359,7 +358,7 @@ static void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
if (!zero) {
bn_mul_comba4(&(t[n2]), t, &(t[n]));
} else {
OPENSSL_memset(&(t[n2]), 0, 8 * sizeof(BN_ULONG));
memset(&(t[n2]), 0, 8 * sizeof(BN_ULONG));
}
bn_mul_comba4(r, a, b);
@@ -369,7 +368,7 @@ static void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
if (!zero) {
bn_mul_comba8(&(t[n2]), t, &(t[n]));
} else {
OPENSSL_memset(&(t[n2]), 0, 16 * sizeof(BN_ULONG));
memset(&(t[n2]), 0, 16 * sizeof(BN_ULONG));
}
bn_mul_comba8(r, a, b);
@@ -379,7 +378,7 @@ static void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
if (!zero) {
bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
} else {
OPENSSL_memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
}
bn_mul_recursive(r, a, b, n, 0, 0, p);
bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p);
@@ -474,7 +473,7 @@ static void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
bn_mul_comba8(&(t[n2]), t, &(t[n]));
bn_mul_comba8(r, a, b);
bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
OPENSSL_memset(&(r[n2 + tna + tnb]), 0, sizeof(BN_ULONG) * (n2 - tna - tnb));
memset(&(r[n2 + tna + tnb]), 0, sizeof(BN_ULONG) * (n2 - tna - tnb));
} else {
p = &(t[n2 * 2]);
bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p);
@@ -490,15 +489,14 @@ static void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
if (j == 0) {
bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
OPENSSL_memset(&(r[n2 + i * 2]), 0, sizeof(BN_ULONG) * (n2 - i * 2));
memset(&(r[n2 + i * 2]), 0, sizeof(BN_ULONG) * (n2 - i * 2));
} else if (j > 0) {
/* eg, n == 16, i == 8 and tn == 11 */
bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), i, tna - i, tnb - i, p);
OPENSSL_memset(&(r[n2 + tna + tnb]), 0,
sizeof(BN_ULONG) * (n2 - tna - tnb));
memset(&(r[n2 + tna + tnb]), 0, sizeof(BN_ULONG) * (n2 - tna - tnb));
} else {
/* (j < 0) eg, n == 16, i == 8 and tn == 5 */
OPENSSL_memset(&(r[n2]), 0, sizeof(BN_ULONG) * n2);
memset(&(r[n2]), 0, sizeof(BN_ULONG) * n2);
if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL &&
tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {
bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb);
@@ -737,7 +735,7 @@ static void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t
if (!zero) {
bn_sqr_recursive(&(t[n2]), t, n, p);
} else {
OPENSSL_memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
}
bn_sqr_recursive(r, a, n, p);
bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
crypto/bn/random.c
+3 -6
View File
@@ -115,9 +115,6 @@
#include <openssl/rand.h>
#include <openssl/sha.h>
#include "../internal.h"
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
uint8_t *buf = NULL;
int ret = 0, bit, bytes, mask;
@@ -301,8 +298,8 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
OPENSSL_PUT_ERROR(BN, BN_R_PRIVATE_KEY_TOO_LARGE);
goto err;
}
OPENSSL_memcpy(private_bytes, priv->d, todo);
OPENSSL_memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
memcpy(private_bytes, priv->d, todo);
memset(private_bytes + todo, 0, sizeof(private_bytes) - todo);
for (attempt = 0;; attempt++) {
for (done = 0; done < num_k_bytes;) {
@@ -321,7 +318,7 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range, const BIGNUM *priv,
if (todo > SHA512_DIGEST_LENGTH) {
todo = SHA512_DIGEST_LENGTH;
}
OPENSSL_memcpy(k_bytes + done, digest, todo);
memcpy(k_bytes + done, digest, todo);
done += todo;
}
crypto/bn/rsaz_exp.c
+65
View File
@@ -251,4 +251,69 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],
OPENSSL_cleanse(storage,sizeof(storage));
}
/*
* See crypto/bn/rsaz-x86_64.pl for further details.
*/
void rsaz_512_mul(void *ret,const void *a,const void *b,const void *n,BN_ULONG k);
void rsaz_512_mul_scatter4(void *ret,const void *a,const void *n,BN_ULONG k,const void *tbl,unsigned int power);
void rsaz_512_mul_gather4(void *ret,const void *a,const void *tbl,const void *n,BN_ULONG k,unsigned int power);
void rsaz_512_mul_by_one(void *ret,const void *a,const void *n,BN_ULONG k);
void rsaz_512_sqr(void *ret,const void *a,const void *n,BN_ULONG k,int cnt);
void rsaz_512_scatter4(void *tbl, const BN_ULONG *val, int power);
void rsaz_512_gather4(BN_ULONG *val, const void *tbl, int power);
void RSAZ_512_mod_exp(BN_ULONG result[8],
const BN_ULONG base[8], const BN_ULONG exponent[8],
const BN_ULONG m[8], BN_ULONG k0, const BN_ULONG RR[8])
{
alignas(64) uint8_t storage[(16*8*8) + (64 * 2)]; /* 1.2KB */
unsigned char *table = storage;
BN_ULONG *a_inv = (BN_ULONG *)(table+16*8*8),
*temp = (BN_ULONG *)(table+16*8*8+8*8);
int index;
unsigned int wvalue;
/* table[0] = 1_inv */
temp[0] = 0-m[0]; temp[1] = ~m[1];
temp[2] = ~m[2]; temp[3] = ~m[3];
temp[4] = ~m[4]; temp[5] = ~m[5];
temp[6] = ~m[6]; temp[7] = ~m[7];
rsaz_512_scatter4(table, temp, 0);
/* table [1] = a_inv^1 */
rsaz_512_mul(a_inv, base, RR, m, k0);
rsaz_512_scatter4(table, a_inv, 1);
/* table [2] = a_inv^2 */
rsaz_512_sqr(temp, a_inv, m, k0, 1);
rsaz_512_scatter4(table, temp, 2);
for (index=3; index<16; index++)
rsaz_512_mul_scatter4(temp, a_inv, m, k0, table, index);
const uint8_t *p_str = (const uint8_t *)exponent;
/* load first window */
wvalue = p_str[63];
rsaz_512_gather4(temp, table, wvalue>>4);
rsaz_512_sqr(temp, temp, m, k0, 4);
rsaz_512_mul_gather4(temp, temp, table, m, k0, wvalue&0xf);
for (index=62; index>=0; index--) {
wvalue = p_str[index];
rsaz_512_sqr(temp, temp, m, k0, 4);
rsaz_512_mul_gather4(temp, temp, table, m, k0, wvalue>>4);
rsaz_512_sqr(temp, temp, m, k0, 4);
rsaz_512_mul_gather4(temp, temp, table, m, k0, wvalue&0x0f);
}
/* from Montgomery */
rsaz_512_mul_by_one(result, temp, m, k0);
OPENSSL_cleanse(storage,sizeof(storage));
}
#endif /* OPENSSL_X86_64 */
crypto/bn/rsaz_exp.h
+3
View File
@@ -50,4 +50,7 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16],
const BN_ULONG m_norm[16], const BN_ULONG RR[16], BN_ULONG k0);
int rsaz_avx2_eligible(void);
void RSAZ_512_mod_exp(BN_ULONG result[8],
const BN_ULONG base_norm[8], const BN_ULONG exponent[8],
const BN_ULONG m_norm[8], BN_ULONG k0, const BN_ULONG RR[8]);
#endif
crypto/bn/shift.c
+1 -9
View File
@@ -94,7 +94,7 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n) {
t[nw + i] = (l << lb) & BN_MASK2;
}
}
OPENSSL_memset(t, 0, nw * sizeof(t[0]));
memset(t, 0, nw * sizeof(t[0]));
r->top = a->top + nw + 1;
bn_correct_top(r);
@@ -182,10 +182,6 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n) {
}
}
if (r->top == 0) {
r->neg = 0;
}
return 1;
}
@@ -219,10 +215,6 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a) {
}
r->top = j;
if (r->top == 0) {
r->neg = 0;
}
return 1;
}
crypto/bn/sqrt.c
+1 -3
View File
@@ -456,9 +456,7 @@ int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) {
}
/* We estimate that the square root of an n-bit number is 2^{n/2}. */
if (!BN_lshift(estimate, BN_value_one(), BN_num_bits(in)/2)) {
goto err;
}
BN_lshift(estimate, BN_value_one(), BN_num_bits(in)/2);
/* This is Newton's method for finding a root of the equation |estimate|^2 -
* |in| = 0. */
crypto/buf/buf.c
+4 -6
View File
@@ -61,8 +61,6 @@
#include <openssl/mem.h>
#include <openssl/err.h>
#include "../internal.h"
BUF_MEM *BUF_MEM_new(void) {
BUF_MEM *ret;
@@ -73,7 +71,7 @@ BUF_MEM *BUF_MEM_new(void) {
return NULL;
}
OPENSSL_memset(ret, 0, sizeof(BUF_MEM));
memset(ret, 0, sizeof(BUF_MEM));
return ret;
}
@@ -139,7 +137,7 @@ static size_t buf_mem_grow(BUF_MEM *buf, size_t len, int clean) {
return 0;
}
if (buf->length < len) {
OPENSSL_memset(&buf->data[buf->length], 0, len - buf->length);
memset(&buf->data[buf->length], 0, len - buf->length);
}
buf->length = len;
return len;
@@ -195,7 +193,7 @@ char *BUF_strndup(const char *buf, size_t size) {
return NULL;
}
OPENSSL_memcpy(ret, buf, size);
memcpy(ret, buf, size);
ret[size] = '\0';
return ret;
}
@@ -236,6 +234,6 @@ void *BUF_memdup(const void *data, size_t dst_size) {
return NULL;
}
OPENSSL_memcpy(ret, data, dst_size);
memcpy(ret, data, dst_size);
return ret;
}
crypto/bytestring/asn1_compat.c
+1 -2
View File
@@ -22,7 +22,6 @@
#include <openssl/mem.h>
#include "internal.h"
#include "../internal.h"
int CBB_finish_i2d(CBB *cbb, uint8_t **outp) {
@@ -43,7 +42,7 @@ int CBB_finish_i2d(CBB *cbb, uint8_t **outp) {
*outp = der;
der = NULL;
} else {
OPENSSL_memcpy(*outp, der, der_len);
memcpy(*outp, der, der_len);
*outp += der_len;
}
}
crypto/bytestring/ber.c
+1 -2
View File
@@ -18,7 +18,6 @@
#include <string.h>
#include "internal.h"
#include "../internal.h"
/* kMaxDepth is a just a sanity limit. The code should be such that the length
@@ -101,7 +100,7 @@ static int cbs_find_ber(const CBS *orig_in, char *ber_found, unsigned depth) {
* |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value. */
static char is_eoc(size_t header_len, CBS *contents) {
return header_len == 2 && CBS_len(contents) == 2 &&
OPENSSL_memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
}
/* cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
crypto/bytestring/bytestring_test.cc
+30 -125
View File
@@ -28,6 +28,7 @@
#include "internal.h"
#include "../internal.h"
namespace bssl {
static bool TestSkip() {
static const uint8_t kData[] = {1, 2, 3};
@@ -132,7 +133,7 @@ static bool TestGetASN1() {
}
if (!CBS_get_asn1(&data, &contents, 0x30) ||
CBS_len(&contents) != 2 ||
OPENSSL_memcmp(CBS_data(&contents), "\x01\x02", 2) != 0) {
memcmp(CBS_data(&contents), "\x01\x02", 2) != 0) {
return false;
}
@@ -193,7 +194,7 @@ static bool TestGetASN1() {
!CBS_get_optional_asn1(&data, &contents, &present, 0xa1) ||
!present ||
CBS_len(&contents) != 3 ||
OPENSSL_memcmp(CBS_data(&contents), "\x04\x01\x01", 3) != 0) {
memcmp(CBS_data(&contents), "\x04\x01\x01", 3) != 0) {
return false;
}
@@ -230,25 +231,6 @@ static bool TestGetASN1() {
return false;
}
unsigned tag;
CBS_init(&data, kData1, sizeof(kData1));
if (!CBS_get_any_asn1(&data, &contents, &tag) ||
tag != CBS_ASN1_SEQUENCE ||
CBS_len(&contents) != 2 ||
OPENSSL_memcmp(CBS_data(&contents), "\x01\x02", 2) != 0) {
return false;
}
size_t header_len;
CBS_init(&data, kData1, sizeof(kData1));
if (!CBS_get_any_asn1_element(&data, &contents, &tag, &header_len) ||
tag != CBS_ASN1_SEQUENCE ||
header_len != 2 ||
CBS_len(&contents) != 4 ||
OPENSSL_memcmp(CBS_data(&contents), "\x30\x02\x01\x02", 2) != 0) {
return false;
}
return true;
}
@@ -312,12 +294,11 @@ static bool TestCBBBasic() {
}
bssl::UniquePtr<uint8_t> scoper(buf);
return buf_len == sizeof(kExpected) &&
OPENSSL_memcmp(buf, kExpected, buf_len) == 0;
return buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
}
static bool TestCBBFixed() {
bssl::ScopedCBB cbb;
ScopedCBB cbb;
uint8_t buf[1];
uint8_t *out_buf;
size_t out_size;
@@ -397,12 +378,11 @@ static bool TestCBBPrefixed() {
}
bssl::UniquePtr<uint8_t> scoper(buf);
return buf_len == sizeof(kExpected) &&
OPENSSL_memcmp(buf, kExpected, buf_len) == 0;
return buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
}
static bool TestCBBDiscardChild() {
bssl::ScopedCBB cbb;
ScopedCBB cbb;
CBB contents, inner_contents, inner_inner_contents;
if (!CBB_init(cbb.get(), 0) ||
@@ -447,8 +427,7 @@ static bool TestCBBDiscardChild() {
0, 0, 3, 0xdd, 0xdd, 0xdd,
1, 0xff,
};
return buf_len == sizeof(kExpected) &&
OPENSSL_memcmp(buf, kExpected, buf_len) == 0;
return buf_len == sizeof(kExpected) && memcmp(buf, kExpected, buf_len) == 0;
}
static bool TestCBBMisuse() {
@@ -487,7 +466,7 @@ static bool TestCBBMisuse() {
bssl::UniquePtr<uint8_t> scoper(buf);
if (buf_len != 3 ||
OPENSSL_memcmp(buf, "\x01\x01\x02", 3) != 0) {
memcmp(buf, "\x01\x01\x02", 3) != 0) {
return false;
}
return true;
@@ -510,8 +489,7 @@ static bool TestCBBASN1() {
}
bssl::UniquePtr<uint8_t> scoper(buf);
if (buf_len != sizeof(kExpected) ||
OPENSSL_memcmp(buf, kExpected, buf_len) != 0) {
if (buf_len != sizeof(kExpected) || memcmp(buf, kExpected, buf_len) != 0) {
return false;
}
@@ -529,8 +507,8 @@ static bool TestCBBASN1() {
scoper.reset(buf);
if (buf_len != 3 + 130 ||
OPENSSL_memcmp(buf, "\x30\x81\x82", 3) != 0 ||
OPENSSL_memcmp(buf + 3, test_data.data(), 130) != 0) {
memcmp(buf, "\x30\x81\x82", 3) != 0 ||
memcmp(buf + 3, test_data.data(), 130) != 0) {
return false;
}
@@ -546,8 +524,8 @@ static bool TestCBBASN1() {
scoper.reset(buf);
if (buf_len != 4 + 1000 ||
OPENSSL_memcmp(buf, "\x30\x82\x03\xe8", 4) != 0 ||
OPENSSL_memcmp(buf + 4, test_data.data(), 1000)) {
memcmp(buf, "\x30\x82\x03\xe8", 4) != 0 ||
memcmp(buf + 4, test_data.data(), 1000)) {
return false;
}
@@ -564,9 +542,8 @@ static bool TestCBBASN1() {
scoper.reset(buf);
if (buf_len != 5 + 5 + 100000 ||
OPENSSL_memcmp(buf, "\x30\x83\x01\x86\xa5\x30\x83\x01\x86\xa0", 10) !=
0 ||
OPENSSL_memcmp(buf + 10, test_data.data(), 100000)) {
memcmp(buf, "\x30\x83\x01\x86\xa5\x30\x83\x01\x86\xa0", 10) != 0 ||
memcmp(buf + 10, test_data.data(), 100000)) {
return false;
}
@@ -589,7 +566,7 @@ static bool DoBerConvert(const char *name,
if (out == NULL) {
if (ber_len != der_len ||
OPENSSL_memcmp(der_expected, ber, ber_len) != 0) {
memcmp(der_expected, ber, ber_len) != 0) {
fprintf(stderr, "%s: incorrect unconverted result.\n", name);
return false;
}
@@ -598,7 +575,7 @@ static bool DoBerConvert(const char *name,
}
if (out_len != der_len ||
OPENSSL_memcmp(out, der_expected, der_len) != 0) {
memcmp(out, der_expected, der_len) != 0) {
fprintf(stderr, "%s: incorrect converted result.\n", name);
return false;
}
@@ -707,7 +684,7 @@ static bool TestImplicitString() {
}
if (ok && (CBS_len(&out) != test.out_len ||
OPENSSL_memcmp(CBS_data(&out), test.out, test.out_len) != 0)) {
memcmp(CBS_data(&out), test.out, test.out_len) != 0)) {
fprintf(stderr, "CBS_get_asn1_implicit_string gave the wrong output\n");
return false;
}
@@ -777,8 +754,7 @@ static bool TestASN1Uint64() {
return false;
}
bssl::UniquePtr<uint8_t> scoper(out);
if (len != test->encoding_len ||
OPENSSL_memcmp(out, test->encoding, len) != 0) {
if (len != test->encoding_len || memcmp(out, test->encoding, len) != 0) {
return false;
}
}
@@ -809,7 +785,7 @@ static bool TestCBBReserve() {
uint8_t buf[10];
uint8_t *ptr;
size_t len;
bssl::ScopedCBB cbb;
ScopedCBB cbb;
if (!CBB_init_fixed(cbb.get(), buf, sizeof(buf)) ||
// Too large.
