From e05513b5aec24f88012b6e3034115b6bc915356a Mon Sep 17 00:00:00 2001 
From: Tim Condon <0xTim@users.noreply.github.com> Date: Wed, 21 Feb 2024 12:11:05 +0000 Subject: [PATCH] Update BoringSSL (#134) * Update vend script * Fix ASM script * Update BoringSSL * Update RSA key * Adjust whitespace and add explicit access modifier * Update README header --------- Co-authored-by: Paul --- Package.swift | 15 +- README.md | 34 +- .../CJWTKitBoringSSL/crypto/asn1/a_gentm.c | 12 +- .../CJWTKitBoringSSL/crypto/asn1/a_mbstr.c | 18 +- .../CJWTKitBoringSSL/crypto/asn1/a_strex.c | 43 +- .../CJWTKitBoringSSL/crypto/asn1/a_strnid.c | 10 +- Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c | 37 +- Sources/CJWTKitBoringSSL/crypto/asn1/a_type.c | 20 +- .../CJWTKitBoringSSL/crypto/asn1/a_utctm.c | 17 +- .../CJWTKitBoringSSL/crypto/asn1/asn1_lib.c | 14 +- .../CJWTKitBoringSSL/crypto/asn1/internal.h | 13 +- .../CJWTKitBoringSSL/crypto/asn1/posix_time.c | 91 +- .../CJWTKitBoringSSL/crypto/asn1/tasn_dec.c | 6 +- .../CJWTKitBoringSSL/crypto/asn1/tasn_enc.c | 7 +- .../CJWTKitBoringSSL/crypto/asn1/tasn_new.c | 17 +- .../CJWTKitBoringSSL/crypto/base64/base64.c | 7 +- Sources/CJWTKitBoringSSL/crypto/bio/bio.c | 41 +- Sources/CJWTKitBoringSSL/crypto/bio/bio_mem.c | 15 +- Sources/CJWTKitBoringSSL/crypto/bio/connect.c | 19 +- .../crypto/{x509/x_info.c => bio/errno.c} | 66 +- Sources/CJWTKitBoringSSL/crypto/bio/fd.c | 54 +- Sources/CJWTKitBoringSSL/crypto/bio/file.c | 31 +- .../CJWTKitBoringSSL/crypto/bio/internal.h | 22 +- Sources/CJWTKitBoringSSL/crypto/bio/pair.c | 5 +- Sources/CJWTKitBoringSSL/crypto/bio/socket.c | 8 +- .../crypto/bio/socket_helper.c | 13 +- .../crypto/bn_extra/convert.c | 8 + Sources/CJWTKitBoringSSL/crypto/buf/buf.c | 12 +- .../CJWTKitBoringSSL/crypto/bytestring/ber.c | 15 +- .../CJWTKitBoringSSL/crypto/bytestring/cbb.c | 54 +- .../CJWTKitBoringSSL/crypto/bytestring/cbs.c | 2 +- .../crypto/bytestring/internal.h | 22 - .../crypto/bytestring/unicode.c | 18 +- .../crypto/chacha/chacha-armv4-ios.ios.arm.S | 87 +- .../chacha/chacha-armv4-linux.linux.arm.S 
| 87 +- .../chacha/chacha-armv8-ios.ios.aarch64.S | 46 +- .../chacha/chacha-armv8-linux.linux.aarch64.S | 54 +- .../chacha/chacha-x86-linux.linux.x86.S | 17 +- .../chacha/chacha-x86_64-linux.linux.x86_64.S | 88 +- .../chacha/chacha-x86_64-mac.mac.x86_64.S | 71 +- .../CJWTKitBoringSSL/crypto/chacha/chacha.c | 55 +- .../CJWTKitBoringSSL/crypto/chacha/internal.h | 61 +- .../aes128gcmsiv-x86_64-linux.linux.x86_64.S | 101 +- .../aes128gcmsiv-x86_64-mac.mac.x86_64.S | 101 +- .../chacha20_poly1305_armv8-ios.ios.aarch64.S | 18 +- ...cha20_poly1305_armv8-linux.linux.aarch64.S | 18 +- ...cha20_poly1305_x86_64-linux.linux.x86_64.S | 25 +- .../chacha20_poly1305_x86_64-mac.mac.x86_64.S | 25 +- .../crypto/cipher_extra/e_aesgcmsiv.c | 72 +- .../crypto/cipher_extra/e_des.c | 43 +- Sources/CJWTKitBoringSSL/crypto/conf/conf.c | 193 +- .../CJWTKitBoringSSL/crypto/conf/internal.h | 6 +- .../crypto/cpu_aarch64_apple.c | 2 - .../crypto/cpu_aarch64_freebsd.c | 62 - .../crypto/cpu_aarch64_fuchsia.c | 1 - .../crypto/cpu_aarch64_linux.c | 2 - .../crypto/cpu_aarch64_openbsd.c | 1 - .../crypto/cpu_aarch64_sysreg.c | 93 + .../CJWTKitBoringSSL/crypto/cpu_aarch64_win.c | 2 +- Sources/CJWTKitBoringSSL/crypto/cpu_arm.c | 38 - .../CJWTKitBoringSSL/crypto/cpu_arm_freebsd.c | 1 - .../CJWTKitBoringSSL/crypto/cpu_arm_linux.c | 2 - Sources/CJWTKitBoringSSL/crypto/cpu_intel.c | 6 +- Sources/CJWTKitBoringSSL/crypto/crypto.c | 11 + .../crypto/curve25519/asm/x25519-asm-arm.S | 18 +- .../crypto/curve25519/curve25519.c | 95 +- .../curve25519/curve25519_64_adx.c} | 8 +- .../crypto/curve25519/curve25519_tables.h | 10226 +++++----------- .../crypto/curve25519/internal.h | 32 +- .../crypto/curve25519/spake25519.c | 3 +- Sources/CJWTKitBoringSSL/crypto/des/des.c | 213 +- .../CJWTKitBoringSSL/crypto/des/internal.h | 119 +- .../crypto/dh_extra/dh_asn1.c | 4 + .../CJWTKitBoringSSL/crypto/dh_extra/params.c | 5 + Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c | 17 +- .../CJWTKitBoringSSL/crypto/dsa/internal.h | 20 + 
.../crypto/ec_extra/ec_asn1.c | 182 +- .../crypto/ec_extra/ec_derive.c | 7 +- .../crypto/ec_extra/hash_to_curve.c | 52 +- .../crypto/ec_extra/internal.h | 10 +- .../CJWTKitBoringSSL/crypto/engine/engine.c | 10 +- Sources/CJWTKitBoringSSL/crypto/err/err.c | 44 +- .../CJWTKitBoringSSL/crypto/err/err_data.c | 585 +- Sources/CJWTKitBoringSSL/crypto/evp/evp.c | 53 +- Sources/CJWTKitBoringSSL/crypto/evp/evp_ctx.c | 7 +- Sources/CJWTKitBoringSSL/crypto/evp/p_ec.c | 11 +- .../CJWTKitBoringSSL/crypto/evp/p_ec_asn1.c | 10 +- Sources/CJWTKitBoringSSL/crypto/evp/p_hkdf.c | 3 +- Sources/CJWTKitBoringSSL/crypto/evp/p_rsa.c | 4 +- Sources/CJWTKitBoringSSL/crypto/evp/pbkdf.c | 6 +- Sources/CJWTKitBoringSSL/crypto/evp/print.c | 13 +- Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c | 4 +- Sources/CJWTKitBoringSSL/crypto/ex_data.c | 6 +- .../aesni-gcm-x86_64-linux.linux.x86_64.S | 27 +- .../aesni-gcm-x86_64-mac.mac.x86_64.S | 25 +- .../fipsmodule/aesni-x86-linux.linux.x86.S | 17 +- .../aesni-x86_64-linux.linux.x86_64.S | 216 +- .../fipsmodule/aesni-x86_64-mac.mac.x86_64.S | 216 +- .../fipsmodule/aesv8-armv7-ios.ios.arm.S | 18 +- .../fipsmodule/aesv8-armv7-linux.linux.arm.S | 18 +- .../fipsmodule/aesv8-armv8-ios.ios.aarch64.S | 18 +- .../aesv8-armv8-linux.linux.aarch64.S | 18 +- .../aesv8-gcm-armv8-ios.ios.aarch64.S | 18 +- .../aesv8-gcm-armv8-linux.linux.aarch64.S | 18 +- .../fipsmodule/armv4-mont-ios.ios.arm.S | 67 +- .../fipsmodule/armv4-mont-linux.linux.arm.S | 61 +- .../fipsmodule/armv8-mont-ios.ios.aarch64.S | 18 +- .../armv8-mont-linux.linux.aarch64.S | 18 +- .../fipsmodule/bn-586-linux.linux.x86.S | 17 +- .../fipsmodule/bn-armv8-ios.ios.aarch64.S | 18 +- .../fipsmodule/bn-armv8-linux.linux.aarch64.S | 18 +- .../crypto/fipsmodule/bn/add.c | 10 +- .../crypto/fipsmodule/bn/bn.c | 2 +- .../crypto/fipsmodule/bn/bytes.c | 43 +- .../crypto/fipsmodule/bn/ctx.c | 2 +- .../crypto/fipsmodule/bn/div.c | 17 +- .../crypto/fipsmodule/bn/exponentiation.c | 6 +- .../crypto/fipsmodule/bn/gcd.c | 
42 +- .../crypto/fipsmodule/bn/generic.c | 51 +- .../crypto/fipsmodule/bn/internal.h | 69 +- .../crypto/fipsmodule/bn/montgomery.c | 61 +- .../crypto/fipsmodule/bn/montgomery_inv.c | 67 +- .../crypto/fipsmodule/bn/mul.c | 8 +- .../crypto/fipsmodule/bn/prime.c | 9 +- .../crypto/fipsmodule/bn/random.c | 10 +- .../crypto/fipsmodule/bn/rsaz_exp.c | 14 +- .../fipsmodule/bsaes-armv7-ios.ios.arm.S | 19 +- .../fipsmodule/bsaes-armv7-linux.linux.arm.S | 19 +- .../crypto/fipsmodule/cipher/cipher.c | 13 +- .../crypto/fipsmodule/cipher/e_aes.c | 35 +- .../crypto/fipsmodule/cipher/e_aesccm.c | 93 +- .../fipsmodule/co-586-linux.linux.x86.S | 17 +- .../crypto/fipsmodule/delocate.h | 11 +- .../crypto/fipsmodule/dh/check.c | 45 +- .../crypto/fipsmodule/dh/dh.c | 65 +- .../crypto/fipsmodule/dh/internal.h | 9 + .../crypto/fipsmodule/digest/digest.c | 4 + .../crypto/fipsmodule/ec/builtin_curves.h | 277 + .../crypto/fipsmodule/ec/ec.c | 577 +- .../crypto/fipsmodule/ec/ec_key.c | 31 +- .../crypto/fipsmodule/ec/ec_montgomery.c | 76 +- .../crypto/fipsmodule/ec/felem.c | 30 +- .../crypto/fipsmodule/ec/internal.h | 101 +- .../crypto/fipsmodule/ec/oct.c | 35 +- .../crypto/fipsmodule/ec/p224-64.c | 16 +- .../crypto/fipsmodule/ec/p256-nistz.c | 30 +- .../crypto/fipsmodule/ec/p256.c | 15 +- .../crypto/fipsmodule/ec/scalar.c | 48 +- .../crypto/fipsmodule/ec/simple.c | 38 +- .../crypto/fipsmodule/ec/simple_mul.c | 16 +- .../crypto/fipsmodule/ec/wnaf.c | 17 +- .../crypto/fipsmodule/ecdsa/ecdsa.c | 2 +- .../fipsmodule/ghash-armv4-ios.ios.arm.S | 18 +- .../fipsmodule/ghash-armv4-linux.linux.arm.S | 18 +- .../ghash-neon-armv8-ios.ios.aarch64.S | 18 +- .../ghash-neon-armv8-linux.linux.aarch64.S | 18 +- .../ghash-ssse3-x86-linux.linux.x86.S | 17 +- .../ghash-ssse3-x86_64-linux.linux.x86_64.S | 21 +- .../ghash-ssse3-x86_64-mac.mac.x86_64.S | 21 +- .../fipsmodule/ghash-x86-linux.linux.x86.S | 17 +- .../ghash-x86_64-linux.linux.x86_64.S | 39 +- .../fipsmodule/ghash-x86_64-mac.mac.x86_64.S | 38 +- 
.../fipsmodule/ghashv8-armv7-ios.ios.arm.S | 18 +- .../ghashv8-armv7-linux.linux.arm.S | 18 +- .../ghashv8-armv8-ios.ios.aarch64.S | 18 +- .../ghashv8-armv8-linux.linux.aarch64.S | 18 +- .../fipsmodule/md5-586-linux.linux.x86.S | 17 +- .../md5-x86_64-linux.linux.x86_64.S | 18 +- .../fipsmodule/md5-x86_64-mac.mac.x86_64.S | 18 +- .../p256-armv8-asm-ios.ios.aarch64.S | 18 +- .../p256-armv8-asm-linux.linux.aarch64.S | 18 +- .../p256-x86_64-asm-linux.linux.x86_64.S | 84 +- .../p256-x86_64-asm-mac.mac.x86_64.S | 84 +- .../p256_beeu-armv8-asm-ios.ios.aarch64.S | 18 +- .../p256_beeu-armv8-asm-linux.linux.aarch64.S | 18 +- .../p256_beeu-x86_64-asm-linux.linux.x86_64.S | 18 +- .../p256_beeu-x86_64-asm-mac.mac.x86_64.S | 18 +- .../crypto/fipsmodule/rand/fork_detect.c | 84 +- .../crypto/fipsmodule/rand/fork_detect.h | 17 + .../crypto/fipsmodule/rand/internal.h | 28 +- .../crypto/fipsmodule/rand/rand.c | 29 +- .../crypto/fipsmodule/rand/urandom.c | 31 +- .../rdrand-x86_64-linux.linux.x86_64.S | 23 +- .../fipsmodule/rdrand-x86_64-mac.mac.x86_64.S | 23 +- .../crypto/fipsmodule/rsa/blinding.c | 3 +- .../crypto/fipsmodule/rsa/internal.h | 55 + .../crypto/fipsmodule/rsa/rsa.c | 4 +- .../crypto/fipsmodule/rsa/rsa_impl.c | 92 +- .../fipsmodule/rsaz-avx2-linux.linux.x86_64.S | 33 +- .../fipsmodule/rsaz-avx2-mac.mac.x86_64.S | 33 +- .../crypto/fipsmodule/self_check/fips.c | 3 +- .../crypto/fipsmodule/self_check/self_check.c | 66 +- .../service_indicator/service_indicator.c | 11 +- .../crypto/fipsmodule/sha/internal.h | 159 +- .../crypto/fipsmodule/sha/sha1.c | 94 +- .../crypto/fipsmodule/sha/sha256.c | 44 +- .../crypto/fipsmodule/sha/sha512.c | 37 +- .../fipsmodule/sha1-586-linux.linux.x86.S | 17 +- .../fipsmodule/sha1-armv4-large-ios.ios.arm.S | 79 +- .../sha1-armv4-large-linux.linux.arm.S | 75 +- .../fipsmodule/sha1-armv8-ios.ios.aarch64.S | 39 +- .../sha1-armv8-linux.linux.aarch64.S | 47 +- .../sha1-x86_64-linux.linux.x86_64.S | 80 +- .../fipsmodule/sha1-x86_64-mac.mac.x86_64.S | 77 
+- .../fipsmodule/sha256-586-linux.linux.x86.S | 17 +- .../fipsmodule/sha256-armv4-ios.ios.arm.S | 209 +- .../fipsmodule/sha256-armv4-linux.linux.arm.S | 209 +- .../fipsmodule/sha256-armv8-ios.ios.aarch64.S | 43 +- .../sha256-armv8-linux.linux.aarch64.S | 51 +- .../sha256-x86_64-linux.linux.x86_64.S | 67 +- .../fipsmodule/sha256-x86_64-mac.mac.x86_64.S | 64 +- .../fipsmodule/sha512-586-linux.linux.x86.S | 17 +- .../fipsmodule/sha512-armv4-ios.ios.arm.S | 70 +- .../fipsmodule/sha512-armv4-linux.linux.arm.S | 68 +- .../fipsmodule/sha512-armv8-ios.ios.aarch64.S | 44 +- .../sha512-armv8-linux.linux.aarch64.S | 52 +- .../sha512-x86_64-linux.linux.x86_64.S | 45 +- .../fipsmodule/sha512-x86_64-mac.mac.x86_64.S | 44 +- .../fipsmodule/vpaes-armv7-ios.ios.arm.S | 18 +- .../fipsmodule/vpaes-armv7-linux.linux.arm.S | 18 +- .../fipsmodule/vpaes-armv8-ios.ios.aarch64.S | 18 +- .../vpaes-armv8-linux.linux.aarch64.S | 18 +- .../fipsmodule/vpaes-x86-linux.linux.x86.S | 17 +- .../vpaes-x86_64-linux.linux.x86_64.S | 51 +- .../fipsmodule/vpaes-x86_64-mac.mac.x86_64.S | 51 +- .../fipsmodule/x86-mont-linux.linux.x86.S | 17 +- .../x86_64-mont-linux.linux.x86_64.S | 74 +- .../fipsmodule/x86_64-mont-mac.mac.x86_64.S | 75 +- .../x86_64-mont5-linux.linux.x86_64.S | 43 +- .../fipsmodule/x86_64-mont5-mac.mac.x86_64.S | 43 +- Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c | 7 + .../crypto/hrss/asm/poly_rq_mul.S | 11 +- Sources/CJWTKitBoringSSL/crypto/internal.h | 470 +- .../CJWTKitBoringSSL/crypto/keccak/internal.h | 70 + .../crypto/{kyber => keccak}/keccak.c | 173 +- .../CJWTKitBoringSSL/crypto/kyber/internal.h | 47 +- Sources/CJWTKitBoringSSL/crypto/kyber/kyber.c | 68 +- Sources/CJWTKitBoringSSL/crypto/lhash/lhash.c | 9 +- Sources/CJWTKitBoringSSL/crypto/mem.c | 65 +- Sources/CJWTKitBoringSSL/crypto/obj/obj.c | 121 +- Sources/CJWTKitBoringSSL/crypto/obj/obj_dat.h | 3 - .../CJWTKitBoringSSL/crypto/pem/pem_info.c | 31 + .../crypto/pkcs7/pkcs7_x509.c | 6 +- 
.../CJWTKitBoringSSL/crypto/pkcs8/internal.h | 6 +- .../CJWTKitBoringSSL/crypto/pkcs8/p5_pbev2.c | 6 +- Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c | 20 +- .../crypto/pkcs8/pkcs8_x509.c | 35 +- .../crypto/poly1305/poly1305_arm_asm.S | 18 +- .../CJWTKitBoringSSL/crypto/pool/internal.h | 1 + Sources/CJWTKitBoringSSL/crypto/pool/pool.c | 9 +- .../crypto/rand_extra/deterministic.c | 13 +- .../crypto/rand_extra/forkunsafe.c | 4 + .../crypto/rand_extra/getentropy.c | 52 + .../crypto/rand_extra/{fuchsia.c => ios.c} | 16 +- .../trusty.c} | 27 +- .../crypto/rand_extra/windows.c | 60 +- Sources/CJWTKitBoringSSL/crypto/refcount.c | 1 - .../crypto/rsa_extra/rsa_crypt.c | 4 +- Sources/CJWTKitBoringSSL/crypto/spx/address.c | 101 + Sources/CJWTKitBoringSSL/crypto/spx/address.h | 50 + Sources/CJWTKitBoringSSL/crypto/spx/fors.c | 133 + Sources/CJWTKitBoringSSL/crypto/spx/fors.h | 54 + .../CJWTKitBoringSSL/crypto/spx/internal.h | 79 + Sources/CJWTKitBoringSSL/crypto/spx/merkle.c | 150 + Sources/CJWTKitBoringSSL/crypto/spx/merkle.h | 61 + Sources/CJWTKitBoringSSL/crypto/spx/params.h | 71 + Sources/CJWTKitBoringSSL/crypto/spx/spx.c | 139 + .../CJWTKitBoringSSL/crypto/spx/spx_util.c | 53 + .../CJWTKitBoringSSL/crypto/spx/spx_util.h | 44 + Sources/CJWTKitBoringSSL/crypto/spx/thash.c | 136 + Sources/CJWTKitBoringSSL/crypto/spx/thash.h | 70 + Sources/CJWTKitBoringSSL/crypto/spx/wots.c | 135 + Sources/CJWTKitBoringSSL/crypto/spx/wots.h | 45 + Sources/CJWTKitBoringSSL/crypto/stack/stack.c | 222 +- Sources/CJWTKitBoringSSL/crypto/thread_none.c | 8 - .../CJWTKitBoringSSL/crypto/thread_pthread.c | 41 +- Sources/CJWTKitBoringSSL/crypto/thread_win.c | 31 +- .../crypto/trust_token/pmbtoken.c | 64 +- .../crypto/trust_token/trust_token.c | 9 +- .../crypto/trust_token/voprf.c | 245 +- .../CJWTKitBoringSSL/crypto/x509/algorithm.c | 3 +- .../CJWTKitBoringSSL/crypto/x509/asn1_gen.c | 2 - Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c | 46 +- .../CJWTKitBoringSSL/crypto/x509/by_file.c | 57 +- 
.../crypto/{x509v3 => x509}/ext_dat.h | 0 .../CJWTKitBoringSSL/crypto/x509/internal.h | 278 +- Sources/CJWTKitBoringSSL/crypto/x509/policy.c | 8 +- .../CJWTKitBoringSSL/crypto/x509/rsa_pss.c | 8 +- Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c | 2 +- Sources/CJWTKitBoringSSL/crypto/x509/t_req.c | 5 +- Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c | 4 +- .../crypto/{x509v3 => x509}/v3_akey.c | 2 +- .../crypto/{x509v3 => x509}/v3_akeya.c | 4 +- .../crypto/{x509v3 => x509}/v3_alt.c | 16 +- .../crypto/{x509v3 => x509}/v3_bcons.c | 2 +- .../crypto/{x509v3 => x509}/v3_bitst.c | 2 +- .../crypto/{x509v3 => x509}/v3_conf.c | 2 - .../crypto/{x509v3 => x509}/v3_cpols.c | 2 +- .../crypto/{x509v3 => x509}/v3_crld.c | 3 +- .../crypto/{x509v3 => x509}/v3_enum.c | 1 + .../crypto/{x509v3 => x509}/v3_extku.c | 2 +- .../crypto/{x509v3 => x509}/v3_genn.c | 24 +- .../crypto/{x509v3 => x509}/v3_ia5.c | 2 +- .../crypto/{x509v3 => x509}/v3_info.c | 10 +- .../crypto/{x509v3 => x509}/v3_int.c | 2 +- .../crypto/{x509v3 => x509}/v3_lib.c | 5 +- .../crypto/{x509v3 => x509}/v3_ncons.c | 4 +- .../crypto/{x509v3 => x509}/v3_ocsp.c | 2 +- .../crypto/{x509v3 => x509}/v3_pcons.c | 2 +- .../crypto/{x509v3 => x509}/v3_pmaps.c | 2 +- .../crypto/{x509v3 => x509}/v3_prn.c | 7 +- .../crypto/{x509v3 => x509}/v3_purp.c | 433 +- .../crypto/{x509v3 => x509}/v3_skey.c | 3 +- .../crypto/{x509v3 => x509}/v3_utl.c | 38 +- .../CJWTKitBoringSSL/crypto/x509/x509_att.c | 67 +- .../CJWTKitBoringSSL/crypto/x509/x509_cmp.c | 103 +- .../CJWTKitBoringSSL/crypto/x509/x509_d2.c | 4 +- .../CJWTKitBoringSSL/crypto/x509/x509_ext.c | 1 - .../CJWTKitBoringSSL/crypto/x509/x509_lu.c | 363 +- .../CJWTKitBoringSSL/crypto/x509/x509_req.c | 52 +- .../CJWTKitBoringSSL/crypto/x509/x509_trs.c | 177 +- .../CJWTKitBoringSSL/crypto/x509/x509_v3.c | 1 - .../CJWTKitBoringSSL/crypto/x509/x509_vfy.c | 1280 +- .../CJWTKitBoringSSL/crypto/x509/x509_vpm.c | 308 +- .../CJWTKitBoringSSL/crypto/x509/x509name.c | 34 +- 
.../CJWTKitBoringSSL/crypto/x509/x509spki.c | 2 +- Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c | 174 +- Sources/CJWTKitBoringSSL/crypto/x509/x_name.c | 15 +- Sources/CJWTKitBoringSSL/crypto/x509/x_pkey.c | 111 - .../CJWTKitBoringSSL/crypto/x509/x_pubkey.c | 96 +- Sources/CJWTKitBoringSSL/crypto/x509/x_spki.c | 2 + Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c | 5 +- .../CJWTKitBoringSSL/crypto/x509/x_x509a.c | 12 +- .../CJWTKitBoringSSL/crypto/x509v3/internal.h | 197 - Sources/CJWTKitBoringSSL/hash.txt | 2 +- .../include/CJWTKitBoringSSL.h | 20 +- .../include/CJWTKitBoringSSL_arm_arch.h | 144 +- .../include/CJWTKitBoringSSL_asm_base.h | 206 + .../include/CJWTKitBoringSSL_asn1.h | 5 + .../include/CJWTKitBoringSSL_base.h | 128 +- .../include/CJWTKitBoringSSL_bio.h | 42 +- .../include/CJWTKitBoringSSL_bn.h | 19 +- ...JWTKitBoringSSL_boringssl_prefix_symbols.h | 708 +- ...itBoringSSL_boringssl_prefix_symbols_asm.h | 234 +- .../include/CJWTKitBoringSSL_bytestring.h | 22 + .../include/CJWTKitBoringSSL_chacha.h | 6 + .../include/CJWTKitBoringSSL_cipher.h | 1 + .../include/CJWTKitBoringSSL_conf.h | 5 +- .../include/CJWTKitBoringSSL_curve25519.h | 4 +- .../include/CJWTKitBoringSSL_des.h | 13 - .../include/CJWTKitBoringSSL_dh.h | 5 +- .../include/CJWTKitBoringSSL_dsa.h | 21 - .../include/CJWTKitBoringSSL_ec.h | 83 +- .../include/CJWTKitBoringSSL_ec_key.h | 25 +- .../include/CJWTKitBoringSSL_evp.h | 20 +- .../include/CJWTKitBoringSSL_ex_data.h | 9 +- .../include/CJWTKitBoringSSL_hpke.h | 8 +- .../include/CJWTKitBoringSSL_kyber.h | 44 +- .../include/CJWTKitBoringSSL_mem.h | 19 +- .../include/CJWTKitBoringSSL_obj.h | 6 +- .../include/CJWTKitBoringSSL_opensslconf.h | 1 + .../include/CJWTKitBoringSSL_pem.h | 24 +- .../include/CJWTKitBoringSSL_posix_time.h | 51 + .../include/CJWTKitBoringSSL_rand.h | 32 +- .../include/CJWTKitBoringSSL_rsa.h | 90 +- .../include/CJWTKitBoringSSL_sha.h | 23 +- .../include/CJWTKitBoringSSL_span.h | 86 +- .../include/CJWTKitBoringSSL_stack.h | 446 +- 
.../include/CJWTKitBoringSSL_target.h | 226 + .../include/CJWTKitBoringSSL_thread.h | 28 - .../include/CJWTKitBoringSSL_time.h | 25 +- .../include/CJWTKitBoringSSL_x509.h | 3757 ++++-- .../include/CJWTKitBoringSSL_x509v3.h | 1062 +- .../include/CJWTKitBoringSSL_x509v3_errors.h | 124 + .../include/boringssl_prefix_symbols_nasm.inc | 468 +- .../fiat/asm/fiat_curve25519_adx_mul.S | 183 + .../fiat/asm/fiat_curve25519_adx_square.S | 151 + .../third_party/fiat/asm/fiat_p256_adx_mul.S | 183 + .../third_party/fiat/asm/fiat_p256_adx_sqr.S | 172 + .../third_party/fiat/curve25519_64_adx.h | 693 ++ .../third_party/fiat/p256_64.h | 21 + Sources/JWTKit/RSA/RSAKey.swift | 16 +- scripts/build-asm.py | 9 +- scripts/vendor-boringssl.sh | 56 +- 384 files changed, 17283 insertions(+), 19874 deletions(-) rename Sources/CJWTKitBoringSSL/crypto/{x509/x_info.c => bio/errno.c} (79%) delete mode 100644 Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_freebsd.c create mode 100644 Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_sysreg.c delete mode 100644 Sources/CJWTKitBoringSSL/crypto/cpu_arm.c rename Sources/CJWTKitBoringSSL/{include/CJWTKitBoringSSL_dtls1.h => crypto/curve25519/curve25519_64_adx.c} (82%) create mode 100644 Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/builtin_curves.h create mode 100644 Sources/CJWTKitBoringSSL/crypto/keccak/internal.h rename Sources/CJWTKitBoringSSL/crypto/{kyber => keccak}/keccak.c (66%) create mode 100644 Sources/CJWTKitBoringSSL/crypto/rand_extra/getentropy.c rename Sources/CJWTKitBoringSSL/crypto/rand_extra/{fuchsia.c => ios.c} (79%) rename Sources/CJWTKitBoringSSL/crypto/{cpu_arm_openbsd.c => rand_extra/trusty.c} (61%) create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/address.c create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/address.h create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/fors.c create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/fors.h create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/internal.h create mode 100644 
Sources/CJWTKitBoringSSL/crypto/spx/merkle.c create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/merkle.h create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/params.h create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/spx.c create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/spx_util.c create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/spx_util.h create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/thash.c create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/thash.h create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/wots.c create mode 100644 Sources/CJWTKitBoringSSL/crypto/spx/wots.h rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/ext_dat.h (100%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_akey.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_akeya.c (98%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_alt.c (97%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_bcons.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_bitst.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_conf.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_cpols.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_crld.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_enum.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_extku.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_genn.c (94%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_ia5.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_info.c (97%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_int.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_lib.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_ncons.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_ocsp.c (98%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_pcons.c (99%) rename 
Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_pmaps.c (99%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_prn.c (97%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_purp.c (63%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_skey.c (98%) rename Sources/CJWTKitBoringSSL/crypto/{x509v3 => x509}/v3_utl.c (97%) delete mode 100644 Sources/CJWTKitBoringSSL/crypto/x509/x_pkey.c delete mode 100644 Sources/CJWTKitBoringSSL/crypto/x509v3/internal.h create mode 100644 Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asm_base.h create mode 100644 Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_posix_time.h create mode 100644 Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_target.h create mode 100644 Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3_errors.h create mode 100644 Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_mul.S create mode 100644 Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_square.S create mode 100644 Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_p256_adx_mul.S create mode 100644 Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_p256_adx_sqr.S create mode 100644 Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_64_adx.h diff --git a/Package.swift b/Package.swift index b0c9985a..e774c719 100644 --- a/Package.swift +++ b/Package.swift 
@@ -1,13 +1,22 @@ // swift-tools-version:5.6 import PackageDescription +// This package contains a vendored copy of BoringSSL. For ease of tracking +// down problems with the copy of BoringSSL in use, we include a copy of the +// commit hash of the revision of BoringSSL included in the given release. +// This is also reproduced in a file called hash.txt in the +// Sources/CCryptoBoringSSL directory. The source repository is at +// https://boringssl.googlesource.com/boringssl. +// +// BoringSSL Commit: 58a318edc892a595a5b043359a5d441869158699 + let package = Package( name: "jwt-kit", platforms: [ .macOS(.v10_15), .iOS(.v13), .tvOS(.v13), - .watchOS(.v6) + .watchOS(.v6), ], products: [ .library(name: "JWTKit", targets: ["JWTKit"]), @@ -16,7 +25,7 @@ let package = Package( MANGLE_END */ ], dependencies: [ - .package(url: "https://github.com/apple/swift-crypto.git", "2.0.0" ..< "4.0.0") + .package(url: "https://github.com/apple/swift-crypto.git", "2.0.0" ..< "4.0.0"), ], targets: [ .target(name: "CJWTKitBoringSSL"), @@ -28,5 +37,5 @@ let package = Package( .target(name: "JWTKit"), ]), ], - cxxLanguageStandard: .cxx11 + cxxLanguageStandard: .cxx11 ) diff --git a/README.md b/README.md index 0bef7035..6e72253b 100644 --- a/README.md +++ b/README.md @@ -1,23 +1,19 @@
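Review bot: The directory named in the new header comment is wrong for this package: it says hash.txt lives in `Sources/CCryptoBoringSSL`, but the diffstat of this very commit lists the file as `Sources/CJWTKitBoringSSL/hash.txt`, so the text appears to have been carried over from swift-crypto unchanged. Change that line to `// Sources/CJWTKitBoringSSL directory. The source repository is at`. The commit hash pinned in the comment and the contents of hash.txt are meant to agree; hash.txt is modified in this commit but its new contents are not visible here, so that agreement is worth confirming when the vendor script is run.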

- JWTKit - - Documentation - - - Team Chat - - - MIT License - - - CI - - - Swift 5.6 - + + + + JWTKit + +
+
+Documentation +Team Chat +MIT License +Continuous Integration + +

+ +


diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_gentm.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_gentm.c index bbe04fb7..a4d1b564 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_gentm.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_gentm.c @@ -58,8 +58,9 @@ #include #include #include -#include +#include +#include #include #include @@ -123,9 +124,12 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, } char buf[16]; - BIO_snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02dZ", - data.tm_year + 1900, data.tm_mon + 1, data.tm_mday, data.tm_hour, - data.tm_min, data.tm_sec); + int ret = snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02dZ", + data.tm_year + 1900, data.tm_mon + 1, data.tm_mday, + data.tm_hour, data.tm_min, data.tm_sec); + if (ret != (int)(sizeof(buf) - 1)) { + abort(); // |snprintf| should neither truncate nor write fewer bytes. + } int free_s = 0; if (s == NULL) { diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_mbstr.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_mbstr.c index cc163ff1..efc0b6c6 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_mbstr.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_mbstr.c @@ -97,22 +97,22 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int error; switch (inform) { case MBSTRING_BMP: - decode_func = cbs_get_ucs2_be; + decode_func = CBS_get_ucs2_be; error = ASN1_R_INVALID_BMPSTRING; break; case MBSTRING_UNIV: - decode_func = cbs_get_utf32_be; + decode_func = CBS_get_utf32_be; error = ASN1_R_INVALID_UNIVERSALSTRING; break; case MBSTRING_UTF8: - decode_func = cbs_get_utf8; + decode_func = CBS_get_utf8; error = ASN1_R_INVALID_UTF8STRING; break; case MBSTRING_ASC: - decode_func = cbs_get_latin1; + decode_func = CBS_get_latin1; error = ERR_R_INTERNAL_ERROR; // Latin-1 inputs are never invalid. break; 
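Review bot: The new `abort()` after `snprintf` in ASN1_GENERALIZEDTIME_adj turns a year outside 0..9999 into a process crash rather than an error return, because `%04d` would then emit more than four digits and `ret` would no longer equal 15. That is only acceptable if the range check closed by the `}` just above `char buf[16]` (outside the hunk, not visible here) already rejects such years; if it does, say so at the abort, e.g. `// Year was range-checked above, so the fixed-width format always yields exactly 15 bytes.` If no such check exists, the condition should fail with an ASN1 error and return NULL instead of aborting on caller-supplied time values.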
@@ -162,7 +162,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, } nchar++; - utf8_len += cbb_get_utf8_len(c); + utf8_len += CBB_get_utf8_len(c); if (maxsize > 0 && nchar > (size_t)maxsize) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG); ERR_add_error_dataf("maxsize=%zu", (size_t)maxsize); @@ -178,7 +178,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, // Now work out output format and string type int str_type; - int (*encode_func)(CBB *, uint32_t) = cbb_add_latin1; + int (*encode_func)(CBB *, uint32_t) = CBB_add_latin1; size_t size_estimate = nchar; int outform = MBSTRING_ASC; if (mask & B_ASN1_PRINTABLESTRING) { @@ -190,17 +190,17 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, } else if (mask & B_ASN1_BMPSTRING) { str_type = V_ASN1_BMPSTRING; outform = MBSTRING_BMP; - encode_func = cbb_add_ucs2_be; + encode_func = CBB_add_ucs2_be; size_estimate = 2 * nchar; } else if (mask & B_ASN1_UNIVERSALSTRING) { str_type = V_ASN1_UNIVERSALSTRING; - encode_func = cbb_add_utf32_be; + encode_func = CBB_add_utf32_be; size_estimate = 4 * nchar; outform = MBSTRING_UNIV; } else if (mask & B_ASN1_UTF8STRING) { str_type = V_ASN1_UTF8STRING; outform = MBSTRING_UTF8; - encode_func = cbb_add_utf8; + encode_func = CBB_add_utf8; size_estimate = utf8_len; } else { OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS); diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_strex.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_strex.c index 7b44a9ab..df2982d0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_strex.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_strex.c @@ -68,6 +68,7 @@ #include #include "../bytestring/internal.h" +#include "../internal.h" #include "internal.h" 
@@ -89,18 +90,18 @@ static int do_esc_char(uint32_t c, unsigned long flags, char *do_quotes, char buf[16]; // Large enough for "\\W01234567". unsigned char u8 = (unsigned char)c; if (c > 0xffff) { - BIO_snprintf(buf, sizeof(buf), "\\W%08" PRIX32, c); + snprintf(buf, sizeof(buf), "\\W%08" PRIX32, c); } else if (c > 0xff) { - BIO_snprintf(buf, sizeof(buf), "\\U%04" PRIX32, c); + snprintf(buf, sizeof(buf), "\\U%04" PRIX32, c); } else if ((flags & ASN1_STRFLGS_ESC_MSB) && c > 0x7f) { - BIO_snprintf(buf, sizeof(buf), "\\%02X", c); + snprintf(buf, sizeof(buf), "\\%02X", c); } else if ((flags & ASN1_STRFLGS_ESC_CTRL) && is_control_character(c)) { - BIO_snprintf(buf, sizeof(buf), "\\%02X", c); + snprintf(buf, sizeof(buf), "\\%02X", c); } else if (flags & ASN1_STRFLGS_ESC_2253) { // See RFC 2253, sections 2.4 and 4. if (c == '\\' || c == '"') { // Quotes and backslashes are always escaped, quoted or not. - BIO_snprintf(buf, sizeof(buf), "\\%c", (int)c); + snprintf(buf, sizeof(buf), "\\%c", (int)c); } else if (c == ',' || c == '+' || c == '<' || c == '>' || c == ';' || (is_first && (c == ' ' || c == '#')) || (is_last && (c == ' '))) { @@ -111,13 +112,13 @@ static int do_esc_char(uint32_t c, unsigned long flags, char *do_quotes, } return maybe_write(out, &u8, 1) ? 1 : -1; } - BIO_snprintf(buf, sizeof(buf), "\\%c", (int)c); + snprintf(buf, sizeof(buf), "\\%c", (int)c); } else { return maybe_write(out, &u8, 1) ? 1 : -1; } } else if ((flags & ESC_FLAGS) && c == '\\') { // If any escape flags are set, also escape backslashes. - BIO_snprintf(buf, sizeof(buf), "\\%c", (int)c); + snprintf(buf, sizeof(buf), "\\%c", (int)c); } else { return maybe_write(out, &u8, 1) ? 1 : -1; } 
@@ -137,19 +138,19 @@ static int do_buf(const unsigned char *buf, int buflen, int encoding, int get_char_error; switch (encoding) { case MBSTRING_UNIV: - get_char = cbs_get_utf32_be; + get_char = CBS_get_utf32_be; get_char_error = ASN1_R_INVALID_UNIVERSALSTRING; break; case MBSTRING_BMP: - get_char = cbs_get_ucs2_be; + get_char = CBS_get_ucs2_be; get_char_error = ASN1_R_INVALID_BMPSTRING; break; case MBSTRING_ASC: - get_char = cbs_get_latin1; + get_char = CBS_get_latin1; get_char_error = ERR_R_INTERNAL_ERROR; // Should not be possible. break; case MBSTRING_UTF8: - get_char = cbs_get_utf8; + get_char = CBS_get_utf8; get_char_error = ASN1_R_INVALID_UTF8STRING; break; default: @@ -172,7 +173,7 @@ static int do_buf(const unsigned char *buf, int buflen, int encoding, uint8_t utf8_buf[6]; CBB utf8_cbb; CBB_init_fixed(&utf8_cbb, utf8_buf, sizeof(utf8_buf)); - if (!cbb_add_utf8(&utf8_cbb, c)) { + if (!CBB_add_utf8(&utf8_cbb, c)) { OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR); return 1; } 
@@ -238,22 +239,8 @@ static int do_dump(unsigned long flags, BIO *out, const ASN1_STRING *str) { // Placing the ASN1_STRING in a temporary ASN1_TYPE allows the DER encoding // to readily obtained. ASN1_TYPE t; - t.type = str->type; - // Negative INTEGER and ENUMERATED values are the only case where - // |ASN1_STRING| and |ASN1_TYPE| types do not match. - // - // TODO(davidben): There are also some type fields which, in |ASN1_TYPE|, do - // not correspond to |ASN1_STRING|. It is unclear whether those are allowed - // in |ASN1_STRING| at all, or what the space of allowed types is. - // |ASN1_item_ex_d2i| will never produce such a value so, for now, we say - // this is an invalid input. But this corner of the library in general - // should be more robust. - if (t.type == V_ASN1_NEG_INTEGER) { - t.type = V_ASN1_INTEGER; - } else if (t.type == V_ASN1_NEG_ENUMERATED) { - t.type = V_ASN1_ENUMERATED; - } - t.value.asn1_string = (ASN1_STRING *)str; + OPENSSL_memset(&t, 0, sizeof(ASN1_TYPE)); + asn1_type_set0_string(&t, (ASN1_STRING *)str); unsigned char *der_buf = NULL; int der_len = i2d_ASN1_TYPE(&t, &der_buf); if (der_len < 0) { diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_strnid.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_strnid.c index 5a2c85cd..5643c0de 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_strnid.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_strnid.c @@ -72,7 +72,7 @@ DEFINE_LHASH_OF(ASN1_STRING_TABLE) static LHASH_OF(ASN1_STRING_TABLE) *string_tables = NULL; -static struct CRYPTO_STATIC_MUTEX string_tables_lock = CRYPTO_STATIC_MUTEX_INIT; +static CRYPTO_MUTEX string_tables_lock = CRYPTO_MUTEX_INIT; void ASN1_STRING_set_default_mask(unsigned long mask) {} 
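Review bot: The rewritten do_dump drops the explicit mapping of V_ASN1_NEG_INTEGER and V_ASN1_NEG_ENUMERATED onto their non-negative ASN1_TYPE types, and nothing in the hunk records that `asn1_type_set0_string` is now responsible for that mapping. A one-line comment would keep the contract visible: `// asn1_type_set0_string maps negative INTEGER/ENUMERATED string types onto ASN1_TYPE types; t merely aliases str.` By the usual set0 convention `t` points directly at `str` without copying, so `t` must never be handed to ASN1_TYPE_free; it is not here, but since the removed lines also carried the TODO about type fields without an ASN1_STRING counterpart, that caveat now lives only in the helper, if at all. do_dump continues past the hunk.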
@@ -176,11 +176,11 @@ static const ASN1_STRING_TABLE *asn1_string_table_get(int nid) { return tbl; } - CRYPTO_STATIC_MUTEX_lock_read(&string_tables_lock); + CRYPTO_MUTEX_lock_read(&string_tables_lock); if (string_tables != NULL) { tbl = lh_ASN1_STRING_TABLE_retrieve(string_tables, &key); } - CRYPTO_STATIC_MUTEX_unlock_read(&string_tables_lock); + CRYPTO_MUTEX_unlock_read(&string_tables_lock); // Note returning |tbl| without the lock is only safe because // |ASN1_STRING_TABLE_add| cannot modify or delete existing entries. If we // wish to support that, this function must copy the result under a lock. @@ -196,7 +196,7 @@ int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize, } int ret = 0; - CRYPTO_STATIC_MUTEX_lock_write(&string_tables_lock); + CRYPTO_MUTEX_lock_write(&string_tables_lock); if (string_tables == NULL) { string_tables = lh_ASN1_STRING_TABLE_new(table_hash, table_cmp); @@ -232,7 +232,7 @@ int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize, ret = 1; err: - CRYPTO_STATIC_MUTEX_unlock_write(&string_tables_lock); + CRYPTO_MUTEX_unlock_write(&string_tables_lock); return ret; } diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c index 56b2c50b..2fff03ef 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c @@ -55,12 +55,13 @@ * [including the GNU Public Licence.] */ #include -#include +#include #include #include #include +#include #include #include @@ -82,6 +83,10 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t time) { return ASN1_TIME_adj(s, time, 0, 0); } +static int fits_in_utc_time(const struct tm *tm) { + return 50 <= tm->tm_year && tm->tm_year < 150; +} + ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, int64_t posix_time, int offset_day, long offset_sec) { struct tm tm; 
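Review bot: `fits_in_utc_time` has no comment, and the bounds 50 and 150 only make sense once the reader knows `tm_year` counts from 1900, so the test selects 1950 through 2049, the span a two-digit UTCTime year can express. Suggest a comment above the function: `// fits_in_utc_time returns one if |tm| falls in 1950..2049, the years a two-digit UTCTime year can represent (RFC 5280, 4.1.2.5).` The a_strnid.c mutex-rename hunks on this line need no change, and the a_time.c include targets are lost in this rendering so they cannot be checked here.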
@@ -95,7 +100,7 @@ ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, int64_t posix_time, int offset_day, return NULL; } } - if ((tm.tm_year >= 50) && (tm.tm_year < 150)) { + if (fits_in_utc_time(&tm)) { return ASN1_UTCTIME_adj(s, posix_time, offset_day, offset_sec); } return ASN1_GENERALIZEDTIME_adj(s, posix_time, offset_day, offset_sec); @@ -171,6 +176,34 @@ int ASN1_TIME_set_string(ASN1_TIME *s, const char *str) { ASN1_GENERALIZEDTIME_set_string(s, str); } +int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str) { + CBS cbs; + CBS_init(&cbs, (const uint8_t*)str, strlen(str)); + int type; + struct tm tm; + if (CBS_parse_utc_time(&cbs, /*out_tm=*/NULL, + /*allow_timezone_offset=*/0)) { + type = V_ASN1_UTCTIME; + } else if (CBS_parse_generalized_time(&cbs, &tm, + /*allow_timezone_offset=*/0)) { + type = V_ASN1_GENERALIZEDTIME; + if (fits_in_utc_time(&tm)) { + type = V_ASN1_UTCTIME; + CBS_skip(&cbs, 2); + } + } else { + return 0; + } + + if (s != NULL) { + if (!ASN1_STRING_set(s, CBS_data(&cbs), CBS_len(&cbs))) { + return 0; + } + s->type = type; + } + return 1; +} + static int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *t, int allow_timezone_offset) { if (t == NULL) { diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_type.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_type.c index 223554bc..69a7f6ad 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_type.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_type.c @@ -56,7 +56,8 @@ #include -#include +#include + #include #include #include 
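Review bot: In `ASN1_TIME_set_string_X509` the return value of `CBS_skip(&cbs, 2)` is ignored; that is only safe because a successful `CBS_parse_generalized_time` implies at least the 15 bytes of `YYYYMMDDHHMMSSZ` are present, so dropping the two century digits cannot fail, and that reasoning should be written down. The function also lacks a header comment saying why a GeneralizedTime inside the UTCTime range is re-encoded as UTCTime (presumably the RFC 5280 rule that dates through 2049 must use UTCTime). Suggested comment on the skip: `// A GeneralizedTime in 1950..2049 must be re-encoded as UTCTime; the parse above guarantees at least 15 bytes, so dropping the century cannot fail.` The cast `(const uint8_t*)str` also differs from the `(const uint8_t *)str` spacing used in a_utctm.c.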
@@ -89,6 +90,23 @@ const void *asn1_type_value_as_pointer(const ASN1_TYPE *a) { } } +void asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str) { + // |ASN1_STRING| types are almost the same as |ASN1_TYPE| types, except that + // the negative flag is not reflected into |ASN1_TYPE|. + int type = str->type; + if (type == V_ASN1_NEG_INTEGER) { + type = V_ASN1_INTEGER; + } else if (type == V_ASN1_NEG_ENUMERATED) { + type = V_ASN1_ENUMERATED; + } + + // These types are not |ASN1_STRING| types and use a different + // representation when stored in |ASN1_TYPE|. + assert(type != V_ASN1_NULL && type != V_ASN1_OBJECT && + type != V_ASN1_BOOLEAN); + ASN1_TYPE_set(a, type, str); +} + void asn1_type_cleanup(ASN1_TYPE *a) { switch (a->type) { case V_ASN1_NULL: diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_utctm.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_utctm.c index a59ea6d6..f9ee96f2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_utctm.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_utctm.c @@ -58,8 +58,9 @@ #include #include #include -#include +#include +#include #include #include @@ -83,11 +84,14 @@ int ASN1_UTCTIME_check(const ASN1_UTCTIME *d) { } int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str) { + // Although elsewhere we allow timezone offsets with UTCTime, to be compatible + // with some existing misissued certificates, this function is used to + // construct new certificates and can be stricter. size_t len = strlen(str); CBS cbs; CBS_init(&cbs, (const uint8_t *)str, len); if (!CBS_parse_utc_time(&cbs, /*out_tm=*/NULL, - /*allow_timezone_offset=*/1)) { + /*allow_timezone_offset=*/0)) { return 0; } if (s != NULL) { 
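Review bot: `asn1_type_set0_string` guards the V_ASN1_NULL/OBJECT/BOOLEAN cases with `assert` only, so in an NDEBUG build such a string would be handed to `ASN1_TYPE_set` as though it were an `ASN1_STRING` pointer even though, as the comment itself notes, those types use a different representation in `ASN1_TYPE`. That is acceptable for an internal helper whose callers control the input, but the comment should say so explicitly, e.g. `// Callers must never pass these types; release builds perform no check.` The tightened `allow_timezone_offset=0` in `ASN1_UTCTIME_set_string` on the same line is already explained by its new comment.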
@@ -121,9 +125,12 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, int64_t posix_time, int offset_d } char buf[14]; - BIO_snprintf(buf, sizeof(buf), "%02d%02d%02d%02d%02d%02dZ", - data.tm_year % 100, data.tm_mon + 1, data.tm_mday, data.tm_hour, - data.tm_min, data.tm_sec); + int ret = snprintf(buf, sizeof(buf), "%02d%02d%02d%02d%02d%02dZ", + data.tm_year % 100, data.tm_mon + 1, data.tm_mday, + data.tm_hour, data.tm_min, data.tm_sec); + if (ret != (int)(sizeof(buf) - 1)) { + abort(); // |snprintf| should neither truncate nor write fewer bytes. + } int free_s = 0; if (s == NULL) { diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/asn1_lib.c b/Sources/CJWTKitBoringSSL/crypto/asn1/asn1_lib.c index 69aeda04..d34f1eed 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/asn1_lib.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/asn1_lib.c @@ -102,6 +102,15 @@ OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_FORMAT) OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG) OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE) +// Limit |ASN1_STRING|s to 64 MiB of data. Most of this module, as well as +// downstream code, does not correctly handle overflow. We cap string fields +// more tightly than strictly necessary to fit in |int|. This is not expected to +// impact real world uses of this field. +// +// In particular, this limit is small enough that the bit count of a BIT STRING +// comfortably fits in an |int|, with room for arithmetic. +#define ASN1_STRING_MAX (64 * 1024 * 1024) + static void asn1_put_length(unsigned char **pp, int length); int ASN1_get_object(const unsigned char **inp, long *out_len, int *out_tag, 
@@ -273,9 +282,8 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, ossl_ssize_t len_s) { len = (size_t)len_s; } - // |ASN1_STRING| cannot represent strings that exceed |int|, and we must - // reserve space for a trailing NUL below. - if (len > INT_MAX || len + 1 < len) { + static_assert(ASN1_STRING_MAX < INT_MAX, "len will not overflow int"); + if (len > ASN1_STRING_MAX) { OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW); return 0; } diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/internal.h b/Sources/CJWTKitBoringSSL/crypto/asn1/internal.h index aa247893..d9c358b0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/internal.h @@ -76,18 +76,12 @@ extern "C" { // returned. On failure NULL is returned. OPENSSL_EXPORT struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result); -// OPENSSL_timegm converts a time value between the years 0 and 9999 in |tm| to -// a time_t value in |out|. One is returned on success, zero is returned on -// failure. It is a failure if the converted time can not be represented in a -// time_t, or if the tm contains out of range values. -OPENSSL_EXPORT int OPENSSL_timegm(const struct tm *tm, time_t *out); - // OPENSSL_gmtime_adj returns one on success, and updates |tm| by adding // |offset_day| days and |offset_sec| seconds. It returns zero on failure. |tm| // must be in the range of year 0000 to 9999 both before and after the update or // a failure will be returned. OPENSSL_EXPORT int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, - long offset_sec); + int64_t offset_sec); // OPENSSL_gmtime_diff calculates the difference between |from| and |to|. It // returns one, and outputs the difference as a number of days and seconds in 
@@ -210,6 +204,10 @@ void asn1_encoding_clear(ASN1_ENCODING *enc); // a pointer. const void *asn1_type_value_as_pointer(const ASN1_TYPE *a); +// asn1_type_set0_string sets |a|'s value to the object represented by |str| and +// takes ownership of |str|. +void asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str); + // asn1_type_cleanup releases memory associated with |a|'s value, without // freeing |a| itself. void asn1_type_cleanup(ASN1_TYPE *a); @@ -256,7 +254,6 @@ typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it); typedef struct ASN1_EXTERN_FUNCS_st { ASN1_ex_new_func *asn1_ex_new; ASN1_ex_free_func *asn1_ex_free; - ASN1_ex_free_func *asn1_ex_clear; ASN1_ex_d2i *asn1_ex_d2i; ASN1_ex_i2d *asn1_ex_i2d; } ASN1_EXTERN_FUNCS; diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/posix_time.c b/Sources/CJWTKitBoringSSL/crypto/asn1/posix_time.c index 3fd00166..3deaf582 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/posix_time.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/posix_time.c @@ -15,7 +15,7 @@ // Time conversion to/from POSIX time_t and struct tm, with no support // for time zones other than UTC -#include +#include #include #include @@ -26,12 +26,12 @@ #include "internal.h" #define SECS_PER_HOUR (60 * 60) -#define SECS_PER_DAY (24 * SECS_PER_HOUR) +#define SECS_PER_DAY (INT64_C(24) * SECS_PER_HOUR) // Is a year/month/day combination valid, in the range from year 0000 // to 9999? -static int is_valid_date(int year, int month, int day) { +static int is_valid_date(int64_t year, int64_t month, int64_t day) { if (day < 1 || month < 1 || year < 0 || year > 9999) { return 0; } 
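Review bot: The comment for `asn1_type_set0_string` says it takes ownership of `str`, but the only visible caller (do_dump in a_strex.c) passes a borrowed, const-cast string into a stack `ASN1_TYPE` that is never cleaned up, so ownership only transfers if the caller later runs `asn1_type_cleanup` or `ASN1_TYPE_free` on `a`. Suggest rewording to `// asn1_type_set0_string sets |a|'s value to the object represented by |str| and takes ownership of |str|: it is released when |a| is cleaned up, so a caller that only borrows |str| must not clean up |a|.` Removing `asn1_ex_clear` from `ASN1_EXTERN_FUNCS` also changes that struct's layout; any out-of-tree definition that initialises it positionally would silently shift fields, though none is visible here.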
@@ -62,7 +62,7 @@ static int is_valid_date(int year, int month, int day) { // Is a time valid? Leap seconds of 60 are not considered valid, as // the POSIX time in seconds does not include them. -static int is_valid_time(int hours, int minutes, int seconds) { +static int is_valid_time(int64_t hours, int64_t minutes, int64_t seconds) { if (hours < 0 || minutes < 0 || seconds < 0 || hours > 23 || minutes > 59 || seconds > 59) { return 0; @@ -70,17 +70,22 @@ static int is_valid_time(int hours, int minutes, int seconds) { return 1; } -// Is a int64 time representing a time within our expected range? -static int is_valid_epoch_time(int64_t time) { - // 0000-01-01 00:00:00 UTC to 9999-12-31 23:59:59 UTC - return (int64_t)-62167219200 <= time && time <= (int64_t)253402300799; +// 0000-01-01 00:00:00 UTC +#define MIN_POSIX_TIME INT64_C(-62167219200) +// 9999-12-31 23:59:59 UTC +#define MAX_POSIX_TIME INT64_C(253402300799) + +// Is an int64 time within our expected range? +static int is_valid_posix_time(int64_t time) { + return MIN_POSIX_TIME <= time && time <= MAX_POSIX_TIME; } // Inspired by algorithms presented in // https://howardhinnant.github.io/date_algorithms.html // (Public Domain) -static int posix_time_from_utc(int year, int month, int day, int hours, - int minutes, int seconds, int64_t *out_time) { +static int posix_time_from_utc(int64_t year, int64_t month, int64_t day, + int64_t hours, int64_t minutes, int64_t seconds, + int64_t *out_time) { if (!is_valid_date(year, month, day) || !is_valid_time(hours, minutes, seconds)) { return 0; @@ -108,7 +113,7 @@ static int posix_time_from_utc(int year, int month, int day, int hours, static int utc_from_posix_time(int64_t time, int *out_year, int *out_month, int *out_day, int *out_hours, int *out_minutes, int *out_seconds) { - if (!is_valid_epoch_time(time)) { + if (!is_valid_posix_time(time)) { return 0; } int64_t days = time / SECS_PER_DAY; 
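Review bot: `is_valid_date`, `is_valid_time` and `posix_time_from_utc` are widened to `int64_t` parameters without a comment saying why; the reason only appears in the later OPENSSL_tm_to_posix hunk, which adds `INT64_C(1900)` so that `tm_year + 1900` cannot overflow `int` for a hostile `tm` before the range check runs. A comment on `posix_time_from_utc` would preserve that: `// Arguments are int64_t so callers can pass |tm_year + 1900| and |tm_mon + 1| without first proving they fit in int; the range checks below reject out-of-range values.` The new MIN/MAX_POSIX_TIME macros are fine as written.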
@@ -143,19 +148,21 @@ static int utc_from_posix_time(int64_t time, int *out_year, int *out_month, } int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out) { - return posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, - tm->tm_hour, tm->tm_min, tm->tm_sec, out); + return posix_time_from_utc(tm->tm_year + INT64_C(1900), + tm->tm_mon + INT64_C(1), tm->tm_mday, tm->tm_hour, + tm->tm_min, tm->tm_sec, out); } int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm) { - memset(out_tm, 0, sizeof(struct tm)); - if (!utc_from_posix_time(time, &out_tm->tm_year, &out_tm->tm_mon, - &out_tm->tm_mday, &out_tm->tm_hour, &out_tm->tm_min, - &out_tm->tm_sec)) { + struct tm tmp_tm = {0}; + if (!utc_from_posix_time(time, &tmp_tm.tm_year, &tmp_tm.tm_mon, + &tmp_tm.tm_mday, &tmp_tm.tm_hour, &tmp_tm.tm_min, + &tmp_tm.tm_sec)) { return 0; } - out_tm->tm_year -= 1900; - out_tm->tm_mon -= 1; + tmp_tm.tm_year -= 1900; + tmp_tm.tm_mon -= 1; + *out_tm = tmp_tm; return 1; } 
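Review bot: `OPENSSL_posix_to_tm` now converts into a local `tmp_tm` and copies to `*out_tm` only on success, so `*out_tm` is left untouched on failure, a stronger contract than the old code, which zeroed and partially filled it. That guarantee is what the rewritten OPENSSL_gmtime_adj relies on to leave `tm` unmodified when it fails, so it should be stated where callers will see it: `// On failure, |*out_tm| is left unmodified.` above the function, and the same sentence in the internal.h declaration comment, which is outside this hunk.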
@@ -187,43 +194,47 @@ struct tm *OPENSSL_gmtime(const time_t *time, struct tm *out_tm) { return out_tm; } -int OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) { +int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, int64_t offset_sec) { int64_t posix_time; - if (!posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, - tm->tm_hour, tm->tm_min, tm->tm_sec, &posix_time)) { + if (!OPENSSL_tm_to_posix(tm, &posix_time)) { + return 0; + } + static_assert(INT_MAX <= INT64_MAX / SECS_PER_DAY, + "day offset in seconds cannot overflow"); + static_assert(MAX_POSIX_TIME <= INT64_MAX - INT_MAX * SECS_PER_DAY, + "addition cannot overflow"); + static_assert(MIN_POSIX_TIME >= INT64_MIN - INT_MIN * SECS_PER_DAY, + "addition cannot underflow"); + posix_time += offset_day * SECS_PER_DAY; + if (posix_time > 0 && offset_sec > INT64_MAX - posix_time) { return 0; } - if (!utc_from_posix_time( - posix_time + (int64_t)off_day * SECS_PER_DAY + offset_sec, - &tm->tm_year, &tm->tm_mon, &tm->tm_mday, &tm->tm_hour, &tm->tm_min, - &tm->tm_sec)) { + if (posix_time < 0 && offset_sec < INT64_MIN - posix_time) { + return 0; + } + posix_time += offset_sec; + + if (!OPENSSL_posix_to_tm(posix_time, tm)) { return 0; } - tm->tm_year -= 1900; - tm->tm_mon -= 1; return 1; } int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from, const struct tm *to) { - int64_t time_to; - if (!posix_time_from_utc(to->tm_year + 1900, to->tm_mon + 1, to->tm_mday, - to->tm_hour, to->tm_min, to->tm_sec, &time_to)) { - return 0; - } - int64_t time_from; - if (!posix_time_from_utc(from->tm_year + 1900, from->tm_mon + 1, - from->tm_mday, from->tm_hour, from->tm_min, - from->tm_sec, &time_from)) { + int64_t time_to, time_from; + if (!OPENSSL_tm_to_posix(to, &time_to) || + !OPENSSL_tm_to_posix(from, &time_from)) { return 0; } + // Times are in range, so these calculations can not overflow. 
+ static_assert(SECS_PER_DAY <= INT_MAX, "seconds per day does not fit in int"); + static_assert((MAX_POSIX_TIME - MIN_POSIX_TIME) / SECS_PER_DAY <= INT_MAX, + "range of valid POSIX times, in days, does not fit in int"); int64_t timediff = time_to - time_from; int64_t daydiff = timediff / SECS_PER_DAY; timediff %= SECS_PER_DAY; - if (daydiff > INT_MAX || daydiff < INT_MIN) { - return 0; - } *out_secs = (int)timediff; *out_days = (int)daydiff; return 1; diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_dec.c b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_dec.c index cea065e5..f086174c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_dec.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_dec.c @@ -850,7 +850,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, if (utype == V_ASN1_BMPSTRING) { while (CBS_len(&cbs) != 0) { uint32_t c; - if (!cbs_get_ucs2_be(&cbs, &c)) { + if (!CBS_get_ucs2_be(&cbs, &c)) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BMPSTRING); goto err; } @@ -859,7 +859,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, if (utype == V_ASN1_UNIVERSALSTRING) { while (CBS_len(&cbs) != 0) { uint32_t c; - if (!cbs_get_utf32_be(&cbs, &c)) { + if (!CBS_get_utf32_be(&cbs, &c)) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UNIVERSALSTRING); goto err; } @@ -868,7 +868,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, if (utype == V_ASN1_UTF8STRING) { while (CBS_len(&cbs) != 0) { uint32_t c; - if (!cbs_get_utf8(&cbs, &c)) { + if (!CBS_get_utf8(&cbs, &c)) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UTF8STRING); goto err; } diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_enc.c b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_enc.c index afdcf228..dc7760dd 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_enc.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_enc.c 
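Review bot: The overflow handling in `OPENSSL_gmtime_adj` looks right (the day offset is bounded by the static_asserts, and the two range checks cover both signs of the `offset_sec` addition), but the function no longer says what happens to `tm` on failure; since the input is fully read before any write and `OPENSSL_posix_to_tm` writes only on success, `tm` is left unmodified on every error path, which deserves `// On failure |tm| is left unmodified.` above the function. In `OPENSSL_gmtime_diff` the removed `daydiff` range check is now justified only by the asserts added just above the arithmetic, so the comment `// Times are in range, so these calculations can not overflow.` should also say that the casts to int are covered by them. The tasn_dec.c rename hunks on this line need no change.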
@@ -452,14 +452,9 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, return 1; } - if (sk_ASN1_VALUE_num(sk) > ((size_t)-1) / sizeof(DER_ENC)) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW); - return 0; - } - int ret = 0; unsigned char *const buf = OPENSSL_malloc(skcontlen); - DER_ENC *encoded = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*encoded)); + DER_ENC *encoded = OPENSSL_calloc(sk_ASN1_VALUE_num(sk), sizeof(*encoded)); if (encoded == NULL || buf == NULL) { goto err; } diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_new.c b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_new.c index ee7c7ec9..7176d85d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_new.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_new.c @@ -127,11 +127,10 @@ int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { return 1; } } - *pval = OPENSSL_malloc(it->size); + *pval = OPENSSL_zalloc(it->size); if (!*pval) { goto memerr; } - OPENSSL_memset(*pval, 0, it->size); asn1_set_choice_selector(pval, -1, it); if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL)) { goto auxerr2; @@ -151,11 +150,10 @@ int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { return 1; } } - *pval = OPENSSL_malloc(it->size); + *pval = OPENSSL_zalloc(it->size); if (!*pval) { goto memerr; } - OPENSSL_memset(*pval, 0, it->size); asn1_refcount_set_one(pval, it); asn1_enc_init(pval, it); for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) { @@ -185,16 +183,9 @@ int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { } static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it) { - const ASN1_EXTERN_FUNCS *ef; - switch (it->itype) { case ASN1_ITYPE_EXTERN: - ef = it->funcs; - if (ef && ef->asn1_ex_clear) { - ef->asn1_ex_clear(pval, it); - } else { - *pval = NULL; - } + *pval = NULL; break; case ASN1_ITYPE_PRIMITIVE: 
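Review bot: Dropping the explicit `sk_ASN1_VALUE_num(sk) > ((size_t)-1) / sizeof(DER_ENC)` check in `asn1_set_seq_out` is only safe if `OPENSSL_calloc` rejects a `num * size` product that overflows, as `calloc(3)` does; nothing in the hunk records that dependency. Suggest `// OPENSSL_calloc checks |num * size| for overflow, so no explicit check is needed.` on the allocation line. asn1_set_seq_out starts and ends outside the hunk; the tasn_new.c zalloc and asn1_item_clear hunks need no change.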
@@ -276,7 +267,7 @@ static int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { } switch (utype) { case V_ASN1_OBJECT: - *pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef); + *pval = (ASN1_VALUE *)OBJ_get_undef(); return 1; case V_ASN1_BOOLEAN: diff --git a/Sources/CJWTKitBoringSSL/crypto/base64/base64.c b/Sources/CJWTKitBoringSSL/crypto/base64/base64.c index c22f0ba0..ad345d70 100644 --- a/Sources/CJWTKitBoringSSL/crypto/base64/base64.c +++ b/Sources/CJWTKitBoringSSL/crypto/base64/base64.c @@ -121,12 +121,7 @@ int EVP_EncodedLength(size_t *out_len, size_t len) { } EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) { - EVP_ENCODE_CTX *ret = OPENSSL_malloc(sizeof(EVP_ENCODE_CTX)); - if (ret == NULL) { - return NULL; - } - OPENSSL_memset(ret, 0, sizeof(EVP_ENCODE_CTX)); - return ret; + return OPENSSL_zalloc(sizeof(EVP_ENCODE_CTX)); } void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) { diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/bio.c b/Sources/CJWTKitBoringSSL/crypto/bio/bio.c index a1353e59..05c491c7 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bio/bio.c +++ b/Sources/CJWTKitBoringSSL/crypto/bio/bio.c @@ -69,16 +69,19 @@ #include "../internal.h" +static CRYPTO_EX_DATA_CLASS g_ex_data_class = + CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; + BIO *BIO_new(const BIO_METHOD *method) { - BIO *ret = OPENSSL_malloc(sizeof(BIO)); + BIO *ret = OPENSSL_zalloc(sizeof(BIO)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(BIO)); ret->method = method; ret->shutdown = 1; ret->references = 1; + CRYPTO_new_ex_data(&ret->ex_data); if (method->create != NULL && !method->create(ret)) { OPENSSL_free(ret); @@ -102,6 +105,7 @@ int BIO_free(BIO *bio) { bio->method->destroy(bio); } + CRYPTO_free_ex_data(&g_ex_data_class, bio, &bio->ex_data); OPENSSL_free(bio); } return 1; 
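Review bot: In `BIO_new`, `CRYPTO_new_ex_data(&ret->ex_data)` runs before `method->create`, but the create-failure path still does a bare `OPENSSL_free(ret)` while `BIO_free` pairs the free with `CRYPTO_free_ex_data`. If `CRYPTO_new_ex_data` only initialises the structure and does not allocate, nothing leaks, but the asymmetry deserves either the matching `CRYPTO_free_ex_data(&g_ex_data_class, ret, &ret->ex_data);` before the free or a comment stating that no ex_data entries can exist yet. The `OBJ_get_undef` and `EVP_ENCODE_CTX_new` hunks on this line need no change.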
@@ -341,11 +345,11 @@ int BIO_set_close(BIO *bio, int close_flag) { return (int)BIO_ctrl(bio, BIO_CTRL_SET_CLOSE, close_flag, NULL); } -OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio) { +OPENSSL_EXPORT uint64_t BIO_number_read(const BIO *bio) { return bio->num_read; } -OPENSSL_EXPORT size_t BIO_number_written(const BIO *bio) { +OPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio) { return bio->num_write; } @@ -628,23 +632,22 @@ void BIO_set_retry_special(BIO *bio) { int BIO_set_write_buffer_size(BIO *bio, int buffer_size) { return 0; } -static struct CRYPTO_STATIC_MUTEX g_index_lock = CRYPTO_STATIC_MUTEX_INIT; +static CRYPTO_MUTEX g_index_lock = CRYPTO_MUTEX_INIT; static int g_index = BIO_TYPE_START; int BIO_get_new_index(void) { - CRYPTO_STATIC_MUTEX_lock_write(&g_index_lock); + CRYPTO_MUTEX_lock_write(&g_index_lock); // If |g_index| exceeds 255, it will collide with the flags bits. int ret = g_index > 255 ? -1 : g_index++; - CRYPTO_STATIC_MUTEX_unlock_write(&g_index_lock); + CRYPTO_MUTEX_unlock_write(&g_index_lock); return ret; } BIO_METHOD *BIO_meth_new(int type, const char *name) { - BIO_METHOD *method = OPENSSL_malloc(sizeof(BIO_METHOD)); + BIO_METHOD *method = OPENSSL_zalloc(sizeof(BIO_METHOD)); if (method == NULL) { return NULL; } - OPENSSL_memset(method, 0, sizeof(BIO_METHOD)); method->type = type; method->name = name; return method; 
@@ -706,3 +709,23 @@ int BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)) { // Ignore the parameter. We implement |BIO_puts| using |BIO_write|. return 1; } + +int BIO_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_unused *unused, + CRYPTO_EX_dup *dup_unused, + CRYPTO_EX_free *free_func) { + int index; + if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, + free_func)) { + return -1; + } + return index; +} + +int BIO_set_ex_data(BIO *bio, int idx, void *data) { + return CRYPTO_set_ex_data(&bio->ex_data, idx, data); +} + +void *BIO_get_ex_data(const BIO *bio, int idx) { + return CRYPTO_get_ex_data(&bio->ex_data, idx); +} diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/bio_mem.c b/Sources/CJWTKitBoringSSL/crypto/bio/bio_mem.c index 8e1e6385..695b3f3a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bio/bio_mem.c +++ b/Sources/CJWTKitBoringSSL/crypto/bio/bio_mem.c @@ -206,7 +206,6 @@ static int mem_gets(BIO *bio, char *buf, int size) { static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) { long ret = 1; - char **pptr; BUF_MEM *b = (BUF_MEM *)bio->ptr; @@ -232,8 +231,8 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) { case BIO_CTRL_INFO: ret = (long)b->length; if (ptr != NULL) { - pptr = (char **)ptr; - *pptr = (char *)&b->data[0]; + char **pptr = ptr; + *pptr = b->data; } break; case BIO_C_SET_BUF_MEM: @@ -243,8 +242,8 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) { break; case BIO_C_GET_BUF_MEM_PTR: if (ptr != NULL) { - pptr = (char **)ptr; - *pptr = (char *)b; + BUF_MEM **pptr = ptr; + *pptr = b; } break; case BIO_CTRL_GET_CLOSE: 
@@ -294,15 +293,15 @@ int BIO_mem_contents(const BIO *bio, const uint8_t **out_contents, } long BIO_get_mem_data(BIO *bio, char **contents) { - return BIO_ctrl(bio, BIO_CTRL_INFO, 0, (char *) contents); + return BIO_ctrl(bio, BIO_CTRL_INFO, 0, contents); } int BIO_get_mem_ptr(BIO *bio, BUF_MEM **out) { - return (int)BIO_ctrl(bio, BIO_C_GET_BUF_MEM_PTR, 0, (char *) out); + return (int)BIO_ctrl(bio, BIO_C_GET_BUF_MEM_PTR, 0, out); } int BIO_set_mem_buf(BIO *bio, BUF_MEM *b, int take_ownership) { - return (int)BIO_ctrl(bio, BIO_C_SET_BUF_MEM, take_ownership, (char *) b); + return (int)BIO_ctrl(bio, BIO_C_SET_BUF_MEM, take_ownership, b); } int BIO_set_mem_eof_return(BIO *bio, int eof_value) { diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/connect.c b/Sources/CJWTKitBoringSSL/crypto/bio/connect.c index 8301c553..83ea556d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bio/connect.c +++ b/Sources/CJWTKitBoringSSL/crypto/bio/connect.c @@ -56,7 +56,7 @@ #include -#if !defined(OPENSSL_TRUSTY) +#if !defined(OPENSSL_NO_SOCK) #include #include @@ -233,7 +233,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) { BIO_clear_retry_flags(bio); ret = connect(bio->num, (struct sockaddr*) &c->them, c->them_length); if (ret < 0) { - if (bio_fd_should_retry(ret)) { + if (bio_socket_should_retry(ret)) { BIO_set_flags(bio, (BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY)); c->state = BIO_CONN_S_BLOCKED_CONNECT; bio->retry_reason = BIO_RR_CONNECT; @@ -252,7 +252,7 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) { case BIO_CONN_S_BLOCKED_CONNECT: i = bio_sock_error(bio->num); if (i) { - if (bio_fd_should_retry(ret)) { + if (bio_socket_should_retry(ret)) { BIO_set_flags(bio, (BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY)); c->state = BIO_CONN_S_BLOCKED_CONNECT; bio->retry_reason = BIO_RR_CONNECT; 
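Review bot: In the `BIO_CONN_S_BLOCKED_CONNECT` case of `conn_state`, the retry decision is still `bio_socket_should_retry(ret)` even though the error just fetched is `i` from `bio_sock_error`; `ret` is whatever the function started with or an earlier state left behind, and `bio_socket_should_retry` presumably consults the last socket error rather than `i`. The rename preserves this pre-existing quirk; if it is intentional, a comment such as `// |ret| is the earlier connect() result; the retry test inspects the last socket error, not |i|.` would help, otherwise the branch should classify `i` directly. conn_state starts outside the hunk, so the initial value of `ret` is not visible here; the bio_mem.c cast removals on this line need no change.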
@@ -296,13 +296,10 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) { } static BIO_CONNECT *BIO_CONNECT_new(void) { - BIO_CONNECT *ret = OPENSSL_malloc(sizeof(BIO_CONNECT)); - + BIO_CONNECT *ret = OPENSSL_zalloc(sizeof(BIO_CONNECT)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(BIO_CONNECT)); - ret->state = BIO_CONN_S_BEFORE; return ret; } @@ -366,7 +363,7 @@ static int conn_read(BIO *bio, char *out, int out_len) { ret = (int)recv(bio->num, out, out_len, 0); BIO_clear_retry_flags(bio); if (ret <= 0) { - if (bio_fd_should_retry(ret)) { + if (bio_socket_should_retry(ret)) { BIO_set_retry_read(bio); } } @@ -390,7 +387,7 @@ static int conn_write(BIO *bio, const char *in, int in_len) { ret = (int)send(bio->num, in, in_len, 0); BIO_clear_retry_flags(bio); if (ret <= 0) { - if (bio_fd_should_retry(ret)) { + if (bio_socket_should_retry(ret)) { BIO_set_retry_write(bio); } } @@ -532,7 +529,7 @@ int BIO_set_conn_port(BIO *bio, const char *port_str) { int BIO_set_conn_int_port(BIO *bio, const int *port) { char buf[DECIMAL_SIZE(int) + 1]; - BIO_snprintf(buf, sizeof(buf), "%d", *port); + snprintf(buf, sizeof(buf), "%d", *port); return BIO_set_conn_port(bio, buf); } @@ -544,4 +541,4 @@ int BIO_do_connect(BIO *bio) { return (int)BIO_ctrl(bio, BIO_C_DO_STATE_MACHINE, 0, NULL); } -#endif // OPENSSL_TRUSTY +#endif // OPENSSL_NO_SOCK diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_info.c b/Sources/CJWTKitBoringSSL/crypto/bio/errno.c similarity index 79% rename from Sources/CJWTKitBoringSSL/crypto/x509/x_info.c rename to Sources/CJWTKitBoringSSL/crypto/bio/errno.c index 2c09033b..5fdb4e01 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_info.c +++ b/Sources/CJWTKitBoringSSL/crypto/bio/errno.c 
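Review bot: `BIO_CONNECT_new` drops the explicit `ret->state = BIO_CONN_S_BEFORE` and relies on `OPENSSL_zalloc` leaving `state` at zero, which is only correct if `BIO_CONN_S_BEFORE` is defined as 0, something this hunk does not show. A `static_assert(BIO_CONN_S_BEFORE == 0, "zalloc must yield the initial state");` next to the allocation, or at least a comment, would make the dependency explicit; `static_assert` is already used in the asn1 hunks of this same commit. The remaining connect.c hunks on this line are renames and the `BIO_snprintf` to `snprintf` swap, which need no change.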
@@ -54,47 +54,39 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ -#include +#include -#include -#include -#include -#include +#include -X509_INFO *X509_INFO_new(void) { - X509_INFO *ret = NULL; +#include "internal.h" - ret = (X509_INFO *)OPENSSL_malloc(sizeof(X509_INFO)); - if (ret == NULL) { - return NULL; - } - - ret->enc_cipher.cipher = NULL; - ret->enc_len = 0; - ret->enc_data = NULL; - - ret->x509 = NULL; - ret->crl = NULL; - ret->x_pkey = NULL; - return ret; -} -void X509_INFO_free(X509_INFO *x) { - if (x == NULL) { - return; +int bio_errno_should_retry(int return_value) { + if (return_value != -1) { + return 0; } - if (x->x509 != NULL) { - X509_free(x->x509); - } - if (x->crl != NULL) { - X509_CRL_free(x->crl); - } - if (x->x_pkey != NULL) { - X509_PKEY_free(x->x_pkey); - } - if (x->enc_data != NULL) { - OPENSSL_free(x->enc_data); - } - OPENSSL_free(x); + return +#ifdef EWOULDBLOCK + errno == EWOULDBLOCK || +#endif +#ifdef ENOTCONN + errno == ENOTCONN || +#endif +#ifdef EINTR + errno == EINTR || +#endif +#ifdef EAGAIN + errno == EAGAIN || +#endif +#ifdef EPROTO + errno == EPROTO || +#endif +#ifdef EINPROGRESS + errno == EINPROGRESS || +#endif +#ifdef EALREADY + errno == EALREADY || +#endif + 0; } diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/fd.c b/Sources/CJWTKitBoringSSL/crypto/bio/fd.c index 5cae4ce9..5bd52b6a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bio/fd.c +++ b/Sources/CJWTKitBoringSSL/crypto/bio/fd.c @@ -56,7 +56,7 @@ #include -#if !defined(OPENSSL_TRUSTY) +#if !defined(OPENSSL_NO_POSIX_IO) #include #include @@ -65,9 +65,6 @@ #include #else #include -OPENSSL_MSVC_PRAGMA(warning(push, 3)) -#include -OPENSSL_MSVC_PRAGMA(warning(pop)) #endif #include 
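Review bot: `bio_errno_should_retry` keeps `ENOTCONN`, `EPROTO`, `EINPROGRESS` and `EALREADY` in its non-fatal set even though, after this split, the function serves the plain file-descriptor reads and writes in fd.c while sockets go through `bio_socket_should_retry`; those four are connection-state errors, and on a regular descriptor they more likely mark a real failure that would now be reported as retryable. If the list is deliberately kept identical to the former shared helper, say so: `// The errno set mirrors the former shared fd/socket helper; sockets use bio_socket_should_retry.` The git rename from x_info.c is a similarity-heuristic artefact; the file is effectively new.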
@@ -77,59 +74,18 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) #include "../internal.h" -static int bio_fd_non_fatal_error(int err) { - if ( -#ifdef EWOULDBLOCK - err == EWOULDBLOCK || -#endif -#ifdef WSAEWOULDBLOCK - err == WSAEWOULDBLOCK || -#endif -#ifdef ENOTCONN - err == ENOTCONN || -#endif -#ifdef EINTR - err == EINTR || -#endif -#ifdef EAGAIN - err == EAGAIN || -#endif -#ifdef EPROTO - err == EPROTO || -#endif -#ifdef EINPROGRESS - err == EINPROGRESS || -#endif -#ifdef EALREADY - err == EALREADY || -#endif - 0) { - return 1; - } - return 0; -} - #if defined(OPENSSL_WINDOWS) - #define BORINGSSL_ERRNO (int)GetLastError() #define BORINGSSL_CLOSE _close #define BORINGSSL_LSEEK _lseek #define BORINGSSL_READ _read #define BORINGSSL_WRITE _write #else - #define BORINGSSL_ERRNO errno #define BORINGSSL_CLOSE close #define BORINGSSL_LSEEK lseek #define BORINGSSL_READ read #define BORINGSSL_WRITE write #endif -int bio_fd_should_retry(int i) { - if (i == -1) { - return bio_fd_non_fatal_error(BORINGSSL_ERRNO); - } - return 0; -} - BIO *BIO_new_fd(int fd, int close_flag) { BIO *ret = BIO_new(BIO_s_fd()); if (ret == NULL) { @@ -161,7 +117,7 @@ static int fd_read(BIO *b, char *out, int outl) { ret = (int)BORINGSSL_READ(b->num, out, outl); BIO_clear_retry_flags(b); if (ret <= 0) { - if (bio_fd_should_retry(ret)) { + if (bio_errno_should_retry(ret)) { BIO_set_retry_read(b); } } @@ -173,7 +129,7 @@ static int fd_write(BIO *b, const char *in, int inl) { int ret = (int)BORINGSSL_WRITE(b->num, in, inl); BIO_clear_retry_flags(b); if (ret <= 0) { - if (bio_fd_should_retry(ret)) { + if (bio_errno_should_retry(ret)) { BIO_set_retry_write(b); } } @@ -268,6 +224,8 @@ static const BIO_METHOD methods_fdp = { const BIO_METHOD *BIO_s_fd(void) { return &methods_fdp; } +#endif // OPENSSL_NO_POSIX_IO + int BIO_set_fd(BIO *bio, int fd, int close_flag) { return (int)BIO_int_ctrl(bio, BIO_C_SET_FD, close_flag, fd); } 
@@ -275,5 +233,3 @@ int BIO_set_fd(BIO *bio, int fd, int close_flag) { int BIO_get_fd(BIO *bio, int *out_fd) { return (int)BIO_ctrl(bio, BIO_C_GET_FD, 0, (char *) out_fd); } - -#endif // OPENSSL_TRUSTY diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/file.c b/Sources/CJWTKitBoringSSL/crypto/bio/file.c index 0bd15df5..d1e3dc8e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bio/file.c +++ b/Sources/CJWTKitBoringSSL/crypto/bio/file.c @@ -73,8 +73,6 @@ #include -#if !defined(OPENSSL_TRUSTY) - #include #include #include @@ -89,11 +87,20 @@ #define BIO_FP_WRITE 0x04 #define BIO_FP_APPEND 0x08 +#if !defined(OPENSSL_NO_FILESYSTEM) +#define fopen_if_available fopen +#else +static FILE *fopen_if_available(const char *path, const char *mode) { + errno = ENOENT; + return NULL; +} +#endif + BIO *BIO_new_file(const char *filename, const char *mode) { BIO *ret; FILE *file; - file = fopen(filename, mode); + file = fopen_if_available(filename, mode); if (file == NULL) { OPENSSL_PUT_SYSTEM_ERROR(); @@ -172,7 +179,6 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) { long ret = 1; FILE *fp = (FILE *)b->ptr; FILE **fpp; - char p[4]; switch (cmd) { case BIO_CTRL_RESET: 
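Review bot: The `OPENSSL_NO_FILESYSTEM` stub `fopen_if_available` sets `errno = ENOENT` so that the callers' `OPENSSL_PUT_SYSTEM_ERROR()` reports something sensible, but nothing says so and the choice of ENOENT over, say, ENOSYS is not obvious; suggest `// Fail with ENOENT so callers' OPENSSL_PUT_SYSTEM_ERROR() yields a meaningful error.` inside the stub. The stub also needs `<errno.h>` in scope, and the include lines in this hunk have lost their targets in this rendering, so that cannot be confirmed here. The dropped `char p[4];` in file_ctrl is matched by the string-literal change in the next hunk.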
@@ -197,27 +203,28 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) { case BIO_C_SET_FILENAME: file_free(b); b->shutdown = (int)num & BIO_CLOSE; + const char *mode; if (num & BIO_FP_APPEND) { if (num & BIO_FP_READ) { - OPENSSL_strlcpy(p, "a+", sizeof(p)); + mode = "a+"; } else { - OPENSSL_strlcpy(p, "a", sizeof(p)); + mode = "a"; } } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE)) { - OPENSSL_strlcpy(p, "r+", sizeof(p)); + mode = "r+"; } else if (num & BIO_FP_WRITE) { - OPENSSL_strlcpy(p, "w", sizeof(p)); + mode = "w"; } else if (num & BIO_FP_READ) { - OPENSSL_strlcpy(p, "r", sizeof(p)); + mode = "r"; } else { OPENSSL_PUT_ERROR(BIO, BIO_R_BAD_FOPEN_MODE); ret = 0; break; } - fp = fopen(ptr, p); + fp = fopen_if_available(ptr, mode); if (fp == NULL) { OPENSSL_PUT_SYSTEM_ERROR(); - ERR_add_error_data(5, "fopen('", ptr, "','", p, "')"); + ERR_add_error_data(5, "fopen('", ptr, "','", mode, "')"); OPENSSL_PUT_ERROR(BIO, ERR_R_SYS_LIB); ret = 0; break; @@ -310,5 +317,3 @@ long BIO_tell(BIO *bio) { return BIO_ctrl(bio, BIO_C_FILE_TELL, 0, NULL); } long BIO_seek(BIO *bio, long offset) { return BIO_ctrl(bio, BIO_C_FILE_SEEK, offset, NULL); } - -#endif // OPENSSL_TRUSTY diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/internal.h b/Sources/CJWTKitBoringSSL/crypto/bio/internal.h index 41fed663..883da413 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bio/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/bio/internal.h @@ -59,6 +59,7 @@ #include +#if !defined(OPENSSL_NO_SOCK) #if !defined(OPENSSL_WINDOWS) #if defined(OPENSSL_PNACL) // newlib uses u_short in socket.h without defining it. 
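Review bot: In `file_ctrl`, `const char *mode;` is declared inside the `BIO_C_SET_FILENAME` case without braces, so the later `case` labels jump past the declaration into its scope; that is legal C for a non-VLA declaration without an initialiser, but it is the pattern some compilers warn about and it reads oddly next to the `fpp` declaration hoisted to the top of the function. Wrapping the case body in braces, or declaring `mode` alongside `fpp`, would avoid it. The switch to string literals correctly removes the fixed `p[4]` buffer and the strlcpy calls; file_ctrl starts outside the hunk.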
@@ -72,13 +73,16 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3)) OPENSSL_MSVC_PRAGMA(warning(pop)) typedef int socklen_t; #endif +#endif // !OPENSSL_NO_SOCK #if defined(__cplusplus) extern "C" { #endif -// BIO_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr| +#if !defined(OPENSSL_NO_SOCK) + +// bio_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr| // and |*out_addr_length| with the correct values for connecting to |hostname| // on |port_str|. It returns one on success or zero on error. int bio_ip_and_port_to_socket_and_addr(int *out_sock, @@ -87,21 +91,27 @@ int bio_ip_and_port_to_socket_and_addr(int *out_sock, const char *hostname, const char *port_str); -// BIO_socket_nbio sets whether |sock| is non-blocking. It returns one on +// bio_socket_nbio sets whether |sock| is non-blocking. It returns one on // success and zero otherwise. int bio_socket_nbio(int sock, int on); -// BIO_clear_socket_error clears the last system socket error. +// bio_clear_socket_error clears the last system socket error. // // TODO(fork): remove all callers of this. void bio_clear_socket_error(void); -// BIO_sock_error returns the last socket error on |sock|. +// bio_sock_error returns the last socket error on |sock|. int bio_sock_error(int sock); -// BIO_fd_should_retry returns non-zero if |return_value| indicates an error +// bio_socket_should_retry returns non-zero if |return_value| indicates an error +// and the last socket error indicates that it's non-fatal. +int bio_socket_should_retry(int return_value); + +#endif // !OPENSSL_NO_SOCK + +// bio_errno_should_retry returns non-zero if |return_value| indicates an error // and |errno| indicates that it's non-fatal. -int bio_fd_should_retry(int return_value); +int bio_errno_should_retry(int return_value); #if defined(__cplusplus) diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/pair.c b/Sources/CJWTKitBoringSSL/crypto/bio/pair.c index 1dbf9953..3473881d 100644 
--- a/Sources/CJWTKitBoringSSL/crypto/bio/pair.c +++ b/Sources/CJWTKitBoringSSL/crypto/bio/pair.c @@ -81,13 +81,10 @@ struct bio_bio_st { }; static int bio_new(BIO *bio) { - struct bio_bio_st *b; - - b = OPENSSL_malloc(sizeof *b); + struct bio_bio_st *b = OPENSSL_zalloc(sizeof *b); if (b == NULL) { return 0; } - OPENSSL_memset(b, 0, sizeof(struct bio_bio_st)); b->size = 17 * 1024; // enough for one TLS record (just a default) bio->ptr = b; diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/socket.c b/Sources/CJWTKitBoringSSL/crypto/bio/socket.c index c5ad850f..cccd218b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bio/socket.c +++ b/Sources/CJWTKitBoringSSL/crypto/bio/socket.c @@ -56,7 +56,7 @@ #include -#if !defined(OPENSSL_TRUSTY) +#if !defined(OPENSSL_NO_SOCK) #include #include @@ -104,7 +104,7 @@ static int sock_read(BIO *b, char *out, int outl) { #endif BIO_clear_retry_flags(b); if (ret <= 0) { - if (bio_fd_should_retry(ret)) { + if (bio_socket_should_retry(ret)) { BIO_set_retry_read(b); } } @@ -120,7 +120,7 @@ static int sock_write(BIO *b, const char *in, int inl) { #endif BIO_clear_retry_flags(b); if (ret <= 0) { - if (bio_fd_should_retry(ret)) { + if (bio_socket_should_retry(ret)) { BIO_set_retry_write(b); } } @@ -186,4 +186,4 @@ BIO *BIO_new_socket(int fd, int close_flag) { return ret; } -#endif // OPENSSL_TRUSTY +#endif // OPENSSL_NO_SOCK diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/socket_helper.c b/Sources/CJWTKitBoringSSL/crypto/bio/socket_helper.c index 3ed79ada..31b48839 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bio/socket_helper.c +++ b/Sources/CJWTKitBoringSSL/crypto/bio/socket_helper.c @@ -20,7 +20,7 @@ #include #include -#if !defined(OPENSSL_TRUSTY) +#if !defined(OPENSSL_NO_SOCK) #include #include 
@@ -121,4 +121,13 @@ int bio_sock_error(int sock) { return error; } -#endif // OPENSSL_TRUSTY +int bio_socket_should_retry(int return_value) { +#if defined(OPENSSL_WINDOWS) + return return_value == -1 && WSAGetLastError() == WSAEWOULDBLOCK; +#else + // On POSIX platforms, sockets and fds are the same. + return bio_errno_should_retry(return_value); +#endif +} + +#endif // OPENSSL_NO_SOCK diff --git a/Sources/CJWTKitBoringSSL/crypto/bn_extra/convert.c b/Sources/CJWTKitBoringSSL/crypto/bn_extra/convert.c index 3dcfbeeb..6f9b4ac7 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bn_extra/convert.c +++ b/Sources/CJWTKitBoringSSL/crypto/bn_extra/convert.c @@ -455,3 +455,11 @@ int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len) { } return len; } + +int BN_bn2lebinpad(const BIGNUM *in, uint8_t *out, int len) { + if (len < 0 || + !BN_bn2le_padded(out, (size_t)len, in)) { + return -1; + } + return len; +} diff --git a/Sources/CJWTKitBoringSSL/crypto/buf/buf.c b/Sources/CJWTKitBoringSSL/crypto/buf/buf.c index fcc5ffb5..97b03d6a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/buf/buf.c +++ b/Sources/CJWTKitBoringSSL/crypto/buf/buf.c @@ -64,17 +64,7 @@ #include "../internal.h" -BUF_MEM *BUF_MEM_new(void) { - BUF_MEM *ret; - - ret = OPENSSL_malloc(sizeof(BUF_MEM)); - if (ret == NULL) { - return NULL; - } - - OPENSSL_memset(ret, 0, sizeof(BUF_MEM)); - return ret; -} +BUF_MEM *BUF_MEM_new(void) { return OPENSSL_zalloc(sizeof(BUF_MEM)); } void BUF_MEM_free(BUF_MEM *buf) { if (buf == NULL) { diff --git a/Sources/CJWTKitBoringSSL/crypto/bytestring/ber.c b/Sources/CJWTKitBoringSSL/crypto/bytestring/ber.c index bccb61ab..50fd125b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bytestring/ber.c +++ b/Sources/CJWTKitBoringSSL/crypto/bytestring/ber.c 
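Review bot: The Windows branch of `bio_socket_should_retry` treats only `WSAEWOULDBLOCK` as retryable, whereas the POSIX branch delegates to `bio_errno_should_retry`, whose set of retryable errnos is not visible in this diff; if that set is wider (an interrupted call, for instance), the two platforms now disagree on what `sock_read` and `sock_write` in socket.c will retry. The `== -1` comparison does match Winsock's `SOCKET_ERROR`, but the intended contract deserves a comment above the `#if`, e.g. `// Retry only when the socket is non-blocking and has no data/space yet; any other failure is fatal to the caller.` The function is self-contained in this hunk.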
@@ -18,13 +18,10 @@ #include #include "internal.h" -#include "../internal.h" -// kMaxDepth is a just a sanity limit. The code should be such that the length -// of the input being processes always decreases. None the less, a very large -// input could otherwise cause the stack to overflow. -static const uint32_t kMaxDepth = 2048; +// kMaxDepth limits the recursion depth to avoid overflowing the stack. +static const uint32_t kMaxDepth = 128; // is_string_type returns one if |tag| is a string type and zero otherwise. It // ignores the constructed bit. @@ -56,13 +53,11 @@ static int is_string_type(CBS_ASN1_TAG tag) { // found. The value of |orig_in| is not changed. It returns one on success (i.e. // |*ber_found| was set) and zero on error. static int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) { - CBS in; - if (depth > kMaxDepth) { return 0; } - CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in)); + CBS in = *orig_in; *ber_found = 0; while (CBS_len(&in) > 0) { @@ -87,6 +82,10 @@ static int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) { !cbs_find_ber(&contents, ber_found, depth + 1)) { return 0; } + if (*ber_found) { + // We already found BER. No need to continue parsing. + return 1; + } } } diff --git a/Sources/CJWTKitBoringSSL/crypto/bytestring/cbb.c b/Sources/CJWTKitBoringSSL/crypto/bytestring/cbb.c index 4f6daec3..6a7a7472 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bytestring/cbb.c +++ b/Sources/CJWTKitBoringSSL/crypto/bytestring/cbb.c 
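Review bot: Lowering `kMaxDepth` from 2048 to 128 is a caller-visible behaviour change, not just a comment rewrite: `cbs_find_ber` returns 0 for any input nested deeper than 128 levels, so inputs that were previously accepted up to 2048 levels are now rejected by whatever BER-to-DER conversion wraps it. That is a sound bound on stack use, but the new comment should state the consequence, e.g. `// kMaxDepth limits the recursion depth to avoid overflowing the stack; inputs nested deeper than this are rejected (cbs_find_ber returns 0).` The early `return 1` once `*ber_found` is set in the third hunk is consistent with the documented contract that `|*ber_found|` has been set; `cbs_find_ber` continues past that hunk.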
@@ -155,6 +155,29 @@ static struct cbb_buffer_st *cbb_get_base(CBB *cbb) { return &cbb->u.base; } +static void cbb_on_error(CBB *cbb) { + // Due to C's lack of destructors and |CBB|'s auto-flushing API, a failing + // |CBB|-taking function may leave a dangling pointer to a child |CBB|. As a + // result, the convention is callers may not write to |CBB|s that have failed. + // But, as a safety measure, we lock the |CBB| into an error state. Once the + // error bit is set, |cbb->child| will not be read. + // + // TODO(davidben): This still isn't quite ideal. A |CBB| function *outside* + // this file may originate an error while the |CBB| points to a local child. + // In that case we don't set the error bit and are reliant on the error + // convention. Perhaps we allow |CBB_cleanup| on child |CBB|s and make every + // child's |CBB_cleanup| set the error bit if unflushed. That will be + // convenient for C++ callers, but very tedious for C callers. So C callers + // perhaps should get a |CBB_on_error| function that can be, less tediously, + // stuck in a |goto err| block. + cbb_get_base(cbb)->error = 1; + + // Clearing the pointer is not strictly necessary, but GCC's dangling pointer + // warning does not know |cbb->child| will not be read once |error| is set + // above. + cbb->child = NULL; +} + // CBB_flush recurses and then writes out any pending length prefix. The // current length of the underlying base is taken to be the length of the // length-prefixed data. @@ -244,7 +267,7 @@ int CBB_flush(CBB *cbb) { return 1; err: - base->error = 1; + cbb_on_error(cbb); return 0; } @@ -420,7 +443,7 @@ static int cbb_add_u(CBB *cbb, uint64_t v, size_t len_len) { // |v| must fit in |len_len| bytes. if (v != 0) { - cbb_get_base(cbb)->error = 1; + cbb_on_error(cbb); return 0; } 
@@ -479,7 +502,7 @@ int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) { int CBB_add_asn1_uint64_with_tag(CBB *cbb, uint64_t value, CBS_ASN1_TAG tag) { CBB child; if (!CBB_add_asn1(cbb, &child, tag)) { - return 0; + goto err; } int started = 0; @@ -493,21 +516,25 @@ int CBB_add_asn1_uint64_with_tag(CBB *cbb, uint64_t value, CBS_ASN1_TAG tag) { // If the high bit is set, add a padding byte to make it // unsigned. if ((byte & 0x80) && !CBB_add_u8(&child, 0)) { - return 0; + goto err; } started = 1; } if (!CBB_add_u8(&child, byte)) { - return 0; + goto err; } } // 0 is encoded as a single 0, not the empty string. if (!started && !CBB_add_u8(&child, 0)) { - return 0; + goto err; } return CBB_flush(cbb); + +err: + cbb_on_error(cbb); + return 0; } int CBB_add_asn1_int64(CBB *cbb, int64_t value) { @@ -529,14 +556,18 @@ int CBB_add_asn1_int64_with_tag(CBB *cbb, int64_t value, CBS_ASN1_TAG tag) { CBB child; if (!CBB_add_asn1(cbb, &child, tag)) { - return 0; + goto err; } for (int i = start; i >= 0; i--) { if (!CBB_add_u8(&child, bytes[i])) { - return 0; + goto err; } } return CBB_flush(cbb); + +err: + cbb_on_error(cbb); + return 0; } int CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data, size_t data_len) { @@ -544,6 +575,7 @@ int CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data, size_t data_len) { if (!CBB_add_asn1(cbb, &child, CBS_ASN1_OCTETSTRING) || !CBB_add_bytes(&child, data, data_len) || !CBB_flush(cbb)) { + cbb_on_error(cbb); return 0; } @@ -555,6 +587,7 @@ int CBB_add_asn1_bool(CBB *cbb, int value) { if (!CBB_add_asn1(cbb, &child, CBS_ASN1_BOOLEAN) || !CBB_add_u8(&child, value != 0 ? 0xff : 0) || !CBB_flush(cbb)) { + cbb_on_error(cbb); return 0; } 
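Review bot: In `CBB_add_asn1_uint64_with_tag` the new `goto err` after the failed `CBB_add_asn1` jumps forward past `int started = 0;` (and the `for (int i …)` loop) to the `err:` label added in the next hunk. C11 permits that because neither is a variably modified type, but GCC's `-Wjump-misses-init` flags it and the pattern is a maintenance hazard; declaring `int started = 0;` before the first `CBB_add_asn1` call avoids it at no cost. The same applies to `CBB_add_asn1_int64_with_tag`, whose `goto err` jumps past `for (int i = start; …)`.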
@@ -649,16 +682,13 @@ int CBB_flush_asn1_set_of(CBB *cbb) { if (num_children < 2) { return 1; // Nothing to do. This is the common case for X.509. } - if (num_children > ((size_t)-1) / sizeof(CBS)) { - return 0; // Overflow. - } // Parse out the children and sort. We alias them into a copy of so they // remain valid as we rewrite |cbb|. int ret = 0; size_t buf_len = CBB_len(cbb); uint8_t *buf = OPENSSL_memdup(CBB_data(cbb), buf_len); - CBS *children = OPENSSL_malloc(num_children * sizeof(CBS)); + CBS *children = OPENSSL_calloc(num_children, sizeof(CBS)); if (buf == NULL || children == NULL) { goto err; } diff --git a/Sources/CJWTKitBoringSSL/crypto/bytestring/cbs.c b/Sources/CJWTKitBoringSSL/crypto/bytestring/cbs.c index 8c2ca0ee..2ca3c562 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bytestring/cbs.c +++ b/Sources/CJWTKitBoringSSL/crypto/bytestring/cbs.c @@ -694,7 +694,7 @@ int CBS_is_unsigned_asn1_integer(const CBS *cbs) { static int add_decimal(CBB *out, uint64_t v) { char buf[DECIMAL_SIZE(uint64_t) + 1]; - BIO_snprintf(buf, sizeof(buf), "%" PRIu64, v); + snprintf(buf, sizeof(buf), "%" PRIu64, v); return CBB_add_bytes(out, (const uint8_t *)buf, strlen(buf)); } diff --git a/Sources/CJWTKitBoringSSL/crypto/bytestring/internal.h b/Sources/CJWTKitBoringSSL/crypto/bytestring/internal.h index 17652cf5..a417fbc1 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bytestring/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/bytestring/internal.h 
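Review bot: Removing the explicit `num_children > ((size_t)-1) / sizeof(CBS)` guard makes the multiplication-overflow check for the `children` array depend entirely on `OPENSSL_calloc`, whose definition is outside this diff; if it mirrors C `calloc` it does reject `nmemb * size` overflow, but the code should not leave that load-bearing assumption implicit. A comment at the allocation records the dependency: `// OPENSSL_calloc rejects num_children * sizeof(CBS) overflow, so no explicit guard is needed.` `CBB_flush_asn1_set_of` begins and ends outside this hunk.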
@@ -67,28 +67,6 @@ OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out, int CBB_finish_i2d(CBB *cbb, uint8_t **outp); -// Unicode utilities. - -// The following functions read one Unicode code point from |cbs| with the -// corresponding encoding and store it in |*out|. They return one on success and -// zero on error. -OPENSSL_EXPORT int cbs_get_utf8(CBS *cbs, uint32_t *out); -OPENSSL_EXPORT int cbs_get_latin1(CBS *cbs, uint32_t *out); -OPENSSL_EXPORT int cbs_get_ucs2_be(CBS *cbs, uint32_t *out); -OPENSSL_EXPORT int cbs_get_utf32_be(CBS *cbs, uint32_t *out); - -// cbb_get_utf8_len returns the number of bytes needed to represent |u| in -// UTF-8. -OPENSSL_EXPORT size_t cbb_get_utf8_len(uint32_t u); - -// The following functions encode |u| to |cbb| with the corresponding -// encoding. They return one on success and zero on error. -OPENSSL_EXPORT int cbb_add_utf8(CBB *cbb, uint32_t u); -OPENSSL_EXPORT int cbb_add_latin1(CBB *cbb, uint32_t u); -OPENSSL_EXPORT int cbb_add_ucs2_be(CBB *cbb, uint32_t u); -OPENSSL_EXPORT int cbb_add_utf32_be(CBB *cbb, uint32_t u); - - #if defined(__cplusplus) } // extern C #endif diff --git a/Sources/CJWTKitBoringSSL/crypto/bytestring/unicode.c b/Sources/CJWTKitBoringSSL/crypto/bytestring/unicode.c index 683edf77..1f12378b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/bytestring/unicode.c +++ b/Sources/CJWTKitBoringSSL/crypto/bytestring/unicode.c @@ -38,7 +38,7 @@ static int is_valid_code_point(uint32_t v) { // TOP_BITS returns a byte with the top |n| bits set. #define TOP_BITS(n) ((uint8_t)~BOTTOM_BITS(8 - (n))) -int cbs_get_utf8(CBS *cbs, uint32_t *out) { +int CBS_get_utf8(CBS *cbs, uint32_t *out) { uint8_t c; if (!CBS_get_u8(cbs, &c)) { return 0; @@ -80,7 +80,7 @@ int cbs_get_utf8(CBS *cbs, uint32_t *out) { return 1; } -int cbs_get_latin1(CBS *cbs, uint32_t *out) { +int CBS_get_latin1(CBS *cbs, uint32_t *out) { uint8_t c; if (!CBS_get_u8(cbs, &c)) { return 0; 
@@ -89,7 +89,7 @@ int cbs_get_latin1(CBS *cbs, uint32_t *out) { return 1; } -int cbs_get_ucs2_be(CBS *cbs, uint32_t *out) { +int CBS_get_ucs2_be(CBS *cbs, uint32_t *out) { // Note UCS-2 (used by BMPString) does not support surrogates. uint16_t c; if (!CBS_get_u16(cbs, &c) || @@ -100,11 +100,11 @@ int cbs_get_ucs2_be(CBS *cbs, uint32_t *out) { return 1; } -int cbs_get_utf32_be(CBS *cbs, uint32_t *out) { +int CBS_get_utf32_be(CBS *cbs, uint32_t *out) { return CBS_get_u32(cbs, out) && is_valid_code_point(*out); } -size_t cbb_get_utf8_len(uint32_t u) { +size_t CBB_get_utf8_len(uint32_t u) { if (u <= 0x7f) { return 1; } @@ -117,7 +117,7 @@ size_t cbb_get_utf8_len(uint32_t u) { return 4; } -int cbb_add_utf8(CBB *cbb, uint32_t u) { +int CBB_add_utf8(CBB *cbb, uint32_t u) { if (!is_valid_code_point(u)) { return 0; } @@ -142,14 +142,14 @@ int cbb_add_utf8(CBB *cbb, uint32_t u) { return 0; } -int cbb_add_latin1(CBB *cbb, uint32_t u) { +int CBB_add_latin1(CBB *cbb, uint32_t u) { return u <= 0xff && CBB_add_u8(cbb, (uint8_t)u); } -int cbb_add_ucs2_be(CBB *cbb, uint32_t u) { +int CBB_add_ucs2_be(CBB *cbb, uint32_t u) { return u <= 0xffff && is_valid_code_point(u) && CBB_add_u16(cbb, (uint16_t)u); } -int cbb_add_utf32_be(CBB *cbb, uint32_t u) { +int CBB_add_utf32_be(CBB *cbb, uint32_t u) { return is_valid_code_point(u) && CBB_add_u32(cbb, u); } diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv4-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv4-ios.ios.arm.S index 40890f0e..56cbd4cc 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv4-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv4-ios.ios.arm.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) #include @ Silence ARMv8 deprecated IT instruction warnings. This file is used by both @@ -39,49 +31,19 @@ Lsigma: .long 0x61707865,0x3320646e,0x79622d32,0x6b206574 @ endian-neutral Lone: .long 1,0,0,0 -#if __ARM_MAX_ARCH__>=7 -LOPENSSL_armcap: -.word OPENSSL_armcap_P-LChaCha20_ctr32 -#else -.word -1 -#endif -.globl _ChaCha20_ctr32 -.private_extern _ChaCha20_ctr32 +.globl _ChaCha20_ctr32_nohw +.private_extern _ChaCha20_ctr32_nohw #ifdef __thumb2__ -.thumb_func _ChaCha20_ctr32 +.thumb_func _ChaCha20_ctr32_nohw #endif .align 5 -_ChaCha20_ctr32: -LChaCha20_ctr32: +_ChaCha20_ctr32_nohw: ldr r12,[sp,#0] @ pull pointer to counter and nonce stmdb sp!,{r0,r1,r2,r4-r11,lr} -#if __ARM_ARCH__<7 && !defined(__thumb2__) - sub r14,pc,#16 @ _ChaCha20_ctr32 -#else - adr r14,LChaCha20_ctr32 -#endif - cmp r2,#0 @ len==0? -#ifdef __thumb2__ - itt eq -#endif - addeq sp,sp,#4*3 - beq Lno_data -#if __ARM_MAX_ARCH__>=7 - cmp r2,#192 @ test len - bls Lshort - ldr r4,[r14,#-32] - ldr r4,[r14,r4] -# ifdef __APPLE__ - ldr r4,[r4] -# endif - tst r4,#ARMV7_NEON - bne LChaCha20_neon -Lshort: -#endif + adr r14,Lsigma ldmia r12,{r4,r5,r6,r7} @ load counter and nonce sub sp,sp,#4*(16) @ off-load area - sub r14,r14,#64 @ Lsigma stmdb sp!,{r4,r5,r6,r7} @ copy counter and nonce ldmia r3,{r4,r5,r6,r7,r8,r9,r10,r11} @ load key ldmia r14,{r0,r1,r2,r3} @ load sigma 
@@ -242,8 +204,8 @@ Loop: ldr r8,[sp,#4*(0)] @ load key material ldr r9,[sp,#4*(1)] -#if __ARM_ARCH__>=6 || !defined(__ARMEB__) -# if __ARM_ARCH__<7 +#if __ARM_ARCH>=6 || !defined(__ARMEB__) +# if __ARM_ARCH<7 orr r10,r12,r14 tst r10,#3 @ are input and output aligned? ldr r10,[sp,#4*(2)] @@ -269,7 +231,7 @@ Loop: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r0,r0 rev r1,r1 rev r2,r2 @@ -306,7 +268,7 @@ Loop: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r4,r4 rev r5,r5 rev r6,r6 @@ -351,7 +313,7 @@ Loop: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r0,r0 rev r1,r1 rev r2,r2 @@ -393,7 +355,7 @@ Loop: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r4,r4 rev r5,r5 rev r6,r6 @@ -424,7 +386,7 @@ Loop: bhi Loop_outer beq Ldone -# if __ARM_ARCH__<7 +# if __ARM_ARCH<7 b Ltail .align 4 @@ -432,7 +394,7 @@ Lunaligned:@ unaligned endian-neutral path cmp r11,#64 @ restore flags # endif #endif -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldr r11,[sp,#4*(3)] add r0,r0,r8 @ accumulate key material add r1,r1,r9 @@ -808,21 +770,21 @@ Loop_tail: Ldone: add sp,sp,#4*(32+3) -Lno_data: ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} #if __ARM_MAX_ARCH__>=7 +.globl _ChaCha20_ctr32_neon +.private_extern _ChaCha20_ctr32_neon #ifdef __thumb2__ -.thumb_func ChaCha20_neon +.thumb_func _ChaCha20_ctr32_neon #endif .align 5 -ChaCha20_neon: +_ChaCha20_ctr32_neon: ldr r12,[sp,#0] @ pull pointer to counter and nonce stmdb sp!,{r0,r1,r2,r4-r11,lr} -LChaCha20_neon: adr r14,Lsigma vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI spec says so stmdb sp!,{r0,r1,r2,r3} 
@@ -1491,17 +1453,8 @@ Ldone_neon: add sp,sp,#4*(16+3) ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv4-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv4-linux.linux.arm.S index 25b94f8f..80f9f36b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv4-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv4-linux.linux.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) #include @ Silence ARMv8 deprecated IT instruction warnings. This file is used by both 
@@ -39,47 +31,17 @@ .long 0x61707865,0x3320646e,0x79622d32,0x6b206574 @ endian-neutral .Lone: .long 1,0,0,0 -#if __ARM_MAX_ARCH__>=7 -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.LChaCha20_ctr32 -#else -.word -1 -#endif -.globl ChaCha20_ctr32 -.hidden ChaCha20_ctr32 -.type ChaCha20_ctr32,%function +.globl ChaCha20_ctr32_nohw +.hidden ChaCha20_ctr32_nohw +.type ChaCha20_ctr32_nohw,%function .align 5 -ChaCha20_ctr32: -.LChaCha20_ctr32: +ChaCha20_ctr32_nohw: ldr r12,[sp,#0] @ pull pointer to counter and nonce stmdb sp!,{r0,r1,r2,r4-r11,lr} -#if __ARM_ARCH__<7 && !defined(__thumb2__) - sub r14,pc,#16 @ ChaCha20_ctr32 -#else - adr r14,.LChaCha20_ctr32 -#endif - cmp r2,#0 @ len==0? -#ifdef __thumb2__ - itt eq -#endif - addeq sp,sp,#4*3 - beq .Lno_data -#if __ARM_MAX_ARCH__>=7 - cmp r2,#192 @ test len - bls .Lshort - ldr r4,[r14,#-32] - ldr r4,[r14,r4] -# ifdef __APPLE__ - ldr r4,[r4] -# endif - tst r4,#ARMV7_NEON - bne .LChaCha20_neon -.Lshort: -#endif + adr r14,.Lsigma ldmia r12,{r4,r5,r6,r7} @ load counter and nonce sub sp,sp,#4*(16) @ off-load area - sub r14,r14,#64 @ .Lsigma stmdb sp!,{r4,r5,r6,r7} @ copy counter and nonce ldmia r3,{r4,r5,r6,r7,r8,r9,r10,r11} @ load key ldmia r14,{r0,r1,r2,r3} @ load sigma @@ -240,8 +202,8 @@ ChaCha20_ctr32: ldr r8,[sp,#4*(0)] @ load key material ldr r9,[sp,#4*(1)] -#if __ARM_ARCH__>=6 || !defined(__ARMEB__) -# if __ARM_ARCH__<7 +#if __ARM_ARCH>=6 || !defined(__ARMEB__) +# if __ARM_ARCH<7 orr r10,r12,r14 tst r10,#3 @ are input and output aligned? ldr r10,[sp,#4*(2)] @@ -267,7 +229,7 @@ ChaCha20_ctr32: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r0,r0 rev r1,r1 rev r2,r2 @@ -304,7 +266,7 @@ ChaCha20_ctr32: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r4,r4 rev r5,r5 rev r6,r6 
@@ -349,7 +311,7 @@ ChaCha20_ctr32: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r0,r0 rev r1,r1 rev r2,r2 @@ -391,7 +353,7 @@ ChaCha20_ctr32: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r4,r4 rev r5,r5 rev r6,r6 @@ -422,7 +384,7 @@ ChaCha20_ctr32: bhi .Loop_outer beq .Ldone -# if __ARM_ARCH__<7 +# if __ARM_ARCH<7 b .Ltail .align 4 @@ -430,7 +392,7 @@ ChaCha20_ctr32: cmp r11,#64 @ restore flags # endif #endif -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldr r11,[sp,#4*(3)] add r0,r0,r8 @ accumulate key material add r1,r1,r9 @@ -806,19 +768,19 @@ ChaCha20_ctr32: .Ldone: add sp,sp,#4*(32+3) -.Lno_data: ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} -.size ChaCha20_ctr32,.-ChaCha20_ctr32 +.size ChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw #if __ARM_MAX_ARCH__>=7 .arch armv7-a .fpu neon -.type ChaCha20_neon,%function +.globl ChaCha20_ctr32_neon +.hidden ChaCha20_ctr32_neon +.type ChaCha20_ctr32_neon,%function .align 5 -ChaCha20_neon: +ChaCha20_ctr32_neon: ldr r12,[sp,#0] @ pull pointer to counter and nonce stmdb sp!,{r0,r1,r2,r4-r11,lr} -.LChaCha20_neon: adr r14,.Lsigma vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI spec says so stmdb sp!,{r0,r1,r2,r3} @@ -1486,14 +1448,9 @@ ChaCha20_neon: vldmia sp,{d8,d9,d10,d11,d12,d13,d14,d15} add sp,sp,#4*(16+3) ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} -.size ChaCha20_neon,.-ChaCha20_neon -.comm OPENSSL_armcap_P,4,4 -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits +.size ChaCha20_ctr32_neon,.-ChaCha20_ctr32_neon #endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8-ios.ios.aarch64.S index e61082da..bcbc0fe8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8-ios.ios.aarch64.S @@ -3,22 +3,11 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include - -.private_extern _OPENSSL_armcap_P - .section __TEXT,__const .align 5 @@ -31,25 +20,11 @@ Lone: .text -.globl _ChaCha20_ctr32 -.private_extern _ChaCha20_ctr32 +.globl _ChaCha20_ctr32_nohw +.private_extern _ChaCha20_ctr32_nohw .align 5 -_ChaCha20_ctr32: - AARCH64_VALID_CALL_TARGET - cbz x2,Labort -#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 - adrp x5,:pg_hi21_nc:_OPENSSL_armcap_P -#else - adrp x5,_OPENSSL_armcap_P@PAGE -#endif - cmp x2,#192 - b.lo Lshort - ldr w17,[x5,_OPENSSL_armcap_P@PAGEOFF] - tst w17,#ARMV7_NEON - b.ne ChaCha20_neon - -Lshort: +_ChaCha20_ctr32_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 @@ -264,7 +239,6 @@ Loop: ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#96 AARCH64_VALIDATE_LINK_REGISTER -Labort: ret .align 4 @@ -324,9 +298,11 @@ Loop_tail: ret +.globl _ChaCha20_ctr32_neon +.private_extern _ChaCha20_ctr32_neon .align 5 -ChaCha20_neon: +_ChaCha20_ctr32_neon: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 
@@ -1991,11 +1967,7 @@ Ldone_512_neon: AARCH64_VALIDATE_LINK_REGISTER ret -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8-linux.linux.aarch64.S index 389e545a..cb282cf4 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8-linux.linux.aarch64.S @@ -3,22 +3,11 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include - -.hidden OPENSSL_armcap_P - .section .rodata .align 5 
@@ -31,25 +20,11 @@ .text -.globl ChaCha20_ctr32 -.hidden ChaCha20_ctr32 -.type ChaCha20_ctr32,%function +.globl ChaCha20_ctr32_nohw +.hidden ChaCha20_ctr32_nohw +.type ChaCha20_ctr32_nohw,%function .align 5 -ChaCha20_ctr32: - AARCH64_VALID_CALL_TARGET - cbz x2,.Labort -#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 - adrp x5,:pg_hi21_nc:OPENSSL_armcap_P -#else - adrp x5,OPENSSL_armcap_P -#endif - cmp x2,#192 - b.lo .Lshort - ldr w17,[x5,:lo12:OPENSSL_armcap_P] - tst w17,#ARMV7_NEON - b.ne ChaCha20_neon - -.Lshort: +ChaCha20_ctr32_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 @@ -264,7 +239,6 @@ ChaCha20_ctr32: ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#96 AARCH64_VALIDATE_LINK_REGISTER -.Labort: ret .align 4 @@ -322,11 +296,13 @@ ChaCha20_ctr32: ldp x29,x30,[sp],#96 AARCH64_VALIDATE_LINK_REGISTER ret -.size ChaCha20_ctr32,.-ChaCha20_ctr32 +.size ChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw -.type ChaCha20_neon,%function +.globl ChaCha20_ctr32_neon +.hidden ChaCha20_ctr32_neon +.type ChaCha20_ctr32_neon,%function .align 5 -ChaCha20_neon: +ChaCha20_ctr32_neon: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 @@ -820,7 +796,7 @@ ChaCha20_neon: ldp x29,x30,[sp],#96 AARCH64_VALIDATE_LINK_REGISTER ret -.size ChaCha20_neon,.-ChaCha20_neon +.size ChaCha20_ctr32_neon,.-ChaCha20_ctr32_neon .type ChaCha20_512_neon,%function .align 5 ChaCha20_512_neon: @@ -1991,11 +1967,7 @@ ChaCha20_512_neon: AARCH64_VALIDATE_LINK_REGISTER ret .size ChaCha20_512_neon,.-ChaCha20_512_neon -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86-linux.linux.x86.S index c3aeca53..5f906df7 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86-linux.linux.x86.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl ChaCha20_ctr32 .hidden ChaCha20_ctr32 @@ -979,11 +972,7 @@ ChaCha20_ssse3: .byte 44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32 .byte 60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111 .byte 114,103,62,0 -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64-linux.linux.x86_64.S index 3a0c66a0..88e7df37 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64-linux.linux.x86_64.S 
@@ -3,21 +3,11 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P - .section .rodata .align 64 .Lzero: @@ -49,18 +39,13 @@ .long 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 .byte 67,104,97,67,104,97,50,48,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text -.globl ChaCha20_ctr32 -.hidden ChaCha20_ctr32 -.type ChaCha20_ctr32,@function +.globl ChaCha20_ctr32_nohw +.hidden ChaCha20_ctr32_nohw +.type ChaCha20_ctr32_nohw,@function .align 64 -ChaCha20_ctr32: +ChaCha20_ctr32_nohw: .cfi_startproc - cmpq $0,%rdx - je .Lno_data - movq OPENSSL_ia32cap_P+4(%rip),%r10 - testl $512,%r10d - jnz .LChaCha20_ssse3 - +_CET_ENDBR pushq %rbx .cfi_adjust_cfa_offset 8 .cfi_offset rbx,-16 @@ -335,20 +320,18 @@ ChaCha20_ctr32: leaq (%rsi),%rsp .cfi_adjust_cfa_offset -136 .Lno_data: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size ChaCha20_ctr32,.-ChaCha20_ctr32 -.type ChaCha20_ssse3,@function +.size ChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw +.globl ChaCha20_ctr32_ssse3 +.hidden ChaCha20_ctr32_ssse3 +.type ChaCha20_ctr32_ssse3,@function .align 32 -ChaCha20_ssse3: -.LChaCha20_ssse3: +ChaCha20_ctr32_ssse3: .cfi_startproc +_CET_ENDBR movq %rsp,%r9 .cfi_def_cfa_register r9 - cmpq $128,%rdx - ja .LChaCha20_4x - -.Ldo_sse3_after_all: subq $64+8,%rsp movdqa .Lsigma(%rip),%xmm0 movdqu (%rcx),%xmm1 
@@ -472,28 +455,19 @@ ChaCha20_ssse3: leaq (%r9),%rsp .cfi_def_cfa_register rsp .Lssse3_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size ChaCha20_ssse3,.-ChaCha20_ssse3 -.type ChaCha20_4x,@function +.size ChaCha20_ctr32_ssse3,.-ChaCha20_ctr32_ssse3 +.globl ChaCha20_ctr32_ssse3_4x +.hidden ChaCha20_ctr32_ssse3_4x +.type ChaCha20_ctr32_ssse3_4x,@function .align 32 -ChaCha20_4x: -.LChaCha20_4x: +ChaCha20_ctr32_ssse3_4x: .cfi_startproc +_CET_ENDBR movq %rsp,%r9 .cfi_def_cfa_register r9 movq %r10,%r11 - shrq $32,%r10 - testq $32,%r10 - jnz .LChaCha20_8x - cmpq $192,%rdx - ja .Lproceed4x - - andq $71303168,%r11 - cmpq $4194304,%r11 - je .Ldo_sse3_after_all - -.Lproceed4x: subq $0x140+8,%rsp movdqa .Lsigma(%rip),%xmm11 movdqu (%rcx),%xmm15 @@ -1024,14 +998,16 @@ ChaCha20_4x: leaq (%r9),%rsp .cfi_def_cfa_register rsp .L4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size ChaCha20_4x,.-ChaCha20_4x -.type ChaCha20_8x,@function +.size ChaCha20_ctr32_ssse3_4x,.-ChaCha20_ctr32_ssse3_4x +.globl ChaCha20_ctr32_avx2 +.hidden ChaCha20_ctr32_avx2 +.type ChaCha20_ctr32_avx2,@function .align 32 -ChaCha20_8x: -.LChaCha20_8x: +ChaCha20_ctr32_avx2: .cfi_startproc +_CET_ENDBR movq %rsp,%r9 .cfi_def_cfa_register r9 subq $0x280+8,%rsp @@ -1630,13 +1606,9 @@ ChaCha20_8x: leaq (%r9),%rsp .cfi_def_cfa_register rsp .L8x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size ChaCha20_8x,.-ChaCha20_8x -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits +.size ChaCha20_ctr32_avx2,.-ChaCha20_ctr32_avx2 #endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64-mac.mac.x86_64.S index a88d6375..959944d9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64-mac.mac.x86_64.S 
+++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64-mac.mac.x86_64.S @@ -3,20 +3,11 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - - .section __DATA,__const .p2align 6 L$zero: @@ -48,18 +39,13 @@ L$sixteen: .long 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 .byte 67,104,97,67,104,97,50,48,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text -.globl _ChaCha20_ctr32 -.private_extern _ChaCha20_ctr32 +.globl _ChaCha20_ctr32_nohw +.private_extern _ChaCha20_ctr32_nohw .p2align 6 -_ChaCha20_ctr32: - - cmpq $0,%rdx - je L$no_data - movq _OPENSSL_ia32cap_P+4(%rip),%r10 - testl $512,%r10d - jnz L$ChaCha20_ssse3 +_ChaCha20_ctr32_nohw: +_CET_ENDBR pushq %rbx pushq %rbp @@ -328,20 +314,18 @@ L$done: leaq (%rsi),%rsp L$no_data: - .byte 0xf3,0xc3 + ret +.globl _ChaCha20_ctr32_ssse3 +.private_extern _ChaCha20_ctr32_ssse3 .p2align 5 -ChaCha20_ssse3: -L$ChaCha20_ssse3: +_ChaCha20_ctr32_ssse3: +_CET_ENDBR movq %rsp,%r9 - cmpq $128,%rdx - ja L$ChaCha20_4x - -L$do_sse3_after_all: subq $64+8,%rsp movdqa L$sigma(%rip),%xmm0 movdqu (%rcx),%xmm1 
@@ -465,28 +449,19 @@ L$done_ssse3: leaq (%r9),%rsp L$ssse3_epilogue: - .byte 0xf3,0xc3 + ret +.globl _ChaCha20_ctr32_ssse3_4x +.private_extern _ChaCha20_ctr32_ssse3_4x .p2align 5 -ChaCha20_4x: -L$ChaCha20_4x: +_ChaCha20_ctr32_ssse3_4x: +_CET_ENDBR movq %rsp,%r9 movq %r10,%r11 - shrq $32,%r10 - testq $32,%r10 - jnz L$ChaCha20_8x - cmpq $192,%rdx - ja L$proceed4x - - andq $71303168,%r11 - cmpq $4194304,%r11 - je L$do_sse3_after_all - -L$proceed4x: subq $0x140+8,%rsp movdqa L$sigma(%rip),%xmm11 movdqu (%rcx),%xmm15 @@ -1017,14 +992,16 @@ L$done4x: leaq (%r9),%rsp L$4x_epilogue: - .byte 0xf3,0xc3 + ret +.globl _ChaCha20_ctr32_avx2 +.private_extern _ChaCha20_ctr32_avx2 .p2align 5 -ChaCha20_8x: -L$ChaCha20_8x: +_ChaCha20_ctr32_avx2: +_CET_ENDBR movq %rsp,%r9 subq $0x280+8,%rsp @@ -1623,13 +1600,9 @@ L$done8x: leaq (%r9),%rsp L$8x_epilogue: - .byte 0xf3,0xc3 + ret -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha.c b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha.c index 54359688..3bbd6500 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha.c +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha.c 
@@ -60,7 +60,40 @@ void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32], OPENSSL_memcpy(&out[16], &x[12], sizeof(uint32_t) * 4); } -#if defined(CHACHA20_ASM) +#if defined(CHACHA20_ASM_NOHW) +static void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len, + const uint32_t key[8], const uint32_t counter[4]) { +#if defined(CHACHA20_ASM_NEON) + if (ChaCha20_ctr32_neon_capable(in_len)) { + ChaCha20_ctr32_neon(out, in, in_len, key, counter); + return; + } +#endif +#if defined(CHACHA20_ASM_AVX2) + if (ChaCha20_ctr32_avx2_capable(in_len)) { + ChaCha20_ctr32_avx2(out, in, in_len, key, counter); + return; + } +#endif +#if defined(CHACHA20_ASM_SSSE3_4X) + if (ChaCha20_ctr32_ssse3_4x_capable(in_len)) { + ChaCha20_ctr32_ssse3_4x(out, in, in_len, key, counter); + return; + } +#endif +#if defined(CHACHA20_ASM_SSSE3) + if (ChaCha20_ctr32_ssse3_capable(in_len)) { + ChaCha20_ctr32_ssse3(out, in, in_len, key, counter); + return; + } +#endif + if (in_len > 0) { + ChaCha20_ctr32_nohw(out, in, in_len, key, counter); + } +} +#endif + +#if defined(CHACHA20_ASM) || defined(CHACHA20_ASM_NOHW) void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len, const uint8_t key[32], const uint8_t nonce[12], 
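Review bot: The new static `ChaCha20_ctr32` dispatcher has no comment, and two details of it are load-bearing in ways a later edit could break without any test noticing: the branch order and the final `if (in_len > 0)` guard. Both `ChaCha20_ctr32_ssse3_4x_capable` and `ChaCha20_ctr32_ssse3_capable` accept any `len > 128` (see crypto/chacha/internal.h in this same patch), so the 4x branch must be tested first or it silently becomes unreachable; and the guard is a precondition rather than an optimization, because `ChaCha20_ctr32_nohw` is documented in internal.h as requiring a nonzero `in_len`. I would add above the function: `// Dispatch to the fastest variant this CPU supports. Order matters: the two SSSE3 predicates share the len > 128 threshold, so ssse3_4x must be tried before ssse3. ChaCha20_ctr32_nohw requires |in_len| > 0, hence the final guard.` The function is contained entirely within the hunk.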
@@ -91,7 +124,25 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len, } #endif - ChaCha20_ctr32(out, in, in_len, key_ptr, counter_nonce); + while (in_len > 0) { + // The assembly functions do not have defined overflow behavior. While + // overflow is almost always a bug in the caller, we prefer our functions to + // behave the same across platforms, so divide into multiple calls to avoid + // this case. + uint64_t todo = 64 * ((UINT64_C(1) << 32) - counter_nonce[0]); + if (todo > in_len) { + todo = in_len; + } + + ChaCha20_ctr32(out, in, (size_t)todo, key_ptr, counter_nonce); + in += todo; + out += todo; + in_len -= todo; + + // We're either done and will next break out of the loop, or we stopped at + // the wraparound point and the counter should continue at zero. + counter_nonce[0] = 0; + } } #else diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/internal.h b/Sources/CJWTKitBoringSSL/crypto/chacha/internal.h index 367378cc..7c401cd0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/internal.h @@ -17,6 +17,8 @@ #include +#include "../internal.h" + #if defined(__cplusplus) extern "C" { #endif 
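Review bot: The wraparound loop makes the 32-bit counter overflow deterministic but not safe, and nothing in the hunk tells callers so. Once `counter_nonce[0]` is reset to zero and `in_len` is still nonzero, the next iteration encrypts with blocks 0, 1, ... under the same key and nonce, which is keystream reuse; for a caller that started at counter 1 it would additionally emit block 0, which such constructions typically reserve for a derived MAC key (inferred, not visible here). The new comment already calls overflow a caller bug, so I would state the limit where callers can see it, e.g. extend the comment with `// Callers must keep |in_len| <= 64 * (2^32 - counter) bytes per (key, nonce); exceeding it repeats keystream from block 0.` The enclosing `CRYPTO_chacha_20` starts before this hunk, so its header comment is the other candidate location.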
@@ -27,16 +29,67 @@ extern "C" { void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32], const uint8_t nonce[16]); -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \ - defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) + #define CHACHA20_ASM -// ChaCha20_ctr32 is defined in asm/chacha-*.pl. +#elif !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) + +#define CHACHA20_ASM_NOHW + +#define CHACHA20_ASM_NEON +OPENSSL_INLINE int ChaCha20_ctr32_neon_capable(size_t len) { + return (len >= 192) && CRYPTO_is_NEON_capable(); +} +void ChaCha20_ctr32_neon(uint8_t *out, const uint8_t *in, size_t in_len, + const uint32_t key[8], const uint32_t counter[4]); +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) +#define CHACHA20_ASM_NOHW + +#define CHACHA20_ASM_AVX2 +OPENSSL_INLINE int ChaCha20_ctr32_avx2_capable(size_t len) { + return (len > 128) && CRYPTO_is_AVX2_capable(); +} +void ChaCha20_ctr32_avx2(uint8_t *out, const uint8_t *in, size_t in_len, + const uint32_t key[8], const uint32_t counter[4]); + +#define CHACHA20_ASM_SSSE3_4X +OPENSSL_INLINE int ChaCha20_ctr32_ssse3_4x_capable(size_t len) { + int capable = (len > 128) && CRYPTO_is_SSSE3_capable(); + int faster = (len > 192) || !CRYPTO_cpu_perf_is_like_silvermont(); + return capable && faster; +} +void ChaCha20_ctr32_ssse3_4x(uint8_t *out, const uint8_t *in, size_t in_len, + const uint32_t key[8], const uint32_t counter[4]); + +#define CHACHA20_ASM_SSSE3 +OPENSSL_INLINE int ChaCha20_ctr32_ssse3_capable(size_t len) { + return (len > 128) && CRYPTO_is_SSSE3_capable(); +} +void ChaCha20_ctr32_ssse3(uint8_t *out, const uint8_t *in, size_t in_len, + const uint32_t key[8], const uint32_t counter[4]); +#endif + +#if defined(CHACHA20_ASM) +// ChaCha20_ctr32 encrypts |in_len| bytes from |in| and writes the result to +// |out|. If |in| and |out| alias, they must be equal. 
+// +// |counter[0]| is the initial 32-bit block counter, and the remainder is the +// 96-bit nonce. If the counter overflows, the output is undefined. The function +// will produce output, but the output may vary by machine and may not be +// self-consistent. (On some architectures, the assembly implements a mix of +// 64-bit and 32-bit counters.) void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len, const uint32_t key[8], const uint32_t counter[4]); #endif +#if defined(CHACHA20_ASM_NOHW) +// ChaCha20_ctr32_nohw is like |ChaCha20_ctr32| except |in_len| must be nonzero. +void ChaCha20_ctr32_nohw(uint8_t *out, const uint8_t *in, size_t in_len, + const uint32_t key[8], const uint32_t counter[4]); +#endif + #if defined(__cplusplus) } // extern C diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.linux.x86_64.S index 8a454ee5..9d72b5d4 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .section .rodata .align 16 @@ -71,7 +64,7 @@ GFMUL: vpxor %xmm4,%xmm3,%xmm2 vpxor %xmm5,%xmm2,%xmm0 - .byte 0xf3,0xc3 + ret .cfi_endproc .size GFMUL, .-GFMUL .globl aesgcmsiv_htable_init @@ -80,6 +73,7 @@ GFMUL: .align 16 aesgcmsiv_htable_init: .cfi_startproc +_CET_ENDBR vmovdqa (%rsi),%xmm0 vmovdqa %xmm0,%xmm1 vmovdqa %xmm0,(%rdi) 
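Review bot: The four new variant declarations (`ChaCha20_ctr32_neon`, `_avx2`, `_ssse3_4x`, `_ssse3`) carry no contract comment, while `ChaCha20_ctr32_nohw` right below them does. The contract matters more than before: the x86-64 assembly in this patch drops its own `cmpq $128,%rdx` / `testl $512,%r10d` / `OPENSSL_ia32cap_P` dispatch, so each routine is now only safe to call when its `*_capable(len)` predicate has returned true, and a CPU-feature or length mismatch is a caller bug rather than something the asm falls back from. I would add one comment above the first `#elif`: `// Each ChaCha20_ctr32_<variant> below may only be called when the matching <variant>_capable(len) predicate returns true; the assembly no longer checks CPU features or input length itself. The predicates also exclude |in_len| == 0.` Every declaration the hunk adds is complete within it; only its trailing context runs into the `extern "C"` closer.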
@@ -97,7 +91,7 @@ aesgcmsiv_htable_init: vmovdqa %xmm0,96(%rdi) call GFMUL vmovdqa %xmm0,112(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesgcmsiv_htable_init, .-aesgcmsiv_htable_init .globl aesgcmsiv_htable6_init @@ -106,6 +100,7 @@ aesgcmsiv_htable_init: .align 16 aesgcmsiv_htable6_init: .cfi_startproc +_CET_ENDBR vmovdqa (%rsi),%xmm0 vmovdqa %xmm0,%xmm1 vmovdqa %xmm0,(%rdi) @@ -119,7 +114,7 @@ aesgcmsiv_htable6_init: vmovdqa %xmm0,64(%rdi) call GFMUL vmovdqa %xmm0,80(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesgcmsiv_htable6_init, .-aesgcmsiv_htable6_init .globl aesgcmsiv_htable_polyval @@ -128,9 +123,10 @@ aesgcmsiv_htable6_init: .align 16 aesgcmsiv_htable_polyval: .cfi_startproc +_CET_ENDBR testq %rdx,%rdx jnz .Lhtable_polyval_start - .byte 0xf3,0xc3 + ret .Lhtable_polyval_start: vzeroall @@ -336,7 +332,7 @@ aesgcmsiv_htable_polyval: vmovdqu %xmm1,(%rcx) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesgcmsiv_htable_polyval,.-aesgcmsiv_htable_polyval .globl aesgcmsiv_polyval_horner @@ -345,9 +341,10 @@ aesgcmsiv_htable_polyval: .align 16 aesgcmsiv_polyval_horner: .cfi_startproc +_CET_ENDBR testq %rcx,%rcx jnz .Lpolyval_horner_start - .byte 0xf3,0xc3 + ret .Lpolyval_horner_start: @@ -369,7 +366,7 @@ aesgcmsiv_polyval_horner: vmovdqa %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesgcmsiv_polyval_horner,.-aesgcmsiv_polyval_horner .globl aes128gcmsiv_aes_ks @@ -378,6 +375,7 @@ aesgcmsiv_polyval_horner: .align 16 aes128gcmsiv_aes_ks: .cfi_startproc +_CET_ENDBR vmovdqu (%rdi),%xmm1 vmovdqa %xmm1,(%rsi) @@ -425,7 +423,7 @@ aes128gcmsiv_aes_ks: vpxor %xmm3,%xmm1,%xmm1 vpxor %xmm2,%xmm1,%xmm1 vmovdqa %xmm1,32(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_aes_ks,.-aes128gcmsiv_aes_ks .globl aes256gcmsiv_aes_ks @@ -434,6 +432,7 @@ aes128gcmsiv_aes_ks: .align 16 aes256gcmsiv_aes_ks: .cfi_startproc +_CET_ENDBR vmovdqu (%rdi),%xmm1 vmovdqu 16(%rdi),%xmm3 vmovdqa %xmm1,(%rsi) 
@@ -473,7 +472,7 @@ aes256gcmsiv_aes_ks: vpxor %xmm4,%xmm1,%xmm1 vpxor %xmm2,%xmm1,%xmm1 vmovdqa %xmm1,32(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .globl aes128gcmsiv_aes_ks_enc_x1 .hidden aes128gcmsiv_aes_ks_enc_x1 @@ -481,6 +480,7 @@ aes256gcmsiv_aes_ks: .align 16 aes128gcmsiv_aes_ks_enc_x1: .cfi_startproc +_CET_ENDBR vmovdqa (%rcx),%xmm1 vmovdqa 0(%rdi),%xmm4 @@ -614,7 +614,7 @@ aes128gcmsiv_aes_ks_enc_x1: vmovdqa %xmm4,0(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_aes_ks_enc_x1,.-aes128gcmsiv_aes_ks_enc_x1 .globl aes128gcmsiv_kdf @@ -623,6 +623,7 @@ aes128gcmsiv_aes_ks_enc_x1: .align 16 aes128gcmsiv_kdf: .cfi_startproc +_CET_ENDBR @@ -707,7 +708,7 @@ aes128gcmsiv_kdf: vmovdqa %xmm10,16(%rsi) vmovdqa %xmm11,32(%rsi) vmovdqa %xmm12,48(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_kdf,.-aes128gcmsiv_kdf .globl aes128gcmsiv_enc_msg_x4 @@ -716,9 +717,10 @@ aes128gcmsiv_kdf: .align 16 aes128gcmsiv_enc_msg_x4: .cfi_startproc +_CET_ENDBR testq %r8,%r8 jnz .L128_enc_msg_x4_start - .byte 0xf3,0xc3 + ret .L128_enc_msg_x4_start: pushq %r12 @@ -886,7 +888,7 @@ aes128gcmsiv_enc_msg_x4: popq %r12 .cfi_adjust_cfa_offset -8 .cfi_restore %r12 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_enc_msg_x4,.-aes128gcmsiv_enc_msg_x4 .globl aes128gcmsiv_enc_msg_x8 @@ -895,9 +897,10 @@ aes128gcmsiv_enc_msg_x4: .align 16 aes128gcmsiv_enc_msg_x8: .cfi_startproc +_CET_ENDBR testq %r8,%r8 jnz .L128_enc_msg_x8_start - .byte 0xf3,0xc3 + ret .L128_enc_msg_x8_start: pushq %r12 @@ -1147,7 +1150,7 @@ aes128gcmsiv_enc_msg_x8: popq %r12 .cfi_adjust_cfa_offset -8 .cfi_restore %r12 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_enc_msg_x8,.-aes128gcmsiv_enc_msg_x8 .globl aes128gcmsiv_dec 
@@ -1156,21 +1159,23 @@ aes128gcmsiv_enc_msg_x8: .align 16 aes128gcmsiv_dec: .cfi_startproc +_CET_ENDBR testq $~15,%r9 jnz .L128_dec_start - .byte 0xf3,0xc3 + ret .L128_dec_start: vzeroupper vmovdqa (%rdx),%xmm0 + + + vmovdqu 16(%rdx),%xmm15 + vpor OR_MASK(%rip),%xmm15,%xmm15 movq %rdx,%rax leaq 32(%rax),%rax leaq 32(%rcx),%rcx - - vmovdqu (%rdi,%r9,1),%xmm15 - vpor OR_MASK(%rip),%xmm15,%xmm15 andq $~15,%r9 @@ -1639,7 +1644,7 @@ aes128gcmsiv_dec: .L128_dec_out: vmovdqu %xmm0,(%rdx) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_dec, .-aes128gcmsiv_dec .globl aes128gcmsiv_ecb_enc_block @@ -1648,6 +1653,7 @@ aes128gcmsiv_dec: .align 16 aes128gcmsiv_ecb_enc_block: .cfi_startproc +_CET_ENDBR vmovdqa (%rdi),%xmm1 vpxor (%rdx),%xmm1,%xmm1 @@ -1664,7 +1670,7 @@ aes128gcmsiv_ecb_enc_block: vmovdqa %xmm1,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_ecb_enc_block,.-aes128gcmsiv_ecb_enc_block .globl aes256gcmsiv_aes_ks_enc_x1 @@ -1673,6 +1679,7 @@ aes128gcmsiv_ecb_enc_block: .align 16 aes256gcmsiv_aes_ks_enc_x1: .cfi_startproc +_CET_ENDBR vmovdqa con1(%rip),%xmm0 vmovdqa mask(%rip),%xmm15 vmovdqa (%rdi),%xmm8 @@ -1847,7 +1854,7 @@ aes256gcmsiv_aes_ks_enc_x1: vmovdqu %xmm1,224(%rdx) vmovdqa %xmm8,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_aes_ks_enc_x1,.-aes256gcmsiv_aes_ks_enc_x1 .globl aes256gcmsiv_ecb_enc_block @@ -1856,6 +1863,7 @@ aes256gcmsiv_aes_ks_enc_x1: .align 16 aes256gcmsiv_ecb_enc_block: .cfi_startproc +_CET_ENDBR vmovdqa (%rdi),%xmm1 vpxor (%rdx),%xmm1,%xmm1 vaesenc 16(%rdx),%xmm1,%xmm1 @@ -1873,7 +1881,7 @@ aes256gcmsiv_ecb_enc_block: vaesenc 208(%rdx),%xmm1,%xmm1 vaesenclast 224(%rdx),%xmm1,%xmm1 vmovdqa %xmm1,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_ecb_enc_block,.-aes256gcmsiv_ecb_enc_block .globl aes256gcmsiv_enc_msg_x4 
@@ -1882,9 +1890,10 @@ aes256gcmsiv_ecb_enc_block: .align 16 aes256gcmsiv_enc_msg_x4: .cfi_startproc +_CET_ENDBR testq %r8,%r8 jnz .L256_enc_msg_x4_start - .byte 0xf3,0xc3 + ret .L256_enc_msg_x4_start: movq %r8,%r10 @@ -2074,7 +2083,7 @@ aes256gcmsiv_enc_msg_x4: jne .L256_enc_msg_x4_loop2 .L256_enc_msg_x4_out: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_enc_msg_x4,.-aes256gcmsiv_enc_msg_x4 .globl aes256gcmsiv_enc_msg_x8 @@ -2083,9 +2092,10 @@ aes256gcmsiv_enc_msg_x4: .align 16 aes256gcmsiv_enc_msg_x8: .cfi_startproc +_CET_ENDBR testq %r8,%r8 jnz .L256_enc_msg_x8_start - .byte 0xf3,0xc3 + ret .L256_enc_msg_x8_start: @@ -2362,7 +2372,7 @@ aes256gcmsiv_enc_msg_x8: jnz .L256_enc_msg_x8_loop2 .L256_enc_msg_x8_out: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_enc_msg_x8,.-aes256gcmsiv_enc_msg_x8 @@ -2372,21 +2382,23 @@ aes256gcmsiv_enc_msg_x8: .align 16 aes256gcmsiv_dec: .cfi_startproc +_CET_ENDBR testq $~15,%r9 jnz .L256_dec_start - .byte 0xf3,0xc3 + ret .L256_dec_start: vzeroupper vmovdqa (%rdx),%xmm0 + + + vmovdqu 16(%rdx),%xmm15 + vpor OR_MASK(%rip),%xmm15,%xmm15 movq %rdx,%rax leaq 32(%rax),%rax leaq 32(%rcx),%rcx - - vmovdqu (%rdi,%r9,1),%xmm15 - vpor OR_MASK(%rip),%xmm15,%xmm15 andq $~15,%r9 @@ -2923,7 +2935,7 @@ aes256gcmsiv_dec: .L256_dec_out: vmovdqu %xmm0,(%rdx) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_dec, .-aes256gcmsiv_dec .globl aes256gcmsiv_kdf @@ -2932,6 +2944,7 @@ aes256gcmsiv_dec: .align 16 aes256gcmsiv_kdf: .cfi_startproc +_CET_ENDBR @@ -3074,14 +3087,10 @@ aes256gcmsiv_kdf: vmovdqa %xmm11,48(%rsi) vmovdqa %xmm12,64(%rsi) vmovdqa %xmm13,80(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_kdf, .-aes256gcmsiv_kdf #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-mac.mac.x86_64.S index efc3ae7a..b320a6c5 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .section __DATA,__const .p2align 4 @@ -71,7 +64,7 @@ GFMUL: vpxor %xmm4,%xmm3,%xmm2 vpxor %xmm5,%xmm2,%xmm0 - .byte 0xf3,0xc3 + ret .globl _aesgcmsiv_htable_init @@ -80,6 +73,7 @@ GFMUL: .p2align 4 _aesgcmsiv_htable_init: +_CET_ENDBR vmovdqa (%rsi),%xmm0 vmovdqa %xmm0,%xmm1 vmovdqa %xmm0,(%rdi) @@ -97,7 +91,7 @@ _aesgcmsiv_htable_init: vmovdqa %xmm0,96(%rdi) call GFMUL vmovdqa %xmm0,112(%rdi) - .byte 0xf3,0xc3 + ret .globl _aesgcmsiv_htable6_init @@ -106,6 +100,7 @@ _aesgcmsiv_htable_init: .p2align 4 _aesgcmsiv_htable6_init: +_CET_ENDBR vmovdqa (%rsi),%xmm0 vmovdqa %xmm0,%xmm1 vmovdqa %xmm0,(%rdi) @@ -119,7 +114,7 @@ _aesgcmsiv_htable6_init: vmovdqa %xmm0,64(%rdi) call GFMUL vmovdqa %xmm0,80(%rdi) - .byte 0xf3,0xc3 + ret .globl _aesgcmsiv_htable_polyval @@ -128,9 +123,10 @@ _aesgcmsiv_htable6_init: .p2align 4 _aesgcmsiv_htable_polyval: +_CET_ENDBR testq %rdx,%rdx jnz L$htable_polyval_start - .byte 0xf3,0xc3 + ret L$htable_polyval_start: vzeroall @@ -336,7 +332,7 @@ L$htable_polyval_out: vmovdqu %xmm1,(%rcx) vzeroupper - .byte 0xf3,0xc3 + ret .globl _aesgcmsiv_polyval_horner 
@@ -345,9 +341,10 @@ L$htable_polyval_out: .p2align 4 _aesgcmsiv_polyval_horner: +_CET_ENDBR testq %rcx,%rcx jnz L$polyval_horner_start - .byte 0xf3,0xc3 + ret L$polyval_horner_start: @@ -369,7 +366,7 @@ L$polyval_horner_loop: vmovdqa %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_aes_ks @@ -378,6 +375,7 @@ L$polyval_horner_loop: .p2align 4 _aes128gcmsiv_aes_ks: +_CET_ENDBR vmovdqu (%rdi),%xmm1 vmovdqa %xmm1,(%rsi) @@ -425,7 +423,7 @@ L$ks128_loop: vpxor %xmm3,%xmm1,%xmm1 vpxor %xmm2,%xmm1,%xmm1 vmovdqa %xmm1,32(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_aes_ks @@ -434,6 +432,7 @@ L$ks128_loop: .p2align 4 _aes256gcmsiv_aes_ks: +_CET_ENDBR vmovdqu (%rdi),%xmm1 vmovdqu 16(%rdi),%xmm3 vmovdqa %xmm1,(%rsi) @@ -473,7 +472,7 @@ L$ks256_loop: vpxor %xmm4,%xmm1,%xmm1 vpxor %xmm2,%xmm1,%xmm1 vmovdqa %xmm1,32(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_aes_ks_enc_x1 .private_extern _aes128gcmsiv_aes_ks_enc_x1 @@ -481,6 +480,7 @@ L$ks256_loop: .p2align 4 _aes128gcmsiv_aes_ks_enc_x1: +_CET_ENDBR vmovdqa (%rcx),%xmm1 vmovdqa 0(%rdi),%xmm4 @@ -614,7 +614,7 @@ _aes128gcmsiv_aes_ks_enc_x1: vmovdqa %xmm4,0(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_kdf @@ -623,6 +623,7 @@ _aes128gcmsiv_aes_ks_enc_x1: .p2align 4 _aes128gcmsiv_kdf: +_CET_ENDBR @@ -707,7 +708,7 @@ _aes128gcmsiv_kdf: vmovdqa %xmm10,16(%rsi) vmovdqa %xmm11,32(%rsi) vmovdqa %xmm12,48(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_enc_msg_x4 @@ -716,9 +717,10 @@ _aes128gcmsiv_kdf: .p2align 4 _aes128gcmsiv_enc_msg_x4: +_CET_ENDBR testq %r8,%r8 jnz L$128_enc_msg_x4_start - .byte 0xf3,0xc3 + ret L$128_enc_msg_x4_start: pushq %r12 @@ -882,7 +884,7 @@ L$128_enc_msg_x4_out: popq %r12 - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_enc_msg_x8 @@ -891,9 +893,10 @@ L$128_enc_msg_x4_out: .p2align 4 _aes128gcmsiv_enc_msg_x8: +_CET_ENDBR testq %r8,%r8 jnz L$128_enc_msg_x8_start - .byte 0xf3,0xc3 + ret L$128_enc_msg_x8_start: pushq %r12 
@@ -1137,7 +1140,7 @@ L$128_enc_msg_x8_out: popq %r12 - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_dec @@ -1146,21 +1149,23 @@ L$128_enc_msg_x8_out: .p2align 4 _aes128gcmsiv_dec: +_CET_ENDBR testq $~15,%r9 jnz L$128_dec_start - .byte 0xf3,0xc3 + ret L$128_dec_start: vzeroupper vmovdqa (%rdx),%xmm0 + + + vmovdqu 16(%rdx),%xmm15 + vpor OR_MASK(%rip),%xmm15,%xmm15 movq %rdx,%rax leaq 32(%rax),%rax leaq 32(%rcx),%rcx - - vmovdqu (%rdi,%r9,1),%xmm15 - vpor OR_MASK(%rip),%xmm15,%xmm15 andq $~15,%r9 @@ -1629,7 +1634,7 @@ L$128_dec_loop2: L$128_dec_out: vmovdqu %xmm0,(%rdx) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_ecb_enc_block @@ -1638,6 +1643,7 @@ L$128_dec_out: .p2align 4 _aes128gcmsiv_ecb_enc_block: +_CET_ENDBR vmovdqa (%rdi),%xmm1 vpxor (%rdx),%xmm1,%xmm1 @@ -1654,7 +1660,7 @@ _aes128gcmsiv_ecb_enc_block: vmovdqa %xmm1,(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_aes_ks_enc_x1 @@ -1663,6 +1669,7 @@ _aes128gcmsiv_ecb_enc_block: .p2align 4 _aes256gcmsiv_aes_ks_enc_x1: +_CET_ENDBR vmovdqa con1(%rip),%xmm0 vmovdqa mask(%rip),%xmm15 vmovdqa (%rdi),%xmm8 @@ -1837,7 +1844,7 @@ _aes256gcmsiv_aes_ks_enc_x1: vmovdqu %xmm1,224(%rdx) vmovdqa %xmm8,(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_ecb_enc_block @@ -1846,6 +1853,7 @@ _aes256gcmsiv_aes_ks_enc_x1: .p2align 4 _aes256gcmsiv_ecb_enc_block: +_CET_ENDBR vmovdqa (%rdi),%xmm1 vpxor (%rdx),%xmm1,%xmm1 vaesenc 16(%rdx),%xmm1,%xmm1 @@ -1863,7 +1871,7 @@ _aes256gcmsiv_ecb_enc_block: vaesenc 208(%rdx),%xmm1,%xmm1 vaesenclast 224(%rdx),%xmm1,%xmm1 vmovdqa %xmm1,(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_enc_msg_x4 @@ -1872,9 +1880,10 @@ _aes256gcmsiv_ecb_enc_block: .p2align 4 _aes256gcmsiv_enc_msg_x4: +_CET_ENDBR testq %r8,%r8 jnz L$256_enc_msg_x4_start - .byte 0xf3,0xc3 + ret L$256_enc_msg_x4_start: movq %r8,%r10 @@ -2064,7 +2073,7 @@ L$256_enc_msg_x4_loop2: jne L$256_enc_msg_x4_loop2 L$256_enc_msg_x4_out: - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_enc_msg_x8 
@@ -2073,9 +2082,10 @@ L$256_enc_msg_x4_out: .p2align 4 _aes256gcmsiv_enc_msg_x8: +_CET_ENDBR testq %r8,%r8 jnz L$256_enc_msg_x8_start - .byte 0xf3,0xc3 + ret L$256_enc_msg_x8_start: @@ -2352,7 +2362,7 @@ L$256_enc_msg_x8_loop2: jnz L$256_enc_msg_x8_loop2 L$256_enc_msg_x8_out: - .byte 0xf3,0xc3 + ret @@ -2362,21 +2372,23 @@ L$256_enc_msg_x8_out: .p2align 4 _aes256gcmsiv_dec: +_CET_ENDBR testq $~15,%r9 jnz L$256_dec_start - .byte 0xf3,0xc3 + ret L$256_dec_start: vzeroupper vmovdqa (%rdx),%xmm0 + + + vmovdqu 16(%rdx),%xmm15 + vpor OR_MASK(%rip),%xmm15,%xmm15 movq %rdx,%rax leaq 32(%rax),%rax leaq 32(%rcx),%rcx - - vmovdqu (%rdi,%r9,1),%xmm15 - vpor OR_MASK(%rip),%xmm15,%xmm15 andq $~15,%r9 @@ -2913,7 +2925,7 @@ L$256_dec_loop2: L$256_dec_out: vmovdqu %xmm0,(%rdx) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_kdf @@ -2922,6 +2934,7 @@ L$256_dec_out: .p2align 4 _aes256gcmsiv_kdf: +_CET_ENDBR @@ -3064,13 +3077,9 @@ _aes256gcmsiv_kdf: vmovdqa %xmm11,48(%rsi) vmovdqa %xmm12,64(%rsi) vmovdqa %xmm13,80(%rsi) - .byte 0xf3,0xc3 + ret -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-ios.ios.aarch64.S index 64433052..1bf3e6ed 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-ios.ios.aarch64.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include .section __TEXT,__const @@ -3016,11 +3008,7 @@ Lopen_128_hash_64: b Lopen_128_hash_64 .cfi_endproc -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-linux.linux.aarch64.S index 4d5cd208..d6b708d7 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-linux.linux.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include .section .rodata 
@@ -3016,11 +3008,7 @@ chacha20_poly1305_open: b .Lopen_128_hash_64 .cfi_endproc .size chacha20_poly1305_open,.-chacha20_poly1305_open -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.linux.x86_64.S index 89d6abdd..ce54f9cf 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text .extern OPENSSL_ia32cap_P .hidden OPENSSL_ia32cap_P @@ -113,7 +106,7 @@ poly_hash_ad_internal: adcq %r9,%r11 adcq $0,%r12 - .byte 0xf3,0xc3 + ret .Lhash_ad_loop: cmpq $16,%r8 @@ -222,7 +215,7 @@ poly_hash_ad_internal: .Lhash_ad_done: - .byte 0xf3,0xc3 + ret .cfi_endproc .size poly_hash_ad_internal, .-poly_hash_ad_internal @@ -232,6 +225,7 @@ poly_hash_ad_internal: .align 64 chacha20_poly1305_open: .cfi_startproc +_CET_ENDBR pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 
@@ -1870,7 +1864,7 @@ chacha20_poly1305_open: popq %rbp .cfi_adjust_cfa_offset -8 .cfi_restore %rbp - .byte 0xf3,0xc3 + ret .Lopen_sse_128: .cfi_restore_state @@ -2117,6 +2111,7 @@ chacha20_poly1305_open: .align 64 chacha20_poly1305_seal: .cfi_startproc +_CET_ENDBR pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 @@ -3935,7 +3930,7 @@ process_extra_in_trailer: popq %rbp .cfi_adjust_cfa_offset -8 .cfi_restore %rbp - .byte 0xf3,0xc3 + ret .Lseal_sse_128: .cfi_restore_state @@ -8923,10 +8918,6 @@ chacha20_poly1305_seal_avx2: .cfi_endproc .size chacha20_poly1305_seal_avx2, .-chacha20_poly1305_seal_avx2 #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-mac.mac.x86_64.S index 300770d6..cdf80d5c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text @@ -112,7 +105,7 @@ L$poly_fast_tls_ad: adcq %r9,%r11 adcq $0,%r12 - .byte 0xf3,0xc3 + ret L$hash_ad_loop: cmpq $16,%r8 @@ -221,7 +214,7 @@ L$hash_ad_tail_loop: L$hash_ad_done: - .byte 0xf3,0xc3 + ret 
@@ -231,6 +224,7 @@ L$hash_ad_done: .p2align 6 _chacha20_poly1305_open: +_CET_ENDBR pushq %rbp pushq %rbx @@ -1855,7 +1849,7 @@ L$open_sse_finalize: popq %rbp - .byte 0xf3,0xc3 + ret L$open_sse_128: @@ -2102,6 +2096,7 @@ L$open_sse_128_xor_hash: .p2align 6 _chacha20_poly1305_seal: +_CET_ENDBR pushq %rbp pushq %rbx @@ -3906,7 +3901,7 @@ L$do_length_block: popq %rbp - .byte 0xf3,0xc3 + ret L$seal_sse_128: @@ -8879,10 +8874,6 @@ L$seal_avx2_exit: jmp L$seal_sse_tail_16 -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c index 6450c453..2cce1bde 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c 
@@ -126,16 +126,16 @@ extern void aesgcmsiv_htable_polyval(const uint8_t htable[16 * 8], uint8_t in_out_poly[16]); // aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to -// |in|. (The full value of |in_len| is still used to find the authentication -// tag appended to the ciphertext, however, so must not be pre-masked.) +// |in|. |in| and |out| may be equal, but must not otherwise alias. // -// |in| and |out| may be equal, but must not otherwise overlap. +// |in_out_calculated_tag_and_scratch|, on entry, must contain: +// 1. The current value of the calculated tag, which will be updated during +// decryption and written back to the beginning of this buffer on exit. +// 2. The claimed tag, which is needed to derive counter values. // -// While decrypting, it updates the POLYVAL value found at the beginning of -// |in_out_calculated_tag_and_scratch| and writes the updated value back before -// return. During executation, it may use the whole of this space for other -// purposes. In order to decrypt and update the POLYVAL value, it uses the -// expanded key from |key| and the table of powers in |htable|. +// While decrypting, the whole of |in_out_calculated_tag_and_scratch| may be +// used for other purposes. In order to decrypt and update the POLYVAL value, it +// uses the expanded key from |key| and the table of powers in |htable|. extern void aes128gcmsiv_dec(const uint8_t *in, uint8_t *out, uint8_t in_out_calculated_tag_and_scratch[16 * 8], const uint8_t htable[16 * 6], 
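Review bot: The rewritten contract for aes128gcmsiv_dec lists what |in_out_calculated_tag_and_scratch| must hold on entry but never says where the claimed tag lives, and the caller in a later hunk copies it to offset 16, so a reader of this prototype alone cannot tell that bytes 16..31 are the input. I would make the layout explicit: `// 2. The claimed tag, at offset 16, which is needed to derive counter values.` If aes256gcmsiv_dec shares this buffer contract, which this hunk does not show, its prototype comment should say the same.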
@@ -393,14 +393,10 @@ static int aead_aes_gcm_siv_asm_seal_scatter( return 1; } -// TODO(martinkr): Add aead_aes_gcm_siv_asm_open_gather. N.B. aes128gcmsiv_dec -// expects ciphertext and tag in a contiguous buffer. - -static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, - size_t *out_len, size_t max_out_len, - const uint8_t *nonce, size_t nonce_len, - const uint8_t *in, size_t in_len, - const uint8_t *ad, size_t ad_len) { +static int aead_aes_gcm_siv_asm_open_gather( + const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce, + size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag, + size_t in_tag_len, const uint8_t *ad, size_t ad_len) { const uint64_t ad_len_64 = ad_len; if (ad_len_64 >= (UINT64_C(1) << 61)) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); @@ -408,8 +404,8 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, } const uint64_t in_len_64 = in_len; - if (in_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN || - in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) { + if (in_len_64 > UINT64_C(1) << 36 || + in_tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -420,13 +416,6 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, } const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx); - const size_t plaintext_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN; - const uint8_t *const given_tag = in + plaintext_len; - - if (max_out_len < plaintext_len) { - OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); - return 0; - } alignas(16) uint64_t record_auth_key[2]; alignas(16) uint64_t record_enc_key[4]; 
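Review bot: The removed `max_out_len < plaintext_len` check is not a regression only because the gather entry point guarantees `out` has room for `in_len` bytes, and nothing in the new function says so; a reader comparing this with the old open() will look for the bounds check. A one-line precondition at the top of aead_aes_gcm_siv_asm_open_gather would settle it: `// |out| must have room for |in_len| bytes; EVP_AEAD_CTX_open_gather enforces this.` I am inferring the wrapper's behaviour from the API shape rather than from anything in this patch, so please confirm it. The function body continues into the next hunks.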
@@ -459,27 +448,27 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, alignas(16) uint8_t htable[16 * 6]; aesgcmsiv_htable6_init(htable, (const uint8_t *)record_auth_key); + // aes[128|256]gcmsiv_dec needs access to the claimed tag. So it's put into + // its scratch space. + memcpy(calculated_tag + 16, in_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN); if (gcm_siv_ctx->is_128_bit) { - aes128gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, - plaintext_len); + aes128gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, in_len); } else { - aes256gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, - plaintext_len); + aes256gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, in_len); } - if (plaintext_len & 15) { + if (in_len & 15) { aead_aes_gcm_siv_asm_crypt_last_block(gcm_siv_ctx->is_128_bit, out, in, - plaintext_len, given_tag, - &expanded_key); + in_len, in_tag, &expanded_key); OPENSSL_memset(scratch, 0, sizeof(scratch)); - OPENSSL_memcpy(scratch, out + (plaintext_len & ~15), plaintext_len & 15); + OPENSSL_memcpy(scratch, out + (in_len & ~15), in_len & 15); aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key, scratch, 1); } uint8_t length_block[16]; CRYPTO_store_u64_le(length_block, ad_len * 8); - CRYPTO_store_u64_le(length_block + 8, plaintext_len * 8); + CRYPTO_store_u64_le(length_block + 8, in_len * 8); aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key, length_block, 1); @@ -495,13 +484,12 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out, aes256gcmsiv_ecb_enc_block(calculated_tag, calculated_tag, &expanded_key); } - if (CRYPTO_memcmp(calculated_tag, given_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN) != + if (CRYPTO_memcmp(calculated_tag, in_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN) != 0) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } - *out_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN; return 1; } 
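Review bot: The length block here still computes `ad_len * 8` and `in_len * 8` in size_t, while the identical computation in gcm_siv_polyval later in this patch is widened to uint64_t first; the two paths should agree, `CRYPTO_store_u64_le(length_block, ((uint64_t)ad_len) * 8);` and likewise `((uint64_t)in_len) * 8`. This is presumably harmless in practice because the asm path is built only for 64-bit x86, where size_t is already 64 bits and the earlier bounds checks keep the products from wrapping, so it is a consistency point rather than a live bug. Separately, on tag mismatch `out` already holds the decrypted bytes when this returns 0, which is acceptable only if the EVP_AEAD_CTX_open_gather wrapper clears `out` on failure; I believe it does, but that is outside this file.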
@@ -515,9 +503,9 @@ static const EVP_AEAD aead_aes_128_gcm_siv_asm = { aead_aes_gcm_siv_asm_init, NULL /* init_with_direction */, aead_aes_gcm_siv_asm_cleanup, - aead_aes_gcm_siv_asm_open, + NULL /* open */, aead_aes_gcm_siv_asm_seal_scatter, - NULL /* open_gather */, + aead_aes_gcm_siv_asm_open_gather, NULL /* get_iv */, NULL /* tag_len */, }; @@ -532,9 +520,9 @@ static const EVP_AEAD aead_aes_256_gcm_siv_asm = { aead_aes_gcm_siv_asm_init, NULL /* init_with_direction */, aead_aes_gcm_siv_asm_cleanup, - aead_aes_gcm_siv_asm_open, + NULL /* open */, aead_aes_gcm_siv_asm_seal_scatter, - NULL /* open_gather */, + aead_aes_gcm_siv_asm_open_gather, NULL /* get_iv */, NULL /* tag_len */, }; @@ -647,8 +635,8 @@ static void gcm_siv_polyval( } uint8_t length_block[16]; - CRYPTO_store_u64_le(length_block, ad_len * 8); - CRYPTO_store_u64_le(length_block + 8, in_len * 8); + CRYPTO_store_u64_le(length_block, ((uint64_t) ad_len) * 8); + CRYPTO_store_u64_le(length_block + 8, ((uint64_t) in_len) * 8); CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block, sizeof(length_block)); diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_des.c b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_des.c index 76b0998a..dbefb571 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_des.c +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_des.c @@ -58,6 +58,7 @@ #include #include +#include "../des/internal.h" #include "../fipsmodule/cipher/internal.h" #include "internal.h" 
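Review bot: The `((uint64_t) ad_len) * 8` widening in gcm_siv_polyval is correct but silent about its purpose, and the old form looked natural enough that someone may "simplify" it back; a comment would prevent that: `// Widen before multiplying: on 32-bit targets size_t * 8 could wrap before the store.` The upper bounds that make the 64-bit product itself safe are checked by the callers, outside this hunk.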
@@ -71,20 +72,15 @@ typedef struct { static int des_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv, int enc) { - DES_cblock *deskey = (DES_cblock *)key; EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data; - - DES_set_key(deskey, &dat->ks.ks); + DES_set_key_ex(key, &dat->ks.ks); return 1; } static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t in_len) { EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data; - - DES_ncbc_encrypt(in, out, in_len, &dat->ks.ks, (DES_cblock *)ctx->iv, - ctx->encrypt); - + DES_ncbc_encrypt_ex(in, out, in_len, &dat->ks.ks, ctx->iv, ctx->encrypt); return 1; } @@ -113,8 +109,7 @@ static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data; for (size_t i = 0; i <= in_len; i += ctx->cipher->block_size) { - DES_ecb_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), - &dat->ks.ks, ctx->encrypt); + DES_ecb_encrypt_ex(in + i, out + i, &dat->ks.ks, ctx->encrypt); } return 1; } @@ -144,23 +139,18 @@ typedef struct { static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv, int enc) { - DES_cblock *deskey = (DES_cblock *)key; DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data; - - DES_set_key(&deskey[0], &dat->ks.ks[0]); - DES_set_key(&deskey[1], &dat->ks.ks[1]); - DES_set_key(&deskey[2], &dat->ks.ks[2]); - + DES_set_key_ex(key, &dat->ks.ks[0]); + DES_set_key_ex(key + 8, &dat->ks.ks[1]); + DES_set_key_ex(key + 16, &dat->ks.ks[2]); return 1; } static int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t in_len) { DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data; - - DES_ede3_cbc_encrypt(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1], - &dat->ks.ks[2], (DES_cblock *)ctx->iv, ctx->encrypt); - + DES_ede3_cbc_encrypt_ex(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1], + &dat->ks.ks[2], ctx->iv, ctx->encrypt); return 1; } 
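Review bot: The loop bound `i <= in_len` in des_ecb_cipher reads as an off-by-one that would process one block past the input; it is only correct if in_len was already reduced by one block earlier in the function, and that part is outside the hunk (the function starts before it). Whichever is the case, a comment on the loop would remove the doubt: `// in_len was reduced by one block above, so <= still stops at the last full block.` If in_len is not adjusted beforehand, the bound must be `i < in_len`.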
@@ -182,13 +172,11 @@ const EVP_CIPHER *EVP_des_ede3_cbc(void) { return &evp_des_ede3_cbc; } static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv, int enc) { - DES_cblock *deskey = (DES_cblock *)key; DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data; - - DES_set_key(&deskey[0], &dat->ks.ks[0]); - DES_set_key(&deskey[1], &dat->ks.ks[1]); - DES_set_key(&deskey[0], &dat->ks.ks[2]); - + // 2-DES is 3-DES with the first key used twice. + DES_set_key_ex(key, &dat->ks.ks[0]); + DES_set_key_ex(key + 8, &dat->ks.ks[1]); + DES_set_key_ex(key, &dat->ks.ks[2]); return 1; } @@ -217,9 +205,8 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data; for (size_t i = 0; i <= in_len; i += ctx->cipher->block_size) { - DES_ecb3_encrypt((DES_cblock *) (in + i), (DES_cblock *) (out + i), - &dat->ks.ks[0], &dat->ks.ks[1], &dat->ks.ks[2], - ctx->encrypt); + DES_ecb3_encrypt_ex(in + i, out + i, &dat->ks.ks[0], &dat->ks.ks[1], + &dat->ks.ks[2], ctx->encrypt); } return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/conf/conf.c b/Sources/CJWTKitBoringSSL/crypto/conf/conf.c index a0c17ac8..4d9768ba 100644 --- a/Sources/CJWTKitBoringSSL/crypto/conf/conf.c +++ b/Sources/CJWTKitBoringSSL/crypto/conf/conf.c 
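Review bot: The offsets `key + 8` and `key + 16` in des_ede_init_key (and in des_ede3_init_key in the preceding hunk) are bare magic numbers; if the DES header exposes a key-size constant (BoringSSL's des.h defines DES_KEY_SZ as sizeof(DES_cblock), but I cannot see the header here), `DES_set_key_ex(key + DES_KEY_SZ, &dat->ks.ks[1]);` says what the 8 means. The added `// 2-DES is 3-DES with the first key used twice.` comment is a good addition. des_ede_ecb_cipher below carries the same `i <= in_len` bound as the single-DES variant and deserves the same explanatory comment, its precondition being set outside the hunk.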
@@ -70,126 +70,117 @@ #include "../internal.h" +struct conf_section_st { + char *name; + // values contains non-owning pointers to the values in the section. + STACK_OF(CONF_VALUE) *values; +}; + static const char kDefaultSectionName[] = "default"; +static uint32_t conf_section_hash(const CONF_SECTION *s) { + return OPENSSL_strhash(s->name); +} + +static int conf_section_cmp(const CONF_SECTION *a, const CONF_SECTION *b) { + return strcmp(a->name, b->name); +} + static uint32_t conf_value_hash(const CONF_VALUE *v) { - const uint32_t section_hash = v->section ? OPENSSL_strhash(v->section) : 0; - const uint32_t name_hash = v->name ? OPENSSL_strhash(v->name) : 0; + const uint32_t section_hash = OPENSSL_strhash(v->section); + const uint32_t name_hash = OPENSSL_strhash(v->name); return (section_hash << 2) ^ name_hash; } static int conf_value_cmp(const CONF_VALUE *a, const CONF_VALUE *b) { - int i; - - if (a->section != b->section) { - i = strcmp(a->section, b->section); - if (i) { - return i; - } + int cmp = strcmp(a->section, b->section); + if (cmp != 0) { + return cmp; } - if (a->name != NULL && b->name != NULL) { - return strcmp(a->name, b->name); - } else if (a->name == b->name) { - return 0; - } else { - return (a->name == NULL) ? 
-1 : 1; - } + return strcmp(a->name, b->name); } CONF *NCONF_new(void *method) { - CONF *conf; - if (method != NULL) { return NULL; } - conf = OPENSSL_malloc(sizeof(CONF)); + CONF *conf = OPENSSL_malloc(sizeof(CONF)); if (conf == NULL) { return NULL; } - conf->data = lh_CONF_VALUE_new(conf_value_hash, conf_value_cmp); - if (conf->data == NULL) { - OPENSSL_free(conf); + conf->sections = lh_CONF_SECTION_new(conf_section_hash, conf_section_cmp); + conf->values = lh_CONF_VALUE_new(conf_value_hash, conf_value_cmp); + if (conf->sections == NULL || conf->values == NULL) { + NCONF_free(conf); return NULL; } return conf; } -CONF_VALUE *CONF_VALUE_new(void) { - CONF_VALUE *v = OPENSSL_malloc(sizeof(CONF_VALUE)); - if (!v) { - return NULL; - } - OPENSSL_memset(v, 0, sizeof(CONF_VALUE)); - return v; -} +CONF_VALUE *CONF_VALUE_new(void) { return OPENSSL_zalloc(sizeof(CONF_VALUE)); } -static void value_free_contents(CONF_VALUE *value) { - OPENSSL_free(value->section); - if (value->name) { - OPENSSL_free(value->name); - OPENSSL_free(value->value); - } else { - // TODO(davidben): When |value->name| is NULL, |CONF_VALUE| is actually an - // entirely different structure. This is fragile and confusing. Make a - // proper |CONF_SECTION| type that doesn't require this. 
- sk_CONF_VALUE_free((STACK_OF(CONF_VALUE) *)value->value); +static void value_free(CONF_VALUE *value) { + if (value == NULL) { + return; } + OPENSSL_free(value->section); + OPENSSL_free(value->name); + OPENSSL_free(value->value); + OPENSSL_free(value); } -static void value_free(CONF_VALUE *value) { - if (value != NULL) { - value_free_contents(value); - OPENSSL_free(value); +static void section_free(CONF_SECTION *section) { + if (section == NULL) { + return; } + OPENSSL_free(section->name); + sk_CONF_VALUE_free(section->values); + OPENSSL_free(section); } static void value_free_arg(CONF_VALUE *value, void *arg) { value_free(value); } +static void section_free_arg(CONF_SECTION *section, void *arg) { + section_free(section); +} + void NCONF_free(CONF *conf) { - if (conf == NULL || conf->data == NULL) { + if (conf == NULL) { return; } - lh_CONF_VALUE_doall_arg(conf->data, value_free_arg, NULL); - lh_CONF_VALUE_free(conf->data); + lh_CONF_SECTION_doall_arg(conf->sections, section_free_arg, NULL); + lh_CONF_SECTION_free(conf->sections); + lh_CONF_VALUE_doall_arg(conf->values, value_free_arg, NULL); + lh_CONF_VALUE_free(conf->values); OPENSSL_free(conf); } -static CONF_VALUE *NCONF_new_section(const CONF *conf, const char *section) { - STACK_OF(CONF_VALUE) *sk = NULL; - int ok = 0; - CONF_VALUE *v = NULL, *old_value; - - sk = sk_CONF_VALUE_new_null(); - v = CONF_VALUE_new(); - if (sk == NULL || v == NULL) { - goto err; +static CONF_SECTION *NCONF_new_section(const CONF *conf, const char *section) { + CONF_SECTION *s = OPENSSL_malloc(sizeof(CONF_SECTION)); + if (!s) { + return NULL; } - v->section = OPENSSL_strdup(section); - if (v->section == NULL) { + s->name = OPENSSL_strdup(section); + s->values = sk_CONF_VALUE_new_null(); + if (s->name == NULL || s->values == NULL) { goto err; } - v->name = NULL; - v->value = (char *)sk; - - if (!lh_CONF_VALUE_insert(conf->data, &old_value, v)) { + CONF_SECTION *old_section; + if (!lh_CONF_SECTION_insert(conf->sections, &old_section, 
s)) { goto err; } - value_free(old_value); - ok = 1; + section_free(old_section); + return s; err: - if (!ok) { - sk_CONF_VALUE_free(sk); - OPENSSL_free(v); - v = NULL; - } - return v; + section_free(s); + return NULL; } static int str_copy(CONF *conf, char *section, char **pto, char *from) { @@ -261,21 +252,20 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) { return 0; } -static CONF_VALUE *get_section(const CONF *conf, const char *section) { - CONF_VALUE template; - +static CONF_SECTION *get_section(const CONF *conf, const char *section) { + CONF_SECTION template; OPENSSL_memset(&template, 0, sizeof(template)); - template.section = (char *) section; - return lh_CONF_VALUE_retrieve(conf->data, &template); + template.name = (char *) section; + return lh_CONF_SECTION_retrieve(conf->sections, &template); } const STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf, const char *section) { - const CONF_VALUE *section_value = get_section(conf, section); - if (section_value == NULL) { + const CONF_SECTION *section_obj = get_section(conf, section); + if (section_obj == NULL) { return NULL; } - return (STACK_OF(CONF_VALUE)*) section_value->value; + return section_obj->values; } const char *NCONF_get_string(const CONF *conf, const char *section, 
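Review bot: NCONF_new now calls NCONF_free on a CONF whose `sections` or `values` may be NULL, and NCONF_free no longer guards for that (the old `conf->data == NULL` check is gone); this is only safe if lh_CONF_SECTION_doall_arg and lh_*_free tolerate a NULL table, which I believe the OPENSSL_lh_* implementations do but which is not visible in this patch. A comment on NCONF_free would pin the assumption: `// |sections| or |values| may be NULL if NCONF_new failed part-way; the lhash functions accept NULL.` Relatedly, conf_value_hash and conf_value_cmp now dereference `section` and `name` unconditionally, so the invariant that every entry in |conf->values| has both set should be stated above conf_value_hash, e.g. `// Every |CONF_VALUE| in |conf->values| has non-NULL |section| and |name|; section records live in |conf->sections|.`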
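Review bot: get_section keeps `template.name = (char *) section;` with a space after the cast while the NCONF_get_string hunk in the same patch reformats the identical casts to `(char *)section`; pick one form, `template.name = (char *)section;`, so the two lookup templates read the same. The const-discarding cast itself is inherited and harmless because retrieve only reads the key, but a short justification would help: `// Lookup only; the cast never writes through |name|.`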
@@ -287,30 +277,35 @@ const char *NCONF_get_string(const CONF *conf, const char *section, } OPENSSL_memset(&template, 0, sizeof(template)); - template.section = (char *) section; - template.name = (char *) name; - value = lh_CONF_VALUE_retrieve(conf->data, &template); + template.section = (char *)section; + template.name = (char *)name; + value = lh_CONF_VALUE_retrieve(conf->values, &template); if (value == NULL) { return NULL; } return value->value; } -static int add_string(const CONF *conf, CONF_VALUE *section, +static int add_string(const CONF *conf, CONF_SECTION *section, CONF_VALUE *value) { - STACK_OF(CONF_VALUE) *section_stack = (STACK_OF(CONF_VALUE)*) section->value; - CONF_VALUE *old_value; + value->section = OPENSSL_strdup(section->name); + if (value->section == NULL) { + return 0; + } - value->section = OPENSSL_strdup(section->section); - if (!sk_CONF_VALUE_push(section_stack, value)) { + if (!sk_CONF_VALUE_push(section->values, value)) { return 0; } - if (!lh_CONF_VALUE_insert(conf->data, &old_value, value)) { + CONF_VALUE *old_value; + if (!lh_CONF_VALUE_insert(conf->values, &old_value, value)) { + // Remove |value| from |section->values|, so we do not leave a dangling + // pointer. + sk_CONF_VALUE_pop(section->values); return 0; } if (old_value != NULL) { - (void)sk_CONF_VALUE_delete_ptr(section_stack, old_value); + (void)sk_CONF_VALUE_delete_ptr(section->values, old_value); value_free(old_value); } @@ -387,7 +382,7 @@ static void clear_comments(CONF *conf, char *p) { } } -static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) { +int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) { static const size_t CONFBUFSIZE = 512; int bufnum = 0, i, ii; BUF_MEM *buff = NULL; 
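Review bot: add_string's failure contract is now subtler than the code shows: after a failed `sk_CONF_VALUE_push` or `lh_CONF_VALUE_insert`, |value| (including the freshly strdup'd `value->section`) is still owned by the caller, and only the insert path undoes the push. A comment on the function would make the caller's value_free(v) obviously correct: `// On success |conf| takes ownership of |value|; on failure the caller still owns it, including its |section| string.` The `sk_CONF_VALUE_pop` rollback assumes |value| is still the top of `section->values`, which holds because nothing runs between the push and the insert, and is worth saying in the rollback comment.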
@@ -395,8 +390,8 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) { int again; long eline = 0; char btmp[DECIMAL_SIZE(eline) + 1]; - CONF_VALUE *v = NULL, *tv; - CONF_VALUE *sv = NULL; + CONF_VALUE *v = NULL; + CONF_SECTION *sv = NULL; char *section = NULL, *buf; char *start, *psection, *pname; @@ -547,6 +542,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) { goto err; } + CONF_SECTION *tv; if (strcmp(psection, section) != 0) { if ((tv = get_section(conf, psection)) == NULL) { tv = NCONF_new_section(conf, psection); @@ -574,14 +570,9 @@ static int def_load_bio(CONF *conf, BIO *in, long *out_error_line) { if (out_error_line != NULL) { *out_error_line = eline; } - BIO_snprintf(btmp, sizeof btmp, "%ld", eline); + snprintf(btmp, sizeof btmp, "%ld", eline); ERR_add_error_data(2, "line ", btmp); - - if (v != NULL) { - OPENSSL_free(v->name); - OPENSSL_free(v->value); - OPENSSL_free(v); - } + value_free(v); return 0; } @@ -594,16 +585,12 @@ int NCONF_load(CONF *conf, const char *filename, long *out_error_line) { return 0; } - ret = def_load_bio(conf, in, out_error_line); + ret = NCONF_load_bio(conf, in, out_error_line); BIO_free(in); return ret; } -int NCONF_load_bio(CONF *conf, BIO *bio, long *out_error_line) { - return def_load_bio(conf, bio, out_error_line); -} - int CONF_parse_list(const char *list, char sep, int remove_whitespace, int (*list_cb)(const char *elem, size_t len, void *usr), void *arg) { diff --git a/Sources/CJWTKitBoringSSL/crypto/conf/internal.h b/Sources/CJWTKitBoringSSL/crypto/conf/internal.h index 8c2c8915..e3de0e3e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/conf/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/conf/internal.h 
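Review bot: The err path now calls `value_free(v)`, which frees `v->section` as well as name and value, so it is only correct if `v` is reset to NULL as soon as add_string has succeeded and |conf| owns it; that reset sits outside this hunk and should be checked, otherwise a later failure in the same iteration would double-free. The old code avoided this by freeing only the fields it knew were unowned, so the simplification moves the burden onto the `v = NULL` bookkeeping. A comment at the call would record the dependency: `// |v| is NULL once add_string has taken ownership, so this never double-frees.` NCONF_load_bio begins in the preceding hunk.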
@@ -24,10 +24,14 @@ extern "C" { #endif +typedef struct conf_section_st CONF_SECTION; + +DEFINE_LHASH_OF(CONF_SECTION) DEFINE_LHASH_OF(CONF_VALUE) struct conf_st { - LHASH_OF(CONF_VALUE) *data; + LHASH_OF(CONF_VALUE) *values; + LHASH_OF(CONF_SECTION) *sections; }; // CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|. diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_apple.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_apple.c index d302bc86..a44a8ee0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_apple.c +++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_apple.c @@ -23,8 +23,6 @@ #include -extern uint32_t OPENSSL_armcap_P; - static int has_hw_feature(const char *name) { int value; size_t len = sizeof(value); diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_freebsd.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_freebsd.c deleted file mode 100644 index 6e242a03..00000000 --- a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_freebsd.c +++ /dev/null 
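Review bot: `struct conf_st` gained a second table but neither field says who owns what, and since a CONF_SECTION's stack holds non-owning pointers the split is easy to get wrong from the header alone. State it where the tables are declared: `// |values| owns every CONF_VALUE and |sections| owns every CONF_SECTION; a section's stack only borrows pointers from |values|.` With that in place the doall/free pairing in NCONF_free is self-evidently not a double free.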
@@ -1,62 +0,0 @@ -/* Copyright (c) 2022, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include "internal.h" - -#if defined(OPENSSL_AARCH64) && defined(OPENSSL_FREEBSD) && \ - !defined(OPENSSL_STATIC_ARMCAP) - -#include -#include - -#include - -extern uint32_t OPENSSL_armcap_P; - -// ID_AA64ISAR0_*_VAL are defined starting FreeBSD 13.0. When FreeBSD -// 12.x is out of support, these compatibility macros can be removed. 
- -#ifndef ID_AA64ISAR0_AES_VAL -#define ID_AA64ISAR0_AES_VAL ID_AA64ISAR0_AES -#endif -#ifndef ID_AA64ISAR0_SHA1_VAL -#define ID_AA64ISAR0_SHA1_VAL ID_AA64ISAR0_SHA1 -#endif -#ifndef ID_AA64ISAR0_SHA2_VAL -#define ID_AA64ISAR0_SHA2_VAL ID_AA64ISAR0_SHA2 -#endif - -void OPENSSL_cpuid_setup(void) { - uint64_t id_aa64isar0 = READ_SPECIALREG(id_aa64isar0_el1); - - OPENSSL_armcap_P |= ARMV7_NEON; - - if (ID_AA64ISAR0_AES_VAL(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE) { - OPENSSL_armcap_P |= ARMV8_AES; - } - if (ID_AA64ISAR0_AES_VAL(id_aa64isar0) >= ID_AA64ISAR0_AES_PMULL) { - OPENSSL_armcap_P |= ARMV8_PMULL; - } - if (ID_AA64ISAR0_SHA1_VAL(id_aa64isar0) >= ID_AA64ISAR0_SHA1_BASE) { - OPENSSL_armcap_P |= ARMV8_SHA1; - } - if (ID_AA64ISAR0_SHA2_VAL(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE) { - OPENSSL_armcap_P |= ARMV8_SHA256; - } - if (ID_AA64ISAR0_SHA2_VAL(id_aa64isar0) >= ID_AA64ISAR0_SHA2_512) { - OPENSSL_armcap_P |= ARMV8_SHA512; - } -} - -#endif // OPENSSL_AARCH64 && OPENSSL_FREEBSD && !OPENSSL_STATIC_ARMCAP diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_fuchsia.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_fuchsia.c index 1f3b31a3..7763b4dc 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_fuchsia.c +++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_fuchsia.c @@ -23,7 +23,6 @@ #include -extern uint32_t OPENSSL_armcap_P; void OPENSSL_cpuid_setup(void) { uint32_t hwcap; diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_linux.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_linux.c index 9389d8c2..6cf8a9fa 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_linux.c +++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_linux.c @@ -22,8 +22,6 @@ #include -extern uint32_t OPENSSL_armcap_P; - void OPENSSL_cpuid_setup(void) { unsigned long hwcap = getauxval(AT_HWCAP); diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_openbsd.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_openbsd.c index 19441ea2..5c6c99ee 100644 
--- a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_openbsd.c +++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_openbsd.c @@ -25,7 +25,6 @@ #include "internal.h" -extern uint32_t OPENSSL_armcap_P; void OPENSSL_cpuid_setup(void) { int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_sysreg.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_sysreg.c new file mode 100644 index 00000000..1f1aed42 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_sysreg.c 
@@ -0,0 +1,93 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include "internal.h" + +// While Arm system registers are normally not available to userspace, FreeBSD +// expects userspace to simply read them. It traps the reads and fills in CPU +// capabilities. 
+#if defined(OPENSSL_AARCH64) && !defined(OPENSSL_STATIC_ARMCAP) && \ + (defined(ANDROID_BAREMETAL) || defined(OPENSSL_FREEBSD)) + +#include + +#define ID_AA64PFR0_EL1_ADVSIMD 5 + +#define ID_AA64ISAR0_EL1_AES 1 +#define ID_AA64ISAR0_EL1_SHA1 2 +#define ID_AA64ISAR0_EL1_SHA2 3 + +#define NBITS_ID_FIELD 4 + +#define READ_SYSREG(name) \ + ({ \ + uint64_t _r; \ + __asm__("mrs %0, " name : "=r"(_r)); \ + _r; \ + }) + +static unsigned get_id_field(uint64_t reg, unsigned field) { + return (reg >> (field * NBITS_ID_FIELD)) & ((1 << NBITS_ID_FIELD) - 1); +} + +static int get_signed_id_field(uint64_t reg, unsigned field) { + unsigned value = get_id_field(reg, field); + if (value & (1 << (NBITS_ID_FIELD - 1))) { + return (int)(value | (UINT64_MAX << NBITS_ID_FIELD)); + } else { + return (int)value; + } +} + +static uint32_t read_armcap(void) { + uint32_t armcap = ARMV7_NEON; + + uint64_t id_aa64pfr0_el1 = READ_SYSREG("id_aa64pfr0_el1"); + + if (get_signed_id_field(id_aa64pfr0_el1, ID_AA64PFR0_EL1_ADVSIMD) < 0) { + // If AdvSIMD ("NEON") is missing, don't report other features either. + // This matches OpenSSL. + return 0; + } + + uint64_t id_aa64isar0_el1 = READ_SYSREG("id_aa64isar0_el1"); + + unsigned aes = get_id_field(id_aa64isar0_el1, ID_AA64ISAR0_EL1_AES); + if (aes > 0) { + armcap |= ARMV8_AES; + } + if (aes > 1) { + armcap |= ARMV8_PMULL; + } + + unsigned sha1 = get_id_field(id_aa64isar0_el1, ID_AA64ISAR0_EL1_SHA1); + if (sha1 > 0) { + armcap |= ARMV8_SHA1; + } + + unsigned sha2 = get_id_field(id_aa64isar0_el1, ID_AA64ISAR0_EL1_SHA2); + if (sha2 > 0) { + armcap |= ARMV8_SHA256; + } + if (sha2 > 1) { + armcap |= ARMV8_SHA512; + } + + return armcap; +} + +void OPENSSL_cpuid_setup(void) { OPENSSL_armcap_P |= read_armcap(); } + +#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP && + // (ANDROID_BAREMETAL || OPENSSL_FREEBSD) diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_win.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_win.c index a67ff364..8a510e33 100644 
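Review bot: get_signed_id_field builds the negative case as `(int)(value | (UINT64_MAX << NBITS_ID_FIELD))`, which ORs a 32-bit `unsigned` into a 64-bit mask and then narrows an out-of-range uint64_t to int; that narrowing is implementation-defined in C, even though every relevant compiler does the expected thing. The arithmetic form avoids the question and reads more directly: `return (int)value - (1 << NBITS_ID_FIELD);` for the sign-bit case, which maps 0x8..0xF to -8..-1 exactly as the mask does. Also, the file comment explains only FreeBSD's trap-and-emulate of the system registers, but the `#if` enables this path for ANDROID_BAREMETAL too, so the comment should say why the `mrs` reads are valid there as well (presumably the code runs at a privilege level where they succeed natively, but I cannot confirm that from this file).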
--- a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_win.c +++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_win.c @@ -22,7 +22,7 @@ #include -extern uint32_t OPENSSL_armcap_P; + void OPENSSL_cpuid_setup(void) { // We do not need to check for the presence of NEON, as Armv8-A always has it OPENSSL_armcap_P |= ARMV7_NEON; diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_arm.c b/Sources/CJWTKitBoringSSL/crypto/cpu_arm.c deleted file mode 100644 index 1d1b5867..00000000 --- a/Sources/CJWTKitBoringSSL/crypto/cpu_arm.c +++ /dev/null @@ -1,38 +0,0 @@ -/* Copyright (c) 2014, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include "internal.h" - -#if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \ - !defined(OPENSSL_STATIC_ARMCAP) - -#include - - -extern uint32_t OPENSSL_armcap_P; - -int CRYPTO_is_NEON_capable_at_runtime(void) { - return (OPENSSL_armcap_P & ARMV7_NEON) != 0; -} - -int CRYPTO_is_ARMv8_AES_capable_at_runtime(void) { - return (OPENSSL_armcap_P & ARMV8_AES) != 0; -} - -int CRYPTO_is_ARMv8_PMULL_capable_at_runtime(void) { - return (OPENSSL_armcap_P & ARMV8_PMULL) != 0; -} - -#endif /* (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && - !defined(OPENSSL_STATIC_ARMCAP) */ 
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_arm_freebsd.c b/Sources/CJWTKitBoringSSL/crypto/cpu_arm_freebsd.c index 6e31b740..08241e7f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cpu_arm_freebsd.c +++ b/Sources/CJWTKitBoringSSL/crypto/cpu_arm_freebsd.c @@ -22,7 +22,6 @@ #include #include -extern uint32_t OPENSSL_armcap_P; void OPENSSL_cpuid_setup(void) { unsigned long hwcap = 0, hwcap2 = 0; diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_arm_linux.c b/Sources/CJWTKitBoringSSL/crypto/cpu_arm_linux.c index 360985a4..d5013c52 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cpu_arm_linux.c +++ b/Sources/CJWTKitBoringSSL/crypto/cpu_arm_linux.c @@ -95,8 +95,6 @@ static int read_file(char **out_ptr, size_t *out_len, const char *path) { return ret; } -extern uint32_t OPENSSL_armcap_P; - static int g_needs_hwcap2_workaround; void OPENSSL_cpuid_setup(void) { diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_intel.c b/Sources/CJWTKitBoringSSL/crypto/cpu_intel.c index c061e57e..50915bbe 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cpu_intel.c +++ b/Sources/CJWTKitBoringSSL/crypto/cpu_intel.c @@ -211,7 +211,8 @@ void OPENSSL_cpuid_setup(void) { // Clear the XSAVE bit on Knights Landing to mimic Silvermont. This enables // some Silvermont-specific codepaths which perform better. See OpenSSL - // commit 64d92d74985ebb3d0be58a9718f9e080a14a8e7f. + // commit 64d92d74985ebb3d0be58a9718f9e080a14a8e7f and + // |CRYPTO_cpu_perf_is_like_silvermont|. if ((eax & 0x0fff0ff0) == 0x00050670 /* Knights Landing */ || (eax & 0x0fff0ff0) == 0x00080650 /* Knights Mill (per SDE) */) { ecx &= ~(1u << 26); @@ -238,7 +239,8 @@ void OPENSSL_cpuid_setup(void) { // Clear AVX2 and AVX512* bits. // // TODO(davidben): Should bits 17 and 26-28 also be cleared? Upstream - // doesn't clear those. + // doesn't clear those. See the comments in + // |CRYPTO_hardware_supports_XSAVE|. extended_features[0] &= ~((1u << 5) | (1u << 16) | (1u << 21) | (1u << 30) | (1u << 31)); } 
diff --git a/Sources/CJWTKitBoringSSL/crypto/crypto.c b/Sources/CJWTKitBoringSSL/crypto/crypto.c index 6796db7a..7c4d275d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/crypto.c +++ b/Sources/CJWTKitBoringSSL/crypto/crypto.c @@ -78,6 +78,11 @@ HIDDEN uint8_t BORINGSSL_function_hit[7] = {0}; // This value must be explicitly initialized to zero. See similar comment above. HIDDEN uint32_t OPENSSL_ia32cap_P[4] = {0}; +uint32_t OPENSSL_get_ia32cap(int idx) { + CRYPTO_library_init(); + return OPENSSL_ia32cap_P[idx]; +} + #elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) #include @@ -116,10 +121,16 @@ HIDDEN uint32_t OPENSSL_armcap_P = HIDDEN uint32_t OPENSSL_armcap_P = 0; uint32_t *OPENSSL_get_armcap_pointer_for_test(void) { + CRYPTO_library_init(); return &OPENSSL_armcap_P; } #endif +uint32_t OPENSSL_get_armcap(void) { + CRYPTO_library_init(); + return OPENSSL_armcap_P; +} + #endif #if defined(BORINGSSL_FIPS) diff --git a/Sources/CJWTKitBoringSSL/crypto/curve25519/asm/x25519-asm-arm.S b/Sources/CJWTKitBoringSSL/crypto/curve25519/asm/x25519-asm-arm.S index 80eee79d..e84cc8f8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/curve25519/asm/x25519-asm-arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/curve25519/asm/x25519-asm-arm.S @@ -19,17 +19,9 @@ * domain licensed but the standard ISC license is included above to keep * licensing simple. */ -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif - -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) +#include -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) .fpu neon .text 
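Review bot: OPENSSL_get_ia32cap indexes `OPENSSL_ia32cap_P[idx]` with no range check, and the array is four words (`OPENSSL_ia32cap_P[4]` two lines above), so a caller passing 4 or a negative value reads out of bounds; the callers are presumably inline helpers in internal.h, making this latent rather than reachable, but it is cheap to close with `assert(idx >= 0 && idx < 4);` before the return if <assert.h> is available here, or at least a comment stating the valid range. The CRYPTO_library_init() call is the reason this accessor exists and deserves a one-liner: `// Ensure OPENSSL_cpuid_setup has run before the capability words are read.`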
@@ -2131,11 +2123,7 @@ mov sp,r12 vpop {q4,q5,q6,q7} bx lr -#endif /* !OPENSSL_NO_ASM && __ARMEL__ && __ELF__ */ - -#if defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif +#endif /* !OPENSSL_NO_ASM && OPENSSL_ARM && __ELF__ */ #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519.c b/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519.c index 2a7ff6db..785267de 100644 --- a/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519.c +++ b/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519.c @@ -19,8 +19,6 @@ // // The field functions are shared by Ed25519 and X25519 where possible. -#include - #include #include @@ -31,7 +29,6 @@ #include "internal.h" #include "../internal.h" - // Various pre-computed constants. #include "./curve25519_tables.h" @@ -315,11 +312,6 @@ static void fe_copy_lt(fe_loose *h, const fe *f) { static_assert(sizeof(fe_loose) == sizeof(fe), "fe and fe_loose mismatch"); OPENSSL_memmove(h, f, sizeof(fe)); } -#if !defined(OPENSSL_SMALL) -static void fe_copy_ll(fe_loose *h, const fe_loose *f) { - OPENSSL_memmove(h, f, sizeof(fe_loose)); -} -#endif // !defined(OPENSSL_SMALL) static void fe_loose_invert(fe *out, const fe_loose *z) { fe t0; @@ -698,16 +690,6 @@ void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { fe_add(&r->T, &trZ, &trT); } -static uint8_t equal(signed char b, signed char c) { - uint8_t ub = b; - uint8_t uc = c; - uint8_t x = ub ^ uc; // 0: yes; 1..255: no - uint32_t y = x; // 0: yes; 1..255: no - y -= 1; // 4294967295: yes; 0..254: no - y >>= 31; // 1: yes; 0: no - return y; -} - static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) { fe_cmov(&t->yplusx, &u->yplusx, b); fe_cmov(&t->yminusx, &u->yminusx, b); 
@@ -754,7 +736,7 @@ void x25519_ge_scalarmult_small_precomp( ge_precomp_0(&e); for (j = 1; j < 16; j++) { - cmov(&e, &multiples[j-1], equal(index, j)); + cmov(&e, &multiples[j-1], 1&constant_time_eq_w(index, j)); } ge_cached cached; 
@@ -776,35 +758,36 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) { #else -static uint8_t negative(signed char b) { - uint32_t x = b; - x >>= 31; // 1: yes; 0: no - return x; -} +static void table_select(ge_precomp *t, const int pos, const signed char b) { + uint8_t bnegative = constant_time_msb_w(b); + uint8_t babs = b - ((bnegative & b) << 1); -static void table_select(ge_precomp *t, int pos, signed char b) { - ge_precomp minust; - uint8_t bnegative = negative(b); - uint8_t babs = b - ((uint8_t)((-bnegative) & b) << 1); + uint8_t t_bytes[3][32] = { + {constant_time_is_zero_w(b) & 1}, {constant_time_is_zero_w(b) & 1}, {0}}; +#if defined(__clang__) // materialize for vectorization, 6% speedup + __asm__("" : "+m" (t_bytes) : /*no inputs*/); +#endif + static_assert(sizeof(t_bytes) == sizeof(k25519Precomp[pos][0]), ""); + for (int i = 0; i < 8; i++) { + constant_time_conditional_memxor(t_bytes, k25519Precomp[pos][i], + sizeof(t_bytes), + constant_time_eq_w(babs, 1 + i)); + } - ge_precomp_0(t); - cmov(t, &k25519Precomp[pos][0], equal(babs, 1)); - cmov(t, &k25519Precomp[pos][1], equal(babs, 2)); - cmov(t, &k25519Precomp[pos][2], equal(babs, 3)); - cmov(t, &k25519Precomp[pos][3], equal(babs, 4)); - cmov(t, &k25519Precomp[pos][4], equal(babs, 5)); - cmov(t, &k25519Precomp[pos][5], equal(babs, 6)); - cmov(t, &k25519Precomp[pos][6], equal(babs, 7)); - cmov(t, &k25519Precomp[pos][7], equal(babs, 8)); - fe_copy_ll(&minust.yplusx, &t->yminusx); - fe_copy_ll(&minust.yminusx, &t->yplusx); + fe yplusx, yminusx, xy2d; + fe_frombytes_strict(&yplusx, t_bytes[0]); + fe_frombytes_strict(&yminusx, t_bytes[1]); + fe_frombytes_strict(&xy2d, t_bytes[2]); - // NOTE: the input table is canonical, but types don't encode it - fe tmp; - fe_carry(&tmp, &t->xy2d); - fe_neg(&minust.xy2d, &tmp); + fe_copy_lt(&t->yplusx, &yplusx); + fe_copy_lt(&t->yminusx, &yminusx); + fe_copy_lt(&t->xy2d, &xy2d); - cmov(t, &minust, bnegative); + ge_precomp minust; + fe_copy_lt(&minust.yplusx, 
&yminusx); + fe_copy_lt(&minust.yminusx, &yplusx); + fe_neg(&minust.xy2d, &xy2d); + cmov(t, &minust, bnegative>>7); } // h = a * B @@ -814,6 +797,18 @@ static void table_select(ge_precomp *t, int pos, signed char b) { // Preconditions: // a[31] <= 127 void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) { +#if defined(BORINGSSL_FE25519_ADX) + if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() && + CRYPTO_is_ADX_capable()) { + uint8_t t[4][32]; + x25519_ge_scalarmult_base_adx(t, a); + fiat_25519_from_bytes(h->X.v, t[0]); + fiat_25519_from_bytes(h->Y.v, t[1]); + fiat_25519_from_bytes(h->Z.v, t[2]); + fiat_25519_from_bytes(h->T.v, t[3]); + return; + } +#endif signed char e[64]; signed char carry; ge_p1p1 r; @@ -916,7 +911,7 @@ void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) { ge_cached selected; ge_cached_0(&selected); for (j = 0; j < 16; j++) { - cmov_cached(&selected, &Ai[j], equal(j, index)); + cmov_cached(&selected, &Ai[j], 1&constant_time_eq_w(index, j)); } x25519_ge_add(&t, &u, &selected); @@ -1911,6 +1906,8 @@ int ED25519_sign(uint8_t out_sig[64], const uint8_t *message, x25519_sc_reduce(hram); sc_muladd(out_sig + 32, hram, az, nonce); + // The signature is computed from the private key, but is public. + CONSTTIME_DECLASSIFY(out_sig, 64); return 1; } @@ -1988,6 +1985,8 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[32], ge_p3 A; x25519_ge_scalarmult_base(&A, az); ge_p3_tobytes(out_public_key, &A); + // The public key is derived from the private key, but it is public. + CONSTTIME_DECLASSIFY(out_public_key, 32); OPENSSL_memcpy(out_private_key, seed, 32); OPENSSL_memcpy(out_private_key + 32, out_public_key, 32); 
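Review bot: The new `table_select` body leans on implicit integer promotion and modular narrowing in `uint8_t babs = b - ((bnegative & b) << 1);` and in `cmov(t, &minust, bnegative>>7);`, but the hunk removes the only explanatory comments the old `negative`/`equal` helpers carried. I would add `// bnegative is 0xff when b < 0 (constant_time_msb_w on the sign-extended b), else 0.` above the `babs` line, `// The subtraction wraps mod 256, so babs == |b| for every signed char value.` on it, and `// Reduce the 0xff/0 mask to the 0/1 flag cmov expects.` on the final `cmov`. The `t_bytes` initializer also deserves a line saying it encodes the identity `(y+x, y-x, xy2d) = (1, 1, 0)` so the `b == 0` case needs no table lookup; I infer that from the encoding, so confirm it against `ge_precomp_0`. Constant-time behaviour looks preserved: every selection is a mask-driven memxor or cmov and there is no branch on `b`.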
@@ -2083,6 +2082,12 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32], x25519_NEON(out, scalar, point); return; } +#elif defined(BORINGSSL_FE25519_ADX) + if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() && + CRYPTO_is_ADX_capable()) { + x25519_scalar_mult_adx(out, scalar, point); + return; + } #endif x25519_scalar_mult_generic(out, scalar, point); diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dtls1.h b/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519_64_adx.c similarity index 82% rename from Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dtls1.h rename to Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519_64_adx.c index 38ca801c..27689896 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dtls1.h +++ b/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519_64_adx.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2015, Google Inc. +/* Copyright (c) 2023, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -12,5 +12,7 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* This header is provided in order to make compiling against code that expects - OpenSSL easier. */ +#include "internal.h" +#if defined(BORINGSSL_FE25519_ADX) +#include "../../third_party/fiat/curve25519_64_adx.h" +#endif diff --git a/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519_tables.h b/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519_tables.h index ad1f036a..6636a36a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519_tables.h +++ b/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519_tables.h 
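Review bot: The ADX dispatch predicate `CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()` added here is the same three-call expression the commit also adds to `x25519_ge_scalarmult_base`, so the two fast paths can silently drift if one is later edited. A small shared helper beside the `BORINGSSL_FE25519_ADX` block, `static int x25519_use_adx(void) { return CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable(); }`, called from both sites keeps the condition in one place and documents what the ADX assembly requires. Because this is an `#elif` hanging off what appears to be the NEON branch (given the `x25519_NEON` call above it), a build that defined both macros would never reach the ADX path; presumably `internal.h` makes them mutually exclusive, but a comment saying so would help. `x25519_scalar_mult` begins before this hunk. As this is vendored BoringSSL, the refactor should go upstream rather than into the vend output.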
@@ -142,7493 +142,2885 @@ static const uint8_t k25519SmallPrecomp[15 * 2 * 32] = { #else // k25519Precomp[i][j] = (j+1)*256^i*B -static const ge_precomp k25519Precomp[32][8] = { +const uint8_t k25519Precomp[32][8][3][32] = { { { - {{ -#if defined(OPENSSL_64_BIT) - 1288382639258501, 245678601348599, 269427782077623, - 1462984067271730, 137412439391563 -#else - 25967493, 19198397, 29566455, 3660896, 54414519, 4014786, - 27544626, 21800161, 61029707, 2047604 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 62697248952638, 204681361388450, 631292143396476, - 338455783676468, 1213667448819585 -#else - 54563134, 934261, 64385954, 3049989, 66381436, 9406985, - 12720692, 5043384, 19500929, 18085054 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 301289933810280, 1259582250014073, 1422107436869536, - 796239922652654, 1953934009299142 -#else - 58370664, 4489569, 9688441, 18769238, 10184608, 21191052, - 29287918, 11864899, 42594502, 29115885 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1380971894829527, 790832306631236, 2067202295274102, - 1995808275510000, 1566530869037010 -#else - 54292951, 20578084, 45527620, 11784319, 41753206, 30803714, - 55390960, 29739860, 66750418, 23343128 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 463307831301544, 432984605774163, 1610641361907204, - 750899048855000, 1894842303421586 -#else - 45405608, 6903824, 27185491, 6451973, 37531140, 24000426, - 51492312, 11189267, 40279186, 28235350 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 748439484463711, 1033211726465151, 1396005112841647, - 1611506220286469, 1972177495910992 -#else - 26966623, 11152617, 32442495, 15396054, 14353839, 20802097, - 63980037, 24013313, 51636816, 29387734 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1601611775252272, 1720807796594148, 1132070835939856, - 1260455018889551, 2147779492816911 -#else - 15636272, 23865875, 24204772, 25642034, 616976, 16869170, - 27787599, 18782243, 28944399, 32004408 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 316559037616741, 2177824224946892, 1459442586438991, - 1461528397712656, 751590696113597 -#else - 16568933, 4717097, 55552716, 32452109, 15682895, 21747389, - 16354576, 21778470, 7689661, 11199574 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1850748884277385, 1200145853858453, 1068094770532492, - 672251375690438, 1586055907191707 -#else - 30464137, 27578307, 55329429, 17883566, 23220364, 15915852, - 7512774, 10017326, 49359771, 23634074 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 934282339813791, 1846903124198670, 1172395437954843, - 1007037127761661, 1830588347719256 -#else - 50071967, 13921891, 10945806, 27521001, 27105051, 17470053, - 38182653, 15006022, 3284568, 27277892 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1694390458783935, 1735906047636159, 705069562067493, - 648033061693059, 696214010414170 -#else - 23599295, 25248385, 55915199, 25867015, 13236773, 10506355, - 7464579, 9656445, 13059162, 10374397 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1121406372216585, 192876649532226, 190294192191717, - 1994165897297032, 2245000007398739 -#else - 7798537, 16710257, 3033922, 2874086, 28997861, 2835604, - 32406664, 29715387, 66467155, 33453106 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 769950342298419, 132954430919746, 844085933195555, - 974092374476333, 726076285546016 -#else - 10861363, 11473154, 27284546, 1981175, 37044515, 12577860, - 32867885, 14515107, 51670560, 10819379 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 425251763115706, 608463272472562, 442562545713235, - 837766094556764, 374555092627893 -#else - 4708026, 6336745, 20377586, 9066809, 55836755, 6594695, - 41455196, 12483687, 54440373, 5581305 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1086255230780037, 274979815921559, 1960002765731872, - 929474102396301, 1190409889297339 -#else - 19563141, 16186464, 37722007, 4097518, 10237984, 29206317, - 28542349, 13850243, 43430843, 17738489 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 1388594989461809, 316767091099457, 394298842192982, - 1230079486801005, 1440737038838979 -#else - 51736881, 20691677, 32573249, 4720197, 40672342, 5875510, - 47920237, 18329612, 57289923, 21468654 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 7380825640100, 146210432690483, 304903576448906, - 1198869323871120, 997689833219095 -#else - 58559652, 109982, 15149363, 2178705, 22900618, 4543417, 3044240, - 17864545, 1762327, 14866737 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1181317918772081, 114573476638901, 262805072233344, - 265712217171332, 294181933805782 -#else - 48909169, 17603008, 56635573, 1707277, 49922944, 3916100, - 38872452, 3959420, 27914454, 4383652 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 665000864555967, 2065379846933859, 370231110385876, - 350988370788628, 1233371373142985 -#else - 5153727, 9909285, 1723747, 30776558, 30523604, 5516873, - 19480852, 5230134, 43156425, 18378665 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2019367628972465, 676711900706637, 110710997811333, - 1108646842542025, 517791959672113 -#else - 36839857, 30090922, 7665485, 10083793, 28475525, 1649722, - 20654025, 16520125, 30598449, 7715701 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 965130719900578, 247011430587952, 526356006571389, - 91986625355052, 2157223321444601 -#else - 28881826, 14381568, 9657904, 3680757, 46927229, 7843315, - 35708204, 1370707, 29794553, 32145132 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2068619540119183, 1966274918058806, 957728544705549, - 729906502578991, 159834893065166 -#else - 14499471, 30824833, 33917750, 29299779, 28494861, 14271267, - 30290735, 10876454, 33954766, 2381725 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2073601412052185, 31021124762708, 264500969797082, - 248034690651703, 1030252227928288 -#else - 59913433, 30899068, 52378708, 462250, 39384538, 3941371, - 60872247, 3696004, 34808032, 15351954 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 
551790716293402, 1989538725166328, 801169423371717, - 2052451893578887, 678432056995012 -#else - 27431194, 8222322, 16448760, 29646437, 48401861, 11938354, - 34147463, 30583916, 29551812, 10109425 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1368953770187805, 790347636712921, 437508475667162, - 2142576377050580, 1932081720066286 -#else - 53451805, 20399000, 35825113, 11777097, 21447386, 6519384, - 64730580, 31926875, 10092782, 28790261 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 953638594433374, 1092333936795051, 1419774766716690, - 805677984380077, 859228993502513 -#else - 27939166, 14210322, 4677035, 16277044, 44144402, 21156292, - 34600109, 12005537, 49298737, 12803509 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1200766035879111, 20142053207432, 1465634435977050, - 1645256912097844, 295121984874596 -#else - 17228999, 17892808, 65875336, 300139, 65883994, 21839654, - 30364212, 24516238, 18016356, 4397660 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1735718747031557, 1248237894295956, 1204753118328107, - 976066523550493, 65943769534592 -#else - 56150021, 25864224, 4776340, 18600194, 27850027, 17952220, - 40489757, 14544524, 49631360, 982638 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1060098822528990, 1586825862073490, 212301317240126, - 1975302711403555, 666724059764335 -#else - 29253598, 15796703, 64244882, 23645547, 10057022, 3163536, - 7332899, 29434304, 46061167, 9934962 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1091990273418756, 1572899409348578, 80968014455247, - 306009358661350, 1520450739132526 -#else - 5793284, 16271923, 42977250, 23438027, 29188559, 1206517, - 52360934, 4559894, 36984942, 22656481 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1480517209436112, 1511153322193952, 1244343858991172, - 304788150493241, 369136856496443 -#else - 39464912, 22061425, 16282656, 22517939, 28414020, 18542168, - 24191033, 4541697, 53770555, 5500567 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 2151330273626164, 762045184746182, 1688074332551515, - 823046109005759, 907602769079491 -#else - 12650548, 32057319, 9052870, 11355358, 49428827, 25154267, - 49678271, 12264342, 10874051, 13524335 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2047386910586836, 168470092900250, 1552838872594810, - 340951180073789, 360819374702533 -#else - 25556948, 30508442, 714650, 2510400, 23394682, 23139102, - 33119037, 5080568, 44580805, 5376627 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1982622644432056, 2014393600336956, 128909208804214, - 1617792623929191, 105294281913815 -#else - 41020600, 29543379, 50095164, 30016803, 60382070, 1920896, - 44787559, 24106988, 4535767, 1569007 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 980234343912898, 1712256739246056, 588935272190264, - 204298813091998, 841798321043288 -#else - 64853442, 14606629, 45416424, 25514613, 28430648, 8775819, - 36614302, 3044289, 31848280, 12543772 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 197561292938973, 454817274782871, 1963754960082318, - 2113372252160468, 971377527342673 -#else - 45080285, 2943892, 35251351, 6777305, 13784462, 29262229, - 39731668, 31491700, 7718481, 14474653 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 164699448829328, 3127451757672, 1199504971548753, - 1766155447043652, 1899238924683527 -#else - 2385296, 2454213, 44477544, 46602, 62670929, 17874016, 656964, - 26317767, 24316167, 28300865 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 732262946680281, 1674412764227063, 2182456405662809, - 1350894754474250, 558458873295247 -#else - 13741529, 10911568, 33875447, 24950694, 46931033, 32521134, - 33040650, 20129900, 46379407, 8321685 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2103305098582922, 1960809151316468, 715134605001343, - 1454892949167181, 40827143824949 -#else - 21060490, 31341688, 15712756, 29218333, 1639039, 10656336, - 23845965, 21679594, 57124405, 608371 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 1239289043050212, 1744654158124578, 758702410031698, - 1796762995074688, 1603056663766 -#else - 53436132, 18466845, 56219170, 25997372, 61071954, 11305546, - 1123968, 26773855, 27229398, 23887 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2232056027107988, 987343914584615, 2115594492994461, - 1819598072792159, 1119305654014850 -#else - 43864724, 33260226, 55364135, 14712570, 37643165, 31524814, - 12797023, 27114124, 65475458, 16678953 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 320153677847348, 939613871605645, 641883205761567, - 1930009789398224, 329165806634126 -#else - 37608244, 4770661, 51054477, 14001337, 7830047, 9564805, - 65600720, 28759386, 49939598, 4904952 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 980930490474130, 1242488692177893, 1251446316964684, - 1086618677993530, 1961430968465772 -#else - 24059538, 14617003, 19037157, 18514524, 19766092, 18648003, - 5169210, 16191880, 2128236, 29227599 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 276821765317453, 1536835591188030, 1305212741412361, - 61473904210175, 2051377036983058 -#else - 50127693, 4124965, 58568254, 22900634, 30336521, 19449185, - 37302527, 916032, 60226322, 30567899 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 833449923882501, 1750270368490475, 1123347002068295, - 185477424765687, 278090826653186 -#else - 44477957, 12419371, 59974635, 26081060, 50629959, 16739174, - 285431, 2763829, 15736322, 4143876 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 794524995833413, 1849907304548286, 53348672473145, - 1272368559505217, 1147304168324779 -#else - 2379333, 11839345, 62998462, 27565766, 11274297, 794957, 212801, - 18959769, 23527083, 17096164 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1504846112759364, 1203096289004681, 562139421471418, - 274333017451844, 1284344053775441 -#else - 33431108, 22423954, 49269897, 17927531, 8909498, 8376530, - 34483524, 4087880, 51919953, 19138217 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 483048732424432, 2116063063343382, 30120189902313, - 292451576741007, 1156379271702225 -#else - 1767664, 7197987, 53903638, 31531796, 54017513, 448825, 5799055, - 4357868, 62334673, 17231393 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 928372153029038, 2147692869914564, 1455665844462196, - 1986737809425946, 185207050258089 -#else - 6721966, 13833823, 43585476, 32003117, 26354292, 21691111, - 23365146, 29604700, 7390889, 2759800 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 137732961814206, 706670923917341, 1387038086865771, - 1965643813686352, 1384777115696347 -#else - 4409022, 2052381, 23373853, 10530217, 7676779, 20668478, - 21302352, 29290375, 1244379, 20634787 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 481144981981577, 2053319313589856, 2065402289827512, - 617954271490316, 1106602634668125 -#else - 62687625, 7169618, 4982368, 30596842, 30256824, 30776892, - 14086412, 9208236, 15886429, 16489664 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 696298019648792, 893299659040895, 1148636718636009, - 26734077349617, 2203955659340681 -#else - 1996056, 10375649, 14346367, 13311202, 60234729, 17116020, - 53415665, 398368, 36502409, 32841498 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 657390353372855, 998499966885562, 991893336905797, - 810470207106761, 343139804608786 -#else - 41801399, 9795879, 64331450, 14878808, 33577029, 14780362, - 13348553, 12076947, 36272402, 5113181 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 791736669492960, 934767652997115, 824656780392914, - 1759463253018643, 361530362383518 -#else - 49338080, 11797795, 31950843, 13929123, 41220562, 12288343, - 36767763, 26218045, 13847710, 5387222 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2022541353055597, 2094700262587466, 1551008075025686, - 242785517418164, 695985404963562 -#else - 48526701, 30138214, 17824842, 31213466, 22744342, 23111821, - 8763060, 3617786, 47508202, 10370990 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1287487199965223, 2215311941380308, 1552928390931986, - 1664859529680196, 1125004975265243 -#else - 20246567, 19185054, 22358228, 33010720, 18507282, 23140436, - 14554436, 24808340, 32232923, 16763880 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 677434665154918, 989582503122485, 1817429540898386, - 1052904935475344, 1143826298169798 -#else - 9648486, 10094563, 26416693, 14745928, 36734546, 27081810, - 11094160, 15689506, 3140038, 17044340 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 367266328308408, 318431188922404, 695629353755355, - 634085657580832, 24581612564426 -#else - 50948792, 5472694, 31895588, 4744994, 8823515, 10365685, - 39884064, 9448612, 38334410, 366294 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 773360688841258, 1815381330538070, 363773437667376, - 539629987070205, 783280434248437 -#else - 19153450, 11523972, 56012374, 27051289, 42461232, 5420646, - 28344573, 8041113, 719605, 11671788 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 180820816194166, 168937968377394, 748416242794470, - 1227281252254508, 1567587861004268 -#else - 8678006, 2694440, 60300850, 2517371, 4964326, 11152271, - 51675948, 18287915, 27000812, 23358879 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 478775558583645, 2062896624554807, 699391259285399, - 358099408427873, 1277310261461761 -#else - 51950941, 7134311, 8639287, 30739555, 59873175, 10421741, - 564065, 5336097, 6750977, 19033406 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1984740906540026, 1079164179400229, 1056021349262661, - 1659958556483663, 1088529069025527 -#else - 11836410, 29574944, 26297893, 16080799, 23455045, 15735944, - 1695823, 24735310, 8169719, 16220347 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 580736401511151, 1842931091388998, 1177201471228238, - 2075460256527244, 1301133425678027 -#else - 48993007, 8653646, 17578566, 27461813, 59083086, 17541668, - 55964556, 30926767, 61118155, 19388398 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 1515728832059182, 1575261009617579, 1510246567196186, - 191078022609704, 116661716289141 -#else - 43800366, 22586119, 15213227, 23473218, 36255258, 22504427, - 27884328, 2847284, 2655861, 1738395 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1295295738269652, 1714742313707026, 545583042462581, - 2034411676262552, 1513248090013606 -#else - 39571412, 19301410, 41772562, 25551651, 57738101, 8129820, - 21651608, 30315096, 48021414, 22549153 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 230710545179830, 30821514358353, 760704303452229, - 390668103790604, 573437871383156 -#else - 1533110, 3437855, 23735889, 459276, 29970501, 11335377, - 26030092, 5821408, 10478196, 8544890 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1169380107545646, 263167233745614, 2022901299054448, - 819900753251120, 2023898464874585 -#else - 32173102, 17425121, 24896206, 3921497, 22579056, 30143578, - 19270448, 12217473, 17789017, 30158437 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2102254323485823, 1570832666216754, 34696906544624, - 1993213739807337, 70638552271463 -#else - 36555903, 31326030, 51530034, 23407230, 13243888, 517024, - 15479401, 29701199, 30460519, 1052596 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 894132856735058, 548675863558441, 845349339503395, - 1942269668326667, 1615682209874691 -#else - 55493970, 13323617, 32618793, 8175907, 51878691, 12596686, - 27491595, 28942073, 3179267, 24075541 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1287670217537834, 1222355136884920, 1846481788678694, - 1150426571265110, 1613523400722047 -#else - 31947050, 19187781, 62468280, 18214510, 51982886, 27514722, - 52352086, 17142691, 19072639, 24043372 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 793388516527298, 1315457083650035, 1972286999342417, - 1901825953052455, 338269477222410 -#else - 11685058, 11822410, 3158003, 19601838, 33402193, 29389366, - 5977895, 28339415, 473098, 5040608 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 550201530671806, 778605267108140, 2063911101902983, - 115500557286349, 2041641272971022 -#else - 46817982, 8198641, 39698732, 11602122, 1290375, 30754672, - 28326861, 1721092, 47550222, 30422825 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 717255318455100, 519313764361315, 2080406977303708, - 541981206705521, 774328150311600 -#else - 7881532, 10687937, 7578723, 7738378, 48157852, 31000479, - 21820785, 8076149, 39240368, 11538388 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 261715221532238, 1795354330069993, 1496878026850283, - 499739720521052, 389031152673770 -#else - 47173198, 3899860, 18283497, 26752864, 51380203, 22305220, - 8754524, 7446702, 61432810, 5797015 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1997217696294013, 1717306351628065, 1684313917746180, - 1644426076011410, 1857378133465451 -#else - 55813245, 29760862, 51326753, 25589858, 12708868, 25098233, - 2014098, 24503858, 64739691, 27677090 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1475434724792648, 76931896285979, 1116729029771667, - 2002544139318042, 725547833803938 -#else - 44636488, 21985690, 39426843, 1146374, 18956691, 16640559, - 1192730, 29840233, 15123618, 10811505 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2022306639183567, 726296063571875, 315345054448644, - 1058733329149221, 1448201136060677 -#else - 14352079, 30134717, 48166819, 10822654, 32750596, 4699007, - 67038501, 15776355, 38222085, 21579878 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1710065158525665, 1895094923036397, 123988286168546, - 1145519900776355, 1607510767693874 -#else - 38867681, 25481956, 62129901, 28239114, 29416930, 1847569, - 46454691, 17069576, 4714546, 23953777 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 561605375422540, 1071733543815037, 131496498800990, - 1946868434569999, 828138133964203 -#else - 15200332, 8368572, 19679101, 15970074, 35236190, 1959450, - 24611599, 29010600, 55362987, 12340219 -#endif - }}, - 
{{ -#if defined(OPENSSL_64_BIT) - 1548495173745801, 442310529226540, 998072547000384, - 553054358385281, 644824326376171 -#else - 12876937, 23074376, 33134380, 6590940, 60801088, 14872439, - 9613953, 8241152, 15370987, 9608631 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1445526537029440, 2225519789662536, 914628859347385, - 1064754194555068, 1660295614401091 -#else - 62965568, 21540023, 8446280, 33162829, 4407737, 13629032, - 59383996, 15866073, 38898243, 24740332 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1199690223111956, 24028135822341, 66638289244341, - 57626156285975, 565093967979607 -#else - 26660628, 17876777, 8393733, 358047, 59707573, 992987, 43204631, - 858696, 20571223, 8420556 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 876926774220824, 554618976488214, 1012056309841565, - 839961821554611, 1414499340307677 -#else - 14620696, 13067227, 51661590, 8264466, 14106269, 15080814, - 33531827, 12516406, 45534429, 21077682 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 703047626104145, 1266841406201770, 165556500219173, - 486991595001879, 1011325891650656 -#else - 236881, 10476226, 57258, 18877408, 6472997, 2466984, 17258519, - 7256740, 8791136, 15069930 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1622861044480487, 1156394801573634, 1869132565415504, - 327103985777730, 2095342781472284 -#else - 1276391, 24182514, 22949634, 17231625, 43615824, 27852245, - 14711874, 4874229, 36445724, 31223040 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 334886927423922, 489511099221528, 129160865966726, - 1720809113143481, 619700195649254 -#else - 5855666, 4990204, 53397016, 7294283, 59304582, 1924646, - 65685689, 25642053, 34039526, 9234252 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1646545795166119, 1758370782583567, 714746174550637, - 1472693650165135, 898994790308209 -#else - 20590503, 24535444, 31529743, 26201766, 64402029, 10650547, - 31559055, 21944845, 18979185, 13396066 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 333403773039279, 295772542452938, 1693106465353610, - 912330357530760, 471235657950362 -#else - 24474287, 4968103, 22267082, 4407354, 24063882, 25229252, - 48291976, 13594781, 33514650, 7021958 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1811196219982022, 1068969825533602, 289602974833439, - 1988956043611592, 863562343398367 -#else - 55541958, 26988926, 45743778, 15928891, 40950559, 4315420, - 41160136, 29637754, 45628383, 12868081 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 906282429780072, 2108672665779781, 432396390473936, - 150625823801893, 1708930497638539 -#else - 38473832, 13504660, 19988037, 31421671, 21078224, 6443208, - 45662757, 2244499, 54653067, 25465048 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 925664675702328, 21416848568684, 1831436641861340, - 601157008940113, 371818055044496 -#else - 36513336, 13793478, 61256044, 319135, 41385692, 27290532, - 33086545, 8957937, 51875216, 5540520 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1479786007267725, 1738881859066675, 68646196476567, - 2146507056100328, 1247662817535471 -#else - 55478669, 22050529, 58989363, 25911358, 2620055, 1022908, - 43398120, 31985447, 50980335, 18591624 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 52035296774456, 939969390708103, 312023458773250, - 59873523517659, 1231345905848899 -#else - 23152952, 775386, 27395463, 14006635, 57407746, 4649511, - 1689819, 892185, 55595587, 18348483 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 643355106415761, 290186807495774, 2013561737429023, - 319648069511546, 393736678496162 -#else - 9770129, 9586738, 26496094, 4324120, 1556511, 30004408, - 27453818, 4763127, 47929250, 5867133 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 129358342392716, 1932811617704777, 1176749390799681, - 398040349861790, 1170779668090425 -#else - 34343820, 1927589, 31726409, 28801137, 23962433, 17534932, - 27846558, 5931263, 37359161, 17445976 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 
2051980782668029, 121859921510665, 2048329875753063, - 1235229850149665, 519062146124755 -#else - 27461885, 30576896, 22380809, 1815854, 44075111, 30522493, - 7283489, 18406359, 47582163, 7734628 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1608170971973096, 415809060360428, 1350468408164766, - 2038620059057678, 1026904485989112 -#else - 59098600, 23963614, 55988460, 6196037, 29344158, 20123547, - 7585294, 30377806, 18549496, 15302069 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1837656083115103, 1510134048812070, 906263674192061, - 1821064197805734, 565375124676301 -#else - 34450527, 27383209, 59436070, 22502750, 6258877, 13504381, - 10458790, 27135971, 58236621, 8424745 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 578027192365650, 2034800251375322, 2128954087207123, - 478816193810521, 2196171989962750 -#else - 24687186, 8613276, 36441818, 30320886, 1863891, 31723888, - 19206233, 7134917, 55824382, 32725512 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1633188840273139, 852787172373708, 1548762607215796, - 1266275218902681, 1107218203325133 -#else - 11334899, 24336410, 8025292, 12707519, 17523892, 23078361, - 10243737, 18868971, 62042829, 16498836 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 462189358480054, 1784816734159228, 1611334301651368, - 1303938263943540, 707589560319424 -#else - 8911542, 6887158, 57524604, 26595841, 11145640, 24010752, - 17303924, 19430194, 6536640, 10543906 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1038829280972848, 38176604650029, 753193246598573, - 1136076426528122, 595709990562434 -#else - 38162480, 15479762, 49642029, 568875, 65611181, 11223453, - 64439674, 16928857, 39873154, 8876770 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1408451820859834, 2194984964010833, 2198361797561729, - 1061962440055713, 1645147963442934 -#else - 41365946, 20987567, 51458897, 32707824, 34082177, 32758143, - 33627041, 15824473, 66504438, 24514614 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 4701053362120, 1647641066302348, 1047553002242085, - 1923635013395977, 206970314902065 -#else - 10330056, 70051, 7957388, 24551765, 9764901, 15609756, 27698697, - 28664395, 1657393, 3084098 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1750479161778571, 1362553355169293, 1891721260220598, - 966109370862782, 1024913988299801 -#else - 10477963, 26084172, 12119565, 20303627, 29016246, 28188843, - 31280318, 14396151, 36875289, 15272408 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 212699049131723, 1117950018299775, 1873945661751056, - 1403802921984058, 130896082652698 -#else - 54820555, 3169462, 28813183, 16658753, 25116432, 27923966, - 41934906, 20918293, 42094106, 1950503 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 636808533673210, 1262201711667560, 390951380330599, - 1663420692697294, 561951321757406 -#else - 40928506, 9489186, 11053416, 18808271, 36055143, 5825629, - 58724558, 24786899, 15341278, 8373727 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 520731594438141, 1446301499955692, 273753264629267, - 1565101517999256, 1019411827004672 -#else - 28685821, 7759505, 52730348, 21551571, 35137043, 4079241, - 298136, 23321830, 64230656, 15190419 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 926527492029409, 1191853477411379, 734233225181171, - 184038887541270, 1790426146325343 -#else - 34175969, 13806335, 52771379, 17760000, 43104243, 10940927, - 8669718, 2742393, 41075551, 26679428 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1464651961852572, 1483737295721717, 1519450561335517, - 1161429831763785, 405914998179977 -#else - 65528476, 21825014, 41129205, 22109408, 49696989, 22641577, - 9291593, 17306653, 54954121, 6048604 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 996126634382301, 796204125879525, 127517800546509, - 344155944689303, 615279846169038 -#else - 36803549, 14843443, 1539301, 11864366, 20201677, 1900163, - 13934231, 5128323, 11213262, 9168384 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 738724080975276, 2188666632415296, 1961313708559162, - 1506545807547587, 1151301638969740 -#else - 40828332, 11007846, 19408960, 32613674, 48515898, 29225851, - 62020803, 22449281, 20470156, 17155731 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 622917337413835, 1218989177089035, 1284857712846592, - 970502061709359, 351025208117090 -#else - 43972811, 9282191, 14855179, 18164354, 59746048, 19145871, - 44324911, 14461607, 14042978, 5230683 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2067814584765580, 1677855129927492, 2086109782475197, - 235286517313238, 1416314046739645 -#else - 29969548, 30812838, 50396996, 25001989, 9175485, 31085458, - 21556950, 3506042, 61174973, 21104723 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 586844262630358, 307444381952195, 458399356043426, - 602068024507062, 1028548203415243 -#else - 63964118, 8744660, 19704003, 4581278, 46678178, 6830682, - 45824694, 8971512, 38569675, 15326562 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 678489922928203, 2016657584724032, 90977383049628, - 1026831907234582, 615271492942522 -#else - 47644235, 10110287, 49846336, 30050539, 43608476, 1355668, - 51585814, 15300987, 46594746, 9168259 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 301225714012278, 1094837270268560, 1202288391010439, - 644352775178361, 1647055902137983 -#else - 61755510, 4488612, 43305616, 16314346, 7780487, 17915493, - 38160505, 9601604, 33087103, 24543045 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1210746697896478, 1416608304244708, 686487477217856, - 1245131191434135, 1051238336855737 -#else - 47665694, 18041531, 46311396, 21109108, 37284416, 10229460, - 39664535, 18553900, 61111993, 15664671 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1135604073198207, 1683322080485474, 769147804376683, - 2086688130589414, 900445683120379 -#else - 23294591, 16921819, 44458082, 25083453, 27844203, 11461195, - 13099750, 31094076, 18151675, 13417686 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1971518477615628, 401909519527336, 448627091057375, - 1409486868273821, 1214789035034363 -#else - 42385932, 29377914, 35958184, 5988918, 40250079, 6685064, - 1661597, 21002991, 15271675, 18101767 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1364039144731711, 1897497433586190, 2203097701135459, - 145461396811251, 1349844460790699 -#else - 11433023, 20325767, 8239630, 28274915, 65123427, 32828713, - 48410099, 2167543, 60187563, 20114249 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1045230323257973, 818206601145807, 630513189076103, - 1672046528998132, 807204017562437 -#else - 35672693, 15575145, 30436815, 12192228, 44645511, 9395378, - 57191156, 24915434, 12215109, 12028277 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 439961968385997, 386362664488986, 1382706320807688, - 309894000125359, 2207801346498567 -#else - 14098381, 6555944, 23007258, 5757252, 51681032, 20603929, - 30123439, 4617780, 50208775, 32898803 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1229004686397588, 920643968530863, 123975893911178, - 681423993215777, 1400559197080973 -#else - 63082644, 18313596, 11893167, 13718664, 52299402, 1847384, - 51288865, 10154008, 23973261, 20869958 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2003766096898049, 170074059235165, 1141124258967971, - 1485419893480973, 1573762821028725 -#else - 40577025, 29858441, 65199965, 2534300, 35238307, 17004076, - 18341389, 22134481, 32013173, 23450893 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 729905708611432, 1270323270673202, 123353058984288, - 426460209632942, 2195574535456672 -#else - 41629544, 10876442, 55337778, 18929291, 54739296, 1838103, - 21911214, 6354752, 4425632, 32716610 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1271140255321235, 2044363183174497, 52125387634689, - 1445120246694705, 942541986339084 -#else - 56675475, 18941465, 22229857, 30463385, 53917697, 776728, - 49693489, 21533969, 4725004, 14044970 -#endif - }}, - 
{{ -#if defined(OPENSSL_64_BIT) - 1761608437466135, 583360847526804, 1586706389685493, - 2157056599579261, 1170692369685772 -#else - 19268631, 26250011, 1555348, 8692754, 45634805, 23643767, - 6347389, 32142648, 47586572, 17444675 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 871476219910823, 1878769545097794, 2241832391238412, - 548957640601001, 690047440233174 -#else - 42244775, 12986007, 56209986, 27995847, 55796492, 33405905, - 19541417, 8180106, 9282262, 10282508 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 297194732135507, 1366347803776820, 1301185512245601, - 561849853336294, 1533554921345731 -#else - 40903763, 4428546, 58447668, 20360168, 4098401, 19389175, - 15522534, 8372215, 5542595, 22851749 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 999628998628371, 1132836708493400, 2084741674517453, - 469343353015612, 678782988708035 -#else - 56546323, 14895632, 26814552, 16880582, 49628109, 31065071, - 64326972, 6993760, 49014979, 10114654 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2189427607417022, 699801937082607, 412764402319267, - 1478091893643349, 2244675696854460 -#else - 47001790, 32625013, 31422703, 10427861, 59998115, 6150668, - 38017109, 22025285, 25953724, 33448274 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1712292055966563, 204413590624874, 1405738637332841, - 408981300829763, 861082219276721 -#else - 62874467, 25515139, 57989738, 3045999, 2101609, 20947138, - 19390019, 6094296, 63793585, 12831124 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 508561155940631, 966928475686665, 2236717801150132, - 424543858577297, 2089272956986143 -#else - 51110167, 7578151, 5310217, 14408357, 33560244, 33329692, - 31575953, 6326196, 7381791, 31132593 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 221245220129925, 1156020201681217, 491145634799213, - 542422431960839, 828100817819207 -#else - 46206085, 3296810, 24736065, 17226043, 18374253, 7318640, - 6295303, 8082724, 51746375, 12339663 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 153756971240384, 1299874139923977, 393099165260502, - 1058234455773022, 996989038681183 -#else - 27724736, 2291157, 6088201, 19369634, 1792726, 5857634, - 13848414, 15768922, 25091167, 14856294 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 559086812798481, 573177704212711, 1629737083816402, - 1399819713462595, 1646954378266038 -#else - 48242193, 8331042, 24373479, 8541013, 66406866, 24284974, - 12927299, 20858939, 44926390, 24541532 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1887963056288059, 228507035730124, 1468368348640282, - 930557653420194, 613513962454686 -#else - 55685435, 28132841, 11632844, 3405020, 30536730, 21880393, - 39848098, 13866389, 30146206, 9142070 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1224529808187553, 1577022856702685, 2206946542980843, - 625883007765001, 279930793512158 -#else - 3924129, 18246916, 53291741, 23499471, 12291819, 32886066, - 39406089, 9326383, 58871006, 4171293 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1076287717051609, 1114455570543035, 187297059715481, - 250446884292121, 1885187512550540 -#else - 51186905, 16037936, 6713787, 16606682, 45496729, 2790943, - 26396185, 3731949, 345228, 28091483 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 902497362940219, 76749815795675, 1657927525633846, - 1420238379745202, 1340321636548352 -#else - 45781307, 13448258, 25284571, 1143661, 20614966, 24705045, - 2031538, 21163201, 50855680, 19972348 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1129576631190784, 1281994010027327, 996844254743018, - 257876363489249, 1150850742055018 -#else - 31016192, 16832003, 26371391, 19103199, 62081514, 14854136, - 17477601, 3842657, 28012650, 17149012 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 628740660038789, 1943038498527841, 467786347793886, - 1093341428303375, 235413859513003 -#else - 62033029, 9368965, 58546785, 28953529, 51858910, 6970559, - 57918991, 16292056, 58241707, 3507939 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 237425418909360, 469614029179605, 1512389769174935, - 1241726368345357, 441602891065214 -#else - 29439664, 3537914, 23333589, 6997794, 49553303, 22536363, - 51899661, 18503164, 57943934, 6580395 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1736417953058555, 726531315520508, 1833335034432527, - 1629442561574747, 624418919286085 -#else - 54923003, 25874643, 16438268, 10826160, 58412047, 27318820, - 17860443, 24280586, 65013061, 9304566 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1960754663920689, 497040957888962, 1909832851283095, - 1271432136996826, 2219780368020940 -#else - 20714545, 29217521, 29088194, 7406487, 11426967, 28458727, - 14792666, 18945815, 5289420, 33077305 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1537037379417136, 1358865369268262, 2130838645654099, - 828733687040705, 1999987652890901 -#else - 50443312, 22903641, 60948518, 20248671, 9192019, 31751970, - 17271489, 12349094, 26939669, 29802138 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 629042105241814, 1098854999137608, 887281544569320, - 1423102019874777, 7911258951561 -#else - 54218966, 9373457, 31595848, 16374215, 21471720, 13221525, - 39825369, 21205872, 63410057, 117886 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1811562332665373, 1501882019007673, 2213763501088999, - 359573079719636, 36370565049116 -#else - 22263325, 26994382, 3984569, 22379786, 51994855, 32987646, - 28311252, 5358056, 43789084, 541963 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 218907117361280, 1209298913016966, 1944312619096112, - 1130690631451061, 1342327389191701 -#else - 16259200, 3261970, 2309254, 18019958, 50223152, 28972515, - 24134069, 16848603, 53771797, 20002236 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1369976867854704, 1396479602419169, 1765656654398856, - 2203659200586299, 998327836117241 -#else - 9378160, 20414246, 44262881, 20809167, 28198280, 26310334, - 64709179, 32837080, 690425, 14876244 -#endif - }}, - 
{{ -#if defined(OPENSSL_64_BIT) - 2230701885562825, 1348173180338974, 2172856128624598, - 1426538746123771, 444193481326151 -#else - 24977353, 33240048, 58884894, 20089345, 28432342, 32378079, - 54040059, 21257083, 44727879, 6618998 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 784210426627951, 918204562375674, 1284546780452985, - 1324534636134684, 1872449409642708 -#else - 65570671, 11685645, 12944378, 13682314, 42719353, 19141238, - 8044828, 19737104, 32239828, 27901670 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 319638829540294, 596282656808406, 2037902696412608, - 1557219121643918, 341938082688094 -#else - 48505798, 4762989, 66182614, 8885303, 38696384, 30367116, - 9781646, 23204373, 32779358, 5095274 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1901860206695915, 2004489122065736, 1625847061568236, - 973529743399879, 2075287685312905 -#else - 34100715, 28339925, 34843976, 29869215, 9460460, 24227009, - 42507207, 14506723, 21639561, 30924196 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1371853944110545, 1042332820512553, 1949855697918254, - 1791195775521505, 37487364849293 -#else - 50707921, 20442216, 25239337, 15531969, 3987758, 29055114, - 65819361, 26690896, 17874573, 558605 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 687200189577855, 1082536651125675, 644224940871546, - 340923196057951, 343581346747396 -#else - 53508735, 10240080, 9171883, 16131053, 46239610, 9599699, - 33499487, 5080151, 2085892, 5119761 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2082717129583892, 27829425539422, 145655066671970, - 1690527209845512, 1865260509673478 -#else - 44903700, 31034903, 50727262, 414690, 42089314, 2170429, - 30634760, 25190818, 35108870, 27794547 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1059729620568824, 2163709103470266, 1440302280256872, - 1769143160546397, 869830310425069 -#else - 60263160, 15791201, 8550074, 32241778, 29928808, 21462176, - 27534429, 26362287, 44757485, 12961481 -#endif - }}, - }, - { - 
{{ -#if defined(OPENSSL_64_BIT) - 1609516219779025, 777277757338817, 2101121130363987, - 550762194946473, 1905542338659364 -#else - 42616785, 23983660, 10368193, 11582341, 43711571, 31309144, - 16533929, 8206996, 36914212, 28394793 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2024821921041576, 426948675450149, 595133284085473, - 471860860885970, 600321679413000 -#else - 55987368, 30172197, 2307365, 6362031, 66973409, 8868176, - 50273234, 7031274, 7589640, 8945490 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 598474602406721, 1468128276358244, 1191923149557635, - 1501376424093216, 1281662691293476 -#else - 34956097, 8917966, 6661220, 21876816, 65916803, 17761038, - 7251488, 22372252, 24099108, 19098262 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1721138489890707, 1264336102277790, 433064545421287, - 1359988423149466, 1561871293409447 -#else - 5019539, 25646962, 4244126, 18840076, 40175591, 6453164, - 47990682, 20265406, 60876967, 23273695 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 719520245587143, 393380711632345, 132350400863381, - 1543271270810729, 1819543295798660 -#else - 10853575, 10721687, 26480089, 5861829, 44113045, 1972174, - 65242217, 22996533, 63745412, 27113307 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 396397949784152, 1811354474471839, 1362679985304303, - 2117033964846756, 498041172552279 -#else - 50106456, 5906789, 221599, 26991285, 7828207, 20305514, - 24362660, 31546264, 53242455, 7421391 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1812471844975748, 1856491995543149, 126579494584102, - 1036244859282620, 1975108050082550 -#else - 8139908, 27007935, 32257645, 27663886, 30375718, 1886181, - 45933756, 15441251, 28826358, 29431403 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 650623932407995, 1137551288410575, 2125223403615539, - 1725658013221271, 2134892965117796 -#else - 6267067, 9695052, 7709135, 16950835, 34239795, 31668296, - 14795159, 25714308, 13746020, 31812384 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 522584000310195, 1241762481390450, 1743702789495384, - 2227404127826575, 1686746002148897 -#else - 28584883, 7787108, 60375922, 18503702, 22846040, 25983196, - 63926927, 33190907, 4771361, 25134474 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 427904865186312, 1703211129693455, 1585368107547509, - 1436984488744336, 761188534613978 -#else - 24949256, 6376279, 39642383, 25379823, 48462709, 23623825, - 33543568, 21412737, 3569626, 11342593 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 318101947455002, 248138407995851, 1481904195303927, - 309278454311197, 1258516760217879 -#else - 26514970, 4740088, 27912651, 3697550, 19331575, 22082093, - 6809885, 4608608, 7325975, 18753361 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1275068538599310, 513726919533379, 349926553492294, - 688428871968420, 1702400196000666 -#else - 55490446, 19000001, 42787651, 7655127, 65739590, 5214311, - 39708324, 10258389, 49462170, 25367739 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1061864036265233, 961611260325381, 321859632700838, - 1045600629959517, 1985130202504038 -#else - 11431185, 15823007, 26570245, 14329124, 18029990, 4796082, - 35662685, 15580663, 9280358, 29580745 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1558816436882417, 1962896332636523, 1337709822062152, - 1501413830776938, 294436165831932 -#else - 66948081, 23228174, 44253547, 29249434, 46247496, 19933429, - 34297962, 22372809, 51563772, 4387440 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 818359826554971, 1862173000996177, 626821592884859, - 573655738872376, 1749691246745455 -#else - 46309467, 12194511, 3937617, 27748540, 39954043, 9340369, - 42594872, 8548136, 20617071, 26072431 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1988022651432119, 1082111498586040, 1834020786104821, - 1454826876423687, 692929915223122 -#else - 66170039, 29623845, 58394552, 16124717, 24603125, 27329039, - 53333511, 21678609, 24345682, 10325460 -#endif - 
}}, - {{ -#if defined(OPENSSL_64_BIT) - 2146513703733331, 584788900394667, 464965657279958, - 2183973639356127, 238371159456790 -#else - 47253587, 31985546, 44906155, 8714033, 14007766, 6928528, - 16318175, 32543743, 4766742, 3552007 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1129007025494441, 2197883144413266, 265142755578169, - 971864464758890, 1983715884903702 -#else - 45357481, 16823515, 1351762, 32751011, 63099193, 3950934, - 3217514, 14481909, 10988822, 29559670 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1291366624493075, 381456718189114, 1711482489312444, - 1815233647702022, 892279782992467 -#else - 15564307, 19242862, 3101242, 5684148, 30446780, 25503076, - 12677126, 27049089, 58813011, 13296004 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 444548969917454, 1452286453853356, 2113731441506810, - 645188273895859, 810317625309512 -#else - 57666574, 6624295, 36809900, 21640754, 62437882, 31497052, - 31521203, 9614054, 37108040, 12074673 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2242724082797924, 1373354730327868, 1006520110883049, - 2147330369940688, 1151816104883620 -#else - 4771172, 33419193, 14290748, 20464580, 27992297, 14998318, - 65694928, 31997715, 29832612, 17163397 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1745720200383796, 1911723143175317, 2056329390702074, - 355227174309849, 879232794371100 -#else - 7064884, 26013258, 47946901, 28486894, 48217594, 30641695, - 25825241, 5293297, 39986204, 13101589 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 163723479936298, 115424889803150, 1156016391581227, - 1894942220753364, 1970549419986329 -#else - 64810282, 2439669, 59642254, 1719964, 39841323, 17225986, - 32512468, 28236839, 36752793, 29363474 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 681981452362484, 267208874112496, 1374683991933094, - 638600984916117, 646178654558546 -#else - 37102324, 10162315, 33928688, 3981722, 50626726, 20484387, - 14413973, 9515896, 19568978, 9628812 -#endif - }}, - }, - 
{ - {{ -#if defined(OPENSSL_64_BIT) - 13378654854251, 106237307029567, 1944412051589651, - 1841976767925457, 230702819835573 -#else - 33053803, 199357, 15894591, 1583059, 27380243, 28973997, - 49269969, 27447592, 60817077, 3437739 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 260683893467075, 854060306077237, 913639551980112, - 4704576840123, 280254810808712 -#else - 48129987, 3884492, 19469877, 12726490, 15913552, 13614290, - 44147131, 70103, 7463304, 4176122 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 715374893080287, 1173334812210491, 1806524662079626, - 1894596008000979, 398905715033393 -#else - 39984863, 10659916, 11482427, 17484051, 12771466, 26919315, - 34389459, 28231680, 24216881, 5944158 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 500026409727661, 1596431288195371, 1420380351989370, - 985211561521489, 392444930785633 -#else - 8894125, 7450974, 64444715, 23788679, 39028346, 21165316, - 19345745, 14680796, 11632993, 5847885 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2096421546958141, 1922523000950363, 789831022876840, - 427295144688779, 320923973161730 -#else - 26942781, 31239115, 9129563, 28647825, 26024104, 11769399, - 55590027, 6367193, 57381634, 4782139 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1927770723575450, 1485792977512719, 1850996108474547, - 551696031508956, 2126047405475647 -#else - 19916442, 28726022, 44198159, 22140040, 25606323, 27581991, - 33253852, 8220911, 6358847, 31680575 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2112099158080148, 742570803909715, 6484558077432, - 1951119898618916, 93090382703416 -#else - 801428, 31472730, 16569427, 11065167, 29875704, 96627, 7908388, - 29073952, 53570360, 1387154 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 383905201636970, 859946997631870, 855623867637644, - 1017125780577795, 794250831877809 -#else - 19646058, 5720633, 55692158, 12814208, 11607948, 12749789, - 14147075, 15156355, 45242033, 11835259 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 77571826285752, 999304298101753, 487841111777762, - 1038031143212339, 339066367948762 -#else - 19299512, 1155910, 28703737, 14890794, 2925026, 7269399, - 26121523, 15467869, 40548314, 5052482 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 674994775520533, 266035846330789, 826951213393478, - 1405007746162285, 1781791018620876 -#else - 64091413, 10058205, 1980837, 3964243, 22160966, 12322533, - 60677741, 20936246, 12228556, 26550755 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1001412661522686, 348196197067298, 1666614366723946, - 888424995032760, 580747687801357 -#else - 32944382, 14922211, 44263970, 5188527, 21913450, 24834489, - 4001464, 13238564, 60994061, 8653814 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1939560076207777, 1409892634407635, 552574736069277, - 383854338280405, 190706709864139 -#else - 22865569, 28901697, 27603667, 21009037, 14348957, 8234005, - 24808405, 5719875, 28483275, 2841751 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2177087163428741, 1439255351721944, 1208070840382793, - 2230616362004769, 1396886392021913 -#else - 50687877, 32441126, 66781144, 21446575, 21886281, 18001658, - 65220897, 33238773, 19932057, 20815229 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 676962063230039, 1880275537148808, 2046721011602706, - 888463247083003, 1318301552024067 -#else - 55452759, 10087520, 58243976, 28018288, 47830290, 30498519, - 3999227, 13239134, 62331395, 19644223 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1466980508178206, 617045217998949, 652303580573628, - 757303753529064, 207583137376902 -#else - 1382174, 21859713, 17266789, 9194690, 53784508, 9720080, - 20403944, 11284705, 53095046, 3093229 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1511056752906902, 105403126891277, 493434892772846, - 1091943425335976, 1802717338077427 -#else - 16650902, 22516500, 66044685, 1570628, 58779118, 7352752, - 66806440, 16271224, 43059443, 26862581 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 1853982405405128, 1878664056251147, 1528011020803992, - 1019626468153565, 1128438412189035 -#else - 45197768, 27626490, 62497547, 27994275, 35364760, 22769138, - 24123613, 15193618, 45456747, 16815042 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1963939888391106, 293456433791664, 697897559513649, - 985882796904380, 796244541237972 -#else - 57172930, 29264984, 41829040, 4372841, 2087473, 10399484, - 31870908, 14690798, 17361620, 11864968 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 416770998629779, 389655552427054, 1314476859406756, - 1749382513022778, 1161905598739491 -#else - 55801235, 6210371, 13206574, 5806320, 38091172, 19587231, - 54777658, 26067830, 41530403, 17313742 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1428358296490651, 1027115282420478, 304840698058337, - 441410174026628, 1819358356278573 -#else - 14668443, 21284197, 26039038, 15305210, 25515617, 4542480, - 10453892, 6577524, 9145645, 27110552 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 204943430200135, 1554861433819175, 216426658514651, - 264149070665950, 2047097371738319 -#else - 5974855, 3053895, 57675815, 23169240, 35243739, 3225008, - 59136222, 3936127, 61456591, 30504127 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1934415182909034, 1393285083565062, 516409331772960, - 1157690734993892, 121039666594268 -#else - 30625386, 28825032, 41552902, 20761565, 46624288, 7695098, - 17097188, 17250936, 39109084, 1803631 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 662035583584445, 286736105093098, 1131773000510616, - 818494214211439, 472943792054479 -#else - 63555773, 9865098, 61880298, 4272700, 61435032, 16864731, - 14911343, 12196514, 45703375, 7047411 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 665784778135882, 1893179629898606, 808313193813106, - 276797254706413, 1563426179676396 -#else - 20093258, 9920966, 55970670, 28210574, 13161586, 12044805, - 34252013, 4124600, 34765036, 23296865 -#endif - }}, - }, - { - {{ 
-#if defined(OPENSSL_64_BIT) - 945205108984232, 526277562959295, 1324180513733566, - 1666970227868664, 153547609289173 -#else - 46320040, 14084653, 53577151, 7842146, 19119038, 19731827, - 4752376, 24839792, 45429205, 2288037 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2031433403516252, 203996615228162, 170487168837083, - 981513604791390, 843573964916831 -#else - 40289628, 30270716, 29965058, 3039786, 52635099, 2540456, - 29457502, 14625692, 42289247, 12570231 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1476570093962618, 838514669399805, 1857930577281364, - 2017007352225784, 317085545220047 -#else - 66045306, 22002608, 16920317, 12494842, 1278292, 27685323, - 45948920, 30055751, 55134159, 4724942 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1461557121912842, 1600674043318359, 2157134900399597, - 1670641601940616, 127765583803283 -#else - 17960970, 21778898, 62967895, 23851901, 58232301, 32143814, - 54201480, 24894499, 37532563, 1903855 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1293543509393474, 2143624609202546, 1058361566797508, - 214097127393994, 946888515472729 -#else - 23134274, 19275300, 56426866, 31942495, 20684484, 15770816, - 54119114, 3190295, 26955097, 14109738 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 357067959932916, 1290876214345711, 521245575443703, - 1494975468601005, 800942377643885 -#else - 15308788, 5320727, 36995055, 19235554, 22902007, 7767164, - 29425325, 22276870, 31960941, 11934971 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 566116659100033, 820247422481740, 994464017954148, - 327157611686365, 92591318111744 -#else - 39713153, 8435795, 4109644, 12222639, 42480996, 14818668, - 20638173, 4875028, 10491392, 1379718 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 617256647603209, 1652107761099439, 1857213046645471, - 1085597175214970, 817432759830522 -#else - 53949449, 9197840, 3875503, 24618324, 65725151, 27674630, - 33518458, 16176658, 21432314, 12180697 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 771808161440705, 1323510426395069, 680497615846440, - 851580615547985, 1320806384849017 -#else - 55321537, 11500837, 13787581, 19721842, 44678184, 10140204, - 1465425, 12689540, 56807545, 19681548 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1219260086131915, 647169006596815, 79601124759706, - 2161724213426748, 404861897060198 -#else - 5414091, 18168391, 46101199, 9643569, 12834970, 1186149, - 64485948, 32212200, 26128230, 6032912 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1327968293887866, 1335500852943256, 1401587164534264, - 558137311952440, 1551360549268902 -#else - 40771450, 19788269, 32496024, 19900513, 17847800, 20885276, - 3604024, 8316894, 41233830, 23117073 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 417621685193956, 1429953819744454, 396157358457099, - 1940470778873255, 214000046234152 -#else - 3296484, 6223048, 24680646, 21307972, 44056843, 5903204, - 58246567, 28915267, 12376616, 3188849 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1268047918491973, 2172375426948536, 1533916099229249, - 1761293575457130, 1590622667026765 -#else - 29190469, 18895386, 27549112, 32370916, 3520065, 22857131, - 32049514, 26245319, 50999629, 23702124 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1627072914981959, 2211603081280073, 1912369601616504, - 1191770436221309, 2187309757525860 -#else - 52364359, 24245275, 735817, 32955454, 46701176, 28496527, - 25246077, 17758763, 18640740, 32593455 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1149147819689533, 378692712667677, 828475842424202, - 2218619146419342, 70688125792186 -#else - 60180029, 17123636, 10361373, 5642961, 4910474, 12345252, - 35470478, 33060001, 10530746, 1053335 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1299739417079761, 1438616663452759, 1536729078504412, - 2053896748919838, 1008421032591246 -#else - 37842897, 19367626, 53570647, 21437058, 47651804, 22899047, - 35646494, 30605446, 24018830, 15026644 -#endif - 
}}, - {{ -#if defined(OPENSSL_64_BIT) - 2040723824657366, 399555637875075, 632543375452995, - 872649937008051, 1235394727030233 -#else - 44516310, 30409154, 64819587, 5953842, 53668675, 9425630, - 25310643, 13003497, 64794073, 18408815 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2211311599327900, 2139787259888175, 938706616835350, - 12609661139114, 2081897930719789 -#else - 39688860, 32951110, 59064879, 31885314, 41016598, 13987818, - 39811242, 187898, 43942445, 31022696 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1324994503390450, 336982330582631, 1183998925654177, - 1091654665913274, 48727673971319 -#else - 45364466, 19743956, 1844839, 5021428, 56674465, 17642958, - 9716666, 16266922, 62038647, 726098 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1845522914617879, 1222198248335542, 150841072760134, - 1927029069940982, 1189913404498011 -#else - 29370903, 27500434, 7334070, 18212173, 9385286, 2247707, - 53446902, 28714970, 30007387, 17731091 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1079559557592645, 2215338383666441, 1903569501302605, - 49033973033940, 305703433934152 -#else - 66172485, 16086690, 23751945, 33011114, 65941325, 28365395, - 9137108, 730663, 9835848, 4555336 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 94653405416909, 1386121349852999, 1062130477891762, - 36553947479274, 833669648948846 -#else - 43732429, 1410445, 44855111, 20654817, 30867634, 15826977, - 17693930, 544696, 55123566, 12422645 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1432015813136298, 440364795295369, 1395647062821501, - 1976874522764578, 934452372723352 -#else - 31117226, 21338698, 53606025, 6561946, 57231997, 20796761, - 61990178, 29457725, 29120152, 13924425 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1296625309219774, 2068273464883862, 1858621048097805, - 1492281814208508, 2235868981918946 -#else - 49707966, 19321222, 19675798, 30819676, 56101901, 27695611, - 57724924, 22236731, 7240930, 33317044 -#endif - }}, - }, - { - 
{{ -#if defined(OPENSSL_64_BIT) - 1490330266465570, 1858795661361448, 1436241134969763, - 294573218899647, 1208140011028933 -#else - 35747106, 22207651, 52101416, 27698213, 44655523, 21401660, - 1222335, 4389483, 3293637, 18002689 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1282462923712748, 741885683986255, 2027754642827561, - 518989529541027, 1826610009555945 -#else - 50424044, 19110186, 11038543, 11054958, 53307689, 30215898, - 42789283, 7733546, 12796905, 27218610 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1525827120027511, 723686461809551, 1597702369236987, - 244802101764964, 1502833890372311 -#else - 58349431, 22736595, 41689999, 10783768, 36493307, 23807620, - 38855524, 3647835, 3222231, 22393970 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 113622036244513, 1233740067745854, 674109952278496, - 2114345180342965, 166764512856263 -#else - 18606113, 1693100, 41660478, 18384159, 4112352, 10045021, - 23603893, 31506198, 59558087, 2484984 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2041668749310338, 2184405322203901, 1633400637611036, - 2110682505536899, 2048144390084644 -#else - 9255298, 30423235, 54952701, 32550175, 13098012, 24339566, - 16377219, 31451620, 47306788, 30519729 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 503058759232932, 760293024620937, 2027152777219493, - 666858468148475, 1539184379870952 -#else - 44379556, 7496159, 61366665, 11329248, 19991973, 30206930, - 35390715, 9936965, 37011176, 22935634 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1916168475367211, 915626432541343, 883217071712575, - 363427871374304, 1976029821251593 -#else - 21878571, 28553135, 4338335, 13643897, 64071999, 13160959, - 19708896, 5415497, 59748361, 29445138 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 678039535434506, 570587290189340, 1605302676614120, - 2147762562875701, 1706063797091704 -#else - 27736842, 10103576, 12500508, 8502413, 63695848, 23920873, - 10436917, 32004156, 43449720, 25422331 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 1439489648586438, 2194580753290951, 832380563557396, - 561521973970522, 584497280718389 -#else - 19492550, 21450067, 37426887, 32701801, 63900692, 12403436, - 30066266, 8367329, 13243957, 8709688 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 187989455492609, 681223515948275, 1933493571072456, - 1872921007304880, 488162364135671 -#else - 12015105, 2801261, 28198131, 10151021, 24818120, 28811299, - 55914672, 27908697, 5150967, 7274186 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1413466089534451, 410844090765630, 1397263346404072, - 408227143123410, 1594561803147811 -#else - 2831347, 21062286, 1478974, 6122054, 23825128, 20820846, - 31097298, 6083058, 31021603, 23760822 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2102170800973153, 719462588665004, 1479649438510153, - 1097529543970028, 1302363283777685 -#else - 64578913, 31324785, 445612, 10720828, 53259337, 22048494, - 43601132, 16354464, 15067285, 19406725 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 942065717847195, 1069313679352961, 2007341951411051, - 70973416446291, 1419433790163706 -#else - 7840923, 14037873, 33744001, 15934015, 66380651, 29911725, - 21403987, 1057586, 47729402, 21151211 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1146565545556377, 1661971299445212, 406681704748893, - 564452436406089, 1109109865829139 -#else - 915865, 17085158, 15608284, 24765302, 42751837, 6060029, - 49737545, 8410996, 59888403, 16527024 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2214421081775077, 1165671861210569, 1890453018796184, - 3556249878661, 442116172656317 -#else - 32922597, 32997445, 20336073, 17369864, 10903704, 28169945, - 16957573, 52992, 23834301, 6588044 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 753830546620811, 1666955059895019, 1530775289309243, - 1119987029104146, 2164156153857580 -#else - 32752011, 11232950, 3381995, 24839566, 22652987, 22810329, - 17159698, 16689107, 46794284, 32248439 -#endif - }}, - 
{{ -#if defined(OPENSSL_64_BIT) - 615171919212796, 1523849404854568, 854560460547503, - 2067097370290715, 1765325848586042 -#else - 62419196, 9166775, 41398568, 22707125, 11576751, 12733943, - 7924251, 30802151, 1976122, 26305405 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1094538949313667, 1796592198908825, 870221004284388, - 2025558921863561, 1699010892802384 -#else - 21251203, 16309901, 64125849, 26771309, 30810596, 12967303, - 156041, 30183180, 12331344, 25317235 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1951351290725195, 1916457206844795, 198025184438026, - 1909076887557595, 1938542290318919 -#else - 8651595, 29077400, 51023227, 28557437, 13002506, 2950805, - 29054427, 28447462, 10008135, 28886531 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1014323197538413, 869150639940606, 1756009942696599, - 1334952557375672, 1544945379082874 -#else - 31486061, 15114593, 52847614, 12951353, 14369431, 26166587, - 16347320, 19892343, 8684154, 23021480 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 764055910920305, 1603590757375439, 146805246592357, - 1843313433854297, 954279890114939 -#else - 19443825, 11385320, 24468943, 23895364, 43189605, 2187568, - 40845657, 27467510, 31316347, 14219878 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 80113526615750, 764536758732259, 1055139345100233, - 469252651759390, 617897512431515 -#else - 38514374, 1193784, 32245219, 11392485, 31092169, 15722801, - 27146014, 6992409, 29126555, 9207390 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 74497112547268, 740094153192149, 1745254631717581, - 727713886503130, 1283034364416928 -#else - 32382916, 1110093, 18477781, 11028262, 39697101, 26006320, - 62128346, 10843781, 59151264, 19118701 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 525892105991110, 1723776830270342, 1476444848991936, - 573789489857760, 133864092632978 -#else - 2814918, 7836403, 27519878, 25686276, 46214848, 22000742, - 45614304, 8550129, 28346258, 1994730 -#endif - }}, - }, - { - 
{{ -#if defined(OPENSSL_64_BIT) - 542611720192581, 1986812262899321, 1162535242465837, - 481498966143464, 544600533583622 -#else - 47530565, 8085544, 53108345, 29605809, 2785837, 17323125, - 47591912, 7174893, 22628102, 8115180 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 64123227344372, 1239927720647794, 1360722983445904, - 222610813654661, 62429487187991 -#else - 36703732, 955510, 55975026, 18476362, 34661776, 20276352, - 41457285, 3317159, 57165847, 930271 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1793193323953132, 91096687857833, 70945970938921, - 2158587638946380, 1537042406482111 -#else - 51805164, 26720662, 28856489, 1357446, 23421993, 1057177, - 24091212, 32165462, 44343487, 22903716 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1895854577604609, 1394895708949416, 1728548428495944, - 1140864900240149, 563645333603061 -#else - 44357633, 28250434, 54201256, 20785565, 51297352, 25757378, - 52269845, 17000211, 65241845, 8398969 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 141358280486863, 91435889572504, 1087208572552643, - 1829599652522921, 1193307020643647 -#else - 35139535, 2106402, 62372504, 1362500, 12813763, 16200670, - 22981545, 27263159, 18009407, 17781660 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1611230858525381, 950720175540785, 499589887488610, - 2001656988495019, 88977313255908 -#else - 49887941, 24009210, 39324209, 14166834, 29815394, 7444469, - 29551787, 29827013, 19288548, 1325865 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1189080501479658, 2184348804772597, 1040818725742319, - 2018318290311834, 1712060030915354 -#else - 15100138, 17718680, 43184885, 32549333, 40658671, 15509407, - 12376730, 30075286, 33166106, 25511682 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 873966876953756, 1090638350350440, 1708559325189137, - 672344594801910, 1320437969700239 -#else - 20909212, 13023121, 57899112, 16251777, 61330449, 25459517, - 12412150, 10018715, 2213263, 19676059 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1508590048271766, 1131769479776094, 101550868699323, - 428297785557897, 561791648661744 -#else - 32529814, 22479743, 30361438, 16864679, 57972923, 1513225, - 22922121, 6382134, 61341936, 8371347 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 756417570499462, 237882279232602, 2136263418594016, - 1701968045454886, 703713185137472 -#else - 9923462, 11271500, 12616794, 3544722, 37110496, 31832805, - 12891686, 25361300, 40665920, 10486143 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1781187809325462, 1697624151492346, 1381393690939988, - 175194132284669, 1483054666415238 -#else - 44511638, 26541766, 8587002, 25296571, 4084308, 20584370, - 361725, 2610596, 43187334, 22099236 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2175517777364616, 708781536456029, 955668231122942, - 1967557500069555, 2021208005604118 -#else - 5408392, 32417741, 62139741, 10561667, 24145918, 14240566, - 31319731, 29318891, 19985174, 30118346 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1115135966606887, 224217372950782, 915967306279222, - 593866251291540, 561747094208006 -#else - 53114407, 16616820, 14549246, 3341099, 32155958, 13648976, - 49531796, 8849296, 65030, 8370684 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1443163092879439, 391875531646162, 2180847134654632, - 464538543018753, 1594098196837178 -#else - 58787919, 21504805, 31204562, 5839400, 46481576, 32497154, - 47665921, 6922163, 12743482, 23753914 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 850858855888869, 319436476624586, 327807784938441, - 740785849558761, 17128415486016 -#else - 64747493, 12678784, 28815050, 4759974, 43215817, 4884716, - 23783145, 11038569, 18800704, 255233 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2132756334090067, 536247820155645, 48907151276867, - 608473197600695, 1261689545022784 -#else - 61839187, 31780545, 13957885, 7990715, 23132995, 728773, - 13393847, 9066957, 19258688, 18800639 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1525176236978354, 974205476721062, 293436255662638, - 148269621098039, 137961998433963 -#else - 64172210, 22726896, 56676774, 14516792, 63468078, 4372540, - 35173943, 2209389, 65584811, 2055793 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1121075518299410, 2071745529082111, 1265567917414828, - 1648196578317805, 496232102750820 -#else - 580882, 16705327, 5468415, 30871414, 36182444, 18858431, - 59905517, 24560042, 37087844, 7394434 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 122321229299801, 1022922077493685, 2001275453369484, - 2017441881607947, 993205880778002 -#else - 23838809, 1822728, 51370421, 15242726, 8318092, 29821328, - 45436683, 30062226, 62287122, 14799920 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 654925550560074, 1168810995576858, 575655959430926, - 905758704861388, 496774564663534 -#else - 13345610, 9759151, 3371034, 17416641, 16353038, 8577942, - 31129804, 13496856, 58052846, 7402517 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1954109525779738, 2117022646152485, 338102630417180, - 1194140505732026, 107881734943492 -#else - 2286874, 29118501, 47066405, 31546095, 53412636, 5038121, - 11006906, 17794080, 8205060, 1607563 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1714785840001267, 2036500018681589, 1876380234251966, - 2056717182974196, 1645855254384642 -#else - 14414067, 25552300, 3331829, 30346215, 22249150, 27960244, - 18364660, 30647474, 30019586, 24525154 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 106431476499341, 62482972120563, 1513446655109411, - 807258751769522, 538491469114 -#else - 39420813, 1585952, 56333811, 931068, 37988643, 22552112, - 52698034, 12029092, 9944378, 8024 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2002850762893643, 1243624520538135, 1486040410574605, - 2184752338181213, 378495998083531 -#else - 4368715, 29844802, 29874199, 18531449, 46878477, 22143727, - 50994269, 32555346, 58966475, 5640029 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 922510868424903, 1089502620807680, 402544072617374, - 1131446598479839, 1290278588136533 -#else - 10299591, 13746483, 11661824, 16234854, 7630238, 5998374, - 9809887, 16859868, 15219797, 19226649 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1867998812076769, 715425053580701, 39968586461416, - 2173068014586163, 653822651801304 -#else - 27425505, 27835351, 3055005, 10660664, 23458024, 595578, - 51710259, 32381236, 48766680, 9742716 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 162892278589453, 182585796682149, 75093073137630, - 497037941226502, 133871727117371 -#else - 6744077, 2427284, 26042789, 2720740, 66260958, 1118973, - 32324614, 7406442, 12420155, 1994844 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1914596576579670, 1608999621851578, 1987629837704609, - 1519655314857977, 1819193753409464 -#else - 14012502, 28529712, 48724410, 23975962, 40623521, 29617992, - 54075385, 22644628, 24319928, 27108099 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1949315551096831, 1069003344994464, 1939165033499916, - 1548227205730856, 1933767655861407 -#else - 16412671, 29047065, 10772640, 15929391, 50040076, 28895810, - 10555944, 23070383, 37006495, 28815383 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1730519386931635, 1393284965610134, 1597143735726030, - 416032382447158, 1429665248828629 -#else - 22397363, 25786748, 57815702, 20761563, 17166286, 23799296, - 39775798, 6199365, 21880021, 21303672 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 360275475604565, 547835731063078, 215360904187529, - 596646739879007, 332709650425085 -#else - 62825557, 5368522, 35991846, 8163388, 36785801, 3209127, - 16557151, 8890729, 8840445, 4957760 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 47602113726801, 1522314509708010, 437706261372925, - 814035330438027, 335930650933545 -#else - 51661137, 709326, 60189418, 22684253, 37330941, 6522331, - 45388683, 12130071, 52312361, 5005756 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1291597595523886, 1058020588994081, 402837842324045, - 1363323695882781, 2105763393033193 -#else - 64994094, 19246303, 23019041, 15765735, 41839181, 6002751, - 10183197, 20315106, 50713577, 31378319 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 109521982566564, 1715257748585139, 1112231216891516, - 2046641005101484, 134249157157013 -#else - 48083108, 1632004, 13466291, 25559332, 43468412, 16573536, - 35094956, 30497327, 22208661, 2000468 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2156991030936798, 2227544497153325, 1869050094431622, - 754875860479115, 1754242344267058 -#else - 3065054, 32141671, 41510189, 33192999, 49425798, 27851016, - 58944651, 11248526, 63417650, 26140247 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1846089562873800, 98894784984326, 1412430299204844, - 171351226625762, 1100604760929008 -#else - 10379208, 27508878, 8877318, 1473647, 37817580, 21046851, - 16690914, 2553332, 63976176, 16400288 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 84172382130492, 499710970700046, 425749630620778, - 1762872794206857, 612842602127960 -#else - 15716668, 1254266, 48636174, 7446273, 58659946, 6344163, - 45011593, 26268851, 26894936, 9132066 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 868309334532756, 1703010512741873, 1952690008738057, - 4325269926064, 2071083554962116 -#else - 24158868, 12938817, 11085297, 25376834, 39045385, 29097348, - 36532400, 64451, 60291780, 30861549 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 523094549451158, 401938899487815, 1407690589076010, - 2022387426254453, 158660516411257 -#else - 13488534, 7794716, 22236231, 5989356, 25426474, 20976224, - 2350709, 30135921, 62420857, 2364225 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 612867287630009, 448212612103814, 571629077419196, - 1466796750919376, 1728478129663858 -#else - 16335033, 9132434, 25640582, 6678888, 1725628, 8517937, - 55301840, 21856974, 15445874, 25756331 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1723848973783452, 2208822520534681, 1718748322776940, - 1974268454121942, 1194212502258141 -#else - 29004188, 25687351, 28661401, 32914020, 54314860, 25611345, - 31863254, 29418892, 66830813, 17795152 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1254114807944608, 977770684047110, 2010756238954993, - 1783628927194099, 1525962994408256 -#else - 60986784, 18687766, 38493958, 14569918, 56250865, 29962602, - 10343411, 26578142, 37280576, 22738620 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 232464058235826, 1948628555342434, 1835348780427694, - 1031609499437291, 64472106918373 -#else - 27081650, 3463984, 14099042, 29036828, 1616302, 27348828, - 29542635, 15372179, 17293797, 960709 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 767338676040683, 754089548318405, 1523192045639075, - 435746025122062, 512692508440385 -#else - 20263915, 11434237, 61343429, 11236809, 13505955, 22697330, - 50997518, 6493121, 47724353, 7639713 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1255955808701983, 1700487367990941, 1166401238800299, - 1175121994891534, 1190934801395380 -#else - 64278047, 18715199, 25403037, 25339236, 58791851, 17380732, - 18006286, 17510682, 29994676, 17746311 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 349144008168292, 1337012557669162, 1475912332999108, - 1321618454900458, 47611291904320 -#else - 9769828, 5202651, 42951466, 19923039, 39057860, 21992807, - 42495722, 19693649, 35924288, 709463 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 877519947135419, 2172838026132651, 272304391224129, - 1655143327559984, 886229406429814 -#else - 12286395, 13076066, 45333675, 32377809, 42105665, 4057651, - 35090736, 24663557, 16102006, 13205847 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 375806028254706, 214463229793940, 572906353144089, - 572168269875638, 697556386112979 -#else - 13733362, 5599946, 10557076, 3195751, 61550873, 8536969, - 41568694, 8525971, 10151379, 10394400 -#endif - }}, - }, - { - {{ 
-#if defined(OPENSSL_64_BIT) - 1168827102357844, 823864273033637, 2071538752104697, - 788062026895924, 599578340743362 -#else - 4024660, 17416881, 22436261, 12276534, 58009849, 30868332, - 19698228, 11743039, 33806530, 8934413 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1948116082078088, 2054898304487796, 2204939184983900, - 210526805152138, 786593586607626 -#else - 51229064, 29029191, 58528116, 30620370, 14634844, 32856154, - 57659786, 3137093, 55571978, 11721157 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1915320147894736, 156481169009469, 655050471180417, - 592917090415421, 2165897438660879 -#else - 17555920, 28540494, 8268605, 2331751, 44370049, 9761012, - 9319229, 8835153, 57903375, 32274386 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1726336468579724, 1119932070398949, 1929199510967666, - 33918788322959, 1836837863503150 -#else - 66647436, 25724417, 20614117, 16688288, 59594098, 28747312, - 22300303, 505429, 6108462, 27371017 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 829996854845988, 217061778005138, 1686565909803640, - 1346948817219846, 1723823550730181 -#else - 62038564, 12367916, 36445330, 3234472, 32617080, 25131790, - 29880582, 20071101, 40210373, 25686972 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 384301494966394, 687038900403062, 2211195391021739, - 254684538421383, 1245698430589680 -#else - 35133562, 5726538, 26934134, 10237677, 63935147, 32949378, - 24199303, 3795095, 7592688, 18562353 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1247567493562688, 1978182094455847, 183871474792955, - 806570235643435, 288461518067916 -#else - 21594432, 18590204, 17466407, 29477210, 32537083, 2739898, - 6407723, 12018833, 38852812, 4298411 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1449077384734201, 38285445457996, 2136537659177832, - 2146493000841573, 725161151123125 -#else - 46458361, 21592935, 39872588, 570497, 3767144, 31836892, - 13891941, 31985238, 13717173, 10805743 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1201928866368855, 800415690605445, 1703146756828343, - 997278587541744, 1858284414104014 -#else - 52432215, 17910135, 15287173, 11927123, 24177847, 25378864, - 66312432, 14860608, 40169934, 27690595 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 356468809648877, 782373916933152, 1718002439402870, - 1392222252219254, 663171266061951 -#else - 12962541, 5311799, 57048096, 11658279, 18855286, 25600231, - 13286262, 20745728, 62727807, 9882021 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 759628738230460, 1012693474275852, 353780233086498, - 246080061387552, 2030378857679162 -#else - 18512060, 11319350, 46985740, 15090308, 18818594, 5271736, - 44380960, 3666878, 43141434, 30255002 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2040672435071076, 888593182036908, 1298443657189359, - 1804780278521327, 354070726137060 -#else - 60319844, 30408388, 16192428, 13241070, 15898607, 19348318, - 57023983, 26893321, 64705764, 5276064 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1894938527423184, 1463213041477277, 474410505497651, - 247294963033299, 877975941029128 -#else - 30169808, 28236784, 26306205, 21803573, 27814963, 7069267, - 7152851, 3684982, 1449224, 13082861 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 207937160991127, 12966911039119, 820997788283092, - 1010440472205286, 1701372890140810 -#else - 10342807, 3098505, 2119311, 193222, 25702612, 12233820, - 23697382, 15056736, 46092426, 25352431 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 218882774543183, 533427444716285, 1233243976733245, - 435054256891319, 1509568989549904 -#else - 33958735, 3261607, 22745853, 7948688, 19370557, 18376767, - 40936887, 6482813, 56808784, 22494330 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1888838535711826, 1052177758340622, 1213553803324135, - 169182009127332, 463374268115872 -#else - 32869458, 28145887, 25609742, 15678670, 56421095, 18083360, - 26112420, 2521008, 44444576, 6904814 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 299137589460312, 1594371588983567, 868058494039073, - 257771590636681, 1805012993142921 -#else - 29506904, 4457497, 3377935, 23757988, 36598817, 12935079, - 1561737, 3841096, 38105225, 26896789 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1806842755664364, 2098896946025095, 1356630998422878, - 1458279806348064, 347755825962072 -#else - 10340844, 26924055, 48452231, 31276001, 12621150, 20215377, - 30878496, 21730062, 41524312, 5181965 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1402334161391744, 1560083671046299, 1008585416617747, - 1147797150908892, 1420416683642459 -#else - 25940096, 20896407, 17324187, 23247058, 58437395, 15029093, - 24396252, 17103510, 64786011, 21165857 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 665506704253369, 273770475169863, 799236974202630, - 848328990077558, 1811448782807931 -#else - 45343161, 9916822, 65808455, 4079497, 66080518, 11909558, - 1782390, 12641087, 20603771, 26992690 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1468412523962641, 771866649897997, 1931766110147832, - 799561180078482, 524837559150077 -#else - 48226577, 21881051, 24849421, 11501709, 13161720, 28785558, - 1925522, 11914390, 4662781, 7820689 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2223212657821850, 630416247363666, 2144451165500328, - 816911130947791, 1024351058410032 -#else - 12241050, 33128450, 8132690, 9393934, 32846760, 31954812, - 29749455, 12172924, 16136752, 15264020 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1266603897524861, 156378408858100, 1275649024228779, - 447738405888420, 253186462063095 -#else - 56758909, 18873868, 58896884, 2330219, 49446315, 19008651, - 10658212, 6671822, 19012087, 3772772 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2022215964509735, 136144366993649, 1800716593296582, - 1193970603800203, 871675847064218 -#else - 3753511, 30133366, 10617073, 2028709, 14841030, 26832768, - 28718731, 17791548, 20527770, 12988982 -#endif - }}, - }, - { - {{ 
-#if defined(OPENSSL_64_BIT) - 1862751661970328, 851596246739884, 1519315554814041, - 1542798466547449, 1417975335901520 -#else - 52286360, 27757162, 63400876, 12689772, 66209881, 22639565, - 42925817, 22989488, 3299664, 21129479 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1228168094547481, 334133883362894, 587567568420081, - 433612590281181, 603390400373205 -#else - 50331161, 18301130, 57466446, 4978982, 3308785, 8755439, - 6943197, 6461331, 41525717, 8991217 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 121893973206505, 1843345804916664, 1703118377384911, - 497810164760654, 101150811654673 -#else - 49882601, 1816361, 65435576, 27467992, 31783887, 25378441, - 34160718, 7417949, 36866577, 1507264 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 458346255946468, 290909935619344, 1452768413850679, - 550922875254215, 1537286854336538 -#else - 29692644, 6829891, 56610064, 4334895, 20945975, 21647936, - 38221255, 8209390, 14606362, 22907359 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 584322311184395, 380661238802118, 114839394528060, - 655082270500073, 2111856026034852 -#else - 63627275, 8707080, 32188102, 5672294, 22096700, 1711240, - 34088169, 9761486, 4170404, 31469107 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 996965581008991, 2148998626477022, 1012273164934654, - 1073876063914522, 1688031788934939 -#else - 55521375, 14855944, 62981086, 32022574, 40459774, 15084045, - 22186522, 16002000, 52832027, 25153633 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 923487018849600, 2085106799623355, 528082801620136, - 1606206360876188, 735907091712524 -#else - 62297408, 13761028, 35404987, 31070512, 63796392, 7869046, - 59995292, 23934339, 13240844, 10965870 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1697697887804317, 1335343703828273, 831288615207040, - 949416685250051, 288760277392022 -#else - 59366301, 25297669, 52340529, 19898171, 43876480, 12387165, - 4498947, 14147411, 29514390, 4302863 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1419122478109648, 1325574567803701, 602393874111094, - 2107893372601700, 1314159682671307 -#else - 53695440, 21146572, 20757301, 19752600, 14785142, 8976368, - 62047588, 31410058, 17846987, 19582505 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 2201150872731804, 2180241023425241, 97663456423163, - 1633405770247824, 848945042443986 -#else - 64864412, 32799703, 62511833, 32488122, 60861691, 1455298, - 45461136, 24339642, 61886162, 12650266 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1173339555550611, 818605084277583, 47521504364289, - 924108720564965, 735423405754506 -#else - 57202067, 17484121, 21134159, 12198166, 40044289, 708125, - 387813, 13770293, 47974538, 10958662 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 830104860549448, 1886653193241086, 1600929509383773, - 1475051275443631, 286679780900937 -#else - 22470984, 12369526, 23446014, 28113323, 45588061, 23855708, - 55336367, 21979976, 42025033, 4271861 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1577111294832995, 1030899169768747, 144900916293530, - 1964672592979567, 568390100955250 -#else - 41939299, 23500789, 47199531, 15361594, 61124506, 2159191, - 75375, 29275903, 34582642, 8469672 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 278388655910247, 487143369099838, 927762205508727, - 181017540174210, 1616886700741287 -#else - 15854951, 4148314, 58214974, 7259001, 11666551, 13824734, - 36577666, 2697371, 24154791, 24093489 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1191033906638969, 940823957346562, 1606870843663445, - 861684761499847, 658674867251089 -#else - 15446137, 17747788, 29759746, 14019369, 30811221, 23944241, - 35526855, 12840103, 24913809, 9815020 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1875032594195546, 1427106132796197, 724736390962158, - 901860512044740, 635268497268760 -#else - 62399578, 27940162, 35267365, 21265538, 52665326, 10799413, - 58005188, 13438768, 18735128, 9466238 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 622869792298357, 1903919278950367, 1922588621661629, - 1520574711600434, 1087100760174640 -#else - 11933045, 9281483, 5081055, 28370608, 64480701, 28648802, - 59381042, 22658328, 44380208, 16199063 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 25465949416618, 1693639527318811, 1526153382657203, - 125943137857169, 145276964043999 -#else - 14576810, 379472, 40322331, 25237195, 37682355, 22741457, - 67006097, 1876698, 30801119, 2164795 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 214739857969358, 920212862967915, 1939901550972269, - 1211862791775221, 85097515720120 -#else - 15995086, 3199873, 13672555, 13712240, 47730029, 28906785, - 54027253, 18058162, 53616056, 1268051 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2006245852772938, 734762734836159, 254642929763427, - 1406213292755966, 239303749517686 -#else - 56818250, 29895392, 63822271, 10948817, 23037027, 3794475, - 63638526, 20954210, 50053494, 3565903 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1619678837192149, 1919424032779215, 1357391272956794, - 1525634040073113, 1310226789796241 -#else - 29210069, 24135095, 61189071, 28601646, 10834810, 20226706, - 50596761, 22733718, 39946641, 19523900 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1040763709762123, 1704449869235352, 605263070456329, - 1998838089036355, 1312142911487502 -#else - 53946955, 15508587, 16663704, 25398282, 38758921, 9019122, - 37925443, 29785008, 2244110, 19552453 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1996723311435669, 1844342766567060, 985455700466044, - 1165924681400960, 311508689870129 -#else - 61955989, 29753495, 57802388, 27482848, 16243068, 14684434, - 41435776, 17373631, 13491505, 4641841 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 43173156290518, 2202883069785309, 1137787467085917, - 1733636061944606, 1394992037553852 -#else - 10813398, 643330, 47920349, 32825515, 30292061, 16954354, - 27548446, 25833190, 14476988, 20787001 -#endif - }}, - }, - { - 
{{ -#if defined(OPENSSL_64_BIT) - 670078326344559, 555655025059356, 471959386282438, - 2141455487356409, 849015953823125 -#else - 10292079, 9984945, 6481436, 8279905, 59857350, 7032742, - 27282937, 31910173, 39196053, 12651323 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2197214573372804, 794254097241315, 1030190060513737, - 267632515541902, 2040478049202624 -#else - 35923332, 32741048, 22271203, 11835308, 10201545, 15351028, - 17099662, 3988035, 21721536, 30405492 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1812516004670529, 1609256702920783, 1706897079364493, - 258549904773295, 996051247540686 -#else - 10202177, 27008593, 35735631, 23979793, 34958221, 25434748, - 54202543, 3852693, 13216206, 14842320 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1540374301420584, 1764656898914615, 1810104162020396, - 923808779163088, 664390074196579 -#else - 51293224, 22953365, 60569911, 26295436, 60124204, 26972653, - 35608016, 13765823, 39674467, 9900183 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1323460699404750, 1262690757880991, 871777133477900, - 1060078894988977, 1712236889662886 -#else - 14465486, 19721101, 34974879, 18815558, 39665676, 12990491, - 33046193, 15796406, 60056998, 25514317 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1696163952057966, 1391710137550823, 608793846867416, - 1034391509472039, 1780770894075012 -#else - 30924398, 25274812, 6359015, 20738097, 16508376, 9071735, - 41620263, 15413634, 9524356, 26535554 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1367603834210841, 2131988646583224, 890353773628144, - 1908908219165595, 270836895252891 -#else - 12274201, 20378885, 32627640, 31769106, 6736624, 13267305, - 5237659, 28444949, 15663515, 4035784 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 597536315471731, 40375058742586, 1942256403956049, - 1185484645495932, 312666282024145 -#else - 64157555, 8903984, 17349946, 601635, 50676049, 28941875, - 53376124, 17665097, 44850385, 4659090 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1919411405316294, 1234508526402192, 1066863051997083, - 1008444703737597, 1348810787701552 -#else - 50192582, 28601458, 36715152, 18395610, 20774811, 15897498, - 5736189, 15026997, 64930608, 20098846 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 2102881477513865, 1570274565945361, 1573617900503708, - 18662635732583, 2232324307922098 -#else - 58249865, 31335375, 28571665, 23398914, 66634396, 23448733, - 63307367, 278094, 23440562, 33264224 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1853931367696942, 8107973870707, 350214504129299, - 775206934582587, 1752317649166792 -#else - 10226222, 27625730, 15139955, 120818, 52241171, 5218602, - 32937275, 11551483, 50536904, 26111567 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1417148368003523, 721357181628282, 505725498207811, - 373232277872983, 261634707184480 -#else - 17932739, 21117156, 43069306, 10749059, 11316803, 7535897, - 22503767, 5561594, 63462240, 3898660 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2186733281493267, 2250694917008620, 1014829812957440, - 479998161452389, 83566193876474 -#else - 7749907, 32584865, 50769132, 33537967, 42090752, 15122142, - 65535333, 7152529, 21831162, 1245233 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1268116367301224, 560157088142809, 802626839600444, - 2210189936605713, 1129993785579988 -#else - 26958440, 18896406, 4314585, 8346991, 61431100, 11960071, - 34519569, 32934396, 36706772, 16838219 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 615183387352312, 917611676109240, 878893615973325, - 978940963313282, 938686890583575 -#else - 54942968, 9166946, 33491384, 13673479, 29787085, 13096535, - 6280834, 14587357, 44770839, 13987524 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 522024729211672, 1045059315315808, 1892245413707790, - 1907891107684253, 2059998109500714 -#else - 42758936, 7778774, 21116000, 15572597, 62275598, 28196653, - 62807965, 28429792, 59639082, 30696363 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 1799679152208884, 912132775900387, 25967768040979, - 432130448590461, 274568990261996 -#else - 9681908, 26817309, 35157219, 13591837, 60225043, 386949, - 31622781, 6439245, 52527852, 4091396 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 98698809797682, 2144627600856209, 1907959298569602, - 811491302610148, 1262481774981493 -#else - 58682418, 1470726, 38999185, 31957441, 3978626, 28430809, - 47486180, 12092162, 29077877, 18812444 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1791451399743152, 1713538728337276, 118349997257490, - 1882306388849954, 158235232210248 -#else - 5269168, 26694706, 53878652, 25533716, 25932562, 1763552, - 61502754, 28048550, 47091016, 2357888 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1217809823321928, 2173947284933160, 1986927836272325, - 1388114931125539, 12686131160169 -#else - 32264008, 18146780, 61721128, 32394338, 65017541, 29607531, - 23104803, 20684524, 5727337, 189038 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1650875518872272, 1136263858253897, 1732115601395988, - 734312880662190, 1252904681142109 -#else - 14609104, 24599962, 61108297, 16931650, 52531476, 25810533, - 40363694, 10942114, 41219933, 18669734 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 372986456113865, 525430915458171, 2116279931702135, - 501422713587815, 1907002872974925 -#else - 20513481, 5557931, 51504251, 7829530, 26413943, 31535028, - 45729895, 7471780, 13913677, 28416557 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 803147181835288, 868941437997146, 316299302989663, - 943495589630550, 571224287904572 -#else - 41534488, 11967825, 29233242, 12948236, 60354399, 4713226, - 58167894, 14059179, 12878652, 8511905 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 227742695588364, 1776969298667369, 628602552821802, - 457210915378118, 2041906378111140 -#else - 41452044, 3393630, 64153449, 26478905, 64858154, 9366907, - 36885446, 6812973, 5568676, 30426776 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 815000523470260, 913085688728307, 1052060118271173, - 1345536665214223, 541623413135555 -#else - 11630004, 12144454, 2116339, 13606037, 27378885, 15676917, - 49700111, 20050058, 52713667, 8070817 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1580216071604333, 1877997504342444, 857147161260913, - 703522726778478, 2182763974211603 -#else - 27117677, 23547054, 35826092, 27984343, 1127281, 12772488, - 37262958, 10483305, 55556115, 32525717 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1870080310923419, 71988220958492, 1783225432016732, - 615915287105016, 1035570475990230 -#else - 10637467, 27866368, 5674780, 1072708, 40765276, 26572129, - 65424888, 9177852, 39615702, 15431202 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 730987750830150, 857613889540280, 1083813157271766, - 1002817255970169, 1719228484436074 -#else - 20525126, 10892566, 54366392, 12779442, 37615830, 16150074, - 38868345, 14943141, 52052074, 25618500 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 377616581647602, 1581980403078513, 804044118130621, - 2034382823044191, 643844048472185 -#else - 37084402, 5626925, 66557297, 23573344, 753597, 11981191, - 25244767, 30314666, 63752313, 9594023 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 176957326463017, 1573744060478586, 528642225008045, - 1816109618372371, 1515140189765006 -#else - 43356201, 2636869, 61944954, 23450613, 585133, 7877383, - 11345683, 27062142, 13352334, 22577348 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1888911448245718, 1387110895611080, 1924503794066429, - 1731539523700949, 2230378382645454 -#else - 65177046, 28146973, 3304648, 20669563, 17015805, 28677341, - 37325013, 25801949, 53893326, 33235227 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 443392177002051, 233793396845137, 2199506622312416, - 1011858706515937, 974676837063129 -#else - 20239939, 6607058, 6203985, 3483793, 48721888, 32775202, - 46385121, 15077869, 44358105, 14523816 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1846351103143623, 1949984838808427, 671247021915253, - 1946756846184401, 1929296930380217 -#else - 27406023, 27512775, 27423595, 29057038, 4996213, 10002360, - 38266833, 29008937, 36936121, 28748764 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 849646212452002, 1410198775302919, 73767886183695, - 1641663456615812, 762256272452411 -#else - 11374242, 12660715, 17861383, 21013599, 10935567, 1099227, - 53222788, 24462691, 39381819, 11358503 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 692017667358279, 723305578826727, 1638042139863265, - 748219305990306, 334589200523901 -#else - 54378055, 10311866, 1510375, 10778093, 64989409, 24408729, - 32676002, 11149336, 40985213, 4985767 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 22893968530686, 2235758574399251, 1661465835630252, - 925707319443452, 1203475116966621 -#else - 48012542, 341146, 60911379, 33315398, 15756972, 24757770, - 66125820, 13794113, 47694557, 17933176 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 801299035785166, 1733292596726131, 1664508947088596, - 467749120991922, 1647498584535623 -#else - 6490062, 11940286, 25495923, 25828072, 8668372, 24803116, - 3367602, 6970005, 65417799, 24549641 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 903105258014366, 427141894933047, 561187017169777, - 1884330244401954, 1914145708422219 -#else - 1656478, 13457317, 15370807, 6364910, 13605745, 8362338, - 47934242, 28078708, 50312267, 28522993 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1344191060517578, 1960935031767890, 1518838929955259, - 1781502350597190, 1564784025565682 -#else - 44835530, 20030007, 67044178, 29220208, 48503227, 22632463, - 46537798, 26546453, 67009010, 23317098 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 673723351748086, 1979969272514923, 1175287312495508, - 1187589090978666, 1881897672213940 -#else - 17747446, 10039260, 19368299, 29503841, 46478228, 17513145, - 31992682, 17696456, 37848500, 28042460 -#endif - 
}}, - {{ -#if defined(OPENSSL_64_BIT) - 1917185587363432, 1098342571752737, 5935801044414, - 2000527662351839, 1538640296181569 -#else - 31932008, 28568291, 47496481, 16366579, 22023614, 88450, - 11371999, 29810185, 4882241, 22927527 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2495540013192, 678856913479236, 224998292422872, - 219635787698590, 1972465269000940 -#else - 29796488, 37186, 19818052, 10115756, 55279832, 3352735, - 18551198, 3272828, 61917932, 29392022 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 271413961212179, 1353052061471651, 344711291283483, - 2014925838520662, 2006221033113941 -#else - 12501267, 4044383, 58495907, 20162046, 34678811, 5136598, - 47878486, 30024734, 330069, 29895023 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 194583029968109, 514316781467765, 829677956235672, - 1676415686873082, 810104584395840 -#else - 6384877, 2899513, 17807477, 7663917, 64749976, 12363164, - 25366522, 24980540, 66837568, 12071498 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1980510813313589, 1948645276483975, 152063780665900, - 129968026417582, 256984195613935 -#else - 58743349, 29511910, 25133447, 29037077, 60897836, 2265926, - 34339246, 1936674, 61949167, 3829362 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1860190562533102, 1936576191345085, 461100292705964, - 1811043097042830, 957486749306835 -#else - 28425966, 27718999, 66531773, 28857233, 52891308, 6870929, - 7921550, 26986645, 26333139, 14267664 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 796664815624365, 1543160838872951, 1500897791837765, - 1667315977988401, 599303877030711 -#else - 56041645, 11871230, 27385719, 22994888, 62522949, 22365119, - 10004785, 24844944, 45347639, 8930323 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1151480509533204, 2136010406720455, 738796060240027, - 319298003765044, 1150614464349587 -#else - 45911060, 17158396, 25654215, 31829035, 12282011, 11008919, - 1541940, 4757911, 40617363, 17145491 -#endif - }}, - }, - { - {{ 
-#if defined(OPENSSL_64_BIT) - 1731069268103150, 735642447616087, 1364750481334268, - 417232839982871, 927108269127661 -#else - 13537262, 25794942, 46504023, 10961926, 61186044, 20336366, - 53952279, 6217253, 51165165, 13814989 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1017222050227968, 1987716148359, 2234319589635701, - 621282683093392, 2132553131763026 -#else - 49686272, 15157789, 18705543, 29619, 24409717, 33293956, - 27361680, 9257833, 65152338, 31777517 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1567828528453324, 1017807205202360, 565295260895298, - 829541698429100, 307243822276582 -#else - 42063564, 23362465, 15366584, 15166509, 54003778, 8423555, - 37937324, 12361134, 48422886, 4578289 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 249079270936248, 1501514259790706, 947909724204848, - 944551802437487, 552658763982480 -#else - 24579768, 3711570, 1342322, 22374306, 40103728, 14124955, - 44564335, 14074918, 21964432, 8235257 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2089966982947227, 1854140343916181, 2151980759220007, - 2139781292261749, 158070445864917 -#else - 60580251, 31142934, 9442965, 27628844, 12025639, 32067012, - 64127349, 31885225, 13006805, 2355433 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1338766321464554, 1906702607371284, 1519569445519894, - 115384726262267, 1393058953390992 -#else - 50803946, 19949172, 60476436, 28412082, 16974358, 22643349, - 27202043, 1719366, 1141648, 20758196 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1364621558265400, 1512388234908357, 1926731583198686, - 2041482526432505, 920401122333774 -#else - 54244920, 20334445, 58790597, 22536340, 60298718, 28710537, - 13475065, 30420460, 32674894, 13715045 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1884844597333588, 601480070269079, 620203503079537, - 1079527400117915, 1202076693132015 -#else - 11423316, 28086373, 32344215, 8962751, 24989809, 9241752, - 53843611, 16086211, 38367983, 17912338 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 840922919763324, 727955812569642, 1303406629750194, - 522898432152867, 294161410441865 -#else - 65699196, 12530727, 60740138, 10847386, 19531186, 19422272, - 55399715, 7791793, 39862921, 4383346 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 353760790835310, 1598361541848743, 1122905698202299, - 1922533590158905, 419107700666580 -#else - 38137966, 5271446, 65842855, 23817442, 54653627, 16732598, - 62246457, 28647982, 27193556, 6245191 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 359856369838236, 180914355488683, 861726472646627, - 218807937262986, 575626773232501 -#else - 51914908, 5362277, 65324971, 2695833, 4960227, 12840725, - 23061898, 3260492, 22510453, 8577507 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 755467689082474, 909202735047934, 730078068932500, - 936309075711518, 2007798262842972 -#else - 54476394, 11257345, 34415870, 13548176, 66387860, 10879010, - 31168030, 13952092, 37537372, 29918525 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1609384177904073, 362745185608627, 1335318541768201, - 800965770436248, 547877979267412 -#else - 3877321, 23981693, 32416691, 5405324, 56104457, 19897796, - 3759768, 11935320, 5611860, 8164018 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 984339177776787, 815727786505884, 1645154585713747, - 1659074964378553, 1686601651984156 -#else - 50833043, 14667796, 15906460, 12155291, 44997715, 24514713, - 32003001, 24722143, 5773084, 25132323 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1697863093781930, 599794399429786, 1104556219769607, - 830560774794755, 12812858601017 -#else - 43320746, 25300131, 1950874, 8937633, 18686727, 16459170, - 66203139, 12376319, 31632953, 190926 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1168737550514982, 897832437380552, 463140296333799, - 302564600022547, 2008360505135501 -#else - 42515238, 17415546, 58684872, 13378745, 14162407, 6901328, - 58820115, 4508563, 41767309, 29926903 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1856930662813910, 678090852002597, 1920179140755167, - 1259527833759868, 55540971895511 -#else - 8884438, 27670423, 6023973, 10104341, 60227295, 28612898, - 18722940, 18768427, 65436375, 827624 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1158643631044921, 476554103621892, 178447851439725, - 1305025542653569, 103433927680625 -#else - 34388281, 17265135, 34605316, 7101209, 13354605, 2659080, - 65308289, 19446395, 42230385, 1541285 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2176793111709008, 1576725716350391, 2009350167273523, - 2012390194631546, 2125297410909580 -#else - 2901328, 32436745, 3880375, 23495044, 49487923, 29941650, - 45306746, 29986950, 20456844, 31669399 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 825403285195098, 2144208587560784, 1925552004644643, - 1915177840006985, 1015952128947864 -#else - 27019610, 12299467, 53450576, 31951197, 54247203, 28692960, - 47568713, 28538373, 29439640, 15138866 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1807108316634472, 1534392066433717, 347342975407218, - 1153820745616376, 7375003497471 -#else - 21536104, 26928012, 34661045, 22864223, 44700786, 5175813, - 61688824, 17193268, 7779327, 109896 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 983061001799725, 431211889901241, 2201903782961093, - 817393911064341, 2214616493042167 -#else - 30279725, 14648750, 59063993, 6425557, 13639621, 32810923, - 28698389, 12180118, 23177719, 33000357 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 228567918409756, 865093958780220, 358083886450556, - 159617889659320, 1360637926292598 -#else - 26572828, 3405927, 35407164, 12890904, 47843196, 5335865, - 60615096, 2378491, 4439158, 20275085 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 234147501399755, 2229469128637390, 2175289352258889, - 1397401514549353, 1885288963089922 -#else - 44392139, 3489069, 57883598, 33221678, 18875721, 32414337, - 14819433, 20822905, 49391106, 28092994 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 1111762412951562, 252849572507389, 1048714233823341, - 146111095601446, 1237505378776770 -#else - 62052362, 16566550, 15953661, 3767752, 56672365, 15627059, - 66287910, 2177224, 8550082, 18440267 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1113790697840279, 1051167139966244, 1045930658550944, - 2011366241542643, 1686166824620755 -#else - 48635543, 16596774, 66727204, 15663610, 22860960, 15585581, - 39264755, 29971692, 43848403, 25125843 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1054097349305049, 1872495070333352, 182121071220717, - 1064378906787311, 100273572924182 -#else - 34628313, 15707274, 58902952, 27902350, 29464557, 2713815, - 44383727, 15860481, 45206294, 1494192 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1306410853171605, 1627717417672447, 50983221088417, - 1109249951172250, 870201789081392 -#else - 47546773, 19467038, 41524991, 24254879, 13127841, 759709, - 21923482, 16529112, 8742704, 12967017 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 104233794644221, 1548919791188248, 2224541913267306, - 2054909377116478, 1043803389015153 -#else - 38643965, 1553204, 32536856, 23080703, 42417258, 33148257, - 58194238, 30620535, 37205105, 15553882 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 216762189468802, 707284285441622, 190678557969733, - 973969342604308, 1403009538434867 -#else - 21877890, 3230008, 9881174, 10539357, 62311749, 2841331, - 11543572, 14513274, 19375923, 20906471 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1279024291038477, 344776835218310, 273722096017199, - 1834200436811442, 634517197663804 -#else - 8832269, 19058947, 13253510, 5137575, 5037871, 4078777, - 24880818, 27331716, 2862652, 9455043 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 343805853118335, 1302216857414201, 566872543223541, - 2051138939539004, 321428858384280 -#else - 29306751, 5123106, 20245049, 19404543, 9592565, 8447059, - 65031740, 30564351, 15511448, 4789663 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 470067171324852, 1618629234173951, 2000092177515639, - 7307679772789, 1117521120249968 -#else - 46429108, 7004546, 8824831, 24119455, 63063159, 29803695, - 61354101, 108892, 23513200, 16652362 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 278151578291475, 1810282338562947, 1771599529530998, - 1383659409671631, 685373414471841 -#else - 33852691, 4144781, 62632835, 26975308, 10770038, 26398890, - 60458447, 20618131, 48789665, 10212859 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 577009397403102, 1791440261786291, 2177643735971638, - 174546149911960, 1412505077782326 -#else - 2756062, 8598110, 7383731, 26694540, 22312758, 32449420, - 21179800, 2600940, 57120566, 21047965 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 893719721537457, 1201282458018197, 1522349501711173, - 58011597740583, 1130406465887139 -#else - 42463153, 13317461, 36659605, 17900503, 21365573, 22684775, - 11344423, 864440, 64609187, 16844368 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 412607348255453, 1280455764199780, 2233277987330768, - 14180080401665, 331584698417165 -#else - 40676061, 6148328, 49924452, 19080277, 18782928, 33278435, - 44547329, 211299, 2719757, 4940997 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 262483770854550, 990511055108216, 526885552771698, - 571664396646158, 354086190278723 -#else - 65784982, 3911312, 60160120, 14759764, 37081714, 7851206, - 21690126, 8518463, 26699843, 5276295 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1820352417585487, 24495617171480, 1547899057533253, - 10041836186225, 480457105094042 -#else - 53958991, 27125364, 9396248, 365013, 24703301, 23065493, - 1321585, 149635, 51656090, 7159368 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2023310314989233, 637905337525881, 2106474638900687, - 557820711084072, 1687858215057826 -#else - 9987761, 30149673, 17507961, 9505530, 9731535, 31388918, - 22356008, 8312176, 22477218, 25151047 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1144168702609745, 604444390410187, 1544541121756138, - 1925315550126027, 626401428894002 -#else - 18155857, 17049442, 19744715, 9006923, 15154154, 23015456, - 24256459, 28689437, 44560690, 9334108 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1922168257351784, 2018674099908659, 1776454117494445, - 956539191509034, 36031129147635 -#else - 2986088, 28642539, 10776627, 30080588, 10620589, 26471229, - 45695018, 14253544, 44521715, 536905 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 544644538748041, 1039872944430374, 876750409130610, - 710657711326551, 1216952687484972 -#else - 4377737, 8115836, 24567078, 15495314, 11625074, 13064599, - 7390551, 10589625, 10838060, 18134008 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 58242421545916, 2035812695641843, 2118491866122923, - 1191684463816273, 46921517454099 -#else - 47766460, 867879, 9277171, 30335973, 52677291, 31567988, - 19295825, 17757482, 6378259, 699185 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 272268252444639, 1374166457774292, 2230115177009552, - 1053149803909880, 1354288411641016 -#else - 7895007, 4057113, 60027092, 20476675, 49222032, 33231305, - 66392824, 15693154, 62063800, 20180469 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1857910905368338, 1754729879288912, 885945464109877, - 1516096106802166, 1602902393369811 -#else - 59371282, 27685029, 52542544, 26147512, 11385653, 13201616, - 31730678, 22591592, 63190227, 23885106 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1193437069800958, 901107149704790, 999672920611411, - 477584824802207, 364239578697845 -#else - 10188286, 17783598, 59772502, 13427542, 22223443, 14896287, - 30743455, 7116568, 45322357, 5427592 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 886299989548838, 1538292895758047, 1590564179491896, - 1944527126709657, 837344427345298 -#else - 696102, 13206899, 27047647, 22922350, 15285304, 23701253, - 10798489, 28975712, 19236242, 12477404 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 754558365378305, 1712186480903618, 1703656826337531, - 750310918489786, 518996040250900 -#else - 55879425, 11243795, 50054594, 25513566, 66320635, 25386464, - 63211194, 11180503, 43939348, 7733643 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1309847803895382, 1462151862813074, 211370866671570, - 1544595152703681, 1027691798954090 -#else - 17800790, 19518253, 40108434, 21787760, 23887826, 3149671, - 23466177, 23016261, 10322026, 15313801 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 803217563745370, 1884799722343599, 1357706345069218, - 2244955901722095, 730869460037413 -#else - 26246234, 11968874, 32263343, 28085704, 6830754, 20231401, - 51314159, 33452449, 42659621, 10890803 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 689299471295966, 1831210565161071, 1375187341585438, - 1106284977546171, 1893781834054269 -#else - 35743198, 10271362, 54448239, 27287163, 16690206, 20491888, - 52126651, 16484930, 25180797, 28219548 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 696351368613042, 1494385251239250, 738037133616932, - 636385507851544, 927483222611406 -#else - 66522290, 10376443, 34522450, 22268075, 19801892, 10997610, - 2276632, 9482883, 316878, 13820577 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1949114198209333, 1104419699537997, 783495707664463, - 1747473107602770, 2002634765788641 -#else - 57226037, 29044064, 64993357, 16457135, 56008783, 11674995, - 30756178, 26039378, 30696929, 29841583 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1607325776830197, 530883941415333, 1451089452727895, - 1581691157083423, 496100432831154 -#else - 32988917, 23951020, 12499365, 7910787, 56491607, 21622917, - 59766047, 23569034, 34759346, 7392472 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1068900648804224, 2006891997072550, 1134049269345549, - 1638760646180091, 2055396084625778 -#else - 58253184, 15927860, 9866406, 29905021, 64711949, 16898650, - 36699387, 24419436, 25112946, 30627788 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 2222475519314561, 1870703901472013, 1884051508440561, - 1344072275216753, 1318025677799069 -#else - 64604801, 33117465, 25621773, 27875660, 15085041, 28074555, - 42223985, 20028237, 5537437, 19640113 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 155711679280656, 681100400509288, 389811735211209, - 2135723811340709, 408733211204125 -#else - 55883280, 2320284, 57524584, 10149186, 33664201, 5808647, - 52232613, 31824764, 31234589, 6090599 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 7813206966729, 194444201427550, 2071405409526507, - 1065605076176312, 1645486789731291 -#else - 57475529, 116425, 26083934, 2897444, 60744427, 30866345, 609720, - 15878753, 60138459, 24519663 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 16625790644959, 1647648827778410, 1579910185572704, - 436452271048548, 121070048451050 -#else - 39351007, 247743, 51914090, 24551880, 23288160, 23542496, - 43239268, 6503645, 20650474, 1804084 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1037263028552531, 568385780377829, 297953104144430, - 1558584511931211, 2238221839292471 -#else - 39519059, 15456423, 8972517, 8469608, 15640622, 4439847, - 3121995, 23224719, 27842615, 33352104 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 190565267697443, 672855706028058, 338796554369226, - 337687268493904, 853246848691734 -#else - 51801891, 2839643, 22530074, 10026331, 4602058, 5048462, - 28248656, 5031932, 55733782, 12714368 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1763863028400139, 766498079432444, 1321118624818005, - 69494294452268, 858786744165651 -#else - 20807691, 26283607, 29286140, 11421711, 39232341, 19686201, - 45881388, 1035545, 47375635, 12796919 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1292056768563024, 1456632109855638, 1100631247050184, - 1386133165675321, 1232898350193752 -#else - 12076880, 19253146, 58323862, 21705509, 42096072, 16400683, - 49517369, 20654993, 3480664, 18371617 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 366253102478259, 525676242508811, 1449610995265438, - 1183300845322183, 185960306491545 -#else - 34747315, 5457596, 28548107, 7833186, 7303070, 21600887, - 42745799, 17632556, 33734809, 2771024 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 28315355815982, 460422265558930, 1799675876678724, - 1969256312504498, 1051823843138725 -#else - 45719598, 421931, 26597266, 6860826, 22486084, 26817260, - 49971378, 29344205, 42556581, 15673396 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 156914999361983, 1606148405719949, 1665208410108430, - 317643278692271, 1383783705665320 -#else - 46924223, 2338215, 19788685, 23933476, 63107598, 24813538, - 46837679, 4733253, 3727144, 20619984 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 54684536365732, 2210010038536222, 1194984798155308, - 535239027773705, 1516355079301361 -#else - 6120100, 814863, 55314462, 32931715, 6812204, 17806661, 2019593, - 7975683, 31123697, 22595451 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1484387703771650, 198537510937949, 2186282186359116, - 617687444857508, 647477376402122 -#else - 30069250, 22119100, 30434653, 2958439, 18399564, 32578143, - 12296868, 9204260, 50676426, 9648164 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2147715541830533, 500032538445817, 646380016884826, - 352227855331122, 1488268620408052 -#else - 32705413, 32003455, 30705657, 7451065, 55303258, 9631812, - 3305266, 5248604, 41100532, 22176930 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 159386186465542, 1877626593362941, 618737197060512, - 1026674284330807, 1158121760792685 -#else - 17219846, 2375039, 35537917, 27978816, 47649184, 9219902, - 294711, 15298639, 2662509, 17257359 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1744544377739822, 1964054180355661, 1685781755873170, - 2169740670377448, 1286112621104591 -#else - 65935918, 25995736, 62742093, 29266687, 45762450, 25120105, - 32087528, 32331655, 32247247, 19164571 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 81977249784993, 1667943117713086, 1668983819634866, - 1605016835177615, 1353960708075544 -#else - 14312609, 1221556, 17395390, 24854289, 62163122, 24869796, - 38911119, 23916614, 51081240, 20175586 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1602253788689063, 439542044889886, 2220348297664483, - 657877410752869, 157451572512238 -#else - 65680039, 23875441, 57873182, 6549686, 59725795, 33085767, - 23046501, 9803137, 17597934, 2346211 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1029287186166717, 65860128430192, 525298368814832, - 1491902500801986, 1461064796385400 -#else - 18510781, 15337574, 26171504, 981392, 44867312, 7827555, - 43617730, 22231079, 3059832, 21771562 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 408216988729246, 2121095722306989, 913562102267595, - 1879708920318308, 241061448436731 -#else - 10141598, 6082907, 17829293, 31606789, 9830091, 13613136, - 41552228, 28009845, 33606651, 3592095 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1185483484383269, 1356339572588553, 584932367316448, - 102132779946470, 1792922621116791 -#else - 33114149, 17665080, 40583177, 20211034, 33076704, 8716171, - 1151462, 1521897, 66126199, 26716628 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1966196870701923, 2230044620318636, 1425982460745905, - 261167817826569, 46517743394330 -#else - 34169699, 29298616, 23947180, 33230254, 34035889, 21248794, - 50471177, 3891703, 26353178, 693168 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 107077591595359, 884959942172345, 27306869797400, - 2224911448949390, 964352058245223 -#else - 30374239, 1595580, 50224825, 13186930, 4600344, 406904, 9585294, - 33153764, 31375463, 14369965 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1730194207717538, 431790042319772, 1831515233279467, - 1372080552768581, 1074513929381760 -#else - 52738210, 25781902, 1510300, 6434173, 48324075, 27291703, - 32732229, 20445593, 17901440, 16011505 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1450880638731607, 1019861580989005, 1229729455116861, - 1174945729836143, 826083146840706 -#else - 18171223, 21619806, 54608461, 15197121, 56070717, 18324396, - 47936623, 17508055, 8764034, 12309598 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1899935429242705, 1602068751520477, 940583196550370, - 82431069053859, 1540863155745696 -#else - 5975889, 28311244, 47649501, 23872684, 55567586, 14015781, - 43443107, 1228318, 17544096, 22960650 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2136688454840028, 2099509000964294, 1690800495246475, - 1217643678575476, 828720645084218 -#else - 5811932, 31839139, 3442886, 31285122, 48741515, 25194890, - 49064820, 18144304, 61543482, 12348899 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 765548025667841, 462473984016099, 998061409979798, - 546353034089527, 2212508972466858 -#else - 35709185, 11407554, 25755363, 6891399, 63851926, 14872273, - 42259511, 8141294, 56476330, 32968952 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 46575283771160, 892570971573071, 1281983193144090, - 1491520128287375, 75847005908304 -#else - 54433560, 694025, 62032719, 13300343, 14015258, 19103038, - 57410191, 22225381, 30944592, 1130208 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1801436127943107, 1734436817907890, 1268728090345068, - 167003097070711, 2233597765834956 -#else - 8247747, 26843490, 40546482, 25845122, 52706924, 18905521, - 4652151, 2488540, 23550156, 33283200 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1997562060465113, 1048700225534011, 7615603985628, - 1855310849546841, 2242557647635213 -#else - 17294297, 29765994, 7026747, 15626851, 22990044, 113481, - 2267737, 27646286, 66700045, 33416712 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1161017320376250, 492624580169043, 2169815802355237, - 976496781732542, 1770879511019629 -#else - 16091066, 17300506, 18599251, 7340678, 2137637, 32332775, - 63744702, 14550935, 3260525, 26388161 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 1357044908364776, 729130645262438, 1762469072918979, - 1365633616878458, 181282906404941 -#else - 62198760, 20221544, 18550886, 10864893, 50649539, 26262835, - 44079994, 20349526, 54360141, 2701325 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1080413443139865, 1155205815510486, 1848782073549786, - 622566975152580, 124965574467971 -#else - 58534169, 16099414, 4629974, 17213908, 46322650, 27548999, - 57090500, 9276970, 11329923, 1862132 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1184526762066993, 247622751762817, 692129017206356, - 820018689412496, 2188697339828085 -#else - 14763057, 17650824, 36190593, 3689866, 3511892, 10313526, - 45157776, 12219230, 58070901, 32614131 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2020536369003019, 202261491735136, 1053169669150884, - 2056531979272544, 778165514694311 -#else - 8894987, 30108338, 6150752, 3013931, 301220, 15693451, 35127648, - 30644714, 51670695, 11595569 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 237404399610207, 1308324858405118, 1229680749538400, - 720131409105291, 1958958863624906 -#else - 15214943, 3537601, 40870142, 19495559, 4418656, 18323671, - 13947275, 10730794, 53619402, 29190761 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 515583508038846, 17656978857189, 1717918437373989, - 1568052070792483, 46975803123923 -#else - 64570558, 7682792, 32759013, 263109, 37124133, 25598979, - 44776739, 23365796, 977107, 699994 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 281527309158085, 36970532401524, 866906920877543, - 2222282602952734, 1289598729589882 -#else - 54642373, 4195083, 57897332, 550903, 51543527, 12917919, - 19118110, 33114591, 36574330, 19216518 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1278207464902042, 494742455008756, 1262082121427081, - 1577236621659884, 1888786707293291 -#else - 31788442, 19046775, 4799988, 7372237, 8808585, 18806489, - 9408236, 23502657, 12493931, 28145115 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 353042527954210, 1830056151907359, 1111731275799225, - 174960955838824, 404312815582675 -#else - 41428258, 5260743, 47873055, 27269961, 63412921, 16566086, - 27218280, 2607121, 29375955, 6024730 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2064251142068628, 1666421603389706, 1419271365315441, - 468767774902855, 191535130366583 -#else - 842132, 30759739, 62345482, 24831616, 26332017, 21148791, - 11831879, 6985184, 57168503, 2854095 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1716987058588002, 1859366439773457, 1767194234188234, - 64476199777924, 1117233614485261 -#else - 62261602, 25585100, 2516241, 27706719, 9695690, 26333246, - 16512644, 960770, 12121869, 16648078 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 984292135520292, 135138246951259, 2220652137473167, - 1722843421165029, 190482558012909 -#else - 51890212, 14667095, 53772635, 2013716, 30598287, 33090295, - 35603941, 25672367, 20237805, 2838411 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 298845952651262, 1166086588952562, 1179896526238434, - 1347812759398693, 1412945390096208 -#else - 47820798, 4453151, 15298546, 17376044, 22115042, 17581828, - 12544293, 20083975, 1068880, 21054527 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1143239552672925, 906436640714209, 2177000572812152, - 2075299936108548, 325186347798433 -#else - 57549981, 17035596, 33238497, 13506958, 30505848, 32439836, - 58621956, 30924378, 12521377, 4845654 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 721024854374772, 684487861263316, 1373438744094159, - 2193186935276995, 1387043709851261 -#else - 38910324, 10744107, 64150484, 10199663, 7759311, 20465832, - 3409347, 32681032, 60626557, 20668561 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 418098668140962, 715065997721283, 1471916138376055, - 2168570337288357, 937812682637044 -#else - 43547042, 6230155, 46726851, 10655313, 43068279, 21933259, - 10477733, 32314216, 63995636, 13974497 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1043584187226485, 2143395746619356, 2209558562919611, - 482427979307092, 847556718384018 -#else - 12966261, 15550616, 35069916, 31939085, 21025979, 32924988, - 5642324, 7188737, 18895762, 12629579 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1248731221520759, 1465200936117687, 540803492710140, - 52978634680892, 261434490176109 -#else - 14741879, 18607545, 22177207, 21833195, 1279740, 8058600, - 11758140, 789443, 32195181, 3895677 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1057329623869501, 620334067429122, 461700859268034, - 2012481616501857, 297268569108938 -#else - 10758205, 15755439, 62598914, 9243697, 62229442, 6879878, - 64904289, 29988312, 58126794, 4429646 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1055352180870759, 1553151421852298, 1510903185371259, - 1470458349428097, 1226259419062731 -#else - 64654951, 15725972, 46672522, 23143759, 61304955, 22514211, - 59972993, 21911536, 18047435, 18272689 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1492988790301668, 790326625573331, 1190107028409745, - 1389394752159193, 1620408196604194 -#else - 41935844, 22247266, 29759955, 11776784, 44846481, 17733976, - 10993113, 20703595, 49488162, 24145963 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 47000654413729, 1004754424173864, 1868044813557703, - 173236934059409, 588771199737015 -#else - 21987233, 700364, 42603816, 14972007, 59334599, 27836036, - 32155025, 2581431, 37149879, 8773374 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 30498470091663, 1082245510489825, 576771653181956, - 806509986132686, 1317634017056939 -#else - 41540495, 454462, 53896929, 16126714, 25240068, 8594567, - 20656846, 12017935, 59234475, 19634276 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 420308055751555, 1493354863316002, 165206721528088, - 1884845694919786, 2065456951573059 -#else - 6028163, 6263078, 36097058, 22252721, 66289944, 2461771, - 35267690, 28086389, 65387075, 30777706 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 1115636332012334, 1854340990964155, 83792697369514, - 1972177451994021, 457455116057587 -#else - 54829870, 16624276, 987579, 27631834, 32908202, 1248608, - 7719845, 29387734, 28408819, 6816612 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1698968457310898, 1435137169051090, 1083661677032510, - 938363267483709, 340103887207182 -#else - 56750770, 25316602, 19549650, 21385210, 22082622, 16147817, - 20613181, 13982702, 56769294, 5067942 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1995325341336574, 911500251774648, 164010755403692, - 855378419194762, 1573601397528842 -#else - 36602878, 29732664, 12074680, 13582412, 47230892, 2443950, - 47389578, 12746131, 5331210, 23448488 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 241719380661528, 310028521317150, 1215881323380194, - 1408214976493624, 2141142156467363 -#else - 30528792, 3601899, 65151774, 4619784, 39747042, 18118043, - 24180792, 20984038, 27679907, 31905504 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1315157046163473, 727368447885818, 1363466668108618, - 1668921439990361, 1398483384337907 -#else - 9402385, 19597367, 32834042, 10838634, 40528714, 20317236, - 26653273, 24868867, 22611443, 20839026 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 75029678299646, 1015388206460473, 1849729037055212, - 1939814616452984, 444404230394954 -#else - 22190590, 1118029, 22736441, 15130463, 36648172, 27563110, - 19189624, 28905490, 4854858, 6622139 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2053597130993710, 2024431685856332, 2233550957004860, - 2012407275509545, 872546993104440 -#else - 58798126, 30600981, 58846284, 30166382, 56707132, 33282502, - 13424425, 29987205, 26404408, 13001963 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1217269667678610, 599909351968693, 1390077048548598, - 1471879360694802, 739586172317596 -#else - 35867026, 18138731, 64114613, 8939345, 11562230, 20713762, - 41044498, 21932711, 51703708, 11020692 -#endif - }}, - }, - { - 
{{ -#if defined(OPENSSL_64_BIT) - 1718318639380794, 1560510726633958, 904462881159922, - 1418028351780052, 94404349451937 -#else - 1866042, 25604943, 59210214, 23253421, 12483314, 13477547, - 3175636, 21130269, 28761761, 1406734 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2132502667405250, 214379346175414, 1502748313768060, - 1960071701057800, 1353971822643138 -#else - 66660290, 31776765, 13018550, 3194501, 57528444, 22392694, - 24760584, 29207344, 25577410, 20175752 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 319394212043702, 2127459436033571, 717646691535162, - 663366796076914, 318459064945314 -#else - 42818486, 4759344, 66418211, 31701615, 2066746, 10693769, - 37513074, 9884935, 57739938, 4745409 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 405989424923593, 1960452633787083, 667349034401665, - 1492674260767112, 1451061489880787 -#else - 57967561, 6049713, 47577803, 29213020, 35848065, 9944275, - 51646856, 22242579, 10931923, 21622501 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 947085906234007, 323284730494107, 1485778563977200, - 728576821512394, 901584347702286 -#else - 50547351, 14112679, 59096219, 4817317, 59068400, 22139825, - 44255434, 10856640, 46638094, 13434653 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1575783124125742, 2126210792434375, 1569430791264065, - 1402582372904727, 1891780248341114 -#else - 22759470, 23480998, 50342599, 31683009, 13637441, 23386341, - 1765143, 20900106, 28445306, 28189722 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 838432205560695, 1997703511451664, 1018791879907867, - 1662001808174331, 78328132957753 -#else - 29875063, 12493613, 2795536, 29768102, 1710619, 15181182, - 56913147, 24765756, 9074233, 1167180 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 739152638255629, 2074935399403557, 505483666745895, - 1611883356514088, 628654635394878 -#else - 40903181, 11014232, 57266213, 30918946, 40200743, 7532293, - 48391976, 24018933, 3843902, 9367684 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1822054032121349, 643057948186973, 7306757352712, - 577249257962099, 284735863382083 -#else - 56139269, 27150720, 9591133, 9582310, 11349256, 108879, - 16235123, 8601684, 66969667, 4242894 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1366558556363930, 1448606567552086, 1478881020944768, - 165803179355898, 1115718458123498 -#else - 22092954, 20363309, 65066070, 21585919, 32186752, 22037044, - 60534522, 2470659, 39691498, 16625500 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 204146226972102, 1630511199034723, 2215235214174763, - 174665910283542, 956127674017216 -#else - 56051142, 3042015, 13770083, 24296510, 584235, 33009577, - 59338006, 2602724, 39757248, 14247412 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1562934578796716, 1070893489712745, 11324610642270, - 958989751581897, 2172552325473805 -#else - 6314156, 23289540, 34336361, 15957556, 56951134, 168749, - 58490057, 14290060, 27108877, 32373552 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1770564423056027, 735523631664565, 1326060113795289, - 1509650369341127, 65892421582684 -#else - 58522267, 26383465, 13241781, 10960156, 34117849, 19759835, - 33547975, 22495543, 39960412, 981873 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 623682558650637, 1337866509471512, 990313350206649, - 1314236615762469, 1164772974270275 -#else - 22833421, 9293594, 34459416, 19935764, 57971897, 14756818, - 44180005, 19583651, 56629059, 17356469 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 223256821462517, 723690150104139, 1000261663630601, - 933280913953265, 254872671543046 -#else - 59340277, 3326785, 38997067, 10783823, 19178761, 14905060, - 22680049, 13906969, 51175174, 3797898 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1969087237026041, 624795725447124, 1335555107635969, - 2069986355593023, 1712100149341902 -#else - 21721337, 29341686, 54902740, 9310181, 63226625, 19901321, - 23740223, 30845200, 20491982, 25512280 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 1236103475266979, 1837885883267218, 1026072585230455, - 1025865513954973, 1801964901432134 -#else - 9209251, 18419377, 53852306, 27386633, 66377847, 15289672, - 25947805, 15286587, 30997318, 26851369 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1115241013365517, 1712251818829143, 2148864332502771, - 2096001471438138, 2235017246626125 -#else - 7392013, 16618386, 23946583, 25514540, 53843699, 32020573, - 52911418, 31232855, 17649997, 33304352 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1299268198601632, 2047148477845621, 2165648650132450, - 1612539282026145, 514197911628890 -#else - 57807776, 19360604, 30609525, 30504889, 41933794, 32270679, - 51867297, 24028707, 64875610, 7662145 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 118352772338543, 1067608711804704, 1434796676193498, - 1683240170548391, 230866769907437 -#else - 49550191, 1763593, 33994528, 15908609, 37067994, 21380136, - 7335079, 25082233, 63934189, 3440182 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1850689576796636, 1601590730430274, 1139674615958142, - 1954384401440257, 76039205311 -#else - 47219164, 27577423, 42997570, 23865561, 10799742, 16982475, - 40449, 29122597, 4862399, 1133 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1723387471374172, 997301467038410, 533927635123657, - 20928644693965, 1756575222802513 -#else - 34252636, 25680474, 61686474, 14860949, 50789833, 7956141, - 7258061, 311861, 36513873, 26175010 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2146711623855116, 503278928021499, 625853062251406, - 1109121378393107, 1033853809911861 -#else - 63335436, 31988495, 28985339, 7499440, 24445838, 9325937, - 29727763, 16527196, 18278453, 15405622 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 571005965509422, 2005213373292546, 1016697270349626, - 56607856974274, 914438579435146 -#else - 62726958, 8508651, 47210498, 29880007, 61124410, 15149969, - 53795266, 843522, 45233802, 13626196 -#endif - }}, - }, - { - {{ -#if 
defined(OPENSSL_64_BIT) - 1346698876211176, 2076651707527589, 1084761571110205, - 265334478828406, 1068954492309671 -#else - 2281448, 20067377, 56193445, 30944521, 1879357, 16164207, - 56324982, 3953791, 13340839, 15928663 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1769967932677654, 1695893319756416, 1151863389675920, - 1781042784397689, 400287774418285 -#else - 31727126, 26374577, 48671360, 25270779, 2875792, 17164102, - 41838969, 26539605, 43656557, 5964752 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1851867764003121, 403841933237558, 820549523771987, - 761292590207581, 1743735048551143 -#else - 4100401, 27594980, 49929526, 6017713, 48403027, 12227140, - 40424029, 11344143, 2538215, 25983677 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 410915148140008, 2107072311871739, 1004367461876503, - 99684895396761, 1180818713503224 -#else - 57675240, 6123112, 11159803, 31397824, 30016279, 14966241, - 46633881, 1485420, 66479608, 17595569 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 285945406881439, 648174397347453, 1098403762631981, - 1366547441102991, 1505876883139217 -#else - 40304287, 4260918, 11851389, 9658551, 35091757, 16367491, - 46903439, 20363143, 11659921, 22439314 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 672095903120153, 1675918957959872, 636236529315028, - 1569297300327696, 2164144194785875 -#else - 26180377, 10015009, 36264640, 24973138, 5418196, 9480663, - 2231568, 23384352, 33100371, 32248261 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1902708175321798, 1035343530915438, 1178560808893263, - 301095684058146, 1280977479761118 -#else - 15121094, 28352561, 56718958, 15427820, 39598927, 17561924, - 21670946, 4486675, 61177054, 19088051 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1615357281742403, 404257611616381, 2160201349780978, - 1160947379188955, 1578038619549541 -#else - 16166467, 24070699, 56004733, 6023907, 35182066, 32189508, - 2340059, 17299464, 56373093, 23514607 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 2013087639791217, 822734930507457, 1785668418619014, - 1668650702946164, 389450875221715 -#else - 28042865, 29997343, 54982337, 12259705, 63391366, 26608532, - 6766452, 24864833, 18036435, 5803270 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 453918449698368, 106406819929001, 2072540975937135, - 308588860670238, 1304394580755385 -#else - 66291264, 6763911, 11803561, 1585585, 10958447, 30883267, - 23855390, 4598332, 60949433, 19436993 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1295082798350326, 2091844511495996, 1851348972587817, - 3375039684596, 789440738712837 -#else - 36077558, 19298237, 17332028, 31170912, 31312681, 27587249, - 696308, 50292, 47013125, 11763583 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2083069137186154, 848523102004566, 993982213589257, - 1405313299916317, 1532824818698468 -#else - 66514282, 31040148, 34874710, 12643979, 12650761, 14811489, - 665117, 20940800, 47335652, 22840869 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1495961298852430, 1397203457344779, 1774950217066942, - 139302743555696, 66603584342787 -#else - 30464590, 22291560, 62981387, 20819953, 19835326, 26448819, - 42712688, 2075772, 50088707, 992470 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1782411379088302, 1096724939964781, 27593390721418, - 542241850291353, 1540337798439873 -#else - 18357166, 26559999, 7766381, 16342475, 37783946, 411173, - 14578841, 8080033, 55534529, 22952821 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 693543956581437, 171507720360750, 1557908942697227, - 1074697073443438, 1104093109037196 -#else - 19598397, 10334610, 12555054, 2555664, 18821899, 23214652, - 21873262, 16014234, 26224780, 16452269 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 345288228393419, 1099643569747172, 134881908403743, - 1740551994106740, 248212179299770 -#else - 36884939, 5145195, 5944548, 16385966, 3976735, 2009897, - 55731060, 25936245, 46575034, 3698649 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 231429562203065, 1526290236421172, 2021375064026423, - 1520954495658041, 806337791525116 -#else - 14187449, 3448569, 56472628, 22743496, 44444983, 30120835, - 7268409, 22663988, 27394300, 12015369 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1079623667189886, 872403650198613, 766894200588288, - 2163700860774109, 2023464507911816 -#else - 19695742, 16087646, 28032085, 12999827, 6817792, 11427614, - 20244189, 32241655, 53849736, 30151970 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 854645372543796, 1936406001954827, 151460662541253, - 825325739271555, 1554306377287556 -#else - 30860084, 12735208, 65220619, 28854697, 50133957, 2256939, - 58942851, 12298311, 58558340, 23160969 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1497138821904622, 1044820250515590, 1742593886423484, - 1237204112746837, 849047450816987 -#else - 61389038, 22309106, 65198214, 15569034, 26642876, 25966672, - 61319509, 18435777, 62132699, 12651792 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 667962773375330, 1897271816877105, 1399712621683474, - 1143302161683099, 2081798441209593 -#else - 64260450, 9953420, 11531313, 28271553, 26895122, 20857343, - 53990043, 17036529, 9768697, 31021214 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 127147851567005, 1936114012888110, 1704424366552046, - 856674880716312, 716603621335359 -#else - 42389405, 1894650, 66821166, 28850346, 15348718, 25397902, - 32767512, 12765450, 4940095, 10678226 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1072409664800960, 2146937497077528, 1508780108920651, - 935767602384853, 1112800433544068 -#else - 18860224, 15980149, 48121624, 31991861, 40875851, 22482575, - 59264981, 13944023, 42736516, 16582018 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 333549023751292, 280219272863308, 2104176666454852, - 1036466864875785, 536135186520207 -#else - 51604604, 4970267, 37215820, 4175592, 46115652, 31354675, - 55404809, 15444559, 56105103, 7989036 -#endif - }}, - }, - { - 
{{ -#if defined(OPENSSL_64_BIT) - 373666279883137, 146457241530109, 304116267127857, - 416088749147715, 1258577131183391 -#else - 31490433, 5568061, 64696061, 2182382, 34772017, 4531685, - 35030595, 6200205, 47422751, 18754260 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1186115062588401, 2251609796968486, 1098944457878953, - 1153112761201374, 1791625503417267 -#else - 49800177, 17674491, 35586086, 33551600, 34221481, 16375548, - 8680158, 17182719, 28550067, 26697300 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1870078460219737, 2129630962183380, 852283639691142, - 292865602592851, 401904317342226 -#else - 38981977, 27866340, 16837844, 31733974, 60258182, 12700015, - 37068883, 4364037, 1155602, 5988841 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1361070124828035, 815664541425524, 1026798897364671, - 1951790935390647, 555874891834790 -#else - 21890435, 20281525, 54484852, 12154348, 59276991, 15300495, - 23148983, 29083951, 24618406, 8283181 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1546301003424277, 459094500062839, 1097668518375311, - 1780297770129643, 720763293687608 -#else - 33972757, 23041680, 9975415, 6841041, 35549071, 16356535, - 3070187, 26528504, 1466168, 10740210 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1212405311403990, 1536693382542438, 61028431067459, - 1863929423417129, 1223219538638038 -#else - 65599446, 18066246, 53605478, 22898515, 32799043, 909394, - 53169961, 27774712, 34944214, 18227391 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1294303766540260, 1183557465955093, 882271357233093, - 63854569425375, 2213283684565087 -#else - 3960804, 19286629, 39082773, 17636380, 47704005, 13146867, - 15567327, 951507, 63848543, 32980496 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 339050984211414, 601386726509773, 413735232134068, - 966191255137228, 1839475899458159 -#else - 24740822, 5052253, 37014733, 8961360, 25877428, 6165135, - 42740684, 14397371, 59728495, 27410326 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 235605972169408, 2174055643032978, 1538335001838863, - 1281866796917192, 1815940222628465 -#else - 38220480, 3510802, 39005586, 32395953, 55870735, 22922977, - 51667400, 19101303, 65483377, 27059617 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1632352921721536, 1833328609514701, 2092779091951987, - 1923956201873226, 2210068022482919 -#else - 793280, 24323954, 8836301, 27318725, 39747955, 31184838, - 33152842, 28669181, 57202663, 32932579 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 35271216625062, 1712350667021807, 983664255668860, - 98571260373038, 1232645608559836 -#else - 5666214, 525582, 20782575, 25516013, 42570364, 14657739, - 16099374, 1468826, 60937436, 18367850 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1998172393429622, 1798947921427073, 784387737563581, - 1589352214827263, 1589861734168180 -#else - 62249590, 29775088, 64191105, 26806412, 7778749, 11688288, - 36704511, 23683193, 65549940, 23690785 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1733739258725305, 31715717059538, 201969945218860, - 992093044556990, 1194308773174556 -#else - 10896313, 25834728, 824274, 472601, 47648556, 3009586, 25248958, - 14783338, 36527388, 17796587 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 846415389605137, 746163495539180, 829658752826080, - 592067705956946, 957242537821393 -#else - 10566929, 12612572, 35164652, 11118702, 54475488, 12362878, - 21752402, 8822496, 24003793, 14264025 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1758148849754419, 619249044817679, 168089007997045, - 1371497636330523, 1867101418880350 -#else - 27713843, 26198459, 56100623, 9227529, 27050101, 2504721, - 23886875, 20436907, 13958494, 27821979 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 326633984209635, 261759506071016, 1700682323676193, - 1577907266349064, 1217647663383016 -#else - 43627235, 4867225, 39861736, 3900520, 29838369, 25342141, - 35219464, 23512650, 7340520, 18144364 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 1714182387328607, 1477856482074168, 574895689942184, - 2159118410227270, 1555532449716575 -#else - 4646495, 25543308, 44342840, 22021777, 23184552, 8566613, - 31366726, 32173371, 52042079, 23179239 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 853828206885131, 998498946036955, 1835887550391235, - 207627336608048, 258363815956050 -#else - 49838347, 12723031, 50115803, 14878793, 21619651, 27356856, - 27584816, 3093888, 58265170, 3849920 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 141141474651677, 1236728744905256, 643101419899887, - 1646615130509173, 1208239602291765 -#else - 58043933, 2103171, 25561640, 18428694, 61869039, 9582957, - 32477045, 24536477, 5002293, 18004173 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1501663228068911, 1354879465566912, 1444432675498247, - 897812463852601, 855062598754348 -#else - 55051311, 22376525, 21115584, 20189277, 8808711, 21523724, - 16489529, 13378448, 41263148, 12741425 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 714380763546606, 1032824444965790, 1774073483745338, - 1063840874947367, 1738680636537158 -#else - 61162478, 10645102, 36197278, 15390283, 63821882, 26435754, - 24306471, 15852464, 28834118, 25908360 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1640635546696252, 633168953192112, 2212651044092396, - 30590958583852, 368515260889378 -#else - 49773116, 24447374, 42577584, 9434952, 58636780, 32971069, - 54018092, 455840, 20461858, 5491305 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1171650314802029, 1567085444565577, 1453660792008405, - 757914533009261, 1619511342778196 -#else - 13669229, 17458950, 54626889, 23351392, 52539093, 21661233, - 42112877, 11293806, 38520660, 24132599 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 420958967093237, 971103481109486, 2169549185607107, - 1301191633558497, 1661514101014240 -#else - 28497909, 6272777, 34085870, 14470569, 8906179, 32328802, - 18504673, 19389266, 29867744, 24758489 -#endif - }}, - }, - { 
- {{ -#if defined(OPENSSL_64_BIT) - 907123651818302, 1332556122804146, 1824055253424487, - 1367614217442959, 1982558335973172 -#else - 50901822, 13517195, 39309234, 19856633, 24009063, 27180541, - 60741263, 20379039, 22853428, 29542421 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1121533090144639, 1021251337022187, 110469995947421, - 1511059774758394, 2110035908131662 -#else - 24191359, 16712145, 53177067, 15217830, 14542237, 1646131, - 18603514, 22516545, 12876622, 31441985 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 303213233384524, 2061932261128138, 352862124777736, - 40828818670255, 249879468482660 -#else - 17902668, 4518229, 66697162, 30725184, 26878216, 5258055, - 54248111, 608396, 16031844, 3723494 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 856559257852200, 508517664949010, 1378193767894916, - 1723459126947129, 1962275756614521 -#else - 38476072, 12763727, 46662418, 7577503, 33001348, 20536687, - 17558841, 25681542, 23896953, 29240187 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1445691340537320, 40614383122127, 402104303144865, - 485134269878232, 1659439323587426 -#else - 47103464, 21542479, 31520463, 605201, 2543521, 5991821, - 64163800, 7229063, 57189218, 24727572 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 20057458979482, 1183363722525800, 2140003847237215, - 2053873950687614, 2112017736174909 -#else - 28816026, 298879, 38943848, 17633493, 19000927, 31888542, - 54428030, 30605106, 49057085, 31471516 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2228654250927986, 1483591363415267, 1368661293910956, - 1076511285177291, 526650682059608 -#else - 16000882, 33209536, 3493091, 22107234, 37604268, 20394642, - 12577739, 16041268, 47393624, 7847706 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 709481497028540, 531682216165724, 316963769431931, - 1814315888453765, 258560242424104 -#else - 10151868, 10572098, 27312476, 7922682, 14825339, 4723128, - 34252933, 27035413, 57088296, 3852847 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1053447823660455, 1955135194248683, 1010900954918985, - 1182614026976701, 1240051576966610 -#else - 55678375, 15697595, 45987307, 29133784, 5386313, 15063598, - 16514493, 17622322, 29330898, 18478208 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 1957943897155497, 1788667368028035, 137692910029106, - 1039519607062, 826404763313028 -#else - 41609129, 29175637, 51885955, 26653220, 16615730, 2051784, - 3303702, 15490, 39560068, 12314390 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1848942433095597, 1582009882530495, 1849292741020143, - 1068498323302788, 2001402229799484 -#else - 15683501, 27551389, 18109119, 23573784, 15337967, 27556609, - 50391428, 15921865, 16103996, 29823217 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1528282417624269, 2142492439828191, 2179662545816034, - 362568973150328, 1591374675250271 -#else - 43939021, 22773182, 13588191, 31925625, 63310306, 32479502, - 47835256, 5402698, 37293151, 23713330 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 160026679434388, 232341189218716, 2149181472355545, - 598041771119831, 183859001910173 -#else - 23190676, 2384583, 34394524, 3462153, 37205209, 32025299, - 55842007, 8911516, 41903005, 2739712 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2013278155187349, 662660471354454, 793981225706267, - 411706605985744, 804490933124791 -#else - 21374101, 30000182, 33584214, 9874410, 15377179, 11831242, - 33578960, 6134906, 4931255, 11987849 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2051892037280204, 488391251096321, 2230187337030708, - 930221970662692, 679002758255210 -#else - 67101132, 30575573, 50885377, 7277596, 105524, 33232381, - 35628324, 13861387, 37032554, 10117929 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1530723630438670, 875873929577927, 341560134269988, - 449903119530753, 1055551308214179 -#else - 37607694, 22809559, 40945095, 13051538, 41483300, 5089642, - 60783361, 6704078, 12890019, 15728940 -#endif - }}, - {{ 
-#if defined(OPENSSL_64_BIT) - 1461835919309432, 1955256480136428, 180866187813063, - 1551979252664528, 557743861963950 -#else - 45136504, 21783052, 66157804, 29135591, 14704839, 2695116, - 903376, 23126293, 12885166, 8311031 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 359179641731115, 1324915145732949, 902828372691474, - 294254275669987, 1887036027752957 -#else - 49592363, 5352193, 10384213, 19742774, 7506450, 13453191, - 26423267, 4384730, 1888765, 28119028 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2043271609454323, 2038225437857464, 1317528426475850, - 1398989128982787, 2027639881006861 -#else - 41291507, 30447119, 53614264, 30371925, 30896458, 19632703, - 34857219, 20846562, 47644429, 30214188 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2072902725256516, 312132452743412, 309930885642209, - 996244312618453, 1590501300352303 -#else - 43500868, 30888657, 66582772, 4651135, 5765089, 4618330, - 6092245, 14845197, 17151279, 23700316 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1397254305160710, 695734355138021, 2233992044438756, - 1776180593969996, 1085588199351115 -#else - 42278406, 20820711, 51942885, 10367249, 37577956, 33289075, - 22825804, 26467153, 50242379, 16176524 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 440567051331029, 254894786356681, 493869224930222, - 1556322069683366, 1567456540319218 -#else - 43525589, 6564960, 20063689, 3798228, 62368686, 7359224, - 2006182, 23191006, 38362610, 23356922 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1950722461391320, 1907845598854797, 1822757481635527, - 2121567704750244, 73811931471221 -#else - 56482264, 29068029, 53788301, 28429114, 3432135, 27161203, - 23632036, 31613822, 32808309, 1099883 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 387139307395758, 2058036430315676, 1220915649965325, - 1794832055328951, 1230009312169328 -#else - 15030958, 5768825, 39657628, 30667132, 60681485, 18193060, - 51830967, 26745081, 2051440, 18328567 -#endif - }}, - }, - { - {{ 
-#if defined(OPENSSL_64_BIT) - 1765973779329517, 659344059446977, 19821901606666, - 1301928341311214, 1116266004075885 -#else - 63746541, 26315059, 7517889, 9824992, 23555850, 295369, 5148398, - 19400244, 44422509, 16633659 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1127572801181483, 1224743760571696, 1276219889847274, - 1529738721702581, 1589819666871853 -#else - 4577067, 16802144, 13249840, 18250104, 19958762, 19017158, - 18559669, 22794883, 8402477, 23690159 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2181229378964934, 2190885205260020, 1511536077659137, - 1246504208580490, 668883326494241 -#else - 38702534, 32502850, 40318708, 32646733, 49896449, 22523642, - 9453450, 18574360, 17983009, 9967138 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 437866655573314, 669026411194768, 81896997980338, - 523874406393178, 245052060935236 -#else - 41346370, 6524721, 26585488, 9969270, 24709298, 1220360, - 65430874, 7806336, 17507396, 3651560 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1975438052228868, 1071801519999806, 594652299224319, - 1877697652668809, 1489635366987285 -#else - 56688388, 29436320, 14584638, 15971087, 51340543, 8861009, - 26556809, 27979875, 48555541, 22197296 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 958592545673770, 233048016518599, 851568750216589, - 567703851596087, 1740300006094761 -#else - 2839082, 14284142, 4029895, 3472686, 14402957, 12689363, - 40466743, 8459446, 61503401, 25932490 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2014540178270324, 192672779514432, 213877182641530, - 2194819933853411, 1716422829364835 -#else - 62269556, 30018987, 9744960, 2871048, 25113978, 3187018, - 41998051, 32705365, 17258083, 25576693 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1540769606609725, 2148289943846077, 1597804156127445, - 1230603716683868, 815423458809453 -#else - 18164541, 22959256, 49953981, 32012014, 19237077, 23809137, - 23357532, 18337424, 26908269, 12150756 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1738560251245018, 1779576754536888, 1783765347671392, - 1880170990446751, 1088225159617541 -#else - 36843994, 25906566, 5112248, 26517760, 65609056, 26580174, - 43167, 28016731, 34806789, 16215818 -#endif - }}, - }, - }, - { - { - {{ -#if defined(OPENSSL_64_BIT) - 659303913929492, 1956447718227573, 1830568515922666, - 841069049744408, 1669607124206368 -#else - 60209940, 9824393, 54804085, 29153342, 35711722, 27277596, - 32574488, 12532905, 59605792, 24879084 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1143465490433355, 1532194726196059, 1093276745494697, - 481041706116088, 2121405433561163 -#else - 39765323, 17038963, 39957339, 22831480, 946345, 16291093, - 254968, 7168080, 21676107, 31611404 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1686424298744462, 1451806974487153, 266296068846582, - 1834686947542675, 1720762336132256 -#else - 21260942, 25129680, 50276977, 21633609, 43430902, 3968120, - 63456915, 27338965, 63552672, 25641356 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 889217026388959, 1043290623284660, 856125087551909, - 1669272323124636, 1603340330827879 -#else - 16544735, 13250366, 50304436, 15546241, 62525861, 12757257, - 64646556, 24874095, 48201831, 23891632 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1206396181488998, 333158148435054, 1402633492821422, - 1120091191722026, 1945474114550509 -#else - 64693606, 17976703, 18312302, 4964443, 51836334, 20900867, - 26820650, 16690659, 25459437, 28989823 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 766720088232571, 1512222781191002, 1189719893490790, - 2091302129467914, 2141418006894941 -#else - 41964155, 11425019, 28423002, 22533875, 60963942, 17728207, - 9142794, 31162830, 60676445, 31909614 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 419663647306612, 1998875112167987, 1426599870253707, - 1154928355379510, 486538532138187 -#else - 44004212, 6253475, 16964147, 29785560, 41994891, 21257994, - 39651638, 17209773, 6335691, 7249989 
-#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 938160078005954, 1421776319053174, 1941643234741774, - 180002183320818, 1414380336750546 -#else - 36775618, 13979674, 7503222, 21186118, 55152142, 28932738, - 36836594, 2682241, 25993170, 21075909 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 398001940109652, 1577721237663248, 1012748649830402, - 1540516006905144, 1011684812884559 -#else - 4364628, 5930691, 32304656, 23509878, 59054082, 15091130, - 22857016, 22955477, 31820367, 15075278 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1653276489969630, 6081825167624, 1921777941170836, - 1604139841794531, 861211053640641 -#else - 31879134, 24635739, 17258760, 90626, 59067028, 28636722, - 24162787, 23903546, 49138625, 12833044 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 996661541407379, 1455877387952927, 744312806857277, - 139213896196746, 1000282908547789 -#else - 19073683, 14851414, 42705695, 21694263, 7625277, 11091125, - 47489674, 2074448, 57694925, 14905376 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1450817495603008, 1476865707053229, 1030490562252053, - 620966950353376, 1744760161539058 -#else - 24483648, 21618865, 64589997, 22007013, 65555733, 15355505, - 41826784, 9253128, 27628530, 25998952 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 559728410002599, 37056661641185, 2038622963352006, - 1637244893271723, 1026565352238948 -#else - 17597607, 8340603, 19355617, 552187, 26198470, 30377849, - 4593323, 24396850, 52997988, 15297015 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 962165956135846, 1116599660248791, 182090178006815, - 1455605467021751, 196053588803284 -#else - 510886, 14337390, 35323607, 16638631, 6328095, 2713355, - 46891447, 21690211, 8683220, 2921426 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 796863823080135, 1897365583584155, 420466939481601, - 2165972651724672, 932177357788289 -#else - 18606791, 11874196, 27155355, 28272950, 43077121, 6265445, - 41930624, 32275507, 4674689, 13890525 -#endif - }}, - 
}, - { - {{ -#if defined(OPENSSL_64_BIT) - 877047233620632, 1375632631944375, 643773611882121, - 660022738847877, 19353932331831 -#else - 13609624, 13069022, 39736503, 20498523, 24360585, 9592974, - 14977157, 9835105, 4389687, 288396 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2216943882299338, 394841323190322, 2222656898319671, - 558186553950529, 1077236877025190 -#else - 9922506, 33035038, 13613106, 5883594, 48350519, 33120168, - 54804801, 8317627, 23388070, 16052080 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 801118384953213, 1914330175515892, 574541023311511, - 1471123787903705, 1526158900256288 -#else - 12719997, 11937594, 35138804, 28525742, 26900119, 8561328, - 46953177, 21921452, 52354592, 22741539 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 949617889087234, 2207116611267331, 912920039141287, - 501158539198789, 62362560771472 -#else - 15961858, 14150409, 26716931, 32888600, 44314535, 13603568, - 11829573, 7467844, 38286736, 929274 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1474518386765335, 1760793622169197, 1157399790472736, - 1622864308058898, 165428294422792 -#else - 11038231, 21972036, 39798381, 26237869, 56610336, 17246600, - 43629330, 24182562, 45715720, 2465073 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1961673048027128, 102619413083113, 1051982726768458, - 1603657989805485, 1941613251499678 -#else - 20017144, 29231206, 27915241, 1529148, 12396362, 15675764, - 13817261, 23896366, 2463390, 28932292 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1401939116319266, 335306339903072, 72046196085786, - 862423201496006, 850518754531384 -#else - 50749986, 20890520, 55043680, 4996453, 65852442, 1073571, - 9583558, 12851107, 4003896, 12673717 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1234706593321979, 1083343891215917, 898273974314935, - 1640859118399498, 157578398571149 -#else - 65377275, 18398561, 63845933, 16143081, 19294135, 13385325, - 14741514, 24450706, 7903885, 2348101 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1143483057726416, 1992614991758919, 674268662140796, - 1773370048077526, 674318359920189 -#else - 24536016, 17039225, 12715591, 29692277, 1511292, 10047386, - 63266518, 26425272, 38731325, 10048126 -#endif - }}, + {0x85, 0x3b, 0x8c, 0xf5, 0xc6, 0x93, 0xbc, 0x2f, 0x19, 0xe, 0x8c, + 0xfb, 0xc6, 0x2d, 0x93, 0xcf, 0xc2, 0x42, 0x3d, 0x64, 0x98, 0x48, + 0xb, 0x27, 0x65, 0xba, 0xd4, 0x33, 0x3a, 0x9d, 0xcf, 0x7}, + {0x3e, 0x91, 0x40, 0xd7, 0x5, 0x39, 0x10, 0x9d, 0xb3, 0xbe, 0x40, + 0xd1, 0x5, 0x9f, 0x39, 0xfd, 0x9, 0x8a, 0x8f, 0x68, 0x34, 0x84, + 0xc1, 0xa5, 0x67, 0x12, 0xf8, 0x98, 0x92, 0x2f, 0xfd, 0x44}, + {0x68, 0xaa, 0x7a, 0x87, 0x5, 0x12, 0xc9, 0xab, 0x9e, 0xc4, 0xaa, + 0xcc, 0x23, 0xe8, 0xd9, 0x26, 0x8c, 0x59, 0x43, 0xdd, 0xcb, 0x7d, + 0x1b, 0x5a, 0xa8, 0x65, 0xc, 0x9f, 0x68, 0x7b, 0x11, 0x6f}, + }, + { + {0xd7, 0x71, 0x3c, 0x93, 0xfc, 0xe7, 0x24, 0x92, 0xb5, 0xf5, 0xf, + 0x7a, 0x96, 0x9d, 0x46, 0x9f, 0x2, 0x7, 0xd6, 0xe1, 0x65, 0x9a, + 0xa6, 0x5a, 0x2e, 0x2e, 0x7d, 0xa8, 0x3f, 0x6, 0xc, 0x59}, + {0xa8, 0xd5, 0xb4, 0x42, 0x60, 0xa5, 0x99, 0x8a, 0xf6, 0xac, 0x60, + 0x4e, 0xc, 0x81, 0x2b, 0x8f, 0xaa, 0x37, 0x6e, 0xb1, 0x6b, 0x23, + 0x9e, 0xe0, 0x55, 0x25, 0xc9, 0x69, 0xa6, 0x95, 0xb5, 0x6b}, + {0x5f, 0x7a, 0x9b, 0xa5, 0xb3, 0xa8, 0xfa, 0x43, 0x78, 0xcf, 0x9a, + 0x5d, 0xdd, 0x6b, 0xc1, 0x36, 0x31, 0x6a, 0x3d, 0xb, 0x84, 0xa0, + 0xf, 0x50, 0x73, 0xb, 0xa5, 0x3e, 0xb1, 0xf5, 0x1a, 0x70}, + }, + { + {0x30, 0x97, 0xee, 0x4c, 0xa8, 0xb0, 0x25, 0xaf, 0x8a, 0x4b, 0x86, + 0xe8, 0x30, 0x84, 0x5a, 0x2, 0x32, 0x67, 0x1, 0x9f, 0x2, 0x50, + 0x1b, 0xc1, 0xf4, 0xf8, 0x80, 0x9a, 0x1b, 0x4e, 0x16, 0x7a}, + {0x65, 0xd2, 0xfc, 0xa4, 0xe8, 0x1f, 0x61, 0x56, 0x7d, 0xba, 0xc1, + 0xe5, 0xfd, 0x53, 0xd3, 0x3b, 0xbd, 0xd6, 0x4b, 0x21, 0x1a, 0xf3, + 0x31, 0x81, 0x62, 0xda, 0x5b, 0x55, 0x87, 0x15, 0xb9, 0x2a}, + {0x89, 0xd8, 0xd0, 0xd, 0x3f, 0x93, 0xae, 0x14, 0x62, 0xda, 0x35, + 0x1c, 0x22, 0x23, 0x94, 0x58, 0x4c, 0xdb, 0xf2, 0x8c, 0x45, 0xe5, + 0x70, 0xd1, 0xc6, 0xb4, 
0xb9, 0x12, 0xaf, 0x26, 0x28, 0x5a}, + }, + { + {0x9f, 0x9, 0xfc, 0x8e, 0xb9, 0x51, 0x73, 0x28, 0x38, 0x25, 0xfd, + 0x7d, 0xf4, 0xc6, 0x65, 0x67, 0x65, 0x92, 0xa, 0xfb, 0x3d, 0x8d, + 0x34, 0xca, 0x27, 0x87, 0xe5, 0x21, 0x3, 0x91, 0xe, 0x68}, + {0xbf, 0x18, 0x68, 0x5, 0xa, 0x5, 0xfe, 0x95, 0xa9, 0xfa, 0x60, + 0x56, 0x71, 0x89, 0x7e, 0x32, 0x73, 0x50, 0xa0, 0x6, 0xcd, 0xe3, + 0xe8, 0xc3, 0x9a, 0xa4, 0x45, 0x74, 0x4c, 0x3f, 0x93, 0x27}, + {0x9, 0xff, 0x76, 0xc4, 0xe9, 0xfb, 0x13, 0x5a, 0x72, 0xc1, 0x5c, + 0x7b, 0x45, 0x39, 0x9e, 0x6e, 0x94, 0x44, 0x2b, 0x10, 0xf9, 0xdc, + 0xdb, 0x5d, 0x2b, 0x3e, 0x55, 0x63, 0xbf, 0xc, 0x9d, 0x7f}, + }, + { + {0x33, 0xbb, 0xa5, 0x8, 0x44, 0xbc, 0x12, 0xa2, 0x2, 0xed, 0x5e, + 0xc7, 0xc3, 0x48, 0x50, 0x8d, 0x44, 0xec, 0xbf, 0x5a, 0xc, 0xeb, + 0x1b, 0xdd, 0xeb, 0x6, 0xe2, 0x46, 0xf1, 0xcc, 0x45, 0x29}, + {0xba, 0xd6, 0x47, 0xa4, 0xc3, 0x82, 0x91, 0x7f, 0xb7, 0x29, 0x27, + 0x4b, 0xd1, 0x14, 0x0, 0xd5, 0x87, 0xa0, 0x64, 0xb8, 0x1c, 0xf1, + 0x3c, 0xe3, 0xf3, 0x55, 0x1b, 0xeb, 0x73, 0x7e, 0x4a, 0x15}, + {0x85, 0x82, 0x2a, 0x81, 0xf1, 0xdb, 0xbb, 0xbc, 0xfc, 0xd1, 0xbd, + 0xd0, 0x7, 0x8, 0xe, 0x27, 0x2d, 0xa7, 0xbd, 0x1b, 0xb, 0x67, + 0x1b, 0xb4, 0x9a, 0xb6, 0x3b, 0x6b, 0x69, 0xbe, 0xaa, 0x43}, + }, + { + {0x31, 0x71, 0x15, 0x77, 0xeb, 0xee, 0xc, 0x3a, 0x88, 0xaf, 0xc8, + 0x0, 0x89, 0x15, 0x27, 0x9b, 0x36, 0xa7, 0x59, 0xda, 0x68, 0xb6, + 0x65, 0x80, 0xbd, 0x38, 0xcc, 0xa2, 0xb6, 0x7b, 0xe5, 0x51}, + {0xa4, 0x8c, 0x7d, 0x7b, 0xb6, 0x6, 0x98, 0x49, 0x39, 0x27, 0xd2, + 0x27, 0x84, 0xe2, 0x5b, 0x57, 0xb9, 0x53, 0x45, 0x20, 0xe7, 0x5c, + 0x8, 0xbb, 0x84, 0x78, 0x41, 0xae, 0x41, 0x4c, 0xb6, 0x38}, + {0x71, 0x4b, 0xea, 0x2, 0x67, 0x32, 0xac, 0x85, 0x1, 0xbb, 0xa1, + 0x41, 0x3, 0xe0, 0x70, 0xbe, 0x44, 0xc1, 0x3b, 0x8, 0x4b, 0xa2, + 0xe4, 0x53, 0xe3, 0x61, 0xd, 0x9f, 0x1a, 0xe9, 0xb8, 0x10}, + }, + { + {0xbf, 0xa3, 0x4e, 0x94, 0xd0, 0x5c, 0x1a, 0x6b, 0xd2, 0xc0, 0x9d, + 0xb3, 0x3a, 0x35, 0x70, 0x74, 0x49, 0x2e, 0x54, 0x28, 0x82, 0x52, + 0xb2, 0x71, 
0x7e, 0x92, 0x3c, 0x28, 0x69, 0xea, 0x1b, 0x46}, + {0xb1, 0x21, 0x32, 0xaa, 0x9a, 0x2c, 0x6f, 0xba, 0xa7, 0x23, 0xba, + 0x3b, 0x53, 0x21, 0xa0, 0x6c, 0x3a, 0x2c, 0x19, 0x92, 0x4f, 0x76, + 0xea, 0x9d, 0xe0, 0x17, 0x53, 0x2e, 0x5d, 0xdd, 0x6e, 0x1d}, + {0xa2, 0xb3, 0xb8, 0x1, 0xc8, 0x6d, 0x83, 0xf1, 0x9a, 0xa4, 0x3e, + 0x5, 0x47, 0x5f, 0x3, 0xb3, 0xf3, 0xad, 0x77, 0x58, 0xba, 0x41, + 0x9c, 0x52, 0xa7, 0x90, 0xf, 0x6a, 0x1c, 0xbb, 0x9f, 0x7a}, + }, + { + {0x8f, 0x3e, 0xdd, 0x4, 0x66, 0x59, 0xb7, 0x59, 0x2c, 0x70, 0x88, + 0xe2, 0x77, 0x3, 0xb3, 0x6c, 0x23, 0xc3, 0xd9, 0x5e, 0x66, 0x9c, + 0x33, 0xb1, 0x2f, 0xe5, 0xbc, 0x61, 0x60, 0xe7, 0x15, 0x9}, + {0xd9, 0x34, 0x92, 0xf3, 0xed, 0x5d, 0xa7, 0xe2, 0xf9, 0x58, 0xb5, + 0xe1, 0x80, 0x76, 0x3d, 0x96, 0xfb, 0x23, 0x3c, 0x6e, 0xac, 0x41, + 0x27, 0x2c, 0xc3, 0x1, 0xe, 0x32, 0xa1, 0x24, 0x90, 0x3a}, + {0x1a, 0x91, 0xa2, 0xc9, 0xd9, 0xf5, 0xc1, 0xe7, 0xd7, 0xa7, 0xcc, + 0x8b, 0x78, 0x71, 0xa3, 0xb8, 0x32, 0x2a, 0xb6, 0xe, 0x19, 0x12, + 0x64, 0x63, 0x95, 0x4e, 0xcc, 0x2e, 0x5c, 0x7c, 0x90, 0x26}, }, }, { { - {{ -#if defined(OPENSSL_64_BIT) - 1835401379538542, 173900035308392, 818247630716732, - 1762100412152786, 1021506399448291 -#else - 54486638, 27349611, 30718824, 2591312, 56491836, 12192839, - 18873298, 26257342, 34811107, 15221631 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1506632088156630, 2127481795522179, 513812919490255, - 140643715928370, 442476620300318 -#else - 40630742, 22450567, 11546243, 31701949, 9180879, 7656409, - 45764914, 2095754, 29769758, 6593415 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2056683376856736, 219094741662735, 2193541883188309, - 1841182310235800, 556477468664293 -#else - 35114656, 30646970, 4176911, 3264766, 12538965, 32686321, - 26312344, 27435754, 30958053, 8292160 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1315019427910827, 1049075855992603, 2066573052986543, - 266904467185534, 2040482348591520 -#else - 31429803, 19595316, 29173531, 15632448, 12174511, 30794338, 
- 32808830, 3977186, 26143136, 30405556 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 94096246544434, 922482381166992, 24517828745563, - 2139430508542503, 2097139044231004 -#else - 22648882, 1402143, 44308880, 13746058, 7936347, 365344, - 58440231, 31879998, 63350620, 31249806 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 537697207950515, 1399352016347350, 1563663552106345, - 2148749520888918, 549922092988516 -#else - 51616947, 8012312, 64594134, 20851969, 43143017, 23300402, - 65496150, 32018862, 50444388, 8194477 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1747985413252434, 680511052635695, 1809559829982725, - 594274250930054, 201673170745982 -#else - 27338066, 26047012, 59694639, 10140404, 48082437, 26964542, - 27277190, 8855376, 28572286, 3005164 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 323583936109569, 1973572998577657, 1192219029966558, - 79354804385273, 1374043025560347 -#else - 26287105, 4821776, 25476601, 29408529, 63344350, 17765447, - 49100281, 1182478, 41014043, 20474836 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 213277331329947, 416202017849623, 1950535221091783, - 1313441578103244, 2171386783823658 -#else - 59937691, 3178079, 23970071, 6201893, 49913287, 29065239, - 45232588, 19571804, 32208682, 32356184 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 189088804229831, 993969372859110, 895870121536987, - 1547301535298256, 1477373024911350 -#else - 50451143, 2817642, 56822502, 14811297, 6024667, 13349505, - 39793360, 23056589, 39436278, 22014573 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1620578418245010, 541035331188469, 2235785724453865, - 2154865809088198, 1974627268751826 -#else - 15941010, 24148500, 45741813, 8062054, 31876073, 33315803, - 51830470, 32110002, 15397330, 29424239 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1346805451740245, 1350981335690626, 942744349501813, - 2155094562545502, 1012483751693409 -#else - 8934485, 20068965, 43822466, 20131190, 34662773, 14047985, - 
31170398, 32113411, 39603297, 15087183 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2107080134091762, 1132567062788208, 1824935377687210, - 769194804343737, 1857941799971888 -#else - 48751602, 31397940, 24524912, 16876564, 15520426, 27193656, - 51606457, 11461895, 16788528, 27685490 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1074666112436467, 249279386739593, 1174337926625354, - 1559013532006480, 1472287775519121 -#else - 65161459, 16013772, 21750665, 3714552, 49707082, 17498998, - 63338576, 23231111, 31322513, 21938797 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1872620123779532, 1892932666768992, 1921559078394978, - 1270573311796160, 1438913646755037 -#else - 21426636, 27904214, 53460576, 28206894, 38296674, 28633461, - 48833472, 18933017, 13040861, 21441484 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 837390187648199, 1012253300223599, 989780015893987, - 1351393287739814, 328627746545550 -#else - 11293895, 12478086, 39972463, 15083749, 37801443, 14748871, - 14555558, 20137329, 1613710, 4896935 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1028328827183114, 1711043289969857, 1350832470374933, - 1923164689604327, 1495656368846911 -#else - 41213962, 15323293, 58619073, 25496531, 25967125, 20128972, - 2825959, 28657387, 43137087, 22287016 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1900828492104143, 430212361082163, 687437570852799, - 832514536673512, 1685641495940794 -#else - 51184079, 28324551, 49665331, 6410663, 3622847, 10243618, - 20615400, 12405433, 43355834, 25118015 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 842632847936398, 605670026766216, 290836444839585, - 163210774892356, 2213815011799645 -#else - 60017550, 12556207, 46917512, 9025186, 50036385, 4333800, - 4378436, 2432030, 23097949, 32988414 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1176336383453996, 1725477294339771, 12700622672454, - 678015708818208, 162724078519879 -#else - 4565804, 17528778, 20084411, 25711615, 1724998, 
189254, - 24767264, 10103221, 48596551, 2424777 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1448049969043497, 1789411762943521, 385587766217753, - 90201620913498, 832999441066823 -#else - 366633, 21577626, 8173089, 26664313, 30788633, 5745705, - 59940186, 1344108, 63466311, 12412658 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 516086333293313, 2240508292484616, 1351669528166508, - 1223255565316488, 750235824427138 -#else - 43107073, 7690285, 14929416, 33386175, 34898028, 20141445, - 24162696, 18227928, 63967362, 11179384 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1263624896582495, 1102602401673328, 526302183714372, - 2152015839128799, 1483839308490010 -#else - 18289503, 18829478, 8056944, 16430056, 45379140, 7842513, - 61107423, 32067534, 48424218, 22110928 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 442991718646863, 1599275157036458, 1925389027579192, - 899514691371390, 350263251085160 -#else - 476239, 6601091, 60956074, 23831056, 17503544, 28690532, - 27672958, 13403813, 11052904, 5219329 -#endif - }}, + {0x1d, 0x9c, 0x2f, 0x63, 0xe, 0xdd, 0xcc, 0x2e, 0x15, 0x31, 0x89, + 0x76, 0x96, 0xb6, 0xd0, 0x51, 0x58, 0x7a, 0x63, 0xa8, 0x6b, 0xb7, + 0xdf, 0x52, 0x39, 0xef, 0xe, 0xa0, 0x49, 0x7d, 0xd3, 0x6d}, + {0x5e, 0x51, 0xaa, 0x49, 0x54, 0x63, 0x5b, 0xed, 0x3a, 0x82, 0xc6, + 0xb, 0x9f, 0xc4, 0x65, 0xa8, 0xc4, 0xd1, 0x42, 0x5b, 0xe9, 0x1f, + 0xc, 0x85, 0xb9, 0x15, 0xd3, 0x3, 0x6f, 0x6d, 0xd7, 0x30}, + {0xc7, 0xe4, 0x6, 0x21, 0x17, 0x44, 0x44, 0x6c, 0x69, 0x7f, 0x8d, + 0x92, 0x80, 0xd6, 0x53, 0xfb, 0x26, 0x3f, 0x4d, 0x69, 0xa4, 0x9e, + 0x73, 0xb4, 0xb0, 0x4b, 0x86, 0x2e, 0x11, 0x97, 0xc6, 0x10}, + }, + { + {0x5, 0xc8, 0x58, 0x83, 0xa0, 0x2a, 0xa6, 0xc, 0x47, 0x42, 0x20, + 0x7a, 0xe3, 0x4a, 0x3d, 0x6a, 0xdc, 0xed, 0x11, 0x3b, 0xa6, 0xd3, + 0x64, 0x74, 0xef, 0x6, 0x8, 0x55, 0xaf, 0x9b, 0xbf, 0x3}, + {0xde, 0x5f, 0xbe, 0x7d, 0x27, 0xc4, 0x93, 0x64, 0xa2, 0x7e, 0xad, + 0x19, 0xad, 0x4f, 0x5d, 0x26, 0x90, 0x45, 0x30, 0x46, 0xc8, 0xdf, + 0x0, 0xe, 
0x9, 0xfe, 0x66, 0xed, 0xab, 0x1c, 0xe6, 0x25}, + {0x4, 0x66, 0x58, 0xcc, 0x28, 0xe1, 0x13, 0x3f, 0x7e, 0x74, 0x59, + 0xb4, 0xec, 0x73, 0x58, 0x6f, 0xf5, 0x68, 0x12, 0xcc, 0xed, 0x3d, + 0xb6, 0xa0, 0x2c, 0xe2, 0x86, 0x45, 0x63, 0x78, 0x6d, 0x56}, + }, + { + {0xd0, 0x2f, 0x5a, 0xc6, 0x85, 0x42, 0x5, 0xa1, 0xc3, 0x67, 0x16, + 0xf3, 0x2a, 0x11, 0x64, 0x6c, 0x58, 0xee, 0x1a, 0x73, 0x40, 0xe2, + 0xa, 0x68, 0x2a, 0xb2, 0x93, 0x47, 0xf3, 0xa5, 0xfb, 0x14}, + {0x34, 0x8, 0xc1, 0x9c, 0x9f, 0xa4, 0x37, 0x16, 0x51, 0xc4, 0x9b, + 0xa8, 0xd5, 0x56, 0x8e, 0xbc, 0xdb, 0xd2, 0x7f, 0x7f, 0xf, 0xec, + 0xb5, 0x1c, 0xd9, 0x35, 0xcc, 0x5e, 0xca, 0x5b, 0x97, 0x33}, + {0xd4, 0xf7, 0x85, 0x69, 0x16, 0x46, 0xd7, 0x3c, 0x57, 0x0, 0xc8, + 0xc9, 0x84, 0x5e, 0x3e, 0x59, 0x1e, 0x13, 0x61, 0x7b, 0xb6, 0xf2, + 0xc3, 0x2f, 0x6c, 0x52, 0xfc, 0x83, 0xea, 0x9c, 0x82, 0x14}, + }, + { + {0xb8, 0xec, 0x71, 0x4e, 0x2f, 0xb, 0xe7, 0x21, 0xe3, 0x77, 0xa4, + 0x40, 0xb9, 0xdd, 0x56, 0xe6, 0x80, 0x4f, 0x1d, 0xce, 0xce, 0x56, + 0x65, 0xbf, 0x7e, 0x7b, 0x5d, 0x53, 0xc4, 0x3b, 0xfc, 0x5}, + {0xc2, 0x95, 0xdd, 0x97, 0x84, 0x7b, 0x43, 0xff, 0xa7, 0xb5, 0x4e, + 0xaa, 0x30, 0x4e, 0x74, 0x6c, 0x8b, 0xe8, 0x85, 0x3c, 0x61, 0x5d, + 0xc, 0x9e, 0x73, 0x81, 0x75, 0x5f, 0x1e, 0xc7, 0xd9, 0x2f}, + {0xdd, 0xde, 0xaf, 0x52, 0xae, 0xb3, 0xb8, 0x24, 0xcf, 0x30, 0x3b, + 0xed, 0x8c, 0x63, 0x95, 0x34, 0x95, 0x81, 0xbe, 0xa9, 0x83, 0xbc, + 0xa4, 0x33, 0x4, 0x1f, 0x65, 0x5c, 0x47, 0x67, 0x37, 0x37}, + }, + { + {0x90, 0x65, 0x24, 0x14, 0xcb, 0x95, 0x40, 0x63, 0x35, 0x55, 0xc1, + 0x16, 0x40, 0x14, 0x12, 0xef, 0x60, 0xbc, 0x10, 0x89, 0xc, 0x14, + 0x38, 0x9e, 0x8c, 0x7c, 0x90, 0x30, 0x57, 0x90, 0xf5, 0x6b}, + {0xd9, 0xad, 0xd1, 0x40, 0xfd, 0x99, 0xba, 0x2f, 0x27, 0xd0, 0xf4, + 0x96, 0x6f, 0x16, 0x7, 0xb3, 0xae, 0x3b, 0xf0, 0x15, 0x52, 0xf0, + 0x63, 0x43, 0x99, 0xf9, 0x18, 0x3b, 0x6c, 0xa5, 0xbe, 0x1f}, + {0x8a, 0x5b, 0x41, 0xe1, 0xf1, 0x78, 0xa7, 0xf, 0x7e, 0xa7, 0xc3, + 0xba, 0xf7, 0x9f, 0x40, 0x6, 0x50, 0x9a, 0xa2, 0x9a, 0xb8, 0xd7, + 
0x52, 0x6f, 0x56, 0x5a, 0x63, 0x7a, 0xf6, 0x1c, 0x52, 0x2}, + }, + { + {0xe4, 0x5e, 0x2f, 0x77, 0x20, 0x67, 0x14, 0xb1, 0xce, 0x9a, 0x7, + 0x96, 0xb1, 0x94, 0xf8, 0xe8, 0x4a, 0x82, 0xac, 0x0, 0x4d, 0x22, + 0xf8, 0x4a, 0xc4, 0x6c, 0xcd, 0xf7, 0xd9, 0x53, 0x17, 0x0}, + {0x94, 0x52, 0x9d, 0xa, 0xb, 0xee, 0x3f, 0x51, 0x66, 0x5a, 0xdf, + 0xf, 0x5c, 0xe7, 0x98, 0x8f, 0xce, 0x7, 0xe1, 0xbf, 0x88, 0x86, + 0x61, 0xd4, 0xed, 0x2c, 0x38, 0x71, 0x7e, 0xa, 0xa0, 0x3f}, + {0x34, 0xdb, 0x3d, 0x96, 0x2d, 0x23, 0x69, 0x3c, 0x58, 0x38, 0x97, + 0xb4, 0xda, 0x87, 0xde, 0x1d, 0x85, 0xf2, 0x91, 0xa0, 0xf9, 0xd1, + 0xd7, 0xaa, 0xb6, 0xed, 0x48, 0xa0, 0x2f, 0xfe, 0xb5, 0x12}, + }, + { + {0x92, 0x1e, 0x6f, 0xad, 0x26, 0x7c, 0x2b, 0xdf, 0x13, 0x89, 0x4b, + 0x50, 0x23, 0xd3, 0x66, 0x4b, 0xc3, 0x8b, 0x1c, 0x75, 0xc0, 0x9d, + 0x40, 0x8c, 0xb8, 0xc7, 0x96, 0x7, 0xc2, 0x93, 0x7e, 0x6f}, + {0x4d, 0xe3, 0xfc, 0x96, 0xc4, 0xfb, 0xf0, 0x71, 0xed, 0x5b, 0xf3, + 0xad, 0x6b, 0x82, 0xb9, 0x73, 0x61, 0xc5, 0x28, 0xff, 0x61, 0x72, + 0x4, 0xd2, 0x6f, 0x20, 0xb1, 0x6f, 0xf9, 0x76, 0x9b, 0x74}, + {0x5, 0xae, 0xa6, 0xae, 0x4, 0xf6, 0x5a, 0x1f, 0x99, 0x9c, 0xe4, + 0xbe, 0xf1, 0x51, 0x23, 0xc1, 0x66, 0x6b, 0xff, 0xee, 0xb5, 0x8, + 0xa8, 0x61, 0x51, 0x21, 0xe0, 0x1, 0xf, 0xc1, 0xce, 0xf}, + }, + { + {0x45, 0x4e, 0x24, 0xc4, 0x9d, 0xd2, 0xf2, 0x3d, 0xa, 0xde, 0xd8, + 0x93, 0x74, 0xe, 0x2, 0x2b, 0x4d, 0x21, 0xc, 0x82, 0x7e, 0x6, + 0xc8, 0x6c, 0xa, 0xb9, 0xea, 0x6f, 0x16, 0x79, 0x37, 0x41}, + {0x44, 0x1e, 0xfe, 0x49, 0xa6, 0x58, 0x4d, 0x64, 0x7e, 0x77, 0xad, + 0x31, 0xa2, 0xae, 0xfc, 0x21, 0xd2, 0xd0, 0x7f, 0x88, 0x5a, 0x1c, + 0x44, 0x2, 0xf3, 0x11, 0xc5, 0x83, 0x71, 0xaa, 0x1, 0x49}, + {0xf0, 0xf8, 0x1a, 0x8c, 0x54, 0xb7, 0xb1, 0x8, 0xb4, 0x99, 0x62, + 0x24, 0x7c, 0x7a, 0xf, 0xce, 0x39, 0xd9, 0x6, 0x1e, 0xf9, 0xb0, + 0x60, 0xf7, 0x13, 0x12, 0x6d, 0x72, 0x7b, 0x88, 0xbb, 0x41}, }, }, { { - {{ -#if defined(OPENSSL_64_BIT) - 1689713572022143, 593854559254373, 978095044791970, - 1985127338729499, 1676069120347625 
-#else - 20678527, 25178694, 34436965, 8849122, 62099106, 14574751, - 31186971, 29580702, 9014761, 24975376 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1557207018622683, 340631692799603, 1477725909476187, - 614735951619419, 2033237123746766 -#else - 53464795, 23204192, 51146355, 5075807, 65594203, 22019831, - 34006363, 9160279, 8473550, 30297594 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 968764929340557, 1225534776710944, 662967304013036, - 1155521416178595, 791142883466590 -#else - 24900749, 14435722, 17209120, 18261891, 44516588, 9878982, - 59419555, 17218610, 42540382, 11788947 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1487081286167458, 993039441814934, 1792378982844640, - 698652444999874, 2153908693179754 -#else - 63990690, 22159237, 53306774, 14797440, 9652448, 26708528, - 47071426, 10410732, 42540394, 32095740 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1123181311102823, 685575944875442, 507605465509927, - 1412590462117473, 568017325228626 -#else - 51449703, 16736705, 44641714, 10215877, 58011687, 7563910, - 11871841, 21049238, 48595538, 8464117 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 560258797465417, 2193971151466401, 1824086900849026, - 579056363542056, 1690063960036441 -#else - 43708233, 8348506, 52522913, 32692717, 63158658, 27181012, - 14325288, 8628612, 33313881, 25183915 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 1918407319222416, 353767553059963, 1930426334528099, - 1564816146005724, 1861342381708096 -#else - 46921872, 28586496, 22367355, 5271547, 66011747, 28765593, - 42303196, 23317577, 58168128, 27736162 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2131325168777276, 1176636658428908, 1756922641512981, - 1390243617176012, 1966325177038383 -#else - 60160060, 31759219, 34483180, 17533252, 32635413, 26180187, - 15989196, 20716244, 28358191, 29300528 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2063958120364491, 2140267332393533, 699896251574968, - 273268351312140, 375580724713232 
-#else - 43547083, 30755372, 34757181, 31892468, 57961144, 10429266, - 50471180, 4072015, 61757200, 5596588 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2024297515263178, 416959329722687, 1079014235017302, - 171612225573183, 1031677520051053 -#else - 38872266, 30164383, 12312895, 6213178, 3117142, 16078565, - 29266239, 2557221, 1768301, 15373193 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2033900009388450, 1744902869870788, 2190580087917640, - 1949474984254121, 231049754293748 -#else - 59865506, 30307471, 62515396, 26001078, 66980936, 32642186, - 66017961, 29049440, 42448372, 3442909 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 343868674606581, 550155864008088, 1450580864229630, - 481603765195050, 896972360018042 -#else - 36898293, 5124042, 14181784, 8197961, 18964734, 21615339, - 22597930, 7176455, 48523386, 13365929 -#endif - }}, - }, - { - {{ -#if defined(OPENSSL_64_BIT) - 2151139328380127, 314745882084928, 59756825775204, - 1676664391494651, 2048348075599360 -#else - 59231455, 32054473, 8324672, 4690079, 6261860, 890446, 24538107, - 24984246, 57419264, 30522764 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1528930066340597, 1605003907059576, 1055061081337675, - 1458319101947665, 1234195845213142 -#else - 25008885, 22782833, 62803832, 23916421, 16265035, 15721635, - 683793, 21730648, 15723478, 18390951 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 830430507734812, 1780282976102377, 1425386760709037, - 362399353095425, 2168861579799910 -#else - 57448220, 12374378, 40101865, 26528283, 59384749, 21239917, - 11879681, 5400171, 519526, 32318556 -#endif - }}, + {0xae, 0x91, 0x66, 0x7c, 0x59, 0x4c, 0x23, 0x7e, 0xc8, 0xb4, 0x85, + 0xa, 0x3d, 0x9d, 0x88, 0x64, 0xe7, 0xfa, 0x4a, 0x35, 0xc, 0xc9, + 0xe2, 0xda, 0x1d, 0x9e, 0x6a, 0xc, 0x7, 0x1e, 0x87, 0xa}, + {0xbe, 0x46, 0x43, 0x74, 0x44, 0x7d, 0xe8, 0x40, 0x25, 0x2b, 0xb5, + 0x15, 0xd4, 0xda, 0x48, 0x1d, 0x3e, 0x60, 0x3b, 0xa1, 0x18, 0x8a, + 0x3a, 0x7c, 0xf7, 0xbd, 0xcd, 0x2f, 0xc1, 0x28, 
0xb7, 0x4e}, + {0x89, 0x89, 0xbc, 0x4b, 0x99, 0xb5, 0x1, 0x33, 0x60, 0x42, 0xdd, + 0x5b, 0x3a, 0xae, 0x6b, 0x73, 0x3c, 0x9e, 0xd5, 0x19, 0xe2, 0xad, + 0x61, 0xd, 0x64, 0xd4, 0x85, 0x26, 0xf, 0x30, 0xe7, 0x3e}, + }, + { + {0x18, 0x75, 0x1e, 0x84, 0x47, 0x79, 0xfa, 0x43, 0xd7, 0x46, 0x9c, + 0x63, 0x59, 0xfa, 0xc6, 0xe5, 0x74, 0x2b, 0x5, 0xe3, 0x1d, 0x5e, + 0x6, 0xa1, 0x30, 0x90, 0xb8, 0xcf, 0xa2, 0xc6, 0x47, 0x7d}, + {0xb7, 0xd6, 0x7d, 0x9e, 0xe4, 0x55, 0xd2, 0xf5, 0xac, 0x1e, 0xb, + 0x61, 0x5c, 0x11, 0x16, 0x80, 0xca, 0x87, 0xe1, 0x92, 0x5d, 0x97, + 0x99, 0x3c, 0xc2, 0x25, 0x91, 0x97, 0x62, 0x57, 0x81, 0x13}, + {0xe0, 0xd6, 0xf0, 0x8e, 0x14, 0xd0, 0xda, 0x3f, 0x3c, 0x6f, 0x54, + 0x91, 0x9a, 0x74, 0x3e, 0x9d, 0x57, 0x81, 0xbb, 0x26, 0x10, 0x62, + 0xec, 0x71, 0x80, 0xec, 0xc9, 0x34, 0x8d, 0xf5, 0x8c, 0x14}, + }, + { + {0x6d, 0x75, 0xe4, 0x9a, 0x7d, 0x2f, 0x57, 0xe2, 0x7f, 0x48, 0xf3, + 0x88, 0xbb, 0x45, 0xc3, 0x56, 0x8d, 0xa8, 0x60, 0x69, 0x6d, 0xb, + 0xd1, 0x9f, 0xb9, 0xa1, 0xae, 0x4e, 0xad, 0xeb, 0x8f, 0x27}, + {0x27, 0xf0, 0x34, 0x79, 0xf6, 0x92, 0xa4, 0x46, 0xa9, 0xa, 0x84, + 0xf6, 0xbe, 0x84, 0x99, 0x46, 0x54, 0x18, 0x61, 0x89, 0x2a, 0xbc, + 0xa1, 0x5c, 0xd4, 0xbb, 0x5d, 0xbd, 0x1e, 0xfa, 0xf2, 0x3f}, + {0x66, 0x39, 0x93, 0x8c, 0x1f, 0x68, 0xaa, 0xb1, 0x98, 0xc, 0x29, + 0x20, 0x9c, 0x94, 0x21, 0x8c, 0x52, 0x3c, 0x9d, 0x21, 0x91, 0x52, + 0x11, 0x39, 0x7b, 0x67, 0x9c, 0xfe, 0x2, 0xdd, 0x4, 0x41}, + }, + { + {0xb8, 0x6a, 0x9, 0xdb, 0x6, 0x4e, 0x21, 0x81, 0x35, 0x4f, 0xe4, + 0xc, 0xc9, 0xb6, 0xa8, 0x21, 0xf5, 0x2a, 0x9e, 0x40, 0x2a, 0xc1, + 0x24, 0x65, 0x81, 0xa4, 0xfc, 0x8e, 0xa4, 0xb5, 0x65, 0x1}, + {0x2a, 0x42, 0x24, 0x11, 0x5e, 0xbf, 0xb2, 0x72, 0xb5, 0x3a, 0xa3, + 0x98, 0x33, 0xc, 0xfa, 0xa1, 0x66, 0xb6, 0x52, 0xfa, 0x1, 0x61, + 0xcb, 0x94, 0xd5, 0x53, 0xaf, 0xaf, 0x0, 0x3b, 0x86, 0x2c}, + {0x76, 0x6a, 0x84, 0xa0, 0x74, 0xa4, 0x90, 0xf1, 0xc0, 0x7c, 0x2f, + 0xcd, 0x84, 0xf9, 0xef, 0x12, 0x8f, 0x2b, 0xaa, 0x58, 0x6, 0x29, + 0x5e, 0x69, 0xb8, 0xc8, 0xfe, 0xbf, 
0xd9, 0x67, 0x1b, 0x59}, + }, + { + {0x5d, 0xb5, 0x18, 0x9f, 0x71, 0xb3, 0xb9, 0x99, 0x1e, 0x64, 0x8c, + 0xa1, 0xfa, 0xe5, 0x65, 0xe4, 0xed, 0x5, 0x9f, 0xc2, 0x36, 0x11, + 0x8, 0x61, 0x8b, 0x12, 0x30, 0x70, 0x86, 0x4f, 0x9b, 0x48}, + {0xfa, 0x9b, 0xb4, 0x80, 0x1c, 0xd, 0x2f, 0x31, 0x8a, 0xec, 0xf3, + 0xab, 0x5e, 0x51, 0x79, 0x59, 0x88, 0x1c, 0xf0, 0x9e, 0xc0, 0x33, + 0x70, 0x72, 0xcb, 0x7b, 0x8f, 0xca, 0xc7, 0x2e, 0xe0, 0x3d}, + {0xef, 0x92, 0xeb, 0x3a, 0x2d, 0x10, 0x32, 0xd2, 0x61, 0xa8, 0x16, + 0x61, 0xb4, 0x53, 0x62, 0xe1, 0x24, 0xaa, 0xb, 0x19, 0xe7, 0xab, + 0x7e, 0x3d, 0xbf, 0xbe, 0x6c, 0x49, 0xba, 0xfb, 0xf5, 0x49}, + }, + { + {0x2e, 0x57, 0x9c, 0x1e, 0x8c, 0x62, 0x5d, 0x15, 0x41, 0x47, 0x88, + 0xc5, 0xac, 0x86, 0x4d, 0x8a, 0xeb, 0x63, 0x57, 0x51, 0xf6, 0x52, + 0xa3, 0x91, 0x5b, 0x51, 0x67, 0x88, 0xc2, 0xa6, 0xa1, 0x6}, + {0xd4, 0xcf, 0x5b, 0x8a, 0x10, 0x9a, 0x94, 0x30, 0xeb, 0x73, 0x64, + 0xbc, 0x70, 0xdd, 0x40, 0xdc, 0x1c, 0xd, 0x7c, 0x30, 0xc1, 0x94, + 0xc2, 0x92, 0x74, 0x6e, 0xfa, 0xcb, 0x6d, 0xa8, 0x4, 0x56}, + {0xb6, 0x64, 0x17, 0x7c, 0xd4, 0xd1, 0x88, 0x72, 0x51, 0x8b, 0x41, + 0xe0, 0x40, 0x11, 0x54, 0x72, 0xd1, 0xf6, 0xac, 0x18, 0x60, 0x1a, + 0x3, 0x9f, 0xc6, 0x42, 0x27, 0xfe, 0x89, 0x9e, 0x98, 0x20}, + }, + { + {0x2e, 0xec, 0xea, 0x85, 0x8b, 0x27, 0x74, 0x16, 0xdf, 0x2b, 0xcb, + 0x7a, 0x7, 0xdc, 0x21, 0x56, 0x5a, 0xf4, 0xcb, 0x61, 0x16, 0x4c, + 0xa, 0x64, 0xd3, 0x95, 0x5, 0xf7, 0x50, 0x99, 0xb, 0x73}, + {0x7f, 0xcc, 0x2d, 0x3a, 0xfd, 0x77, 0x97, 0x49, 0x92, 0xd8, 0x4f, + 0xa5, 0x2c, 0x7c, 0x85, 0x32, 0xa0, 0xe3, 0x7, 0xd2, 0x64, 0xd8, + 0x79, 0xa2, 0x29, 0x7e, 0xa6, 0xc, 0x1d, 0xed, 0x3, 0x4}, + {0x52, 0xc5, 0x4e, 0x87, 0x35, 0x2d, 0x4b, 0xc9, 0x8d, 0x6f, 0x24, + 0x98, 0xcf, 0xc8, 0xe6, 0xc5, 0xce, 0x35, 0xc0, 0x16, 0xfa, 0x46, + 0xcb, 0xf7, 0xcc, 0x3d, 0x30, 0x8, 0x43, 0x45, 0xd7, 0x5b}, + }, + { + {0x2a, 0x79, 0xe7, 0x15, 0x21, 0x93, 0xc4, 0x85, 0xc9, 0xdd, 0xcd, + 0xbd, 0xa2, 0x89, 0x4c, 0xc6, 0x62, 0xd7, 0xa3, 0xad, 0xa8, 0x3d, + 0x1e, 0x9d, 
0x2c, 0xf8, 0x67, 0x30, 0x12, 0xdb, 0xb7, 0x5b}, + {0xc2, 0x4c, 0xb2, 0x28, 0x95, 0xd1, 0x9a, 0x7f, 0x81, 0xc1, 0x35, + 0x63, 0x65, 0x54, 0x6b, 0x7f, 0x36, 0x72, 0xc0, 0x4f, 0x6e, 0xb6, + 0xb8, 0x66, 0x83, 0xad, 0x80, 0x73, 0x0, 0x78, 0x3a, 0x13}, + {0xbe, 0x62, 0xca, 0xc6, 0x67, 0xf4, 0x61, 0x9, 0xee, 0x52, 0x19, + 0x21, 0xd6, 0x21, 0xec, 0x4, 0x70, 0x47, 0xd5, 0x9b, 0x77, 0x60, + 0x23, 0x18, 0xd2, 0xe0, 0xf0, 0x58, 0x6d, 0xca, 0xd, 0x74}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1155762232730333, 980662895504006, 2053766700883521, - 490966214077606, 510405877041357 -#else - 22258397, 17222199, 59239046, 14613015, 44588609, 30603508, - 46754982, 7315966, 16648397, 7605640 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1683750316716132, 652278688286128, 1221798761193539, - 1897360681476669, 319658166027343 -#else - 59027556, 25089834, 58885552, 9719709, 19259459, 18206220, - 23994941, 28272877, 57640015, 4763277 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 618808732869972, 72755186759744, 2060379135624181, - 1730731526741822, 48862757828238 -#else - 45409620, 9220968, 51378240, 1084136, 41632757, 30702041, - 31088446, 25789909, 55752334, 728111 -#endif - }}, + {0x3c, 0x43, 0x78, 0x4, 0x57, 0x8c, 0x1a, 0x23, 0x9d, 0x43, 0x81, + 0xc2, 0xe, 0x27, 0xb5, 0xb7, 0x9f, 0x7, 0xd9, 0xe3, 0xea, 0x99, + 0xaa, 0xdb, 0xd9, 0x3, 0x2b, 0x6c, 0x25, 0xf5, 0x3, 0x2c}, + {0x4e, 0xce, 0xcf, 0x52, 0x7, 0xee, 0x48, 0xdf, 0xb7, 0x8, 0xec, + 0x6, 0xf3, 0xfa, 0xff, 0xc3, 0xc4, 0x59, 0x54, 0xb9, 0x2a, 0xb, + 0x71, 0x5, 0x8d, 0xa3, 0x3e, 0x96, 0xfa, 0x25, 0x1d, 0x16}, + {0x7d, 0xa4, 0x53, 0x7b, 0x75, 0x18, 0xf, 0x79, 0x79, 0x58, 0xc, + 0xcf, 0x30, 0x1, 0x7b, 0x30, 0xf9, 0xf7, 0x7e, 0x25, 0x77, 0x3d, + 0x90, 0x31, 0xaf, 0xbb, 0x96, 0xbd, 0xbd, 0x68, 0x94, 0x69}, + }, + { + {0x48, 0x19, 0xa9, 0x6a, 0xe6, 0x3d, 0xdd, 0xd8, 0xcc, 0xd2, 0xc0, + 0x2f, 0xc2, 0x64, 0x50, 0x48, 0x2f, 0xea, 0xfd, 0x34, 0x66, 0x24, + 0x48, 0x9b, 0x3a, 0x2e, 0x4a, 0x6c, 0x4e, 0x1c, 0x3e, 0x29}, + {0xcf, 
0xfe, 0xda, 0xf4, 0x46, 0x2f, 0x1f, 0xbd, 0xf7, 0xd6, 0x7f, + 0xa4, 0x14, 0x1, 0xef, 0x7c, 0x7f, 0xb3, 0x47, 0x4a, 0xda, 0xfd, + 0x1f, 0xd3, 0x85, 0x57, 0x90, 0x73, 0xa4, 0x19, 0x52, 0x52}, + {0xe1, 0x12, 0x51, 0x92, 0x4b, 0x13, 0x6e, 0x37, 0xa0, 0x5d, 0xa1, + 0xdc, 0xb5, 0x78, 0x37, 0x70, 0x11, 0x31, 0x1c, 0x46, 0xaf, 0x89, + 0x45, 0xb0, 0x23, 0x28, 0x3, 0x7f, 0x44, 0x5c, 0x60, 0x5b}, + }, + { + {0x4c, 0xf0, 0xe7, 0xf0, 0xc6, 0xfe, 0xe9, 0x3b, 0x62, 0x49, 0xe3, + 0x75, 0x9e, 0x57, 0x6a, 0x86, 0x1a, 0xe6, 0x1d, 0x1e, 0x16, 0xef, + 0x42, 0x55, 0xd5, 0xbd, 0x5a, 0xcc, 0xf4, 0xfe, 0x12, 0x2f}, + {0x89, 0x7c, 0xc4, 0x20, 0x59, 0x80, 0x65, 0xb9, 0xcc, 0x8f, 0x3b, + 0x92, 0xc, 0x10, 0xf0, 0xe7, 0x77, 0xef, 0xe2, 0x2, 0x65, 0x25, + 0x1, 0x0, 0xee, 0xb3, 0xae, 0xa8, 0xce, 0x6d, 0xa7, 0x24}, + {0x40, 0xc7, 0xc0, 0xdf, 0xb2, 0x22, 0x45, 0xa, 0x7, 0xa4, 0xc9, + 0x40, 0x7f, 0x6e, 0xd0, 0x10, 0x68, 0xf6, 0xcf, 0x78, 0x41, 0x14, + 0xcf, 0xc6, 0x90, 0x37, 0xa4, 0x18, 0x25, 0x7b, 0x60, 0x5e}, + }, + { + {0x14, 0xcf, 0x96, 0xa5, 0x1c, 0x43, 0x2c, 0xa0, 0x0, 0xe4, 0xd3, + 0xae, 0x40, 0x2d, 0xc4, 0xe3, 0xdb, 0x26, 0xf, 0x2e, 0x80, 0x26, + 0x45, 0xd2, 0x68, 0x70, 0x45, 0x9e, 0x13, 0x33, 0x1f, 0x20}, + {0x18, 0x18, 0xdf, 0x6c, 0x8f, 0x1d, 0xb3, 0x58, 0xa2, 0x58, 0x62, + 0xc3, 0x4f, 0xa7, 0xcf, 0x35, 0x6e, 0x1d, 0xe6, 0x66, 0x4f, 0xff, + 0xb3, 0xe1, 0xf7, 0xd5, 0xcd, 0x6c, 0xab, 0xac, 0x67, 0x50}, + {0x51, 0x9d, 0x3, 0x8, 0x6b, 0x7f, 0x52, 0xfd, 0x6, 0x0, 0x7c, + 0x1, 0x64, 0x49, 0xb1, 0x18, 0xa8, 0xa4, 0x25, 0x2e, 0xb0, 0xe, + 0x22, 0xd5, 0x75, 0x3, 0x46, 0x62, 0x88, 0xba, 0x7c, 0x39}, + }, + { + {0xe7, 0x79, 0x13, 0xc8, 0xfb, 0xc3, 0x15, 0x78, 0xf1, 0x2a, 0xe1, + 0xdd, 0x20, 0x94, 0x61, 0xa6, 0xd5, 0xfd, 0xa8, 0x85, 0xf8, 0xc0, + 0xa9, 0xff, 0x52, 0xc2, 0xe1, 0xc1, 0x22, 0x40, 0x1b, 0x77}, + {0xb2, 0x59, 0x59, 0xf0, 0x93, 0x30, 0xc1, 0x30, 0x76, 0x79, 0xa9, + 0xe9, 0x8d, 0xa1, 0x3a, 0xe2, 0x26, 0x5e, 0x1d, 0x72, 0x91, 0xd4, + 0x2f, 0x22, 0x3a, 0x6c, 0x6e, 0x76, 0x20, 0xd3, 0x39, 
0x23}, + {0xa7, 0x2f, 0x3a, 0x51, 0x86, 0xd9, 0x7d, 0xd8, 0x8, 0xcf, 0xd4, + 0xf9, 0x71, 0x9b, 0xac, 0xf5, 0xb3, 0x83, 0xa2, 0x1e, 0x1b, 0xc3, + 0x6b, 0xd0, 0x76, 0x1a, 0x97, 0x19, 0x92, 0x18, 0x1a, 0x33}, + }, + { + {0xaf, 0x72, 0x75, 0x9d, 0x3a, 0x2f, 0x51, 0x26, 0x9e, 0x4a, 0x7, + 0x68, 0x88, 0xe2, 0xcb, 0x5b, 0xc4, 0xf7, 0x80, 0x11, 0xc1, 0xc1, + 0xed, 0x84, 0x7b, 0xa6, 0x49, 0xf6, 0x9f, 0x61, 0xc9, 0x1a}, + {0xc6, 0x80, 0x4f, 0xfb, 0x45, 0x6f, 0x16, 0xf5, 0xcf, 0x75, 0xc7, + 0x61, 0xde, 0xc7, 0x36, 0x9c, 0x1c, 0xd9, 0x41, 0x90, 0x1b, 0xe8, + 0xd4, 0xe3, 0x21, 0xfe, 0xbd, 0x83, 0x6b, 0x7c, 0x16, 0x31}, + {0x68, 0x10, 0x4b, 0x52, 0x42, 0x38, 0x2b, 0xf2, 0x87, 0xe9, 0x9c, + 0xee, 0x3b, 0x34, 0x68, 0x50, 0xc8, 0x50, 0x62, 0x4a, 0x84, 0x71, + 0x9d, 0xfc, 0x11, 0xb1, 0x8, 0x1f, 0x34, 0x36, 0x24, 0x61}, + }, + { + {0x38, 0x26, 0x2d, 0x1a, 0xe3, 0x49, 0x63, 0x8b, 0x35, 0xfd, 0xd3, + 0x9b, 0x0, 0xb7, 0xdf, 0x9d, 0xa4, 0x6b, 0xa0, 0xa3, 0xb8, 0xf1, + 0x8b, 0x7f, 0x45, 0x4, 0xd9, 0x78, 0x31, 0xaa, 0x22, 0x15}, + {0x8d, 0x89, 0x4e, 0x87, 0xdb, 0x41, 0x9d, 0xd9, 0x20, 0xdc, 0x7, + 0x6c, 0xf1, 0xa5, 0xfe, 0x9, 0xbc, 0x9b, 0xf, 0xd0, 0x67, 0x2c, + 0x3d, 0x79, 0x40, 0xff, 0x5e, 0x9e, 0x30, 0xe2, 0xeb, 0x46}, + {0x38, 0x49, 0x61, 0x69, 0x53, 0x2f, 0x38, 0x2c, 0x10, 0x6d, 0x2d, + 0xb7, 0x9a, 0x40, 0xfe, 0xda, 0x27, 0xf2, 0x46, 0xb6, 0x91, 0x33, + 0xc8, 0xe8, 0x6c, 0x30, 0x24, 0x5, 0xf5, 0x70, 0xfe, 0x45}, + }, + { + {0x91, 0x14, 0x95, 0xc8, 0x20, 0x49, 0xf2, 0x62, 0xa2, 0xc, 0x63, + 0x3f, 0xc8, 0x7, 0xf0, 0x5, 0xb8, 0xd4, 0xc9, 0xf5, 0xd2, 0x45, + 0xbb, 0x6f, 0x45, 0x22, 0x7a, 0xb5, 0x6d, 0x9f, 0x61, 0x16}, + {0x8c, 0xb, 0xc, 0x96, 0xa6, 0x75, 0x48, 0xda, 0x20, 0x2f, 0xe, + 0xef, 0x76, 0xd0, 0x68, 0x5b, 0xd4, 0x8f, 0xb, 0x3d, 0xcf, 0x51, + 0xfb, 0x7, 0xd4, 0x92, 0xe3, 0xa0, 0x23, 0x16, 0x8d, 0x42}, + {0xfd, 0x8, 0xa3, 0x1, 0x44, 0x4a, 0x4f, 0x8, 0xac, 0xca, 0xa5, + 0x76, 0xc3, 0x19, 0x22, 0xa8, 0x7d, 0xbc, 0xd1, 0x43, 0x46, 0xde, + 0xb8, 0xde, 0xc6, 0x38, 0xbd, 0x60, 0x2d, 
0x59, 0x81, 0x1d}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1463171970593505, 1143040711767452, 614590986558883, - 1409210575145591, 1882816996436803 -#else - 26047201, 21802961, 60208540, 17032633, 24092067, 9158119, - 62835319, 20998873, 37743427, 28056159 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2230133264691131, 563950955091024, 2042915975426398, - 827314356293472, 672028980152815 -#else - 17510331, 33231575, 5854288, 8403524, 17133918, 30441820, - 38997856, 12327944, 10750447, 10014012 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 264204366029760, 1654686424479449, 2185050199932931, - 2207056159091748, 506015669043634 -#else - 56796096, 3936951, 9156313, 24656749, 16498691, 32559785, - 39627812, 32887699, 3424690, 7540221 -#endif - }}, + {0xe8, 0xc5, 0x85, 0x7b, 0x9f, 0xb6, 0x65, 0x87, 0xb2, 0xba, 0x68, + 0xd1, 0x8b, 0x67, 0xf0, 0x6f, 0x9b, 0xf, 0x33, 0x1d, 0x7c, 0xe7, + 0x70, 0x3a, 0x7c, 0x8e, 0xaf, 0xb0, 0x51, 0x6d, 0x5f, 0x3a}, + {0x5f, 0xac, 0xd, 0xa6, 0x56, 0x87, 0x36, 0x61, 0x57, 0xdc, 0xab, + 0xeb, 0x6a, 0x2f, 0xe0, 0x17, 0x7d, 0xf, 0xce, 0x4c, 0x2d, 0x3f, + 0x19, 0x7f, 0xf0, 0xdc, 0xec, 0x89, 0x77, 0x4a, 0x23, 0x20}, + {0x52, 0xb2, 0x78, 0x71, 0xb6, 0xd, 0xd2, 0x76, 0x60, 0xd1, 0x1e, + 0xd5, 0xf9, 0x34, 0x1c, 0x7, 0x70, 0x11, 0xe4, 0xb3, 0x20, 0x4a, + 0x2a, 0xf6, 0x66, 0xe3, 0xff, 0x3c, 0x35, 0x82, 0xd6, 0x7c}, + }, + { + {0xf3, 0xf4, 0xac, 0x68, 0x60, 0xcd, 0x65, 0xa6, 0xd3, 0xe3, 0xd7, + 0x3c, 0x18, 0x2d, 0xd9, 0x42, 0xd9, 0x25, 0x60, 0x33, 0x9d, 0x38, + 0x59, 0x57, 0xff, 0xd8, 0x2c, 0x2b, 0x3b, 0x25, 0xf0, 0x3e}, + {0xb6, 0xfa, 0x87, 0xd8, 0x5b, 0xa4, 0xe1, 0xb, 0x6e, 0x3b, 0x40, + 0xba, 0x32, 0x6a, 0x84, 0x2a, 0x0, 0x60, 0x6e, 0xe9, 0x12, 0x10, + 0x92, 0xd9, 0x43, 0x9, 0xdc, 0x3b, 0x86, 0xc8, 0x38, 0x28}, + {0x30, 0x50, 0x46, 0x4a, 0xcf, 0xb0, 0x6b, 0xd1, 0xab, 0x77, 0xc5, + 0x15, 0x41, 0x6b, 0x49, 0xfa, 0x9d, 0x41, 0xab, 0xf4, 0x8a, 0xae, + 0xcf, 0x82, 0x12, 0x28, 0xa8, 0x6, 0xa6, 0xb8, 0xdc, 0x21}, + }, + { + {0xba, 0x31, 
0x77, 0xbe, 0xfa, 0x0, 0x8d, 0x9a, 0x89, 0x18, 0x9e, + 0x62, 0x7e, 0x60, 0x3, 0x82, 0x7f, 0xd9, 0xf3, 0x43, 0x37, 0x2, + 0xcc, 0xb2, 0x8b, 0x67, 0x6f, 0x6c, 0xbf, 0xd, 0x84, 0x5d}, + {0xc8, 0x9f, 0x9d, 0x8c, 0x46, 0x4, 0x60, 0x5c, 0xcb, 0xa3, 0x2a, + 0xd4, 0x6e, 0x9, 0x40, 0x25, 0x9c, 0x2f, 0xee, 0x12, 0x4c, 0x4d, + 0x5b, 0x12, 0xab, 0x1d, 0xa3, 0x94, 0x81, 0xd0, 0xc3, 0xb}, + {0x8b, 0xe1, 0x9f, 0x30, 0xd, 0x38, 0x6e, 0x70, 0xc7, 0x65, 0xe1, + 0xb9, 0xa6, 0x2d, 0xb0, 0x6e, 0xab, 0x20, 0xae, 0x7d, 0x99, 0xba, + 0xbb, 0x57, 0xdd, 0x96, 0xc1, 0x2a, 0x23, 0x76, 0x42, 0x3a}, + }, + { + {0xcb, 0x7e, 0x44, 0xdb, 0x72, 0xc1, 0xf8, 0x3b, 0xbd, 0x2d, 0x28, + 0xc6, 0x1f, 0xc4, 0xcf, 0x5f, 0xfe, 0x15, 0xaa, 0x75, 0xc0, 0xff, + 0xac, 0x80, 0xf9, 0xa9, 0xe1, 0x24, 0xe8, 0xc9, 0x70, 0x7}, + {0xfa, 0x84, 0x70, 0x8a, 0x2c, 0x43, 0x42, 0x4b, 0x45, 0xe5, 0xb9, + 0xdf, 0xe3, 0x19, 0x8a, 0x89, 0x5d, 0xe4, 0x58, 0x9c, 0x21, 0x0, + 0x9f, 0xbe, 0xd1, 0xeb, 0x6d, 0xa1, 0xce, 0x77, 0xf1, 0x1f}, + {0xfd, 0xb5, 0xb5, 0x45, 0x9a, 0xd9, 0x61, 0xcf, 0x24, 0x79, 0x3a, + 0x1b, 0xe9, 0x84, 0x9, 0x86, 0x89, 0x3e, 0x3e, 0x30, 0x19, 0x9, + 0x30, 0xe7, 0x1e, 0xb, 0x50, 0x41, 0xfd, 0x64, 0xf2, 0x39}, + }, + { + {0xe1, 0x7b, 0x9, 0xfe, 0xab, 0x4a, 0x9b, 0xd1, 0x29, 0x19, 0xe0, + 0xdf, 0xe1, 0xfc, 0x6d, 0xa4, 0xff, 0xf1, 0xa6, 0x2c, 0x94, 0x8, + 0xc9, 0xc3, 0x4e, 0xf1, 0x35, 0x2c, 0x27, 0x21, 0xc6, 0x65}, + {0x9c, 0xe2, 0xe7, 0xdb, 0x17, 0x34, 0xad, 0xa7, 0x9c, 0x13, 0x9c, + 0x2b, 0x6a, 0x37, 0x94, 0xbd, 0xa9, 0x7b, 0x59, 0x93, 0x8e, 0x1b, + 0xe9, 0xa0, 0x40, 0x98, 0x88, 0x68, 0x34, 0xd7, 0x12, 0x17}, + {0xdd, 0x93, 0x31, 0xce, 0xf8, 0x89, 0x2b, 0xe7, 0xbb, 0xc0, 0x25, + 0xa1, 0x56, 0x33, 0x10, 0x4d, 0x83, 0xfe, 0x1c, 0x2e, 0x3d, 0xa9, + 0x19, 0x4, 0x72, 0xe2, 0x9c, 0xb1, 0xa, 0x80, 0xf9, 0x22}, + }, + { + {0xac, 0xfd, 0x6e, 0x9a, 0xdd, 0x9f, 0x2, 0x42, 0x41, 0x49, 0xa5, + 0x34, 0xbe, 0xce, 0x12, 0xb9, 0x7b, 0xf3, 0xbd, 0x87, 0xb9, 0x64, + 0xf, 0x64, 0xb4, 0xca, 0x98, 0x85, 0xd3, 0xa4, 0x71, 0x41}, + 
{0xcb, 0xf8, 0x9e, 0x3e, 0x8a, 0x36, 0x5a, 0x60, 0x15, 0x47, 0x50, + 0xa5, 0x22, 0xc0, 0xe9, 0xe3, 0x8f, 0x24, 0x24, 0x5f, 0xb0, 0x48, + 0x3d, 0x55, 0xe5, 0x26, 0x76, 0x64, 0xcd, 0x16, 0xf4, 0x13}, + {0x8c, 0x4c, 0xc9, 0x99, 0xaa, 0x58, 0x27, 0xfa, 0x7, 0xb8, 0x0, + 0xb0, 0x6f, 0x6f, 0x0, 0x23, 0x92, 0x53, 0xda, 0xad, 0xdd, 0x91, + 0xd2, 0xfb, 0xab, 0xd1, 0x4b, 0x57, 0xfa, 0x14, 0x82, 0x50}, + }, + { + {0xd6, 0x3, 0xd0, 0x53, 0xbb, 0x15, 0x1a, 0x46, 0x65, 0xc9, 0xf3, + 0xbc, 0x88, 0x28, 0x10, 0xb2, 0x5a, 0x3a, 0x68, 0x6c, 0x75, 0x76, + 0xc5, 0x27, 0x47, 0xb4, 0x6c, 0xc8, 0xa4, 0x58, 0x77, 0x3a}, + {0x4b, 0xfe, 0xd6, 0x3e, 0x15, 0x69, 0x2, 0xc2, 0xc4, 0x77, 0x1d, + 0x51, 0x39, 0x67, 0x5a, 0xa6, 0x94, 0xaf, 0x14, 0x2c, 0x46, 0x26, + 0xde, 0xcb, 0x4b, 0xa7, 0xab, 0x6f, 0xec, 0x60, 0xf9, 0x22}, + {0x76, 0x50, 0xae, 0x93, 0xf6, 0x11, 0x81, 0x54, 0xa6, 0x54, 0xfd, + 0x1d, 0xdf, 0x21, 0xae, 0x1d, 0x65, 0x5e, 0x11, 0xf3, 0x90, 0x8c, + 0x24, 0x12, 0x94, 0xf4, 0xe7, 0x8d, 0x5f, 0xd1, 0x9f, 0x5d}, + }, + { + {0x1e, 0x52, 0xd7, 0xee, 0x2a, 0x4d, 0x24, 0x3f, 0x15, 0x96, 0x2e, + 0x43, 0x28, 0x90, 0x3a, 0x8e, 0xd4, 0x16, 0x9c, 0x2e, 0x77, 0xba, + 0x64, 0xe1, 0xd8, 0x98, 0xeb, 0x47, 0xfa, 0x87, 0xc1, 0x3b}, + {0x7f, 0x72, 0x63, 0x6d, 0xd3, 0x8, 0x14, 0x3, 0x33, 0xb5, 0xc7, + 0xd7, 0xef, 0x9a, 0x37, 0x6a, 0x4b, 0xe2, 0xae, 0xcc, 0xc5, 0x8f, + 0xe1, 0xa9, 0xd3, 0xbe, 0x8f, 0x4f, 0x91, 0x35, 0x2f, 0x33}, + {0xc, 0xc2, 0x86, 0xea, 0x15, 0x1, 0x47, 0x6d, 0x25, 0xd1, 0x46, + 0x6c, 0xcb, 0xb7, 0x8a, 0x99, 0x88, 0x1, 0x66, 0x3a, 0xb5, 0x32, + 0x78, 0xd7, 0x3, 0xba, 0x6f, 0x90, 0xce, 0x81, 0xd, 0x45}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1784446333136569, 1973746527984364, 334856327359575, - 1156769775884610, 1023950124675478 -#else - 30322361, 26590322, 11361004, 29411115, 7433303, 4989748, - 60037442, 17237212, 57864598, 15258045 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2065270940578383, 31477096270353, 306421879113491, - 181958643936686, 1907105536686083 -#else - 
13054543, 30774935, 19155473, 469045, 54626067, 4566041, - 5631406, 2711395, 1062915, 28418087 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1496516440779464, 1748485652986458, 872778352227340, - 818358834654919, 97932669284220 -#else - 47868616, 22299832, 37599834, 26054466, 61273100, 13005410, - 61042375, 12194496, 32960380, 1459310 -#endif - }}, + {0x3f, 0x74, 0xae, 0x1c, 0x96, 0xd8, 0x74, 0xd0, 0xed, 0x63, 0x1c, + 0xee, 0xf5, 0x18, 0x6d, 0xf8, 0x29, 0xed, 0xf4, 0xe7, 0x5b, 0xc5, + 0xbd, 0x97, 0x8, 0xb1, 0x3a, 0x66, 0x79, 0xd2, 0xba, 0x4c}, + {0x75, 0x52, 0x20, 0xa6, 0xa1, 0xb6, 0x7b, 0x6e, 0x83, 0x8e, 0x3c, + 0x41, 0xd7, 0x21, 0x4f, 0xaa, 0xb2, 0x5c, 0x8f, 0xe8, 0x55, 0xd1, + 0x56, 0x6f, 0xe1, 0x5b, 0x34, 0xa6, 0x4b, 0x5d, 0xe2, 0x2d}, + {0xcd, 0x1f, 0xd7, 0xa0, 0x24, 0x90, 0xd1, 0x80, 0xf8, 0x8a, 0x28, + 0xfb, 0xa, 0xc2, 0x25, 0xc5, 0x19, 0x64, 0x3a, 0x5f, 0x4b, 0x97, + 0xa3, 0xb1, 0x33, 0x72, 0x0, 0xe2, 0xef, 0xbc, 0x7f, 0x7d}, + }, + { + {0x94, 0x90, 0xc2, 0xf3, 0xc5, 0x5d, 0x7c, 0xcd, 0xab, 0x5, 0x91, + 0x2a, 0x9a, 0xa2, 0x81, 0xc7, 0x58, 0x30, 0x1c, 0x42, 0x36, 0x1d, + 0xc6, 0x80, 0xd7, 0xd4, 0xd8, 0xdc, 0x96, 0xd1, 0x9c, 0x4f}, + {0x1, 0x28, 0x6b, 0x26, 0x6a, 0x1e, 0xef, 0xfa, 0x16, 0x9f, 0x73, + 0xd5, 0xc4, 0x68, 0x6c, 0x86, 0x2c, 0x76, 0x3, 0x1b, 0xbc, 0x2f, + 0x8a, 0xf6, 0x8d, 0x5a, 0xb7, 0x87, 0x5e, 0x43, 0x75, 0x59}, + {0x68, 0x37, 0x7b, 0x6a, 0xd8, 0x97, 0x92, 0x19, 0x63, 0x7a, 0xd1, + 0x1a, 0x24, 0x58, 0xd0, 0xd0, 0x17, 0xc, 0x1c, 0x5c, 0xad, 0x9c, + 0x2, 0xba, 0x7, 0x3, 0x7a, 0x38, 0x84, 0xd0, 0xcd, 0x7c}, + }, + { + {0x93, 0xcc, 0x60, 0x67, 0x18, 0x84, 0xc, 0x9b, 0x99, 0x2a, 0xb3, + 0x1a, 0x7a, 0x0, 0xae, 0xcd, 0x18, 0xda, 0xb, 0x62, 0x86, 0xec, + 0x8d, 0xa8, 0x44, 0xca, 0x90, 0x81, 0x84, 0xca, 0x93, 0x35}, + {0x17, 0x4, 0x26, 0x6d, 0x2c, 0x42, 0xa6, 0xdc, 0xbd, 0x40, 0x82, + 0x94, 0x50, 0x3d, 0x15, 0xae, 0x77, 0xc6, 0x68, 0xfb, 0xb4, 0xc1, + 0xc0, 0xa9, 0x53, 0xcf, 0xd0, 0x61, 0xed, 0xd0, 0x8b, 0x42}, + {0xa7, 0x9a, 0x84, 0x5e, 0x9a, 0x18, 
0x13, 0x92, 0xcd, 0xfa, 0xd8, + 0x65, 0x35, 0xc3, 0xd8, 0xd4, 0xd1, 0xbb, 0xfd, 0x53, 0x5b, 0x54, + 0x52, 0x8c, 0xe6, 0x63, 0x2d, 0xda, 0x8, 0x83, 0x39, 0x27}, + }, + { + {0x53, 0x24, 0x70, 0xa, 0x4c, 0xe, 0xa1, 0xb9, 0xde, 0x1b, 0x7d, + 0xd5, 0x66, 0x58, 0xa2, 0xf, 0xf7, 0xda, 0x27, 0xcd, 0xb5, 0xd9, + 0xb9, 0xff, 0xfd, 0x33, 0x2c, 0x49, 0x45, 0x29, 0x2c, 0x57}, + {0x13, 0xd4, 0x5e, 0x43, 0x28, 0x8d, 0xc3, 0x42, 0xc9, 0xcc, 0x78, + 0x32, 0x60, 0xf3, 0x50, 0xbd, 0xef, 0x3, 0xda, 0x79, 0x1a, 0xab, + 0x7, 0xbb, 0x55, 0x33, 0x8c, 0xbe, 0xae, 0x97, 0x95, 0x26}, + {0xbe, 0x30, 0xcd, 0xd6, 0x45, 0xc7, 0x7f, 0xc7, 0xfb, 0xae, 0xba, + 0xe3, 0xd3, 0xe8, 0xdf, 0xe4, 0xc, 0xda, 0x5d, 0xaa, 0x30, 0x88, + 0x2c, 0xa2, 0x80, 0xca, 0x5b, 0xc0, 0x98, 0x54, 0x98, 0x7f}, + }, + { + {0x63, 0x63, 0xbf, 0xf, 0x52, 0x15, 0x56, 0xd3, 0xa6, 0xfb, 0x4d, + 0xcf, 0x45, 0x5a, 0x4, 0x8, 0xc2, 0xa0, 0x3f, 0x87, 0xbc, 0x4f, + 0xc2, 0xee, 0xe7, 0x12, 0x9b, 0xd6, 0x3c, 0x65, 0xf2, 0x30}, + {0x17, 0xe1, 0xb, 0x9f, 0x88, 0xce, 0x49, 0x38, 0x88, 0xa2, 0x54, + 0x7b, 0x1b, 0xad, 0x5, 0x80, 0x1c, 0x92, 0xfc, 0x23, 0x9f, 0xc3, + 0xa3, 0x3d, 0x4, 0xf3, 0x31, 0xa, 0x47, 0xec, 0xc2, 0x76}, + {0x85, 0xc, 0xc1, 0xaa, 0x38, 0xc9, 0x8, 0x8a, 0xcb, 0x6b, 0x27, + 0xdb, 0x60, 0x9b, 0x17, 0x46, 0x70, 0xac, 0x6f, 0xe, 0x1e, 0xc0, + 0x20, 0xa9, 0xda, 0x73, 0x64, 0x59, 0xf1, 0x73, 0x12, 0x2f}, + }, + { + {0xc0, 0xb, 0xa7, 0x55, 0xd7, 0x8b, 0x48, 0x30, 0xe7, 0x42, 0xd4, + 0xf1, 0xa4, 0xb5, 0xd6, 0x6, 0x62, 0x61, 0x59, 0xbc, 0x9e, 0xa6, + 0xd1, 0xea, 0x84, 0xf7, 0xc5, 0xed, 0x97, 0x19, 0xac, 0x38}, + {0x11, 0x1e, 0xe0, 0x8a, 0x7c, 0xfc, 0x39, 0x47, 0x9f, 0xab, 0x6a, + 0x4a, 0x90, 0x74, 0x52, 0xfd, 0x2e, 0x8f, 0x72, 0x87, 0x82, 0x8a, + 0xd9, 0x41, 0xf2, 0x69, 0x5b, 0xd8, 0x2a, 0x57, 0x9e, 0x5d}, + {0x3b, 0xb1, 0x51, 0xa7, 0x17, 0xb5, 0x66, 0x6, 0x8c, 0x85, 0x9b, + 0x7e, 0x86, 0x6, 0x7d, 0x74, 0x49, 0xde, 0x4d, 0x45, 0x11, 0xc0, + 0xac, 0xac, 0x9c, 0xe6, 0xe9, 0xbf, 0x9c, 0xcd, 0xdf, 0x22}, + }, + { + {0xa1, 0xe0, 0x3b, 
0x10, 0xb4, 0x59, 0xec, 0x56, 0x69, 0xf9, 0x59, + 0xd2, 0xec, 0xba, 0xe3, 0x2e, 0x32, 0xcd, 0xf5, 0x13, 0x94, 0xb2, + 0x7c, 0x79, 0x72, 0xe4, 0xcd, 0x24, 0x78, 0x87, 0xe9, 0xf}, + {0xd9, 0xc, 0xd, 0xc3, 0xe0, 0xd2, 0xdb, 0x8d, 0x33, 0x43, 0xbb, + 0xac, 0x5f, 0x66, 0x8e, 0xad, 0x1f, 0x96, 0x2a, 0x32, 0x8c, 0x25, + 0x6b, 0x8f, 0xc7, 0xc1, 0x48, 0x54, 0xc0, 0x16, 0x29, 0x6b}, + {0x3b, 0x91, 0xba, 0xa, 0xd1, 0x34, 0xdb, 0x7e, 0xe, 0xac, 0x6d, + 0x2e, 0x82, 0xcd, 0xa3, 0x4e, 0x15, 0xf8, 0x78, 0x65, 0xff, 0x3d, + 0x8, 0x66, 0x17, 0xa, 0xf0, 0x7f, 0x30, 0x3f, 0x30, 0x4c}, + }, + { + {0x0, 0x45, 0xd9, 0xd, 0x58, 0x3, 0xfc, 0x29, 0x93, 0xec, 0xbb, + 0x6f, 0xa4, 0x7a, 0xd2, 0xec, 0xf8, 0xa7, 0xe2, 0xc2, 0x5f, 0x15, + 0xa, 0x13, 0xd5, 0xa1, 0x6, 0xb7, 0x1a, 0x15, 0x6b, 0x41}, + {0x85, 0x8c, 0xb2, 0x17, 0xd6, 0x3b, 0xa, 0xd3, 0xea, 0x3b, 0x77, + 0x39, 0xb7, 0x77, 0xd3, 0xc5, 0xbf, 0x5c, 0x6a, 0x1e, 0x8c, 0xe7, + 0xc6, 0xc6, 0xc4, 0xb7, 0x2a, 0x8b, 0xf7, 0xb8, 0x61, 0xd}, + {0xb0, 0x36, 0xc1, 0xe9, 0xef, 0xd7, 0xa8, 0x56, 0x20, 0x4b, 0xe4, + 0x58, 0xcd, 0xe5, 0x7, 0xbd, 0xab, 0xe0, 0x57, 0x1b, 0xda, 0x2f, + 0xe6, 0xaf, 0xd2, 0xe8, 0x77, 0x42, 0xf7, 0x2a, 0x1a, 0x19}, }, }, { { - {{ -#if defined(OPENSSL_64_BIT) - 471636015770351, 672455402793577, 1804995246884103, - 1842309243470804, 1501862504981682 -#else - 19852015, 7027924, 23669353, 10020366, 8586503, 26896525, - 394196, 27452547, 18638002, 22379495 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1013216974933691, 538921919682598, 1915776722521558, - 1742822441583877, 1886550687916656 -#else - 31395515, 15098109, 26581030, 8030562, 50580950, 28547297, - 9012485, 25970078, 60465776, 28111795 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2094270000643336, 303971879192276, 40801275554748, - 649448917027930, 1818544418535447 -#else - 57916680, 31207054, 65111764, 4529533, 25766844, 607986, - 67095642, 9677542, 34813975, 27098423 -#endif - }}, + {0xfb, 0xe, 0x46, 0x4f, 0x43, 0x2b, 0xe6, 0x9f, 0xd6, 0x7, 0x36, + 0xa6, 0xd4, 
0x3, 0xd3, 0xde, 0x24, 0xda, 0xa0, 0xb7, 0xe, 0x21, + 0x52, 0xf0, 0x93, 0x5b, 0x54, 0x0, 0xbe, 0x7d, 0x7e, 0x23}, + {0x31, 0x14, 0x3c, 0xc5, 0x4b, 0xf7, 0x16, 0xce, 0xde, 0xed, 0x72, + 0x20, 0xce, 0x25, 0x97, 0x2b, 0xe7, 0x3e, 0xb2, 0xb5, 0x6f, 0xc3, + 0xb9, 0xb8, 0x8, 0xc9, 0x5c, 0xb, 0x45, 0xe, 0x2e, 0x7e}, + {0x30, 0xb4, 0x1, 0x67, 0xed, 0x75, 0x35, 0x1, 0x10, 0xfd, 0xb, + 0x9f, 0xe6, 0x94, 0x10, 0x23, 0x22, 0x7f, 0xe4, 0x83, 0x15, 0xf, + 0x32, 0x75, 0xe3, 0x55, 0x11, 0xb1, 0x99, 0xa6, 0xaf, 0x71}, + }, + { + {0xd6, 0x50, 0x3b, 0x47, 0x1c, 0x3c, 0x42, 0xea, 0x10, 0xef, 0x38, + 0x3b, 0x1f, 0x7a, 0xe8, 0x51, 0x95, 0xbe, 0xc9, 0xb2, 0x5f, 0xbf, + 0x84, 0x9b, 0x1c, 0x9a, 0xf8, 0x78, 0xbc, 0x1f, 0x73, 0x0}, + {0x1d, 0xb6, 0x53, 0x39, 0x9b, 0x6f, 0xce, 0x65, 0xe6, 0x41, 0xa1, + 0xaf, 0xea, 0x39, 0x58, 0xc6, 0xfe, 0x59, 0xf7, 0xa9, 0xfd, 0x5f, + 0x43, 0xf, 0x8e, 0xc2, 0xb1, 0xc2, 0xe9, 0x42, 0x11, 0x2}, + {0x80, 0x18, 0xf8, 0x48, 0x18, 0xc7, 0x30, 0xe4, 0x19, 0xc1, 0xce, + 0x5e, 0x22, 0xc, 0x96, 0xbf, 0xe3, 0x15, 0xba, 0x6b, 0x83, 0xe0, + 0xda, 0xb6, 0x8, 0x58, 0xe1, 0x47, 0x33, 0x6f, 0x4d, 0x4c}, + }, + { + {0x70, 0x19, 0x8f, 0x98, 0xfc, 0xdd, 0xc, 0x2f, 0x1b, 0xf5, 0xb9, + 0xb0, 0x27, 0x62, 0x91, 0x6b, 0xbe, 0x76, 0x91, 0x77, 0xc4, 0xb6, + 0xc7, 0x6e, 0xa8, 0x9f, 0x8f, 0xa8, 0x0, 0x95, 0xbf, 0x38}, + {0xc9, 0x1f, 0x7d, 0xc1, 0xcf, 0xec, 0xf7, 0x18, 0x14, 0x3c, 0x40, + 0x51, 0xa6, 0xf5, 0x75, 0x6c, 0xdf, 0xc, 0xee, 0xf7, 0x2b, 0x71, + 0xde, 0xdb, 0x22, 0x7a, 0xe4, 0xa7, 0xaa, 0xdd, 0x3f, 0x19}, + {0x6f, 0x87, 0xe8, 0x37, 0x3c, 0xc9, 0xd2, 0x1f, 0x2c, 0x46, 0xd1, + 0x18, 0x5a, 0x1e, 0xf6, 0xa2, 0x76, 0x12, 0x24, 0x39, 0x82, 0xf5, + 0x80, 0x50, 0x69, 0x49, 0xd, 0xbf, 0x9e, 0xb9, 0x6f, 0x6a}, + }, + { + {0xc6, 0x23, 0xe4, 0xb6, 0xb5, 0x22, 0xb1, 0xee, 0x8e, 0xff, 0x86, + 0xf2, 0x10, 0x70, 0x9d, 0x93, 0x8c, 0x5d, 0xcf, 0x1d, 0x83, 0x2a, + 0xa9, 0x90, 0x10, 0xeb, 0xc5, 0x42, 0x9f, 0xda, 0x6f, 0x13}, + {0xeb, 0x55, 0x8, 0x56, 0xbb, 0xc1, 0x46, 0x6a, 0x9d, 0xf0, 0x93, + 
0xf8, 0x38, 0xbb, 0x16, 0x24, 0xc1, 0xac, 0x71, 0x8f, 0x37, 0x11, + 0x1d, 0xd7, 0xea, 0x96, 0x18, 0xa3, 0x14, 0x69, 0xf7, 0x75}, + {0xd1, 0xbd, 0x5, 0xa3, 0xb1, 0xdf, 0x4c, 0xf9, 0x8, 0x2c, 0xf8, + 0x9f, 0x9d, 0x4b, 0x36, 0xf, 0x8a, 0x58, 0xbb, 0xc3, 0xa5, 0xd8, + 0x87, 0x2a, 0xba, 0xdc, 0xe8, 0xb, 0x51, 0x83, 0x21, 0x2}, + }, + { + {0x7f, 0x7a, 0x30, 0x43, 0x1, 0x71, 0x5a, 0x9d, 0x5f, 0xa4, 0x7d, + 0xc4, 0x9e, 0xde, 0x63, 0xb0, 0xd3, 0x7a, 0x92, 0xbe, 0x52, 0xfe, + 0xbb, 0x22, 0x6c, 0x42, 0x40, 0xfd, 0x41, 0xc4, 0x87, 0x13}, + {0x14, 0x2d, 0xad, 0x5e, 0x38, 0x66, 0xf7, 0x4a, 0x30, 0x58, 0x7c, + 0xca, 0x80, 0xd8, 0x8e, 0xa0, 0x3d, 0x1e, 0x21, 0x10, 0xe6, 0xa6, + 0x13, 0xd, 0x3, 0x6c, 0x80, 0x7b, 0xe1, 0x1c, 0x7, 0x6a}, + {0xf8, 0x8a, 0x97, 0x87, 0xd1, 0xc3, 0xd3, 0xb5, 0x13, 0x44, 0xe, + 0x7f, 0x3d, 0x5a, 0x2b, 0x72, 0xa0, 0x7c, 0x47, 0xbb, 0x48, 0x48, + 0x7b, 0xd, 0x92, 0xdc, 0x1e, 0xaf, 0x6a, 0xb2, 0x71, 0x31}, + }, + { + {0xd1, 0x47, 0x8a, 0xb2, 0xd8, 0xb7, 0xd, 0xa6, 0xf1, 0xa4, 0x70, + 0x17, 0xd6, 0x14, 0xbf, 0xa6, 0x58, 0xbd, 0xdd, 0x53, 0x93, 0xf8, + 0xa1, 0xd4, 0xe9, 0x43, 0x42, 0x34, 0x63, 0x4a, 0x51, 0x6c}, + {0xa8, 0x4c, 0x56, 0x97, 0x90, 0x31, 0x2f, 0xa9, 0x19, 0xe1, 0x75, + 0x22, 0x4c, 0xb8, 0x7b, 0xff, 0x50, 0x51, 0x87, 0xa4, 0x37, 0xfe, + 0x55, 0x4f, 0x5a, 0x83, 0xf0, 0x3c, 0x87, 0xd4, 0x1f, 0x22}, + {0x41, 0x63, 0x15, 0x3a, 0x4f, 0x20, 0x22, 0x23, 0x2d, 0x3, 0xa, + 0xba, 0xe9, 0xe0, 0x73, 0xfb, 0xe, 0x3, 0xf, 0x41, 0x4c, 0xdd, + 0xe0, 0xfc, 0xaa, 0x4a, 0x92, 0xfb, 0x96, 0xa5, 0xda, 0x48}, + }, + { + {0x93, 0x97, 0x4c, 0xc8, 0x5d, 0x1d, 0xf6, 0x14, 0x6, 0x82, 0x41, + 0xef, 0xe3, 0xf9, 0x41, 0x99, 0xac, 0x77, 0x62, 0x34, 0x8f, 0xb8, + 0xf5, 0xcd, 0xa9, 0x79, 0x8a, 0xe, 0xfa, 0x37, 0xc8, 0x58}, + {0xc7, 0x9c, 0xa5, 0x5c, 0x66, 0x8e, 0xca, 0x6e, 0xa0, 0xac, 0x38, + 0x2e, 0x4b, 0x25, 0x47, 0xa8, 0xce, 0x17, 0x1e, 0xd2, 0x8, 0xc7, + 0xaf, 0x31, 0xf7, 0x4a, 0xd8, 0xca, 0xfc, 0xd6, 0x6d, 0x67}, + {0x58, 0x90, 0xfc, 0x96, 0x85, 0x68, 0xf9, 0xc, 0x1b, 0xa0, 
0x56, + 0x7b, 0xf3, 0xbb, 0xdc, 0x1d, 0x6a, 0xd6, 0x35, 0x49, 0x7d, 0xe7, + 0xc2, 0xdc, 0xa, 0x7f, 0xa5, 0xc6, 0xf2, 0x73, 0x4f, 0x1c}, + }, + { + {0x84, 0x34, 0x7c, 0xfc, 0x6e, 0x70, 0x6e, 0xb3, 0x61, 0xcf, 0xc1, + 0xc3, 0xb4, 0xc9, 0xdf, 0x73, 0xe5, 0xc7, 0x1c, 0x78, 0xc9, 0x79, + 0x1d, 0xeb, 0x5c, 0x67, 0xaf, 0x7d, 0xdb, 0x9a, 0x45, 0x70}, + {0xbb, 0xa0, 0x5f, 0x30, 0xbd, 0x4f, 0x7a, 0xe, 0xad, 0x63, 0xc6, + 0x54, 0xe0, 0x4c, 0x9d, 0x82, 0x48, 0x38, 0xe3, 0x2f, 0x83, 0xc3, + 0x21, 0xf4, 0x42, 0x4c, 0xf6, 0x1b, 0xd, 0xc8, 0x5a, 0x79}, + {0xb3, 0x2b, 0xb4, 0x91, 0x49, 0xdb, 0x91, 0x1b, 0xca, 0xdc, 0x2, + 0x4b, 0x23, 0x96, 0x26, 0x57, 0xdc, 0x78, 0x8c, 0x1f, 0xe5, 0x9e, + 0xdf, 0x9f, 0xd3, 0x1f, 0xe2, 0x8c, 0x84, 0x62, 0xe1, 0x5f}, + }, + }, + { + { + {0x8, 0xb2, 0x7c, 0x5d, 0x2d, 0x85, 0x79, 0x28, 0xe7, 0xf2, 0x7d, + 0x68, 0x70, 0xdd, 0xde, 0xb8, 0x91, 0x78, 0x68, 0x21, 0xab, 0xff, + 0xb, 0xdc, 0x35, 0xaa, 0x7d, 0x67, 0x43, 0xc0, 0x44, 0x2b}, + {0x1a, 0x96, 0x94, 0xe1, 0x4f, 0x21, 0x59, 0x4e, 0x4f, 0xcd, 0x71, + 0xd, 0xc7, 0x7d, 0xbe, 0x49, 0x2d, 0xf2, 0x50, 0x3b, 0xd2, 0xcf, + 0x0, 0x93, 0x32, 0x72, 0x91, 0xfc, 0x46, 0xd4, 0x89, 0x47}, + {0x8e, 0xb7, 0x4e, 0x7, 0xab, 0x87, 0x1c, 0x1a, 0x67, 0xf4, 0xda, + 0x99, 0x8e, 0xd1, 0xc6, 0xfa, 0x67, 0x90, 0x4f, 0x48, 0xcd, 0xbb, + 0xac, 0x3e, 0xe4, 0xa4, 0xb9, 0x2b, 0xef, 0x2e, 0xc5, 0x60}, + }, + { + {0x11, 0x6d, 0xae, 0x7c, 0xc2, 0xc5, 0x2b, 0x70, 0xab, 0x8c, 0xa4, + 0x54, 0x9b, 0x69, 0xc7, 0x44, 0xb2, 0x2e, 0x49, 0xba, 0x56, 0x40, + 0xbc, 0xef, 0x6d, 0x67, 0xb6, 0xd9, 0x48, 0x72, 0xd7, 0x70}, + {0xf1, 0x8b, 0xfd, 0x3b, 0xbc, 0x89, 0x5d, 0xb, 0x1a, 0x55, 0xf3, + 0xc9, 0x37, 0x92, 0x6b, 0xb0, 0xf5, 0x28, 0x30, 0xd5, 0xb0, 0x16, + 0x4c, 0xe, 0xab, 0xca, 0xcf, 0x2c, 0x31, 0x9c, 0xbc, 0x10}, + {0x5b, 0xa0, 0xc2, 0x3e, 0x4b, 0xe8, 0x8a, 0xaa, 0xe0, 0x81, 0x17, + 0xed, 0xf4, 0x9e, 0x69, 0x98, 0xd1, 0x85, 0x8e, 0x70, 0xe4, 0x13, + 0x45, 0x79, 0x13, 0xf4, 0x76, 0xa9, 0xd3, 0x5b, 0x75, 0x63}, + }, + { + {0xb7, 0xac, 0xf1, 0x97, 
0x18, 0x10, 0xc7, 0x3d, 0xd8, 0xbb, 0x65, + 0xc1, 0x5e, 0x7d, 0xda, 0x5d, 0xf, 0x2, 0xa1, 0xf, 0x9c, 0x5b, + 0x8e, 0x50, 0x56, 0x2a, 0xc5, 0x37, 0x17, 0x75, 0x63, 0x27}, + {0x53, 0x8, 0xd1, 0x2a, 0x3e, 0xa0, 0x5f, 0xb5, 0x69, 0x35, 0xe6, + 0x9e, 0x90, 0x75, 0x6f, 0x35, 0x90, 0xb8, 0x69, 0xbe, 0xfd, 0xf1, + 0xf9, 0x9f, 0x84, 0x6f, 0xc1, 0x8b, 0xc4, 0xc1, 0x8c, 0xd}, + {0xa9, 0x19, 0xb4, 0x6e, 0xd3, 0x2, 0x94, 0x2, 0xa5, 0x60, 0xb4, + 0x77, 0x7e, 0x4e, 0xb4, 0xf0, 0x56, 0x49, 0x3c, 0xd4, 0x30, 0x62, + 0xa8, 0xcf, 0xe7, 0x66, 0xd1, 0x7a, 0x8a, 0xdd, 0xc2, 0x70}, + }, + { + {0x13, 0x7e, 0xed, 0xb8, 0x7d, 0x96, 0xd4, 0x91, 0x7a, 0x81, 0x76, + 0xd7, 0xa, 0x2f, 0x25, 0x74, 0x64, 0x25, 0x85, 0xd, 0xe0, 0x82, + 0x9, 0xe4, 0xe5, 0x3c, 0xa5, 0x16, 0x38, 0x61, 0xb8, 0x32}, + {0xe, 0xec, 0x6f, 0x9f, 0x50, 0x94, 0x61, 0x65, 0x8d, 0x51, 0xc6, + 0x46, 0xa9, 0x7e, 0x2e, 0xee, 0x5c, 0x9b, 0xe0, 0x67, 0xf3, 0xc1, + 0x33, 0x97, 0x95, 0x84, 0x94, 0x63, 0x63, 0xac, 0xf, 0x2e}, + {0x64, 0xcd, 0x48, 0xe4, 0xbe, 0xf7, 0xe7, 0x79, 0xd0, 0x86, 0x78, + 0x8, 0x67, 0x3a, 0xc8, 0x6a, 0x2e, 0xdb, 0xe4, 0xa0, 0xd9, 0xd4, + 0x9f, 0xf8, 0x41, 0x4f, 0x5a, 0x73, 0x5c, 0x21, 0x79, 0x41}, + }, + { + {0x34, 0xcd, 0x6b, 0x28, 0xb9, 0x33, 0xae, 0xe4, 0xdc, 0xd6, 0x9d, + 0x55, 0xb6, 0x7e, 0xef, 0xb7, 0x1f, 0x8e, 0xd3, 0xb3, 0x1f, 0x14, + 0x8b, 0x27, 0x86, 0xc2, 0x41, 0x22, 0x66, 0x85, 0xfa, 0x31}, + {0x2a, 0xed, 0xdc, 0xd7, 0xe7, 0x94, 0x70, 0x8c, 0x70, 0x9c, 0xd3, + 0x47, 0xc3, 0x8a, 0xfb, 0x97, 0x2, 0xd9, 0x6, 0xa9, 0x33, 0xe0, + 0x3b, 0xe1, 0x76, 0x9d, 0xd9, 0xc, 0xa3, 0x44, 0x3, 0x70}, + {0xf4, 0x22, 0x36, 0x2e, 0x42, 0x6c, 0x82, 0xaf, 0x2d, 0x50, 0x33, + 0x98, 0x87, 0x29, 0x20, 0xc1, 0x23, 0x91, 0x38, 0x2b, 0xe1, 0xb7, + 0xc1, 0x9b, 0x89, 0x24, 0x95, 0xa9, 0x12, 0x23, 0xbb, 0x24}, + }, + { + {0x6b, 0x5c, 0xf8, 0xf5, 0x2a, 0xc, 0xf8, 0x41, 0x94, 0x67, 0xfa, + 0x4, 0xc3, 0x84, 0x72, 0x68, 0xad, 0x1b, 0xba, 0xa3, 0x99, 0xdf, + 0x45, 0x89, 0x16, 0x5d, 0xeb, 0xff, 0xf9, 0x2a, 0x1d, 0xd}, + {0xc3, 0x67, 
0xde, 0x32, 0x17, 0xed, 0xa8, 0xb1, 0x48, 0x49, 0x1b, + 0x46, 0x18, 0x94, 0xb4, 0x3c, 0xd2, 0xbc, 0xcf, 0x76, 0x43, 0x43, + 0xbd, 0x8e, 0x8, 0x80, 0x18, 0x1e, 0x87, 0x3e, 0xee, 0xf}, + {0xdf, 0x1e, 0x62, 0x32, 0xa1, 0x8a, 0xda, 0xa9, 0x79, 0x65, 0x22, + 0x59, 0xa1, 0x22, 0xb8, 0x30, 0x93, 0xc1, 0x9a, 0xa7, 0x7b, 0x19, + 0x4, 0x40, 0x76, 0x1d, 0x53, 0x18, 0x97, 0xd7, 0xac, 0x16}, + }, + { + {0xad, 0xb6, 0x87, 0x78, 0xc5, 0xc6, 0x59, 0xc9, 0xba, 0xfe, 0x90, + 0x5f, 0xad, 0x9e, 0xe1, 0x94, 0x4, 0xf5, 0x42, 0xa3, 0x62, 0x4e, + 0xe2, 0x16, 0x0, 0x17, 0x16, 0x18, 0x4b, 0xd3, 0x4e, 0x16}, + {0x3d, 0x1d, 0x9b, 0x2d, 0xaf, 0x72, 0xdf, 0x72, 0x5a, 0x24, 0x32, + 0xa4, 0x36, 0x2a, 0x46, 0x63, 0x37, 0x96, 0xb3, 0x16, 0x79, 0xa0, + 0xce, 0x3e, 0x9, 0x23, 0x30, 0xb9, 0xf6, 0xe, 0x3e, 0x12}, + {0x9a, 0xe6, 0x2f, 0x19, 0x4c, 0xd9, 0x7e, 0x48, 0x13, 0x15, 0x91, + 0x3a, 0xea, 0x2c, 0xae, 0x61, 0x27, 0xde, 0xa4, 0xb9, 0xd3, 0xf6, + 0x7b, 0x87, 0xeb, 0xf3, 0x73, 0x10, 0xc6, 0xf, 0xda, 0x78}, + }, + { + {0x94, 0x3a, 0xc, 0x68, 0xf1, 0x80, 0x9f, 0xa2, 0xe6, 0xe7, 0xe9, + 0x1a, 0x15, 0x7e, 0xf7, 0x71, 0x73, 0x79, 0x1, 0x48, 0x58, 0xf1, + 0x0, 0x11, 0xdd, 0x8d, 0xb3, 0x16, 0xb3, 0xa4, 0x4a, 0x5}, + {0x6a, 0xc6, 0x2b, 0xe5, 0x28, 0x5d, 0xf1, 0x5b, 0x8e, 0x1a, 0xf0, + 0x70, 0x18, 0xe3, 0x47, 0x2c, 0xdd, 0x8b, 0xc2, 0x6, 0xbc, 0xaf, + 0x19, 0x24, 0x3a, 0x17, 0x6b, 0x25, 0xeb, 0xde, 0x25, 0x2d}, + {0xb8, 0x7c, 0x26, 0x19, 0x8d, 0x46, 0xc8, 0xdf, 0xaf, 0x4d, 0xe5, + 0x66, 0x9c, 0x78, 0x28, 0xb, 0x17, 0xec, 0x6e, 0x66, 0x2a, 0x1d, + 0xeb, 0x2a, 0x60, 0xa7, 0x7d, 0xab, 0xa6, 0x10, 0x46, 0x13}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 2241737709499165, 549397817447461, 838180519319392, - 1725686958520781, 1705639080897747 -#else - 64664349, 33404494, 29348901, 8186665, 1873760, 12489863, - 36174285, 25714739, 59256019, 25416002 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1216074541925116, 50120933933509, 1565829004133810, - 721728156134580, 349206064666188 -#else - 51872508, 
18120922, 7766469, 746860, 26346930, 23332670, - 39775412, 10754587, 57677388, 5203575 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 948617110470858, 346222547451945, 1126511960599975, - 1759386906004538, 493053284802266 -#else - 31834314, 14135496, 66338857, 5159117, 20917671, 16786336, - 59640890, 26216907, 31809242, 7347066 -#endif - }}, + {0x15, 0xf5, 0xd1, 0x77, 0xe7, 0x65, 0x2a, 0xcd, 0xf1, 0x60, 0xaa, + 0x8f, 0x87, 0x91, 0x89, 0x54, 0xe5, 0x6, 0xbc, 0xda, 0xbc, 0x3b, + 0xb7, 0xb1, 0xfb, 0xc9, 0x7c, 0xa9, 0xcb, 0x78, 0x48, 0x65}, + {0xfe, 0xb0, 0xf6, 0x8d, 0xc7, 0x8e, 0x13, 0x51, 0x1b, 0xf5, 0x75, + 0xe5, 0x89, 0xda, 0x97, 0x53, 0xb9, 0xf1, 0x7a, 0x71, 0x1d, 0x7a, + 0x20, 0x9, 0x50, 0xd6, 0x20, 0x2b, 0xba, 0xfd, 0x2, 0x21}, + {0xa1, 0xe6, 0x5c, 0x5, 0x5, 0xe4, 0x9e, 0x96, 0x29, 0xad, 0x51, + 0x12, 0x68, 0xa7, 0xbc, 0x36, 0x15, 0xa4, 0x7d, 0xaa, 0x17, 0xf5, + 0x1a, 0x3a, 0xba, 0xb2, 0xec, 0x29, 0xdb, 0x25, 0xd7, 0xa}, + }, + { + {0x85, 0x6f, 0x5, 0x9b, 0xc, 0xbc, 0xc7, 0xfe, 0xd7, 0xff, 0xf5, + 0xe7, 0x68, 0x52, 0x7d, 0x53, 0xfa, 0xae, 0x12, 0x43, 0x62, 0xc6, + 0xaf, 0x77, 0xd9, 0x9f, 0x39, 0x2, 0x53, 0x5f, 0x67, 0x4f}, + {0x57, 0x24, 0x4e, 0x83, 0xb1, 0x67, 0x42, 0xdc, 0xc5, 0x1b, 0xce, + 0x70, 0xb5, 0x44, 0x75, 0xb6, 0xd7, 0x5e, 0xd1, 0xf7, 0xb, 0x7a, + 0xf0, 0x1a, 0x50, 0x36, 0xa0, 0x71, 0xfb, 0xcf, 0xef, 0x4a}, + {0x1e, 0x17, 0x15, 0x4, 0x36, 0x36, 0x2d, 0xc3, 0x3b, 0x48, 0x98, + 0x89, 0x11, 0xef, 0x2b, 0xcd, 0x10, 0x51, 0x94, 0xd0, 0xad, 0x6e, + 0xa, 0x87, 0x61, 0x65, 0xa8, 0xa2, 0x72, 0xbb, 0xcc, 0xb}, + }, + { + {0x96, 0x12, 0xfe, 0x50, 0x4c, 0x5e, 0x6d, 0x18, 0x7e, 0x9f, 0xe8, + 0xfe, 0x82, 0x7b, 0x39, 0xe0, 0xb0, 0x31, 0x70, 0x50, 0xc5, 0xf6, + 0xc7, 0x3b, 0xc2, 0x37, 0x8f, 0x10, 0x69, 0xfd, 0x78, 0x66}, + {0xc8, 0xa9, 0xb1, 0xea, 0x2f, 0x96, 0x5e, 0x18, 0xcd, 0x7d, 0x14, + 0x65, 0x35, 0xe6, 0xe7, 0x86, 0xf2, 0x6d, 0x5b, 0xbb, 0x31, 0xe0, + 0x92, 0xb0, 0x3e, 0xb7, 0xd6, 0x59, 0xab, 0xf0, 0x24, 0x40}, + {0xc2, 0x63, 0x68, 0x63, 0x31, 0xfa, 0x86, 
0x15, 0xf2, 0x33, 0x2d, + 0x57, 0x48, 0x8c, 0xf6, 0x7, 0xfc, 0xae, 0x9e, 0x78, 0x9f, 0xcc, + 0x73, 0x4f, 0x1, 0x47, 0xad, 0x8e, 0x10, 0xe2, 0x42, 0x2d}, + }, + { + {0x93, 0x75, 0x53, 0xf, 0xd, 0x7b, 0x71, 0x21, 0x4c, 0x6, 0x1e, + 0x13, 0xb, 0x69, 0x4e, 0x91, 0x9f, 0xe0, 0x2a, 0x75, 0xae, 0x87, + 0xb6, 0x1b, 0x6e, 0x3c, 0x42, 0x9b, 0xa7, 0xf3, 0xb, 0x42}, + {0x9b, 0xd2, 0xdf, 0x94, 0x15, 0x13, 0xf5, 0x97, 0x6a, 0x4c, 0x3f, + 0x31, 0x5d, 0x98, 0x55, 0x61, 0x10, 0x50, 0x45, 0x8, 0x7, 0x3f, + 0xa1, 0xeb, 0x22, 0xd3, 0xd2, 0xb8, 0x8, 0x26, 0x6b, 0x67}, + {0x47, 0x2b, 0x5b, 0x1c, 0x65, 0xba, 0x38, 0x81, 0x80, 0x1b, 0x1b, + 0x31, 0xec, 0xb6, 0x71, 0x86, 0xb0, 0x35, 0x31, 0xbc, 0xb1, 0xc, + 0xff, 0x7b, 0xe0, 0xf1, 0xc, 0x9c, 0xfa, 0x2f, 0x5d, 0x74}, + }, + { + {0x6a, 0x4e, 0xd3, 0x21, 0x57, 0xdf, 0x36, 0x60, 0xd0, 0xb3, 0x7b, + 0x99, 0x27, 0x88, 0xdb, 0xb1, 0xfa, 0x6a, 0x75, 0xc8, 0xc3, 0x9, + 0xc2, 0xd3, 0x39, 0xc8, 0x1d, 0x4c, 0xe5, 0x5b, 0xe1, 0x6}, + {0xbd, 0xc8, 0xc9, 0x2b, 0x1e, 0x5a, 0x52, 0xbf, 0x81, 0x9d, 0x47, + 0x26, 0x8, 0x26, 0x5b, 0xea, 0xdb, 0x55, 0x1, 0xdf, 0xe, 0xc7, + 0x11, 0xd5, 0xd0, 0xf5, 0xc, 0x96, 0xeb, 0x3c, 0xe2, 0x1a}, + {0x4a, 0x99, 0x32, 0x19, 0x87, 0x5d, 0x72, 0x5b, 0xb0, 0xda, 0xb1, + 0xce, 0xb5, 0x1c, 0x35, 0x32, 0x5, 0xca, 0xb7, 0xda, 0x49, 0x15, + 0xc4, 0x7d, 0xf7, 0xc1, 0x8e, 0x27, 0x61, 0xd8, 0xde, 0x58}, + }, + { + {0xa8, 0xc9, 0xc2, 0xb6, 0xa8, 0x5b, 0xfb, 0x2d, 0x8c, 0x59, 0x2c, + 0xf5, 0x8e, 0xef, 0xee, 0x48, 0x73, 0x15, 0x2d, 0xf1, 0x7, 0x91, + 0x80, 0x33, 0xd8, 0x5b, 0x1d, 0x53, 0x6b, 0x69, 0xba, 0x8}, + {0x5c, 0xc5, 0x66, 0xf2, 0x93, 0x37, 0x17, 0xd8, 0x49, 0x4e, 0x45, + 0xcc, 0xc5, 0x76, 0xc9, 0xc8, 0xa8, 0xc3, 0x26, 0xbc, 0xf8, 0x82, + 0xe3, 0x5c, 0xf9, 0xf6, 0x85, 0x54, 0xe8, 0x9d, 0xf3, 0x2f}, + {0x7a, 0xc5, 0xef, 0xc3, 0xee, 0x3e, 0xed, 0x77, 0x11, 0x48, 0xff, + 0xd4, 0x17, 0x55, 0xe0, 0x4, 0xcb, 0x71, 0xa6, 0xf1, 0x3f, 0x7a, + 0x3d, 0xea, 0x54, 0xfe, 0x7c, 0x94, 0xb4, 0x33, 0x6, 0x12}, + }, + { + {0xa, 0x10, 0x12, 0x49, 0x47, 
0x31, 0xbd, 0x82, 0x6, 0xbe, 0x6f, + 0x7e, 0x6d, 0x7b, 0x23, 0xde, 0xc6, 0x79, 0xea, 0x11, 0x19, 0x76, + 0x1e, 0xe1, 0xde, 0x3b, 0x39, 0xcb, 0xe3, 0x3b, 0x43, 0x7}, + {0x42, 0x0, 0x61, 0x91, 0x78, 0x98, 0x94, 0xb, 0xe8, 0xfa, 0xeb, + 0xec, 0x3c, 0xb1, 0xe7, 0x4e, 0xc0, 0xa4, 0xf0, 0x94, 0x95, 0x73, + 0xbe, 0x70, 0x85, 0x91, 0xd5, 0xb4, 0x99, 0xa, 0xd3, 0x35}, + {0xf4, 0x97, 0xe9, 0x5c, 0xc0, 0x44, 0x79, 0xff, 0xa3, 0x51, 0x5c, + 0xb0, 0xe4, 0x3d, 0x5d, 0x57, 0x7c, 0x84, 0x76, 0x5a, 0xfd, 0x81, + 0x33, 0x58, 0x9f, 0xda, 0xf6, 0x7a, 0xde, 0x3e, 0x87, 0x2d}, + }, + { + {0x81, 0xf9, 0x5d, 0x4e, 0xe1, 0x2, 0x62, 0xaa, 0xf5, 0xe1, 0x15, + 0x50, 0x17, 0x59, 0xd, 0xa2, 0x6c, 0x1d, 0xe2, 0xba, 0xd3, 0x75, + 0xa2, 0x18, 0x53, 0x2, 0x60, 0x1, 0x8a, 0x61, 0x43, 0x5}, + {0x9, 0x34, 0x37, 0x43, 0x64, 0x31, 0x7a, 0x15, 0xd9, 0x81, 0xaa, + 0xf4, 0xee, 0xb7, 0xb8, 0xfa, 0x6, 0x48, 0xa6, 0xf5, 0xe6, 0xfe, + 0x93, 0xb0, 0xb6, 0xa7, 0x7f, 0x70, 0x54, 0x36, 0x77, 0x2e}, + {0xc1, 0x23, 0x4c, 0x97, 0xf4, 0xbd, 0xea, 0xd, 0x93, 0x46, 0xce, + 0x9d, 0x25, 0xa, 0x6f, 0xaa, 0x2c, 0xba, 0x9a, 0xa2, 0xb8, 0x2c, + 0x20, 0x4, 0xd, 0x96, 0x7, 0x2d, 0x36, 0x43, 0x14, 0x4b}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1454933046815146, 874696014266362, 1467170975468588, - 1432316382418897, 2111710746366763 -#else - 57502122, 21680191, 20414458, 13033986, 13716524, 21862551, - 19797969, 21343177, 15192875, 31466942 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2105387117364450, 1996463405126433, 1303008614294500, - 851908115948209, 1353742049788635 -#else - 54445282, 31372712, 1168161, 29749623, 26747876, 19416341, - 10609329, 12694420, 33473243, 20172328 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 750300956351719, 1487736556065813, 15158817002104, - 1511998221598392, 971739901354129 -#else - 33184999, 11180355, 15832085, 22169002, 65475192, 225883, - 15089336, 22530529, 60973201, 14480052 -#endif - }}, + {0xcb, 0x9c, 0x52, 0x1c, 0xe9, 0x54, 0x7c, 0x96, 0xfb, 0x35, 0xc6, + 0x64, 0x92, 
0x26, 0xf6, 0x30, 0x65, 0x19, 0x12, 0x78, 0xf4, 0xaf, + 0x47, 0x27, 0x5c, 0x6f, 0xf6, 0xea, 0x18, 0x84, 0x3, 0x17}, + {0x7a, 0x1f, 0x6e, 0xb6, 0xc7, 0xb7, 0xc4, 0xcc, 0x7e, 0x2f, 0xc, + 0xf5, 0x25, 0x7e, 0x15, 0x44, 0x1c, 0xaf, 0x3e, 0x71, 0xfc, 0x6d, + 0xf0, 0x3e, 0xf7, 0x63, 0xda, 0x52, 0x67, 0x44, 0x2f, 0x58}, + {0xe4, 0x4c, 0x32, 0x20, 0xd3, 0x7b, 0x31, 0xc6, 0xc4, 0x8b, 0x48, + 0xa4, 0xe8, 0x42, 0x10, 0xa8, 0x64, 0x13, 0x5a, 0x4e, 0x8b, 0xf1, + 0x1e, 0xb2, 0xc9, 0x8d, 0xa2, 0xcd, 0x4b, 0x1c, 0x2a, 0xc}, + }, + { + {0x45, 0x69, 0xbd, 0x69, 0x48, 0x81, 0xc4, 0xed, 0x22, 0x8d, 0x1c, + 0xbe, 0x7d, 0x90, 0x6d, 0xd, 0xab, 0xc5, 0x5c, 0xd5, 0x12, 0xd2, + 0x3b, 0xc6, 0x83, 0xdc, 0x14, 0xa3, 0x30, 0x9b, 0x6a, 0x5a}, + {0x47, 0x4, 0x1f, 0x6f, 0xd0, 0xc7, 0x4d, 0xd2, 0x59, 0xc0, 0x87, + 0xdb, 0x3e, 0x9e, 0x26, 0xb2, 0x8f, 0xd2, 0xb2, 0xfb, 0x72, 0x2, + 0x5b, 0xd1, 0x77, 0x48, 0xf6, 0xc6, 0xd1, 0x8b, 0x55, 0x7c}, + {0x3d, 0x46, 0x96, 0xd3, 0x24, 0x15, 0xec, 0xd0, 0xf0, 0x24, 0x5a, + 0xc3, 0x8a, 0x62, 0xbb, 0x12, 0xa4, 0x5f, 0xbc, 0x1c, 0x79, 0x3a, + 0xc, 0xa5, 0xc3, 0xaf, 0xfb, 0xa, 0xca, 0xa5, 0x4, 0x4}, + }, + { + {0xd1, 0x6f, 0x41, 0x2a, 0x1b, 0x9e, 0xbc, 0x62, 0x8b, 0x59, 0x50, + 0xe3, 0x28, 0xf7, 0xc6, 0xb5, 0x67, 0x69, 0x5d, 0x3d, 0xd8, 0x3f, + 0x34, 0x4, 0x98, 0xee, 0xf8, 0xe7, 0x16, 0x75, 0x52, 0x39}, + {0xd6, 0x43, 0xa7, 0xa, 0x7, 0x40, 0x1f, 0x8c, 0xe8, 0x5e, 0x26, + 0x5b, 0xcb, 0xd0, 0xba, 0xcc, 0xde, 0xd2, 0x8f, 0x66, 0x6b, 0x4, + 0x4b, 0x57, 0x33, 0x96, 0xdd, 0xca, 0xfd, 0x5b, 0x39, 0x46}, + {0x9c, 0x9a, 0x5d, 0x1a, 0x2d, 0xdb, 0x7f, 0x11, 0x2a, 0x5c, 0x0, + 0xd1, 0xbc, 0x45, 0x77, 0x9c, 0xea, 0x6f, 0xd5, 0x54, 0xf1, 0xbe, + 0xd4, 0xef, 0x16, 0xd0, 0x22, 0xe8, 0x29, 0x9a, 0x57, 0x76}, + }, + { + {0xf2, 0x34, 0xb4, 0x52, 0x13, 0xb5, 0x3c, 0x33, 0xe1, 0x80, 0xde, + 0x93, 0x49, 0x28, 0x32, 0xd8, 0xce, 0x35, 0xd, 0x75, 0x87, 0x28, + 0x51, 0xb5, 0xc1, 0x77, 0x27, 0x2a, 0xbb, 0x14, 0xc5, 0x2}, + {0x17, 0x2a, 0xc0, 0x49, 0x7e, 0x8e, 0xb6, 0x45, 0x7f, 0xa3, 0xa9, + 
0xbc, 0xa2, 0x51, 0xcd, 0x23, 0x1b, 0x4c, 0x22, 0xec, 0x11, 0x5f, + 0xd6, 0x3e, 0xb1, 0xbd, 0x5, 0x9e, 0xdc, 0x84, 0xa3, 0x43}, + {0x45, 0xb6, 0xf1, 0x8b, 0xda, 0xd5, 0x4b, 0x68, 0x53, 0x4b, 0xb5, + 0xf6, 0x7e, 0xd3, 0x8b, 0xfb, 0x53, 0xd2, 0xb0, 0xa9, 0xd7, 0x16, + 0x39, 0x31, 0x59, 0x80, 0x54, 0x61, 0x9, 0x92, 0x60, 0x11}, + }, + { + {0xcd, 0x4d, 0x9b, 0x36, 0x16, 0x56, 0x38, 0x7a, 0x63, 0x35, 0x5c, + 0x65, 0xa7, 0x2c, 0xc0, 0x75, 0x21, 0x80, 0xf1, 0xd4, 0xf9, 0x1b, + 0xc2, 0x7d, 0x42, 0xe0, 0xe6, 0x91, 0x74, 0x7d, 0x63, 0x2f}, + {0xaa, 0xcf, 0xda, 0x29, 0x69, 0x16, 0x4d, 0xb4, 0x8f, 0x59, 0x13, + 0x84, 0x4c, 0x9f, 0x52, 0xda, 0x59, 0x55, 0x3d, 0x45, 0xca, 0x63, + 0xef, 0xe9, 0xb, 0x8e, 0x69, 0xc5, 0x5b, 0x12, 0x1e, 0x35}, + {0xbe, 0x7b, 0xf6, 0x1a, 0x46, 0x9b, 0xb4, 0xd4, 0x61, 0x89, 0xab, + 0xc8, 0x7a, 0x3, 0x3, 0xd6, 0xfb, 0x99, 0xa6, 0xf9, 0x9f, 0xe1, + 0xde, 0x71, 0x9a, 0x2a, 0xce, 0xe7, 0x6, 0x2d, 0x18, 0x7f}, + }, + { + {0x22, 0x75, 0x21, 0x8e, 0x72, 0x4b, 0x45, 0x9, 0xd8, 0xb8, 0x84, + 0xd4, 0xf4, 0xe8, 0x58, 0xaa, 0x3c, 0x90, 0x46, 0x7f, 0x4d, 0x25, + 0x58, 0xd3, 0x17, 0x52, 0x1c, 0x24, 0x43, 0xc0, 0xac, 0x44}, + {0xec, 0x68, 0x1, 0xab, 0x64, 0x8e, 0x7c, 0x7a, 0x43, 0xc5, 0xed, + 0x15, 0x55, 0x4a, 0x5a, 0xcb, 0xda, 0xe, 0xcd, 0x47, 0xd3, 0x19, + 0x55, 0x9, 0xb0, 0x93, 0x3e, 0x34, 0x8c, 0xac, 0xd4, 0x67}, + {0x77, 0x57, 0x7a, 0x4f, 0xbb, 0x6b, 0x7d, 0x1c, 0xe1, 0x13, 0x83, + 0x91, 0xd4, 0xfe, 0x35, 0x8b, 0x84, 0x46, 0x6b, 0xc9, 0xc6, 0xa1, + 0xdc, 0x4a, 0xbd, 0x71, 0xad, 0x12, 0x83, 0x1c, 0x6d, 0x55}, + }, + { + {0x21, 0xe8, 0x1b, 0xb1, 0x56, 0x67, 0xf0, 0x81, 0xdd, 0xf3, 0xa3, + 0x10, 0x23, 0xf8, 0xaf, 0xf, 0x5d, 0x46, 0x99, 0x6a, 0x55, 0xd0, + 0xb2, 0xf8, 0x5, 0x7f, 0x8c, 0xcc, 0x38, 0xbe, 0x7a, 0x9}, + {0x82, 0x39, 0x8d, 0xc, 0xe3, 0x40, 0xef, 0x17, 0x34, 0xfa, 0xa3, + 0x15, 0x3e, 0x7, 0xf7, 0x31, 0x6e, 0x64, 0x73, 0x7, 0xcb, 0xf3, + 0x21, 0x4f, 0xff, 0x4e, 0x82, 0x1d, 0x6d, 0x6c, 0x6c, 0x74}, + {0xa4, 0x2d, 0xa5, 0x7e, 0x87, 0xc9, 0x49, 0xc, 0x43, 
0x1d, 0xdc, + 0x9b, 0x55, 0x69, 0x43, 0x4c, 0xd2, 0xeb, 0xcc, 0xf7, 0x9, 0x38, + 0x2c, 0x2, 0xbd, 0x84, 0xee, 0x4b, 0xa3, 0x14, 0x7e, 0x57}, + }, + { + {0x2b, 0xd7, 0x4d, 0xbd, 0xbe, 0xce, 0xfe, 0x94, 0x11, 0x22, 0xf, + 0x6, 0xda, 0x4f, 0x6a, 0xf4, 0xff, 0xd1, 0xc8, 0xc0, 0x77, 0x59, + 0x4a, 0x12, 0x95, 0x92, 0x0, 0xfb, 0xb8, 0x4, 0x53, 0x70}, + {0xa, 0x3b, 0xa7, 0x61, 0xac, 0x68, 0xe2, 0xf0, 0xf5, 0xa5, 0x91, + 0x37, 0x10, 0xfa, 0xfa, 0xf2, 0xe9, 0x0, 0x6d, 0x6b, 0x82, 0x3e, + 0xe1, 0xc1, 0x42, 0x8f, 0xd7, 0x6f, 0xe9, 0x7e, 0xfa, 0x60}, + {0xc6, 0x6e, 0x29, 0x4d, 0x35, 0x1d, 0x3d, 0xb6, 0xd8, 0x31, 0xad, + 0x5f, 0x3e, 0x5, 0xc3, 0xf3, 0xec, 0x42, 0xbd, 0xb4, 0x8c, 0x95, + 0xb, 0x67, 0xfd, 0x53, 0x63, 0xa1, 0xc, 0x8e, 0x39, 0x21}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1874648163531693, 2124487685930551, 1810030029384882, - 918400043048335, 586348627300650 -#else - 31308717, 27934434, 31030839, 31657333, 15674546, 26971549, - 5496207, 13685227, 27595050, 8737275 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1235084464747900, 1166111146432082, 1745394857881591, - 1405516473883040, 4463504151617 -#else - 46790012, 18404192, 10933842, 17376410, 8335351, 26008410, - 36100512, 20943827, 26498113, 66511 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1663810156463827, 327797390285791, 1341846161759410, - 1964121122800605, 1747470312055380 -#else - 22644435, 24792703, 50437087, 4884561, 64003250, 19995065, - 30540765, 29267685, 53781076, 26039336 -#endif - }}, + {0x1, 0x56, 0xb7, 0xb4, 0xf9, 0xaa, 0x98, 0x27, 0x72, 0xad, 0x8d, + 0x5c, 0x13, 0x72, 0xac, 0x5e, 0x23, 0xa0, 0xb7, 0x61, 0x61, 0xaa, + 0xce, 0xd2, 0x4e, 0x7d, 0x8f, 0xe9, 0x84, 0xb2, 0xbf, 0x1b}, + {0xf3, 0x33, 0x2b, 0x38, 0x8a, 0x5, 0xf5, 0x89, 0xb4, 0xc0, 0x48, + 0xad, 0xb, 0xba, 0xe2, 0x5a, 0x6e, 0xb3, 0x3d, 0xa5, 0x3, 0xb5, + 0x93, 0x8f, 0xe6, 0x32, 0xa2, 0x95, 0x9d, 0xed, 0xa3, 0x5a}, + {0x61, 0x65, 0xd9, 0xc7, 0xe9, 0x77, 0x67, 0x65, 0x36, 0x80, 0xc7, + 0x72, 0x54, 0x12, 0x2b, 0xcb, 0xee, 
0x6e, 0x50, 0xd9, 0x99, 0x32, + 0x5, 0x65, 0xcc, 0x57, 0x89, 0x5e, 0x4e, 0xe1, 0x7, 0x4a}, + }, + { + {0x9b, 0xa4, 0x77, 0xc4, 0xcd, 0x58, 0xb, 0x24, 0x17, 0xf0, 0x47, + 0x64, 0xde, 0xda, 0x38, 0xfd, 0xad, 0x6a, 0xc8, 0xa7, 0x32, 0x8d, + 0x92, 0x19, 0x81, 0xa0, 0xaf, 0x84, 0xed, 0x7a, 0xaf, 0x50}, + {0x99, 0xf9, 0xd, 0x98, 0xcb, 0x12, 0xe4, 0x4e, 0x71, 0xc7, 0x6e, + 0x3c, 0x6f, 0xd7, 0x15, 0xa3, 0xfd, 0x77, 0x5c, 0x92, 0xde, 0xed, + 0xa5, 0xbb, 0x2, 0x34, 0x31, 0x1d, 0x39, 0xac, 0xb, 0x3f}, + {0xe5, 0x5b, 0xf6, 0x15, 0x1, 0xde, 0x4f, 0x6e, 0xb2, 0x9, 0x61, + 0x21, 0x21, 0x26, 0x98, 0x29, 0xd9, 0xd6, 0xad, 0xb, 0x81, 0x5, + 0x2, 0x78, 0x6, 0xd0, 0xeb, 0xba, 0x16, 0xa3, 0x21, 0x19}, + }, + { + {0x8b, 0xc1, 0xf3, 0xd9, 0x9a, 0xad, 0x5a, 0xd7, 0x9c, 0xc1, 0xb1, + 0x60, 0xef, 0xe, 0x6a, 0x56, 0xd9, 0xe, 0x5c, 0x25, 0xac, 0xb, + 0x9a, 0x3e, 0xf5, 0xc7, 0x62, 0xa0, 0xec, 0x9d, 0x4, 0x7b}, + {0xfc, 0x70, 0xb8, 0xdf, 0x7e, 0x2f, 0x42, 0x89, 0xbd, 0xb3, 0x76, + 0x4f, 0xeb, 0x6b, 0x29, 0x2c, 0xf7, 0x4d, 0xc2, 0x36, 0xd4, 0xf1, + 0x38, 0x7, 0xb0, 0xae, 0x73, 0xe2, 0x41, 0xdf, 0x58, 0x64}, + {0x83, 0x44, 0x44, 0x35, 0x7a, 0xe3, 0xcb, 0xdc, 0x93, 0xbe, 0xed, + 0xf, 0x33, 0x79, 0x88, 0x75, 0x87, 0xdd, 0xc5, 0x12, 0xc3, 0x4, + 0x60, 0x78, 0x64, 0xe, 0x95, 0xc2, 0xcb, 0xdc, 0x93, 0x60}, + }, + { + {0x4b, 0x3, 0x84, 0x60, 0xbe, 0xee, 0xde, 0x6b, 0x54, 0xb8, 0xf, + 0x78, 0xb6, 0xc2, 0x99, 0x31, 0x95, 0x6, 0x2d, 0xb6, 0xab, 0x76, + 0x33, 0x97, 0x90, 0x7d, 0x64, 0x8b, 0xc9, 0x80, 0x31, 0x6e}, + {0x6d, 0x70, 0xe0, 0x85, 0x85, 0x9a, 0xf3, 0x1f, 0x33, 0x39, 0xe7, + 0xb3, 0xd8, 0xa5, 0xd0, 0x36, 0x3b, 0x45, 0x8f, 0x71, 0xe1, 0xf2, + 0xb9, 0x43, 0x7c, 0xa9, 0x27, 0x48, 0x8, 0xea, 0xd1, 0x57}, + {0x71, 0xb0, 0x28, 0xa1, 0xe7, 0xb6, 0x7a, 0xee, 0xaa, 0x8b, 0xa8, + 0x93, 0x6d, 0x59, 0xc1, 0xa4, 0x30, 0x61, 0x21, 0xb2, 0x82, 0xde, + 0xb4, 0xf7, 0x18, 0xbd, 0x97, 0xdd, 0x9d, 0x99, 0x3e, 0x36}, + }, + { + {0xc6, 0xae, 0x4b, 0xe2, 0xdc, 0x48, 0x18, 0x2f, 0x60, 0xaf, 0xbc, + 0xba, 0x55, 0x72, 0x9b, 
0x76, 0x31, 0xe9, 0xef, 0x3c, 0x6e, 0x3c, + 0xcb, 0x90, 0x55, 0xb3, 0xf9, 0xc6, 0x9b, 0x97, 0x1f, 0x23}, + {0xc4, 0x1f, 0xee, 0x35, 0xc1, 0x43, 0xa8, 0x96, 0xcf, 0xc8, 0xe4, + 0x8, 0x55, 0xb3, 0x6e, 0x97, 0x30, 0xd3, 0x8c, 0xb5, 0x1, 0x68, + 0x2f, 0xb4, 0x2b, 0x5, 0x3a, 0x69, 0x78, 0x9b, 0xee, 0x48}, + {0xc6, 0xf3, 0x2a, 0xcc, 0x4b, 0xde, 0x31, 0x5c, 0x1f, 0x8d, 0x20, + 0xfe, 0x30, 0xb0, 0x4b, 0xb0, 0x66, 0xb4, 0x4f, 0xc1, 0x9, 0x70, + 0x8d, 0xb7, 0x13, 0x24, 0x79, 0x8, 0x9b, 0xfa, 0x9b, 0x7}, + }, + { + {0x45, 0x42, 0xd5, 0xa2, 0x80, 0xed, 0xc9, 0xf3, 0x52, 0x39, 0xf6, + 0x77, 0x78, 0x8b, 0xa0, 0xa, 0x75, 0x54, 0x8, 0xd1, 0x63, 0xac, + 0x6d, 0xd7, 0x6b, 0x63, 0x70, 0x94, 0x15, 0xfb, 0xf4, 0x1e}, + {0xf4, 0xd, 0x30, 0xda, 0x51, 0x3a, 0x90, 0xe3, 0xb0, 0x5a, 0xa9, + 0x3d, 0x23, 0x64, 0x39, 0x84, 0x80, 0x64, 0x35, 0xb, 0x2d, 0xf1, + 0x3c, 0xed, 0x94, 0x71, 0x81, 0x84, 0xf6, 0x77, 0x8c, 0x3}, + {0xec, 0x7b, 0x16, 0x5b, 0xe6, 0x5e, 0x4e, 0x85, 0xc2, 0xcd, 0xd0, + 0x96, 0x42, 0xa, 0x59, 0x59, 0x99, 0x21, 0x10, 0x98, 0x34, 0xdf, + 0xb2, 0x72, 0x56, 0xff, 0xb, 0x4a, 0x2a, 0xe9, 0x5e, 0x57}, + }, + { + {0x1, 0xd8, 0xa4, 0xa, 0x45, 0xbc, 0x46, 0x5d, 0xd8, 0xb9, 0x33, + 0xa5, 0x27, 0x12, 0xaf, 0xc3, 0xc2, 0x6, 0x89, 0x2b, 0x26, 0x3b, + 0x9e, 0x38, 0x1b, 0x58, 0x2f, 0x38, 0x7e, 0x1e, 0xa, 0x20}, + {0xcf, 0x2f, 0x18, 0x8a, 0x90, 0x80, 0xc0, 0xd4, 0xbd, 0x9d, 0x48, + 0x99, 0xc2, 0x70, 0xe1, 0x30, 0xde, 0x33, 0xf7, 0x52, 0x57, 0xbd, + 0xba, 0x5, 0x0, 0xfd, 0xd3, 0x2c, 0x11, 0xe7, 0xd4, 0x43}, + {0xc5, 0x3a, 0xf9, 0xea, 0x67, 0xb9, 0x8d, 0x51, 0xc0, 0x52, 0x66, + 0x5, 0x9b, 0x98, 0xbc, 0x71, 0xf5, 0x97, 0x71, 0x56, 0xd9, 0x85, + 0x2b, 0xfe, 0x38, 0x4e, 0x1e, 0x65, 0x52, 0xca, 0xe, 0x5}, + }, + { + {0xea, 0x68, 0xe6, 0x60, 0x76, 0x39, 0xac, 0x97, 0x97, 0xb4, 0x3a, + 0x15, 0xfe, 0xbb, 0x19, 0x9b, 0x9f, 0xa7, 0xec, 0x34, 0xb5, 0x79, + 0xb1, 0x4c, 0x57, 0xae, 0x31, 0xa1, 0x9f, 0xc0, 0x51, 0x61}, + {0x9c, 0xc, 0x3f, 0x45, 0xde, 0x1a, 0x43, 0xc3, 0x9b, 0x3b, 0x70, + 0xff, 0x5e, 0x4, 
0xf5, 0xe9, 0x3d, 0x7b, 0x84, 0xed, 0xc9, 0x7a, + 0xd9, 0xfc, 0xc6, 0xf4, 0x58, 0x1c, 0xc2, 0xe6, 0xe, 0x4b}, + {0x96, 0x5d, 0xf0, 0xfd, 0xd, 0x5c, 0xf5, 0x3a, 0x7a, 0xee, 0xb4, + 0x2a, 0xe0, 0x2e, 0x26, 0xdd, 0x9, 0x17, 0x17, 0x12, 0x87, 0xbb, + 0xb2, 0x11, 0xb, 0x3, 0xf, 0x80, 0xfa, 0x24, 0xef, 0x1f}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 660005247548233, 2071860029952887, 1358748199950107, - 911703252219107, 1014379923023831 -#else - 39091017, 9834844, 18617207, 30873120, 63706907, 20246925, - 8205539, 13585437, 49981399, 15115438 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2206641276178231, 1690587809721504, 1600173622825126, - 2156096097634421, 1106822408548216 -#else - 23711543, 32881517, 31206560, 25191721, 6164646, 23844445, - 33572981, 32128335, 8236920, 16492939 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1344788193552206, 1949552134239140, 1735915881729557, - 675891104100469, 1834220014427292 -#else - 43198286, 20038905, 40809380, 29050590, 25005589, 25867162, - 19574901, 10071562, 6708380, 27332008 -#endif - }}, + {0x86, 0x6b, 0x97, 0x30, 0xf5, 0xaf, 0xd2, 0x22, 0x4, 0x46, 0xd2, + 0xc2, 0x6, 0xb8, 0x90, 0x8d, 0xe5, 0xba, 0xe5, 0x4d, 0x6c, 0x89, + 0xa1, 0xdc, 0x17, 0xc, 0x34, 0xc8, 0xe6, 0x5f, 0x0, 0x28}, + {0x96, 0x31, 0xa7, 0x1a, 0xfb, 0x53, 0xd6, 0x37, 0x18, 0x64, 0xd7, + 0x3f, 0x30, 0x95, 0x94, 0xf, 0xb2, 0x17, 0x3a, 0xfb, 0x9, 0xb, + 0x20, 0xad, 0x3e, 0x61, 0xc8, 0x2f, 0x29, 0x49, 0x4d, 0x54}, + {0x88, 0x86, 0x52, 0x34, 0x9f, 0xba, 0xef, 0x6a, 0xa1, 0x7d, 0x10, + 0x25, 0x94, 0xff, 0x1b, 0x5c, 0x36, 0x4b, 0xd9, 0x66, 0xcd, 0xbb, + 0x5b, 0xf7, 0xfa, 0x6d, 0x31, 0xf, 0x93, 0x72, 0xe4, 0x72}, + }, + { + {0x27, 0x76, 0x2a, 0xd3, 0x35, 0xf6, 0xf3, 0x7, 0xf0, 0x66, 0x65, + 0x5f, 0x86, 0x4d, 0xaa, 0x7a, 0x50, 0x44, 0xd0, 0x28, 0x97, 0xe7, + 0x85, 0x3c, 0x38, 0x64, 0xe0, 0xf, 0x0, 0x7f, 0xee, 0x1f}, + {0x4f, 0x8, 0x81, 0x97, 0x8c, 0x20, 0x95, 0x26, 0xe1, 0xe, 0x45, + 0x23, 0xb, 0x2a, 0x50, 0xb1, 0x2, 0xde, 0xef, 0x3, 0xa6, 0xae, + 
0x9d, 0xfd, 0x4c, 0xa3, 0x33, 0x27, 0x8c, 0x2e, 0x9d, 0x5a}, + {0xe5, 0xf7, 0xdb, 0x3, 0xda, 0x5, 0x53, 0x76, 0xbd, 0xcd, 0x34, + 0x14, 0x49, 0xf2, 0xda, 0xa4, 0xec, 0x88, 0x4a, 0xd2, 0xcd, 0xd5, + 0x4a, 0x7b, 0x43, 0x5, 0x4, 0xee, 0x51, 0x40, 0xf9, 0x0}, + }, + { + {0x53, 0x97, 0xaf, 0x7, 0xbb, 0x93, 0xef, 0xd7, 0xa7, 0x66, 0xb7, + 0x3d, 0xcf, 0xd0, 0x3e, 0x58, 0xc5, 0x1e, 0xb, 0x6e, 0xbf, 0x98, + 0x69, 0xce, 0x52, 0x4, 0xd4, 0x5d, 0xd2, 0xff, 0xb7, 0x47}, + {0xb2, 0x30, 0xd3, 0xc3, 0x23, 0x6b, 0x35, 0x8d, 0x6, 0x1b, 0x47, + 0xb0, 0x9b, 0x8b, 0x1c, 0xf2, 0x3c, 0xb8, 0x42, 0x6e, 0x6c, 0x31, + 0x6c, 0xb3, 0xd, 0xb1, 0xea, 0x8b, 0x7e, 0x9c, 0xd7, 0x7}, + {0x12, 0xdd, 0x8, 0xbc, 0x9c, 0xfb, 0xfb, 0x87, 0x9b, 0xc2, 0xee, + 0xe1, 0x3a, 0x6b, 0x6, 0x8a, 0xbf, 0xc1, 0x1f, 0xdb, 0x2b, 0x24, + 0x57, 0xd, 0xb6, 0x4b, 0xa6, 0x5e, 0xa3, 0x20, 0x35, 0x1c}, + }, + { + {0x59, 0xc0, 0x6b, 0x21, 0x40, 0x6f, 0xa8, 0xcd, 0x7e, 0xd8, 0xbc, + 0x12, 0x1d, 0x23, 0xbb, 0x1f, 0x90, 0x9, 0xc7, 0x17, 0x9e, 0x6a, + 0x95, 0xb4, 0x55, 0x2e, 0xd1, 0x66, 0x3b, 0xc, 0x75, 0x38}, + {0x4a, 0xa3, 0xcb, 0xbc, 0xa6, 0x53, 0xd2, 0x80, 0x9b, 0x21, 0x38, + 0x38, 0xa1, 0xc3, 0x61, 0x3e, 0x96, 0xe3, 0x82, 0x98, 0x1, 0xb6, + 0xc3, 0x90, 0x6f, 0xe6, 0xe, 0x5d, 0x77, 0x5, 0x3d, 0x1c}, + {0x1a, 0xe5, 0x22, 0x94, 0x40, 0xf1, 0x2e, 0x69, 0x71, 0xf6, 0x5d, + 0x2b, 0x3c, 0xc7, 0xc0, 0xcb, 0x29, 0xe0, 0x4c, 0x74, 0xe7, 0x4f, + 0x1, 0x21, 0x7c, 0x48, 0x30, 0xd3, 0xc7, 0xe2, 0x21, 0x6}, + }, + { + {0xf3, 0xf0, 0xdb, 0xb0, 0x96, 0x17, 0xae, 0xb7, 0x96, 0xe1, 0x7c, + 0xe1, 0xb9, 0xaf, 0xdf, 0x54, 0xb4, 0xa3, 0xaa, 0xe9, 0x71, 0x30, + 0x92, 0x25, 0x9d, 0x2e, 0x0, 0xa1, 0x9c, 0x58, 0x8e, 0x5d}, + {0x8d, 0x83, 0x59, 0x82, 0xcc, 0x60, 0x98, 0xaf, 0xdc, 0x9a, 0x9f, + 0xc6, 0xc1, 0x48, 0xea, 0x90, 0x30, 0x1e, 0x58, 0x65, 0x37, 0x48, + 0x26, 0x65, 0xbc, 0xa5, 0xd3, 0x7b, 0x9, 0xd6, 0x7, 0x0}, + {0x4b, 0xa9, 0x42, 0x8, 0x95, 0x1d, 0xbf, 0xc0, 0x3e, 0x2e, 0x8f, + 0x58, 0x63, 0xc3, 0xd3, 0xb2, 0xef, 0xe2, 0x51, 0xbb, 0x38, 0x14, 
+ 0x96, 0xa, 0x86, 0xbf, 0x1c, 0x3c, 0x78, 0xd7, 0x83, 0x15}, + }, + { + {0xc7, 0x28, 0x9d, 0xcc, 0x4, 0x47, 0x3, 0x90, 0x8f, 0xc5, 0x2c, + 0xf7, 0x9e, 0x67, 0x1b, 0x1d, 0x26, 0x87, 0x5b, 0xbe, 0x5f, 0x2b, + 0xe1, 0x16, 0xa, 0x58, 0xc5, 0x83, 0x4e, 0x6, 0x58, 0x49}, + {0xe1, 0x7a, 0xa2, 0x5d, 0xef, 0xa2, 0xee, 0xec, 0x74, 0x1, 0x67, + 0x55, 0x14, 0x3a, 0x7c, 0x59, 0x7a, 0x16, 0x9, 0x66, 0x12, 0x2a, + 0xa6, 0xc9, 0x70, 0x8f, 0xed, 0x81, 0x2e, 0x5f, 0x2a, 0x25}, + {0xd, 0xe8, 0x66, 0x50, 0x26, 0x94, 0x28, 0xd, 0x6b, 0x8c, 0x7c, + 0x30, 0x85, 0xf7, 0xc3, 0xfc, 0xfd, 0x12, 0x11, 0xc, 0x78, 0xda, + 0x53, 0x1b, 0x88, 0xb3, 0x43, 0xd8, 0xb, 0x17, 0x9c, 0x7}, + }, + { + {0x56, 0xd0, 0xd5, 0xc0, 0x50, 0xcd, 0xd6, 0xcd, 0x3b, 0x57, 0x3, + 0xbb, 0x6d, 0x68, 0xf7, 0x9a, 0x48, 0xef, 0xc3, 0xf3, 0x3f, 0x72, + 0xa6, 0x3c, 0xcc, 0x8a, 0x7b, 0x31, 0xd7, 0xc0, 0x68, 0x67}, + {0xff, 0x6f, 0xfa, 0x64, 0xe4, 0xec, 0x6, 0x5, 0x23, 0xe5, 0x5, + 0x62, 0x1e, 0x43, 0xe3, 0xbe, 0x42, 0xea, 0xb8, 0x51, 0x24, 0x42, + 0x79, 0x35, 0x0, 0xfb, 0xc9, 0x4a, 0xe3, 0x5, 0xec, 0x6d}, + {0xb3, 0xc1, 0x55, 0xf1, 0xe5, 0x25, 0xb6, 0x94, 0x91, 0x7b, 0x7b, + 0x99, 0xa7, 0xf3, 0x7b, 0x41, 0x0, 0x26, 0x6b, 0x6d, 0xdc, 0xbd, + 0x2c, 0xc2, 0xf4, 0x52, 0xcd, 0xdd, 0x14, 0x5e, 0x44, 0x51}, + }, + { + {0x55, 0xa4, 0xbe, 0x2b, 0xab, 0x47, 0x31, 0x89, 0x29, 0x91, 0x7, + 0x92, 0x4f, 0xa2, 0x53, 0x8c, 0xa7, 0xf7, 0x30, 0xbe, 0x48, 0xf9, + 0x49, 0x4b, 0x3d, 0xd4, 0x4f, 0x6e, 0x8, 0x90, 0xe9, 0x12}, + {0x51, 0x49, 0x14, 0x3b, 0x4b, 0x2b, 0x50, 0x57, 0xb3, 0xbc, 0x4b, + 0x44, 0x6b, 0xff, 0x67, 0x8e, 0xdb, 0x85, 0x63, 0x16, 0x27, 0x69, + 0xbd, 0xb8, 0xc8, 0x95, 0x92, 0xe3, 0x31, 0x6f, 0x18, 0x13}, + {0x2e, 0xbb, 0xdf, 0x7f, 0xb3, 0x96, 0xc, 0xf1, 0xf9, 0xea, 0x1c, + 0x12, 0x5e, 0x93, 0x9a, 0x9f, 0x3f, 0x98, 0x5b, 0x3a, 0xc4, 0x36, + 0x11, 0xdf, 0xaf, 0x99, 0x3e, 0x5d, 0xf0, 0xe3, 0xb2, 0x77}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1920949492387964, 158885288387530, 70308263664033, - 626038464897817, 
1468081726101009 -#else - 2101372, 28624378, 19702730, 2367575, 51681697, 1047674, - 5301017, 9328700, 29955601, 21876122 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 622221042073383, 1210146474039168, 1742246422343683, - 1403839361379025, 417189490895736 -#else - 3096359, 9271816, 45488000, 18032587, 52260867, 25961494, - 41216721, 20918836, 57191288, 6216607 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 22727256592983, 168471543384997, 1324340989803650, - 1839310709638189, 504999476432775 -#else - 34493015, 338662, 41913253, 2510421, 37895298, 19734218, - 24822829, 27407865, 40341383, 7525078 -#endif - }}, + {0xa4, 0xb0, 0xdd, 0x12, 0x9c, 0x63, 0x98, 0xd5, 0x6b, 0x86, 0x24, + 0xc0, 0x30, 0x9f, 0xd1, 0xa5, 0x60, 0xe4, 0xfc, 0x58, 0x3, 0x2f, + 0x7c, 0xd1, 0x8a, 0x5e, 0x9, 0x2e, 0x15, 0x95, 0xa1, 0x7}, + {0xde, 0xc4, 0x2e, 0x9c, 0xc5, 0xa9, 0x6f, 0x29, 0xcb, 0xf3, 0x84, + 0x4f, 0xbf, 0x61, 0x8b, 0xbc, 0x8, 0xf9, 0xa8, 0x17, 0xd9, 0x6, + 0x77, 0x1c, 0x5d, 0x25, 0xd3, 0x7a, 0xfc, 0x95, 0xb7, 0x63}, + {0xc8, 0x5f, 0x9e, 0x38, 0x2, 0x8f, 0x36, 0xa8, 0x3b, 0xe4, 0x8d, + 0xcf, 0x2, 0x3b, 0x43, 0x90, 0x43, 0x26, 0x41, 0xc5, 0x5d, 0xfd, + 0xa1, 0xaf, 0x37, 0x1, 0x2f, 0x3, 0x3d, 0xe8, 0x8f, 0x3e}, + }, + { + {0x3c, 0xd1, 0xef, 0xe8, 0x8d, 0x4c, 0x70, 0x8, 0x31, 0x37, 0xe0, + 0x33, 0x8e, 0x1a, 0xc5, 0xdf, 0xe3, 0xcd, 0x60, 0x12, 0xa5, 0x5d, + 0x9d, 0xa5, 0x86, 0x8c, 0x25, 0xa6, 0x99, 0x8, 0xd6, 0x22}, + {0x94, 0xa2, 0x70, 0x5, 0xb9, 0x15, 0x8b, 0x2f, 0x49, 0x45, 0x8, + 0x67, 0x70, 0x42, 0xf2, 0x94, 0x84, 0xfd, 0xbb, 0x61, 0xe1, 0x5a, + 0x1c, 0xde, 0x7, 0x40, 0xac, 0x7f, 0x79, 0x3b, 0xba, 0x75}, + {0x96, 0xd1, 0xcd, 0x70, 0xc0, 0xdb, 0x39, 0x62, 0x9a, 0x8a, 0x7d, + 0x6c, 0x8b, 0x8a, 0xfe, 0x60, 0x60, 0x12, 0x40, 0xeb, 0xbc, 0x47, + 0x88, 0xb3, 0x5e, 0x9e, 0x77, 0x87, 0x7b, 0xd0, 0x4, 0x9}, + }, + { + {0xb9, 0x40, 0xf9, 0x48, 0x66, 0x2d, 0x32, 0xf4, 0x39, 0xc, 0x2d, + 0xbd, 0xc, 0x2f, 0x95, 0x6, 0x31, 0xf9, 0x81, 0xa0, 0xad, 0x97, + 0x76, 0x16, 0x6c, 0x2a, 0xf7, 0xba, 
0xce, 0xaa, 0x40, 0x62}, + {0x9c, 0x91, 0xba, 0xdd, 0xd4, 0x1f, 0xce, 0xb4, 0xaa, 0x8d, 0x4c, + 0xc7, 0x3e, 0xdb, 0x31, 0xcf, 0x51, 0xcc, 0x86, 0xad, 0x63, 0xcc, + 0x63, 0x2c, 0x7, 0xde, 0x1d, 0xbc, 0x3f, 0x14, 0xe2, 0x43}, + {0xa0, 0x95, 0xa2, 0x5b, 0x9c, 0x74, 0x34, 0xf8, 0x5a, 0xd2, 0x37, + 0xca, 0x5b, 0x7c, 0x94, 0xd6, 0x6a, 0x31, 0xc9, 0xe7, 0xa7, 0x3b, + 0xf1, 0x66, 0xac, 0xc, 0xb4, 0x8d, 0x23, 0xaf, 0xbd, 0x56}, + }, + { + {0xb2, 0x3b, 0x9d, 0xc1, 0x6c, 0xd3, 0x10, 0x13, 0xb9, 0x86, 0x23, + 0x62, 0xb7, 0x6b, 0x2a, 0x6, 0x5c, 0x4f, 0xa1, 0xd7, 0x91, 0x85, + 0x9b, 0x7c, 0x54, 0x57, 0x1e, 0x7e, 0x50, 0x31, 0xaa, 0x3}, + {0xeb, 0x33, 0x35, 0xf5, 0xe3, 0xb9, 0x2a, 0x36, 0x40, 0x3d, 0xb9, + 0x6e, 0xd5, 0x68, 0x85, 0x33, 0x72, 0x55, 0x5a, 0x1d, 0x52, 0x14, + 0xe, 0x9e, 0x18, 0x13, 0x74, 0x83, 0x6d, 0xa8, 0x24, 0x1d}, + {0x1f, 0xce, 0xd4, 0xff, 0x48, 0x76, 0xec, 0xf4, 0x1c, 0x8c, 0xac, + 0x54, 0xf0, 0xea, 0x45, 0xe0, 0x7c, 0x35, 0x9, 0x1d, 0x82, 0x25, + 0xd2, 0x88, 0x59, 0x48, 0xeb, 0x9a, 0xdc, 0x61, 0xb2, 0x43}, + }, + { + {0x64, 0x13, 0x95, 0x6c, 0x8b, 0x3d, 0x51, 0x19, 0x7b, 0xf4, 0xb, + 0x0, 0x26, 0x71, 0xfe, 0x94, 0x67, 0x95, 0x4f, 0xd5, 0xdd, 0x10, + 0x8d, 0x2, 0x64, 0x9, 0x94, 0x42, 0xe2, 0xd5, 0xb4, 0x2}, + {0xbb, 0x79, 0xbb, 0x88, 0x19, 0x1e, 0x5b, 0xe5, 0x9d, 0x35, 0x7a, + 0xc1, 0x7d, 0xd0, 0x9e, 0xa0, 0x33, 0xea, 0x3d, 0x60, 0xe2, 0x2e, + 0x2c, 0xb0, 0xc2, 0x6b, 0x27, 0x5b, 0xcf, 0x55, 0x60, 0x32}, + {0xf2, 0x8d, 0xd1, 0x28, 0xcb, 0x55, 0xa1, 0xb4, 0x8, 0xe5, 0x6c, + 0x18, 0x46, 0x46, 0xcc, 0xea, 0x89, 0x43, 0x82, 0x6c, 0x93, 0xf4, + 0x9c, 0xc4, 0x10, 0x34, 0x5d, 0xae, 0x9, 0xc8, 0xa6, 0x27}, + }, + { + {0x54, 0x69, 0x3d, 0xc4, 0xa, 0x27, 0x2c, 0xcd, 0xb2, 0xca, 0x66, + 0x6a, 0x57, 0x3e, 0x4a, 0xdd, 0x6c, 0x3, 0xd7, 0x69, 0x24, 0x59, + 0xfa, 0x79, 0x99, 0x25, 0x8c, 0x3d, 0x60, 0x3, 0x15, 0x22}, + {0x88, 0xb1, 0xd, 0x1f, 0xcd, 0xeb, 0xa6, 0x8b, 0xe8, 0x5b, 0x5a, + 0x67, 0x3a, 0xd7, 0xd3, 0x37, 0x5a, 0x58, 0xf5, 0x15, 0xa3, 0xdf, + 0x2e, 0xf2, 0x7e, 0xa1, 
0x60, 0xff, 0x74, 0x71, 0xb6, 0x2c}, + {0xd0, 0xe1, 0xb, 0x39, 0xf9, 0xcd, 0xee, 0x59, 0xf1, 0xe3, 0x8c, + 0x72, 0x44, 0x20, 0x42, 0xa9, 0xf4, 0xf0, 0x94, 0x7a, 0x66, 0x1c, + 0x89, 0x82, 0x36, 0xf4, 0x90, 0x38, 0xb7, 0xf4, 0x1d, 0x7b}, + }, + { + {0x8c, 0xf5, 0xf8, 0x7, 0x18, 0x22, 0x2e, 0x5f, 0xd4, 0x9, 0x94, + 0xd4, 0x9f, 0x5c, 0x55, 0xe3, 0x30, 0xa6, 0xb6, 0x1f, 0x8d, 0xa8, + 0xaa, 0xb2, 0x3d, 0xe0, 0x52, 0xd3, 0x45, 0x82, 0x69, 0x68}, + {0x24, 0xa2, 0xb2, 0xb3, 0xe0, 0xf2, 0x92, 0xe4, 0x60, 0x11, 0x55, + 0x2b, 0x6, 0x9e, 0x6c, 0x7c, 0xe, 0x7b, 0x7f, 0xd, 0xe2, 0x8f, + 0xeb, 0x15, 0x92, 0x59, 0xfc, 0x58, 0x26, 0xef, 0xfc, 0x61}, + {0x7a, 0x18, 0x18, 0x2a, 0x85, 0x5d, 0xb1, 0xdb, 0xd7, 0xac, 0xdd, + 0x86, 0xd3, 0xaa, 0xe4, 0xf3, 0x82, 0xc4, 0xf6, 0xf, 0x81, 0xe2, + 0xba, 0x44, 0xcf, 0x1, 0xaf, 0x3d, 0x47, 0x4c, 0xcf, 0x46}, + }, + { + {0x40, 0x81, 0x49, 0xf1, 0xa7, 0x6e, 0x3c, 0x21, 0x54, 0x48, 0x2b, + 0x39, 0xf8, 0x7e, 0x1e, 0x7c, 0xba, 0xce, 0x29, 0x56, 0x8c, 0xc3, + 0x88, 0x24, 0xbb, 0xc5, 0x8c, 0xd, 0xe5, 0xaa, 0x65, 0x10}, + {0xf9, 0xe5, 0xc4, 0x9e, 0xed, 0x25, 0x65, 0x42, 0x3, 0x33, 0x90, + 0x16, 0x1, 0xda, 0x5e, 0xe, 0xdc, 0xca, 0xe5, 0xcb, 0xf2, 0xa7, + 0xb1, 0x72, 0x40, 0x5f, 0xeb, 0x14, 0xcd, 0x7b, 0x38, 0x29}, + {0x57, 0xd, 0x20, 0xdf, 0x25, 0x45, 0x2c, 0x1c, 0x4a, 0x67, 0xca, + 0xbf, 0xd6, 0x2d, 0x3b, 0x5c, 0x30, 0x40, 0x83, 0xe1, 0xb1, 0xe7, + 0x7, 0xa, 0x16, 0xe7, 0x1c, 0x4f, 0xe6, 0x98, 0xa1, 0x69}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1313240518756327, 1721896294296942, 52263574587266, - 2065069734239232, 804910473424630 -#else - 44042215, 19568808, 16133486, 25658254, 63719298, 778787, - 66198528, 30771936, 47722230, 11994100 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1337466662091884, 1287645354669772, 2018019646776184, - 652181229374245, 898011753211715 -#else - 21691500, 19929806, 66467532, 19187410, 3285880, 30070836, - 42044197, 9718257, 59631427, 13381417 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 
1969792547910734, 779969968247557, 2011350094423418, - 1823964252907487, 1058949448296945 -#else - 18445390, 29352196, 14979845, 11622458, 65381754, 29971451, - 23111647, 27179185, 28535281, 15779576 -#endif - }}, + {0xed, 0xca, 0xc5, 0xdc, 0x34, 0x44, 0x1, 0xe1, 0x33, 0xfb, 0x84, + 0x3c, 0x96, 0x5d, 0xed, 0x47, 0xe7, 0xa0, 0x86, 0xed, 0x76, 0x95, + 0x1, 0x70, 0xe4, 0xf9, 0x67, 0xd2, 0x7b, 0x69, 0xb2, 0x25}, + {0xbc, 0x78, 0x1a, 0xd9, 0xe0, 0xb2, 0x62, 0x90, 0x67, 0x96, 0x50, + 0xc8, 0x9c, 0x88, 0xc9, 0x47, 0xb8, 0x70, 0x50, 0x40, 0x66, 0x4a, + 0xf5, 0x9d, 0xbf, 0xa1, 0x93, 0x24, 0xa9, 0xe6, 0x69, 0x73}, + {0x64, 0x68, 0x98, 0x13, 0xfb, 0x3f, 0x67, 0x9d, 0xb8, 0xc7, 0x5d, + 0x41, 0xd9, 0xfb, 0xa5, 0x3c, 0x5e, 0x3b, 0x27, 0xdf, 0x3b, 0xcc, + 0x4e, 0xe0, 0xd2, 0x4c, 0x4e, 0xb5, 0x3d, 0x68, 0x20, 0x14}, + }, + { + {0xd0, 0x5a, 0xcc, 0xc1, 0x6f, 0xbb, 0xee, 0x34, 0x8b, 0xac, 0x46, + 0x96, 0xe9, 0xc, 0x1b, 0x6a, 0x53, 0xde, 0x6b, 0xa6, 0x49, 0xda, + 0xb0, 0xd3, 0xc1, 0x81, 0xd0, 0x61, 0x41, 0x3b, 0xe8, 0x31}, + {0x97, 0xd1, 0x9d, 0x24, 0x1e, 0xbd, 0x78, 0xb4, 0x2, 0xc1, 0x58, + 0x5e, 0x0, 0x35, 0xc, 0x62, 0x5c, 0xac, 0xba, 0xcc, 0x2f, 0xd3, + 0x2, 0xfb, 0x2d, 0xa7, 0x8, 0xf5, 0xeb, 0x3b, 0xb6, 0x60}, + {0x4f, 0x2b, 0x6, 0x9e, 0x12, 0xc7, 0xe8, 0x97, 0xd8, 0xa, 0x32, + 0x29, 0x4f, 0x8f, 0xe4, 0x49, 0x3f, 0x68, 0x18, 0x6f, 0x4b, 0xe1, + 0xec, 0x5b, 0x17, 0x3, 0x55, 0x2d, 0xb6, 0x1e, 0xcf, 0x55}, + }, + { + {0x52, 0x8c, 0xf5, 0x7d, 0xe3, 0xb5, 0x76, 0x30, 0x36, 0xcc, 0x99, + 0xe7, 0xdd, 0xb9, 0x3a, 0xd7, 0x20, 0xee, 0x13, 0x49, 0xe3, 0x1c, + 0x83, 0xbd, 0x33, 0x1, 0xba, 0x62, 0xaa, 0xfb, 0x56, 0x1a}, + {0x58, 0x3d, 0xc2, 0x65, 0x10, 0x10, 0x79, 0x58, 0x9c, 0x81, 0x94, + 0x50, 0x6d, 0x8, 0x9d, 0x8b, 0xa7, 0x5f, 0xc5, 0x12, 0xa9, 0x2f, + 0x40, 0xe2, 0xd4, 0x91, 0x8, 0x57, 0x64, 0x65, 0x9a, 0x66}, + {0xec, 0xc9, 0x9d, 0x5c, 0x50, 0x6b, 0x3e, 0x94, 0x1a, 0x37, 0x7c, + 0xa7, 0xbb, 0x57, 0x25, 0x30, 0x51, 0x76, 0x34, 0x41, 0x56, 0xae, + 0x73, 0x98, 0x5c, 0x8a, 0xc5, 0x99, 0x67, 
0x83, 0xc4, 0x13}, + }, + { + {0x80, 0xd0, 0x8b, 0x5d, 0x6a, 0xfb, 0xdc, 0xc4, 0x42, 0x48, 0x1a, + 0x57, 0xec, 0xc4, 0xeb, 0xde, 0x65, 0x53, 0xe5, 0xb8, 0x83, 0xe8, + 0xb2, 0xd4, 0x27, 0xb8, 0xe5, 0xc8, 0x7d, 0xc8, 0xbd, 0x50}, + {0xb9, 0xe1, 0xb3, 0x5a, 0x46, 0x5d, 0x3a, 0x42, 0x61, 0x3f, 0xf1, + 0xc7, 0x87, 0xc1, 0x13, 0xfc, 0xb6, 0xb9, 0xb5, 0xec, 0x64, 0x36, + 0xf8, 0x19, 0x7, 0xb6, 0x37, 0xa6, 0x93, 0xc, 0xf8, 0x66}, + {0x11, 0xe1, 0xdf, 0x6e, 0x83, 0x37, 0x6d, 0x60, 0xd9, 0xab, 0x11, + 0xf0, 0x15, 0x3e, 0x35, 0x32, 0x96, 0x3b, 0xb7, 0x25, 0xc3, 0x3a, + 0xb0, 0x64, 0xae, 0xd5, 0x5f, 0x72, 0x44, 0x64, 0xd5, 0x1d}, + }, + { + {0x9a, 0xc8, 0xba, 0x8, 0x0, 0xe6, 0x97, 0xc2, 0xe0, 0xc3, 0xe1, + 0xea, 0x11, 0xea, 0x4c, 0x7d, 0x7c, 0x97, 0xe7, 0x9f, 0xe1, 0x8b, + 0xe3, 0xf3, 0xcd, 0x5, 0xa3, 0x63, 0xf, 0x45, 0x3a, 0x3a}, + {0x7d, 0x12, 0x62, 0x33, 0xf8, 0x7f, 0xa4, 0x8f, 0x15, 0x7c, 0xcd, + 0x71, 0xc4, 0x6a, 0x9f, 0xbc, 0x8b, 0xc, 0x22, 0x49, 0x43, 0x45, + 0x71, 0x6e, 0x2e, 0x73, 0x9f, 0x21, 0x12, 0x59, 0x64, 0xe}, + {0x27, 0x46, 0x39, 0xd8, 0x31, 0x2f, 0x8f, 0x7, 0x10, 0xa5, 0x94, + 0xde, 0x83, 0x31, 0x9d, 0x38, 0x80, 0x6f, 0x99, 0x17, 0x6d, 0x6c, + 0xe3, 0xd1, 0x7b, 0xa8, 0xa9, 0x93, 0x93, 0x8d, 0x8c, 0x31}, + }, + { + {0x98, 0xd3, 0x1d, 0xab, 0x29, 0x9e, 0x66, 0x5d, 0x3b, 0x9e, 0x2d, + 0x34, 0x58, 0x16, 0x92, 0xfc, 0xcd, 0x73, 0x59, 0xf3, 0xfd, 0x1d, + 0x85, 0x55, 0xf6, 0xa, 0x95, 0x25, 0xc3, 0x41, 0x9a, 0x50}, + {0x19, 0xfe, 0xff, 0x2a, 0x3, 0x5d, 0x74, 0xf2, 0x66, 0xdb, 0x24, + 0x7f, 0x49, 0x3c, 0x9f, 0xc, 0xef, 0x98, 0x85, 0xba, 0xe3, 0xd3, + 0x98, 0xbc, 0x14, 0x53, 0x1d, 0x9a, 0x67, 0x7c, 0x4c, 0x22}, + {0xe9, 0x25, 0xf9, 0xa6, 0xdc, 0x6e, 0xc0, 0xbd, 0x33, 0x1f, 0x1b, + 0x64, 0xf4, 0xf3, 0x3e, 0x79, 0x89, 0x3e, 0x83, 0x9d, 0x80, 0x12, + 0xec, 0x82, 0x89, 0x13, 0xa1, 0x28, 0x23, 0xf0, 0xbf, 0x5}, + }, + { + {0xe4, 0x12, 0xc5, 0xd, 0xdd, 0xa0, 0x81, 0x68, 0xfe, 0xfa, 0xa5, + 0x44, 0xc8, 0xd, 0xe7, 0x4f, 0x40, 0x52, 0x4a, 0x8f, 0x6b, 0x8e, + 0x74, 0x1f, 0xea, 
0xa3, 0x1, 0xee, 0xcd, 0x77, 0x62, 0x57}, + {0xb, 0xe0, 0xca, 0x23, 0x70, 0x13, 0x32, 0x36, 0x59, 0xcf, 0xac, + 0xd1, 0xa, 0xcf, 0x4a, 0x54, 0x88, 0x1c, 0x1a, 0xd2, 0x49, 0x10, + 0x74, 0x96, 0xa7, 0x44, 0x2a, 0xfa, 0xc3, 0x8c, 0xb, 0x78}, + {0x5f, 0x30, 0x4f, 0x23, 0xbc, 0x8a, 0xf3, 0x1e, 0x8, 0xde, 0x5, + 0x14, 0xbd, 0x7f, 0x57, 0x9a, 0xd, 0x2a, 0xe6, 0x34, 0x14, 0xa5, + 0x82, 0x5e, 0xa1, 0xb7, 0x71, 0x62, 0x72, 0x18, 0xf4, 0x5f}, + }, + { + {0x40, 0x95, 0xb6, 0x13, 0xe8, 0x47, 0xdb, 0xe5, 0xe1, 0x10, 0x26, + 0x43, 0x3b, 0x2a, 0x5d, 0xf3, 0x76, 0x12, 0x78, 0x38, 0xe9, 0x26, + 0x1f, 0xac, 0x69, 0xcb, 0xa0, 0xa0, 0x8c, 0xdb, 0xd4, 0x29}, + {0x9d, 0xdb, 0x89, 0x17, 0xc, 0x8, 0x8e, 0x39, 0xf5, 0x78, 0xe7, + 0xf3, 0x25, 0x20, 0x60, 0xa7, 0x5d, 0x3, 0xbd, 0x6, 0x4c, 0x89, + 0x98, 0xfa, 0xbe, 0x66, 0xa9, 0x25, 0xdc, 0x3, 0x6a, 0x10}, + {0xd0, 0x53, 0x33, 0x33, 0xaf, 0xa, 0xad, 0xd9, 0xe5, 0x9, 0xd3, + 0xac, 0xa5, 0x9d, 0x66, 0x38, 0xf0, 0xf7, 0x88, 0xc8, 0x8a, 0x65, + 0x57, 0x3c, 0xfa, 0xbe, 0x2c, 0x5, 0x51, 0x8a, 0xb3, 0x4a}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 207343737062002, 1118176942430253, 758894594548164, - 806764629546266, 1157700123092949 -#else - 30098034, 3089662, 57874477, 16662134, 45801924, 11308410, - 53040410, 12021729, 9955285, 17251076 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1273565321399022, 1638509681964574, 759235866488935, - 666015124346707, 897983460943405 -#else - 9734894, 18977602, 59635230, 24415696, 2060391, 11313496, - 48682835, 9924398, 20194861, 13380996 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1717263794012298, 1059601762860786, 1837819172257618, - 1054130665797229, 680893204263559 -#else - 40730762, 25589224, 44941042, 15789296, 49053522, 27385639, - 65123949, 15707770, 26342023, 10146099 -#endif - }}, + {0x9c, 0xc0, 0xdd, 0x5f, 0xef, 0xd1, 0xcf, 0xd6, 0xce, 0x5d, 0x57, + 0xf7, 0xfd, 0x3e, 0x2b, 0xe8, 0xc2, 0x34, 0x16, 0x20, 0x5d, 0x6b, + 0xd5, 0x25, 0x9b, 0x2b, 0xed, 0x4, 0xbb, 0xc6, 0x41, 0x30}, + {0x93, 
0xd5, 0x68, 0x67, 0x25, 0x2b, 0x7c, 0xda, 0x13, 0xca, 0x22, + 0x44, 0x57, 0xc0, 0xc1, 0x98, 0x1d, 0xce, 0xa, 0xca, 0xd5, 0xb, + 0xa8, 0xf1, 0x90, 0xa6, 0x88, 0xc0, 0xad, 0xd1, 0xcd, 0x29}, + {0x48, 0xe1, 0x56, 0xd9, 0xf9, 0xf2, 0xf2, 0xf, 0x2e, 0x6b, 0x35, + 0x9f, 0x75, 0x97, 0xe7, 0xad, 0x5c, 0x2, 0x6c, 0x5f, 0xbb, 0x98, + 0x46, 0x1a, 0x7b, 0x9a, 0x4, 0x14, 0x68, 0xbd, 0x4b, 0x10}, + }, + { + {0x63, 0xf1, 0x7f, 0xd6, 0x5f, 0x9a, 0x5d, 0xa9, 0x81, 0x56, 0xc7, + 0x4c, 0x9d, 0xe6, 0x2b, 0xe9, 0x57, 0xf2, 0x20, 0xde, 0x4c, 0x2, + 0xf8, 0xb7, 0xf5, 0x2d, 0x7, 0xfb, 0x20, 0x2a, 0x4f, 0x20}, + {0x67, 0xed, 0xf1, 0x68, 0x31, 0xfd, 0xf0, 0x51, 0xc2, 0x3b, 0x6f, + 0xd8, 0xcd, 0x1d, 0x81, 0x2c, 0xde, 0xf2, 0xd2, 0x4, 0x43, 0x5c, + 0xdc, 0x44, 0x49, 0x71, 0x2a, 0x9, 0x57, 0xcc, 0xe8, 0x5b}, + {0x79, 0xb0, 0xeb, 0x30, 0x3d, 0x3b, 0x14, 0xc8, 0x30, 0x2e, 0x65, + 0xbd, 0x5a, 0x15, 0x89, 0x75, 0x31, 0x5c, 0x6d, 0x8f, 0x31, 0x3c, + 0x3c, 0x65, 0x1f, 0x16, 0x79, 0xc2, 0x17, 0xfb, 0x70, 0x25}, + }, + { + {0x5a, 0x24, 0xb8, 0xb, 0x55, 0xa9, 0x2e, 0x19, 0xd1, 0x50, 0x90, + 0x8f, 0xa8, 0xfb, 0xe6, 0xc8, 0x35, 0xc9, 0xa4, 0x88, 0x2d, 0xea, + 0x86, 0x79, 0x68, 0x86, 0x1, 0xde, 0x91, 0x5f, 0x1c, 0x24}, + {0x75, 0x15, 0xb6, 0x2c, 0x7f, 0x36, 0xfa, 0x3e, 0x6c, 0x2, 0xd6, + 0x1c, 0x76, 0x6f, 0xf9, 0xf5, 0x62, 0x25, 0xb5, 0x65, 0x2a, 0x14, + 0xc7, 0xe8, 0xcd, 0xa, 0x3, 0x53, 0xea, 0x65, 0xcb, 0x3d}, + {0xaa, 0x6c, 0xde, 0x40, 0x29, 0x17, 0xd8, 0x28, 0x3a, 0x73, 0xd9, + 0x22, 0xf0, 0x2c, 0xbf, 0x8f, 0xd1, 0x1, 0x5b, 0x23, 0xdd, 0xfc, + 0xd7, 0x16, 0xe5, 0xf0, 0xcd, 0x5f, 0xdd, 0xe, 0x42, 0x8}, + }, + { + {0xce, 0x10, 0xf4, 0x4, 0x4e, 0xc3, 0x58, 0x3, 0x85, 0x6, 0x6e, + 0x27, 0x5a, 0x5b, 0x13, 0xb6, 0x21, 0x15, 0xb9, 0xeb, 0xc7, 0x70, + 0x96, 0x5d, 0x9c, 0x88, 0xdb, 0x21, 0xf3, 0x54, 0xd6, 0x4}, + {0x4a, 0xfa, 0x62, 0x83, 0xab, 0x20, 0xff, 0xcd, 0x6e, 0x3e, 0x1a, + 0xe2, 0xd4, 0x18, 0xe1, 0x57, 0x2b, 0xe6, 0x39, 0xfc, 0x17, 0x96, + 0x17, 0xe3, 0xfd, 0x69, 0x17, 0xbc, 0xef, 0x53, 0x9a, 0xd}, + 
{0xd5, 0xb5, 0xbd, 0xdd, 0x16, 0xc1, 0x7d, 0x5e, 0x2d, 0xdd, 0xa5, + 0x8d, 0xb6, 0xde, 0x54, 0x29, 0x92, 0xa2, 0x34, 0x33, 0x17, 0x8, + 0xb6, 0x1c, 0xd7, 0x1a, 0x99, 0x18, 0x26, 0x4f, 0x7a, 0x4a}, + }, + { + {0x4b, 0x2a, 0x37, 0xaf, 0x91, 0xb2, 0xc3, 0x24, 0xf2, 0x47, 0x81, + 0x71, 0x70, 0x82, 0xda, 0x93, 0xf2, 0x9e, 0x89, 0x86, 0x64, 0x85, + 0x84, 0xdd, 0x33, 0xee, 0xe0, 0x23, 0x42, 0x31, 0x96, 0x4a}, + {0x95, 0x5f, 0xb1, 0x5f, 0x2, 0x18, 0xa7, 0xf4, 0x8f, 0x1b, 0x5c, + 0x6b, 0x34, 0x5f, 0xf6, 0x3d, 0x12, 0x11, 0xe0, 0x0, 0x85, 0xf0, + 0xfc, 0xcd, 0x48, 0x18, 0xd3, 0xdd, 0x4c, 0xc, 0xb5, 0x11}, + {0xd6, 0xff, 0xa4, 0x8, 0x44, 0x27, 0xe8, 0xa6, 0xd9, 0x76, 0x15, + 0x9c, 0x7e, 0x17, 0x8e, 0x73, 0xf2, 0xb3, 0x2, 0x3d, 0xb6, 0x48, + 0x33, 0x77, 0x51, 0xcc, 0x6b, 0xce, 0x4d, 0xce, 0x4b, 0x4f}, + }, + { + {0x6f, 0xb, 0x9d, 0xc4, 0x6e, 0x61, 0xe2, 0x30, 0x17, 0x23, 0xec, + 0xca, 0x8f, 0x71, 0x56, 0xe4, 0xa6, 0x4f, 0x6b, 0xf2, 0x9b, 0x40, + 0xeb, 0x48, 0x37, 0x5f, 0x59, 0x61, 0xe5, 0xce, 0x42, 0x30}, + {0x84, 0x25, 0x24, 0xe2, 0x5a, 0xce, 0x1f, 0xa7, 0x9e, 0x8a, 0xf5, + 0x92, 0x56, 0x72, 0xea, 0x26, 0xf4, 0x3c, 0xea, 0x1c, 0xd7, 0x9, + 0x1a, 0xd2, 0xe6, 0x1, 0x1c, 0xb7, 0x14, 0xdd, 0xfc, 0x73}, + {0x41, 0xac, 0x9b, 0x44, 0x79, 0x70, 0x7e, 0x42, 0xa, 0x31, 0xe2, + 0xbc, 0x6d, 0xe3, 0x5a, 0x85, 0x7c, 0x1a, 0x84, 0x5f, 0x21, 0x76, + 0xae, 0x4c, 0xd6, 0xe1, 0x9c, 0x9a, 0xc, 0x74, 0x9e, 0x38}, + }, + { + {0x28, 0xac, 0xe, 0x57, 0xf6, 0x78, 0xbd, 0xc9, 0xe1, 0x9c, 0x91, + 0x27, 0x32, 0xb, 0x5b, 0xe5, 0xed, 0x91, 0x9b, 0xa1, 0xab, 0x3e, + 0xfc, 0x65, 0x90, 0x36, 0x26, 0xd6, 0xe5, 0x25, 0xc4, 0x25}, + {0xce, 0xb9, 0xdc, 0x34, 0xae, 0xb3, 0xfc, 0x64, 0xad, 0xd0, 0x48, + 0xe3, 0x23, 0x3, 0x50, 0x97, 0x1b, 0x38, 0xc6, 0x62, 0x7d, 0xf0, + 0xb3, 0x45, 0x88, 0x67, 0x5a, 0x46, 0x79, 0x53, 0x54, 0x61}, + {0x6e, 0xde, 0xd7, 0xf1, 0xa6, 0x6, 0x3e, 0x3f, 0x8, 0x23, 0x6, + 0x8e, 0x27, 0x76, 0xf9, 0x3e, 0x77, 0x6c, 0x8a, 0x4e, 0x26, 0xf6, + 0x14, 0x8c, 0x59, 0x47, 0x48, 0x15, 0x89, 0xa0, 
0x39, 0x65}, + }, + { + {0x19, 0x4a, 0xbb, 0x14, 0xd4, 0xdb, 0xc4, 0xdd, 0x8e, 0x4f, 0x42, + 0x98, 0x3c, 0xbc, 0xb2, 0x19, 0x69, 0x71, 0xca, 0x36, 0xd7, 0x9f, + 0xa8, 0x48, 0x90, 0xbd, 0x19, 0xf0, 0xe, 0x32, 0x65, 0xf}, + {0x73, 0xf7, 0xd2, 0xc3, 0x74, 0x1f, 0xd2, 0xe9, 0x45, 0x68, 0xc4, + 0x25, 0x41, 0x54, 0x50, 0xc1, 0x33, 0x9e, 0xb9, 0xf9, 0xe8, 0x5c, + 0x4e, 0x62, 0x6c, 0x18, 0xcd, 0xc5, 0xaa, 0xe4, 0xc5, 0x11}, + {0xc6, 0xe0, 0xfd, 0xca, 0xb1, 0xd1, 0x86, 0xd4, 0x81, 0x51, 0x3b, + 0x16, 0xe3, 0xe6, 0x3f, 0x4f, 0x9a, 0x93, 0xf2, 0xfa, 0xd, 0xaf, + 0xa8, 0x59, 0x2a, 0x7, 0x33, 0xec, 0xbd, 0xc7, 0xab, 0x4c}, }, }, { { - {{ -#if defined(OPENSSL_64_BIT) - 2237039662793603, 2249022333361206, 2058613546633703, - 149454094845279, 2215176649164582 -#else - 41091971, 33334488, 21339190, 33513044, 19745255, 30675732, - 37471583, 2227039, 21612326, 33008704 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 79472182719605, 1851130257050174, 1825744808933107, - 821667333481068, 781795293511946 -#else - 54031477, 1184227, 23562814, 27583990, 46757619, 27205717, - 25764460, 12243797, 46252298, 11649657 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 755822026485370, 152464789723500, 1178207602290608, - 410307889503239, 156581253571278 -#else - 57077370, 11262625, 27384172, 2271902, 26947504, 17556661, - 39943, 6114064, 33514190, 2333242 -#endif - }}, + {0x89, 0xd2, 0x78, 0x3f, 0x8f, 0x78, 0x8f, 0xc0, 0x9f, 0x4d, 0x40, + 0xa1, 0x2c, 0xa7, 0x30, 0xfe, 0x9d, 0xcc, 0x65, 0xcf, 0xfc, 0x8b, + 0x77, 0xf2, 0x21, 0x20, 0xcb, 0x5a, 0x16, 0x98, 0xe4, 0x7e}, + {0x2e, 0xa, 0x9c, 0x8, 0x24, 0x96, 0x9e, 0x23, 0x38, 0x47, 0xfe, + 0x3a, 0xc0, 0xc4, 0x48, 0xc7, 0x2a, 0xa1, 0x4f, 0x76, 0x2a, 0xed, + 0xdb, 0x17, 0x82, 0x85, 0x1c, 0x32, 0xf0, 0x93, 0x9b, 0x63}, + {0xc3, 0xa1, 0x11, 0x91, 0xe3, 0x8, 0xd5, 0x7b, 0x89, 0x74, 0x90, + 0x80, 0xd4, 0x90, 0x2b, 0x2b, 0x19, 0xfd, 0x72, 0xae, 0xc2, 0xae, + 0xd2, 0xe7, 0xa6, 0x2, 0xb6, 0x85, 0x3c, 0x49, 0xdf, 0xe}, + }, + { + {0x13, 0x41, 0x76, 0x84, 
0xd2, 0xc4, 0x67, 0x67, 0x35, 0xf8, 0xf5, + 0xf7, 0x3f, 0x40, 0x90, 0xa0, 0xde, 0xbe, 0xe6, 0xca, 0xfa, 0xcf, + 0x8f, 0x1c, 0x69, 0xa3, 0xdf, 0xd1, 0x54, 0xc, 0xc0, 0x4}, + {0x68, 0x5a, 0x9b, 0x59, 0x58, 0x81, 0xcc, 0xae, 0xe, 0xe2, 0xad, + 0xeb, 0xf, 0x4f, 0x57, 0xea, 0x7, 0x7f, 0xb6, 0x22, 0x74, 0x1d, + 0xe4, 0x4f, 0xb4, 0x4f, 0x9d, 0x1, 0xe3, 0x92, 0x3b, 0x40}, + {0xf8, 0x5c, 0x46, 0x8b, 0x81, 0x2f, 0xc2, 0x4d, 0xf8, 0xef, 0x80, + 0x14, 0x5a, 0xf3, 0xa0, 0x71, 0x57, 0xd6, 0xc7, 0x4, 0xad, 0xbf, + 0xe8, 0xae, 0xf4, 0x76, 0x61, 0xb2, 0x2a, 0xb1, 0x5b, 0x35}, + }, + { + {0x18, 0x73, 0x8c, 0x5a, 0xc7, 0xda, 0x1, 0xa3, 0x11, 0xaa, 0xce, + 0xb3, 0x9d, 0x3, 0x90, 0xed, 0x2d, 0x3f, 0xae, 0x3b, 0xbf, 0x7c, + 0x7, 0x6f, 0x8e, 0xad, 0x52, 0xe0, 0xf8, 0xea, 0x18, 0x75}, + {0xf4, 0xbb, 0x93, 0x74, 0xcc, 0x64, 0x1e, 0xa7, 0xc3, 0xb0, 0xa3, + 0xec, 0xd9, 0x84, 0xbd, 0xe5, 0x85, 0xe7, 0x5, 0xfa, 0xc, 0xc5, + 0x6b, 0xa, 0x12, 0xc3, 0x2e, 0x18, 0x32, 0x81, 0x9b, 0xf}, + {0x32, 0x6c, 0x7f, 0x1b, 0xc4, 0x59, 0x88, 0xa4, 0x98, 0x32, 0x38, + 0xf4, 0xbc, 0x60, 0x2d, 0xf, 0xd9, 0xd1, 0xb1, 0xc9, 0x29, 0xa9, + 0x15, 0x18, 0xc4, 0x55, 0x17, 0xbb, 0x1b, 0x87, 0xc3, 0x47}, + }, + { + {0xb0, 0x66, 0x50, 0xc8, 0x50, 0x5d, 0xe6, 0xfb, 0xb0, 0x99, 0xa2, + 0xb3, 0xb0, 0xc4, 0xec, 0x62, 0xe0, 0xe8, 0x1a, 0x44, 0xea, 0x54, + 0x37, 0xe5, 0x5f, 0x8d, 0xd4, 0xe8, 0x2c, 0xa0, 0xfe, 0x8}, + {0x48, 0x4f, 0xec, 0x71, 0x97, 0x53, 0x44, 0x51, 0x6e, 0x5d, 0x8c, + 0xc9, 0x7d, 0xb1, 0x5, 0xf8, 0x6b, 0xc6, 0xc3, 0x47, 0x1a, 0xc1, + 0x62, 0xf7, 0xdc, 0x99, 0x46, 0x76, 0x85, 0x9b, 0xb8, 0x0}, + {0xd0, 0xea, 0xde, 0x68, 0x76, 0xdd, 0x4d, 0x82, 0x23, 0x5d, 0x68, + 0x4b, 0x20, 0x45, 0x64, 0xc8, 0x65, 0xd6, 0x89, 0x5d, 0xcd, 0xcf, + 0x14, 0xb5, 0x37, 0xd5, 0x75, 0x4f, 0xa7, 0x29, 0x38, 0x47}, + }, + { + {0xc9, 0x2, 0x39, 0xad, 0x3a, 0x53, 0xd9, 0x23, 0x8f, 0x58, 0x3, + 0xef, 0xce, 0xdd, 0xc2, 0x64, 0xb4, 0x2f, 0xe1, 0xcf, 0x90, 0x73, + 0x25, 0x15, 0x90, 0xd3, 0xe4, 0x44, 0x4d, 0x8b, 0x66, 0x6c}, + {0x18, 0xc4, 
0x79, 0x46, 0x75, 0xda, 0xd2, 0x82, 0xf0, 0x8d, 0x61, + 0xb2, 0xd8, 0xd7, 0x3b, 0xe6, 0xa, 0xeb, 0x47, 0xac, 0x24, 0xef, + 0x5e, 0x35, 0xb4, 0xc6, 0x33, 0x48, 0x4c, 0x68, 0x78, 0x20}, + {0xc, 0x82, 0x78, 0x7a, 0x21, 0xcf, 0x48, 0x3b, 0x97, 0x3e, 0x27, + 0x81, 0xb2, 0xa, 0x6a, 0xf7, 0x7b, 0xed, 0x8e, 0x8c, 0xa7, 0x65, + 0x6c, 0xa9, 0x3f, 0x43, 0x8a, 0x4f, 0x5, 0xa6, 0x11, 0x74}, + }, + { + {0xb4, 0x75, 0xb1, 0x18, 0x3d, 0xe5, 0x9a, 0x57, 0x2, 0xa1, 0x92, + 0xf3, 0x59, 0x31, 0x71, 0x68, 0xf5, 0x35, 0xef, 0x1e, 0xba, 0xec, + 0x55, 0x84, 0x8f, 0x39, 0x8c, 0x45, 0x72, 0xa8, 0xc9, 0x1e}, + {0x6d, 0xc8, 0x9d, 0xb9, 0x32, 0x9d, 0x65, 0x4d, 0x15, 0xf1, 0x3a, + 0x60, 0x75, 0xdc, 0x4c, 0x4, 0x88, 0xe4, 0xc2, 0xdc, 0x2c, 0x71, + 0x4c, 0xb3, 0xff, 0x34, 0x81, 0xfb, 0x74, 0x65, 0x13, 0x7c}, + {0x9b, 0x50, 0xa2, 0x0, 0xd4, 0xa4, 0xe6, 0xb8, 0xb4, 0x82, 0xc8, + 0xb, 0x2, 0xd7, 0x81, 0x9b, 0x61, 0x75, 0x95, 0xf1, 0x9b, 0xcc, + 0xe7, 0x57, 0x60, 0x64, 0xcd, 0xc7, 0xa5, 0x88, 0xdd, 0x3a}, + }, + { + {0x46, 0x30, 0x39, 0x59, 0xd4, 0x98, 0xc2, 0x85, 0xec, 0x59, 0xf6, + 0x5f, 0x98, 0x35, 0x7e, 0x8f, 0x3a, 0x6e, 0xf6, 0xf2, 0x2a, 0xa2, + 0x2c, 0x1d, 0x20, 0xa7, 0x6, 0xa4, 0x31, 0x11, 0xba, 0x61}, + {0xf2, 0xdc, 0x35, 0xb6, 0x70, 0x57, 0x89, 0xab, 0xbc, 0x1f, 0x6c, + 0xf6, 0x6c, 0xef, 0xdf, 0x2, 0x87, 0xd1, 0xb6, 0xbe, 0x68, 0x2, + 0x53, 0x85, 0x74, 0x9e, 0x87, 0xcc, 0xfc, 0x29, 0x99, 0x24}, + {0x29, 0x90, 0x95, 0x16, 0xf1, 0xa0, 0xd0, 0xa3, 0x89, 0xbd, 0x7e, + 0xba, 0x6c, 0x6b, 0x3b, 0x2, 0x7, 0x33, 0x78, 0x26, 0x3e, 0x5a, + 0xf1, 0x7b, 0xe7, 0xec, 0xd8, 0xbb, 0xc, 0x31, 0x20, 0x56}, + }, + { + {0xd6, 0x85, 0xe2, 0x77, 0xf4, 0xb5, 0x46, 0x66, 0x93, 0x61, 0x8f, + 0x6c, 0x67, 0xff, 0xe8, 0x40, 0xdd, 0x94, 0xb5, 0xab, 0x11, 0x73, + 0xec, 0xa6, 0x4d, 0xec, 0x8c, 0x65, 0xf3, 0x46, 0xc8, 0x7e}, + {0x43, 0xd6, 0x34, 0x49, 0x43, 0x93, 0x89, 0x52, 0xf5, 0x22, 0x12, + 0xa5, 0x6, 0xf8, 0xdb, 0xb9, 0x22, 0x1c, 0xf4, 0xc3, 0x8f, 0x87, + 0x6d, 0x8f, 0x30, 0x97, 0x9d, 0x4d, 0x2a, 0x6a, 0x67, 0x37}, + 
{0xc7, 0x2e, 0xa2, 0x1d, 0x3f, 0x8f, 0x5e, 0x9b, 0x13, 0xcd, 0x1, + 0x6c, 0x77, 0x1d, 0xf, 0x13, 0xb8, 0x9f, 0x98, 0xa2, 0xcf, 0x8f, + 0x4c, 0x21, 0xd5, 0x9d, 0x9b, 0x39, 0x23, 0xf7, 0xaa, 0x6d}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1418185496130297, 484520167728613, 1646737281442950, - 1401487684670265, 1349185550126961 -#else - 45675257, 21132610, 8119781, 7219913, 45278342, 24538297, - 60429113, 20883793, 24350577, 20104431 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1495380034400429, 325049476417173, 46346894893933, - 1553408840354856, 828980101835683 -#else - 62992557, 22282898, 43222677, 4843614, 37020525, 690622, - 35572776, 23147595, 8317859, 12352766 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1280337889310282, 2070832742866672, 1640940617225222, - 2098284908289951, 450929509534434 -#else - 18200138, 19078521, 34021104, 30857812, 43406342, 24451920, - 43556767, 31266881, 20712162, 6719373 -#endif - }}, + {0xa2, 0x8e, 0xad, 0xac, 0xbf, 0x4, 0x3b, 0x58, 0x84, 0xe8, 0x8b, + 0x14, 0xe8, 0x43, 0xb7, 0x29, 0xdb, 0xc5, 0x10, 0x8, 0x3b, 0x58, + 0x1e, 0x2b, 0xaa, 0xbb, 0xb3, 0x8e, 0xe5, 0x49, 0x54, 0x2b}, + {0x47, 0xbe, 0x3d, 0xeb, 0x62, 0x75, 0x3a, 0x5f, 0xb8, 0xa0, 0xbd, + 0x8e, 0x54, 0x38, 0xea, 0xf7, 0x99, 0x72, 0x74, 0x45, 0x31, 0xe5, + 0xc3, 0x0, 0x51, 0xd5, 0x27, 0x16, 0xe7, 0xe9, 0x4, 0x13}, + {0xfe, 0x9c, 0xdc, 0x6a, 0xd2, 0x14, 0x98, 0x78, 0xb, 0xdd, 0x48, + 0x8b, 0x3f, 0xab, 0x1b, 0x3c, 0xa, 0xc6, 0x79, 0xf9, 0xff, 0xe1, + 0xf, 0xda, 0x93, 0xd6, 0x2d, 0x7c, 0x2d, 0xde, 0x68, 0x44}, + }, + { + {0xce, 0x7, 0x63, 0xf8, 0xc6, 0xd8, 0x9a, 0x4b, 0x28, 0xc, 0x5d, + 0x43, 0x31, 0x35, 0x11, 0x21, 0x2c, 0x77, 0x7a, 0x65, 0xc5, 0x66, + 0xa8, 0xd4, 0x52, 0x73, 0x24, 0x63, 0x7e, 0x42, 0xa6, 0x5d}, + {0x9e, 0x46, 0x19, 0x94, 0x5e, 0x35, 0xbb, 0x51, 0x54, 0xc7, 0xdd, + 0x23, 0x4c, 0xdc, 0xe6, 0x33, 0x62, 0x99, 0x7f, 0x44, 0xd6, 0xb6, + 0xa5, 0x93, 0x63, 0xbd, 0x44, 0xfb, 0x6f, 0x7c, 0xce, 0x6c}, + {0xca, 0x22, 0xac, 0xde, 0x88, 0xc6, 0x94, 
0x1a, 0xf8, 0x1f, 0xae, + 0xbb, 0xf7, 0x6e, 0x6, 0xb9, 0xf, 0x58, 0x59, 0x8d, 0x38, 0x8c, + 0xad, 0x88, 0xa8, 0x2c, 0x9f, 0xe7, 0xbf, 0x9a, 0xf2, 0x58}, + }, + { + {0xf6, 0xcd, 0xe, 0x71, 0xbf, 0x64, 0x5a, 0x4b, 0x3c, 0x29, 0x2c, + 0x46, 0x38, 0xe5, 0x4c, 0xb1, 0xb9, 0x3a, 0xb, 0xd5, 0x56, 0xd0, + 0x43, 0x36, 0x70, 0x48, 0x5b, 0x18, 0x24, 0x37, 0xf9, 0x6a}, + {0x68, 0x3e, 0xe7, 0x8d, 0xab, 0xcf, 0xe, 0xe9, 0xa5, 0x76, 0x7e, + 0x37, 0x9f, 0x6f, 0x3, 0x54, 0x82, 0x59, 0x1, 0xbe, 0xb, 0x5b, + 0x49, 0xf0, 0x36, 0x1e, 0xf4, 0xa7, 0xc4, 0x29, 0x76, 0x57}, + {0x88, 0xa8, 0xc6, 0x9, 0x45, 0x2, 0x20, 0x32, 0x73, 0x89, 0x55, + 0x4b, 0x13, 0x36, 0xe0, 0xd2, 0x9f, 0x28, 0x33, 0x3c, 0x23, 0x36, + 0xe2, 0x83, 0x8f, 0xc1, 0xae, 0xc, 0xbb, 0x25, 0x1f, 0x70}, + }, + { + {0x13, 0xc1, 0xbe, 0x7c, 0xd9, 0xf6, 0x18, 0x9d, 0xe4, 0xdb, 0xbf, + 0x74, 0xe6, 0x6, 0x4a, 0x84, 0xd6, 0x60, 0x4e, 0xac, 0x22, 0xb5, + 0xf5, 0x20, 0x51, 0x5e, 0x95, 0x50, 0xc0, 0x5b, 0xa, 0x72}, + {0xed, 0x6c, 0x61, 0xe4, 0xf8, 0xb0, 0xa8, 0xc3, 0x7d, 0xa8, 0x25, + 0x9e, 0xe, 0x66, 0x0, 0xf7, 0x9c, 0xa5, 0xbc, 0xf4, 0x1f, 0x6, + 0xe3, 0x61, 0xe9, 0xb, 0xc4, 0xbd, 0xbf, 0x92, 0xc, 0x2e}, + {0x35, 0x5a, 0x80, 0x9b, 0x43, 0x9, 0x3f, 0xc, 0xfc, 0xab, 0x42, + 0x62, 0x37, 0x8b, 0x4e, 0xe8, 0x46, 0x93, 0x22, 0x5c, 0xf3, 0x17, + 0x14, 0x69, 0xec, 0xf0, 0x4e, 0x14, 0xbb, 0x9c, 0x9b, 0xe}, + }, + { + {0xee, 0xbe, 0xb1, 0x5d, 0xd5, 0x9b, 0xee, 0x8d, 0xb9, 0x3f, 0x72, + 0xa, 0x37, 0xab, 0xc3, 0xc9, 0x91, 0xd7, 0x68, 0x1c, 0xbf, 0xf1, + 0xa8, 0x44, 0xde, 0x3c, 0xfd, 0x1c, 0x19, 0x44, 0x6d, 0x36}, + {0xad, 0x20, 0x57, 0xfb, 0x8f, 0xd4, 0xba, 0xfb, 0xe, 0xd, 0xf9, + 0xdb, 0x6b, 0x91, 0x81, 0xee, 0xbf, 0x43, 0x55, 0x63, 0x52, 0x31, + 0x81, 0xd4, 0xd8, 0x7b, 0x33, 0x3f, 0xeb, 0x4, 0x11, 0x22}, + {0x14, 0x8c, 0xbc, 0xf2, 0x43, 0x17, 0x3c, 0x9e, 0x3b, 0x6c, 0x85, + 0xb5, 0xfc, 0x26, 0xda, 0x2e, 0x97, 0xfb, 0xa7, 0x68, 0xe, 0x2f, + 0xb8, 0xcc, 0x44, 0x32, 0x59, 0xbc, 0xe6, 0xa4, 0x67, 0x41}, + }, + { + {0xee, 0x8f, 0xce, 0xf8, 0x65, 
0x26, 0xbe, 0xc2, 0x2c, 0xd6, 0x80, + 0xe8, 0x14, 0xff, 0x67, 0xe9, 0xee, 0x4e, 0x36, 0x2f, 0x7e, 0x6e, + 0x2e, 0xf1, 0xf6, 0xd2, 0x7e, 0xcb, 0x70, 0x33, 0xb3, 0x34}, + {0x0, 0x27, 0xf6, 0x76, 0x28, 0x9d, 0x3b, 0x64, 0xeb, 0x68, 0x76, + 0xe, 0x40, 0x9d, 0x1d, 0x5d, 0x84, 0x6, 0xfc, 0x21, 0x3, 0x43, + 0x4b, 0x1b, 0x6a, 0x24, 0x55, 0x22, 0x7e, 0xbb, 0x38, 0x79}, + {0xcc, 0xd6, 0x81, 0x86, 0xee, 0x91, 0xc5, 0xcd, 0x53, 0xa7, 0x85, + 0xed, 0x9c, 0x10, 0x2, 0xce, 0x83, 0x88, 0x80, 0x58, 0xc1, 0x85, + 0x74, 0xed, 0xe4, 0x65, 0xfe, 0x2d, 0x6e, 0xfc, 0x76, 0x11}, + }, + { + {0xb8, 0xe, 0x77, 0x49, 0x89, 0xe2, 0x90, 0xdb, 0xa3, 0x40, 0xf4, + 0xac, 0x2a, 0xcc, 0xfb, 0x98, 0x9b, 0x87, 0xd7, 0xde, 0xfe, 0x4f, + 0x35, 0x21, 0xb6, 0x6, 0x69, 0xf2, 0x54, 0x3e, 0x6a, 0x1f}, + {0x9b, 0x61, 0x9c, 0x5b, 0xd0, 0x6c, 0xaf, 0xb4, 0x80, 0x84, 0xa5, + 0xb2, 0xf4, 0xc9, 0xdf, 0x2d, 0xc4, 0x4d, 0xe9, 0xeb, 0x2, 0xa5, + 0x4f, 0x3d, 0x34, 0x5f, 0x7d, 0x67, 0x4c, 0x3a, 0xfc, 0x8}, + {0xea, 0x34, 0x7, 0xd3, 0x99, 0xc1, 0xa4, 0x60, 0xd6, 0x5c, 0x16, + 0x31, 0xb6, 0x85, 0xc0, 0x40, 0x95, 0x82, 0x59, 0xf7, 0x23, 0x3e, + 0x33, 0xe2, 0xd1, 0x0, 0xb9, 0x16, 0x1, 0xad, 0x2f, 0x4f}, + }, + { + {0x38, 0xb6, 0x3b, 0xb7, 0x1d, 0xd9, 0x2c, 0x96, 0x8, 0x9c, 0x12, + 0xfc, 0xaa, 0x77, 0x5, 0xe6, 0x89, 0x16, 0xb6, 0xf3, 0x39, 0x9b, + 0x61, 0x6f, 0x81, 0xee, 0x44, 0x29, 0x5f, 0x99, 0x51, 0x34}, + {0x54, 0x4e, 0xae, 0x94, 0x41, 0xb2, 0xbe, 0x44, 0x6c, 0xef, 0x57, + 0x18, 0x51, 0x1c, 0x54, 0x5f, 0x98, 0x4, 0x8d, 0x36, 0x2d, 0x6b, + 0x1e, 0xa6, 0xab, 0xf7, 0x2e, 0x97, 0xa4, 0x84, 0x54, 0x44}, + {0x7c, 0x7d, 0xea, 0x9f, 0xd0, 0xfc, 0x52, 0x91, 0xf6, 0x5c, 0x93, + 0xb0, 0x94, 0x6c, 0x81, 0x4a, 0x40, 0x5c, 0x28, 0x47, 0xaa, 0x9a, + 0x8e, 0x25, 0xb7, 0x93, 0x28, 0x4, 0xa6, 0x9c, 0xb8, 0x10}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 407703353998781, 126572141483652, 286039827513621, - 1999255076709338, 2030511179441770 -#else - 26656189, 6075253, 59250308, 1886071, 38764821, 4262325, - 11117530, 29791222, 
26224234, 30256974 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1254958221100483, 1153235960999843, 942907704968834, - 637105404087392, 1149293270147267 -#else - 49939907, 18700334, 63713187, 17184554, 47154818, 14050419, - 21728352, 9493610, 18620611, 17125804 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 894249020470196, 400291701616810, 406878712230981, - 1599128793487393, 1145868722604026 -#else - 53785524, 13325348, 11432106, 5964811, 18609221, 6062965, - 61839393, 23828875, 36407290, 17074774 -#endif - }}, + {0x6e, 0xf0, 0x45, 0x5a, 0xbe, 0x41, 0x39, 0x75, 0x65, 0x5f, 0x9c, + 0x6d, 0xed, 0xae, 0x7c, 0xd0, 0xb6, 0x51, 0xff, 0x72, 0x9c, 0x6b, + 0x77, 0x11, 0xa9, 0x4d, 0xd, 0xef, 0xd9, 0xd1, 0xd2, 0x17}, + {0x9c, 0x28, 0x18, 0x97, 0x49, 0x47, 0x59, 0x3d, 0x26, 0x3f, 0x53, + 0x24, 0xc5, 0xf8, 0xeb, 0x12, 0x15, 0xef, 0xc3, 0x14, 0xcb, 0xbf, + 0x62, 0x2, 0x8e, 0x51, 0xb7, 0x77, 0xd5, 0x78, 0xb8, 0x20}, + {0x6a, 0x3e, 0x3f, 0x7, 0x18, 0xaf, 0xf2, 0x27, 0x69, 0x10, 0x52, + 0xd7, 0x19, 0xe5, 0x3f, 0xfd, 0x22, 0x0, 0xa6, 0x3c, 0x2c, 0xb7, + 0xe3, 0x22, 0xa7, 0xc6, 0x65, 0xcc, 0x63, 0x4f, 0x21, 0x72}, + }, + { + {0xc9, 0x29, 0x3b, 0xf4, 0xb9, 0xb7, 0x9d, 0x1d, 0x75, 0x8f, 0x51, + 0x4f, 0x4a, 0x82, 0x5, 0xd6, 0xc4, 0x9d, 0x2f, 0x31, 0xbd, 0x72, + 0xc0, 0xf2, 0xb0, 0x45, 0x15, 0x5a, 0x85, 0xac, 0x24, 0x1f}, + {0x93, 0xa6, 0x7, 0x53, 0x40, 0x7f, 0xe3, 0xb4, 0x95, 0x67, 0x33, + 0x2f, 0xd7, 0x14, 0xa7, 0xab, 0x99, 0x10, 0x76, 0x73, 0xa7, 0xd0, + 0xfb, 0xd6, 0xc9, 0xcb, 0x71, 0x81, 0xc5, 0x48, 0xdf, 0x5f}, + {0xaa, 0x5, 0x95, 0x8e, 0x32, 0x8, 0xd6, 0x24, 0xee, 0x20, 0x14, + 0xc, 0xd1, 0xc1, 0x48, 0x47, 0xa2, 0x25, 0xfb, 0x6, 0x5c, 0xe4, + 0xff, 0xc7, 0xe6, 0x95, 0xe3, 0x2a, 0x9e, 0x73, 0xba, 0x0}, + }, + { + {0x26, 0xbb, 0x88, 0xea, 0xf5, 0x26, 0x44, 0xae, 0xfb, 0x3b, 0x97, + 0x84, 0xd9, 0x79, 0x6, 0x36, 0x50, 0x4e, 0x69, 0x26, 0xc, 0x3, + 0x9f, 0x5c, 0x26, 0xd2, 0x18, 0xd5, 0xe7, 0x7d, 0x29, 0x72}, + {0xd6, 0x90, 0x87, 0x5c, 0xde, 0x98, 0x2e, 0x59, 0xdf, 0xa2, 0xc2, 
+ 0x45, 0xd3, 0xb7, 0xbf, 0xe5, 0x22, 0x99, 0xb4, 0xf9, 0x60, 0x3b, + 0x5a, 0x11, 0xf3, 0x78, 0xad, 0x67, 0x3e, 0x3a, 0x28, 0x3}, + {0x39, 0xb9, 0xc, 0xbe, 0xc7, 0x1d, 0x24, 0x48, 0x80, 0x30, 0x63, + 0x8b, 0x4d, 0x9b, 0xf1, 0x32, 0x8, 0x93, 0x28, 0x2, 0xd, 0xc9, + 0xdf, 0xd3, 0x45, 0x19, 0x27, 0x46, 0x68, 0x29, 0xe1, 0x5}, + }, + { + {0x50, 0x45, 0x2c, 0x24, 0xc8, 0xbb, 0xbf, 0xad, 0xd9, 0x81, 0x30, + 0xd0, 0xec, 0xc, 0xc8, 0xbc, 0x92, 0xdf, 0xc8, 0xf5, 0xa6, 0x66, + 0x35, 0x84, 0x4c, 0xce, 0x58, 0x82, 0xd3, 0x25, 0xcf, 0x78}, + {0x5a, 0x49, 0x9c, 0x2d, 0xb3, 0xee, 0x82, 0xba, 0x7c, 0xb9, 0x2b, + 0xf1, 0xfc, 0xc8, 0xef, 0xce, 0xe0, 0xd1, 0xb5, 0x93, 0xae, 0xab, + 0x2d, 0xb0, 0x9b, 0x8d, 0x69, 0x13, 0x9c, 0xc, 0xc0, 0x39}, + {0x68, 0x9d, 0x48, 0x31, 0x8e, 0x6b, 0xae, 0x15, 0x87, 0xf0, 0x2b, + 0x9c, 0xab, 0x1c, 0x85, 0xaa, 0x5, 0xfa, 0x4e, 0xf0, 0x97, 0x5a, + 0xa7, 0xc9, 0x32, 0xf8, 0x3f, 0x6b, 0x7, 0x52, 0x6b, 0x0}, + }, + { + {0x2d, 0x8, 0xce, 0xb9, 0x16, 0x7e, 0xcb, 0xf5, 0x29, 0xbc, 0x7a, + 0x41, 0x4c, 0xf1, 0x7, 0x34, 0xab, 0xa7, 0xf4, 0x2b, 0xce, 0x6b, + 0xb3, 0xd4, 0xce, 0x75, 0x9f, 0x1a, 0x56, 0xe9, 0xe2, 0x7d}, + {0x1c, 0x78, 0x95, 0x9d, 0xe1, 0xcf, 0xe0, 0x29, 0xe2, 0x10, 0x63, + 0x96, 0x18, 0xdf, 0x81, 0xb6, 0x39, 0x6b, 0x51, 0x70, 0xd3, 0x39, + 0xdf, 0x57, 0x22, 0x61, 0xc7, 0x3b, 0x44, 0xe3, 0x57, 0x4d}, + {0xcb, 0x5e, 0xa5, 0xb6, 0xf4, 0xd4, 0x70, 0xde, 0x99, 0xdb, 0x85, + 0x5d, 0x7f, 0x52, 0x1, 0x48, 0x81, 0x9a, 0xee, 0xd3, 0x40, 0xc4, + 0xc9, 0xdb, 0xed, 0x29, 0x60, 0x1a, 0xaf, 0x90, 0x2a, 0x6b}, + }, + { + {0xa, 0xd8, 0xb2, 0x5b, 0x24, 0xf3, 0xeb, 0x77, 0x9b, 0x7, 0xb9, + 0x2f, 0x47, 0x1b, 0x30, 0xd8, 0x33, 0x73, 0xee, 0x4c, 0xf2, 0xe6, + 0x47, 0xc6, 0x9, 0x21, 0x6c, 0x27, 0xc8, 0x12, 0x58, 0x46}, + {0x97, 0x1e, 0xe6, 0x9a, 0xfc, 0xf4, 0x23, 0x69, 0xd1, 0x5f, 0x3f, + 0xe0, 0x1d, 0x28, 0x35, 0x57, 0x2d, 0xd1, 0xed, 0xe6, 0x43, 0xae, + 0x64, 0xa7, 0x4a, 0x3e, 0x2d, 0xd1, 0xe9, 0xf4, 0xd8, 0x5f}, + {0xd9, 0x62, 0x10, 0x2a, 0xb2, 0xbe, 0x43, 0x4d, 0x16, 
0xdc, 0x31, + 0x38, 0x75, 0xfb, 0x65, 0x70, 0xd7, 0x68, 0x29, 0xde, 0x7b, 0x4a, + 0xd, 0x18, 0x90, 0x67, 0xb1, 0x1c, 0x2b, 0x2c, 0xb3, 0x5}, + }, + { + {0x95, 0x81, 0xd5, 0x7a, 0x2c, 0xa4, 0xfc, 0xf7, 0xcc, 0xf3, 0x33, + 0x43, 0x6e, 0x28, 0x14, 0x32, 0x9d, 0x97, 0xb, 0x34, 0xd, 0x9d, + 0xc2, 0xb6, 0xe1, 0x7, 0x73, 0x56, 0x48, 0x1a, 0x77, 0x31}, + {0xfd, 0xa8, 0x4d, 0xd2, 0xcc, 0x5e, 0xc0, 0xc8, 0x83, 0xef, 0xdf, + 0x5, 0xac, 0x1a, 0xcf, 0xa1, 0x61, 0xcd, 0xf9, 0x7d, 0xf2, 0xef, + 0xbe, 0xdb, 0x99, 0x1e, 0x47, 0x7b, 0xa3, 0x56, 0x55, 0x3b}, + {0x82, 0xd4, 0x4d, 0xe1, 0x24, 0xc5, 0xb0, 0x32, 0xb6, 0xa4, 0x2b, + 0x1a, 0x54, 0x51, 0xb3, 0xed, 0xf3, 0x5a, 0x2b, 0x28, 0x48, 0x60, + 0xd1, 0xa3, 0xeb, 0x36, 0x73, 0x7a, 0xd2, 0x79, 0xc0, 0x4f}, + }, + { + {0xd, 0xc5, 0x86, 0xc, 0x44, 0x8b, 0x34, 0xdc, 0x51, 0xe6, 0x94, + 0xcc, 0xc9, 0xcb, 0x37, 0x13, 0xb9, 0x3c, 0x3e, 0x64, 0x4d, 0xf7, + 0x22, 0x64, 0x8, 0xcd, 0xe3, 0xba, 0xc2, 0x70, 0x11, 0x24}, + {0x7f, 0x2f, 0xbf, 0x89, 0xb0, 0x38, 0xc9, 0x51, 0xa7, 0xe9, 0xdf, + 0x2, 0x65, 0xbd, 0x97, 0x24, 0x53, 0xe4, 0x80, 0x78, 0x9c, 0xc0, + 0xff, 0xff, 0x92, 0x8e, 0xf9, 0xca, 0xce, 0x67, 0x45, 0x12}, + {0xb4, 0x73, 0xc4, 0xa, 0x86, 0xab, 0xf9, 0x3f, 0x35, 0xe4, 0x13, + 0x1, 0xee, 0x1d, 0x91, 0xf0, 0xaf, 0xc4, 0xc6, 0xeb, 0x60, 0x50, + 0xe7, 0x4a, 0xd, 0x0, 0x87, 0x6c, 0x96, 0x12, 0x86, 0x3f}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1497955250203334, 110116344653260, 1128535642171976, - 1900106496009660, 129792717460909 -#else - 43248326, 22321272, 26961356, 1640861, 34695752, 16816491, - 12248508, 28313793, 13735341, 1934062 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 452487513298665, 1352120549024569, 1173495883910956, - 1999111705922009, 367328130454226 -#else - 25089769, 6742589, 17081145, 20148166, 21909292, 17486451, - 51972569, 29789085, 45830866, 5473615 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1717539401269642, 1475188995688487, 891921989653942, - 836824441505699, 1885988485608364 -#else - 31883658, 
25593331, 1083431, 21982029, 22828470, 13290673, - 59983779, 12469655, 29111212, 28103418 -#endif - }}, + {0x13, 0x8d, 0x4, 0x36, 0xfa, 0xfc, 0x18, 0x9c, 0xdd, 0x9d, 0x89, + 0x73, 0xb3, 0x9d, 0x15, 0x29, 0xaa, 0xd0, 0x92, 0x9f, 0xb, 0x35, + 0x9f, 0xdc, 0xd4, 0x19, 0x8a, 0x87, 0xee, 0x7e, 0xf5, 0x26}, + {0xde, 0xd, 0x2a, 0x78, 0xc9, 0xc, 0x9a, 0x55, 0x85, 0x83, 0x71, + 0xea, 0xb2, 0xcd, 0x1d, 0x55, 0x8c, 0x23, 0xef, 0x31, 0x5b, 0x86, + 0x62, 0x7f, 0x3d, 0x61, 0x73, 0x79, 0x76, 0xa7, 0x4a, 0x50}, + {0xb1, 0xef, 0x87, 0x56, 0xd5, 0x2c, 0xab, 0xc, 0x7b, 0xf1, 0x7a, + 0x24, 0x62, 0xd1, 0x80, 0x51, 0x67, 0x24, 0x5a, 0x4f, 0x34, 0x5a, + 0xc1, 0x85, 0x69, 0x30, 0xba, 0x9d, 0x3d, 0x94, 0x41, 0x40}, + }, + { + {0xdd, 0xaa, 0x6c, 0xa2, 0x43, 0x77, 0x21, 0x4b, 0xce, 0xb7, 0x8a, + 0x64, 0x24, 0xb4, 0xa6, 0x47, 0xe3, 0xc9, 0xfb, 0x3, 0x7a, 0x4f, + 0x1d, 0xcb, 0x19, 0xd0, 0x0, 0x98, 0x42, 0x31, 0xd9, 0x12}, + {0x96, 0xcc, 0xeb, 0x43, 0xba, 0xee, 0xc0, 0xc3, 0xaf, 0x9c, 0xea, + 0x26, 0x9c, 0x9c, 0x74, 0x8d, 0xc6, 0xcc, 0x77, 0x1c, 0xee, 0x95, + 0xfa, 0xd9, 0xf, 0x34, 0x84, 0x76, 0xd9, 0xa1, 0x20, 0x14}, + {0x4f, 0x59, 0x37, 0xd3, 0x99, 0x77, 0xc6, 0x0, 0x7b, 0xa4, 0x3a, + 0xb2, 0x40, 0x51, 0x3c, 0x5e, 0x95, 0xf3, 0x5f, 0xe3, 0x54, 0x28, + 0x18, 0x44, 0x12, 0xa0, 0x59, 0x43, 0x31, 0x92, 0x4f, 0x1b}, + }, + { + {0xb1, 0x66, 0x98, 0xa4, 0x30, 0x30, 0xcf, 0x33, 0x59, 0x48, 0x5f, + 0x21, 0xd2, 0x73, 0x1f, 0x25, 0xf6, 0xf4, 0xde, 0x51, 0x40, 0xaa, + 0x82, 0xab, 0xf6, 0x23, 0x9a, 0x6f, 0xd5, 0x91, 0xf1, 0x5f}, + {0x51, 0x9, 0x15, 0x89, 0x9d, 0x10, 0x5c, 0x3e, 0x6a, 0x69, 0xe9, + 0x2d, 0x91, 0xfa, 0xce, 0x39, 0x20, 0x30, 0x5f, 0x97, 0x3f, 0xe4, + 0xea, 0x20, 0xae, 0x2d, 0x13, 0x7f, 0x2a, 0x57, 0x9b, 0x23}, + {0x68, 0x90, 0x2d, 0xac, 0x33, 0xd4, 0x9e, 0x81, 0x23, 0x85, 0xc9, + 0x5f, 0x79, 0xab, 0x83, 0x28, 0x3d, 0xeb, 0x93, 0x55, 0x80, 0x72, + 0x45, 0xef, 0xcb, 0x36, 0x8f, 0x75, 0x6a, 0x52, 0xc, 0x2}, + }, + { + {0x89, 0xcc, 0x42, 0xf0, 0x59, 0xef, 0x31, 0xe9, 0xb6, 0x4b, 0x12, + 0x8e, 
0x9d, 0x9c, 0x58, 0x2c, 0x97, 0x59, 0xc7, 0xae, 0x8a, 0xe1, + 0xc8, 0xad, 0xc, 0xc5, 0x2, 0x56, 0xa, 0xfe, 0x2c, 0x45}, + {0xbc, 0xdb, 0xd8, 0x9e, 0xf8, 0x34, 0x98, 0x77, 0x6c, 0xa4, 0x7c, + 0xdc, 0xf9, 0xaa, 0xf2, 0xc8, 0x74, 0xb0, 0xe1, 0xa3, 0xdc, 0x4c, + 0x52, 0xa9, 0x77, 0x38, 0x31, 0x15, 0x46, 0xcc, 0xaa, 0x2}, + {0xdf, 0x77, 0x78, 0x64, 0xa0, 0xf7, 0xa0, 0x86, 0x9f, 0x7c, 0x60, + 0xe, 0x27, 0x64, 0xc4, 0xbb, 0xc9, 0x11, 0xfb, 0xf1, 0x25, 0xea, + 0x17, 0xab, 0x7b, 0x87, 0x4b, 0x30, 0x7b, 0x7d, 0xfb, 0x4c}, + }, + { + {0x12, 0xef, 0x89, 0x97, 0xc2, 0x99, 0x86, 0xe2, 0xd, 0x19, 0x57, + 0xdf, 0x71, 0xcd, 0x6e, 0x2b, 0xd0, 0x70, 0xc9, 0xec, 0x57, 0xc8, + 0x43, 0xc3, 0xc5, 0x3a, 0x4d, 0x43, 0xbc, 0x4c, 0x1d, 0x5b}, + {0xfe, 0x75, 0x9b, 0xb8, 0x6c, 0x3d, 0xb4, 0x72, 0x80, 0xdc, 0x6a, + 0x9c, 0xd9, 0x94, 0xc6, 0x54, 0x9f, 0x4c, 0xe3, 0x3e, 0x37, 0xaa, + 0xc3, 0xb8, 0x64, 0x53, 0x7, 0x39, 0x2b, 0x62, 0xb4, 0x14}, + {0x26, 0x9f, 0xa, 0xcc, 0x15, 0x26, 0xfb, 0xb6, 0xe5, 0xcc, 0x8d, + 0xb8, 0x2b, 0xe, 0x4f, 0x3a, 0x5, 0xa7, 0x69, 0x33, 0x8b, 0x49, + 0x1, 0x13, 0xd1, 0x2d, 0x59, 0x58, 0x12, 0xf7, 0x98, 0x2f}, + }, + { + {0x1, 0xa7, 0x54, 0x4f, 0x44, 0xae, 0x12, 0x2e, 0xde, 0xd7, 0xcb, + 0xa9, 0xf0, 0x3e, 0xfe, 0xfc, 0xe0, 0x5d, 0x83, 0x75, 0xd, 0x89, + 0xbf, 0xce, 0x54, 0x45, 0x61, 0xe7, 0xe9, 0x62, 0x80, 0x1d}, + {0x56, 0x9e, 0xf, 0xb5, 0x4c, 0xa7, 0x94, 0xc, 0x20, 0x13, 0x8e, + 0x8e, 0xa9, 0xf4, 0x1f, 0x5b, 0x67, 0xf, 0x30, 0x82, 0x21, 0xcc, + 0x2a, 0x9a, 0xf9, 0xaa, 0x6, 0xd8, 0x49, 0xe2, 0x6a, 0x3a}, + {0x5a, 0x7c, 0x90, 0xa9, 0x85, 0xda, 0x7a, 0x65, 0x62, 0xf, 0xb9, + 0x91, 0xb5, 0xa8, 0xe, 0x1a, 0xe9, 0xb4, 0x34, 0xdf, 0xfb, 0x1d, + 0xe, 0x8d, 0xf3, 0x5f, 0xf2, 0xae, 0xe8, 0x8c, 0x8b, 0x29}, + }, + { + {0xde, 0x65, 0x21, 0xa, 0xea, 0x72, 0x7a, 0x83, 0xf6, 0x79, 0xcf, + 0xb, 0xb4, 0x7, 0xab, 0x3f, 0x70, 0xae, 0x38, 0x77, 0xc7, 0x36, + 0x16, 0x52, 0xdc, 0xd7, 0xa7, 0x3, 0x18, 0x27, 0xa6, 0x6b}, + {0xb2, 0xc, 0xf7, 0xef, 0x53, 0x79, 0x92, 0x2a, 0x76, 0x70, 0x15, + 
0x79, 0x2a, 0xc9, 0x89, 0x4b, 0x6a, 0xcf, 0xa7, 0x30, 0x7a, 0x45, + 0x18, 0x94, 0x85, 0xe4, 0x5c, 0x4d, 0x40, 0xa8, 0xb8, 0x34}, + {0x35, 0x33, 0x69, 0x83, 0xb5, 0xec, 0x6e, 0xc2, 0xfd, 0xfe, 0xb5, + 0x63, 0xdf, 0x13, 0xa8, 0xd5, 0x73, 0x25, 0xb2, 0xa4, 0x9a, 0xaa, + 0x93, 0xa2, 0x6a, 0x1c, 0x5e, 0x46, 0xdd, 0x2b, 0xd6, 0x71}, + }, + { + {0xf5, 0x5e, 0xf7, 0xb1, 0xda, 0xb5, 0x2d, 0xcd, 0xf5, 0x65, 0xb0, + 0x16, 0xcf, 0x95, 0x7f, 0xd7, 0x85, 0xf0, 0x49, 0x3f, 0xea, 0x1f, + 0x57, 0x14, 0x3d, 0x2b, 0x2b, 0x26, 0x21, 0x36, 0x33, 0x1c}, + {0x80, 0xdf, 0x78, 0xd3, 0x28, 0xcc, 0x33, 0x65, 0xb4, 0xa4, 0xf, + 0xa, 0x79, 0x43, 0xdb, 0xf6, 0x5a, 0xda, 0x1, 0xf7, 0xf9, 0x5f, + 0x64, 0xe3, 0xa4, 0x2b, 0x17, 0xf3, 0x17, 0xf3, 0xd5, 0x74}, + {0x81, 0xca, 0xd9, 0x67, 0x54, 0xe5, 0x6f, 0xa8, 0x37, 0x8c, 0x29, + 0x2b, 0x75, 0x7c, 0x8b, 0x39, 0x3b, 0x62, 0xac, 0xe3, 0x92, 0x8, + 0x6d, 0xda, 0x8c, 0xd9, 0xe9, 0x47, 0x45, 0xcc, 0xeb, 0x4a}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1241784121422547, 187337051947583, 1118481812236193, - 428747751936362, 30358898927325 -#else - 24244947, 18504025, 40845887, 2791539, 52111265, 16666677, - 24367466, 6388839, 56813277, 452382 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2022432361201842, 1088816090685051, 1977843398539868, - 1854834215890724, 564238862029357 -#else - 41468082, 30136590, 5217915, 16224624, 19987036, 29472163, - 42872612, 27639183, 15766061, 8407814 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 938868489100585, 1100285072929025, 1017806255688848, - 1957262154788833, 152787950560442 -#else - 46701865, 13990230, 15495425, 16395525, 5377168, 15166495, - 58191841, 29165478, 59040954, 2276717 -#endif - }}, + {0x10, 0xb6, 0x54, 0x73, 0x9e, 0x8d, 0x40, 0xb, 0x6e, 0x5b, 0xa8, + 0x5b, 0x53, 0x32, 0x6b, 0x80, 0x7, 0xa2, 0x58, 0x4a, 0x3, 0x3a, + 0xe6, 0xdb, 0x2c, 0xdf, 0xa1, 0xc9, 0xdd, 0xd9, 0x3b, 0x17}, + {0xc9, 0x1, 0x6d, 0x27, 0x1b, 0x7, 0xf0, 0x12, 0x70, 0x8c, 0xc4, + 0x86, 0xc5, 0xba, 0xb8, 0xe7, 0xa9, 0xfb, 0xd6, 
0x71, 0x9b, 0x12, + 0x8, 0x53, 0x92, 0xb7, 0x3d, 0x5a, 0xf9, 0xfb, 0x88, 0x5d}, + {0xdf, 0x72, 0x58, 0xfe, 0x1e, 0xf, 0x50, 0x2b, 0xc1, 0x18, 0x39, + 0xd4, 0x2e, 0x58, 0xd6, 0x58, 0xe0, 0x3a, 0x67, 0xc9, 0x8e, 0x27, + 0xed, 0xe6, 0x19, 0xa3, 0x9e, 0xb1, 0x13, 0xcd, 0xe1, 0x6}, + }, + { + {0x53, 0x3, 0x5b, 0x9e, 0x62, 0xaf, 0x2b, 0x47, 0x47, 0x4, 0x8d, + 0x27, 0x90, 0xb, 0xaa, 0x3b, 0x27, 0xbf, 0x43, 0x96, 0x46, 0x5f, + 0x78, 0xc, 0x13, 0x7b, 0x83, 0x8d, 0x1a, 0x6a, 0x3a, 0x7f}, + {0x23, 0x6f, 0x16, 0x6f, 0x51, 0xad, 0xd0, 0x40, 0xbe, 0x6a, 0xab, + 0x1f, 0x93, 0x32, 0x8e, 0x11, 0x8e, 0x8, 0x4d, 0xa0, 0x14, 0x5e, + 0xe3, 0x3f, 0x66, 0x62, 0xe1, 0x26, 0x35, 0x60, 0x80, 0x30}, + {0xb, 0x80, 0x3d, 0x5d, 0x39, 0x44, 0xe6, 0xf7, 0xf6, 0xed, 0x1, + 0xc9, 0x55, 0xd5, 0xa8, 0x95, 0x39, 0x63, 0x2c, 0x59, 0x30, 0x78, + 0xcd, 0x68, 0x7e, 0x30, 0x51, 0x2e, 0xed, 0xfd, 0xd0, 0x30}, + }, + { + {0x50, 0x47, 0xb8, 0x68, 0x1e, 0x97, 0xb4, 0x9c, 0xcf, 0xbb, 0x64, + 0x66, 0x29, 0x72, 0x95, 0xa0, 0x2b, 0x41, 0xfa, 0x72, 0x26, 0xe7, + 0x8d, 0x5c, 0xd9, 0x89, 0xc5, 0x51, 0x43, 0x8, 0x15, 0x46}, + {0xb3, 0x33, 0x12, 0xf2, 0x1a, 0x4d, 0x59, 0xe0, 0x9c, 0x4d, 0xcc, + 0xf0, 0x8e, 0xe7, 0xdb, 0x1b, 0x77, 0x9a, 0x49, 0x8f, 0x7f, 0x18, + 0x65, 0x69, 0x68, 0x98, 0x9, 0x2c, 0x20, 0x14, 0x92, 0xa}, + {0x2e, 0xa0, 0xb9, 0xae, 0xc0, 0x19, 0x90, 0xbc, 0xae, 0x4c, 0x3, + 0x16, 0xd, 0x11, 0xc7, 0x55, 0xec, 0x32, 0x99, 0x65, 0x1, 0xf5, + 0x6d, 0xe, 0xfe, 0x5d, 0xca, 0x95, 0x28, 0xd, 0xca, 0x3b}, + }, + { + {0xbf, 0x1, 0xcc, 0x9e, 0xb6, 0x8e, 0x68, 0x9c, 0x6f, 0x89, 0x44, + 0xa6, 0xad, 0x83, 0xbc, 0xf0, 0xe2, 0x9f, 0x7a, 0x5f, 0x5f, 0x95, + 0x2d, 0xca, 0x41, 0x82, 0xf2, 0x8d, 0x3, 0xb4, 0xa8, 0x4e}, + {0xa4, 0x62, 0x5d, 0x3c, 0xbc, 0x31, 0xf0, 0x40, 0x60, 0x7a, 0xf0, + 0xcf, 0x3e, 0x8b, 0xfc, 0x19, 0x45, 0xb5, 0xf, 0x13, 0xa2, 0x3d, + 0x18, 0x98, 0xcd, 0x13, 0x8f, 0xae, 0xdd, 0xde, 0x31, 0x56}, + {0x2, 0xd2, 0xca, 0xf1, 0xa, 0x46, 0xed, 0x2a, 0x83, 0xee, 0x8c, + 0xa4, 0x5, 0x53, 0x30, 0x46, 0x5f, 0x1a, 
0xf1, 0x49, 0x45, 0x77, + 0x21, 0x91, 0x63, 0xa4, 0x2c, 0x54, 0x30, 0x9, 0xce, 0x24}, + }, + { + {0x85, 0xb, 0xf3, 0xfd, 0x55, 0xa1, 0xcf, 0x3f, 0xa4, 0x2e, 0x37, + 0x36, 0x8e, 0x16, 0xf7, 0xd2, 0x44, 0xf8, 0x92, 0x64, 0xde, 0x64, + 0xe0, 0xb2, 0x80, 0x42, 0x4f, 0x32, 0xa7, 0x28, 0x99, 0x54}, + {0x6, 0xc1, 0x6, 0xfd, 0xf5, 0x90, 0xe8, 0x1f, 0xf2, 0x10, 0x88, + 0x5d, 0x35, 0x68, 0xc4, 0xb5, 0x3e, 0xaf, 0x8c, 0x6e, 0xfe, 0x8, + 0x78, 0x82, 0x4b, 0xd7, 0x6, 0x8a, 0xc2, 0xe3, 0xd4, 0x41}, + {0x2e, 0x1a, 0xee, 0x63, 0xa7, 0x32, 0x6e, 0xf2, 0xea, 0xfd, 0x5f, + 0xd2, 0xb7, 0xe4, 0x91, 0xae, 0x69, 0x4d, 0x7f, 0xd1, 0x3b, 0xd3, + 0x3b, 0xbc, 0x6a, 0xff, 0xdc, 0xc0, 0xde, 0x66, 0x1b, 0x49}, + }, + { + {0xa1, 0x64, 0xda, 0xd0, 0x8e, 0x4a, 0xf0, 0x75, 0x4b, 0x28, 0xe2, + 0x67, 0xaf, 0x2c, 0x22, 0xed, 0xa4, 0x7b, 0x7b, 0x1f, 0x79, 0xa3, + 0x34, 0x82, 0x67, 0x8b, 0x1, 0xb7, 0xb0, 0xb8, 0xf6, 0x4c}, + {0xa7, 0x32, 0xea, 0xc7, 0x3d, 0xb1, 0xf5, 0x98, 0x98, 0xdb, 0x16, + 0x7e, 0xcc, 0xf8, 0xd5, 0xe3, 0x47, 0xd9, 0xf8, 0xcb, 0x52, 0xbf, + 0xa, 0xac, 0xac, 0xe4, 0x5e, 0xc8, 0xd0, 0x38, 0xf3, 0x8}, + {0xbd, 0x73, 0x1a, 0x99, 0x21, 0xa8, 0x83, 0xc3, 0x7a, 0xc, 0x32, + 0xdf, 0x1, 0xbc, 0x27, 0xab, 0x63, 0x70, 0x77, 0x84, 0x1b, 0x33, + 0x3d, 0xc1, 0x99, 0x8a, 0x7, 0xeb, 0x82, 0x4a, 0xd, 0x53}, + }, + { + {0x9e, 0xbf, 0x9a, 0x6c, 0x45, 0x73, 0x69, 0x6d, 0x80, 0xa8, 0x0, + 0x49, 0xfc, 0xb2, 0x7f, 0x25, 0x50, 0xb8, 0xcf, 0xc8, 0x12, 0xf4, + 0xac, 0x2b, 0x5b, 0xbd, 0xbf, 0xc, 0xe0, 0xe7, 0xb3, 0xd}, + {0x25, 0x48, 0xf9, 0xe1, 0x30, 0x36, 0x4c, 0x0, 0x5a, 0x53, 0xab, + 0x8c, 0x26, 0x78, 0x2d, 0x7e, 0x8b, 0xff, 0x84, 0xcc, 0x23, 0x23, + 0x48, 0xc7, 0xb9, 0x70, 0x17, 0x10, 0x3f, 0x75, 0xea, 0x65}, + {0x63, 0x63, 0x9, 0xe2, 0x3e, 0xfc, 0x66, 0x3d, 0x6b, 0xcb, 0xb5, + 0x61, 0x7f, 0x2c, 0xd6, 0x81, 0x1a, 0x3b, 0x44, 0x13, 0x42, 0x4, + 0xbe, 0xf, 0xdb, 0xa1, 0xe1, 0x21, 0x19, 0xec, 0xa4, 0x2}, + }, + { + {0x5f, 0x79, 0xcf, 0xf1, 0x62, 0x61, 0xc8, 0xf5, 0xf2, 0x57, 0xee, + 0x26, 0x19, 0x86, 0x8c, 
0x11, 0x78, 0x35, 0x6, 0x1c, 0x85, 0x24, + 0x21, 0x17, 0xcf, 0x7f, 0x6, 0xec, 0x5d, 0x2b, 0xd1, 0x36}, + {0xa2, 0xb8, 0x24, 0x3b, 0x9a, 0x25, 0xe6, 0x5c, 0xb8, 0xa0, 0xaf, + 0x45, 0xcc, 0x7a, 0x57, 0xb8, 0x37, 0x70, 0xa0, 0x8b, 0xe8, 0xe6, + 0xcb, 0xcc, 0xbf, 0x9, 0x78, 0x12, 0x51, 0x3c, 0x14, 0x3d}, + {0x57, 0x45, 0x15, 0x79, 0x91, 0x27, 0x6d, 0x12, 0xa, 0x3a, 0x78, + 0xfc, 0x5c, 0x8f, 0xe4, 0xd5, 0xac, 0x9b, 0x17, 0xdf, 0xe8, 0xb6, + 0xbd, 0x36, 0x59, 0x28, 0xa8, 0x5b, 0x88, 0x17, 0xf5, 0x2e}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 867319417678923, 620471962942542, 226032203305716, - 342001443957629, 1761675818237336 -#else - 30157899, 12924066, 49396814, 9245752, 19895028, 3368142, - 43281277, 5096218, 22740376, 26251015 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1295072362439987, 931227904689414, 1355731432641687, - 922235735834035, 892227229410209 -#else - 2041139, 19298082, 7783686, 13876377, 41161879, 20201972, - 24051123, 13742383, 51471265, 13295221 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1680989767906154, 535362787031440, 2136691276706570, - 1942228485381244, 1267350086882274 -#else - 33338218, 25048699, 12532112, 7977527, 9106186, 31839181, - 49388668, 28941459, 62657506, 18884987 -#endif - }}, + {0x51, 0x2f, 0x5b, 0x30, 0xfb, 0xbf, 0xee, 0x96, 0xb8, 0x96, 0x95, + 0x88, 0xad, 0x38, 0xf9, 0xd3, 0x25, 0xdd, 0xd5, 0x46, 0xc7, 0x2d, + 0xf5, 0xf0, 0x95, 0x0, 0x3a, 0xbb, 0x90, 0x82, 0x96, 0x57}, + {0xdc, 0xae, 0x58, 0x8c, 0x4e, 0x97, 0x37, 0x46, 0xa4, 0x41, 0xf0, + 0xab, 0xfb, 0x22, 0xef, 0xb9, 0x8a, 0x71, 0x80, 0xe9, 0x56, 0xd9, + 0x85, 0xe1, 0xa6, 0xa8, 0x43, 0xb1, 0xfa, 0x78, 0x1b, 0x2f}, + {0x1, 0xe1, 0x20, 0xa, 0x43, 0xb8, 0x1a, 0xf7, 0x47, 0xec, 0xf0, + 0x24, 0x8d, 0x65, 0x93, 0xf3, 0xd1, 0xee, 0xe2, 0x6e, 0xa8, 0x9, + 0x75, 0xcf, 0xe1, 0xa3, 0x2a, 0xdc, 0x35, 0x3e, 0xc4, 0x7d}, + }, + { + {0x18, 0x97, 0x3e, 0x27, 0x5c, 0x2a, 0x78, 0x5a, 0x94, 0xfd, 0x4e, + 0x5e, 0x99, 0xc6, 0x76, 0x35, 0x3e, 0x7d, 0x23, 0x1f, 0x5, 0xd8, + 
0x2e, 0xf, 0x99, 0xa, 0xd5, 0x82, 0x1d, 0xb8, 0x4f, 0x4}, + {0xc3, 0xd9, 0x7d, 0x88, 0x65, 0x66, 0x96, 0x85, 0x55, 0x53, 0xb0, + 0x4b, 0x31, 0x9b, 0xf, 0xc9, 0xb1, 0x79, 0x20, 0xef, 0xf8, 0x8d, + 0xe0, 0xc6, 0x2f, 0xc1, 0x8c, 0x75, 0x16, 0x20, 0xf7, 0x7e}, + {0xd9, 0xe3, 0x7, 0xa9, 0xc5, 0x18, 0xdf, 0xc1, 0x59, 0x63, 0x4c, + 0xce, 0x1d, 0x37, 0xb3, 0x57, 0x49, 0xbb, 0x1, 0xb2, 0x34, 0x45, + 0x70, 0xca, 0x2e, 0xdd, 0x30, 0x9c, 0x3f, 0x82, 0x79, 0x7f}, + }, + { + {0xba, 0x87, 0xf5, 0x68, 0xf0, 0x1f, 0x9c, 0x6a, 0xde, 0xc8, 0x50, + 0x0, 0x4e, 0x89, 0x27, 0x8, 0xe7, 0x5b, 0xed, 0x7d, 0x55, 0x99, + 0xbf, 0x3c, 0xf0, 0xd6, 0x6, 0x1c, 0x43, 0xb0, 0xa9, 0x64}, + {0xe8, 0x13, 0xb5, 0xa3, 0x39, 0xd2, 0x34, 0x83, 0xd8, 0xa8, 0x1f, + 0xb9, 0xd4, 0x70, 0x36, 0xc1, 0x33, 0xbd, 0x90, 0xf5, 0x36, 0x41, + 0xb5, 0x12, 0xb4, 0xd9, 0x84, 0xd7, 0x73, 0x3, 0x4e, 0xa}, + {0x19, 0x29, 0x7d, 0x5b, 0xa1, 0xd6, 0xb3, 0x2e, 0x35, 0x82, 0x3a, + 0xd5, 0xa0, 0xf6, 0xb4, 0xb0, 0x47, 0x5d, 0xa4, 0x89, 0x43, 0xce, + 0x56, 0x71, 0x6c, 0x34, 0x18, 0xce, 0xa, 0x7d, 0x1a, 0x7}, + }, + { + {0x31, 0x44, 0xe1, 0x20, 0x52, 0x35, 0xc, 0xcc, 0x41, 0x51, 0xb1, + 0x9, 0x7, 0x95, 0x65, 0xd, 0x36, 0x5f, 0x9d, 0x20, 0x1b, 0x62, + 0xf5, 0x9a, 0xd3, 0x55, 0x77, 0x61, 0xf7, 0xbc, 0x69, 0x7c}, + {0xb, 0xba, 0x87, 0xc8, 0xaa, 0x2d, 0x7, 0xd3, 0xee, 0x62, 0xa5, + 0xbf, 0x5, 0x29, 0x26, 0x1, 0x8b, 0x76, 0xef, 0xc0, 0x2, 0x30, + 0x54, 0xcf, 0x9c, 0x7e, 0xea, 0x46, 0x71, 0xcc, 0x3b, 0x2c}, + {0x5f, 0x29, 0xe8, 0x4, 0xeb, 0xd7, 0xf0, 0x7, 0x7d, 0xf3, 0x50, + 0x2f, 0x25, 0x18, 0xdb, 0x10, 0xd7, 0x98, 0x17, 0x17, 0xa3, 0xa9, + 0x51, 0xe9, 0x1d, 0xa5, 0xac, 0x22, 0x73, 0x9a, 0x5a, 0x6f}, + }, + { + {0xbe, 0x44, 0xd9, 0xa3, 0xeb, 0xd4, 0x29, 0xe7, 0x9e, 0xaf, 0x78, + 0x80, 0x40, 0x9, 0x9e, 0x8d, 0x3, 0x9c, 0x86, 0x47, 0x7a, 0x56, + 0x25, 0x45, 0x24, 0x3b, 0x8d, 0xee, 0x80, 0x96, 0xab, 0x2}, + {0xc5, 0xc6, 0x41, 0x2f, 0xc, 0x0, 0xa1, 0x8b, 0x9b, 0xfb, 0xfe, + 0xc, 0xc1, 0x79, 0x9f, 0xc4, 0x9f, 0x1c, 0xc5, 0x3c, 0x70, 0x47, + 
0xfa, 0x4e, 0xca, 0xaf, 0x47, 0xe1, 0xa2, 0x21, 0x4e, 0x49}, + {0x9a, 0xd, 0xe5, 0xdd, 0x85, 0x8a, 0xa4, 0xef, 0x49, 0xa2, 0xb9, + 0xf, 0x4e, 0x22, 0x9a, 0x21, 0xd9, 0xf6, 0x1e, 0xd9, 0x1d, 0x1f, + 0x9, 0xfa, 0x34, 0xbb, 0x46, 0xea, 0xcb, 0x76, 0x5d, 0x6b}, + }, + { + {0x22, 0x25, 0x78, 0x1e, 0x17, 0x41, 0xf9, 0xe0, 0xd3, 0x36, 0x69, + 0x3, 0x74, 0xae, 0xe6, 0xf1, 0x46, 0xc7, 0xfc, 0xd0, 0xa2, 0x3e, + 0x8b, 0x40, 0x3e, 0x31, 0xdd, 0x3, 0x9c, 0x86, 0xfb, 0x16}, + {0x94, 0xd9, 0xc, 0xec, 0x6c, 0x55, 0x57, 0x88, 0xba, 0x1d, 0xd0, + 0x5c, 0x6f, 0xdc, 0x72, 0x64, 0x77, 0xb4, 0x42, 0x8f, 0x14, 0x69, + 0x1, 0xaf, 0x54, 0x73, 0x27, 0x85, 0xf6, 0x33, 0xe3, 0xa}, + {0x62, 0x9, 0xb6, 0x33, 0x97, 0x19, 0x8e, 0x28, 0x33, 0xe1, 0xab, + 0xd8, 0xb4, 0x72, 0xfc, 0x24, 0x3e, 0xd0, 0x91, 0x9, 0xed, 0xf7, + 0x11, 0x48, 0x75, 0xd0, 0x70, 0x8f, 0x8b, 0xe3, 0x81, 0x3f}, + }, + { + {0x24, 0xc8, 0x17, 0x5f, 0x35, 0x7f, 0xdb, 0xa, 0xa4, 0x99, 0x42, + 0xd7, 0xc3, 0x23, 0xb9, 0x74, 0xf7, 0xea, 0xf8, 0xcb, 0x8b, 0x3e, + 0x7c, 0xd5, 0x3d, 0xdc, 0xde, 0x4c, 0xd3, 0xe2, 0xd3, 0xa}, + {0xfe, 0xaf, 0xd9, 0x7e, 0xcc, 0xf, 0x91, 0x7f, 0x4b, 0x87, 0x65, + 0x24, 0xa1, 0xb8, 0x5c, 0x54, 0x4, 0x47, 0xc, 0x4b, 0xd2, 0x7e, + 0x39, 0xa8, 0x93, 0x9, 0xf5, 0x4, 0xc1, 0xf, 0x51, 0x50}, + {0x9d, 0x24, 0x6e, 0x33, 0xc5, 0xf, 0xc, 0x6f, 0xd9, 0xcf, 0x31, + 0xc3, 0x19, 0xde, 0x5e, 0x74, 0x1c, 0xfe, 0xee, 0x9, 0x0, 0xfd, + 0xd6, 0xf2, 0xbe, 0x1e, 0xfa, 0xf0, 0x8b, 0x15, 0x7c, 0x12}, + }, + { + {0x74, 0xb9, 0x51, 0xae, 0xc4, 0x8f, 0xa2, 0xde, 0x96, 0xfe, 0x4d, + 0x74, 0xd3, 0x73, 0x99, 0x1d, 0xa8, 0x48, 0x38, 0x87, 0xb, 0x68, + 0x40, 0x62, 0x95, 0xdf, 0x67, 0xd1, 0x79, 0x24, 0xd8, 0x4e}, + {0xa2, 0x79, 0x98, 0x2e, 0x42, 0x7c, 0x19, 0xf6, 0x47, 0x36, 0xca, + 0x52, 0xd4, 0xdd, 0x4a, 0xa4, 0xcb, 0xac, 0x4e, 0x4b, 0xc1, 0x3f, + 0x41, 0x9b, 0x68, 0x4f, 0xef, 0x7, 0x7d, 0xf8, 0x4e, 0x35}, + {0x75, 0xd9, 0xc5, 0x60, 0x22, 0xb5, 0xe3, 0xfe, 0xb8, 0xb0, 0x41, + 0xeb, 0xfc, 0x2e, 0x35, 0x50, 0x3c, 0x65, 0xf6, 0xa9, 0x30, 
0xac, + 0x8, 0x88, 0x6d, 0x23, 0x39, 0x5, 0xd2, 0x92, 0x2d, 0x30}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 366018233770527, 432660629755596, 126409707644535, - 1973842949591662, 645627343442376 -#else - 47063583, 5454096, 52762316, 6447145, 28862071, 1883651, - 64639598, 29412551, 7770568, 9620597 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 535509430575217, 546885533737322, 1524675609547799, - 2138095752851703, 1260738089896827 -#else - 23208049, 7979712, 33071466, 8149229, 1758231, 22719437, - 30945527, 31860109, 33606523, 18786461 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1159906385590467, 2198530004321610, 714559485023225, - 81880727882151, 1484020820037082 -#else - 1439939, 17283952, 66028874, 32760649, 4625401, 10647766, - 62065063, 1220117, 30494170, 22113633 -#endif - }}, + {0x77, 0xf1, 0xe0, 0xe4, 0xb6, 0x6f, 0xbc, 0x2d, 0x93, 0x6a, 0xbd, + 0xa4, 0x29, 0xbf, 0xe1, 0x4, 0xe8, 0xf6, 0x7a, 0x78, 0xd4, 0x66, + 0x19, 0x5e, 0x60, 0xd0, 0x26, 0xb4, 0x5e, 0x5f, 0xdc, 0xe}, + {0x3d, 0x28, 0xa4, 0xbc, 0xa2, 0xc1, 0x13, 0x78, 0xd9, 0x3d, 0x86, + 0xa1, 0x91, 0xf0, 0x62, 0xed, 0x86, 0xfa, 0x68, 0xc2, 0xb8, 0xbc, + 0xc7, 0xae, 0x4c, 0xae, 0x1c, 0x6f, 0xb7, 0xd3, 0xe5, 0x10}, + {0x67, 0x8e, 0xda, 0x53, 0xd6, 0xbf, 0x53, 0x54, 0x41, 0xf6, 0xa9, + 0x24, 0xec, 0x1e, 0xdc, 0xe9, 0x23, 0x8a, 0x57, 0x3, 0x3b, 0x26, + 0x87, 0xbf, 0x72, 0xba, 0x1c, 0x36, 0x51, 0x6c, 0xb4, 0x45}, + }, + { + {0xe4, 0xe3, 0x7f, 0x8a, 0xdd, 0x4d, 0x9d, 0xce, 0x30, 0xe, 0x62, + 0x76, 0x56, 0x64, 0x13, 0xab, 0x58, 0x99, 0xe, 0xb3, 0x7b, 0x4f, + 0x59, 0x4b, 0xdf, 0x29, 0x12, 0x32, 0xef, 0xa, 0x1c, 0x5c}, + {0xa1, 0x7f, 0x4f, 0x31, 0xbf, 0x2a, 0x40, 0xa9, 0x50, 0xf4, 0x8c, + 0x8e, 0xdc, 0xf1, 0x57, 0xe2, 0x84, 0xbe, 0xa8, 0x23, 0x4b, 0xd5, + 0xbb, 0x1d, 0x3b, 0x71, 0xcb, 0x6d, 0xa3, 0xbf, 0x77, 0x21}, + {0x8f, 0xdb, 0x79, 0xfa, 0xbc, 0x1b, 0x8, 0x37, 0xb3, 0x59, 0x5f, + 0xc2, 0x1e, 0x81, 0x48, 0x60, 0x87, 0x24, 0x83, 0x9c, 0x65, 0x76, + 0x7a, 0x8, 0xbb, 0xb5, 0x8a, 0x7d, 0x38, 
0x19, 0xe6, 0x4a}, + }, + { + {0x83, 0xfb, 0x5b, 0x98, 0x44, 0x7e, 0x11, 0x61, 0x36, 0x31, 0x96, + 0x71, 0x2a, 0x46, 0xe0, 0xfc, 0x4b, 0x90, 0x25, 0xd4, 0x48, 0x34, + 0xac, 0x83, 0x64, 0x3d, 0xa4, 0x5b, 0xbe, 0x5a, 0x68, 0x75}, + {0x2e, 0xa3, 0x44, 0x53, 0xaa, 0xf6, 0xdb, 0x8d, 0x78, 0x40, 0x1b, + 0xb4, 0xb4, 0xea, 0x88, 0x7d, 0x60, 0xd, 0x13, 0x4a, 0x97, 0xeb, + 0xb0, 0x5e, 0x3, 0x3e, 0xbf, 0x17, 0x1b, 0xd9, 0x0, 0x1a}, + {0xb2, 0xf2, 0x61, 0xeb, 0x33, 0x9, 0x96, 0x6e, 0x52, 0x49, 0xff, + 0xc9, 0xa8, 0xf, 0x3d, 0x54, 0x69, 0x65, 0xf6, 0x7a, 0x10, 0x75, + 0x72, 0xdf, 0xaa, 0xe6, 0xb0, 0x23, 0xb6, 0x29, 0x55, 0x13}, + }, + { + {0xfe, 0x83, 0x2e, 0xe2, 0xbc, 0x16, 0xc7, 0xf5, 0xc1, 0x85, 0x9, + 0xe8, 0x19, 0xeb, 0x2b, 0xb4, 0xae, 0x4a, 0x25, 0x14, 0x37, 0xa6, + 0x9d, 0xec, 0x13, 0xa6, 0x90, 0x15, 0x5, 0xea, 0x72, 0x59}, + {0x18, 0xd5, 0xd1, 0xad, 0xd7, 0xdb, 0xf0, 0x18, 0x11, 0x1f, 0xc1, + 0xcf, 0x88, 0x78, 0x9f, 0x97, 0x9b, 0x75, 0x14, 0x71, 0xf0, 0xe1, + 0x32, 0x87, 0x1, 0x3a, 0xca, 0x65, 0x1a, 0xb8, 0xb5, 0x79}, + {0x11, 0x78, 0x8f, 0xdc, 0x20, 0xac, 0xd4, 0xf, 0xa8, 0x4f, 0x4d, + 0xac, 0x94, 0xd2, 0x9a, 0x9a, 0x34, 0x4, 0x36, 0xb3, 0x64, 0x2d, + 0x1b, 0xc0, 0xdb, 0x3b, 0x5f, 0x90, 0x95, 0x9c, 0x7e, 0x4f}, + }, + { + {0xfe, 0x99, 0x52, 0x35, 0x3d, 0x44, 0xc8, 0x71, 0xd7, 0xea, 0xeb, + 0xdb, 0x1c, 0x3b, 0xcd, 0x8b, 0x66, 0x94, 0xa4, 0xf1, 0x9e, 0x49, + 0x92, 0x80, 0xc8, 0xad, 0x44, 0xa1, 0xc4, 0xee, 0x42, 0x19}, + {0x2e, 0x30, 0x81, 0x57, 0xbc, 0x4b, 0x67, 0x62, 0xf, 0xdc, 0xad, + 0x89, 0x39, 0xf, 0x52, 0xd8, 0xc6, 0xd9, 0xfb, 0x53, 0xae, 0x99, + 0x29, 0x8c, 0x4c, 0x8e, 0x63, 0x2e, 0xd9, 0x3a, 0x99, 0x31}, + {0x92, 0x49, 0x23, 0xae, 0x19, 0x53, 0xac, 0x7d, 0x92, 0x3e, 0xea, + 0xc, 0x91, 0x3d, 0x1b, 0x2c, 0x22, 0x11, 0x3c, 0x25, 0x94, 0xe4, + 0x3c, 0x55, 0x75, 0xca, 0xf9, 0x4e, 0x31, 0x65, 0xa, 0x2a}, + }, + { + {0x3a, 0x79, 0x1c, 0x3c, 0xcd, 0x1a, 0x36, 0xcf, 0x3b, 0xbc, 0x35, + 0x5a, 0xac, 0xbc, 0x9e, 0x2f, 0xab, 0xa6, 0xcd, 0xa8, 0xe9, 0x60, + 0xe8, 0x60, 0x13, 
0x1a, 0xea, 0x6d, 0x9b, 0xc3, 0x5d, 0x5}, + {0xc2, 0x27, 0xf9, 0xf7, 0x7f, 0x93, 0xb7, 0x2d, 0x35, 0xa6, 0xd0, + 0x17, 0x6, 0x1f, 0x74, 0xdb, 0x76, 0xaf, 0x55, 0x11, 0xa2, 0xf3, + 0x82, 0x59, 0xed, 0x2d, 0x7c, 0x64, 0x18, 0xe2, 0xf6, 0x4c}, + {0xb6, 0x5b, 0x8d, 0xc2, 0x7c, 0x22, 0x19, 0xb1, 0xab, 0xff, 0x4d, + 0x77, 0xbc, 0x4e, 0xe2, 0x7, 0x89, 0x2c, 0xa3, 0xe4, 0xce, 0x78, + 0x3c, 0xa8, 0xb6, 0x24, 0xaa, 0x10, 0x77, 0x30, 0x1a, 0x12}, + }, + { + {0xc9, 0x83, 0x74, 0xc7, 0x3e, 0x71, 0x59, 0xd6, 0xaf, 0x96, 0x2b, + 0xb8, 0x77, 0xe0, 0xbf, 0x88, 0xd3, 0xbc, 0x97, 0x10, 0x23, 0x28, + 0x9e, 0x28, 0x9b, 0x3a, 0xed, 0x6c, 0x4a, 0xb9, 0x7b, 0x52}, + {0x97, 0x4a, 0x3, 0x9f, 0x5e, 0x5d, 0xdb, 0xe4, 0x2d, 0xbc, 0x34, + 0x30, 0x9, 0xfc, 0x53, 0xe1, 0xb1, 0xd3, 0x51, 0x95, 0x91, 0x46, + 0x5, 0x46, 0x2d, 0xe5, 0x40, 0x7a, 0x6c, 0xc7, 0x3f, 0x33}, + {0x2e, 0x48, 0x5b, 0x99, 0x2a, 0x99, 0x3d, 0x56, 0x1, 0x38, 0x38, + 0x6e, 0x7c, 0xd0, 0x5, 0x34, 0xe5, 0xd8, 0x64, 0x2f, 0xde, 0x35, + 0x50, 0x48, 0xf7, 0xa9, 0xa7, 0x20, 0x9b, 0x6, 0x89, 0x6b}, + }, + { + {0x77, 0xdb, 0xc7, 0xb5, 0x8c, 0xfa, 0x82, 0x40, 0x55, 0xc1, 0x34, + 0xc7, 0xf8, 0x86, 0x86, 0x6, 0x7e, 0xa5, 0xe7, 0xf6, 0xd9, 0xc8, + 0xe6, 0x29, 0xcf, 0x9b, 0x63, 0xa7, 0x8, 0xd3, 0x73, 0x4}, + {0xd, 0x22, 0x70, 0x62, 0x41, 0xa0, 0x2a, 0x81, 0x4e, 0x5b, 0x24, + 0xf9, 0xfa, 0x89, 0x5a, 0x99, 0x5, 0xef, 0x72, 0x50, 0xce, 0xc4, + 0xad, 0xff, 0x73, 0xeb, 0x73, 0xaa, 0x3, 0x21, 0xbc, 0x23}, + {0x5, 0x9e, 0x58, 0x3, 0x26, 0x79, 0xee, 0xca, 0x92, 0xc4, 0xdc, + 0x46, 0x12, 0x42, 0x4b, 0x2b, 0x4f, 0xa9, 0x1, 0xe6, 0x74, 0xef, + 0xa1, 0x2, 0x1a, 0x34, 0x4, 0xde, 0xbf, 0x73, 0x2f, 0x10}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1377485731340769, 2046328105512000, 1802058637158797, - 62146136768173, 1356993908853901 -#else - 62071265, 20526136, 64138304, 30492664, 15640973, 26852766, - 40369837, 926049, 65424525, 20220784 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 2013612215646735, 1830770575920375, 536135310219832, - 
609272325580394, 270684344495013 -#else - 13908495, 30005160, 30919927, 27280607, 45587000, 7989038, - 9021034, 9078865, 3353509, 4033511 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1237542585982777, 2228682050256790, 1385281931622824, - 593183794882890, 493654978552689 -#else - 37445433, 18440821, 32259990, 33209950, 24295848, 20642309, - 23161162, 8839127, 27485041, 7356032 -#endif - }}, + {0x9a, 0x1c, 0x51, 0xb5, 0xe0, 0xda, 0xb4, 0xa2, 0x6, 0xff, 0xff, + 0x2b, 0x29, 0x60, 0xc8, 0x7a, 0x34, 0x42, 0x50, 0xf5, 0x5d, 0x37, + 0x1f, 0x98, 0x2d, 0xa1, 0x4e, 0xda, 0x25, 0xd7, 0x6b, 0x3f}, + {0xc6, 0x45, 0x57, 0x7f, 0xab, 0xb9, 0x18, 0xeb, 0x90, 0xc6, 0x87, + 0x57, 0xee, 0x8a, 0x3a, 0x2, 0xa9, 0xaf, 0xf7, 0x2d, 0xda, 0x12, + 0x27, 0xb7, 0x3d, 0x1, 0x5c, 0xea, 0x25, 0x7d, 0x59, 0x36}, + {0xac, 0x58, 0x60, 0x10, 0x7b, 0x8d, 0x4d, 0x73, 0x5f, 0x90, 0xc6, + 0x6f, 0x9e, 0x57, 0x40, 0xd9, 0x2d, 0x93, 0x2, 0x92, 0xf9, 0xf8, + 0x66, 0x64, 0xd0, 0xd6, 0x60, 0xda, 0x19, 0xcc, 0x7e, 0x7b}, + }, + { + {0x9b, 0xfa, 0x7c, 0xa7, 0x51, 0x4a, 0xae, 0x6d, 0x50, 0x86, 0xa3, + 0xe7, 0x54, 0x36, 0x26, 0x82, 0xdb, 0x82, 0x2d, 0x8f, 0xcd, 0xff, + 0xbb, 0x9, 0xba, 0xca, 0xf5, 0x1b, 0x66, 0xdc, 0xbe, 0x3}, + {0xd, 0x69, 0x5c, 0x69, 0x3c, 0x37, 0xc2, 0x78, 0x6e, 0x90, 0x42, + 0x6, 0x66, 0x2e, 0x25, 0xdd, 0xd2, 0x2b, 0xe1, 0x4a, 0x44, 0x44, + 0x1d, 0x95, 0x56, 0x39, 0x74, 0x1, 0x76, 0xad, 0x35, 0x42}, + {0xf5, 0x75, 0x89, 0x7, 0xd, 0xcb, 0x58, 0x62, 0x98, 0xf2, 0x89, + 0x91, 0x54, 0x42, 0x29, 0x49, 0xe4, 0x6e, 0xe3, 0xe2, 0x23, 0xb4, + 0xca, 0xa0, 0xa1, 0x66, 0xf0, 0xcd, 0xb0, 0xe2, 0x7c, 0xe}, + }, + { + {0xf9, 0x70, 0x4b, 0xd9, 0xdf, 0xfe, 0xa6, 0xfe, 0x2d, 0xba, 0xfc, + 0xc1, 0x51, 0xc0, 0x30, 0xf1, 0x89, 0xab, 0x2f, 0x7f, 0x7e, 0xd4, + 0x82, 0x48, 0xb5, 0xee, 0xec, 0x8a, 0x13, 0x56, 0x52, 0x61}, + {0xa3, 0x85, 0x8c, 0xc4, 0x3a, 0x64, 0x94, 0xc4, 0xad, 0x39, 0x61, + 0x3c, 0xf4, 0x1d, 0x36, 0xfd, 0x48, 0x4d, 0xe9, 0x3a, 0xdd, 0x17, + 0xdb, 0x9, 0x4a, 0x67, 0xb4, 0x8f, 0x5d, 0xa, 0x6e, 
0x66}, + {0xd, 0xcb, 0x70, 0x48, 0x4e, 0xf6, 0xbb, 0x2a, 0x6b, 0x8b, 0x45, + 0xaa, 0xf0, 0xbc, 0x65, 0xcd, 0x5d, 0x98, 0xe8, 0x75, 0xba, 0x4e, + 0xbe, 0x9a, 0xe4, 0xde, 0x14, 0xd5, 0x10, 0xc8, 0xb, 0x7f}, + }, + { + {0xa0, 0x13, 0x72, 0x73, 0xad, 0x9d, 0xac, 0x83, 0x98, 0x2e, 0xf7, + 0x2e, 0xba, 0xf8, 0xf6, 0x9f, 0x57, 0x69, 0xec, 0x43, 0xdd, 0x2e, + 0x1e, 0x31, 0x75, 0xab, 0xc5, 0xde, 0x7d, 0x90, 0x3a, 0x1d}, + {0x6f, 0x13, 0xf4, 0x26, 0xa4, 0x6b, 0x0, 0xb9, 0x35, 0x30, 0xe0, + 0x57, 0x9e, 0x36, 0x67, 0x8d, 0x28, 0x3c, 0x46, 0x4f, 0xd9, 0xdf, + 0xc8, 0xcb, 0xf5, 0xdb, 0xee, 0xf8, 0xbc, 0x8d, 0x1f, 0xd}, + {0xdc, 0x81, 0xd0, 0x3e, 0x31, 0x93, 0x16, 0xba, 0x80, 0x34, 0x1b, + 0x85, 0xad, 0x9f, 0x32, 0x29, 0xcb, 0x21, 0x3, 0x3, 0x3c, 0x1, + 0x28, 0x1, 0xe3, 0xfd, 0x1b, 0xa3, 0x44, 0x1b, 0x1, 0x0}, + }, + { + {0x5c, 0xa7, 0xa, 0x6a, 0x69, 0x1f, 0x56, 0x16, 0x6a, 0xbd, 0x52, + 0x58, 0x5c, 0x72, 0xbf, 0xc1, 0xad, 0x66, 0x79, 0x9a, 0x7f, 0xdd, + 0xa8, 0x11, 0x26, 0x10, 0x85, 0xd2, 0xa2, 0x88, 0xd9, 0x63}, + {0xc, 0x6c, 0xc6, 0x3f, 0x6c, 0xa0, 0xdf, 0x3f, 0xd2, 0xd, 0xd6, + 0x4d, 0x8e, 0xe3, 0x40, 0x5d, 0x71, 0x4d, 0x8e, 0x26, 0x38, 0x8b, + 0xe3, 0x7a, 0xe1, 0x57, 0x83, 0x6e, 0x91, 0x8d, 0xc4, 0x3a}, + {0x2e, 0x23, 0xbd, 0xaf, 0x53, 0x7, 0x12, 0x0, 0x83, 0xf6, 0xd8, + 0xfd, 0xb8, 0xce, 0x2b, 0xe9, 0x91, 0x2b, 0xe7, 0x84, 0xb3, 0x69, + 0x16, 0xf8, 0x66, 0xa0, 0x68, 0x23, 0x2b, 0xd5, 0xfa, 0x33}, + }, + { + {0xe8, 0xcf, 0x22, 0xc4, 0xd0, 0xc8, 0x2c, 0x8d, 0xcb, 0x3a, 0xa1, + 0x5, 0x7b, 0x4f, 0x2b, 0x7, 0x6f, 0xa5, 0xf6, 0xec, 0xe6, 0xb6, + 0xfe, 0xa3, 0xe2, 0x71, 0xa, 0xb9, 0xcc, 0x55, 0xc3, 0x3c}, + {0x16, 0x1e, 0xe4, 0xc5, 0xc6, 0x49, 0x6, 0x54, 0x35, 0x77, 0x3f, + 0x33, 0x30, 0x64, 0xf8, 0xa, 0x46, 0xe7, 0x5, 0xf3, 0xd2, 0xfc, + 0xac, 0xb2, 0xa7, 0xdc, 0x56, 0xa2, 0x29, 0xf4, 0xc0, 0x16}, + {0x31, 0x91, 0x3e, 0x90, 0x43, 0x94, 0xb6, 0xe9, 0xce, 0x37, 0x56, + 0x7a, 0xcb, 0x94, 0xa4, 0xb8, 0x44, 0x92, 0xba, 0xba, 0xa4, 0xd1, + 0x7c, 0xc8, 0x68, 0x75, 0xae, 0x6b, 0x42, 0xaf, 
0x1e, 0x63}, + }, + { + {0xe8, 0xd, 0x70, 0xa3, 0xb9, 0x75, 0xd9, 0x47, 0x52, 0x5, 0xf8, + 0xe2, 0xfb, 0xc5, 0x80, 0x72, 0xe1, 0x5d, 0xe4, 0x32, 0x27, 0x8f, + 0x65, 0x53, 0xb5, 0x80, 0x5f, 0x66, 0x7f, 0x2c, 0x1f, 0x43}, + {0x9f, 0xfe, 0x66, 0xda, 0x10, 0x4, 0xe9, 0xb3, 0xa6, 0xe5, 0x16, + 0x6c, 0x52, 0x4b, 0xdd, 0x85, 0x83, 0xbf, 0xf9, 0x1e, 0x61, 0x97, + 0x3d, 0xbc, 0xb5, 0x19, 0xa9, 0x1e, 0x8b, 0x64, 0x99, 0x55}, + {0x19, 0x7b, 0x8f, 0x85, 0x44, 0x63, 0x2, 0xd6, 0x4a, 0x51, 0xea, + 0xa1, 0x2f, 0x35, 0xab, 0x14, 0xd7, 0xa9, 0x90, 0x20, 0x1a, 0x44, + 0x0, 0x89, 0x26, 0x3b, 0x25, 0x91, 0x5f, 0x71, 0x4, 0x7b}, + }, + { + {0xc6, 0xba, 0xe6, 0xc4, 0x80, 0xc2, 0x76, 0xb3, 0xb, 0x9b, 0x1d, + 0x6d, 0xdd, 0xd3, 0xe, 0x97, 0x44, 0xf9, 0xb, 0x45, 0x58, 0x95, + 0x9a, 0xb0, 0x23, 0xe2, 0xcd, 0x57, 0xfa, 0xac, 0xd0, 0x48}, + {0x43, 0xae, 0xf6, 0xac, 0x28, 0xbd, 0xed, 0x83, 0xb4, 0x7a, 0x5c, + 0x7d, 0x8b, 0x7c, 0x35, 0x86, 0x44, 0x2c, 0xeb, 0xb7, 0x69, 0x47, + 0x40, 0xc0, 0x3f, 0x58, 0xf6, 0xc2, 0xf5, 0x7b, 0xb3, 0x59}, + {0x71, 0xe6, 0xab, 0x7d, 0xe4, 0x26, 0xf, 0xb6, 0x37, 0x3a, 0x2f, + 0x62, 0x97, 0xa1, 0xd1, 0xf1, 0x94, 0x3, 0x96, 0xe9, 0x7e, 0xce, + 0x8, 0x42, 0xdb, 0x3b, 0x6d, 0x33, 0x91, 0x41, 0x23, 0x16}, }, }, { { - {{ -#if defined(OPENSSL_64_BIT) - 47341488007760, 1891414891220257, 983894663308928, - 176161768286818, 1126261115179708 -#else - 9661008, 705443, 11980065, 28184278, 65480320, 14661172, - 60762722, 2625014, 28431036, 16782598 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1694030170963455, 502038567066200, 1691160065225467, - 949628319562187, 275110186693066 -#else - 43269631, 25243016, 41163352, 7480957, 49427195, 25200248, - 44562891, 14150564, 15970762, 4099461 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1124515748676336, 1661673816593408, 1499640319059718, - 1584929449166988, 558148594103306 -#else - 29262576, 16756590, 26350592, 24760869, 8529670, 22346382, - 13617292, 23617289, 11465738, 8317062 -#endif - }}, + {0x40, 0x86, 0xf3, 0x1f, 0xd6, 
0x9c, 0x49, 0xdd, 0xa0, 0x25, 0x36, + 0x6, 0xc3, 0x9b, 0xcd, 0x29, 0xc3, 0x3d, 0xd7, 0x3d, 0x2, 0xd8, + 0xe2, 0x51, 0x31, 0x92, 0x3b, 0x20, 0x7a, 0x70, 0x25, 0x4a}, + {0xf6, 0x7f, 0x26, 0xf6, 0xde, 0x99, 0xe4, 0xb9, 0x43, 0x8, 0x2c, + 0x74, 0x7b, 0xca, 0x72, 0x77, 0xb1, 0xf2, 0xa4, 0xe9, 0x3f, 0x15, + 0xa0, 0x23, 0x6, 0x50, 0xd0, 0xd5, 0xec, 0xdf, 0xdf, 0x2c}, + {0x6a, 0xed, 0xf6, 0x53, 0x8a, 0x66, 0xb7, 0x2a, 0xa1, 0x70, 0xd1, + 0x1d, 0x58, 0x42, 0x42, 0x30, 0x61, 0x1, 0xe2, 0x3a, 0x4c, 0x14, + 0x0, 0x40, 0xfc, 0x49, 0x8e, 0x24, 0x6d, 0x89, 0x21, 0x57}, + }, + { + {0x4e, 0xda, 0xd0, 0xa1, 0x91, 0x50, 0x5d, 0x28, 0x8, 0x3e, 0xfe, + 0xb5, 0xa7, 0x6f, 0xaa, 0x4b, 0xb3, 0x93, 0x93, 0xe1, 0x7c, 0x17, + 0xe5, 0x63, 0xfd, 0x30, 0xb0, 0xc4, 0xaf, 0x35, 0xc9, 0x3}, + {0xae, 0x1b, 0x18, 0xfd, 0x17, 0x55, 0x6e, 0xb, 0xb4, 0x63, 0xb9, + 0x2b, 0x9f, 0x62, 0x22, 0x90, 0x25, 0x46, 0x6, 0x32, 0xe9, 0xbc, + 0x9, 0x55, 0xda, 0x13, 0x3c, 0xf6, 0x74, 0xdd, 0x8e, 0x57}, + {0x3d, 0xc, 0x2b, 0x49, 0xc6, 0x76, 0x72, 0x99, 0xfc, 0x5, 0xe2, + 0xdf, 0xc4, 0xc2, 0xcc, 0x47, 0x3c, 0x3a, 0x62, 0xdd, 0x84, 0x9b, + 0xd2, 0xdc, 0xa2, 0xc7, 0x88, 0x2, 0x59, 0xab, 0xc2, 0x3e}, + }, + { + {0xcb, 0xd1, 0x32, 0xae, 0x9, 0x3a, 0x21, 0xa7, 0xd5, 0xc2, 0xf5, + 0x40, 0xdf, 0x87, 0x2b, 0xf, 0x29, 0xab, 0x1e, 0xe8, 0xc6, 0xa4, + 0xae, 0xb, 0x5e, 0xac, 0xdb, 0x6a, 0x6c, 0xf6, 0x1b, 0xe}, + {0xb9, 0x7b, 0xd8, 0xe4, 0x7b, 0xd2, 0xa0, 0xa1, 0xed, 0x1a, 0x39, + 0x61, 0xeb, 0x4d, 0x8b, 0xa9, 0x83, 0x9b, 0xcb, 0x73, 0xd0, 0xdd, + 0xa0, 0x99, 0xce, 0xca, 0xf, 0x20, 0x5a, 0xc2, 0xd5, 0x2d}, + {0x7e, 0x88, 0x2c, 0x79, 0xe9, 0xd5, 0xab, 0xe2, 0x5d, 0x6d, 0x92, + 0xcb, 0x18, 0x0, 0x2, 0x1a, 0x1e, 0x5f, 0xae, 0xba, 0xcd, 0x69, + 0xba, 0xbf, 0x5f, 0x8f, 0xe8, 0x5a, 0xb3, 0x48, 0x5, 0x73}, + }, + { + {0x34, 0xe3, 0xd6, 0xa1, 0x4b, 0x9, 0x5b, 0x80, 0x19, 0x3f, 0x35, + 0x9, 0x77, 0xf1, 0x3e, 0xbf, 0x2b, 0x70, 0x22, 0x6, 0xcb, 0x6, + 0x3f, 0x42, 0xdd, 0x45, 0x78, 0xd8, 0x77, 0x22, 0x5a, 0x58}, + {0xee, 0xb8, 0xa8, 0xcb, 
0xa3, 0x51, 0x35, 0xc4, 0x16, 0x5f, 0x11, + 0xb2, 0x1d, 0x6f, 0xa2, 0x65, 0x50, 0x38, 0x8c, 0xab, 0x52, 0x4f, + 0xf, 0x76, 0xca, 0xb8, 0x1d, 0x41, 0x3b, 0x44, 0x43, 0x30}, + {0x62, 0x89, 0xd4, 0x33, 0x82, 0x5f, 0x8a, 0xa1, 0x7f, 0x25, 0x78, + 0xec, 0xb5, 0xc4, 0x98, 0x66, 0xff, 0x41, 0x3e, 0x37, 0xa5, 0x6f, + 0x8e, 0xa7, 0x1f, 0x98, 0xef, 0x50, 0x89, 0x27, 0x56, 0x76}, + }, + { + {0x9d, 0xcf, 0x86, 0xea, 0xa3, 0x73, 0x70, 0xe1, 0xdc, 0x5f, 0x15, + 0x7, 0xb7, 0xfb, 0x8c, 0x3a, 0x8e, 0x8a, 0x83, 0x31, 0xfc, 0xe7, + 0x53, 0x48, 0x16, 0xf6, 0x13, 0xb6, 0x84, 0xf4, 0xbb, 0x28}, + {0xc0, 0xc8, 0x1f, 0xd5, 0x59, 0xcf, 0xc3, 0x38, 0xf2, 0xb6, 0x6, + 0x5, 0xfd, 0xd2, 0xed, 0x9b, 0x8f, 0xe, 0x57, 0xab, 0x9f, 0x10, + 0xbf, 0x26, 0xa6, 0x46, 0xb8, 0xc1, 0xa8, 0x60, 0x41, 0x3f}, + {0x7c, 0x6c, 0x13, 0x6f, 0x5c, 0x2f, 0x61, 0xf2, 0xbe, 0x11, 0xdd, + 0xf6, 0x7, 0xd1, 0xea, 0xaf, 0x33, 0x6f, 0xde, 0x13, 0xd2, 0x9a, + 0x7e, 0x52, 0x5d, 0xf7, 0x88, 0x81, 0x35, 0xcb, 0x79, 0x1e}, + }, + { + {0x81, 0x81, 0xe0, 0xf5, 0xd8, 0x53, 0xe9, 0x77, 0xd9, 0xde, 0x9d, + 0x29, 0x44, 0xc, 0xa5, 0x84, 0xe5, 0x25, 0x45, 0x86, 0xc, 0x2d, + 0x6c, 0xdc, 0xf4, 0xf2, 0xd1, 0x39, 0x2d, 0xb5, 0x8a, 0x47}, + {0xf1, 0xe3, 0xf7, 0xee, 0xc3, 0x36, 0x34, 0x1, 0xf8, 0x10, 0x9e, + 0xfe, 0x7f, 0x6a, 0x8b, 0x82, 0xfc, 0xde, 0xf9, 0xbc, 0xe5, 0x8, + 0xf9, 0x7f, 0x31, 0x38, 0x3b, 0x3a, 0x1b, 0x95, 0xd7, 0x65}, + {0x59, 0xd1, 0x52, 0x92, 0xd3, 0xa4, 0xa6, 0x66, 0x7, 0xc8, 0x1a, + 0x87, 0xbc, 0xe1, 0xdd, 0xe5, 0x6f, 0xc9, 0xc1, 0xa6, 0x40, 0x6b, + 0x2c, 0xb8, 0x14, 0x22, 0x21, 0x1a, 0x41, 0x7a, 0xd8, 0x16}, + }, + { + {0x83, 0x5, 0x4e, 0xd5, 0xe2, 0xd5, 0xa4, 0xfb, 0xfa, 0x99, 0xbd, + 0x2e, 0xd7, 0xaf, 0x1f, 0xe2, 0x8f, 0x77, 0xe9, 0x6e, 0x73, 0xc2, + 0x7a, 0x49, 0xde, 0x6d, 0x5a, 0x7a, 0x57, 0xb, 0x99, 0x1f}, + {0x15, 0x62, 0x6, 0x42, 0x5a, 0x7e, 0xbd, 0xb3, 0xc1, 0x24, 0x5a, + 0xc, 0xcd, 0xe3, 0x9b, 0x87, 0xb7, 0x94, 0xf9, 0xd6, 0xb1, 0x5d, + 0xc0, 0x57, 0xa6, 0x8c, 0xf3, 0x65, 0x81, 0x7c, 0xf8, 0x28}, + {0xd6, 0xf7, 
0xe8, 0x1b, 0xad, 0x4e, 0x34, 0xa3, 0x8f, 0x79, 0xea, + 0xac, 0xeb, 0x50, 0x1e, 0x7d, 0x52, 0xe0, 0xd, 0x52, 0x9e, 0x56, + 0xc6, 0x77, 0x3e, 0x6d, 0x4d, 0x53, 0xe1, 0x2f, 0x88, 0x45}, + }, + { + {0xe4, 0x6f, 0x3c, 0x94, 0x29, 0x99, 0xac, 0xd8, 0xa2, 0x92, 0x83, + 0xa3, 0x61, 0xf1, 0xf9, 0xb5, 0xf3, 0x9a, 0xc8, 0xbe, 0x13, 0xdb, + 0x99, 0x26, 0x74, 0xf0, 0x5, 0xe4, 0x3c, 0x84, 0xcf, 0x7d}, + {0xd6, 0x83, 0x79, 0x75, 0x5d, 0x34, 0x69, 0x66, 0xa6, 0x11, 0xaa, + 0x17, 0x11, 0xed, 0xb6, 0x62, 0x8f, 0x12, 0x5e, 0x98, 0x57, 0x18, + 0xdd, 0x7d, 0xdd, 0xf6, 0x26, 0xf6, 0xb8, 0xe5, 0x8f, 0x68}, + {0xc0, 0x32, 0x47, 0x4a, 0x48, 0xd6, 0x90, 0x6c, 0x99, 0x32, 0x56, + 0xca, 0xfd, 0x43, 0x21, 0xd5, 0xe1, 0xc6, 0x5d, 0x91, 0xc3, 0x28, + 0xbe, 0xb3, 0x1b, 0x19, 0x27, 0x73, 0x7e, 0x68, 0x39, 0x67}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1784525599998356, 1619698033617383, 2097300287550715, - 258265458103756, 1905684794832758 -#else - 41615764, 26591503, 32500199, 24135381, 44070139, 31252209, - 14898636, 3848455, 20969334, 28396916 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1288941072872766, 931787902039402, 190731008859042, - 2006859954667190, 1005931482221702 -#else - 46724414, 19206718, 48772458, 13884721, 34069410, 2842113, - 45498038, 29904543, 11177094, 14989547 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1465551264822703, 152905080555927, 680334307368453, - 173227184634745, 666407097159852 -#else - 42612143, 21838415, 16959895, 2278463, 12066309, 10137771, - 13515641, 2581286, 38621356, 9930239 -#endif - }}, + {0xc0, 0x1a, 0xc, 0xc8, 0x9d, 0xcc, 0x6d, 0xa6, 0x36, 0xa4, 0x38, + 0x1b, 0xf4, 0x5c, 0xa0, 0x97, 0xc6, 0xd7, 0xdb, 0x95, 0xbe, 0xf3, + 0xeb, 0xa7, 0xab, 0x7d, 0x7e, 0x8d, 0xf6, 0xb8, 0xa0, 0x7d}, + {0xa6, 0x75, 0x56, 0x38, 0x14, 0x20, 0x78, 0xef, 0xe8, 0xa9, 0xfd, + 0xaa, 0x30, 0x9f, 0x64, 0xa2, 0xcb, 0xa8, 0xdf, 0x5c, 0x50, 0xeb, + 0xd1, 0x4c, 0xb3, 0xc0, 0x4d, 0x1d, 0xba, 0x5a, 0x11, 0x46}, + {0x76, 0xda, 0xb5, 0xc3, 0x53, 0x19, 0xf, 0xd4, 
0x9b, 0x9e, 0x11, + 0x21, 0x73, 0x6f, 0xac, 0x1d, 0x60, 0x59, 0xb2, 0xfe, 0x21, 0x60, + 0xcc, 0x3, 0x4b, 0x4b, 0x67, 0x83, 0x7e, 0x88, 0x5f, 0x5a}, + }, + { + {0xb9, 0x43, 0xa6, 0xa0, 0xd3, 0x28, 0x96, 0x9e, 0x64, 0x20, 0xc3, + 0xe6, 0x0, 0xcb, 0xc3, 0xb5, 0x32, 0xec, 0x2d, 0x7c, 0x89, 0x2, + 0x53, 0x9b, 0xc, 0xc7, 0xd1, 0xd5, 0xe2, 0x7a, 0xe3, 0x43}, + {0x11, 0x3d, 0xa1, 0x70, 0xcf, 0x1, 0x63, 0x8f, 0xc4, 0xd0, 0xd, + 0x35, 0x15, 0xb8, 0xce, 0xcf, 0x7e, 0xa4, 0xbc, 0xa4, 0xd4, 0x97, + 0x2, 0xf7, 0x34, 0x14, 0x4d, 0xe4, 0x56, 0xb6, 0x69, 0x36}, + {0x33, 0xe1, 0xa6, 0xed, 0x6, 0x3f, 0x7e, 0x38, 0xc0, 0x3a, 0xa1, + 0x99, 0x51, 0x1d, 0x30, 0x67, 0x11, 0x38, 0x26, 0x36, 0xf8, 0xd8, + 0x5a, 0xbd, 0xbe, 0xe9, 0xd5, 0x4f, 0xcd, 0xe6, 0x21, 0x6a}, + }, + { + {0xe3, 0xb2, 0x99, 0x66, 0x12, 0x29, 0x41, 0xef, 0x1, 0x13, 0x8d, + 0x70, 0x47, 0x8, 0xd3, 0x71, 0xbd, 0xb0, 0x82, 0x11, 0xd0, 0x32, + 0x54, 0x32, 0x36, 0x8b, 0x1e, 0x0, 0x7, 0x1b, 0x37, 0x45}, + {0x5f, 0xe6, 0x46, 0x30, 0xa, 0x17, 0xc6, 0xf1, 0x24, 0x35, 0xd2, + 0x0, 0x2a, 0x2a, 0x71, 0x58, 0x55, 0xb7, 0x82, 0x8c, 0x3c, 0xbd, + 0xdb, 0x69, 0x57, 0xff, 0x95, 0xa1, 0xf1, 0xf9, 0x6b, 0x58}, + {0xb, 0x79, 0xf8, 0x5e, 0x8d, 0x8, 0xdb, 0xa6, 0xe5, 0x37, 0x9, + 0x61, 0xdc, 0xf0, 0x78, 0x52, 0xb8, 0x6e, 0xa1, 0x61, 0xd2, 0x49, + 0x3, 0xac, 0x79, 0x21, 0xe5, 0x90, 0x37, 0xb0, 0xaf, 0xe}, + }, + { + {0x1d, 0xae, 0x75, 0xf, 0x5e, 0x80, 0x40, 0x51, 0x30, 0xcc, 0x62, + 0x26, 0xe3, 0xfb, 0x2, 0xec, 0x6d, 0x39, 0x92, 0xea, 0x1e, 0xdf, + 0xeb, 0x2c, 0xb3, 0x5b, 0x43, 0xc5, 0x44, 0x33, 0xae, 0x44}, + {0x2f, 0x4, 0x48, 0x37, 0xc1, 0x55, 0x5, 0x96, 0x11, 0xaa, 0xb, + 0x82, 0xe6, 0x41, 0x9a, 0x21, 0xc, 0x6d, 0x48, 0x73, 0x38, 0xf7, + 0x81, 0x1c, 0x61, 0xc6, 0x2, 0x5a, 0x67, 0xcc, 0x9a, 0x30}, + {0xee, 0x43, 0xa5, 0xbb, 0xb9, 0x89, 0xf2, 0x9c, 0x42, 0x71, 0xc9, + 0x5a, 0x9d, 0xe, 0x76, 0xf3, 0xaa, 0x60, 0x93, 0x4f, 0xc6, 0xe5, + 0x82, 0x1d, 0x8f, 0x67, 0x94, 0x7f, 0x1b, 0x22, 0xd5, 0x62}, + }, + { + {0x3c, 0x7a, 0xf7, 0x3a, 0x26, 0xd4, 
0x85, 0x75, 0x4d, 0x14, 0xe9, + 0xfe, 0x11, 0x7b, 0xae, 0xdf, 0x3d, 0x19, 0xf7, 0x59, 0x80, 0x70, + 0x6, 0xa5, 0x37, 0x20, 0x92, 0x83, 0x53, 0x9a, 0xf2, 0x14}, + {0x6d, 0x93, 0xd0, 0x18, 0x9c, 0x29, 0x4c, 0x52, 0xc, 0x1a, 0xc, + 0x8a, 0x6c, 0xb5, 0x6b, 0xc8, 0x31, 0x86, 0x4a, 0xdb, 0x2e, 0x5, + 0x75, 0xa3, 0x62, 0x45, 0x75, 0xbc, 0xe4, 0xfd, 0xe, 0x5c}, + {0xf5, 0xd7, 0xb2, 0x25, 0xdc, 0x7e, 0x71, 0xdf, 0x40, 0x30, 0xb5, + 0x99, 0xdb, 0x70, 0xf9, 0x21, 0x62, 0x4c, 0xed, 0xc3, 0xb7, 0x34, + 0x92, 0xda, 0x3e, 0x9, 0xee, 0x7b, 0x5c, 0x36, 0x72, 0x5e}, + }, + { + {0x3e, 0xb3, 0x8, 0x2f, 0x6, 0x39, 0x93, 0x7d, 0xbe, 0x32, 0x9f, + 0xdf, 0xe5, 0x59, 0x96, 0x5b, 0xfd, 0xbd, 0x9e, 0x1f, 0xad, 0x3d, + 0xff, 0xac, 0xb7, 0x49, 0x73, 0xcb, 0x55, 0x5, 0xb2, 0x70}, + {0x7f, 0x21, 0x71, 0x45, 0x7, 0xfc, 0x5b, 0x57, 0x5b, 0xd9, 0x94, + 0x6, 0x5d, 0x67, 0x79, 0x37, 0x33, 0x1e, 0x19, 0xf4, 0xbb, 0x37, + 0xa, 0x9a, 0xbc, 0xea, 0xb4, 0x47, 0x4c, 0x10, 0xf1, 0x77}, + {0x4c, 0x2c, 0x11, 0x55, 0xc5, 0x13, 0x51, 0xbe, 0xcd, 0x1f, 0x88, + 0x9a, 0x3a, 0x42, 0x88, 0x66, 0x47, 0x3b, 0x50, 0x5e, 0x85, 0x77, + 0x66, 0x44, 0x4a, 0x40, 0x6, 0x4a, 0x8f, 0x39, 0x34, 0xe}, + }, + { + {0x28, 0x19, 0x4b, 0x3e, 0x9, 0xb, 0x93, 0x18, 0x40, 0xf6, 0xf3, + 0x73, 0xe, 0xe1, 0xe3, 0x7d, 0x6f, 0x5d, 0x39, 0x73, 0xda, 0x17, + 0x32, 0xf4, 0x3e, 0x9c, 0x37, 0xca, 0xd6, 0xde, 0x8a, 0x6f}, + {0xe8, 0xbd, 0xce, 0x3e, 0xd9, 0x22, 0x7d, 0xb6, 0x7, 0x2f, 0x82, + 0x27, 0x41, 0xe8, 0xb3, 0x9, 0x8d, 0x6d, 0x5b, 0xb0, 0x1f, 0xa6, + 0x3f, 0x74, 0x72, 0x23, 0x36, 0x8a, 0x36, 0x5, 0x54, 0x5e}, + {0x9a, 0xb2, 0xb7, 0xfd, 0x3d, 0x12, 0x40, 0xe3, 0x91, 0xb2, 0x1a, + 0xa2, 0xe1, 0x97, 0x7b, 0x48, 0x9e, 0x94, 0xe6, 0xfd, 0x2, 0x7d, + 0x96, 0xf9, 0x97, 0xde, 0xd3, 0xc8, 0x2e, 0xe7, 0xd, 0x78}, + }, + { + {0x72, 0x27, 0xf4, 0x0, 0xf3, 0xea, 0x1f, 0x67, 0xaa, 0x41, 0x8c, + 0x2a, 0x2a, 0xeb, 0x72, 0x8f, 0x92, 0x32, 0x37, 0x97, 0xd7, 0x7f, + 0xa1, 0x29, 0xa6, 0x87, 0xb5, 0x32, 0xad, 0xc6, 0xef, 0x1d}, + {0xbc, 0xe7, 0x9a, 0x8, 0x45, 
0x85, 0xe2, 0xa, 0x6, 0x4d, 0x7f, + 0x1c, 0xcf, 0xde, 0x8d, 0x38, 0xb8, 0x11, 0x48, 0xa, 0x51, 0x15, + 0xac, 0x38, 0xe4, 0x8c, 0x92, 0x71, 0xf6, 0x8b, 0xb2, 0xe}, + {0xa7, 0x95, 0x51, 0xef, 0x1a, 0xbe, 0x5b, 0xaf, 0xed, 0x15, 0x7b, + 0x91, 0x77, 0x12, 0x8c, 0x14, 0x2e, 0xda, 0xe5, 0x7a, 0xfb, 0xf7, + 0x91, 0x29, 0x67, 0x28, 0xdd, 0xf8, 0x1b, 0x20, 0x7d, 0x46}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 2111017076203943, 1378760485794347, 1248583954016456, - 1352289194864422, 1895180776543896 -#else - 49357223, 31456605, 16544299, 20545132, 51194056, 18605350, - 18345766, 20150679, 16291480, 28240394 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 171348223915638, 662766099800389, 462338943760497, - 466917763340314, 656911292869115 -#else - 33879670, 2553287, 32678213, 9875984, 8534129, 6889387, - 57432090, 6957616, 4368891, 9788741 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 488623681976577, 866497561541722, 1708105560937768, - 1673781214218839, 1506146329818807 -#else - 16660737, 7281060, 56278106, 12911819, 20108584, 25452756, - 45386327, 24941283, 16250551, 22443329 -#endif - }}, + {0xa9, 0xe7, 0x7a, 0x56, 0xbd, 0xf4, 0x1e, 0xbc, 0xbd, 0x98, 0x44, + 0xd6, 0xb2, 0x4c, 0x62, 0x3f, 0xc8, 0x4e, 0x1f, 0x2c, 0xd2, 0x64, + 0x10, 0xe4, 0x1, 0x40, 0x38, 0xba, 0xa5, 0xc5, 0xf9, 0x2e}, + {0xad, 0x4f, 0xef, 0x74, 0x9a, 0x91, 0xfe, 0x95, 0xa2, 0x8, 0xa3, + 0xf6, 0xec, 0x7b, 0x82, 0x3a, 0x1, 0x7b, 0xa4, 0x9, 0xd3, 0x1, + 0x4e, 0x96, 0x97, 0xc7, 0xa3, 0x5b, 0x4f, 0x3c, 0xc4, 0x71}, + {0xcd, 0x74, 0x9e, 0xfa, 0xf6, 0x6d, 0xfd, 0xb6, 0x7a, 0x26, 0xaf, + 0xe4, 0xbc, 0x78, 0x82, 0xf1, 0xe, 0x99, 0xef, 0xf1, 0xd0, 0xb3, + 0x55, 0x82, 0x93, 0xf2, 0xc5, 0x90, 0xa3, 0x8c, 0x75, 0x5a}, + }, + { + {0x94, 0xdc, 0x61, 0x1d, 0x8b, 0x91, 0xe0, 0x8c, 0x66, 0x30, 0x81, + 0x9a, 0x46, 0x36, 0xed, 0x8d, 0xd3, 0xaa, 0xe8, 0xaf, 0x29, 0xa8, + 0xe6, 0xd4, 0x3f, 0xd4, 0x39, 0xf6, 0x27, 0x80, 0x73, 0xa}, + {0x95, 0x24, 0x46, 0xd9, 0x10, 0x27, 0xb7, 0xa2, 0x3, 0x50, 0x7d, + 0xd5, 0xd2, 
0xc6, 0xa8, 0x3a, 0xca, 0x87, 0xb4, 0xa0, 0xbf, 0x0, + 0xd4, 0xe3, 0xec, 0x72, 0xeb, 0xb3, 0x44, 0xe2, 0xba, 0x2d}, + {0xcc, 0xe1, 0xff, 0x57, 0x2f, 0x4a, 0xf, 0x98, 0x43, 0x98, 0x83, + 0xe1, 0xd, 0xd, 0x67, 0x0, 0xfd, 0x15, 0xfb, 0x49, 0x4a, 0x3f, + 0x5c, 0x10, 0x9c, 0xa6, 0x26, 0x51, 0x63, 0xca, 0x98, 0x26}, + }, + { + {0xe, 0xd9, 0x3d, 0x5e, 0x2f, 0x70, 0x3d, 0x2e, 0x86, 0x53, 0xd2, + 0xe4, 0x18, 0x9, 0x3f, 0x9e, 0x6a, 0xa9, 0x4d, 0x2, 0xf6, 0x3e, + 0x77, 0x5e, 0x32, 0x33, 0xfa, 0x4a, 0xc, 0x4b, 0x0, 0x3c}, + {0x78, 0xba, 0xb0, 0x32, 0x88, 0x31, 0x65, 0xe7, 0x8b, 0xff, 0x5c, + 0x92, 0xf7, 0x31, 0x18, 0x38, 0xcc, 0x1f, 0x29, 0xa0, 0x91, 0x1b, + 0xa8, 0x8, 0x7, 0xeb, 0xca, 0x49, 0xcc, 0x3d, 0xb4, 0x1f}, + {0x2b, 0xb8, 0xf4, 0x6, 0xac, 0x46, 0xa9, 0x9a, 0xf3, 0xc4, 0x6, + 0xa8, 0xa5, 0x84, 0xa2, 0x1c, 0x87, 0x47, 0xcd, 0xc6, 0x5f, 0x26, + 0xd3, 0x3e, 0x17, 0xd2, 0x1f, 0xcd, 0x1, 0xfd, 0x43, 0x6b}, + }, + { + {0xf3, 0xe, 0x76, 0x3e, 0x58, 0x42, 0xc7, 0xb5, 0x90, 0xb9, 0xa, + 0xee, 0xb9, 0x52, 0xdc, 0x75, 0x3f, 0x92, 0x2b, 0x7, 0xc2, 0x27, + 0x14, 0xbf, 0xf0, 0xd9, 0xf0, 0x6f, 0x2d, 0xb, 0x42, 0x73}, + {0x44, 0xc5, 0x97, 0x46, 0x4b, 0x5d, 0xa7, 0xc7, 0xbf, 0xff, 0xf, + 0xdf, 0x48, 0xf8, 0xfd, 0x15, 0x5a, 0x78, 0x46, 0xaa, 0xeb, 0xb9, + 0x68, 0x28, 0x14, 0xf7, 0x52, 0x5b, 0x10, 0xd7, 0x68, 0x5a}, + {0x6, 0x1e, 0x85, 0x9e, 0xcb, 0xf6, 0x2c, 0xaf, 0xc4, 0x38, 0x22, + 0xc6, 0x13, 0x39, 0x59, 0x8f, 0x73, 0xf3, 0xfb, 0x99, 0x96, 0xb8, + 0x8a, 0xda, 0x9e, 0xbc, 0x34, 0xea, 0x2f, 0x63, 0xb5, 0x3d}, + }, + { + {0xd5, 0x25, 0x98, 0x82, 0xb1, 0x90, 0x49, 0x2e, 0x91, 0x89, 0x9a, + 0x3e, 0x87, 0xeb, 0xea, 0xed, 0xf8, 0x4a, 0x70, 0x4c, 0x39, 0x3d, + 0xf0, 0xee, 0xe, 0x2b, 0xdf, 0x95, 0xa4, 0x7e, 0x19, 0x59}, + {0xd8, 0xd9, 0x5d, 0xf7, 0x2b, 0xee, 0x6e, 0xf4, 0xa5, 0x59, 0x67, + 0x39, 0xf6, 0xb1, 0x17, 0xd, 0x73, 0x72, 0x9e, 0x49, 0x31, 0xd1, + 0xf2, 0x1b, 0x13, 0x5f, 0xd7, 0x49, 0xdf, 0x1a, 0x32, 0x4}, + {0xae, 0x5a, 0xe5, 0xe4, 0x19, 0x60, 0xe1, 0x4, 0xe9, 0x92, 0x2f, + 0x7e, 
0x7a, 0x43, 0x7b, 0xe7, 0xa4, 0x9a, 0x15, 0x6f, 0xc1, 0x2d, + 0xce, 0xc7, 0xc0, 0xc, 0xd7, 0xf4, 0xc1, 0xfd, 0xea, 0x45}, + }, + { + {0xed, 0xb1, 0xcc, 0xcf, 0x24, 0x46, 0xe, 0xb6, 0x95, 0x3, 0x5c, + 0xbd, 0x92, 0xc2, 0xdb, 0x59, 0xc9, 0x81, 0x4, 0xdc, 0x1d, 0x9d, + 0xa0, 0x31, 0x40, 0xd9, 0x56, 0x5d, 0xea, 0xce, 0x73, 0x3f}, + {0x2b, 0xd7, 0x45, 0x80, 0x85, 0x1, 0x84, 0x69, 0x51, 0x6, 0x2f, + 0xcf, 0xa2, 0xfa, 0x22, 0x4c, 0xc6, 0x2d, 0x22, 0x6b, 0x65, 0x36, + 0x1a, 0x94, 0xde, 0xda, 0x62, 0x3, 0xc8, 0xeb, 0x5e, 0x5a}, + {0xc6, 0x8d, 0x4e, 0xa, 0xd1, 0xbf, 0xa7, 0xb7, 0x39, 0xb3, 0xc9, + 0x44, 0x7e, 0x0, 0x57, 0xbe, 0xfa, 0xae, 0x57, 0x15, 0x7f, 0x20, + 0xc1, 0x60, 0xdb, 0x18, 0x62, 0x26, 0x91, 0x88, 0x5, 0x26}, + }, + { + {0x42, 0xe5, 0x76, 0xc6, 0x3c, 0x8e, 0x81, 0x4c, 0xad, 0xcc, 0xce, + 0x3, 0x93, 0x2c, 0x42, 0x5e, 0x8, 0x9f, 0x12, 0xb4, 0xca, 0xcc, + 0x7, 0xec, 0xb8, 0x43, 0x44, 0xb2, 0x10, 0xfa, 0xed, 0xd}, + {0x4, 0xff, 0x60, 0x83, 0xa6, 0x4, 0xf7, 0x59, 0xf4, 0xe6, 0x61, + 0x76, 0xde, 0x3f, 0xd9, 0xc3, 0x51, 0x35, 0x87, 0x12, 0x73, 0x2a, + 0x1b, 0x83, 0x57, 0x5d, 0x61, 0x4e, 0x2e, 0xc, 0xad, 0x54}, + {0x2a, 0x52, 0x2b, 0xb8, 0xd5, 0x67, 0x3b, 0xee, 0xeb, 0xc1, 0xa5, + 0x9f, 0x46, 0x63, 0xf1, 0x36, 0xd3, 0x9f, 0xc1, 0x6e, 0xf2, 0xd2, + 0xb4, 0xa5, 0x8, 0x94, 0x7a, 0xa7, 0xba, 0xb2, 0xec, 0x62}, + }, + { + {0x74, 0x28, 0xb6, 0xaf, 0x36, 0x28, 0x7, 0x92, 0xa5, 0x4, 0xe1, + 0x79, 0x85, 0x5e, 0xcd, 0x5f, 0x4a, 0xa1, 0x30, 0xc6, 0xad, 0x1, + 0xad, 0x5a, 0x98, 0x3f, 0x66, 0x75, 0x50, 0x3d, 0x91, 0x61}, + {0x3d, 0x2b, 0x15, 0x61, 0x52, 0x79, 0xed, 0xe5, 0xd1, 0xd7, 0xdd, + 0xe, 0x7d, 0x35, 0x62, 0x49, 0x71, 0x4c, 0x6b, 0xb9, 0xd0, 0xc8, + 0x82, 0x74, 0xbe, 0xd8, 0x66, 0xa9, 0x19, 0xf9, 0x59, 0x2e}, + {0xda, 0x31, 0x32, 0x1a, 0x36, 0x2d, 0xc6, 0xd, 0x70, 0x2, 0x20, + 0x94, 0x32, 0x58, 0x47, 0xfa, 0xce, 0x94, 0x95, 0x3f, 0x51, 0x1, + 0xd8, 0x2, 0x5c, 0x5d, 0xc0, 0x31, 0xa1, 0xc2, 0xdb, 0x3d}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 160425464456957, 
950394373239689, 430497123340934, - 711676555398832, 320964687779005 -#else - 47343357, 2390525, 50557833, 14161979, 1905286, 6414907, - 4689584, 10604807, 36918461, 4782746 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 988979367990485, 1359729327576302, 1301834257246029, - 294141160829308, 29348272277475 -#else - 65754325, 14736940, 59741422, 20261545, 7710541, 19398842, - 57127292, 4383044, 22546403, 437323 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1434382743317910, 100082049942065, 221102347892623, - 186982837860588, 1305765053501834 -#else - 31665558, 21373968, 50922033, 1491338, 48740239, 3294681, - 27343084, 2786261, 36475274, 19457415 -#endif - }}, + {0x14, 0xbb, 0x96, 0x27, 0xa2, 0x57, 0xaa, 0xf3, 0x21, 0xda, 0x7, + 0x9b, 0xb7, 0xba, 0x3a, 0x88, 0x1c, 0x39, 0xa0, 0x31, 0x18, 0xe2, + 0x4b, 0xe5, 0xf9, 0x5, 0x32, 0xd8, 0x38, 0xfb, 0xe7, 0x5e}, + {0x4b, 0xc5, 0x5e, 0xce, 0xf9, 0xf, 0xdc, 0x9a, 0xd, 0x13, 0x2f, + 0x8c, 0x6b, 0x2a, 0x9c, 0x3, 0x15, 0x95, 0xf8, 0xf0, 0xc7, 0x7, + 0x80, 0x2, 0x6b, 0xb3, 0x4, 0xac, 0x14, 0x83, 0x96, 0x78}, + {0x8e, 0x6a, 0x44, 0x41, 0xcb, 0xfd, 0x8d, 0x53, 0xf9, 0x37, 0x49, + 0x43, 0xa9, 0xfd, 0xac, 0xa5, 0x78, 0x8c, 0x3c, 0x26, 0x8d, 0x90, + 0xaf, 0x46, 0x9, 0xd, 0xca, 0x9b, 0x3c, 0x63, 0xd0, 0x61}, + }, + { + {0xdf, 0x73, 0xfc, 0xf8, 0xbc, 0x28, 0xa3, 0xad, 0xfc, 0x37, 0xf0, + 0xa6, 0x5d, 0x69, 0x84, 0xee, 0x9, 0xa9, 0xc2, 0x38, 0xdb, 0xb4, + 0x7f, 0x63, 0xdc, 0x7b, 0x6, 0xf8, 0x2d, 0xac, 0x23, 0x5b}, + {0x66, 0x25, 0xdb, 0xff, 0x35, 0x49, 0x74, 0x63, 0xbb, 0x68, 0xb, + 0x78, 0x89, 0x6b, 0xbd, 0xc5, 0x3, 0xec, 0x3e, 0x55, 0x80, 0x32, + 0x1b, 0x6f, 0xf5, 0xd7, 0xae, 0x47, 0xd8, 0x5f, 0x96, 0x6e}, + {0x7b, 0x52, 0x80, 0xee, 0x53, 0xb9, 0xd2, 0x9a, 0x8d, 0x6d, 0xde, + 0xfa, 0xaa, 0x19, 0x8f, 0xe8, 0xcf, 0x82, 0xe, 0x15, 0x4, 0x17, + 0x71, 0xe, 0xdc, 0xde, 0x95, 0xdd, 0xb9, 0xbb, 0xb9, 0x79}, + }, + { + {0x74, 0x73, 0x9f, 0x8e, 0xae, 0x7d, 0x99, 0xd1, 0x16, 0x8, 0xbb, + 0xcf, 0xf8, 0xa2, 0x32, 0xa0, 0xa, 0x5f, 0x44, 0x6d, 
0x12, 0xba, + 0x6c, 0xcd, 0x34, 0xb8, 0xcc, 0xa, 0x46, 0x11, 0xa8, 0x1b}, + {0xc2, 0x26, 0x31, 0x6a, 0x40, 0x55, 0xb3, 0xeb, 0x93, 0xc3, 0xc8, + 0x68, 0xa8, 0x83, 0x63, 0xd2, 0x82, 0x7a, 0xb9, 0xe5, 0x29, 0x64, + 0xc, 0x6c, 0x47, 0x21, 0xfd, 0xc9, 0x58, 0xf1, 0x65, 0x50}, + {0x54, 0x99, 0x42, 0xc, 0xfb, 0x69, 0x81, 0x70, 0x67, 0xcf, 0x6e, + 0xd7, 0xac, 0x0, 0x46, 0xe1, 0xba, 0x45, 0xe6, 0x70, 0x8a, 0xb9, + 0xaa, 0x2e, 0xf2, 0xfa, 0xa4, 0x58, 0x9e, 0xf3, 0x81, 0x39}, + }, + { + {0xde, 0x6f, 0xe6, 0x6d, 0xa5, 0xdf, 0x45, 0xc8, 0x3a, 0x48, 0x40, + 0x2c, 0x0, 0xa5, 0x52, 0xe1, 0x32, 0xf6, 0xb4, 0xc7, 0x63, 0xe1, + 0xd2, 0xe9, 0x65, 0x1b, 0xbc, 0xdc, 0x2e, 0x45, 0xf4, 0x30}, + {0x93, 0xa, 0x23, 0x59, 0x75, 0x8a, 0xfb, 0x18, 0x5d, 0xf4, 0xe6, + 0x60, 0x69, 0x8f, 0x16, 0x1d, 0xb5, 0x3c, 0xa9, 0x14, 0x45, 0xa9, + 0x85, 0x3a, 0xfd, 0xd0, 0xac, 0x5, 0x37, 0x8, 0xdc, 0x38}, + {0x40, 0x97, 0x75, 0xc5, 0x82, 0x27, 0x6d, 0x85, 0xcc, 0xbe, 0x9c, + 0xf9, 0x69, 0x45, 0x13, 0xfa, 0x71, 0x4e, 0xea, 0xc0, 0x73, 0xfc, + 0x44, 0x88, 0x69, 0x24, 0x3f, 0x59, 0x1a, 0x9a, 0x2d, 0x63}, + }, + { + {0xa7, 0x84, 0xc, 0xed, 0x11, 0xfd, 0x9, 0xbf, 0x3a, 0x69, 0x9f, + 0xd, 0x81, 0x71, 0xf0, 0x63, 0x79, 0x87, 0xcf, 0x57, 0x2d, 0x8c, + 0x90, 0x21, 0xa2, 0x4b, 0xf6, 0x8a, 0xf2, 0x7d, 0x5a, 0x3a}, + {0xa6, 0xcb, 0x7, 0xb8, 0x15, 0x6b, 0xbb, 0xf6, 0xd7, 0xf0, 0x54, + 0xbc, 0xdf, 0xc7, 0x23, 0x18, 0xb, 0x67, 0x29, 0x6e, 0x3, 0x97, + 0x1d, 0xbb, 0x57, 0x4a, 0xed, 0x47, 0x88, 0xf4, 0x24, 0xb}, + {0xc7, 0xea, 0x1b, 0x51, 0xbe, 0xd4, 0xda, 0xdc, 0xf2, 0xcc, 0x26, + 0xed, 0x75, 0x80, 0x53, 0xa4, 0x65, 0x9a, 0x5f, 0x0, 0x9f, 0xff, + 0x9c, 0xe1, 0x63, 0x1f, 0x48, 0x75, 0x44, 0xf7, 0xfc, 0x34}, + }, + { + {0x98, 0xaa, 0xcf, 0x78, 0xab, 0x1d, 0xbb, 0xa5, 0xf2, 0x72, 0xb, + 0x19, 0x67, 0xa2, 0xed, 0x5c, 0x8e, 0x60, 0x92, 0xa, 0x11, 0xc9, + 0x9, 0x93, 0xb0, 0x74, 0xb3, 0x2f, 0x4, 0xa3, 0x19, 0x1}, + {0xca, 0x67, 0x97, 0x78, 0x4c, 0xe0, 0x97, 0xc1, 0x7d, 0x46, 0xd9, + 0x38, 0xcb, 0x4d, 0x71, 0xb8, 0xa8, 0x5f, 0xf9, 
0x83, 0x82, 0x88, + 0xde, 0x55, 0xf7, 0x63, 0xfa, 0x4d, 0x16, 0xdc, 0x3b, 0x3d}, + {0x7d, 0x17, 0xc2, 0xe8, 0x9c, 0xd8, 0xa2, 0x67, 0xc1, 0xd0, 0x95, + 0x68, 0xf6, 0xa5, 0x9d, 0x66, 0xb0, 0xa2, 0x82, 0xb2, 0xe5, 0x98, + 0x65, 0xf5, 0x73, 0xa, 0xe2, 0xed, 0xf1, 0x88, 0xc0, 0x56}, + }, + { + {0x2, 0x8f, 0xf3, 0x24, 0xac, 0x5f, 0x1b, 0x58, 0xbd, 0xc, 0xe3, + 0xba, 0xfe, 0xe9, 0xb, 0xa9, 0xf0, 0x92, 0xcf, 0x8a, 0x2, 0x69, + 0x21, 0x9a, 0x8f, 0x3, 0x59, 0x83, 0xa4, 0x7e, 0x8b, 0x3}, + {0x17, 0x6e, 0xa8, 0x10, 0x11, 0x3d, 0x6d, 0x33, 0xfa, 0xb2, 0x75, + 0xb, 0x32, 0x88, 0xf3, 0xd7, 0x88, 0x29, 0x7, 0x25, 0x76, 0x33, + 0x15, 0xf9, 0x87, 0x8b, 0x10, 0x99, 0x6b, 0x4c, 0x67, 0x9}, + {0xf8, 0x6f, 0x31, 0x99, 0x21, 0xf8, 0x4e, 0x9f, 0x4f, 0x8d, 0xa7, + 0xea, 0x82, 0xd2, 0x49, 0x2f, 0x74, 0x31, 0xef, 0x5a, 0xab, 0xa5, + 0x71, 0x9, 0x65, 0xeb, 0x69, 0x59, 0x2, 0x31, 0x5e, 0x6e}, + }, + { + {0x22, 0x62, 0x6, 0x63, 0xe, 0xfb, 0x4, 0x33, 0x3f, 0xba, 0xac, + 0x87, 0x89, 0x6, 0x35, 0xfb, 0xa3, 0x61, 0x10, 0x8c, 0x77, 0x24, + 0x19, 0xbd, 0x20, 0x86, 0x83, 0xd1, 0x43, 0xad, 0x58, 0x30}, + {0xfb, 0x93, 0xe5, 0x87, 0xf5, 0x62, 0x6c, 0xb1, 0x71, 0x3e, 0x5d, + 0xca, 0xde, 0xed, 0x99, 0x49, 0x6d, 0x3e, 0xcc, 0x14, 0xe0, 0xc1, + 0x91, 0xb4, 0xa8, 0xdb, 0xa8, 0x89, 0x47, 0x11, 0xf5, 0x8}, + {0xd0, 0x63, 0x76, 0xe5, 0xfd, 0xf, 0x3c, 0x32, 0x10, 0xa6, 0x2e, + 0xa2, 0x38, 0xdf, 0xc3, 0x5, 0x9a, 0x4f, 0x99, 0xac, 0xbd, 0x8a, + 0xc7, 0xbd, 0x99, 0xdc, 0xe3, 0xef, 0xa4, 0x9f, 0x54, 0x26}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 2205916462268190, 499863829790820, 961960554686616, - 158062762756985, 1841471168298305 -#else - 52641566, 32870716, 33734756, 7448551, 19294360, 14334329, - 47418233, 2355318, 47824193, 27440058 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1191737341426592, 1847042034978363, 1382213545049056, - 1039952395710448, 788812858896859 -#else - 15121312, 17758270, 6377019, 27523071, 56310752, 20596586, - 18952176, 15496498, 37728731, 11754227 -#endif - }}, - {{ -#if 
defined(OPENSSL_64_BIT) - 1346965964571152, 1291881610839830, 2142916164336056, - 786821641205979, 1571709146321039 -#else - 64471568, 20071356, 8488726, 19250536, 12728760, 31931939, - 7141595, 11724556, 22761615, 23420291 -#endif - }}, + {0x6e, 0x66, 0x3f, 0xaf, 0x49, 0x85, 0x46, 0xdb, 0xa5, 0xe, 0x4a, + 0xf1, 0x4, 0xcf, 0x7f, 0xd7, 0x47, 0xc, 0xba, 0xa4, 0xf7, 0x3f, + 0xf2, 0x3d, 0x85, 0x3c, 0xce, 0x32, 0xe1, 0xdf, 0x10, 0x3a}, + {0xd6, 0xf9, 0x6b, 0x1e, 0x46, 0x5a, 0x1d, 0x74, 0x81, 0xa5, 0x77, + 0x77, 0xfc, 0xb3, 0x5, 0x23, 0xd9, 0xd3, 0x74, 0x64, 0xa2, 0x74, + 0x55, 0xd4, 0xff, 0xe0, 0x1, 0x64, 0xdc, 0xe1, 0x26, 0x19}, + {0xa0, 0xce, 0x17, 0xea, 0x8a, 0x4e, 0x7f, 0xe0, 0xfd, 0xc1, 0x1f, + 0x3a, 0x46, 0x15, 0xd5, 0x2f, 0xf1, 0xc0, 0xf2, 0x31, 0xfd, 0x22, + 0x53, 0x17, 0x15, 0x5d, 0x1e, 0x86, 0x1d, 0xd0, 0xa1, 0x1f}, + }, + { + {0xab, 0x94, 0xdf, 0xd1, 0x0, 0xac, 0xdc, 0x38, 0xe9, 0xd, 0x8, + 0xd1, 0xdd, 0x2b, 0x71, 0x2e, 0x62, 0xe2, 0xd5, 0xfd, 0x3e, 0xe9, + 0x13, 0x7f, 0xe5, 0x1, 0x9a, 0xee, 0x18, 0xed, 0xfc, 0x73}, + {0x32, 0x98, 0x59, 0x7d, 0x94, 0x55, 0x80, 0xcc, 0x20, 0x55, 0xf1, + 0x37, 0xda, 0x56, 0x46, 0x1e, 0x20, 0x93, 0x5, 0x4e, 0x74, 0xf7, + 0xf6, 0x99, 0x33, 0xcf, 0x75, 0x6a, 0xbc, 0x63, 0x35, 0x77}, + {0xb3, 0x9c, 0x13, 0x63, 0x8, 0xe9, 0xb1, 0x6, 0xcd, 0x3e, 0xa0, + 0xc5, 0x67, 0xda, 0x93, 0xa4, 0x32, 0x89, 0x63, 0xad, 0xc8, 0xce, + 0x77, 0x8d, 0x44, 0x4f, 0x86, 0x1b, 0x70, 0x6b, 0x42, 0x1f}, + }, + { + {0x52, 0x25, 0xa1, 0x91, 0xc8, 0x35, 0x7e, 0xf1, 0x76, 0x9c, 0x5e, + 0x57, 0x53, 0x81, 0x6b, 0xb7, 0x3e, 0x72, 0x9b, 0xd, 0x6f, 0x40, + 0x83, 0xfa, 0x38, 0xe4, 0xa7, 0x3f, 0x1b, 0xbb, 0x76, 0xb}, + {0x1, 0x1c, 0x91, 0x41, 0x4c, 0x26, 0xc9, 0xef, 0x25, 0x2c, 0xa2, + 0x17, 0xb8, 0xb7, 0xa3, 0xf1, 0x47, 0x14, 0xf, 0xf3, 0x6b, 0xda, + 0x75, 0x58, 0x90, 0xb0, 0x31, 0x1d, 0x27, 0xf5, 0x1a, 0x4e}, + {0x9b, 0x93, 0x92, 0x7f, 0xf9, 0xc1, 0xb8, 0x8, 0x6e, 0xab, 0x44, + 0xd4, 0xcb, 0x71, 0x67, 0xbe, 0x17, 0x80, 0xbb, 0x99, 0x63, 0x64, + 0xe5, 0x22, 0x55, 
0xa9, 0x72, 0xb7, 0x1e, 0xd6, 0x6d, 0x7b}, + }, + { + {0xc7, 0xd2, 0x1, 0xab, 0xf9, 0xab, 0x30, 0x57, 0x18, 0x3b, 0x14, + 0x40, 0xdc, 0x76, 0xfb, 0x16, 0x81, 0xb2, 0xcb, 0xa0, 0x65, 0xbe, + 0x6c, 0x86, 0xfe, 0x6a, 0xff, 0x9b, 0x65, 0x9b, 0xfa, 0x53}, + {0x92, 0x3d, 0xf3, 0x50, 0xe8, 0xc1, 0xad, 0xb7, 0xcf, 0xd5, 0x8c, + 0x60, 0x4f, 0xfa, 0x98, 0x79, 0xdb, 0x5b, 0xfc, 0x8d, 0xbd, 0x2d, + 0x96, 0xad, 0x4f, 0x2f, 0x1d, 0xaf, 0xce, 0x9b, 0x3e, 0x70}, + {0x55, 0x54, 0x88, 0x94, 0xe9, 0xc8, 0x14, 0x6c, 0xe5, 0xd4, 0xae, + 0x65, 0x66, 0x5d, 0x3a, 0x84, 0xf1, 0x5a, 0xd6, 0xbc, 0x3e, 0xb7, + 0x1b, 0x18, 0x50, 0x1f, 0xc6, 0xc4, 0xe5, 0x93, 0x8d, 0x39}, + }, + { + {0xf2, 0xe3, 0xe7, 0xd2, 0x60, 0x7c, 0x87, 0xc3, 0xb1, 0x8b, 0x82, + 0x30, 0xa0, 0xaa, 0x34, 0x3b, 0x38, 0xf1, 0x9e, 0x73, 0xe7, 0x26, + 0x3e, 0x28, 0x77, 0x5, 0xc3, 0x2, 0x90, 0x9c, 0x9c, 0x69}, + {0xf3, 0x48, 0xe2, 0x33, 0x67, 0xd1, 0x4b, 0x1c, 0x5f, 0xa, 0xbf, + 0x15, 0x87, 0x12, 0x9e, 0xbd, 0x76, 0x3, 0xb, 0xa1, 0xf0, 0x8c, + 0x3f, 0xd4, 0x13, 0x1b, 0x19, 0xdf, 0x5d, 0x9b, 0xb0, 0x53}, + {0xcc, 0xf1, 0x46, 0x59, 0x23, 0xa7, 0x6, 0xf3, 0x7d, 0xd9, 0xe5, + 0xcc, 0xb5, 0x18, 0x17, 0x92, 0x75, 0xe9, 0xb4, 0x81, 0x47, 0xd2, + 0xcd, 0x28, 0x7, 0xd9, 0xcd, 0x6f, 0xc, 0xf3, 0xca, 0x51}, + }, + { + {0xc7, 0x54, 0xac, 0x18, 0x9a, 0xf9, 0x7a, 0x73, 0xf, 0xb3, 0x1c, + 0xc5, 0xdc, 0x78, 0x33, 0x90, 0xc7, 0xc, 0xe1, 0x4c, 0x33, 0xbc, + 0x89, 0x2b, 0x9a, 0xe9, 0xf8, 0x89, 0xc1, 0x29, 0xae, 0x12}, + {0xa, 0xe0, 0x74, 0x76, 0x42, 0xa7, 0xb, 0xa6, 0xf3, 0x7b, 0x7a, + 0xa1, 0x70, 0x85, 0xe, 0x63, 0xcc, 0x24, 0x33, 0xcf, 0x3d, 0x56, + 0x58, 0x37, 0xaa, 0xfd, 0x83, 0x23, 0x29, 0xaa, 0x4, 0x55}, + {0xcf, 0x1, 0xd, 0x1f, 0xcb, 0xc0, 0x9e, 0xa9, 0xae, 0xf7, 0x34, + 0x3a, 0xcc, 0xef, 0xd1, 0xd, 0x22, 0x4e, 0x9c, 0xd0, 0x21, 0x75, + 0xca, 0x55, 0xea, 0xa5, 0xeb, 0x58, 0xe9, 0x4f, 0xd1, 0x5f}, + }, + { + {0x8e, 0xcb, 0x93, 0xbf, 0x5e, 0xfe, 0x42, 0x3c, 0x5f, 0x56, 0xd4, + 0x36, 0x51, 0xa8, 0xdf, 0xbe, 0xe8, 0x20, 0x42, 0x88, 0x9e, 0x85, + 
0xf0, 0xe0, 0x28, 0xd1, 0x25, 0x7, 0x96, 0x3f, 0xd7, 0x7d}, + {0x2c, 0xab, 0x45, 0x28, 0xdf, 0x2d, 0xdc, 0xb5, 0x93, 0xe9, 0x7f, + 0xa, 0xb1, 0x91, 0x94, 0x6, 0x46, 0xe3, 0x2, 0x40, 0xd6, 0xf3, + 0xaa, 0x4d, 0xd1, 0x74, 0x64, 0x58, 0x6e, 0xf2, 0x3f, 0x9}, + {0x29, 0x98, 0x5, 0x68, 0xfe, 0x24, 0xd, 0xb1, 0xe5, 0x23, 0xaf, + 0xdb, 0x72, 0x6, 0x73, 0x75, 0x29, 0xac, 0x57, 0xb4, 0x3a, 0x25, + 0x67, 0x13, 0xa4, 0x70, 0xb4, 0x86, 0xbc, 0xbc, 0x59, 0x2f}, + }, + { + {0x1, 0xc3, 0x91, 0xb6, 0x60, 0xd5, 0x41, 0x70, 0x1e, 0xe7, 0xd7, + 0xad, 0x3f, 0x1b, 0x20, 0x85, 0x85, 0x55, 0x33, 0x11, 0x63, 0xe1, + 0xc2, 0x16, 0xb1, 0x28, 0x8, 0x1, 0x3d, 0x5e, 0xa5, 0x2a}, + {0x5f, 0x13, 0x17, 0x99, 0x42, 0x7d, 0x84, 0x83, 0xd7, 0x3, 0x7d, + 0x56, 0x1f, 0x91, 0x1b, 0xad, 0xd1, 0xaa, 0x77, 0xbe, 0xd9, 0x48, + 0x77, 0x7e, 0x4a, 0xaf, 0x51, 0x2e, 0x2e, 0xb4, 0x58, 0x54}, + {0x4f, 0x44, 0x7, 0xc, 0xe6, 0x92, 0x51, 0xed, 0x10, 0x1d, 0x42, + 0x74, 0x2d, 0x4e, 0xc5, 0x42, 0x64, 0xc8, 0xb5, 0xfd, 0x82, 0x4c, + 0x2b, 0x35, 0x64, 0x86, 0x76, 0x8a, 0x4a, 0x0, 0xe9, 0x13}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 787164375951248, 202869205373189, 1356590421032140, - 1431233331032510, 786341368775957 -#else - 16918416, 11729663, 49025285, 3022986, 36093132, 20214772, - 38367678, 21327038, 32851221, 11717399 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 492448143532951, 304105152670757, 1761767168301056, - 233782684697790, 1981295323106089 -#else - 11166615, 7338049, 60386341, 4531519, 37640192, 26252376, - 31474878, 3483633, 65915689, 29523600 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 665807507761866, 1343384868355425, 895831046139653, - 439338948736892, 1986828765695105 -#else - 66923210, 9921304, 31456609, 20017994, 55095045, 13348922, - 33142652, 6546660, 47123585, 29606055 -#endif - }}, + {0x7f, 0x87, 0x3b, 0x19, 0xc9, 0x0, 0x2e, 0xbb, 0x6b, 0x50, 0xdc, + 0xe0, 0x90, 0xa8, 0xe3, 0xec, 0x9f, 0x64, 0xde, 0x36, 0xc0, 0xb7, + 0xf3, 0xec, 0x1a, 0x9e, 0xde, 0x98, 0x8, 0x4, 0x46, 
0x5f}, + {0xdb, 0xce, 0x2f, 0x83, 0x45, 0x88, 0x9d, 0x73, 0x63, 0xf8, 0x6b, + 0xae, 0xc9, 0xd6, 0x38, 0xfa, 0xf7, 0xfe, 0x4f, 0xb7, 0xca, 0xd, + 0xbc, 0x32, 0x5e, 0xe4, 0xbc, 0x14, 0x88, 0x7e, 0x93, 0x73}, + {0x8d, 0xf4, 0x7b, 0x29, 0x16, 0x71, 0x3, 0xb9, 0x34, 0x68, 0xf0, + 0xd4, 0x22, 0x3b, 0xd1, 0xa9, 0xc6, 0xbd, 0x96, 0x46, 0x57, 0x15, + 0x97, 0xe1, 0x35, 0xe8, 0xd5, 0x91, 0xe8, 0xa4, 0xf8, 0x2c}, + }, + { + {0xa2, 0x6b, 0xd0, 0x17, 0x7e, 0x48, 0xb5, 0x2c, 0x6b, 0x19, 0x50, + 0x39, 0x1c, 0x38, 0xd2, 0x24, 0x30, 0x8a, 0x97, 0x85, 0x81, 0x9c, + 0x65, 0xd7, 0xf6, 0xa4, 0xd6, 0x91, 0x28, 0x7f, 0x6f, 0x7a}, + {0x67, 0xf, 0x11, 0x7, 0x87, 0xfd, 0x93, 0x6d, 0x49, 0xb5, 0x38, + 0x7c, 0xd3, 0x9, 0x4c, 0xdd, 0x86, 0x6a, 0x73, 0xc2, 0x4c, 0x6a, + 0xb1, 0x7c, 0x9, 0x2a, 0x25, 0x58, 0x6e, 0xbd, 0x49, 0x20}, + {0x49, 0xef, 0x9a, 0x6a, 0x8d, 0xfd, 0x9, 0x7d, 0xb, 0xb9, 0x3d, + 0x5b, 0xbe, 0x60, 0xee, 0xf0, 0xd4, 0xbf, 0x9e, 0x51, 0x2c, 0xb5, + 0x21, 0x4c, 0x1d, 0x94, 0x45, 0xc5, 0xdf, 0xaa, 0x11, 0x60}, + }, + { + {0x90, 0xf8, 0xcb, 0x2, 0xc8, 0xd0, 0xde, 0x63, 0xaa, 0x6a, 0xff, + 0xd, 0xca, 0x98, 0xd0, 0xfb, 0x99, 0xed, 0xb6, 0xb9, 0xfd, 0xa, + 0x4d, 0x62, 0x1e, 0xb, 0x34, 0x79, 0xb7, 0x18, 0xce, 0x69}, + {0x3c, 0xf8, 0x95, 0xcf, 0x6d, 0x92, 0x67, 0x5f, 0x71, 0x90, 0x28, + 0x71, 0x61, 0x85, 0x7e, 0x7c, 0x5b, 0x7a, 0x8f, 0x99, 0xf3, 0xe7, + 0xa1, 0xd6, 0xe0, 0xf9, 0x62, 0xb, 0x1b, 0xcc, 0xc5, 0x6f}, + {0xcb, 0x79, 0x98, 0xb2, 0x28, 0x55, 0xef, 0xd1, 0x92, 0x90, 0x7e, + 0xd4, 0x3c, 0xae, 0x1a, 0xdd, 0x52, 0x23, 0x9f, 0x18, 0x42, 0x4, + 0x7e, 0x12, 0xf1, 0x1, 0x71, 0xe5, 0x3a, 0x6b, 0x59, 0x15}, + }, + { + {0xca, 0x24, 0x51, 0x7e, 0x16, 0x31, 0xff, 0x9, 0xdf, 0x45, 0xc7, + 0xd9, 0x8b, 0x15, 0xe4, 0xb, 0xe5, 0x56, 0xf5, 0x7e, 0x22, 0x7d, + 0x2b, 0x29, 0x38, 0xd1, 0xb6, 0xaf, 0x41, 0xe2, 0xa4, 0x3a}, + {0xa2, 0x79, 0x91, 0x3f, 0xd2, 0x39, 0x27, 0x46, 0xcf, 0xdd, 0xd6, + 0x97, 0x31, 0x12, 0x83, 0xff, 0x8a, 0x14, 0xf2, 0x53, 0xb5, 0xde, + 0x7, 0x13, 0xda, 0x4d, 0x5f, 0x7b, 0x68, 
0x37, 0x22, 0xd}, + {0xf5, 0x5, 0x33, 0x2a, 0xbf, 0x38, 0xc1, 0x2c, 0xc3, 0x26, 0xe9, + 0xa2, 0x8f, 0x3f, 0x58, 0x48, 0xeb, 0xd2, 0x49, 0x55, 0xa2, 0xb1, + 0x3a, 0x8, 0x6c, 0xa3, 0x87, 0x46, 0x6e, 0xaa, 0xfc, 0x32}, + }, + { + {0xdf, 0xcc, 0x87, 0x27, 0x73, 0xa4, 0x7, 0x32, 0xf8, 0xe3, 0x13, + 0xf2, 0x8, 0x19, 0xe3, 0x17, 0x4e, 0x96, 0xd, 0xf6, 0xd7, 0xec, + 0xb2, 0xd5, 0xe9, 0xb, 0x60, 0xc2, 0x36, 0x63, 0x6f, 0x74}, + {0xf5, 0x9a, 0x7d, 0xc5, 0x8d, 0x6e, 0xc5, 0x7b, 0xf2, 0xbd, 0xf0, + 0x9d, 0xed, 0xd2, 0xb, 0x3e, 0xa3, 0xe4, 0xef, 0x22, 0xde, 0x14, + 0xc0, 0xaa, 0x5c, 0x6a, 0xbd, 0xfe, 0xce, 0xe9, 0x27, 0x46}, + {0x1c, 0x97, 0x6c, 0xab, 0x45, 0xf3, 0x4a, 0x3f, 0x1f, 0x73, 0x43, + 0x99, 0x72, 0xeb, 0x88, 0xe2, 0x6d, 0x18, 0x44, 0x3, 0x8a, 0x6a, + 0x59, 0x33, 0x93, 0x62, 0xd6, 0x7e, 0x0, 0x17, 0x49, 0x7b}, + }, + { + {0xdd, 0xa2, 0x53, 0xdd, 0x28, 0x1b, 0x34, 0x54, 0x3f, 0xfc, 0x42, + 0xdf, 0x5b, 0x90, 0x17, 0xaa, 0xf4, 0xf8, 0xd2, 0x4d, 0xd9, 0x92, + 0xf5, 0xf, 0x7d, 0xd3, 0x8c, 0xe0, 0xf, 0x62, 0x3, 0x1d}, + {0x64, 0xb0, 0x84, 0xab, 0x5c, 0xfb, 0x85, 0x2d, 0x14, 0xbc, 0xf3, + 0x89, 0xd2, 0x10, 0x78, 0x49, 0xc, 0xce, 0x15, 0x7b, 0x44, 0xdc, + 0x6a, 0x47, 0x7b, 0xfd, 0x44, 0xf8, 0x76, 0xa3, 0x2b, 0x12}, + {0x54, 0xe5, 0xb4, 0xa2, 0xcd, 0x32, 0x2, 0xc2, 0x7f, 0x18, 0x5d, + 0x11, 0x42, 0xfd, 0xd0, 0x9e, 0xd9, 0x79, 0xd4, 0x7d, 0xbe, 0xb4, + 0xab, 0x2e, 0x4c, 0xec, 0x68, 0x2b, 0xf5, 0xb, 0xc7, 0x2}, + }, + { + {0xe1, 0x72, 0x8d, 0x45, 0xbf, 0x32, 0xe5, 0xac, 0xb5, 0x3c, 0xb7, + 0x7c, 0xe0, 0x68, 0xe7, 0x5b, 0xe7, 0xbd, 0x8b, 0xee, 0x94, 0x7d, + 0xcf, 0x56, 0x3, 0x3a, 0xb4, 0xfe, 0xe3, 0x97, 0x6, 0x6b}, + {0xbb, 0x2f, 0xb, 0x5d, 0x4b, 0xec, 0x87, 0xa2, 0xca, 0x82, 0x48, + 0x7, 0x90, 0x57, 0x5c, 0x41, 0x5c, 0x81, 0xd0, 0xc1, 0x1e, 0xa6, + 0x44, 0xe0, 0xe0, 0xf5, 0x9e, 0x40, 0xa, 0x4f, 0x33, 0x26}, + {0xc0, 0xa3, 0x62, 0xdf, 0x4a, 0xf0, 0xc8, 0xb6, 0x5d, 0xa4, 0x6d, + 0x7, 0xef, 0x0, 0xf0, 0x3e, 0xa9, 0xd2, 0xf0, 0x49, 0x58, 0xb9, + 0x9c, 0x9c, 0xae, 0x2f, 0x1b, 0x44, 
0x43, 0x7f, 0xc3, 0x1c}, + }, + { + {0xb9, 0xae, 0xce, 0xc9, 0xf1, 0x56, 0x66, 0xd7, 0x6a, 0x65, 0xe5, + 0x18, 0xf8, 0x15, 0x5b, 0x1c, 0x34, 0x23, 0x4c, 0x84, 0x32, 0x28, + 0xe7, 0x26, 0x38, 0x68, 0x19, 0x2f, 0x77, 0x6f, 0x34, 0x3a}, + {0x4f, 0x32, 0xc7, 0x5c, 0x5a, 0x56, 0x8f, 0x50, 0x22, 0xa9, 0x6, + 0xe5, 0xc0, 0xc4, 0x61, 0xd0, 0x19, 0xac, 0x45, 0x5c, 0xdb, 0xab, + 0x18, 0xfb, 0x4a, 0x31, 0x80, 0x3, 0xc1, 0x9, 0x68, 0x6c}, + {0xc8, 0x6a, 0xda, 0xe2, 0x12, 0x51, 0xd5, 0xd2, 0xed, 0x51, 0xe8, + 0xb1, 0x31, 0x3, 0xbd, 0xe9, 0x62, 0x72, 0xc6, 0x8e, 0xdd, 0x46, + 0x7, 0x96, 0xd0, 0xc5, 0xf7, 0x6e, 0x9f, 0x1b, 0x91, 0x5}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 756096210874553, 1721699973539149, 258765301727885, - 1390588532210645, 1212530909934781 -#else - 34648249, 11266711, 55911757, 25655328, 31703693, 3855903, - 58571733, 20721383, 36336829, 18068118 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 852891097972275, 1816988871354562, 1543772755726524, - 1174710635522444, 202129090724628 -#else - 49102387, 12709067, 3991746, 27075244, 45617340, 23004006, - 35973516, 17504552, 10928916, 3011958 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1205281565824323, 22430498399418, 992947814485516, - 1392458699738672, 688441466734558 -#else - 60151107, 17960094, 31696058, 334240, 29576716, 14796075, - 36277808, 20749251, 18008030, 10258577 -#endif - }}, + {0xef, 0xea, 0x2e, 0x51, 0xf3, 0xac, 0x49, 0x53, 0x49, 0xcb, 0xc1, + 0x1c, 0xd3, 0x41, 0xc1, 0x20, 0x8d, 0x68, 0x9a, 0xa9, 0x7, 0xc, + 0x18, 0x24, 0x17, 0x2d, 0x4b, 0xc6, 0xd1, 0xf9, 0x5e, 0x55}, + {0xbb, 0xe, 0xdf, 0xf5, 0x83, 0x99, 0x33, 0xc1, 0xac, 0x4c, 0x2c, + 0x51, 0x8f, 0x75, 0xf3, 0xc0, 0xe1, 0x98, 0xb3, 0xb, 0xa, 0x13, + 0xf1, 0x2c, 0x62, 0xc, 0x27, 0xaa, 0xf9, 0xec, 0x3c, 0x6b}, + {0x8, 0xbd, 0x73, 0x3b, 0xba, 0x70, 0xa7, 0x36, 0xc, 0xbf, 0xaf, + 0xa3, 0x8, 0xef, 0x4a, 0x62, 0xf2, 0x46, 0x9, 0xb4, 0x98, 0xff, + 0x37, 0x57, 0x9d, 0x74, 0x81, 0x33, 0xe1, 0x4d, 0x5f, 0x67}, + }, + { + {0x1d, 0xb3, 
0xda, 0x3b, 0xd9, 0xf6, 0x2f, 0xa1, 0xfe, 0x2d, 0x65, + 0x9d, 0xf, 0xd8, 0x25, 0x7, 0x87, 0x94, 0xbe, 0x9a, 0xf3, 0x4f, + 0x9c, 0x1, 0x43, 0x3c, 0xcd, 0x82, 0xb8, 0x50, 0xf4, 0x60}, + {0xfc, 0x82, 0x17, 0x6b, 0x3, 0x52, 0x2c, 0xe, 0xb4, 0x83, 0xad, + 0x6c, 0x81, 0x6c, 0x81, 0x64, 0x3e, 0x7, 0x64, 0x69, 0xd9, 0xbd, + 0xdc, 0xd0, 0x20, 0xc5, 0x64, 0x1, 0xf7, 0x9d, 0xd9, 0x13}, + {0xca, 0xc0, 0xe5, 0x21, 0xc3, 0x5e, 0x4b, 0x1, 0xa2, 0xbf, 0x19, + 0xd7, 0xc9, 0x69, 0xcb, 0x4f, 0xa0, 0x23, 0x0, 0x75, 0x18, 0x1c, + 0x5f, 0x4e, 0x80, 0xac, 0xed, 0x55, 0x9e, 0xde, 0x6, 0x1c}, + }, + { + {0xaa, 0x69, 0x6d, 0xff, 0x40, 0x2b, 0xd5, 0xff, 0xbb, 0x49, 0x40, + 0xdc, 0x18, 0xb, 0x53, 0x34, 0x97, 0x98, 0x4d, 0xa3, 0x2f, 0x5c, + 0x4a, 0x5e, 0x2d, 0xba, 0x32, 0x7d, 0x8e, 0x6f, 0x9, 0x78}, + {0xe2, 0xc4, 0x3e, 0xa3, 0xd6, 0x7a, 0xf, 0x99, 0x8e, 0xe0, 0x2e, + 0xbe, 0x38, 0xf9, 0x8, 0x66, 0x15, 0x45, 0x28, 0x63, 0xc5, 0x43, + 0xa1, 0x9c, 0xd, 0xb6, 0x2d, 0xec, 0x1f, 0x8a, 0xf3, 0x4c}, + {0xe7, 0x5c, 0xfa, 0xd, 0x65, 0xaa, 0xaa, 0xa0, 0x8c, 0x47, 0xb5, + 0x48, 0x2a, 0x9e, 0xc4, 0xf9, 0x5b, 0x72, 0x3, 0x70, 0x7d, 0xcc, + 0x9, 0x4f, 0xbe, 0x1a, 0x9, 0x26, 0x3a, 0xad, 0x3c, 0x37}, + }, + { + {0xad, 0xbb, 0xdd, 0x89, 0xfb, 0xa8, 0xbe, 0xf1, 0xcb, 0xae, 0xae, + 0x61, 0xbc, 0x2c, 0xcb, 0x3b, 0x9d, 0x8d, 0x9b, 0x1f, 0xbb, 0xa7, + 0x58, 0x8f, 0x86, 0xa6, 0x12, 0x51, 0xda, 0x7e, 0x54, 0x21}, + {0x7c, 0xf5, 0xc9, 0x82, 0x4d, 0x63, 0x94, 0xb2, 0x36, 0x45, 0x93, + 0x24, 0xe1, 0xfd, 0xcb, 0x1f, 0x5a, 0xdb, 0x8c, 0x41, 0xb3, 0x4d, + 0x9c, 0x9e, 0xfc, 0x19, 0x44, 0x45, 0xd9, 0xf3, 0x40, 0x0}, + {0xd3, 0x86, 0x59, 0xfd, 0x39, 0xe9, 0xfd, 0xde, 0xc, 0x38, 0xa, + 0x51, 0x89, 0x2c, 0x27, 0xf4, 0xb9, 0x19, 0x31, 0xbb, 0x7, 0xa4, + 0x2b, 0xb7, 0xf4, 0x4d, 0x25, 0x4a, 0x33, 0xa, 0x55, 0x63}, + }, + { + {0x49, 0x7b, 0x54, 0x72, 0x45, 0x58, 0xba, 0x9b, 0xe0, 0x8, 0xc4, + 0xe2, 0xfa, 0xc6, 0x5, 0xf3, 0x8d, 0xf1, 0x34, 0xc7, 0x69, 0xfa, + 0xe8, 0x60, 0x7a, 0x76, 0x7d, 0xaa, 0xaf, 0x2b, 0xa9, 0x39}, + {0x37, 
0xcf, 0x69, 0xb5, 0xed, 0xd6, 0x7, 0x65, 0xe1, 0x2e, 0xa5, + 0xc, 0xb0, 0x29, 0x84, 0x17, 0x5d, 0xd6, 0x6b, 0xeb, 0x90, 0x0, + 0x7c, 0xea, 0x51, 0x8f, 0xf7, 0xda, 0xc7, 0x62, 0xea, 0x3e}, + {0x4e, 0x27, 0x93, 0xe6, 0x13, 0xc7, 0x24, 0x9d, 0x75, 0xd3, 0xdb, + 0x68, 0x77, 0x85, 0x63, 0x5f, 0x9a, 0xb3, 0x8a, 0xeb, 0x60, 0x55, + 0x52, 0x70, 0xcd, 0xc4, 0xc9, 0x65, 0x6, 0x6a, 0x43, 0x68}, + }, + { + {0x7c, 0x10, 0x20, 0xe8, 0x17, 0xd3, 0x56, 0x1e, 0x65, 0xe9, 0xa, + 0x84, 0x44, 0x68, 0x26, 0xc5, 0x7a, 0xfc, 0xf, 0x32, 0xc6, 0xa1, + 0xe0, 0xc1, 0x72, 0x14, 0x61, 0x91, 0x9c, 0x66, 0x73, 0x53}, + {0x27, 0x3f, 0x2f, 0x20, 0xe8, 0x35, 0x2, 0xbc, 0xb0, 0x75, 0xf9, + 0x64, 0xe2, 0x0, 0x5c, 0xc7, 0x16, 0x24, 0x8c, 0xa3, 0xd5, 0xe9, + 0xa4, 0x91, 0xf9, 0x89, 0xb7, 0x8a, 0xf6, 0xe7, 0xb6, 0x17}, + {0x57, 0x52, 0xe, 0x9a, 0xab, 0x14, 0x28, 0x5d, 0xfc, 0xb3, 0xca, + 0xc9, 0x84, 0x20, 0x8f, 0x90, 0xca, 0x1e, 0x2d, 0x5b, 0x88, 0xf5, + 0xca, 0xaf, 0x11, 0x7d, 0xf8, 0x78, 0xa6, 0xb5, 0xb4, 0x1c}, + }, + { + {0xe7, 0x7, 0xa0, 0xa2, 0x62, 0xaa, 0x74, 0x6b, 0xb1, 0xc7, 0x71, + 0xf0, 0xb0, 0xe0, 0x11, 0xf3, 0x23, 0xe2, 0xb, 0x0, 0x38, 0xe4, + 0x7, 0x57, 0xac, 0x6e, 0xef, 0x82, 0x2d, 0xfd, 0xc0, 0x2d}, + {0x6c, 0xfc, 0x4a, 0x39, 0x6b, 0xc0, 0x64, 0xb6, 0xb1, 0x5f, 0xda, + 0x98, 0x24, 0xde, 0x88, 0xc, 0x34, 0xd8, 0xca, 0x4b, 0x16, 0x3, + 0x8d, 0x4f, 0xa2, 0x34, 0x74, 0xde, 0x78, 0xca, 0xb, 0x33}, + {0x4e, 0x74, 0x19, 0x11, 0x84, 0xff, 0x2e, 0x98, 0x24, 0x47, 0x7, + 0x2b, 0x96, 0x5e, 0x69, 0xf9, 0xfb, 0x53, 0xc9, 0xbf, 0x4f, 0xc1, + 0x8a, 0xc5, 0xf5, 0x1c, 0x9f, 0x36, 0x1b, 0xbe, 0x31, 0x3c}, + }, + { + {0x72, 0x42, 0xcb, 0xf9, 0x93, 0xbc, 0x68, 0xc1, 0x98, 0xdb, 0xce, + 0xc7, 0x1f, 0x71, 0xb8, 0xae, 0x7a, 0x8d, 0xac, 0x34, 0xaa, 0x52, + 0xe, 0x7f, 0xbb, 0x55, 0x7d, 0x7e, 0x9, 0xc1, 0xce, 0x41}, + {0xee, 0x8a, 0x94, 0x8, 0x4d, 0x86, 0xf4, 0xb0, 0x6f, 0x1c, 0xba, + 0x91, 0xee, 0x19, 0xdc, 0x7, 0x58, 0xa1, 0xac, 0xa6, 0xae, 0xcd, + 0x75, 0x79, 0xbb, 0xd4, 0x62, 0x42, 0x13, 0x61, 0xb, 0x33}, + 
{0x8a, 0x80, 0x6d, 0xa2, 0xd7, 0x19, 0x96, 0xf7, 0x6d, 0x15, 0x9e, + 0x1d, 0x9e, 0xd4, 0x1f, 0xbb, 0x27, 0xdf, 0xa1, 0xdb, 0x6c, 0xc3, + 0xd7, 0x73, 0x7d, 0x77, 0x28, 0x1f, 0xd9, 0x4c, 0xb4, 0x26}, }, + }, + { { - {{ -#if defined(OPENSSL_64_BIT) - 1050627428414972, 1955849529137135, 2171162376368357, - 91745868298214, 447733118757826 -#else - 44660220, 15655568, 7018479, 29144429, 36794597, 32352840, - 65255398, 1367119, 25127874, 6671743 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1287181461435438, 622722465530711, 880952150571872, - 741035693459198, 311565274989772 -#else - 29701166, 19180498, 56230743, 9279287, 67091296, 13127209, - 21382910, 11042292, 25838796, 4642684 -#endif - }}, - {{ -#if defined(OPENSSL_64_BIT) - 1003649078149734, 545233927396469, 1849786171789880, - 1318943684880434, 280345687170552 -#else - 46678630, 14955536, 42982517, 8124618, 61739576, 27563961, - 30468146, 19653792, 18423288, 4177476 -#endif - }}, + {0x83, 0x3, 0x73, 0x62, 0x93, 0xf2, 0xb7, 0xe1, 0x2c, 0x8a, 0xca, + 0xeb, 0xff, 0x79, 0x52, 0x4b, 0x14, 0x13, 0xd4, 0xbf, 0x8a, 0x77, + 0xfc, 0xda, 0xf, 0x61, 0x72, 0x9c, 0x14, 0x10, 0xeb, 0x7d}, + {0x75, 0x74, 0x38, 0x8f, 0x47, 0x48, 0xf0, 0x51, 0x3c, 0xcb, 0xbe, + 0x9c, 0xf4, 0xbc, 0x5d, 0xb2, 0x55, 0x20, 0x9f, 0xd9, 0x44, 0x12, + 0xab, 0x9a, 0xd6, 0xa5, 0x10, 0x1c, 0x6c, 0x9e, 0x70, 0x2c}, + {0x7a, 0xee, 0x66, 0x87, 0x6a, 0xaf, 0x62, 0xcb, 0xe, 0xcd, 0x53, + 0x55, 0x4, 0xec, 0xcb, 0x66, 0xb5, 0xe4, 0xb, 0xf, 0x38, 0x1, + 0x80, 0x58, 0xea, 0xe2, 0x2c, 0xf6, 0x9f, 0x8e, 0xe6, 0x8}, + }, + { + {0xf9, 0xf2, 0xb8, 0xa, 0xd5, 0x9, 0x2d, 0x2f, 0xdf, 0x23, 0x59, + 0xc5, 0x8d, 0x21, 0xb9, 0xac, 0xb9, 0x6c, 0x76, 0x73, 0x26, 0x34, + 0x8f, 0x4a, 0xf5, 0x19, 0xf7, 0x38, 0xd7, 0x3b, 0xb1, 0x4c}, + {0xad, 0x30, 0xc1, 0x4b, 0xa, 0x50, 0xad, 0x34, 0x9c, 0xd4, 0xb, + 0x3d, 0x49, 0xdb, 0x38, 0x8d, 0xbe, 0x89, 0xa, 0x50, 0x98, 0x3d, + 0x5c, 0xa2, 0x9, 0x3b, 0xba, 0xee, 0x87, 0x3f, 0x1f, 0x2f}, + {0x4a, 0xb6, 0x15, 0xe5, 0x75, 0x8c, 0x84, 0xf7, 
0x38, 0x90, 0x4a, + 0xdb, 0xba, 0x1, 0x95, 0xa5, 0x50, 0x1b, 0x75, 0x3f, 0x3f, 0x31, + 0xd, 0xc2, 0xe8, 0x2e, 0xae, 0xc0, 0x53, 0xe3, 0xa1, 0x19}, + }, + { + {0xbd, 0xbd, 0x96, 0xd5, 0xcd, 0x72, 0x21, 0xb4, 0x40, 0xfc, 0xee, + 0x98, 0x43, 0x45, 0xe0, 0x93, 0xb5, 0x9, 0x41, 0xb4, 0x47, 0x53, + 0xb1, 0x9f, 0x34, 0xae, 0x66, 0x2, 0x99, 0xd3, 0x6b, 0x73}, + {0xc3, 0x5, 0xfa, 0xba, 0x60, 0x75, 0x1c, 0x7d, 0x61, 0x5e, 0xe5, + 0xc6, 0xa0, 0xa0, 0xe1, 0xb3, 0x73, 0x64, 0xd6, 0xc0, 0x18, 0x97, + 0x52, 0xe3, 0x86, 0x34, 0xc, 0xc2, 0x11, 0x6b, 0x54, 0x41}, + {0xb4, 0xb3, 0x34, 0x93, 0x50, 0x2d, 0x53, 0x85, 0x73, 0x65, 0x81, + 0x60, 0x4b, 0x11, 0xfd, 0x46, 0x75, 0x83, 0x5c, 0x42, 0x30, 0x5f, + 0x5f, 0xcc, 0x5c, 0xab, 0x7f, 0xb8, 0xa2, 0x95, 0x22, 0x41}, + }, + { + {0xc6, 0xea, 0x93, 0xe2, 0x61, 0x52, 0x65, 0x2e, 0xdb, 0xac, 0x33, + 0x21, 0x3, 0x92, 0x5a, 0x84, 0x6b, 0x99, 0x0, 0x79, 0xcb, 0x75, + 0x9, 0x46, 0x80, 0xdd, 0x5a, 0x19, 0x8d, 0xbb, 0x60, 0x7}, + {0xe9, 0xd6, 0x7e, 0xf5, 0x88, 0x9b, 0xc9, 0x19, 0x25, 0xc8, 0xf8, + 0x6d, 0x26, 0xcb, 0x93, 0x53, 0x73, 0xd2, 0xa, 0xb3, 0x13, 0x32, + 0xee, 0x5c, 0x34, 0x2e, 0x2d, 0xb5, 0xeb, 0x53, 0xe1, 0x14}, + {0x8a, 0x81, 0xe6, 0xcd, 0x17, 0x1a, 0x3e, 0x41, 0x84, 0xa0, 0x69, + 0xed, 0xa9, 0x6d, 0x15, 0x57, 0xb1, 0xcc, 0xca, 0x46, 0x8f, 0x26, + 0xbf, 0x2c, 0xf2, 0xc5, 0x3a, 0xc3, 0x9b, 0xbe, 0x34, 0x6b}, + }, + { + {0xd3, 0xf2, 0x71, 0x65, 0x65, 0x69, 0xfc, 0x11, 0x7a, 0x73, 0xe, + 0x53, 0x45, 0xe8, 0xc9, 0xc6, 0x35, 0x50, 0xfe, 0xd4, 0xa2, 0xe7, + 0x3a, 0xe3, 0xb, 0xd3, 0x6d, 0x2e, 0xb6, 0xc7, 0xb9, 0x1}, + {0xb2, 0xc0, 0x78, 0x3a, 0x64, 0x2f, 0xdf, 0xf3, 0x7c, 0x2, 0x2e, + 0xf2, 0x1e, 0x97, 0x3e, 0x4c, 0xa3, 0xb5, 0xc1, 0x49, 0x5e, 0x1c, + 0x7d, 0xec, 0x2d, 0xdd, 0x22, 0x9, 0x8f, 0xc1, 0x12, 0x20}, + {0x29, 0x9d, 0xc8, 0x5a, 0xe5, 0x55, 0xb, 0x88, 0x63, 0xa7, 0xa0, + 0x45, 0x1f, 0x24, 0x83, 0x14, 0x1f, 0x6c, 0xe7, 0xc2, 0xdf, 0xef, + 0x36, 0x3d, 0xe8, 0xad, 0x4b, 0x4e, 0x78, 0x5b, 0xaf, 0x8}, + }, + { + {0x4b, 0x2c, 0xcc, 0x89, 0xd2, 
0x14, 0x73, 0xe2, 0x8d, 0x17, 0x87, + 0xa2, 0x11, 0xbd, 0xe4, 0x4b, 0xce, 0x64, 0x33, 0xfa, 0xd6, 0x28, + 0xd5, 0x18, 0x6e, 0x82, 0xd9, 0xaf, 0xd5, 0xc1, 0x23, 0x64}, + {0x33, 0x25, 0x1f, 0x88, 0xdc, 0x99, 0x34, 0x28, 0xb6, 0x23, 0x93, + 0x77, 0xda, 0x25, 0x5, 0x9d, 0xf4, 0x41, 0x34, 0x67, 0xfb, 0xdd, + 0x7a, 0x89, 0x8d, 0x16, 0x3a, 0x16, 0x71, 0x9d, 0xb7, 0x32}, + {0x6a, 0xb3, 0xfc, 0xed, 0xd9, 0xf8, 0x85, 0xcc, 0xf9, 0xe5, 0x46, + 0x37, 0x8f, 0xc2, 0xbc, 0x22, 0xcd, 0xd3, 0xe5, 0xf9, 0x38, 0xe3, + 0x9d, 0xe4, 0xcc, 0x2d, 0x3e, 0xc1, 0xfb, 0x5e, 0xa, 0x48}, + }, + { + {0x1f, 0x22, 0xce, 0x42, 0xe4, 0x4c, 0x61, 0xb6, 0x28, 0x39, 0x5, + 0x4c, 0xcc, 0x9d, 0x19, 0x6e, 0x3, 0xbe, 0x1c, 0xdc, 0xa4, 0xb4, + 0x3f, 0x66, 0x6, 0x8e, 0x1c, 0x69, 0x47, 0x1d, 0xb3, 0x24}, + {0x71, 0x20, 0x62, 0x1, 0xb, 0xe7, 0x51, 0xb, 0xc5, 0xaf, 0x1d, + 0x8b, 0xcf, 0x5, 0xb5, 0x6, 0xcd, 0xab, 0x5a, 0xef, 0x61, 0xb0, + 0x6b, 0x2c, 0x31, 0xbf, 0xb7, 0xc, 0x60, 0x27, 0xaa, 0x47}, + {0xc3, 0xf8, 0x15, 0xc0, 0xed, 0x1e, 0x54, 0x2a, 0x7c, 0x3f, 0x69, + 0x7c, 0x7e, 0xfe, 0xa4, 0x11, 0xd6, 0x78, 0xa2, 0x4e, 0x13, 0x66, + 0xaf, 0xf0, 0x94, 0xa0, 0xdd, 0x14, 0x5d, 0x58, 0x5b, 0x54}, + }, + { + {0xe1, 0x21, 0xb3, 0xe3, 0xd0, 0xe4, 0x4, 0x62, 0x95, 0x1e, 0xff, + 0x28, 0x7a, 0x63, 0xaa, 0x3b, 0x9e, 0xbd, 0x99, 0x5b, 0xfd, 0xcf, + 0xc, 0xb, 0x71, 0xd0, 0xc8, 0x64, 0x3e, 0xdc, 0x22, 0x4d}, + {0xf, 0x3a, 0xd4, 0xa0, 0x5e, 0x27, 0xbf, 0x67, 0xbe, 0xee, 0x9b, + 0x8, 0x34, 0x8e, 0xe6, 0xad, 0x2e, 0xe7, 0x79, 0xd4, 0x4c, 0x13, + 0x89, 0x42, 0x54, 0x54, 0xba, 0x32, 0xc3, 0xf9, 0x62, 0xf}, + {0x39, 0x5f, 0x3b, 0xd6, 0x89, 0x65, 0xb4, 0xfc, 0x61, 0xcf, 0xcb, + 0x57, 0x3f, 0x6a, 0xae, 0x5c, 0x5, 0xfa, 0x3a, 0x95, 0xd2, 0xc2, + 0xba, 0xfe, 0x36, 0x14, 0x37, 0x36, 0x1a, 0xa0, 0xf, 0x1c}, + }, + }, + { + { + {0x50, 0x6a, 0x93, 0x8c, 0xe, 0x2b, 0x8, 0x69, 0xb6, 0xc5, 0xda, + 0xc1, 0x35, 0xa0, 0xc9, 0xf9, 0x34, 0xb6, 0xdf, 0xc4, 0x54, 0x3e, + 0xb7, 0x6f, 0x40, 0xc1, 0x2b, 0x1d, 0x9b, 0x41, 0x5, 0x40}, + {0xff, 0x3d, 
0x94, 0x22, 0xb6, 0x4, 0xc6, 0xd2, 0xa0, 0xb3, 0xcf, + 0x44, 0xce, 0xbe, 0x8c, 0xbc, 0x78, 0x86, 0x80, 0x97, 0xf3, 0x4f, + 0x25, 0x5d, 0xbf, 0xa6, 0x1c, 0x3b, 0x4f, 0x61, 0xa3, 0xf}, + {0xf0, 0x82, 0xbe, 0xb9, 0xbd, 0xfe, 0x3, 0xa0, 0x90, 0xac, 0x44, + 0x3a, 0xaf, 0xc1, 0x89, 0x20, 0x8e, 0xfa, 0x54, 0x19, 0x91, 0x9f, + 0x49, 0xf8, 0x42, 0xab, 0x40, 0xef, 0x8a, 0x21, 0xba, 0x1f}, + }, + { + {0x94, 0x1, 0x7b, 0x3e, 0x4, 0x57, 0x3e, 0x4f, 0x7f, 0xaf, 0xda, + 0x8, 0xee, 0x3e, 0x1d, 0xa8, 0xf1, 0xde, 0xdc, 0x99, 0xab, 0xc6, + 0x39, 0xc8, 0xd5, 0x61, 0x77, 0xff, 0x13, 0x5d, 0x53, 0x6c}, + {0x3e, 0xf5, 0xc8, 0xfa, 0x48, 0x94, 0x54, 0xab, 0x41, 0x37, 0xa6, + 0x7b, 0x9a, 0xe8, 0xf6, 0x81, 0x1, 0x5e, 0x2b, 0x6c, 0x7d, 0x6c, + 0xfd, 0x74, 0x42, 0x6e, 0xc8, 0xa8, 0xca, 0x3a, 0x2e, 0x39}, + {0xaf, 0x35, 0x8a, 0x3e, 0xe9, 0x34, 0xbd, 0x4c, 0x16, 0xe8, 0x87, + 0x58, 0x44, 0x81, 0x7, 0x2e, 0xab, 0xb0, 0x9a, 0xf2, 0x76, 0x9c, + 0x31, 0x19, 0x3b, 0xc1, 0xa, 0xd5, 0xe4, 0x7f, 0xe1, 0x25}, + }, + { + {0xa7, 0x21, 0xf1, 0x76, 0xf5, 0x7f, 0x5f, 0x91, 0xe3, 0x87, 0xcd, + 0x2f, 0x27, 0x32, 0x4a, 0xc3, 0x26, 0xe5, 0x1b, 0x4d, 0xde, 0x2f, + 0xba, 0xcc, 0x9b, 0x89, 0x69, 0x89, 0x8f, 0x82, 0xba, 0x6b}, + {0x76, 0xf6, 0x4, 0x1e, 0xd7, 0x9b, 0x28, 0xa, 0x95, 0xf, 0x42, + 0xd6, 0x52, 0x1c, 0x8e, 0x20, 0xab, 0x1f, 0x69, 0x34, 0xb0, 0xd8, + 0x86, 0x51, 0x51, 0xb3, 0x9f, 0x2a, 0x44, 0x51, 0x57, 0x25}, + {0x1, 0x39, 0xfe, 0x90, 0x66, 0xbc, 0xd1, 0xe2, 0xd5, 0x7a, 0x99, + 0xa0, 0x18, 0x4a, 0xb5, 0x4c, 0xd4, 0x60, 0x84, 0xaf, 0x14, 0x69, + 0x1d, 0x97, 0xe4, 0x7b, 0x6b, 0x7f, 0x4f, 0x50, 0x9d, 0x55}, + }, + { + {0xfd, 0x66, 0xd2, 0xf6, 0xe7, 0x91, 0x48, 0x9c, 0x1b, 0x78, 0x7, + 0x3, 0x9b, 0xa1, 0x44, 0x7, 0x3b, 0xe2, 0x61, 0x60, 0x1d, 0x8f, + 0x38, 0x88, 0xe, 0xd5, 0x4b, 0x35, 0xa3, 0xa6, 0x3e, 0x12}, + {0xd5, 0x54, 0xeb, 0xb3, 0x78, 0x83, 0x73, 0xa7, 0x7c, 0x3c, 0x55, + 0xa5, 0x66, 0xd3, 0x69, 0x1d, 0xba, 0x0, 0x28, 0xf9, 0x62, 0xcf, + 0x26, 0xa, 0x17, 0x32, 0x7e, 0x80, 0xd5, 0x12, 0xab, 0x1}, + 
{0x96, 0x2d, 0xe3, 0x41, 0x90, 0x18, 0x8d, 0x11, 0x48, 0x58, 0x31, + 0xd8, 0xc2, 0xe3, 0xed, 0xb9, 0xd9, 0x45, 0x32, 0xd8, 0x71, 0x42, + 0xab, 0x1e, 0x54, 0xa1, 0x18, 0xc9, 0xe2, 0x61, 0x39, 0x4a}, + }, + { + {0x1e, 0x3f, 0x23, 0xf3, 0x44, 0xd6, 0x27, 0x3, 0x16, 0xf0, 0xfc, + 0x34, 0xe, 0x26, 0x9a, 0x49, 0x79, 0xb9, 0xda, 0xf2, 0x16, 0xa7, + 0xb5, 0x83, 0x1f, 0x11, 0xd4, 0x9b, 0xad, 0xee, 0xac, 0x68}, + {0xa0, 0xbb, 0xe6, 0xf8, 0xe0, 0x3b, 0xdc, 0x71, 0xa, 0xe3, 0xff, + 0x7e, 0x34, 0xf8, 0xce, 0xd6, 0x6a, 0x47, 0x3a, 0xe1, 0x5f, 0x42, + 0x92, 0xa9, 0x63, 0xb7, 0x1d, 0xfb, 0xe3, 0xbc, 0xd6, 0x2c}, + {0x10, 0xc2, 0xd7, 0xf3, 0xe, 0xc9, 0xb4, 0x38, 0xc, 0x4, 0xad, + 0xb7, 0x24, 0x6e, 0x8e, 0x30, 0x23, 0x3e, 0xe7, 0xb7, 0xf1, 0xd9, + 0x60, 0x38, 0x97, 0xf5, 0x8, 0xb5, 0xd5, 0x60, 0x57, 0x59}, + }, + { + {0x90, 0x27, 0x2, 0xfd, 0xeb, 0xcb, 0x2a, 0x88, 0x60, 0x57, 0x11, + 0xc4, 0x5, 0x33, 0xaf, 0x89, 0xf4, 0x73, 0x34, 0x7d, 0xe3, 0x92, + 0xf4, 0x65, 0x2b, 0x5a, 0x51, 0x54, 0xdf, 0xc5, 0xb2, 0x2c}, + {0x97, 0x63, 0xaa, 0x4, 0xe1, 0xbf, 0x29, 0x61, 0xcb, 0xfc, 0xa7, + 0xa4, 0x8, 0x0, 0x96, 0x8f, 0x58, 0x94, 0x90, 0x7d, 0x89, 0xc0, + 0x8b, 0x3f, 0xa9, 0x91, 0xb2, 0xdc, 0x3e, 0xa4, 0x9f, 0x70}, + {0xca, 0x2a, 0xfd, 0x63, 0x8c, 0x5d, 0xa, 0xeb, 0xff, 0x4e, 0x69, + 0x2e, 0x66, 0xc1, 0x2b, 0xd2, 0x3a, 0xb0, 0xcb, 0xf8, 0x6e, 0xf3, + 0x23, 0x27, 0x1f, 0x13, 0xc8, 0xf0, 0xec, 0x29, 0xf0, 0x70}, + }, + { + {0xb9, 0xb0, 0x10, 0x5e, 0xaa, 0xaf, 0x6a, 0x2a, 0xa9, 0x1a, 0x4, + 0xef, 0x70, 0xa3, 0xf0, 0x78, 0x1f, 0xd6, 0x3a, 0xaa, 0x77, 0xfb, + 0x3e, 0x77, 0xe1, 0xd9, 0x4b, 0xa7, 0xa2, 0xa5, 0xec, 0x44}, + {0x33, 0x3e, 0xed, 0x2e, 0xb3, 0x7, 0x13, 0x46, 0xe7, 0x81, 0x55, + 0xa4, 0x33, 0x2f, 0x4, 0xae, 0x66, 0x3, 0x5f, 0x19, 0xd3, 0x49, + 0x44, 0xc9, 0x58, 0x48, 0x31, 0x6c, 0x8a, 0x5d, 0x7d, 0xb}, + {0x43, 0xd5, 0x95, 0x7b, 0x32, 0x48, 0xd4, 0x25, 0x1d, 0xf, 0x34, + 0xa3, 0x0, 0x83, 0xd3, 0x70, 0x2b, 0xc5, 0xe1, 0x60, 0x1c, 0x53, + 0x1c, 0xde, 0xe4, 0xe9, 0x7d, 0x2c, 0x51, 0x24, 0x22, 
0x27}, + }, + { + {0xfc, 0x75, 0xa9, 0x42, 0x8a, 0xbb, 0x7b, 0xbf, 0x58, 0xa3, 0xad, + 0x96, 0x77, 0x39, 0x5c, 0x8c, 0x48, 0xaa, 0xed, 0xcd, 0x6f, 0xc7, + 0x7f, 0xe2, 0xa6, 0x20, 0xbc, 0xf6, 0xd7, 0x5f, 0x73, 0x19}, + {0x2e, 0x34, 0xc5, 0x49, 0xaf, 0x92, 0xbc, 0x1a, 0xd0, 0xfa, 0xe6, + 0xb2, 0x11, 0xd8, 0xee, 0xff, 0x29, 0x4e, 0xc8, 0xfc, 0x8d, 0x8c, + 0xa2, 0xef, 0x43, 0xc5, 0x4c, 0xa4, 0x18, 0xdf, 0xb5, 0x11}, + {0x66, 0x42, 0xc8, 0x42, 0xd0, 0x90, 0xab, 0xe3, 0x7e, 0x54, 0x19, + 0x7f, 0xf, 0x8e, 0x84, 0xeb, 0xb9, 0x97, 0xa4, 0x65, 0xd0, 0xa1, + 0x3, 0x25, 0x5f, 0x89, 0xdf, 0x91, 0x11, 0x91, 0xef, 0xf}, }, }, }; diff --git a/Sources/CJWTKitBoringSSL/crypto/curve25519/internal.h b/Sources/CJWTKitBoringSSL/crypto/curve25519/internal.h index bd05f503..536deb0f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/curve25519/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/curve25519/internal.h @@ -15,14 +15,13 @@ #ifndef OPENSSL_HEADER_CURVE25519_INTERNAL_H #define OPENSSL_HEADER_CURVE25519_INTERNAL_H -#if defined(__cplusplus) -extern "C" { -#endif - -#include +#include #include "../internal.h" +#if defined(__cplusplus) +extern "C" { +#endif #if defined(OPENSSL_ARM) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_APPLE) #define BORINGSSL_X25519_NEON 
@@ -32,6 +31,27 @@ void x25519_NEON(uint8_t out[32], const uint8_t scalar[32], const uint8_t point[32]); #endif +#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && \ + defined(__GNUC__) && defined(__x86_64__) && !defined(OPENSSL_WINDOWS) +#define BORINGSSL_FE25519_ADX + +// fiat_curve25519_adx_mul is defined in +// third_party/fiat/asm/fiat_curve25519_adx_mul.S +void __attribute__((sysv_abi)) +fiat_curve25519_adx_mul(uint64_t out[4], const uint64_t in1[4], + const uint64_t in2[4]); + +// fiat_curve25519_adx_square is defined in +// third_party/fiat/asm/fiat_curve25519_adx_square.S +void __attribute__((sysv_abi)) +fiat_curve25519_adx_square(uint64_t out[4], const uint64_t in[4]); + +// x25519_scalar_mult_adx is defined in third_party/fiat/curve25519_64_adx.h +void x25519_scalar_mult_adx(uint8_t out[32], const uint8_t scalar[32], + const uint8_t point[32]); +void x25519_ge_scalarmult_base_adx(uint8_t h[4][32], const uint8_t a[32]); +#endif + #if defined(OPENSSL_64_BIT) // fe means field element. Here the field is \Z/(2^255-19). An element t, // entries t[0]...t[4], represents the integer t[0]+2^51 t[1]+2^102 t[2]+2^153 @@ -135,6 +155,8 @@ struct spake2_ctx_st { }; +extern const uint8_t k25519Precomp[32][8][3][32]; + #if defined(__cplusplus) } // extern C #endif diff --git a/Sources/CJWTKitBoringSSL/crypto/curve25519/spake25519.c b/Sources/CJWTKitBoringSSL/crypto/curve25519/spake25519.c index 590fdc3f..8794cbb6 100644 --- a/Sources/CJWTKitBoringSSL/crypto/curve25519/spake25519.c +++ b/Sources/CJWTKitBoringSSL/crypto/curve25519/spake25519.c 
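Review bot: `x25519_ge_scalarmult_base_adx` is the only declaration in the new `BORINGSSL_FE25519_ADX` block without a comment saying where it is defined, while `fiat_curve25519_adx_mul`, `fiat_curve25519_adx_square` and `x25519_scalar_mult_adx` each carry one. This block is the only place a reader learns that these symbols come from assembly or a generated header rather than an ordinary translation unit, so the same one-liner would help here, e.g. `// x25519_ge_scalarmult_base_adx is defined in third_party/fiat/curve25519_64_adx.h` — assuming it lives beside `x25519_scalar_mult_adx`, which should be confirmed before committing the comment. The `sysv_abi` attribute on the two `fiat_*` prototypes is presumably the reason the guard excludes `OPENSSL_WINDOWS`; a short comment stating that would save the next reader a trip to the .S files.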
@@ -272,12 +272,11 @@ static const uint8_t kSpakeMSmallPrecomp[15 * 2 * 32] = { SPAKE2_CTX *SPAKE2_CTX_new(enum spake2_role_t my_role, const uint8_t *my_name, size_t my_name_len, const uint8_t *their_name, size_t their_name_len) { - SPAKE2_CTX *ctx = OPENSSL_malloc(sizeof(SPAKE2_CTX)); + SPAKE2_CTX *ctx = OPENSSL_zalloc(sizeof(SPAKE2_CTX)); if (ctx == NULL) { return NULL; } - OPENSSL_memset(ctx, 0, sizeof(SPAKE2_CTX)); ctx->my_role = my_role; CBS my_name_cbs, their_name_cbs; diff --git a/Sources/CJWTKitBoringSSL/crypto/des/des.c b/Sources/CJWTKitBoringSSL/crypto/des/des.c index 0636a531..643b18f1 100644 --- a/Sources/CJWTKitBoringSSL/crypto/des/des.c +++ b/Sources/CJWTKitBoringSSL/crypto/des/des.c 
@@ -61,6 +61,91 @@ #include "internal.h" +/* IP and FP + * The problem is more of a geometric problem that random bit fiddling. + 0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6 + 8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4 +16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2 +24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0 + +32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7 +40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5 +48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3 +56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1 + +The output has been subject to swaps of the form +0 1 -> 3 1 but the odd and even bits have been put into +2 3 2 0 +different words. The main trick is to remember that +t=((l>>size)^r)&(mask); +r^=t; +l^=(t<> (n)) ^ (b)) & (m)); \ + (b) ^= (t); \ + (a) ^= ((t) << (n)); \ + } while (0) + +#define IP(l, r) \ + do { \ + uint32_t tt; \ + PERM_OP(r, l, tt, 4, 0x0f0f0f0fL); \ + PERM_OP(l, r, tt, 16, 0x0000ffffL); \ + PERM_OP(r, l, tt, 2, 0x33333333L); \ + PERM_OP(l, r, tt, 8, 0x00ff00ffL); \ + PERM_OP(r, l, tt, 1, 0x55555555L); \ + } while (0) + +#define FP(l, r) \ + do { \ + uint32_t tt; \ + PERM_OP(l, r, tt, 1, 0x55555555L); \ + PERM_OP(r, l, tt, 8, 0x00ff00ffL); \ + PERM_OP(l, r, tt, 2, 0x33333333L); \ + PERM_OP(r, l, tt, 16, 0x0000ffffL); \ + PERM_OP(l, r, tt, 4, 0x0f0f0f0fL); \ + } while (0) + +#define LOAD_DATA(ks, R, S, u, t, E0, E1) \ + do { \ + (u) = (R) ^ (ks)->subkeys[S][0]; \ + (t) = (R) ^ (ks)->subkeys[S][1]; \ + } while (0) + +#define D_ENCRYPT(ks, LL, R, S) \ + do { \ + LOAD_DATA(ks, R, S, u, t, E0, E1); \ + t = CRYPTO_rotr_u32(t, 4); \ + (LL) ^= \ + DES_SPtrans[0][(u >> 2L) & 0x3f] ^ DES_SPtrans[2][(u >> 10L) & 0x3f] ^ \ + DES_SPtrans[4][(u >> 18L) & 0x3f] ^ \ + DES_SPtrans[6][(u >> 26L) & 0x3f] ^ DES_SPtrans[1][(t >> 2L) & 0x3f] ^ \ + DES_SPtrans[3][(t >> 10L) & 0x3f] ^ \ + DES_SPtrans[5][(t >> 18L) & 0x3f] ^ DES_SPtrans[7][(t >> 26L) & 0x3f]; \ + } while (0) + +#define ITERATIONS 16 +#define HALF_ITERATIONS 8 + static const uint32_t des_skb[8][64] = { { 
// for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 0x00000000, 0x00000010, 0x20000000, 0x20000010, 0x00010000, @@ -294,13 +379,17 @@ static const uint32_t DES_SPtrans[8][64] = { (a) = (a) ^ (t) ^ ((t) >> (16 - (n)))) void DES_set_key(const DES_cblock *key, DES_key_schedule *schedule) { + DES_set_key_ex(key->bytes, schedule); +} + +void DES_set_key_ex(const uint8_t key[8], DES_key_schedule *schedule) { static const int shifts2[16] = {0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0}; uint32_t c, d, t, s, t2; const uint8_t *in; int i; - in = key->bytes; + in = key; c2l(in, c); c2l(in, d); @@ -378,7 +467,8 @@ void DES_set_odd_parity(DES_cblock *key) { } } -static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) { +static void DES_encrypt1(uint32_t data[2], const DES_key_schedule *ks, + int enc) { uint32_t l, r, t, u; r = data[0]; @@ -442,7 +532,8 @@ static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) { data[1] = r; } -static void DES_encrypt2(uint32_t *data, const DES_key_schedule *ks, int enc) { +static void DES_encrypt2(uint32_t data[2], const DES_key_schedule *ks, + int enc) { uint32_t l, r, t, u; r = data[0]; @@ -499,7 +590,7 @@ static void DES_encrypt2(uint32_t *data, const DES_key_schedule *ks, int enc) { data[1] = CRYPTO_rotr_u32(r, 3); } -void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1, +void DES_encrypt3(uint32_t data[2], const DES_key_schedule *ks1, const DES_key_schedule *ks2, const DES_key_schedule *ks3) { uint32_t l, r; @@ -508,9 +599,9 @@ void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1, IP(l, r); data[0] = l; data[1] = r; - DES_encrypt2((uint32_t *)data, ks1, DES_ENCRYPT); - DES_encrypt2((uint32_t *)data, ks2, DES_DECRYPT); - DES_encrypt2((uint32_t *)data, ks3, DES_ENCRYPT); + DES_encrypt2(data, ks1, DES_ENCRYPT); + DES_encrypt2(data, ks2, DES_DECRYPT); + DES_encrypt2(data, ks3, DES_ENCRYPT); l = data[0]; r = data[1]; FP(r, l); 
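Review bot: `D_ENCRYPT` expands `LOAD_DATA(ks, R, S, u, t, E0, E1)` with `u` and `t` that are not macro parameters, so it only compiles inside a function that happens to declare `uint32_t t, u` (as `DES_encrypt1` and `DES_encrypt2` do), and `LOAD_DATA`'s `E0`/`E1` parameters are never used in its body. Now that these macros are private to des.c, a note above `D_ENCRYPT` would make the dependency explicit: `// Requires caller-scoped uint32_t locals |u| and |t| (see DES_encrypt1/2).`, and dropping the dead parameters, `#define LOAD_DATA(ks, R, S, u, t)` with the call `LOAD_DATA(ks, R, S, u, t);`, would remove the suggestion that they are an extension point. The move itself is fine; the `#undef` block deleted in the `@@ -769,16 +869,3 @@` hunk was only needed while these lived in a header.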
@@ -518,7 +609,7 @@ void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1, data[1] = r; } -void DES_decrypt3(uint32_t *data, const DES_key_schedule *ks1, +void DES_decrypt3(uint32_t data[2], const DES_key_schedule *ks1, const DES_key_schedule *ks2, const DES_key_schedule *ks3) { uint32_t l, r; @@ -527,9 +618,9 @@ void DES_decrypt3(uint32_t *data, const DES_key_schedule *ks1, IP(l, r); data[0] = l; data[1] = r; - DES_encrypt2((uint32_t *)data, ks3, DES_DECRYPT); - DES_encrypt2((uint32_t *)data, ks2, DES_ENCRYPT); - DES_encrypt2((uint32_t *)data, ks1, DES_DECRYPT); + DES_encrypt2(data, ks3, DES_DECRYPT); + DES_encrypt2(data, ks2, DES_ENCRYPT); + DES_encrypt2(data, ks1, DES_DECRYPT); l = data[0]; r = data[1]; FP(r, l); 
@@ -539,32 +630,34 @@ void DES_decrypt3(uint32_t *data, const DES_key_schedule *ks1, void DES_ecb_encrypt(const DES_cblock *in_block, DES_cblock *out_block, const DES_key_schedule *schedule, int is_encrypt) { - uint32_t l; - uint32_t ll[2]; - const uint8_t *in = in_block->bytes; - uint8_t *out = out_block->bytes; + DES_ecb_encrypt_ex(in_block->bytes, out_block->bytes, schedule, is_encrypt); +} - c2l(in, l); - ll[0] = l; - c2l(in, l); - ll[1] = l; +void DES_ecb_encrypt_ex(const uint8_t in[8], uint8_t out[8], + const DES_key_schedule *schedule, int is_encrypt) { + uint32_t ll[2]; + ll[0] = CRYPTO_load_u32_le(in); + ll[1] = CRYPTO_load_u32_le(in + 4); DES_encrypt1(ll, schedule, is_encrypt); - l = ll[0]; - l2c(l, out); - l = ll[1]; - l2c(l, out); - ll[0] = ll[1] = 0; + CRYPTO_store_u32_le(out, ll[0]); + CRYPTO_store_u32_le(out + 4, ll[1]); } void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, const DES_key_schedule *schedule, DES_cblock *ivec, int enc) { + DES_ncbc_encrypt_ex(in, out, len, schedule, ivec->bytes, enc); +} + +void DES_ncbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len, + const DES_key_schedule *schedule, uint8_t ivec[8], + int enc) { uint32_t tin0, tin1; uint32_t tout0, tout1, xor0, xor1; uint32_t tin[2]; unsigned char *iv; - iv = ivec->bytes; + iv = ivec; if (enc) { c2l(iv, tout0); @@ -576,7 +669,7 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin1 ^= tout1; tin[1] = tin1; - DES_encrypt1((uint32_t *)tin, schedule, DES_ENCRYPT); + DES_encrypt1(tin, schedule, DES_ENCRYPT); tout0 = tin[0]; l2c(tout0, out); tout1 = tin[1]; @@ -588,13 +681,13 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin1 ^= tout1; tin[1] = tin1; - DES_encrypt1((uint32_t *)tin, schedule, DES_ENCRYPT); + DES_encrypt1(tin, schedule, DES_ENCRYPT); tout0 = tin[0]; l2c(tout0, out); tout1 = tin[1]; l2c(tout1, out); } - iv = ivec->bytes; + iv = ivec; l2c(tout0, iv); l2c(tout1, iv); } else { 
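Review bot: The new `DES_ecb_encrypt_ex` reads and writes its block with `CRYPTO_load_u32_le`/`CRYPTO_store_u32_le`, but `DES_ncbc_encrypt_ex` in the same hunk still walks `iv`, `in` and `out` with the `c2l`/`l2c` pointer-bumping macros, as does `DES_ede3_cbc_encrypt_ex` in the `@@ -660,12 +752,20 @@` hunk, while `DES_ecb3_encrypt_ex` in `@@ -635,24 +728,23 @@` was converted like the ECB one. Since des/internal.h in this same patch records that the macros are meant to give way to the `CRYPTO_*_u32_le` helpers, either converting the CBC paths too or leaving a one-line `// TODO: still uses c2l/l2c, see internal.h` at the top of `DES_ncbc_encrypt_ex` would keep the two conventions from coexisting silently. The rewrite also drops the trailing `ll[0] = ll[1] = 0;` that cleared the block words in the old `DES_ecb_encrypt`; a plain store like that can be optimised away, so if clearing the stack copy is wanted here it should come back as `OPENSSL_cleanse(ll, sizeof(ll));` rather than as the original line.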
@@ -605,7 +698,7 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; c2l(in, tin1); tin[1] = tin1; - DES_encrypt1((uint32_t *)tin, schedule, DES_DECRYPT); + DES_encrypt1(tin, schedule, DES_DECRYPT); tout0 = tin[0] ^ xor0; tout1 = tin[1] ^ xor1; l2c(tout0, out); @@ -618,14 +711,14 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; c2l(in, tin1); tin[1] = tin1; - DES_encrypt1((uint32_t *)tin, schedule, DES_DECRYPT); + DES_encrypt1(tin, schedule, DES_DECRYPT); tout0 = tin[0] ^ xor0; tout1 = tin[1] ^ xor1; l2cn(tout0, tout1, out, len); xor0 = tin0; xor1 = tin1; } - iv = ivec->bytes; + iv = ivec; l2c(xor0, iv); l2c(xor1, iv); } @@ -635,24 +728,23 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, void DES_ecb3_encrypt(const DES_cblock *input, DES_cblock *output, const DES_key_schedule *ks1, const DES_key_schedule *ks2, const DES_key_schedule *ks3, int enc) { - uint32_t l0, l1; - uint32_t ll[2]; - const uint8_t *in = input->bytes; - uint8_t *out = output->bytes; + DES_ecb3_encrypt_ex(input->bytes, output->bytes, ks1, ks2, ks3, enc); +} - c2l(in, l0); - c2l(in, l1); - ll[0] = l0; - ll[1] = l1; +void DES_ecb3_encrypt_ex(const uint8_t in[8], uint8_t out[8], + const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3, int enc) { + uint32_t ll[2]; + ll[0] = CRYPTO_load_u32_le(in); + ll[1] = CRYPTO_load_u32_le(in + 4); if (enc) { DES_encrypt3(ll, ks1, ks2, ks3); } else { DES_decrypt3(ll, ks1, ks2, ks3); } - l0 = ll[0]; - l1 = ll[1]; - l2c(l0, out); - l2c(l1, out); + CRYPTO_store_u32_le(out, ll[0]); + CRYPTO_store_u32_le(out + 4, ll[1]); } void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, 
@@ -660,12 +752,20 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, const DES_key_schedule *ks2, const DES_key_schedule *ks3, DES_cblock *ivec, int enc) { + DES_ede3_cbc_encrypt_ex(in, out, len, ks1, ks2, ks3, ivec->bytes, enc); +} + +void DES_ede3_cbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len, + const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3, uint8_t ivec[8], + int enc) { uint32_t tin0, tin1; uint32_t tout0, tout1, xor0, xor1; uint32_t tin[2]; uint8_t *iv; - iv = ivec->bytes; + iv = ivec; if (enc) { c2l(iv, tout0); @@ -678,7 +778,7 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin[1] = tin1; - DES_encrypt3((uint32_t *)tin, ks1, ks2, ks3); + DES_encrypt3(tin, ks1, ks2, ks3); tout0 = tin[0]; tout1 = tin[1]; @@ -692,14 +792,14 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin[1] = tin1; - DES_encrypt3((uint32_t *)tin, ks1, ks2, ks3); + DES_encrypt3(tin, ks1, ks2, ks3); tout0 = tin[0]; tout1 = tin[1]; l2c(tout0, out); l2c(tout1, out); } - iv = ivec->bytes; + iv = ivec; l2c(tout0, iv); l2c(tout1, iv); } else { @@ -716,7 +816,7 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin[1] = tin1; - DES_decrypt3((uint32_t *)tin, ks1, ks2, ks3); + DES_decrypt3(tin, ks1, ks2, ks3); tout0 = tin[0]; tout1 = tin[1]; @@ -736,7 +836,7 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin[1] = tin1; - DES_decrypt3((uint32_t *)tin, ks1, ks2, ks3); + DES_decrypt3(tin, ks1, ks2, ks3); tout0 = tin[0]; tout1 = tin[1]; @@ -747,7 +847,7 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, xor1 = t1; } - iv = ivec->bytes; + iv = ivec; l2c(xor0, iv); l2c(xor1, iv); } 
@@ -769,16 +869,3 @@ void DES_ede2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, void DES_set_key_unchecked(const DES_cblock *key, DES_key_schedule *schedule) { DES_set_key(key, schedule); } - -#undef HPERM_OP -#undef c2l -#undef l2c -#undef c2ln -#undef l2cn -#undef PERM_OP -#undef IP -#undef FP -#undef LOAD_DATA -#undef D_ENCRYPT -#undef ITERATIONS -#undef HALF_ITERATIONS diff --git a/Sources/CJWTKitBoringSSL/crypto/des/internal.h b/Sources/CJWTKitBoringSSL/crypto/des/internal.h index 4de2b259..47311761 100644 --- a/Sources/CJWTKitBoringSSL/crypto/des/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/des/internal.h @@ -58,6 +58,7 @@ #define OPENSSL_HEADER_DES_INTERNAL_H #include +#include #include "../internal.h" @@ -66,6 +67,9 @@ extern "C" { #endif +// TODO(davidben): Ideally these macros would be replaced with +// |CRYPTO_load_u32_le| and |CRYPTO_store_u32_le|. + #define c2l(c, l) \ do { \ (l) = ((uint32_t)(*((c)++))); \ 
@@ -145,90 +149,39 @@ extern "C" { } \ } while (0) -/* IP and FP - * The problem is more of a geometric problem that random bit fiddling. - 0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6 - 8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4 -16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2 -24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0 - -32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7 -40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5 -48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3 -56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1 - -The output has been subject to swaps of the form -0 1 -> 3 1 but the odd and even bits have been put into -2 3 2 0 -different words. The main trick is to remember that -t=((l>>size)^r)&(mask); -r^=t; -l^=(t<> (n)) ^ (b)) & (m)); \ - (b) ^= (t); \ - (a) ^= ((t) << (n)); \ - } while (0) - -#define IP(l, r) \ - do { \ - uint32_t tt; \ - PERM_OP(r, l, tt, 4, 0x0f0f0f0fL); \ - PERM_OP(l, r, tt, 16, 0x0000ffffL); \ - PERM_OP(r, l, tt, 2, 0x33333333L); \ - PERM_OP(l, r, tt, 8, 0x00ff00ffL); \ - PERM_OP(r, l, tt, 1, 0x55555555L); \ - } while (0) - -#define FP(l, r) \ - do { \ - uint32_t tt; \ - PERM_OP(l, r, tt, 1, 0x55555555L); \ - PERM_OP(r, l, tt, 8, 0x00ff00ffL); \ - PERM_OP(l, r, tt, 2, 0x33333333L); \ - PERM_OP(r, l, tt, 16, 0x0000ffffL); \ - PERM_OP(l, r, tt, 4, 0x0f0f0f0fL); \ - } while (0) - -#define LOAD_DATA(ks, R, S, u, t, E0, E1) \ - do { \ - (u) = (R) ^ (ks)->subkeys[S][0]; \ - (t) = (R) ^ (ks)->subkeys[S][1]; \ - } while (0) - -#define D_ENCRYPT(ks, LL, R, S) \ - do { \ - LOAD_DATA(ks, R, S, u, t, E0, E1); \ - t = CRYPTO_rotr_u32(t, 4); \ - (LL) ^= \ - DES_SPtrans[0][(u >> 2L) & 0x3f] ^ DES_SPtrans[2][(u >> 10L) & 0x3f] ^ \ - DES_SPtrans[4][(u >> 18L) & 0x3f] ^ \ - DES_SPtrans[6][(u >> 26L) & 0x3f] ^ DES_SPtrans[1][(t >> 2L) & 0x3f] ^ \ - DES_SPtrans[3][(t >> 10L) & 0x3f] ^ \ - DES_SPtrans[5][(t >> 18L) & 0x3f] ^ DES_SPtrans[7][(t >> 26L) & 0x3f]; \ - } while (0) -#define ITERATIONS 16 -#define HALF_ITERATIONS 8 +// Correctly-typed versions of DES 
functions. +// +// See https://crbug.com/boringssl/683. + +void DES_set_key_ex(const uint8_t key[8], DES_key_schedule *schedule); +void DES_ecb_encrypt_ex(const uint8_t in[8], uint8_t out[8], + const DES_key_schedule *schedule, int is_encrypt); +void DES_ncbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len, + const DES_key_schedule *schedule, uint8_t ivec[8], + int enc); +void DES_ecb3_encrypt_ex(const uint8_t input[8], uint8_t output[8], + const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3, int enc); +void DES_ede3_cbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len, + const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3, uint8_t ivec[8], + int enc); + + +// Private functions. +// +// These functions are only exported for use in |decrepit|. + +OPENSSL_EXPORT void DES_decrypt3(uint32_t data[2], const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3); + +OPENSSL_EXPORT void DES_encrypt3(uint32_t data[2], const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3); #if defined(__cplusplus) diff --git a/Sources/CJWTKitBoringSSL/crypto/dh_extra/dh_asn1.c b/Sources/CJWTKitBoringSSL/crypto/dh_extra/dh_asn1.c index eaab1881..75dd9e74 100644 --- a/Sources/CJWTKitBoringSSL/crypto/dh_extra/dh_asn1.c +++ b/Sources/CJWTKitBoringSSL/crypto/dh_extra/dh_asn1.c @@ -110,6 +110,10 @@ DH *DH_parse_parameters(CBS *cbs) { goto err; } + if (!dh_check_params_fast(ret)) { + goto err; + } + return ret; err: diff --git a/Sources/CJWTKitBoringSSL/crypto/dh_extra/params.c b/Sources/CJWTKitBoringSSL/crypto/dh_extra/params.c index c50a1089..c17e860d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/dh_extra/params.c +++ b/Sources/CJWTKitBoringSSL/crypto/dh_extra/params.c 
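Review bot: The new `_ex` prototypes in des/internal.h say nothing about the `ivec` argument being written back, yet the des.c definitions of `DES_ncbc_encrypt_ex` and `DES_ede3_cbc_encrypt_ex` end each branch with `iv = ivec;` followed by `l2c` stores, so callers that reuse the buffer need to know it is an in/out parameter. A short block above the declarations would cover it, e.g. `// For the CBC variants, |ivec| is read as the initial vector and overwritten on return so it can be chained across calls.` — from the visible hunks the stored value appears to be the last ciphertext block in both directions (`tout0`/`tout1` when encrypting, `xor0`/`xor1` when decrypting), which should be confirmed before the comment says so. Separately, `DES_ecb3_encrypt_ex` is declared with parameters `input`/`output` but defined with `in`/`out` in des.c; aligning the prototype with the definition keeps it consistent with the other `in`/`out` declarations in this block.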
@@ -337,6 +337,11 @@ int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, // It's just as OK (and in some sense better) to use a generator of the // order-q subgroup. + if (prime_bits <= 0 || prime_bits > OPENSSL_DH_MAX_MODULUS_BITS) { + OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE); + return 0; + } + BIGNUM *t1, *t2; int g, ok = 0; BN_CTX *ctx = NULL; diff --git a/Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c b/Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c index 223ab0e2..f473d246 100644 --- a/Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c +++ b/Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c @@ -88,18 +88,14 @@ static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv, static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT; DSA *DSA_new(void) { - DSA *dsa = OPENSSL_malloc(sizeof(DSA)); + DSA *dsa = OPENSSL_zalloc(sizeof(DSA)); if (dsa == NULL) { return NULL; } - OPENSSL_memset(dsa, 0, sizeof(DSA)); - dsa->references = 1; - CRYPTO_MUTEX_init(&dsa->method_mont_lock); CRYPTO_new_ex_data(&dsa->ex_data); - return dsa; } @@ -533,16 +529,7 @@ int DSA_generate_key(DSA *dsa) { return ok; } -DSA_SIG *DSA_SIG_new(void) { - DSA_SIG *sig; - sig = OPENSSL_malloc(sizeof(DSA_SIG)); - if (!sig) { - return NULL; - } - sig->r = NULL; - sig->s = NULL; - return sig; -} +DSA_SIG *DSA_SIG_new(void) { return OPENSSL_zalloc(sizeof(DSA_SIG)); } void DSA_SIG_free(DSA_SIG *sig) { if (!sig) { diff --git a/Sources/CJWTKitBoringSSL/crypto/dsa/internal.h b/Sources/CJWTKitBoringSSL/crypto/dsa/internal.h index ae87177f..30cf1795 100644 --- a/Sources/CJWTKitBoringSSL/crypto/dsa/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/dsa/internal.h 
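Review bot: The added guard in DH_generate_parameters_ex reports DH_R_MODULUS_TOO_LARGE for `prime_bits <= 0` as well, so a zero or negative request is diagnosed as a modulus that is too large, which is misleading when read back from the error queue. Placing the check before the `BIGNUM *t1, *t2;` / `BN_CTX *ctx = NULL;` declarations is right, since it fails before anything is allocated. If this module has no reason code that fits a non-positive size, a short comment on the branch, `// Non-positive sizes are rejected with the same reason as oversized ones.`, at least makes the reuse deliberate rather than accidental. The rest of the function, including its cleanup path, lies outside the hunk.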
@@ -17,11 +17,31 @@ #include +#include + +#include "../internal.h" + #if defined(__cplusplus) extern "C" { #endif +struct dsa_st { + BIGNUM *p; + BIGNUM *q; + BIGNUM *g; + + BIGNUM *pub_key; + BIGNUM *priv_key; + + // Normally used to cache montgomery values + CRYPTO_MUTEX method_mont_lock; + BN_MONT_CTX *method_mont_p; + BN_MONT_CTX *method_mont_q; + CRYPTO_refcount_t references; + CRYPTO_EX_DATA ex_data; +}; + // dsa_check_key performs cheap self-checks on |dsa|, and ensures it is within // DoS bounds. It returns one on success and zero on error. int dsa_check_key(const DSA *dsa); diff --git a/Sources/CJWTKitBoringSSL/crypto/ec_extra/ec_asn1.c b/Sources/CJWTKitBoringSSL/crypto/ec_extra/ec_asn1.c index 405b9f78..9ecfbc48 100644 --- a/Sources/CJWTKitBoringSSL/crypto/ec_extra/ec_asn1.c +++ b/Sources/CJWTKitBoringSSL/crypto/ec_extra/ec_asn1.c @@ -72,6 +72,16 @@ static const CBS_ASN1_TAG kParametersTag = static const CBS_ASN1_TAG kPublicKeyTag = CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1; +// TODO(https://crbug.com/boringssl/497): Allow parsers to specify a list of +// acceptable groups, so parsers don't have to pull in all four. +typedef const EC_GROUP *(*ec_group_func)(void); +static const ec_group_func kAllGroups[] = { + &EC_group_p224, + &EC_group_p256, + &EC_group_p384, + &EC_group_p521, +}; + EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) { CBS ec_private_key, private_key; uint64_t version; @@ -84,7 +94,6 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) { } // Parse the optional parameters field. - EC_GROUP *inner_group = NULL; EC_KEY *ret = NULL; BIGNUM *priv_key = NULL; if (CBS_peek_asn1_tag(&ec_private_key, kParametersTag)) { 
@@ -97,7 +106,7 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) { OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR); goto err; } - inner_group = EC_KEY_parse_parameters(&child); + const EC_GROUP *inner_group = EC_KEY_parse_parameters(&child); if (inner_group == NULL) { goto err; } @@ -179,13 +188,11 @@ EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) { } BN_free(priv_key); - EC_GROUP_free(inner_group); return ret; err: EC_KEY_free(ret); BN_free(priv_key); - EC_GROUP_free(inner_group); return NULL; } @@ -244,9 +251,12 @@ int EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key, // kPrimeFieldOID is the encoding of 1.2.840.10045.1.1. static const uint8_t kPrimeField[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01}; -static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a, - CBS *out_b, CBS *out_base_x, - CBS *out_base_y, CBS *out_order) { +struct explicit_prime_curve { + CBS prime, a, b, base_x, base_y, order; +}; + +static int parse_explicit_prime_curve(CBS *in, + struct explicit_prime_curve *out) { // See RFC 3279, section 2.3.5. Note that RFC 3279 calls this structure an // ECParameters while RFC 5480 calls it a SpecifiedECDomain. CBS params, field_id, field_type, curve, base, cofactor; 
@@ -260,18 +270,18 @@ static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a, CBS_len(&field_type) != sizeof(kPrimeField) || OPENSSL_memcmp(CBS_data(&field_type), kPrimeField, sizeof(kPrimeField)) != 0 || - !CBS_get_asn1(&field_id, out_prime, CBS_ASN1_INTEGER) || - !CBS_is_unsigned_asn1_integer(out_prime) || + !CBS_get_asn1(&field_id, &out->prime, CBS_ASN1_INTEGER) || + !CBS_is_unsigned_asn1_integer(&out->prime) || CBS_len(&field_id) != 0 || !CBS_get_asn1(¶ms, &curve, CBS_ASN1_SEQUENCE) || - !CBS_get_asn1(&curve, out_a, CBS_ASN1_OCTETSTRING) || - !CBS_get_asn1(&curve, out_b, CBS_ASN1_OCTETSTRING) || + !CBS_get_asn1(&curve, &out->a, CBS_ASN1_OCTETSTRING) || + !CBS_get_asn1(&curve, &out->b, CBS_ASN1_OCTETSTRING) || // |curve| has an optional BIT STRING seed which we ignore. !CBS_get_optional_asn1(&curve, NULL, NULL, CBS_ASN1_BITSTRING) || CBS_len(&curve) != 0 || !CBS_get_asn1(¶ms, &base, CBS_ASN1_OCTETSTRING) || - !CBS_get_asn1(¶ms, out_order, CBS_ASN1_INTEGER) || - !CBS_is_unsigned_asn1_integer(out_order) || + !CBS_get_asn1(¶ms, &out->order, CBS_ASN1_INTEGER) || + !CBS_is_unsigned_asn1_integer(&out->order) || !CBS_get_optional_asn1(¶ms, &cofactor, &has_cofactor, CBS_ASN1_INTEGER) || CBS_len(¶ms) != 0) { 
@@ -300,25 +310,33 @@ static int parse_explicit_prime_curve(CBS *in, CBS *out_prime, CBS *out_a, return 0; } size_t field_len = CBS_len(&base) / 2; - CBS_init(out_base_x, CBS_data(&base), field_len); - CBS_init(out_base_y, CBS_data(&base) + field_len, field_len); + CBS_init(&out->base_x, CBS_data(&base), field_len); + CBS_init(&out->base_y, CBS_data(&base) + field_len, field_len); return 1; } -// integers_equal returns one if |a| and |b| are equal, up to leading zeros, and +// integers_equal returns one if |bytes| is a big-endian encoding of |bn|, and // zero otherwise. -static int integers_equal(const CBS *a, const uint8_t *b, size_t b_len) { - // Remove leading zeros from |a| and |b|. - CBS a_copy = *a; - while (CBS_len(&a_copy) > 0 && CBS_data(&a_copy)[0] == 0) { - CBS_skip(&a_copy, 1); +static int integers_equal(const CBS *bytes, const BIGNUM *bn) { + // Although, in SEC 1, Field-Element-to-Octet-String has a fixed width, + // OpenSSL mis-encodes the |a| and |b|, so we tolerate any number of leading + // zeros. (This matters for P-521 whose |b| has a leading 0.) + CBS copy = *bytes; + while (CBS_len(©) > 0 && CBS_data(©)[0] == 0) { + CBS_skip(©, 1); } - while (b_len > 0 && b[0] == 0) { - b++; - b_len--; + + if (CBS_len(©) > EC_MAX_BYTES) { + return 0; } - return CBS_mem_equal(&a_copy, b, b_len); + uint8_t buf[EC_MAX_BYTES]; + if (!BN_bn2bin_padded(buf, CBS_len(©), bn)) { + ERR_clear_error(); + return 0; + } + + return CBS_mem_equal(©, buf, CBS_len(©)); } EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs) { 
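Review bot: In integers_equal, the `ERR_clear_error()` after a failed `BN_bn2bin_padded` empties the whole per-thread error queue, so any error a caller had queued before entering EC_KEY_parse_parameters is discarded along with the one from this comparison. As far as the hunk shows, the call can fail here only when |bn| needs more than CBS_len(&copy) bytes, and that can be tested without touching the error queue: `if (BN_num_bytes(bn) > CBS_len(&copy)) { return 0; }` before the `uint8_t buf[EC_MAX_BYTES];` line, after which the ERR_clear_error() can go. The existing `CBS_len(&copy) > EC_MAX_BYTES` check still bounds the stack buffer, so the change is confined to error reporting.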
@@ -329,13 +347,10 @@ EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs) { } // Look for a matching curve. - const struct built_in_curves *const curves = OPENSSL_built_in_curves(); - for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) { - const struct built_in_curve *curve = &curves->curves[i]; - if (CBS_len(&named_curve) == curve->oid_len && - OPENSSL_memcmp(CBS_data(&named_curve), curve->oid, curve->oid_len) == - 0) { - return EC_GROUP_new_by_curve_name(curve->nid); + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kAllGroups); i++) { + const EC_GROUP *group = kAllGroups[i](); + if (CBS_mem_equal(&named_curve, group->oid, group->oid_len)) { + return (EC_GROUP *)group; } } @@ -344,25 +359,15 @@ EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs) { } int EC_KEY_marshal_curve_name(CBB *cbb, const EC_GROUP *group) { - int nid = EC_GROUP_get_curve_name(group); - if (nid == NID_undef) { + if (group->oid_len == 0) { OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP); return 0; } - const struct built_in_curves *const curves = OPENSSL_built_in_curves(); - for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) { - const struct built_in_curve *curve = &curves->curves[i]; - if (curve->nid == nid) { - CBB child; - return CBB_add_asn1(cbb, &child, CBS_ASN1_OBJECT) && - CBB_add_bytes(&child, curve->oid, curve->oid_len) && - CBB_flush(cbb); - } - } - - OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP); - return 0; + CBB child; + return CBB_add_asn1(cbb, &child, CBS_ASN1_OBJECT) && + CBB_add_bytes(&child, group->oid, group->oid_len) && // + CBB_flush(cbb); } EC_GROUP *EC_KEY_parse_parameters(CBS *cbs) { 
@@ -374,34 +379,56 @@ EC_GROUP *EC_KEY_parse_parameters(CBS *cbs) { // of named curves. // // TODO(davidben): Remove support for this. - CBS prime, a, b, base_x, base_y, order; - if (!parse_explicit_prime_curve(cbs, &prime, &a, &b, &base_x, &base_y, - &order)) { + struct explicit_prime_curve curve; + if (!parse_explicit_prime_curve(cbs, &curve)) { return NULL; } - // Look for a matching prime curve. - const struct built_in_curves *const curves = OPENSSL_built_in_curves(); - for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) { - const struct built_in_curve *curve = &curves->curves[i]; - const unsigned param_len = curve->param_len; - // |curve->params| is ordered p, a, b, x, y, order, each component - // zero-padded up to the field length. Although SEC 1 states that the - // Field-Element-to-Octet-String conversion also pads, OpenSSL mis-encodes - // |a| and |b|, so this comparison must allow omitting leading zeros. (This - // is relevant for P-521 whose |b| has a leading 0.) - if (integers_equal(&prime, curve->params, param_len) && - integers_equal(&a, curve->params + param_len, param_len) && - integers_equal(&b, curve->params + param_len * 2, param_len) && - integers_equal(&base_x, curve->params + param_len * 3, param_len) && - integers_equal(&base_y, curve->params + param_len * 4, param_len) && - integers_equal(&order, curve->params + param_len * 5, param_len)) { - return EC_GROUP_new_by_curve_name(curve->nid); + const EC_GROUP *ret = NULL; + BIGNUM *p = BN_new(), *a = BN_new(), *b = BN_new(), *x = BN_new(), + *y = BN_new(); + if (p == NULL || a == NULL || b == NULL || x == NULL || y == NULL) { + goto err; + } + + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kAllGroups); i++) { + const EC_GROUP *group = kAllGroups[i](); + if (!integers_equal(&curve.order, EC_GROUP_get0_order(group))) { + continue; + } + + // The order alone uniquely identifies the group, but we check the other + // parameters to avoid misinterpreting the group. 
+ if (!EC_GROUP_get_curve_GFp(group, p, a, b, NULL)) { + goto err; + } + if (!integers_equal(&curve.prime, p) || !integers_equal(&curve.a, a) || + !integers_equal(&curve.b, b)) { + break; + } + if (!EC_POINT_get_affine_coordinates_GFp( + group, EC_GROUP_get0_generator(group), x, y, NULL)) { + goto err; } + if (!integers_equal(&curve.base_x, x) || + !integers_equal(&curve.base_y, y)) { + break; + } + ret = group; + break; } - OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP); - return NULL; + if (ret == NULL) { + OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP); + } + +err: + BN_free(p); + BN_free(a); + BN_free(b); + BN_free(x); + BN_free(y); + return (EC_GROUP *)ret; } int EC_POINT_point2cbb(CBB *out, const EC_GROUP *group, const EC_POINT *point, @@ -458,18 +485,16 @@ EC_KEY *d2i_ECParameters(EC_KEY **out_key, const uint8_t **inp, long len) { CBS cbs; CBS_init(&cbs, *inp, (size_t)len); - EC_GROUP *group = EC_KEY_parse_parameters(&cbs); + const EC_GROUP *group = EC_KEY_parse_parameters(&cbs); if (group == NULL) { return NULL; } EC_KEY *ret = EC_KEY_new(); if (ret == NULL || !EC_KEY_set_group(ret, group)) { - EC_GROUP_free(group); EC_KEY_free(ret); return NULL; } - EC_GROUP_free(group); if (out_key != NULL) { EC_KEY_free(*out_key); @@ -532,3 +557,16 @@ int i2o_ECPublicKey(const EC_KEY *key, uint8_t **outp) { // Historically, this function used the wrong return value on error. return ret > 0 ? ret : 0; } + +size_t EC_get_builtin_curves(EC_builtin_curve *out_curves, + size_t max_num_curves) { + if (max_num_curves > OPENSSL_ARRAY_SIZE(kAllGroups)) { + max_num_curves = OPENSSL_ARRAY_SIZE(kAllGroups); + } + for (size_t i = 0; i < max_num_curves; i++) { + const EC_GROUP *group = kAllGroups[i](); + out_curves[i].nid = group->curve_name; + out_curves[i].comment = group->comment; + } + return OPENSSL_ARRAY_SIZE(kAllGroups); +} diff --git a/Sources/CJWTKitBoringSSL/crypto/ec_extra/ec_derive.c b/Sources/CJWTKitBoringSSL/crypto/ec_extra/ec_derive.c index 9b62820c..40953614 100644 
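Review bot: EC_get_builtin_curves writes `out_curves[i]` for every `i < max_num_curves` with no NULL check, so the usual `(NULL, 0)` count query is safe only because the loop body never runs, and a NULL pointer with a non-zero count dereferences NULL. The function also returns `OPENSSL_ARRAY_SIZE(kAllGroups)` regardless of how many entries it actually filled, which a reader of this file cannot tell without the header. A comment above the definition would pin both down: `// Fills at most |max_num_curves| entries of |out_curves| and returns the total number of built-in curves, not the number written; call with (NULL, 0) to query the count.`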
--- a/Sources/CJWTKitBoringSSL/crypto/ec_extra/ec_derive.c +++ b/Sources/CJWTKitBoringSSL/crypto/ec_extra/ec_derive.c @@ -55,7 +55,8 @@ EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret, } uint8_t derived[EC_KEY_DERIVE_EXTRA_BYTES + EC_MAX_BYTES]; - size_t derived_len = BN_num_bytes(&group->order) + EC_