CBB_reserve(cbb.get(), &ptr, 11)) {
@@ -832,7 +808,7 @@ static bool TestCBBReserve() {
static bool TestStickyError() {
// Write an input that exceeds the limit for its length prefix.
bssl::ScopedCBB cbb;
ScopedCBB cbb;
CBB child;
static const uint8_t kZeros[256] = {0};
if (!CBB_init(cbb.get(), 0) ||
@@ -895,83 +871,7 @@ static bool TestStickyError() {
return true;
}
static bool TestBitString() {
static const std::vector<uint8_t> kValidBitStrings[] = {
{0x00}, // 0 bits
{0x07, 0x80}, // 1 bit
{0x04, 0xf0}, // 4 bits
{0x00, 0xff}, // 8 bits
{0x06, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc0}, // 42 bits
};
for (const auto& test : kValidBitStrings) {
CBS cbs;
CBS_init(&cbs, test.data(), test.size());
if (!CBS_is_valid_asn1_bitstring(&cbs)) {
return false;
}
}
static const std::vector<uint8_t> kInvalidBitStrings[] = {
// BIT STRINGs always have a leading byte.
std::vector<uint8_t>{},
// It's not possible to take an unused bit off the empty string.
{0x01},
// There can be at most 7 unused bits.
{0x08, 0xff},
{0xff, 0xff},
// All unused bits must be cleared.
{0x06, 0xff, 0xc1},
};
for (const auto& test : kInvalidBitStrings) {
CBS cbs;
CBS_init(&cbs, test.data(), test.size());
if (CBS_is_valid_asn1_bitstring(&cbs)) {
return false;
}
// CBS_asn1_bitstring_has_bit returns false on invalid inputs.
if (CBS_asn1_bitstring_has_bit(&cbs, 0)) {
return false;
}
}
static const struct {
std::vector<uint8_t> in;
unsigned bit;
bool bit_set;
} kBitTests[] = {
// Basic tests.
{{0x00}, 0, false},
{{0x07, 0x80}, 0, true},
{{0x06, 0x0f, 0x40}, 0, false},
{{0x06, 0x0f, 0x40}, 1, false},
{{0x06, 0x0f, 0x40}, 2, false},
{{0x06, 0x0f, 0x40}, 3, false},
{{0x06, 0x0f, 0x40}, 4, true},
{{0x06, 0x0f, 0x40}, 5, true},
{{0x06, 0x0f, 0x40}, 6, true},
{{0x06, 0x0f, 0x40}, 7, true},
{{0x06, 0x0f, 0x40}, 8, false},
{{0x06, 0x0f, 0x40}, 9, true},
// Out-of-bounds bits return 0.
{{0x06, 0x0f, 0x40}, 10, false},
{{0x06, 0x0f, 0x40}, 15, false},
{{0x06, 0x0f, 0x40}, 16, false},
{{0x06, 0x0f, 0x40}, 1000, false},
};
for (const auto& test : kBitTests) {
CBS cbs;
CBS_init(&cbs, test.in.data(), test.in.size());
if (CBS_asn1_bitstring_has_bit(&cbs, test.bit) !=
static_cast<int>(test.bit_set)) {
return false;
}
}
return true;
}
int main() {
static int Main() {
CRYPTO_library_init();
if (!TestSkip() ||
@@ -992,11 +892,16 @@ int main() {
!TestGetOptionalASN1Bool() ||
!TestZero() ||
!TestCBBReserve() ||
!TestStickyError() ||
!TestBitString()) {
!TestStickyError()) {
return 1;
}
printf("PASS\n");
return 0;
}
} // namespace bssl
int main() {
return bssl::Main();
}
crypto/bytestring/cbb.c
+7 -9
View File
@@ -19,11 +19,9 @@
#include <openssl/mem.h>
#include "../internal.h"
void CBB_zero(CBB *cbb) {
OPENSSL_memset(cbb, 0, sizeof(CBB));
memset(cbb, 0, sizeof(CBB));
}
static int cbb_init(CBB *cbb, uint8_t *buf, size_t cap) {
@@ -254,8 +252,8 @@ int CBB_flush(CBB *cbb) {
if (!cbb_buffer_add(cbb->base, NULL, extra_bytes)) {
goto err;
}
OPENSSL_memmove(cbb->base->buf + child_start + extra_bytes,
cbb->base->buf + child_start, len);
memmove(cbb->base->buf + child_start + extra_bytes,
cbb->base->buf + child_start, len);
}
cbb->base->buf[cbb->child->offset++] = initial_length_byte;
cbb->child->pending_len_len = len_len - 1;
@@ -305,8 +303,8 @@ static int cbb_add_length_prefixed(CBB *cbb, CBB *out_contents,
return 0;
}
OPENSSL_memset(prefix_bytes, 0, len_len);
OPENSSL_memset(out_contents, 0, sizeof(CBB));
memset(prefix_bytes, 0, len_len);
memset(out_contents, 0, sizeof(CBB));
out_contents->base = cbb->base;
cbb->child = out_contents;
cbb->child->offset = offset;
@@ -348,7 +346,7 @@ int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag) {
return 0;
}
OPENSSL_memset(out_contents, 0, sizeof(CBB));
memset(out_contents, 0, sizeof(CBB));
out_contents->base = cbb->base;
cbb->child = out_contents;
cbb->child->offset = offset;
@@ -365,7 +363,7 @@ int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len) {
!cbb_buffer_add(cbb->base, &dest, len)) {
return 0;
}
OPENSSL_memcpy(dest, data, len);
memcpy(dest, data, len);
return 1;
}
crypto/bytestring/cbs.c
+2 -54
View File
@@ -20,7 +20,6 @@
#include <string.h>
#include "internal.h"
#include "../internal.h"
void CBS_init(CBS *cbs, const uint8_t *data, size_t len) {
@@ -77,7 +76,7 @@ int CBS_strdup(const CBS *cbs, char **out_ptr) {
}
int CBS_contains_zero_byte(const CBS *cbs) {
return OPENSSL_memchr(cbs->data, 0, cbs->len) != NULL;
return memchr(cbs->data, 0, cbs->len) != NULL;
}
int CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len) {
@@ -151,7 +150,7 @@ int CBS_copy_bytes(CBS *cbs, uint8_t *out, size_t len) {
if (!cbs_get(cbs, &v, len)) {
return 0;
}
OPENSSL_memcpy(out, v, len);
memcpy(out, v, len);
return 1;
}
@@ -263,20 +262,6 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
return CBS_get_bytes(cbs, out, len);
}
int CBS_get_any_asn1(CBS *cbs, CBS *out, unsigned *out_tag) {
size_t header_len;
if (!CBS_get_any_asn1_element(cbs, out, out_tag, &header_len)) {
return 0;
}
if (!CBS_skip(out, header_len)) {
assert(0);
return 0;
}
return 1;
}
int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
size_t *out_header_len) {
return cbs_get_any_asn1_element(cbs, out, out_tag, out_header_len,
@@ -452,40 +437,3 @@ int CBS_get_optional_asn1_bool(CBS *cbs, int *out, unsigned tag,
}
return 1;
}
int CBS_is_valid_asn1_bitstring(const CBS *cbs) {
CBS in = *cbs;
uint8_t num_unused_bits;
if (!CBS_get_u8(&in, &num_unused_bits) ||
num_unused_bits > 7) {
return 0;
}
if (num_unused_bits == 0) {
return 1;
}
/* All num_unused_bits bits must exist and be zeros. */
uint8_t last;
if (!CBS_get_last_u8(&in, &last) ||
(last & ((1 << num_unused_bits) - 1)) != 0) {
return 0;
}
return 1;
}
int CBS_asn1_bitstring_has_bit(const CBS *cbs, unsigned bit) {
if (!CBS_is_valid_asn1_bitstring(cbs)) {
return 0;
}
const unsigned byte_num = (bit >> 3) + 1;
const unsigned bit_num = 7 - (bit & 7);
/* Unused bits are zero, and this function does not distinguish between
* missing and unset bits. Thus it is sufficient to do a byte-level length
* check. */
return byte_num < CBS_len(cbs) &&
(CBS_data(cbs)[byte_num] & (1 << bit_num)) != 0;
}
crypto/chacha/chacha.c
+1 -1
View File
@@ -96,7 +96,7 @@ static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
uint32_t x[16];
int i;
OPENSSL_memcpy(x, input, sizeof(uint32_t) * 16);
memcpy(x, input, sizeof(uint32_t) * 16);
for (i = 20; i > 0; i -= 2) {
QUARTERROUND(0, 4, 8, 12)
QUARTERROUND(1, 5, 9, 13)
crypto/chacha/chacha_test.cc
+3 -5
View File
@@ -21,8 +21,6 @@
#include <openssl/crypto.h>
#include <openssl/chacha.h>
#include "../internal.h"
static const uint8_t kKey[32] = {
0x98, 0xbe, 0xf1, 0x46, 0x9b, 0xe7, 0x26, 0x98, 0x37, 0xa4, 0x5b,
@@ -219,15 +217,15 @@ static_assert(sizeof(kInput) == sizeof(kOutput),
static bool TestChaCha20(size_t len) {
std::unique_ptr<uint8_t[]> buf(new uint8_t[len]);
CRYPTO_chacha_20(buf.get(), kInput, len, kKey, kNonce, kCounter);
if (OPENSSL_memcmp(buf.get(), kOutput, len) != 0) {
if (memcmp(buf.get(), kOutput, len) != 0) {
fprintf(stderr, "Mismatch at length %zu.\n", len);
return false;
}
// Test in-place.
OPENSSL_memcpy(buf.get(), kInput, len);
memcpy(buf.get(), kInput, len);
CRYPTO_chacha_20(buf.get(), buf.get(), len, kKey, kNonce, kCounter);
if (OPENSSL_memcmp(buf.get(), kOutput, len) != 0) {
if (memcmp(buf.get(), kOutput, len) != 0) {
fprintf(stderr, "Mismatch at length %zu, in-place.\n", len);
return false;
}
crypto/cipher/aead.c
+3 -3
View File
@@ -32,7 +32,7 @@ size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) { return aead->overhead; }
size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) { return aead->max_tag_len; }
void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx) {
OPENSSL_memset(ctx, 0, sizeof(EVP_AEAD_CTX));
memset(ctx, 0, sizeof(EVP_AEAD_CTX));
}
int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,
@@ -116,7 +116,7 @@ int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
error:
/* In the event of an error, clear the output buffer so that a caller
* that doesn't check the return value doesn't send raw data. */
OPENSSL_memset(out, 0, max_out_len);
memset(out, 0, max_out_len);
*out_len = 0;
return 0;
}
@@ -139,7 +139,7 @@ error:
/* In the event of an error, clear the output buffer so that a caller
* that doesn't check the return value doesn't try and process bad
* data. */
OPENSSL_memset(out, 0, max_out_len);
memset(out, 0, max_out_len);
*out_len = 0;
return 0;
}
crypto/cipher/aead_test.cc
+21 -29
View File
@@ -21,18 +21,9 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
#include "../internal.h"
#include "../test/file_test.h"
#if defined(OPENSSL_SMALL)
const EVP_AEAD* EVP_aead_aes_128_gcm_siv(void) {
return nullptr;
}
const EVP_AEAD* EVP_aead_aes_256_gcm_siv(void) {
return nullptr;
}
#endif
namespace bssl {
// This program tests an AEAD against a series of test vectors from a file,
// using the FileTest format. As an example, here's a valid test case:
@@ -57,7 +48,7 @@ static bool TestAEAD(FileTest *t, void *arg) {
return false;
}
bssl::ScopedEVP_AEAD_CTX ctx;
ScopedEVP_AEAD_CTX ctx;
if (!EVP_AEAD_CTX_init_with_direction(ctx.get(), aead, key.data(), key.size(),
tag.size(), evp_aead_seal)) {
t->PrintLine("Failed to init AEAD.");
@@ -87,8 +78,8 @@ static bool TestAEAD(FileTest *t, void *arg) {
}
} else {
out.resize(ct.size() + tag.size());
OPENSSL_memcpy(out.data(), ct.data(), ct.size());
OPENSSL_memcpy(out.data() + ct.size(), tag.data(), tag.size());
memcpy(out.data(), ct.data(), ct.size());
memcpy(out.data() + ct.size(), tag.data(), tag.size());
}
// The "stateful" AEADs for implementing pre-AEAD cipher suites need to be
@@ -171,7 +162,7 @@ static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) {
EVP_AEAD_CTX ctx;
uint8_t key[128];
OPENSSL_memset(key, 0, sizeof(key));
memset(key, 0, sizeof(key));
const size_t key_len = EVP_AEAD_key_length(aead);
if (key_len > sizeof(key)) {
fprintf(stderr, "Key length of AEAD too long.\n");
@@ -207,7 +198,7 @@ static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
const size_t max_overhead = EVP_AEAD_max_overhead(aead);
std::vector<uint8_t> key(key_len, 'a');
bssl::ScopedEVP_AEAD_CTX ctx;
ScopedEVP_AEAD_CTX ctx;
if (!EVP_AEAD_CTX_init(ctx.get(), aead, key.data(), key_len,
EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr)) {
return false;
@@ -240,7 +231,7 @@ static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
uint8_t *out1 = buffer.data();
uint8_t *out2 = buffer.data() + 2;
OPENSSL_memcpy(in, kPlaintext, sizeof(kPlaintext));
memcpy(in, kPlaintext, sizeof(kPlaintext));
size_t out_len;
if (EVP_AEAD_CTX_seal(ctx.get(), out1, &out_len,
sizeof(kPlaintext) + max_overhead, nonce.data(),
@@ -253,7 +244,7 @@ static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
}
ERR_clear_error();
OPENSSL_memcpy(in, valid_encryption.data(), valid_encryption_len);
memcpy(in, valid_encryption.data(), valid_encryption_len);
if (EVP_AEAD_CTX_open(ctx.get(), out1, &out_len, valid_encryption_len,
nonce.data(), nonce_len, in, valid_encryption_len,
nullptr, 0) ||
@@ -266,7 +257,7 @@ static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
ERR_clear_error();
// Test with out == in, which we expect to work.
OPENSSL_memcpy(in, kPlaintext, sizeof(kPlaintext));
memcpy(in, kPlaintext, sizeof(kPlaintext));
if (!EVP_AEAD_CTX_seal(ctx.get(), in, &out_len,
sizeof(kPlaintext) + max_overhead, nonce.data(),
@@ -276,12 +267,12 @@ static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
}
if (out_len != valid_encryption_len ||
OPENSSL_memcmp(in, valid_encryption.data(), out_len) != 0) {
memcmp(in, valid_encryption.data(), out_len) != 0) {
fprintf(stderr, "EVP_AEAD_CTX_seal produced bad output in-place.\n");
return false;
}
OPENSSL_memcpy(in, valid_encryption.data(), valid_encryption_len);
memcpy(in, valid_encryption.data(), valid_encryption_len);
if (!EVP_AEAD_CTX_open(ctx.get(), in, &out_len, valid_encryption_len,
nonce.data(), nonce_len, in, valid_encryption_len,
nullptr, 0)) {
@@ -290,7 +281,7 @@ static bool TestWithAliasedBuffers(const EVP_AEAD *aead) {
}
if (out_len != sizeof(kPlaintext) ||
OPENSSL_memcmp(in, kPlaintext, out_len) != 0) {
memcmp(in, kPlaintext, out_len) != 0) {
fprintf(stderr, "EVP_AEAD_CTX_open produced bad output in-place.\n");
return false;
}
@@ -311,8 +302,6 @@ struct KnownAEAD {
static const struct KnownAEAD kAEADs[] = {
{ "aes-128-gcm", EVP_aead_aes_128_gcm, false },
{ "aes-256-gcm", EVP_aead_aes_256_gcm, false },
{ "aes-128-gcm-siv", EVP_aead_aes_128_gcm_siv, false },
{ "aes-256-gcm-siv", EVP_aead_aes_256_gcm_siv, false },
{ "chacha20-poly1305", EVP_aead_chacha20_poly1305, false },
{ "chacha20-poly1305-old", EVP_aead_chacha20_poly1305_old, false },
{ "aes-128-cbc-sha1-tls", EVP_aead_aes_128_cbc_sha1_tls, true },
@@ -327,12 +316,14 @@ static const struct KnownAEAD kAEADs[] = {
{ "aes-128-cbc-sha1-ssl3", EVP_aead_aes_128_cbc_sha1_ssl3, true },
{ "aes-256-cbc-sha1-ssl3", EVP_aead_aes_256_cbc_sha1_ssl3, true },
{ "des-ede3-cbc-sha1-ssl3", EVP_aead_des_ede3_cbc_sha1_ssl3, true },
{ "aes-128-key-wrap", EVP_aead_aes_128_key_wrap, true },
{ "aes-256-key-wrap", EVP_aead_aes_256_key_wrap, true },
{ "aes-128-ctr-hmac-sha256", EVP_aead_aes_128_ctr_hmac_sha256, false },
{ "aes-256-ctr-hmac-sha256", EVP_aead_aes_256_ctr_hmac_sha256, false },
{ "", NULL, false },
};
int main(int argc, char **argv) {
static int Main(int argc, char **argv) {
CRYPTO_library_init();
if (argc != 3) {
@@ -353,11 +344,6 @@ int main(int argc, char **argv) {
}
const EVP_AEAD *const aead = known_aead->func();
if (aead == NULL) {
// AEAD is not compiled in this configuration.
printf("PASS\n");
return 0;
}
if (!TestCleanupAfterInitFailure(aead)) {
return 1;
@@ -370,3 +356,9 @@ int main(int argc, char **argv) {
return FileTestMain(TestAEAD, const_cast<EVP_AEAD*>(aead), argv[2]);
}
} // namespace bssl
int main(int argc, char **argv) {
return bssl::Main(argc, argv);
}
crypto/cipher/cipher.c
+12 -13
View File
@@ -64,7 +64,6 @@
#include <openssl/nid.h>
#include "internal.h"
#include "../internal.h"
const EVP_CIPHER *EVP_get_cipherbynid(int nid) {
@@ -89,7 +88,7 @@ const EVP_CIPHER *EVP_get_cipherbynid(int nid) {
}
void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) {
OPENSSL_memset(ctx, 0, sizeof(EVP_CIPHER_CTX));
memset(ctx, 0, sizeof(EVP_CIPHER_CTX));
}
EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) {
@@ -109,7 +108,7 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) {
}
OPENSSL_free(c->cipher_data);
OPENSSL_memset(c, 0, sizeof(EVP_CIPHER_CTX));
memset(c, 0, sizeof(EVP_CIPHER_CTX));
return 1;
}
@@ -127,7 +126,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) {
}
EVP_CIPHER_CTX_cleanup(out);
OPENSSL_memcpy(out, in, sizeof(EVP_CIPHER_CTX));
memcpy(out, in, sizeof(EVP_CIPHER_CTX));
if (in->cipher_data && in->cipher->ctx_size) {
out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size);
@@ -135,7 +134,7 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) {
OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
return 0;
}
OPENSSL_memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size);
}
if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) {
@@ -211,9 +210,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
case EVP_CIPH_CBC_MODE:
assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof(ctx->iv));
if (iv) {
OPENSSL_memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
}
OPENSSL_memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
break;
case EVP_CIPH_CTR_MODE:
@@ -221,7 +220,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
ctx->num = 0;
/* Don't reuse IV for CTR mode */
if (iv) {
OPENSSL_memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));
}
break;
@@ -286,13 +285,13 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
assert(bl <= (int)sizeof(ctx->buf));
if (i != 0) {
if (bl - i > in_len) {
OPENSSL_memcpy(&ctx->buf[i], in, in_len);
memcpy(&ctx->buf[i], in, in_len);
ctx->buf_len += in_len;
*out_len = 0;
return 1;
} else {
j = bl - i;
OPENSSL_memcpy(&ctx->buf[i], in, j);
memcpy(&ctx->buf[i], in, j);
if (!ctx->cipher->cipher(ctx, out, ctx->buf, bl)) {
return 0;
}
@@ -315,7 +314,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
}
if (i != 0) {
OPENSSL_memcpy(ctx->buf, &in[in_len], i);
memcpy(ctx->buf, &in[in_len], i);
}
ctx->buf_len = i;
return 1;
@@ -394,7 +393,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
assert(b <= sizeof(ctx->final));
if (ctx->final_used) {
OPENSSL_memcpy(out, ctx->final, b);
memcpy(out, ctx->final, b);
out += b;
fix_len = 1;
} else {
@@ -410,7 +409,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,
if (b > 1 && !ctx->buf_len) {
*out_len -= b;
ctx->final_used = 1;
OPENSSL_memcpy(ctx->final, &out[*out_len], b);
memcpy(ctx->final, &out[*out_len], b);
} else {
ctx->final_used = 0;
}
crypto/cipher/cipher_test.cc
+9 -2
View File
@@ -63,6 +63,7 @@
#include "../test/file_test.h"
namespace bssl {
static const EVP_CIPHER *GetCipher(const std::string &name) {
if (name == "DES-CBC") {
@@ -126,7 +127,7 @@ static bool TestOperation(FileTest *t,
bool is_aead = EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE;
bssl::ScopedEVP_CIPHER_CTX ctx;
ScopedEVP_CIPHER_CTX ctx;
if (!EVP_CipherInit_ex(ctx.get(), cipher, nullptr, nullptr, nullptr,
encrypt ? 1 : 0)) {
return false;
@@ -283,7 +284,7 @@ static bool TestCipher(FileTest *t, void *arg) {
return true;
}
int main(int argc, char **argv) {
static int Main(int argc, char **argv) {
CRYPTO_library_init();
if (argc != 2) {
@@ -293,3 +294,9 @@ int main(int argc, char **argv) {
return FileTestMain(TestCipher, nullptr, argv[1]);
}
} // namespace bssl
int main(int argc, char **argv) {
return bssl::Main(argc, argv);
}
crypto/cipher/e_aes.c
+281 -320
View File
@@ -479,7 +479,7 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
if (gctx->key_set) {
CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
} else {
OPENSSL_memcpy(gctx->iv, iv, gctx->ivlen);
memcpy(gctx->iv, iv, gctx->ivlen);
}
gctx->iv_set = 1;
gctx->iv_gen = 0;
@@ -545,7 +545,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
if (arg <= 0 || arg > 16 || c->encrypt) {
return 0;
}
OPENSSL_memcpy(c->buf, ptr, arg);
memcpy(c->buf, ptr, arg);
gctx->taglen = arg;
return 1;
@@ -553,13 +553,13 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) {
return 0;
}
OPENSSL_memcpy(ptr, c->buf, arg);
memcpy(ptr, c->buf, arg);
return 1;
case EVP_CTRL_GCM_SET_IV_FIXED:
/* Special case: -1 length restores whole IV */
if (arg == -1) {
OPENSSL_memcpy(gctx->iv, ptr, gctx->ivlen);
memcpy(gctx->iv, ptr, gctx->ivlen);
gctx->iv_gen = 1;
return 1;
}
@@ -569,7 +569,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
return 0;
}
if (arg) {
OPENSSL_memcpy(gctx->iv, ptr, arg);
memcpy(gctx->iv, ptr, arg);
}
if (c->encrypt && !RAND_bytes(gctx->iv + arg, gctx->ivlen - arg)) {
return 0;
@@ -585,7 +585,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
if (arg <= 0 || arg > gctx->ivlen) {
arg = gctx->ivlen;
}
OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);
/* Invocation field will be at least 8 bytes in size and
* so no need to check wrap around or increment more than
* last 8 bytes. */
@@ -597,7 +597,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) {
return 0;
}
OPENSSL_memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);
CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, gctx->iv, gctx->ivlen);
gctx->iv_set = 1;
return 1;
@@ -612,7 +612,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
if (!gctx_out->iv) {
return 0;
}
OPENSSL_memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
memcpy(gctx_out->iv, gctx->iv, gctx->ivlen);
}
return 1;
}
@@ -860,7 +860,7 @@ static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
if (gctx->key_set) {
CRYPTO_gcm128_setiv(&gctx->gcm, &gctx->ks.ks, iv, gctx->ivlen);
} else {
OPENSSL_memcpy(gctx->iv, iv, gctx->ivlen);
memcpy(gctx->iv, iv, gctx->ivlen);
}
gctx->iv_set = 1;
gctx->iv_gen = 0;
@@ -1073,7 +1073,7 @@ static int aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
const AES_KEY *key = &gcm_ctx->ks.ks;
OPENSSL_memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
if (ad_len > 0 && !CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
@@ -1120,7 +1120,7 @@ static int aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
const AES_KEY *key = &gcm_ctx->ks.ks;
OPENSSL_memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm));
CRYPTO_gcm128_setiv(&gcm, key, nonce, nonce_len);
if (!CRYPTO_gcm128_aad(&gcm, ad, ad_len)) {
@@ -1179,6 +1179,266 @@ const EVP_AEAD *EVP_aead_aes_128_gcm(void) { return &aead_aes_128_gcm; }
const EVP_AEAD *EVP_aead_aes_256_gcm(void) { return &aead_aes_256_gcm; }
/* AES Key Wrap is specified in
* http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
* or https://tools.ietf.org/html/rfc3394 */
struct aead_aes_key_wrap_ctx {
uint8_t key[32];
unsigned key_bits;
};
static int aead_aes_key_wrap_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
size_t key_len, size_t tag_len) {
struct aead_aes_key_wrap_ctx *kw_ctx;
const size_t key_bits = key_len * 8;
if (key_bits != 128 && key_bits != 256) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
return 0; /* EVP_AEAD_CTX_init should catch this. */
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
tag_len = 8;
}
if (tag_len != 8) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);
return 0;
}
kw_ctx = OPENSSL_malloc(sizeof(struct aead_aes_key_wrap_ctx));
if (kw_ctx == NULL) {
OPENSSL_PUT_ERROR(CIPHER, ERR_R_MALLOC_FAILURE);
return 0;
}
memcpy(kw_ctx->key, key, key_len);
kw_ctx->key_bits = key_bits;
ctx->aead_state = kw_ctx;
return 1;
}
static void aead_aes_key_wrap_cleanup(EVP_AEAD_CTX *ctx) {
struct aead_aes_key_wrap_ctx *kw_ctx = ctx->aead_state;
OPENSSL_cleanse(kw_ctx, sizeof(struct aead_aes_key_wrap_ctx));
OPENSSL_free(kw_ctx);
}
/* kDefaultAESKeyWrapNonce is the default nonce value given in 2.2.3.1. */
static const uint8_t kDefaultAESKeyWrapNonce[8] = {0xa6, 0xa6, 0xa6, 0xa6,
0xa6, 0xa6, 0xa6, 0xa6};
static int aead_aes_key_wrap_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *nonce, size_t nonce_len,
const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len) {
const struct aead_aes_key_wrap_ctx *kw_ctx = ctx->aead_state;
union {
double align;
AES_KEY ks;
} ks;
/* Variables in this function match up with the variables in the second half
* of section 2.2.1. */
unsigned i, j, n;
uint8_t A[AES_BLOCK_SIZE];
if (ad_len != 0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE);
return 0;
}
if (nonce_len == 0) {
nonce = kDefaultAESKeyWrapNonce;
nonce_len = sizeof(kDefaultAESKeyWrapNonce);
}
if (nonce_len != 8) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
return 0;
}
if (in_len % 8 != 0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE);
return 0;
}
/* The code below only handles a 32-bit |t| thus 6*|n| must be less than
* 2^32, where |n| is |in_len| / 8. So in_len < 4/3 * 2^32 and we
* conservatively cap it to 2^32-16 to stop 32-bit platforms complaining that
* a comparison is always true. */
if (in_len > 0xfffffff0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
n = in_len / 8;
if (n < 2) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE);
return 0;
}
if (in_len + 8 < in_len) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
if (max_out_len < in_len + 8) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
if (AES_set_encrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
return 0;
}
memmove(out + 8, in, in_len);
memcpy(A, nonce, 8);
for (j = 0; j < 6; j++) {
for (i = 1; i <= n; i++) {
uint32_t t;
memcpy(A + 8, out + 8 * i, 8);
AES_encrypt(A, A, &ks.ks);
t = n * j + i;
A[7] ^= t & 0xff;
A[6] ^= (t >> 8) & 0xff;
A[5] ^= (t >> 16) & 0xff;
A[4] ^= (t >> 24) & 0xff;
memcpy(out + 8 * i, A + 8, 8);
}
}
memcpy(out, A, 8);
*out_len = in_len + 8;
return 1;
}
static int aead_aes_key_wrap_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *nonce, size_t nonce_len,
const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len) {
const struct aead_aes_key_wrap_ctx *kw_ctx = ctx->aead_state;
union {
double align;
AES_KEY ks;
} ks;
/* Variables in this function match up with the variables in the second half
* of section 2.2.1. */
unsigned i, j, n;
uint8_t A[AES_BLOCK_SIZE];
if (ad_len != 0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_AD_SIZE);
return 0;
}
if (nonce_len == 0) {
nonce = kDefaultAESKeyWrapNonce;
nonce_len = sizeof(kDefaultAESKeyWrapNonce);
}
if (nonce_len != 8) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
return 0;
}
if (in_len % 8 != 0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_INPUT_SIZE);
return 0;
}
/* The code below only handles a 32-bit |t| thus 6*|n| must be less than
* 2^32, where |n| is |in_len| / 8. So in_len < 4/3 * 2^32 and we
* conservatively cap it to 2^32-8 to stop 32-bit platforms complaining that
* a comparison is always true. */
if (in_len > 0xfffffff8) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
if (in_len < 24) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
}
n = (in_len / 8) - 1;
if (max_out_len < in_len - 8) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
if (AES_set_decrypt_key(kw_ctx->key, kw_ctx->key_bits, &ks.ks) < 0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);
return 0;
}
memcpy(A, in, 8);
memmove(out, in + 8, in_len - 8);
for (j = 5; j < 6; j--) {
for (i = n; i > 0; i--) {
uint32_t t;
t = n * j + i;
A[7] ^= t & 0xff;
A[6] ^= (t >> 8) & 0xff;
A[5] ^= (t >> 16) & 0xff;
A[4] ^= (t >> 24) & 0xff;
memcpy(A + 8, out + 8 * (i - 1), 8);
AES_decrypt(A, A, &ks.ks);
memcpy(out + 8 * (i - 1), A + 8, 8);
}
}
if (CRYPTO_memcmp(A, nonce, 8) != 0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
}
*out_len = in_len - 8;
return 1;
}
static const EVP_AEAD aead_aes_128_key_wrap = {
16, /* key len */
8, /* nonce len */
8, /* overhead */
8, /* max tag length */
aead_aes_key_wrap_init,
NULL, /* init_with_direction */
aead_aes_key_wrap_cleanup,
aead_aes_key_wrap_seal,
aead_aes_key_wrap_open,
NULL, /* get_iv */
};
static const EVP_AEAD aead_aes_256_key_wrap = {
32, /* key len */
8, /* nonce len */
8, /* overhead */
8, /* max tag length */
aead_aes_key_wrap_init,
NULL, /* init_with_direction */
aead_aes_key_wrap_cleanup,
aead_aes_key_wrap_seal,
aead_aes_key_wrap_open,
NULL, /* get_iv */
};
const EVP_AEAD *EVP_aead_aes_128_key_wrap(void) { return &aead_aes_128_key_wrap; }
const EVP_AEAD *EVP_aead_aes_256_key_wrap(void) { return &aead_aes_256_key_wrap; }
#define EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN SHA256_DIGEST_LENGTH
#define EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN 12
@@ -1198,8 +1458,8 @@ static void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,
const uint8_t hmac_key[32]) {
static const size_t hmac_key_len = 32;
uint8_t block[SHA256_CBLOCK];
OPENSSL_memcpy(block, hmac_key, hmac_key_len);
OPENSSL_memset(block + hmac_key_len, 0x36, sizeof(block) - hmac_key_len);
memcpy(block, hmac_key, hmac_key_len);
memset(block + hmac_key_len, 0x36, sizeof(block) - hmac_key_len);
unsigned i;
for (i = 0; i < hmac_key_len; i++) {
@@ -1209,7 +1469,7 @@ static void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,
SHA256_Init(out_inner);
SHA256_Update(out_inner, block, sizeof(block));
OPENSSL_memset(block + hmac_key_len, 0x5c, sizeof(block) - hmac_key_len);
memset(block + hmac_key_len, 0x5c, sizeof(block) - hmac_key_len);
for (i = 0; i < hmac_key_len; i++) {
block[i] ^= (0x36 ^ 0x5c);
}
@@ -1284,7 +1544,7 @@ static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],
const uint8_t *nonce, const uint8_t *ciphertext,
size_t ciphertext_len) {
SHA256_CTX sha256;
OPENSSL_memcpy(&sha256, inner_init_state, sizeof(sha256));
memcpy(&sha256, inner_init_state, sizeof(sha256));
hmac_update_uint64(&sha256, ad_len);
hmac_update_uint64(&sha256, ciphertext_len);
SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
@@ -1297,7 +1557,7 @@ static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],
SHA256_CBLOCK)) %
SHA256_CBLOCK;
uint8_t padding[SHA256_CBLOCK];
OPENSSL_memset(padding, 0, num_padding);
memset(padding, 0, num_padding);
SHA256_Update(&sha256, padding, num_padding);
SHA256_Update(&sha256, ciphertext, ciphertext_len);
@@ -1305,7 +1565,7 @@ static void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],
uint8_t inner_digest[SHA256_DIGEST_LENGTH];
SHA256_Final(inner_digest, &sha256);
OPENSSL_memcpy(&sha256, outer_init_state, sizeof(sha256));
memcpy(&sha256, outer_init_state, sizeof(sha256));
SHA256_Update(&sha256, inner_digest, sizeof(inner_digest));
SHA256_Final(out, &sha256);
}
@@ -1317,11 +1577,11 @@ static void aead_aes_ctr_hmac_sha256_crypt(
* bytes is pointless. However, |CRYPTO_ctr128_encrypt| requires it. */
uint8_t partial_block_buffer[AES_BLOCK_SIZE];
unsigned partial_block_offset = 0;
OPENSSL_memset(partial_block_buffer, 0, sizeof(partial_block_buffer));
memset(partial_block_buffer, 0, sizeof(partial_block_buffer));
uint8_t counter[AES_BLOCK_SIZE];
OPENSSL_memcpy(counter, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
OPENSSL_memset(counter + EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN, 0, 4);
memcpy(counter, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);
memset(counter + EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN, 0, 4);
if (aes_ctx->ctr) {
CRYPTO_ctr128_encrypt_ctr32(in, out, len, &aes_ctx->ks.ks, counter,
@@ -1364,7 +1624,7 @@ static int aead_aes_ctr_hmac_sha256_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
uint8_t hmac_result[SHA256_DIGEST_LENGTH];
hmac_calculate(hmac_result, &aes_ctx->inner_init_state,
&aes_ctx->outer_init_state, ad, ad_len, nonce, out, in_len);
OPENSSL_memcpy(out + in_len, hmac_result, aes_ctx->tag_len);
memcpy(out + in_len, hmac_result, aes_ctx->tag_len);
*out_len = in_len + aes_ctx->tag_len;
return 1;
@@ -1446,305 +1706,6 @@ const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void) {
return &aead_aes_256_ctr_hmac_sha256;
}
#if !defined(OPENSSL_SMALL)
#define EVP_AEAD_AES_GCM_SIV_TAG_LEN 16
struct aead_aes_gcm_siv_ctx {
union {
double align;
AES_KEY ks;
} ks;
block128_f kgk_block;
unsigned is_256:1;
};
static int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
size_t key_len, size_t tag_len) {
const size_t key_bits = key_len * 8;
if (key_bits != 128 && key_bits != 256) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);
return 0; /* EVP_AEAD_CTX_init should catch this. */
}
if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {
tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN;
}
if (tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);
return 0;
}
struct aead_aes_gcm_siv_ctx *gcm_siv_ctx =
OPENSSL_malloc(sizeof(struct aead_aes_gcm_siv_ctx));
if (gcm_siv_ctx == NULL) {
return 0;
}
OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx));
if (aesni_capable()) {
aesni_set_encrypt_key(key, key_len * 8, &gcm_siv_ctx->ks.ks);
gcm_siv_ctx->kgk_block = (block128_f)aesni_encrypt;
} else if (hwaes_capable()) {
aes_hw_set_encrypt_key(key, key_len * 8, &gcm_siv_ctx->ks.ks);
gcm_siv_ctx->kgk_block = (block128_f)aes_hw_encrypt;
} else if (vpaes_capable()) {
vpaes_set_encrypt_key(key, key_len * 8, &gcm_siv_ctx->ks.ks);
gcm_siv_ctx->kgk_block = (block128_f)vpaes_encrypt;
} else {
AES_set_encrypt_key(key, key_len * 8, &gcm_siv_ctx->ks.ks);
gcm_siv_ctx->kgk_block = (block128_f)AES_encrypt;
}
gcm_siv_ctx->is_256 = (key_len == 32);
ctx->aead_state = gcm_siv_ctx;
return 1;
}
static void aead_aes_gcm_siv_cleanup(EVP_AEAD_CTX *ctx) {
struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;
OPENSSL_cleanse(gcm_siv_ctx, sizeof(struct aead_aes_gcm_siv_ctx));
OPENSSL_free(gcm_siv_ctx);
}
/* gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from
* |in| to |out|, using the block function |enc_block| with |key| in counter
* mode, starting at |initial_counter|. This differs from the traditional
* counter mode code in that the counter is handled little-endian, only the
* first four bytes are used and the GCM-SIV tweak to the final byte is
* applied. The |in| and |out| pointers may be equal but otherwise must not
* alias. */
static void gcm_siv_crypt(uint8_t *out, const uint8_t *in, size_t in_len,
const uint8_t initial_counter[AES_BLOCK_SIZE],
block128_f enc_block, const AES_KEY *key) {
union {
uint32_t w[4];
uint8_t c[16];
} counter;
OPENSSL_memcpy(counter.c, initial_counter, AES_BLOCK_SIZE);
counter.c[15] |= 0x80;
for (size_t done = 0; done < in_len;) {
uint8_t keystream[AES_BLOCK_SIZE];
enc_block(counter.c, keystream, key);
counter.w[0]++;
size_t todo = AES_BLOCK_SIZE;
if (in_len - done < todo) {
todo = in_len - done;
}
for (size_t i = 0; i < todo; i++) {
out[done + i] = keystream[i] ^ in[done + i];
}
done += todo;
}
}
/* gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and
* AD. The result is written to |out_tag|. */
static void gcm_siv_polyval(uint8_t out_tag[16], const uint8_t *in,
size_t in_len, const uint8_t *ad, size_t ad_len,
const uint8_t auth_key[16]) {
struct polyval_ctx polyval_ctx;
CRYPTO_POLYVAL_init(&polyval_ctx, auth_key);
CRYPTO_POLYVAL_update_blocks(&polyval_ctx, ad, ad_len & ~15);
uint8_t scratch[16];
if (ad_len & 15) {
OPENSSL_memset(scratch, 0, sizeof(scratch));
OPENSSL_memcpy(scratch, &ad[ad_len & ~15], ad_len & 15);
CRYPTO_POLYVAL_update_blocks(&polyval_ctx, scratch, sizeof(scratch));
}
CRYPTO_POLYVAL_update_blocks(&polyval_ctx, in, in_len & ~15);
if (in_len & 15) {
OPENSSL_memset(scratch, 0, sizeof(scratch));
OPENSSL_memcpy(scratch, &in[in_len & ~15], in_len & 15);
CRYPTO_POLYVAL_update_blocks(&polyval_ctx, scratch, sizeof(scratch));
}
union {
uint8_t c[16];
struct {
uint64_t ad;
uint64_t in;
} bitlens;
} length_block;
length_block.bitlens.ad = ad_len * 8;
length_block.bitlens.in = in_len * 8;
CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block.c,
sizeof(length_block));
CRYPTO_POLYVAL_finish(&polyval_ctx, out_tag);
out_tag[15] &= 0x7f;
}
/* gcm_siv_record_keys contains the keys used for a specific GCM-SIV record. */
struct gcm_siv_record_keys {
uint8_t auth_key[16];
union {
double align;
AES_KEY ks;
} enc_key;
block128_f enc_block;
};
/* gcm_siv_keys calculates the keys for a specific GCM-SIV record with the
* given nonce and writes them to |*out_keys|. */
static void gcm_siv_keys(
const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx,
struct gcm_siv_record_keys *out_keys,
const uint8_t nonce[EVP_AEAD_AES_GCM_SIV_TAG_LEN]) {
const AES_KEY *const key = &gcm_siv_ctx->ks.ks;
gcm_siv_ctx->kgk_block(nonce, out_keys->auth_key, key);
if (gcm_siv_ctx->is_256) {
uint8_t record_enc_key[32];
gcm_siv_ctx->kgk_block(out_keys->auth_key, record_enc_key + 16, key);
gcm_siv_ctx->kgk_block(record_enc_key + 16, record_enc_key, key);
aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block,
record_enc_key, sizeof(record_enc_key));
} else {
uint8_t record_enc_key[16];
gcm_siv_ctx->kgk_block(out_keys->auth_key, record_enc_key, key);
aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block,
record_enc_key, sizeof(record_enc_key));
}
}
static int aead_aes_gcm_siv_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *nonce, size_t nonce_len,
const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len) {
const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;
const uint64_t in_len_64 = in_len;
const uint64_t ad_len_64 = ad_len;
if (in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN < in_len ||
in_len_64 > (UINT64_C(1) << 36) ||
ad_len_64 >= (UINT64_C(1) << 61)) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
if (max_out_len < in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
if (nonce_len != AES_BLOCK_SIZE) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);
return 0;
}
struct gcm_siv_record_keys keys;
gcm_siv_keys(gcm_siv_ctx, &keys, nonce);
uint8_t tag[16];
gcm_siv_polyval(tag, in, in_len, ad, ad_len, keys.auth_key);
keys.enc_block(tag, tag, &keys.enc_key.ks);
gcm_siv_crypt(out, in, in_len, tag, keys.enc_block, &keys.enc_key.ks);
OPENSSL_memcpy(&out[in_len], tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN);
*out_len = in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN;
return 1;
}
static int aead_aes_gcm_siv_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
size_t *out_len, size_t max_out_len,
const uint8_t *nonce, size_t nonce_len,
const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len) {
const uint64_t ad_len_64 = ad_len;
if (ad_len_64 >= (UINT64_C(1) << 61)) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
return 0;
}
const uint64_t in_len_64 = in_len;
if (in_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN ||
in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
}
const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx = ctx->aead_state;
const size_t plaintext_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN;
if (max_out_len < plaintext_len) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
return 0;
}
struct gcm_siv_record_keys keys;
gcm_siv_keys(gcm_siv_ctx, &keys, nonce);
gcm_siv_crypt(out, in, plaintext_len, &in[plaintext_len], keys.enc_block,
&keys.enc_key.ks);
uint8_t expected_tag[EVP_AEAD_AES_GCM_SIV_TAG_LEN];
gcm_siv_polyval(expected_tag, out, plaintext_len, ad, ad_len, keys.auth_key);
keys.enc_block(expected_tag, expected_tag, &keys.enc_key.ks);
if (CRYPTO_memcmp(expected_tag, &in[plaintext_len], sizeof(expected_tag)) !=
0) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
return 0;
}
*out_len = plaintext_len;
return 1;
}
static const EVP_AEAD aead_aes_128_gcm_siv = {
16, /* key length */
AES_BLOCK_SIZE, /* nonce length */
EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
aead_aes_gcm_siv_init,
NULL /* init_with_direction */,
aead_aes_gcm_siv_cleanup,
aead_aes_gcm_siv_seal,
aead_aes_gcm_siv_open,
NULL /* get_iv */,
};
static const EVP_AEAD aead_aes_256_gcm_siv = {
32, /* key length */
AES_BLOCK_SIZE, /* nonce length */
EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* overhead */
EVP_AEAD_AES_GCM_SIV_TAG_LEN, /* max tag length */
aead_aes_gcm_siv_init,
NULL /* init_with_direction */,
aead_aes_gcm_siv_cleanup,
aead_aes_gcm_siv_seal,
aead_aes_gcm_siv_open,
NULL /* get_iv */,
};
const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void) {
return &aead_aes_128_gcm_siv;
}
const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) {
return &aead_aes_256_gcm_siv;
}
#endif /* !OPENSSL_SMALL */
int EVP_has_aes_hardware(void) {
#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
return aesni_capable() && crypto_gcm_clmul_enabled();
crypto/cipher/e_chacha20poly1305.c
+7 -7
View File
@@ -55,7 +55,7 @@ static int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,
return 0;
}
OPENSSL_memcpy(c20_ctx->key, key, key_len);
memcpy(c20_ctx->key, key, key_len);
c20_ctx->tag_len = tag_len;
ctx->aead_state = c20_ctx;
@@ -94,7 +94,7 @@ static void aead_poly1305(aead_poly1305_update update,
size_t ad_len, const uint8_t *ciphertext,
size_t ciphertext_len) {
alignas(16) uint8_t poly1305_key[32];
OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));
memset(poly1305_key, 0, sizeof(poly1305_key));
CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key),
c20_ctx->key, nonce, 0);
poly1305_state ctx;
@@ -137,7 +137,7 @@ static int seal_impl(aead_poly1305_update poly1305_update,
alignas(16) uint8_t tag[POLY1305_TAG_LEN];
aead_poly1305(poly1305_update, tag, c20_ctx, nonce, ad, ad_len, out, in_len);
OPENSSL_memcpy(out + in_len, tag, c20_ctx->tag_len);
memcpy(out + in_len, tag, c20_ctx->tag_len);
*out_len = in_len + c20_ctx->tag_len;
return 1;
}
@@ -261,8 +261,8 @@ static int aead_chacha20_poly1305_old_seal(
return 0;
}
uint8_t nonce_96[12];
OPENSSL_memset(nonce_96, 0, 4);
OPENSSL_memcpy(nonce_96 + 4, nonce, 8);
memset(nonce_96, 0, 4);
memcpy(nonce_96 + 4, nonce, 8);
return seal_impl(poly1305_update_old, ctx, out, out_len, max_out_len,
nonce_96, in, in_len, ad, ad_len);
}
@@ -276,8 +276,8 @@ static int aead_chacha20_poly1305_old_open(
return 0;
}
uint8_t nonce_96[12];
OPENSSL_memset(nonce_96, 0, 4);
OPENSSL_memcpy(nonce_96 + 4, nonce, 8);
memset(nonce_96, 0, 4);
memcpy(nonce_96 + 4, nonce, 8);
return open_impl(poly1305_update_old, ctx, out, out_len, max_out_len,
nonce_96, in, in_len, ad, ad_len);
}
crypto/cipher/e_null.c
+1 -2
View File
@@ -60,7 +60,6 @@
#include <openssl/nid.h>
#include "../internal.h"
#include "internal.h"
@@ -72,7 +71,7 @@ static int null_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
static int null_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
const uint8_t *in, size_t in_len) {
if (in != out) {
OPENSSL_memcpy(out, in, in_len);
memcpy(out, in, in_len);
}
return 1;
}
crypto/cipher/e_rc2.c
+46 -51
View File
@@ -60,68 +60,63 @@
#include "internal.h"
#define c2l(c, l) \
do { \
(l) = ((uint32_t)(*((c)++))); \
(l) |= ((uint32_t)(*((c)++))) << 8L; \
(l) |= ((uint32_t)(*((c)++))) << 16L; \
(l) |= ((uint32_t)(*((c)++))) << 24L; \
} while (0)
#define c2l(c, l) \
(l = ((uint32_t)(*((c)++))), l |= ((uint32_t)(*((c)++))) << 8L, \
l |= ((uint32_t)(*((c)++))) << 16L, \
l |= ((uint32_t)(*((c)++))) << 24L)
#define c2ln(c, l1, l2, n) \
do { \
(c) += (n); \
(l1) = (l2) = 0; \
switch (n) { \
case 8: \
(l2) = ((uint32_t)(*(--(c)))) << 24L; \
case 7: \
(l2) |= ((uint32_t)(*(--(c)))) << 16L; \
case 6: \
(l2) |= ((uint32_t)(*(--(c)))) << 8L; \
case 5: \
(l2) |= ((uint32_t)(*(--(c)))); \
case 4: \
(l1) = ((uint32_t)(*(--(c)))) << 24L; \
case 3: \
(l1) |= ((uint32_t)(*(--(c)))) << 16L; \
case 2: \
(l1) |= ((uint32_t)(*(--(c)))) << 8L; \
case 1: \
(l1) |= ((uint32_t)(*(--(c)))); \
} \
} while (0)
#define c2ln(c, l1, l2, n) \
{ \
c += n; \
l1 = l2 = 0; \
switch (n) { \
case 8: \
l2 = ((uint32_t)(*(--(c)))) << 24L; \
case 7: \
l2 |= ((uint32_t)(*(--(c)))) << 16L; \
case 6: \
l2 |= ((uint32_t)(*(--(c)))) << 8L; \
case 5: \
l2 |= ((uint32_t)(*(--(c)))); \
case 4: \
l1 = ((uint32_t)(*(--(c)))) << 24L; \
case 3: \
l1 |= ((uint32_t)(*(--(c)))) << 16L; \
case 2: \
l1 |= ((uint32_t)(*(--(c)))) << 8L; \
case 1: \
l1 |= ((uint32_t)(*(--(c)))); \
} \
}
#define l2c(l, c) \
do { \
*((c)++) = (uint8_t)(((l)) & 0xff); \
*((c)++) = (uint8_t)(((l) >> 8L) & 0xff); \
*((c)++) = (uint8_t)(((l) >> 16L) & 0xff); \
*((c)++) = (uint8_t)(((l) >> 24L) & 0xff); \
} while (0)
#define l2c(l, c) \
(*((c)++) = (uint8_t)(((l)) & 0xff), \
*((c)++) = (uint8_t)(((l) >> 8L) & 0xff), \
*((c)++) = (uint8_t)(((l) >> 16L) & 0xff), \
*((c)++) = (uint8_t)(((l) >> 24L) & 0xff))
#define l2cn(l1, l2, c, n) \
do { \
(c) += (n); \
switch (n) { \
case 8: \
#define l2cn(l1, l2, c, n) \
{ \
c += n; \
switch (n) { \
case 8: \
*(--(c)) = (uint8_t)(((l2) >> 24L) & 0xff); \
case 7: \
case 7: \
*(--(c)) = (uint8_t)(((l2) >> 16L) & 0xff); \
case 6: \
case 6: \
*(--(c)) = (uint8_t)(((l2) >> 8L) & 0xff); \
case 5: \
case 5: \
*(--(c)) = (uint8_t)(((l2)) & 0xff); \
case 4: \
case 4: \
*(--(c)) = (uint8_t)(((l1) >> 24L) & 0xff); \
case 3: \
case 3: \
*(--(c)) = (uint8_t)(((l1) >> 16L) & 0xff); \
case 2: \
case 2: \
*(--(c)) = (uint8_t)(((l1) >> 8L) & 0xff); \
case 1: \
case 1: \
*(--(c)) = (uint8_t)(((l1)) & 0xff); \
} \
} while (0)
} \
}
typedef struct rc2_key_st { uint16_t data[64]; } RC2_KEY;
crypto/cipher/e_ssl3.c
+3 -4
View File
@@ -25,7 +25,6 @@
#include <openssl/sha.h>
#include "internal.h"
#include "../internal.h"
typedef struct {
@@ -50,7 +49,7 @@ static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
uint8_t pad[48];
uint8_t tmp[EVP_MAX_MD_SIZE];
OPENSSL_memset(pad, 0x36, pad_len);
memset(pad, 0x36, pad_len);
if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
!EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
!EVP_DigestUpdate(&md_ctx, ad, ad_len) ||
@@ -61,7 +60,7 @@ static int ssl3_mac(AEAD_SSL3_CTX *ssl3_ctx, uint8_t *out, unsigned *out_len,
return 0;
}
OPENSSL_memset(pad, 0x5c, pad_len);
memset(pad, 0x5c, pad_len);
if (!EVP_MD_CTX_copy_ex(&md_ctx, &ssl3_ctx->md_ctx) ||
!EVP_DigestUpdate(&md_ctx, pad, pad_len) ||
!EVP_DigestUpdate(&md_ctx, tmp, md_size) ||
@@ -189,7 +188,7 @@ static int aead_ssl3_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
/* Compute padding and feed that into the cipher. */
uint8_t padding[256];
unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
OPENSSL_memset(padding, 0, padding_len - 1);
memset(padding, 0, padding_len - 1);
padding[padding_len - 1] = padding_len - 1;
if (!EVP_EncryptUpdate(&ssl3_ctx->cipher_ctx, out + total, &len, padding,
(int)padding_len)) {
crypto/cipher/e_tls.c
+5 -5
View File
@@ -80,7 +80,7 @@ static int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,
EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);
HMAC_CTX_init(&tls_ctx->hmac_ctx);
assert(mac_key_len <= EVP_MAX_MD_SIZE);
OPENSSL_memcpy(tls_ctx->mac_key, key, mac_key_len);
memcpy(tls_ctx->mac_key, key, mac_key_len);
tls_ctx->mac_key_len = (uint8_t)mac_key_len;
tls_ctx->implicit_iv = implicit_iv;
@@ -182,7 +182,7 @@ static int aead_tls_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,
/* Compute padding and feed that into the cipher. */
uint8_t padding[256];
unsigned padding_len = block_size - ((in_len + mac_len) % block_size);
OPENSSL_memset(padding, padding_len - 1, padding_len);
memset(padding, padding_len - 1, padding_len);
if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out + total, &len, padding,
(int)padding_len)) {
return 0;
@@ -262,7 +262,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
/* Remove CBC padding. Code from here on is timing-sensitive with respect to
* |padding_ok| and |data_plus_mac_len| for CBC ciphers. */
unsigned padding_ok, data_plus_mac_len;
unsigned padding_ok, data_plus_mac_len, data_len;
if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {
if (!EVP_tls_cbc_remove_padding(
&padding_ok, &data_plus_mac_len, out, total,
@@ -279,7 +279,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
* already been checked against the MAC size at the top of the function. */
assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));
}
unsigned data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);
/* At this point, if the padding is valid, the first |data_plus_mac_len| bytes
* after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is
@@ -288,7 +288,7 @@ static int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
/* To allow for CBC mode which changes cipher length, |ad| doesn't include the
* length for legacy ciphers. */
uint8_t ad_fixed[13];
OPENSSL_memcpy(ad_fixed, ad, 11);
memcpy(ad_fixed, ad, 11);
ad_fixed[11] = (uint8_t)(data_len >> 8);
ad_fixed[12] = (uint8_t)(data_len & 0xff);
ad_len += 2;
crypto/cipher/test/aes_128_gcm_siv_tests.txt
-245
View File
@@ -1,245 +0,0 @@
# This is the example from
# https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#section-8
KEY: ee8e1ed9ff2540ae8f2ba9f50bc2f27c
NONCE: 752abad3e0afb5f434dc4310f71f3d21
IN: "Hello world"
AD: "example"
CT: 810649724764545b3625ff
TAG: 010a10f4942710781d2948ac0192572f
# Test vectors from
# https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#appendix-B
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN:
AD:
CT:
TAG: cb52de357fad226ae428d0ed5a575496
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0100000000000000
AD:
CT: 7e139f58002d68ee
TAG: 715835541f2136f03b6dc80ae0a8ac46
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 010000000000000000000000
AD:
CT: 4a87f0cd26e5d5086e90da02
TAG: 4dff905e48d512e9c34ae8f3be66ec43
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 01000000000000000000000000000000
AD:
CT: 048ca58c46d2368ce00132389f40b511
TAG: 971da9aa385283522c4f67a9aedb37e5
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0100000000000000000000000000000002000000000000000000000000000000
AD:
CT: e1cf1cf545d2743ec005b26bd2c836ac1a4233d646c195ffa401f28063127baa
TAG: 1071338b8c2930d3ec4c17cecbefa4b4
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000
AD:
CT: 2e7e6881a02d57b877794b2fbfbfef5484f1cf74f4ad53a751b2582c0e698466bd9a49dcab53806d8e31d864c4632d00
TAG: 04b1b8a9c1630ff028b14d2e57bca429
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
AD:
CT: 0ac5be860726209d9218de3e9d533743e1efe1595bc58f93f00e9bb9a7558dc1e1b14a9c0d49eb5064c7efa79842f9c7cfdd77614709f0b545d3227498e774d5
TAG: 860b73a1ed8a5b9acd925c3f3f49c5c5
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0200000000000000
AD: 01
CT: 4919e29e9890e452
TAG: 1433a5c0284c911163888dbd128e6874
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 020000000000000000000000
AD: 01
CT: db55d6da719fe0473538294e
TAG: 5a8ab948ccd205a70c78e8fdf954693b
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000000000000000000000000000
AD: 01
CT: aea3c54272abc1b58ed34a536743f4da
TAG: da10d98bfe23784cfdfd0af97b6d5b78
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0200000000000000000000000000000003000000000000000000000000000000
AD: 01
CT: aa694c0cfe148100cb5c6e27a77a7ff7b4233d6af251d9faa3d84f7c0d1113f1
TAG: 778c5b68356a1a6a6f3c14a8f96c35ca
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
AD: 01
CT: 9ac909928bcde79c2afa885df9c035c85a9eab136f6f6ea11034456bd306ea3c5dd542f706fffe538b5f139fa9dc622e
TAG: 26c0c0d146d38787ca0fcbc3f911577a
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000
AD: 01
CT: c56be9d61ecf6a31a6289cddc9b91aaf84cdb53a3913b825d6eb5e157906dfb0a308c6b0b095d6fd1a5b761ca7fa0e39ca92f38ae206eec844c0c4ab0c1c165e
TAG: a60986309b99431a35dd8c5ebeef8375
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000
AD: 010000000000000000000000
CT: 47995b96
TAG: 16b668094202cadde992e0c16205793c
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0300000000000000000000000000000004000000
AD: 010000000000000000000000000000000200
CT: 8fe25de75089e9f849150e57ab7f7810981cd319
TAG: 89ca91ebc560709432fe9496746404cc
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 030000000000000000000000000000000400
AD: 0100000000000000000000000000000002000000
CT: b26d43ae158316ac37f41579ccf1d461274e
TAG: 13b7c01d08dd6969d51d1bf0fbbdc4d2
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN:
AD:
CT:
TAG: cb52de357fad226ae428d0ed5a575496
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0100000000000000
AD:
CT: 7e139f58002d68ee
TAG: 715835541f2136f03b6dc80ae0a8ac46
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 010000000000000000000000
AD:
CT: 4a87f0cd26e5d5086e90da02
TAG: 4dff905e48d512e9c34ae8f3be66ec43
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 01000000000000000000000000000000
AD:
CT: 048ca58c46d2368ce00132389f40b511
TAG: 971da9aa385283522c4f67a9aedb37e5
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0100000000000000000000000000000002000000000000000000000000000000
AD:
CT: e1cf1cf545d2743ec005b26bd2c836ac1a4233d646c195ffa401f28063127baa
TAG: 1071338b8c2930d3ec4c17cecbefa4b4
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000
AD:
CT: 2e7e6881a02d57b877794b2fbfbfef5484f1cf74f4ad53a751b2582c0e698466bd9a49dcab53806d8e31d864c4632d00
TAG: 04b1b8a9c1630ff028b14d2e57bca429
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
AD:
CT: 0ac5be860726209d9218de3e9d533743e1efe1595bc58f93f00e9bb9a7558dc1e1b14a9c0d49eb5064c7efa79842f9c7cfdd77614709f0b545d3227498e774d5
TAG: 860b73a1ed8a5b9acd925c3f3f49c5c5
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0200000000000000
AD: 01
CT: 4919e29e9890e452
TAG: 1433a5c0284c911163888dbd128e6874
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 020000000000000000000000
AD: 01
CT: db55d6da719fe0473538294e
TAG: 5a8ab948ccd205a70c78e8fdf954693b
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000000000000000000000000000
AD: 01
CT: aea3c54272abc1b58ed34a536743f4da
TAG: da10d98bfe23784cfdfd0af97b6d5b78
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0200000000000000000000000000000003000000000000000000000000000000
AD: 01
CT: aa694c0cfe148100cb5c6e27a77a7ff7b4233d6af251d9faa3d84f7c0d1113f1
TAG: 778c5b68356a1a6a6f3c14a8f96c35ca
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
AD: 01
CT: 9ac909928bcde79c2afa885df9c035c85a9eab136f6f6ea11034456bd306ea3c5dd542f706fffe538b5f139fa9dc622e
TAG: 26c0c0d146d38787ca0fcbc3f911577a
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000
AD: 01
CT: c56be9d61ecf6a31a6289cddc9b91aaf84cdb53a3913b825d6eb5e157906dfb0a308c6b0b095d6fd1a5b761ca7fa0e39ca92f38ae206eec844c0c4ab0c1c165e
TAG: a60986309b99431a35dd8c5ebeef8375
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000
AD: 010000000000000000000000
CT: 47995b96
TAG: 16b668094202cadde992e0c16205793c
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0300000000000000000000000000000004000000
AD: 010000000000000000000000000000000200
CT: 8fe25de75089e9f849150e57ab7f7810981cd319
TAG: 89ca91ebc560709432fe9496746404cc
KEY: 01000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 030000000000000000000000000000000400
AD: 0100000000000000000000000000000002000000
CT: b26d43ae158316ac37f41579ccf1d461274e
TAG: 13b7c01d08dd6969d51d1bf0fbbdc4d2
# Sample large random test vector.
KEY: ee0f62a965fa640d1c95d79b215dca71
NONCE: 7df5a22c91e6b6f37594dfef54847bd9
IN: 5d90037e677666fbc0215305096301d852609e1380992d8c2e3594344a7f9a0521fdeda53de07d3184d590667fc7151a93ba097f20c67da0b1da8c23bd05887a4b66ab50333874819035eafd775fcfa86b380968f15d8cd46483d418b2c074f0dc18407108f63abe89c5448e83d064b6544a275dd75a21dd0241dafa086beb8446f398f6c1b2b117ad6f2cdb04031640852b5e15560d39b8d9088824f728ae66b2214e4cd70f60174313a5f0286741caeb4b66d0513b63c4a1325306f79f1f79bb28ccf6448fa3160876eefd85ca03c196a3e5568b0f3c818e7cf9d661423ed6a50a6911d52217a1b81e94ba040f336e74ac71b33964c3a7d960a32c255e22fcb7dcc41b9b136815b784ce4015b61b55e305e2ab1f96d17b561eb0281476cbaec54e942a186fbf3df92358960182c3c034066364e80fa492b36d36ee68f2738220f249a69f24405fe9995dab0b0b338ee68d85f0e59870903ca9d02f32ee6a24efc85434610586470b938daa9d14206c360339f7ec50857f4e5075a29bb51720d9a6f399f7b8bd45b402b0eed8f6e427d5dd358a0c3f10a58582be8934ebd7903497cc6622a977d6045f97a58f5ed7a3470583ebf88f71150499047e4b624f8018cffaca0d5a9db7f73da2db6770c98cd628d2d6682a4c41d584f37ea0ff7e8763616a548027e29cb3ec3e02a82eab205f7af46b6c9b02a15de54fc301a9845d50396cf3826b23296c360fafbaf65e5f48c4998085d7dac07736b106a8bb1e8e69dca15464d1bf156a5f84b62170f680826dcca7bf1c126cdb70dc872a005806d423cee46ab0d84d2d8d490c8eaec8b17b12913d4856c59f5348c6956c96a32595eef8c89ee5ae99706c92e748714dae4ae45685710261cd66d3ef93ed01bb862bfeb3b4fb5074ffec5517c8845173fde2774cd3b5a25cc1dc11d833c29614b7272bf213aeb19f83603aee97a9bc43e8b88c8789c520f634028cce2b0be343e74c8c341a153a36f797f38a4ebb53589e45f1e64299fedd2e9bbdeb9ad9ab4e2eccb4bd2b57000a5d7b064e6b6fb5cb9c743d6afe697bac549ade238c7a3a094e799e9c7e6cef6e6d4b8c8f1d862bc8ab9b96238c7d5393b2f684c5b4826df6c5f48cadb43fd6d6cb189ca56125bfee9dd44d22a2e28d7a9e63565321c9ecad96b3ae7376c984c44cab978002ff78d947230fe15918b3a73232ff5c05586c4b0e2e0d737be6abef80414b008ad2deea1944a4248f02063500a9276217ceabeca39ec4d6af647395a9c91401dcbe8f9645ef97eca5624029f942cc9979fd31636d65ed181a65763c5c16e65f8673a3cc6143ede8144d894559dedfac3000e8d86590b0ced25dd8666d71f237fd3511d7f8a20dbb4e95e3aca9807a2351bf705a7eec5a80f2b390ef9df496c5cd7ca9f5d8846df291025beb9781c793613efe7798
AD: 4b7531e0a946b20c80f70dea4d437833f3dd26ae6f6dc37b7b99e82122acf2b7975f6d8efcb7ec4c6ff3c0ce4a5864adba0e658aeb8d9b839f3509f033827bc69a1ab080a0a1cc63559b00a3a259c53c145b0282f5e56930fc35b11c83b6564f2e80f186c2ef2e8886641fe6c4966dc9f86c567e73902d1a8fc33be1551e8359aa585bd2b8da83c0cd78a086cdebf8904d1b66a2fee176fa19714f062b752653d75a0e441ff7fba0c5a0cb6ded48f68b38af82faa985f9d97ba3c0978e1d23d8eb8899072fbec9379ca5f2b91293cb57eac81a6d711f9cccb36ff16b0de86d27d62e136ddbc1a2be38d5a1284e4620f4f9ab1f16729630e16dd2901f24f5ad6e
CT: 1b5a273ee4e1f87516bb711bd97c559fd5139286d90d3f64813f88c697ff448c7ce57ff3a2b70479c0f904f0c6de92234ef72b4ad62038a32108804042e07ad94e49a327bd28f1c49786c2b1537392c582031f52e3bd27336dab9d237ce47ffd0c8002b60b1055226cf28c6d99be0e4f75afb72c6953ffa0b033f74304efe19601d34dfda29874efdc9ebfa74c9d55c7273561c46b7cd4d631ab05ca7172111c13f0703ff9cec063988b7bf1bd9557b8d8a914162d2f31113f1682e951acaba4a314aabf901bdc5117184109fca1cecfe552f2e7d003eab51ceb992c2bb11245e1cd7e230398a3d18bab59c9acf033bde779166bfd3f98792902f84e4ef32cf5f410af2cec9cbe67ebb28f3fceb497abf4b1c240cab4852d840de9dec20f0e21853be6227784beee276ea3a4c6092654f7d62af614e5ea976791195415befa1f4a9d77c35a84b0d54b5eb1e00f55bbafac209468532b18d020e16798256aab9ea3989d876822cc68135ee103169962965a9383b2cff70213f9c52bcf2441e7b8ec07bee0c225be5353bcfe6d9ff546d30889813a13e1e966028dd80ec096202a26e478278af8b15bcf29137d536658d51293c6cfecde110e5b17ec39ce5317db5a03a1919f52f89ceeec0b5f48875e9692501b34303110e52ef4ea96d98cc28ab6e9ca24a8bb124629ac480b06fa8321b5712f2ae22e750848404ac20232716e195b343adebb52234cbc002c602574a7fbad638c1a7201eb38d4404b3d672119617e1190402b57568ee1e776ba18087164ddfbbf77f26ae5ee229ef101f10306f6449920b08d4e46bb2039d4777319547d7b4ef32e61c3cc897bc36cc2d5983c63e38814276a28125468112b646b877bbe2d206e578a8fd402be6d963b1d79c8b14dbca801bb92d7217cb7375d5e126702270158c89db653f1ee34e1c1ca066fe854532a36b74d36d9bc077506349a4cb8143dca1be3241f64cdc410c4d362982500aeea2a12172ccac996a333a2bff5393e0be9bcb93ca0fd62a22f0f72618325e233b42214ce8683c57dcf3113edbc5102e84b265aa031e26ec5fa18b1a7fa72358072d47b85e045cd52541e49b94d74fb21bb19725675c0d014ca8f8219c26cb8158f5d84b2cafb0474b2b39cb7f21c3320b5cbd57cff7133243a462e492de6340ee7d60ef888d639ca50380529f09b9eb279c49ad04662b7ec4f579fcec011790f18b2c0ad081eaf2be13d6f6a5969db46d56df9daea2cb332e719135109fd1d7caa84af315c0054f37177312c01a9f3f05a6e9bca719f906d1e8af7fdc24a3677c922f435e6e4c069073ea779c2b74c98f9374f5a38961a4354e74803f0f4042b91fb82a0c593c13f9ff720a70136d0b108acdb762a08f98a222f48c2858c0cc9a27edc9e79fe0f71ebe2940c60a279476975926eab478685ebf8a74705
TAG: 6f5223329c07cbf6b038d307cbb8a719
crypto/cipher/test/aes_128_key_wrap_tests.txt
+9
View File
@@ -0,0 +1,9 @@
# These test vectors have been taken from
# http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
KEY: 000102030405060708090A0B0C0D0E0F
NONCE:
IN: 00112233445566778899AABBCCDDEEFF
AD:
CT: 1FA68B0A8112B447AEF34BD8FB5A7B82
TAG: 9D3E862371D2CFE5
crypto/cipher/test/aes_256_gcm_siv_tests.txt
-235
View File
@@ -1,235 +0,0 @@
# Test vectors from
# https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02#appendix-B
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN:
AD:
CT:
TAG: eb7ccf36eeff369241379c87cc08e4f0
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0100000000000000
AD:
CT: ab3f382a6f0fb4c3
TAG: a0a69e07b73281f5cdfd034f646cfa08
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 010000000000000000000000
AD:
CT: be8d81f033ca23b953da2197
TAG: cdf3ba70da9c7cbd45f5140ba0cca9f1
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 01000000000000000000000000000000
AD:
CT: 46e05b7116dbe27aaeffe99892194072
TAG: be19d78991c62130cf97f628c37c3eaa
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0100000000000000000000000000000002000000000000000000000000000000
AD:
CT: 23ddbe9ef342b03003f56d6b4a2e8aff035c7d7cfd705e1ab4502904254bb67a
TAG: 16c5944034050657af7c0fec7efbc40f
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000
AD:
CT: b104c8945f280e75b52c05c45a63d1872c7f0552b1501968d9913d71207d0433f978f1a3eecdf782016b77e8c9d3ff53
TAG: abedb4841c20f3b05e61e0fd1fcaf3d0
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
AD:
CT: e3f2bd14f4c80c9cea4c90c81f0e4d7eedb87eb19a7c0cf5a5a95cd3e441a71083b1191d115e9a9ff008b93feeb5a86d012a3e0adb89de2d1e3225479022292f
TAG: 3ced67f5e03bb476a738c1343926dc19
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0200000000000000
AD: 01
CT: 4dca2c16c3b0413c
TAG: ac9b952c76a6f8b5df315f88126daa1c
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 020000000000000000000000
AD: 01
CT: ee0ca9068b5b85dfe115a660
TAG: 756d6155927271077d790a05390ecb71
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000000000000000000000000000
AD: 01
CT: 590edb785c0cb89d19f031fa7e7d4f91
TAG: ac2c8f711c86dbecc8c7b663c5fbc1ea
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0200000000000000000000000000000003000000000000000000000000000000
AD: 01
CT: dcf2024f5f98d463b82a8673c47dd82159748cac8bcc7c76b8cfa26029cb333c
TAG: a9b406643e190e602fb104fbb842a1ac
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
AD: 01
CT: 79216506b1ddadfe16366e4ec886d10dc9400b995259f74c0091f9b5a6add5680a612130f6c31ab833aa76d9b2be86de
TAG: 3ddfe9ad2c350980942638d3f954ac6d
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000
AD: 01
CT: 9535eb67240c49f30a0de5a90670813fa615e71fcb4c522ca79d9a33459a22f8c6a56d650bf0b15eecdd706e7689cf6510a281724613fea76b5366b40574b1b9
TAG: abcb59ee31d25ee8889b70d7c36f9a41
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000
AD: 010000000000000000000000
CT: 9611baa0
TAG: 53daf2bc5916f7a6750f2432068dabee
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0300000000000000000000000000000004000000
AD: 010000000000000000000000000000000200
CT: 78e3a1b54daa6547f775f30c38a45e887aea5c87
TAG: f65187d8c28adba364d659b627b16431
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 030000000000000000000000000000000400
AD: 0100000000000000000000000000000002000000
CT: c6d3d28704bf20067d62e1a3872d40dda44b
TAG: 6ac0135a4379dbc67967ff55fd4d1f2f
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN:
AD:
CT:
TAG: eb7ccf36eeff369241379c87cc08e4f0
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0100000000000000
AD:
CT: ab3f382a6f0fb4c3
TAG: a0a69e07b73281f5cdfd034f646cfa08
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 010000000000000000000000
AD:
CT: be8d81f033ca23b953da2197
TAG: cdf3ba70da9c7cbd45f5140ba0cca9f1
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 01000000000000000000000000000000
AD:
CT: 46e05b7116dbe27aaeffe99892194072
TAG: be19d78991c62130cf97f628c37c3eaa
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0100000000000000000000000000000002000000000000000000000000000000
AD:
CT: 23ddbe9ef342b03003f56d6b4a2e8aff035c7d7cfd705e1ab4502904254bb67a
TAG: 16c5944034050657af7c0fec7efbc40f
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 010000000000000000000000000000000200000000000000000000000000000003000000000000000000000000000000
AD:
CT: b104c8945f280e75b52c05c45a63d1872c7f0552b1501968d9913d71207d0433f978f1a3eecdf782016b77e8c9d3ff53
TAG: abedb4841c20f3b05e61e0fd1fcaf3d0
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 01000000000000000000000000000000020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
AD:
CT: e3f2bd14f4c80c9cea4c90c81f0e4d7eedb87eb19a7c0cf5a5a95cd3e441a71083b1191d115e9a9ff008b93feeb5a86d012a3e0adb89de2d1e3225479022292f
TAG: 3ced67f5e03bb476a738c1343926dc19
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0200000000000000
AD: 01
CT: 4dca2c16c3b0413c
TAG: ac9b952c76a6f8b5df315f88126daa1c
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 020000000000000000000000
AD: 01
CT: ee0ca9068b5b85dfe115a660
TAG: 756d6155927271077d790a05390ecb71
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000000000000000000000000000
AD: 01
CT: 590edb785c0cb89d19f031fa7e7d4f91
TAG: ac2c8f711c86dbecc8c7b663c5fbc1ea
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0200000000000000000000000000000003000000000000000000000000000000
AD: 01
CT: dcf2024f5f98d463b82a8673c47dd82159748cac8bcc7c76b8cfa26029cb333c
TAG: a9b406643e190e602fb104fbb842a1ac
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 020000000000000000000000000000000300000000000000000000000000000004000000000000000000000000000000
AD: 01
CT: 79216506b1ddadfe16366e4ec886d10dc9400b995259f74c0091f9b5a6add5680a612130f6c31ab833aa76d9b2be86de
TAG: 3ddfe9ad2c350980942638d3f954ac6d
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000000000000000000000000000030000000000000000000000000000000400000000000000000000000000000005000000000000000000000000000000
AD: 01
CT: 9535eb67240c49f30a0de5a90670813fa615e71fcb4c522ca79d9a33459a22f8c6a56d650bf0b15eecdd706e7689cf6510a281724613fea76b5366b40574b1b9
TAG: abcb59ee31d25ee8889b70d7c36f9a41
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 02000000
AD: 010000000000000000000000
CT: 9611baa0
TAG: 53daf2bc5916f7a6750f2432068dabee
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 0300000000000000000000000000000004000000
AD: 010000000000000000000000000000000200
CT: 78e3a1b54daa6547f775f30c38a45e887aea5c87
TAG: f65187d8c28adba364d659b627b16431
KEY: 0100000000000000000000000000000000000000000000000000000000000000
NONCE: 03000000000000000000000000000000
IN: 030000000000000000000000000000000400
AD: 0100000000000000000000000000000002000000
CT: c6d3d28704bf20067d62e1a3872d40dda44b
TAG: 6ac0135a4379dbc67967ff55fd4d1f2f
# Sample large random test vector.
KEY: 83475d5042f8baedf4ca779088abfab17d35416a767d8c42c2a650cc597e5004
NONCE: 7df5a22c91e6b6f37594dfef54847bd9
IN: 5d90037e677666fbc0215305096301d852609e1380992d8c2e3594344a7f9a0521fdeda53de07d3184d590667fc7151a93ba097f20c67da0b1da8c23bd05887a4b66ab50333874819035eafd775fcfa86b380968f15d8cd46483d418b2c074f0dc18407108f63abe89c5448e83d064b6544a275dd75a21dd0241dafa086beb8446f398f6c1b2b117ad6f2cdb04031640852b5e15560d39b8d9088824f728ae66b2214e4cd70f60174313a5f0286741caeb4b66d0513b63c4a1325306f79f1f79bb28ccf6448fa3160876eefd85ca03c196a3e5568b0f3c818e7cf9d661423ed6a50a6911d52217a1b81e94ba040f336e74ac71b33964c3a7d960a32c255e22fcb7dcc41b9b136815b784ce4015b61b55e305e2ab1f96d17b561eb0281476cbaec54e942a186fbf3df92358960182c3c034066364e80fa492b36d36ee68f2738220f249a69f24405fe9995dab0b0b338ee68d85f0e59870903ca9d02f32ee6a24efc85434610586470b938daa9d14206c360339f7ec50857f4e5075a29bb51720d9a6f399f7b8bd45b402b0eed8f6e427d5dd358a0c3f10a58582be8934ebd7903497cc6622a977d6045f97a58f5ed7a3470583ebf88f71150499047e4b624f8018cffaca0d5a9db7f73da2db6770c98cd628d2d6682a4c41d584f37ea0ff7e8763616a548027e29cb3ec3e02a82eab205f7af46b6c9b02a15de54fc301a9845d50396cf3826b23296c360fafbaf65e5f48c4998085d7dac07736b106a8bb1e8e69dca15464d1bf156a5f84b62170f680826dcca7bf1c126cdb70dc872a005806d423cee46ab0d84d2d8d490c8eaec8b17b12913d4856c59f5348c6956c96a32595eef8c89ee5ae99706c92e748714dae4ae45685710261cd66d3ef93ed01bb862bfeb3b4fb5074ffec5517c8845173fde2774cd3b5a25cc1dc11d833c29614b7272bf213aeb19f83603aee97a9bc43e8b88c8789c520f634028cce2b0be343e74c8c341a153a36f797f38a4ebb53589e45f1e64299fedd2e9bbdeb9ad9ab4e2eccb4bd2b57000a5d7b064e6b6fb5cb9c743d6afe697bac549ade238c7a3a094e799e9c7e6cef6e6d4b8c8f1d862bc8ab9b96238c7d5393b2f684c5b4826df6c5f48cadb43fd6d6cb189ca56125bfee9dd44d22a2e28d7a9e63565321c9ecad96b3ae7376c984c44cab978002ff78d947230fe15918b3a73232ff5c05586c4b0e2e0d737be6abef80414b008ad2deea1944a4248f02063500a9276217ceabeca39ec4d6af647395a9c91401dcbe8f9645ef97eca5624029f942cc9979fd31636d65ed181a65763c5c16e65f8673a3cc6143ede8144d894559dedfac3000e8d86590b0ced25dd8666d71f237fd3511d7f8a20dbb4e95e3aca9807a2351bf705a7eec5a80f2b390ef9df496c5cd7ca9f5d8846df291025beb9781c793613efe7798
AD: 4b7531e0a946b20c80f70dea4d437833f3dd26ae6f6dc37b7b99e82122acf2b7975f6d8efcb7ec4c6ff3c0ce4a5864adba0e658aeb8d9b839f3509f033827bc69a1ab080a0a1cc63559b00a3a259c53c145b0282f5e56930fc35b11c83b6564f2e80f186c2ef2e8886641fe6c4966dc9f86c567e73902d1a8fc33be1551e8359aa585bd2b8da83c0cd78a086cdebf8904d1b66a2fee176fa19714f062b752653d75a0e441ff7fba0c5a0cb6ded48f68b38af82faa985f9d97ba3c0978e1d23d8eb8899072fbec9379ca5f2b91293cb57eac81a6d711f9cccb36ff16b0de86d27d62e136ddbc1a2be38d5a1284e4620f4f9ab1f16729630e16dd2901f24f5ad6e
CT: 30b73374cc093ffaad4be2088142b08ed1b0d2914f96d90e0279aeb3a6547807b9b3bbfe2cd880e8f3a9f3b6e42da1ef53d78a6c63da686498b61523ac4c82caa01d31afe1ec00e80349df969684b060299aa86e4b7a38c643987889eab5a0a0996d18b2350439c7162d566dbb0d55f0f50a81d982df5e2047a23800a418b5adf42d8ff26cfd961527347439e76fbb2c2da08c1dd1a5fddf149d47eaf571498e23c3104c6b2dffb8e5d5e5f90e50eae9146f48b19a6e2d49cd170654a0041096f4f57aff5054dbf784e7748b3ddfdb9c447ed86681bcfb8055407fcec320990609089c3b51845f8e9bcb21382421a2f8634e1ad8739795202ade68aa47ab10026031cb3bfd94adc70702c31760753af4a2bb852581519e91cce5b1e0e49d028a1a03b915917d1011a4a7c04b46e1d8434663aa9473d1ad135966ab18145caf825f4a04d47b953989e188d21ec9f3858623fe16c413d2caa73761ec9dab8bf4e6dcdb997a503168487b67d1b3a9768a1887c292b9f39d40a404b8ffd011150490ed2e751ccbe4f7661785d8c5b778a21aa7e6efc132afe81765cc4ef32b5959e19ca97a4c37601257b8484fab234760242db6fd140ed1cfaff1d11cfad836171b42a164671c178164bbdb14815376f4eed1fbbb95f8e4614ff23de5cc9a0642a228d6bce19fbeea0e661b14696c6eb4aca97ac2cbe838578e7033703e2b551f7ef5dae4a68cdc58daac41eddc07b38ea7c4de1262ce04fb16f75870bbf41c95acbce6eb86dc3452a0d177aef3bc1e39878788d4a2680feb5d888debe62ec64fd72290c0cf8b9105c365c7305d994b28a2b32b88fdd11c3879dc1e005d6a2aa99daa926b18338f0980cdf0d8275e190bb9b8da9a63ff332bb5f5b654414a110b9d6128d0984d015c2a0a100985733fd400be0829f57e72655bfcd10c20341cd24cad0705647363ec0a3d678f30f7a1e85bc1a2dd133fcef5f25852eb6d81d7b4b531aff4e655285375f1b1ceee0d58a63f85f21f6525e3ad43f76a8fef16c785047778e1eccfe8e3c7cb34f2e037a61e3f01af88874b30911df60664e5ca65d6836166ff796e6b710af474add57957c2139b24257bcee287090f1ca1f91c95cc2c9348689aa7b95dfcedb02e68e38c1cd75ef966f0d33c4e09c40e2e58d30f6d0771d11debf01e57f342f3fffa34a1ed2bf10035c1607f3fd79423c0164dd6c171d8046edaed9b7b2a75bc11e1e8417c4550795aab6f106a95b5dda022e512269e8b2937b1d5601cfec1dba8b763707b97bc786ac94e38cd368cadeb1b48a3e068b614fc7b06430db80d46889027ca3d228d87c6eb00531e8d913734e3af987b104d052bbd63564184cd9dc803e6948d70575c9606a704245ef6136f707ddba8a00f288199867774c6e7487311c29aada3f607fc904f88be90cae49789a5163a4c
TAG: 37db916a9c13afd36e39ce5d01665067
crypto/cipher/test/aes_256_key_wrap_tests.txt
+23
View File
@@ -0,0 +1,23 @@
# These test vectors have been taken from
# http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
KEY: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
NONCE:
IN: 00112233445566778899AABBCCDDEEFF
AD:
CT: 64E8C3F9CE0F5BA263E9777905818A2A
TAG: 93C8191E7D6E8AE7
KEY: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
NONCE:
IN: 00112233445566778899AABBCCDDEEFF0001020304050607
AD:
CT: A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB895
TAG: 8CD5D17D6B254DA1
KEY: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
NONCE:
IN: 00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F
AD:
CT: 28C9F404C4B810F4CBCCB35CFB87F8263F5786E2D80ED326CBC7F0E71A99F43B
TAG: FB988B9B7A02DD21
crypto/cipher/test/cipher_tests.txt
-8
View File
@@ -214,14 +214,6 @@ Operation = ENCRYPT
Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223
Ciphertext = EB6C52821D0BBBF7CE7594462ACA4FAAB407DF866569FD07F48CC0B583D6071F1EC0E6B8
# Regression test for https://github.com/openssl/openssl/issues/1916.
Cipher = AES-128-CTR
Key = 7E24067817FAE0D743D6CE1F32539163
IV = 00000000000000007FFFFFFFFFFFFFFF
Operation = ENCRYPT
Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
Ciphertext = A2D459477E6432BD74184B1B5370D2243CDC202BC43583B2A55D288CDBBD1E03
# AES GCM test vectors from http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
Cipher = AES-128-GCM
crypto/cipher/tls_cbc.c
+112 -41
View File
@@ -133,32 +133,107 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
/* mac_end is the index of |in| just after the end of the MAC. */
unsigned mac_end = in_len;
unsigned mac_start = mac_end - md_size;
/* scan_start contains the number of bytes that we can ignore because
* the MAC's position can only vary by 255 bytes. */
unsigned scan_start = 0;
unsigned i, j;
unsigned rotate_offset;
assert(orig_len >= in_len);
assert(in_len >= md_size);
assert(md_size <= EVP_MAX_MD_SIZE);
/* scan_start contains the number of bytes that we can ignore because
* the MAC's position can only vary by 255 bytes. */
unsigned scan_start = 0;
/* This information is public so it's safe to branch based on it. */
if (orig_len > md_size + 255 + 1) {
scan_start = orig_len - (md_size + 255 + 1);
}
unsigned rotate_offset = 0;
uint8_t mac_started = 0;
OPENSSL_memset(rotated_mac, 0, md_size);
for (unsigned i = scan_start, j = 0; i < orig_len; i++, j++) {
if (j >= md_size) {
j -= md_size;
}
unsigned is_mac_start = constant_time_eq(i, mac_start);
mac_started |= is_mac_start;
/* Ideally the next statement would be:
*
* rotate_offset = (mac_start - scan_start) % md_size;
*
* However, division is not a constant-time operation (at least on Intel
* chips). Thus we enumerate the possible values of md_size and handle each
* separately. The value of |md_size| is public information (it's determined
* by the cipher suite in the ServerHello) so our timing can vary based on
* its value. */
rotate_offset = mac_start - scan_start;
/* rotate_offset can be, at most, 255 (bytes of padding) + 1 (padding length)
* + md_size = 256 + 48 (since SHA-384 is the largest hash) = 304. */
assert(rotate_offset <= 304);
/* Below is an SMT-LIB2 verification that the Barrett reductions below are
* correct within this range:
*
* (define-fun barrett (
* (x (_ BitVec 32))
* (mul (_ BitVec 32))
* (shift (_ BitVec 32))
* (divisor (_ BitVec 32)) ) (_ BitVec 32)
* (let ((q (bvsub x (bvmul divisor (bvlshr (bvmul x mul) shift))) ))
* (ite (bvuge q divisor)
* (bvsub q divisor)
* q)))
*
* (declare-fun x () (_ BitVec 32))
*
* (assert (or
* (let (
* (divisor (_ bv20 32))
* (mul (_ bv25 32))
* (shift (_ bv9 32))
* (limit (_ bv853 32)))
*
* (and (bvule x limit) (not (= (bvurem x divisor)
* (barrett x mul shift divisor)))))
*
* (let (
* (divisor (_ bv48 32))
* (mul (_ bv10 32))
* (shift (_ bv9 32))
* (limit (_ bv768 32)))
*
* (and (bvule x limit) (not (= (bvurem x divisor)
* (barrett x mul shift divisor)))))
* ))
*
* (check-sat)
* (get-model)
*/
if (md_size == 16) {
rotate_offset &= 15;
} else if (md_size == 20) {
/* 1/20 is approximated as 25/512 and then Barrett reduction is used.
* Analytically, this is correct for 0 <= rotate_offset <= 853. */
unsigned q = (rotate_offset * 25) >> 9;
rotate_offset -= q * 20;
rotate_offset -=
constant_time_select(constant_time_ge(rotate_offset, 20), 20, 0);
} else if (md_size == 32) {
rotate_offset &= 31;
} else if (md_size == 48) {
/* 1/48 is approximated as 10/512 and then Barrett reduction is used.
* Analytically, this is correct for 0 <= rotate_offset <= 768. */
unsigned q = (rotate_offset * 10) >> 9;
rotate_offset -= q * 48;
rotate_offset -=
constant_time_select(constant_time_ge(rotate_offset, 48), 48, 0);
} else {
/* This should be impossible therefore this path doesn't run in constant
* time. */
assert(0);
rotate_offset = rotate_offset % md_size;
}
memset(rotated_mac, 0, md_size);
for (i = scan_start, j = 0; i < orig_len; i++) {
uint8_t mac_started = constant_time_ge_8(i, mac_start);
uint8_t mac_ended = constant_time_ge_8(i, mac_end);
rotated_mac[j] |= in[i] & mac_started & ~mac_ended;
/* Save the offset that |mac_start| is mapped to. */
rotate_offset |= j & is_mac_start;
uint8_t b = in[i];
rotated_mac[j++] |= b & mac_started & ~mac_ended;
j &= constant_time_lt(j, md_size);
}
/* Now rotate the MAC. We rotate in log(md_size) steps, one for each bit
@@ -168,7 +243,7 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
/* Rotate by |offset| iff the corresponding bit is set in
* |rotate_offset|, placing the result in |rotated_mac_tmp|. */
const uint8_t skip_rotate = (rotate_offset & 1) - 1;
for (unsigned i = 0, j = offset; i < md_size; i++, j++) {
for (i = 0, j = offset; i < md_size; i++, j++) {
if (j >= md_size) {
j -= md_size;
}
@@ -184,32 +259,28 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, unsigned md_size,
rotated_mac_tmp = tmp;
}
OPENSSL_memcpy(out, rotated_mac, md_size);
memcpy(out, rotated_mac, md_size);
}
/* u32toBE serialises an unsigned, 32-bit number (n) as four bytes at (p) in
* big-endian order. The value of p is advanced by four. */
#define u32toBE(n, p) \
do { \
*((p)++) = (uint8_t)((n) >> 24); \
*((p)++) = (uint8_t)((n) >> 16); \
*((p)++) = (uint8_t)((n) >> 8); \
*((p)++) = (uint8_t)((n)); \
} while (0)
#define u32toBE(n, p) \
(*((p)++)=(uint8_t)(n>>24), \
*((p)++)=(uint8_t)(n>>16), \
*((p)++)=(uint8_t)(n>>8), \
*((p)++)=(uint8_t)(n))
/* u64toBE serialises an unsigned, 64-bit number (n) as eight bytes at (p) in
* big-endian order. The value of p is advanced by eight. */
#define u64toBE(n, p) \
do { \
*((p)++) = (uint8_t)((n) >> 56); \
*((p)++) = (uint8_t)((n) >> 48); \
*((p)++) = (uint8_t)((n) >> 40); \
*((p)++) = (uint8_t)((n) >> 32); \
*((p)++) = (uint8_t)((n) >> 24); \
*((p)++) = (uint8_t)((n) >> 16); \
*((p)++) = (uint8_t)((n) >> 8); \
*((p)++) = (uint8_t)((n)); \
} while (0)
#define u64toBE(n, p) \
(*((p)++)=(uint8_t)(n>>56), \
*((p)++)=(uint8_t)(n>>48), \
*((p)++)=(uint8_t)(n>>40), \
*((p)++)=(uint8_t)(n>>32), \
*((p)++)=(uint8_t)(n>>24), \
*((p)++)=(uint8_t)(n>>16), \
*((p)++)=(uint8_t)(n>>8), \
*((p)++)=(uint8_t)(n))
/* These functions serialize the state of a hash and thus perform the standard
* "final" operation without adding the padding and length that such a function
@@ -382,16 +453,16 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
/* Compute the initial HMAC block. */
bits += 8 * md_block_size;
OPENSSL_memset(hmac_pad, 0, md_block_size);
memset(hmac_pad, 0, md_block_size);
assert(mac_secret_length <= sizeof(hmac_pad));
OPENSSL_memcpy(hmac_pad, mac_secret, mac_secret_length);
memcpy(hmac_pad, mac_secret, mac_secret_length);
for (i = 0; i < md_block_size; i++) {
hmac_pad[i] ^= 0x36;
}
md_transform(md_state.c, hmac_pad);
OPENSSL_memset(length_bytes, 0, md_length_size - 4);
memset(length_bytes, 0, md_length_size - 4);
length_bytes[md_length_size - 4] = (uint8_t)(bits >> 24);
length_bytes[md_length_size - 3] = (uint8_t)(bits >> 16);
length_bytes[md_length_size - 2] = (uint8_t)(bits >> 8);
@@ -399,15 +470,15 @@ int EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,
if (k > 0) {
/* k is a multiple of md_block_size. */
OPENSSL_memcpy(first_block, header, 13);
OPENSSL_memcpy(first_block + 13, data, md_block_size - 13);
memcpy(first_block, header, 13);
memcpy(first_block + 13, data, md_block_size - 13);
md_transform(md_state.c, first_block);
for (i = 1; i < k / md_block_size; i++) {
md_transform(md_state.c, data + md_block_size * i - 13);
}
}
OPENSSL_memset(mac_out, 0, sizeof(mac_out));
memset(mac_out, 0, sizeof(mac_out));
/* We now process the final hash blocks. For each block, we construct
* it in constant time. If the |i==index_a| then we'll include the 0x80
crypto/cmac/cmac.c
+4 -6
View File
@@ -55,8 +55,6 @@
#include <openssl/cipher.h>
#include <openssl/mem.h>
#include "../internal.h"
struct cmac_ctx_st {
EVP_CIPHER_CTX cipher_ctx;
@@ -178,7 +176,7 @@ int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
todo = in_len;
}
OPENSSL_memcpy(ctx->block + ctx->block_used, in, todo);
memcpy(ctx->block + ctx->block_used, in, todo);
in += todo;
in_len -= todo;
ctx->block_used += todo;
@@ -208,7 +206,7 @@ int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {
in_len -= AES_BLOCK_SIZE;
}
OPENSSL_memcpy(ctx->block, in, in_len);
memcpy(ctx->block, in, in_len);
ctx->block_used = in_len;
return 1;
@@ -226,8 +224,8 @@ int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {
/* If the last block is incomplete, terminate it with a single 'one' bit
* followed by zeros. */
ctx->block[ctx->block_used] = 0x80;
OPENSSL_memset(ctx->block + ctx->block_used + 1, 0,
AES_BLOCK_SIZE - (ctx->block_used + 1));
memset(ctx->block + ctx->block_used + 1, 0,
AES_BLOCK_SIZE - (ctx->block_used + 1));
mask = ctx->k2;
}
crypto/conf/conf.c
+3 -6
View File
@@ -66,7 +66,6 @@
#include "conf_def.h"
#include "internal.h"
#include "../internal.h"
static uint32_t conf_value_hash(const CONF_VALUE *v) {
@@ -119,7 +118,7 @@ CONF_VALUE *CONF_VALUE_new(void) {
OPENSSL_PUT_ERROR(CONF, ERR_R_MALLOC_FAILURE);
return NULL;
}
OPENSSL_memset(v, 0, sizeof(CONF_VALUE));
memset(v, 0, sizeof(CONF_VALUE));
return v;
}
@@ -354,7 +353,7 @@ err:
static CONF_VALUE *get_section(const CONF *conf, const char *section) {
CONF_VALUE template;
OPENSSL_memset(&template, 0, sizeof(template));
memset(&template, 0, sizeof(template));
template.section = (char *) section;
return lh_CONF_VALUE_retrieve(conf->data, &template);
}
@@ -371,7 +370,7 @@ const char *NCONF_get_string(const CONF *conf, const char *section,
const char *name) {
CONF_VALUE template, *value;
OPENSSL_memset(&template, 0, sizeof(template));
memset(&template, 0, sizeof(template));
template.section = (char *) section;
template.name = (char *) name;
value = lh_CONF_VALUE_retrieve(conf->data, &template);
@@ -787,5 +786,3 @@ int CONF_modules_load_file(CONF_MUST_BE_NULL *filename, const char *appname,
void CONF_modules_free(void) {}
void OPENSSL_config(CONF_MUST_BE_NULL *config_name) {}
void OPENSSL_no_config(void) {}
crypto/constant_time_test.cc → crypto/constant_time_test.c
View File
crypto/cpu-arm-linux.c
+2 -2
View File
@@ -161,7 +161,7 @@ typedef struct {
static int STRING_PIECE_equals(const STRING_PIECE *a, const char *b) {
size_t b_len = strlen(b);
return a->len == b_len && OPENSSL_memcmp(a->data, b, b_len) == 0;
return a->len == b_len && memcmp(a->data, b, b_len) == 0;
}
/* STRING_PIECE_split finds the first occurence of |sep| in |in| and, if found,
@@ -169,7 +169,7 @@ static int STRING_PIECE_equals(const STRING_PIECE *a, const char *b) {
* returns one if |sep| was found and zero otherwise. */
static int STRING_PIECE_split(STRING_PIECE *out_left, STRING_PIECE *out_right,
const STRING_PIECE *in, char sep) {
const char *p = OPENSSL_memchr(in->data, sep, in->len);
const char *p = memchr(in->data, sep, in->len);
if (p == NULL) {
return 0;
}
crypto/curve25519/curve25519.c
+34 -28
View File
@@ -29,7 +29,6 @@
#include <openssl/sha.h>
#include "internal.h"
#include "../internal.h"
static const int64_t kBottom25Bits = INT64_C(0x1ffffff);
@@ -205,15 +204,15 @@ static void fe_tobytes(uint8_t *s, const fe h) {
/* h = f */
static void fe_copy(fe h, const fe f) {
OPENSSL_memmove(h, f, sizeof(int32_t) * 10);
memmove(h, f, sizeof(int32_t) * 10);
}
/* h = 0 */
static void fe_0(fe h) { OPENSSL_memset(h, 0, sizeof(int32_t) * 10); }
static void fe_0(fe h) { memset(h, 0, sizeof(int32_t) * 10); }
/* h = 1 */
static void fe_1(fe h) {
OPENSSL_memset(h, 0, sizeof(int32_t) * 10);
memset(h, 0, sizeof(int32_t) * 10);
h[0] = 1;
}
@@ -641,6 +640,9 @@ static void fe_invert(fe out, const fe z) {
int i;
fe_sq(t0, z);
for (i = 1; i < 1; ++i) {
fe_sq(t0, t0);
}
fe_sq(t1, t0);
for (i = 1; i < 2; ++i) {
fe_sq(t1, t1);
@@ -648,6 +650,9 @@ static void fe_invert(fe out, const fe z) {
fe_mul(t1, z, t1);
fe_mul(t0, t0, t1);
fe_sq(t2, t0);
for (i = 1; i < 1; ++i) {
fe_sq(t2, t2);
}
fe_mul(t1, t1, t2);
fe_sq(t2, t1);
for (i = 1; i < 5; ++i) {
@@ -902,6 +907,9 @@ static void fe_pow22523(fe out, const fe z) {
int i;
fe_sq(t0, z);
for (i = 1; i < 1; ++i) {
fe_sq(t0, t0);
}
fe_sq(t1, t0);
for (i = 1; i < 2; ++i) {
fe_sq(t1, t1);
@@ -909,6 +917,9 @@ static void fe_pow22523(fe out, const fe z) {
fe_mul(t1, z, t1);
fe_mul(t0, t0, t1);
fe_sq(t0, t0);
for (i = 1; i < 1; ++i) {
fe_sq(t0, t0);
}
fe_mul(t0, t1, t0);
fe_sq(t1, t0);
for (i = 1; i < 5; ++i) {
@@ -4614,7 +4625,20 @@ static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {
uint8_t seed[32];
RAND_bytes(seed, 32);
ED25519_keypair_from_seed(out_public_key, out_private_key, seed);
uint8_t az[SHA512_DIGEST_LENGTH];
SHA512(seed, 32, az);
az[0] &= 248;
az[31] &= 63;
az[31] |= 64;
ge_p3 A;
x25519_ge_scalarmult_base(&A, az);
ge_p3_tobytes(out_public_key, &A);
memcpy(out_private_key, seed, 32);
memmove(out_private_key + 32, out_public_key, 32);
}
int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
@@ -4663,11 +4687,11 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
fe_neg(A.T, A.T);
uint8_t pkcopy[32];
OPENSSL_memcpy(pkcopy, public_key, 32);
memcpy(pkcopy, public_key, 32);
uint8_t rcopy[32];
OPENSSL_memcpy(rcopy, signature, 32);
memcpy(rcopy, signature, 32);
uint8_t scopy[32];
OPENSSL_memcpy(scopy, signature + 32, 32);
memcpy(scopy, signature + 32, 32);
SHA512_CTX hash_ctx;
SHA512_Init(&hash_ctx);
@@ -4688,24 +4712,6 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
}
void ED25519_keypair_from_seed(uint8_t out_public_key[32],
uint8_t out_private_key[64],
const uint8_t seed[32]) {
uint8_t az[SHA512_DIGEST_LENGTH];
SHA512(seed, 32, az);
az[0] &= 248;
az[31] &= 63;
az[31] |= 64;
ge_p3 A;
x25519_ge_scalarmult_base(&A, az);
ge_p3_tobytes(out_public_key, &A);
OPENSSL_memcpy(out_private_key, seed, 32);
OPENSSL_memcpy(out_private_key + 32, out_public_key, 32);
}
#if defined(BORINGSSL_X25519_X86_64)
@@ -4801,7 +4807,7 @@ static void x25519_scalar_mult_generic(uint8_t out[32],
fe x1, x2, z2, x3, z3, tmp0, tmp1;
uint8_t e[32];
OPENSSL_memcpy(e, scalar, 32);
memcpy(e, scalar, 32);
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
@@ -4917,7 +4923,7 @@ void X25519_public_from_private(uint8_t out_public_value[32],
#endif
uint8_t e[32];
OPENSSL_memcpy(e, private_key, 32);
memcpy(e, private_key, 32);
e[0] &= 248;
e[31] &= 127;
e[31] |= 64;
crypto/curve25519/ed25519_test.cc
+1 -21
View File
@@ -17,7 +17,6 @@
#include <openssl/curve25519.h>
#include "../internal.h"
#include "../test/file_test.h"
@@ -54,30 +53,11 @@ static bool TestSignature(FileTest *t, void *arg) {
return true;
}
static bool TestKeypairFromSeed() {
uint8_t public_key1[32], private_key1[64];
ED25519_keypair(public_key1, private_key1);
uint8_t seed[32];
OPENSSL_memcpy(seed, private_key1, sizeof(seed));
uint8_t public_key2[32], private_key2[64];
ED25519_keypair_from_seed(public_key2, private_key2, seed);
if (OPENSSL_memcmp(public_key1, public_key2, sizeof(public_key1)) != 0 ||
OPENSSL_memcmp(private_key1, private_key2, sizeof(private_key1)) != 0) {
fprintf(stderr, "TestKeypairFromSeed: resulting keypairs did not match.\n");
return false;
}
return true;
}
int main(int argc, char **argv) {
if (argc != 2) {
fprintf(stderr, "%s <test input.txt>\n", argv[0]);
return 1;
}
return TestKeypairFromSeed() && FileTestMain(TestSignature, nullptr, argv[1]);
return FileTestMain(TestSignature, nullptr, argv[1]);
}
crypto/curve25519/spake25519.c
+6 -7
View File
@@ -22,7 +22,6 @@
#include <openssl/sha.h>
#include "internal.h"
#include "../internal.h"
/* The following precomputation tables are for the following
@@ -292,7 +291,7 @@ SPAKE2_CTX *SPAKE2_CTX_new(enum spake2_role_t my_role,
return NULL;
}
OPENSSL_memset(ctx, 0, sizeof(SPAKE2_CTX));
memset(ctx, 0, sizeof(SPAKE2_CTX));
ctx->my_role = my_role;
CBS my_name_cbs, their_name_cbs;
@@ -347,7 +346,7 @@ int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len,
/* Multiply by the cofactor (eight) so that we'll clear it when operating on
* the peer's point later in the protocol. */
left_shift_3(private_tmp);
OPENSSL_memcpy(ctx->private_key, private_tmp, sizeof(ctx->private_key));
memcpy(ctx->private_key, private_tmp, sizeof(ctx->private_key));
ge_p3 P;
x25519_ge_scalarmult_base(&P, ctx->private_key);
@@ -355,9 +354,9 @@ int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len,
/* mask = h(password) * <N or M>. */
uint8_t password_tmp[SHA512_DIGEST_LENGTH];
SHA512(password, password_len, password_tmp);
OPENSSL_memcpy(ctx->password_hash, password_tmp, sizeof(ctx->password_hash));
memcpy(ctx->password_hash, password_tmp, sizeof(ctx->password_hash));
x25519_sc_reduce(password_tmp);
OPENSSL_memcpy(ctx->password_scalar, password_tmp, sizeof(ctx->password_scalar));
memcpy(ctx->password_scalar, password_tmp, sizeof(ctx->password_scalar));
ge_p3 mask;
x25519_ge_scalarmult_small_precomp(&mask, ctx->password_scalar,
@@ -376,7 +375,7 @@ int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len,
x25519_ge_p1p1_to_p2(&Pstar_proj, &Pstar);
x25519_ge_tobytes(ctx->my_msg, &Pstar_proj);
OPENSSL_memcpy(out, ctx->my_msg, sizeof(ctx->my_msg));
memcpy(out, ctx->my_msg, sizeof(ctx->my_msg));
*out_len = sizeof(ctx->my_msg);
ctx->state = spake2_state_msg_generated;
@@ -457,7 +456,7 @@ int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key, size_t *out_key_len,
if (to_copy > sizeof(key)) {
to_copy = sizeof(key);
}
OPENSSL_memcpy(out_key, key, to_copy);
memcpy(out_key, key, to_copy);
*out_key_len = to_copy;
ctx->state = spake2_state_key_generated;
crypto/curve25519/spake25519_test.cc
+1 -3
View File
@@ -20,8 +20,6 @@
#include <openssl/curve25519.h>
#include "../internal.h"
struct SPAKE2Run {
bool Run() {
@@ -73,7 +71,7 @@ struct SPAKE2Run {
}
key_matches_ = (alice_key_len == bob_key_len &&
OPENSSL_memcmp(alice_key, bob_key, alice_key_len) == 0);
memcmp(alice_key, bob_key, alice_key_len) == 0);
return true;
}
crypto/curve25519/x25519-x86_64.c
+1 -2
View File
@@ -23,7 +23,6 @@
#include <string.h>
#include "../internal.h"
#include "internal.h"
@@ -229,7 +228,7 @@ static void mladder(fe25519 *xr, fe25519 *zr, const uint8_t s[32]) {
void x25519_x86_64(uint8_t out[32], const uint8_t scalar[32],
const uint8_t point[32]) {
uint8_t e[32];
OPENSSL_memcpy(e, scalar, sizeof(e));
memcpy(e, scalar, sizeof(e));
e[0] &= 248;
e[31] &= 127;
crypto/curve25519/x25519_test.cc
+6 -8
View File
@@ -18,8 +18,6 @@
#include <openssl/curve25519.h>
#include "../internal.h"
static bool TestX25519() {
/* Taken from https://tools.ietf.org/html/rfc7748#section-5.2 */
@@ -42,7 +40,7 @@ static bool TestX25519() {
0x4d, 0xf2, 0x8d, 0x08, 0x4f, 0x32, 0xec, 0xcf, 0x03, 0x49, 0x1c,
0x71, 0xf7, 0x54, 0xb4, 0x07, 0x55, 0x77, 0xa2, 0x85, 0x52,
};
if (OPENSSL_memcmp(kExpected1, out, sizeof(out)) != 0) {
if (memcmp(kExpected1, out, sizeof(out)) != 0) {
fprintf(stderr, "X25519 test one failed.\n");
return false;
}
@@ -65,7 +63,7 @@ static bool TestX25519() {
0x5c, 0xb4, 0xb8, 0x73, 0xf8, 0x8b, 0x59, 0x5a, 0x68, 0x79, 0x9f,
0xa1, 0x52, 0xe6, 0xf8, 0xf7, 0x64, 0x7a, 0xac, 0x79, 0x57,
};
if (OPENSSL_memcmp(kExpected2, out, sizeof(out)) != 0) {
if (memcmp(kExpected2, out, sizeof(out)) != 0) {
fprintf(stderr, "X25519 test two failed.\n");
return false;
}
@@ -81,7 +79,7 @@ static bool TestX25519SmallOrder() {
};
uint8_t out[32], private_key[32];
OPENSSL_memset(private_key, 0x11, sizeof(private_key));
memset(private_key, 0x11, sizeof(private_key));
if (X25519(out, private_key, kSmallOrderPoint)) {
fprintf(stderr, "X25519 returned success with a small-order input.\n");
@@ -98,8 +96,8 @@ static bool TestX25519Iterated() {
unsigned i;
for (i = 0; i < 1000; i++) {
X25519(out, scalar, point);
OPENSSL_memcpy(point, scalar, sizeof(point));
OPENSSL_memcpy(scalar, out, sizeof(scalar));
memcpy(point, scalar, sizeof(point));
memcpy(scalar, out, sizeof(scalar));
}
static const uint8_t kExpected[32] = {
@@ -108,7 +106,7 @@ static bool TestX25519Iterated() {
0xe3, 0x87, 0x5f, 0x2e, 0xb9, 0x4d, 0x99, 0x53, 0x2c, 0x51,
};
if (OPENSSL_memcmp(kExpected, scalar, sizeof(kExpected)) != 0) {
if (memcmp(kExpected, scalar, sizeof(kExpected)) != 0) {
fprintf(stderr, "Iterated X25519 test failed\n");
return false;
}
crypto/des/des.c
+1 -1
View File
@@ -291,7 +291,7 @@ static const uint32_t DES_SPtrans[8][64] = {
#define HPERM_OP(a, t, n, m) \
((t) = ((((a) << (16 - (n))) ^ (a)) & (m)), \
(a) = (a) ^ (t) ^ ((t) >> (16 - (n))))
(a) = (a) ^ (t) ^ (t >> (16 - (n))))
void DES_set_key(const DES_cblock *key, DES_key_schedule *schedule) {
static const int shifts2[16] = {0, 0, 1, 1, 1, 1, 1, 1,
crypto/des/internal.h
+45 -57
View File
@@ -64,51 +64,45 @@ extern "C" {
#endif
#define c2l(c, l) \
do { \
(l) = ((uint32_t)(*((c)++))); \
(l) |= ((uint32_t)(*((c)++))) << 8L; \
(l) |= ((uint32_t)(*((c)++))) << 16L; \
(l) |= ((uint32_t)(*((c)++))) << 24L; \
} while (0)
#define c2l(c, l) \
(l = ((uint32_t)(*((c)++))), l |= ((uint32_t)(*((c)++))) << 8L, \
l |= ((uint32_t)(*((c)++))) << 16L, l |= ((uint32_t)(*((c)++))) << 24L)
#define l2c(l, c) \
do { \
*((c)++) = (unsigned char)(((l)) & 0xff); \
*((c)++) = (unsigned char)(((l) >> 8L) & 0xff); \
*((c)++) = (unsigned char)(((l) >> 16L) & 0xff); \
*((c)++) = (unsigned char)(((l) >> 24L) & 0xff); \
} while (0)
#define l2c(l, c) \
(*((c)++) = (unsigned char)(((l)) & 0xff), \
*((c)++) = (unsigned char)(((l) >> 8L) & 0xff), \
*((c)++) = (unsigned char)(((l) >> 16L) & 0xff), \
*((c)++) = (unsigned char)(((l) >> 24L) & 0xff))
/* NOTE - c is not incremented as per c2l */
#define c2ln(c, l1, l2, n) \
do { \
(c) += (n); \
(l1) = (l2) = 0; \
switch (n) { \
case 8: \
(l2) = ((uint32_t)(*(--(c)))) << 24L; \
case 7: \
(l2) |= ((uint32_t)(*(--(c)))) << 16L; \
case 6: \
(l2) |= ((uint32_t)(*(--(c)))) << 8L; \
case 5: \
(l2) |= ((uint32_t)(*(--(c)))); \
case 4: \
(l1) = ((uint32_t)(*(--(c)))) << 24L; \
case 3: \
(l1) |= ((uint32_t)(*(--(c)))) << 16L; \
case 2: \
(l1) |= ((uint32_t)(*(--(c)))) << 8L; \
case 1: \
(l1) |= ((uint32_t)(*(--(c)))); \
} \
} while (0)
#define c2ln(c, l1, l2, n) \
{ \
c += n; \
l1 = l2 = 0; \
switch (n) { \
case 8: \
l2 = ((uint32_t)(*(--(c)))) << 24L; \
case 7: \
l2 |= ((uint32_t)(*(--(c)))) << 16L; \
case 6: \
l2 |= ((uint32_t)(*(--(c)))) << 8L; \
case 5: \
l2 |= ((uint32_t)(*(--(c)))); \
case 4: \
l1 = ((uint32_t)(*(--(c)))) << 24L; \
case 3: \
l1 |= ((uint32_t)(*(--(c)))) << 16L; \
case 2: \
l1 |= ((uint32_t)(*(--(c)))) << 8L; \
case 1: \
l1 |= ((uint32_t)(*(--(c)))); \
} \
}
/* NOTE - c is not incremented as per l2c */
#define l2cn(l1, l2, c, n) \
do { \
(c) += (n); \
{ \
c += n; \
switch (n) { \
case 8: \
*(--(c)) = (unsigned char)(((l2) >> 24L) & 0xff); \
@@ -127,7 +121,7 @@ extern "C" {
case 1: \
*(--(c)) = (unsigned char)(((l1)) & 0xff); \
} \
} while (0)
}
/* IP and FP
* The problem is more of a geometric problem that random bit fiddling.
@@ -166,50 +160,44 @@ When I finally started to think of the problem in 2D
I first got ~42 operations without xors. When I remembered
how to use xors :-) I got it to its final state.
*/
#define PERM_OP(a, b, t, n, m) \
do { \
(t) = ((((a) >> (n)) ^ (b)) & (m)); \
(b) ^= (t); \
(a) ^= ((t) << (n)); \
} while (0)
#define PERM_OP(a, b, t, n, m) \
((t) = ((((a) >> (n)) ^ (b)) & (m)), (b) ^= (t), (a) ^= ((t) << (n)))
#define IP(l, r) \
do { \
{ \
uint32_t tt; \
PERM_OP(r, l, tt, 4, 0x0f0f0f0fL); \
PERM_OP(l, r, tt, 16, 0x0000ffffL); \
PERM_OP(r, l, tt, 2, 0x33333333L); \
PERM_OP(l, r, tt, 8, 0x00ff00ffL); \
PERM_OP(r, l, tt, 1, 0x55555555L); \
} while (0)
}
#define FP(l, r) \
do { \
{ \
uint32_t tt; \
PERM_OP(l, r, tt, 1, 0x55555555L); \
PERM_OP(r, l, tt, 8, 0x00ff00ffL); \
PERM_OP(l, r, tt, 2, 0x33333333L); \
PERM_OP(r, l, tt, 16, 0x0000ffffL); \
PERM_OP(l, r, tt, 4, 0x0f0f0f0fL); \
} while (0)
}
#define LOAD_DATA(ks, R, S, u, t, E0, E1) \
do { \
(u) = (R) ^ (ks)->subkeys[S][0]; \
(t) = (R) ^ (ks)->subkeys[S][1]; \
} while (0)
u = R ^ ks->subkeys[S][0]; \
t = R ^ ks->subkeys[S][1]
#define D_ENCRYPT(ks, LL, R, S) \
do { \
{ \
LOAD_DATA(ks, R, S, u, t, E0, E1); \
t = ROTATE(t, 4); \
(LL) ^= \
LL ^= \
DES_SPtrans[0][(u >> 2L) & 0x3f] ^ DES_SPtrans[2][(u >> 10L) & 0x3f] ^ \
DES_SPtrans[4][(u >> 18L) & 0x3f] ^ \
DES_SPtrans[6][(u >> 26L) & 0x3f] ^ DES_SPtrans[1][(t >> 2L) & 0x3f] ^ \
DES_SPtrans[3][(t >> 10L) & 0x3f] ^ \
DES_SPtrans[5][(t >> 18L) & 0x3f] ^ DES_SPtrans[7][(t >> 26L) & 0x3f]; \
} while (0)
}
#define ITERATIONS 16
#define HALF_ITERATIONS 8
crypto/dh/dh.c
+8 -4
View File
@@ -79,7 +79,7 @@ DH *DH_new(void) {
return NULL;
}
OPENSSL_memset(dh, 0, sizeof(DH));
memset(dh, 0, sizeof(DH));
CRYPTO_MUTEX_init(&dh->method_mont_p_lock);
@@ -258,6 +258,7 @@ int DH_generate_key(DH *dh) {
int generate_new_key = 0;
BN_CTX *ctx = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
BIGNUM local_priv;
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE);
@@ -316,7 +317,8 @@ int DH_generate_key(DH *dh) {
}
}
if (!BN_mod_exp_mont_consttime(pub_key, dh->g, priv_key, dh->p, ctx,
BN_with_flags(&local_priv, priv_key, BN_FLG_CONSTTIME);
if (!BN_mod_exp_mont_consttime(pub_key, dh->g, &local_priv, dh->p, ctx,
dh->method_mont_p)) {
goto err;
}
@@ -345,6 +347,7 @@ int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) {
BIGNUM *shared_key;
int ret = -1;
int check_result;
BIGNUM local_priv;
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE);
@@ -376,8 +379,9 @@ int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) {
goto err;
}
if (!BN_mod_exp_mont_consttime(shared_key, peers_key, dh->priv_key, dh->p,
ctx, dh->method_mont_p)) {
BN_with_flags(&local_priv, dh->priv_key, BN_FLG_CONSTTIME);
if (!BN_mod_exp_mont_consttime(shared_key, peers_key, &local_priv, dh->p, ctx,
dh->method_mont_p)) {
OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);
goto err;
}
crypto/dh/dh_test.cc
+14 -11
View File
@@ -68,8 +68,7 @@
#include <openssl/err.h>
#include <openssl/mem.h>
#include "../internal.h"
namespace bssl {
static bool RunBasicTests();
static bool RunRFC5114Tests();
@@ -77,7 +76,7 @@ static bool TestBadY();
static bool TestASN1();
static bool TestRFC3526();
int main() {
static int Main() {
CRYPTO_library_init();
if (!RunBasicTests() ||
@@ -472,9 +471,9 @@ static bool RunRFC5114Tests() {
}
if (static_cast<size_t>(ret1) != td->Z_len ||
OPENSSL_memcmp(Z1.data(), td->Z, td->Z_len) != 0 ||
memcmp(Z1.data(), td->Z, td->Z_len) != 0 ||
static_cast<size_t>(ret2) != td->Z_len ||
OPENSSL_memcmp(Z2.data(), td->Z, td->Z_len) != 0) {
memcmp(Z2.data(), td->Z, td->Z_len) != 0) {
fprintf(stderr, "Test failed RFC5114 set %u\n", i + 1);
return false;
}
@@ -569,7 +568,7 @@ static bool TestASN1() {
return false;
}
bssl::ScopedCBB cbb;
ScopedCBB cbb;
uint8_t *der;
size_t der_len;
if (!CBB_init(cbb.get(), 0) ||
@@ -578,8 +577,7 @@ static bool TestASN1() {
return false;
}
bssl::UniquePtr<uint8_t> free_der(der);
if (der_len != sizeof(kParams) ||
OPENSSL_memcmp(der, kParams, der_len) != 0) {
if (der_len != sizeof(kParams) || memcmp(der, kParams, der_len) != 0) {
return false;
}
@@ -621,8 +619,7 @@ static bool TestASN1() {
return false;
}
bssl::UniquePtr<uint8_t> free_der2(der);
if (der_len != sizeof(kParamsDSA) ||
OPENSSL_memcmp(der, kParamsDSA, der_len) != 0) {
if (der_len != sizeof(kParamsDSA) || memcmp(der, kParamsDSA, der_len) != 0) {
return false;
}
@@ -657,10 +654,16 @@ static bool TestRFC3526() {
uint8_t buffer[sizeof(kPrime1536)];
if (BN_num_bytes(bn.get()) != sizeof(kPrime1536) ||
BN_bn2bin(bn.get(), buffer) != sizeof(kPrime1536) ||
OPENSSL_memcmp(buffer, kPrime1536, sizeof(kPrime1536)) != 0) {
memcmp(buffer, kPrime1536, sizeof(kPrime1536)) != 0) {
fprintf(stderr, "1536-bit MODP prime did not match.\n");
return false;
}
return true;
}
} // namespace bssl
int main() {
return bssl::Main();
}
crypto/digest/digest.c
+2 -5
View File
@@ -63,7 +63,6 @@
#include <openssl/mem.h>
#include "internal.h"
#include "../internal.h"
int EVP_MD_type(const EVP_MD *md) { return md->type; }
@@ -75,9 +74,7 @@ size_t EVP_MD_size(const EVP_MD *md) { return md->md_size; }
size_t EVP_MD_block_size(const EVP_MD *md) { return md->block_size; }
void EVP_MD_CTX_init(EVP_MD_CTX *ctx) {
OPENSSL_memset(ctx, 0, sizeof(EVP_MD_CTX));
}
void EVP_MD_CTX_init(EVP_MD_CTX *ctx) { memset(ctx, 0, sizeof(EVP_MD_CTX)); }
EVP_MD_CTX *EVP_MD_CTX_create(void) {
EVP_MD_CTX *ctx = OPENSSL_malloc(sizeof(EVP_MD_CTX));
@@ -143,7 +140,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) {
return 0;
}
}
OPENSSL_memcpy(out->md_data, in->md_data, in->digest->ctx_size);
memcpy(out->md_data, in->md_data, in->digest->ctx_size);
}
assert(in->pctx == NULL || in->pctx_ops != NULL);
crypto/digest/digest_test.cc
+13 -14
View File
@@ -23,12 +23,13 @@
#include <openssl/err.h>
#include <openssl/md4.h>
#include <openssl/md5.h>
#include <openssl/nid.h>
#include <openssl/sha.h>
#include "../internal.h"
namespace bssl {
struct MD {
// name is the name of the digest.
const char* name;
@@ -160,7 +161,7 @@ static bool CompareDigest(const TestVector *test,
}
static int TestDigest(const TestVector *test) {
bssl::ScopedEVP_MD_CTX ctx;
ScopedEVP_MD_CTX ctx;
// Test the input provided.
if (!EVP_DigestInit_ex(ctx.get(), test->md.func(), NULL)) {
@@ -236,24 +237,16 @@ static int TestDigest(const TestVector *test) {
}
static int TestGetters() {
if (EVP_get_digestbyname("RSA-SHA512") != EVP_sha512() ||
EVP_get_digestbyname("sha512WithRSAEncryption") != EVP_sha512() ||
EVP_get_digestbyname("nonsense") != NULL ||
EVP_get_digestbyname("SHA512") != EVP_sha512() ||
EVP_get_digestbyname("sha512") != EVP_sha512()) {
return false;
}
if (EVP_get_digestbynid(NID_sha512) != EVP_sha512() ||
EVP_get_digestbynid(NID_sha512WithRSAEncryption) != NULL ||
EVP_get_digestbynid(NID_undef) != NULL) {
if (EVP_get_digestbyname("RSA-SHA512") == NULL ||
EVP_get_digestbyname("sha512WithRSAEncryption") == NULL ||
EVP_get_digestbyname("nonsense") != NULL) {
return false;
}
return true;
}
int main() {
static int Main() {
CRYPTO_library_init();
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTestVectors); i++) {
@@ -270,3 +263,9 @@ int main() {
printf("PASS\n");
return 0;
}
} // namespace bssl
int main() {
return bssl::Main();
}

Some files were not shown because too many files have changed in this diff Show More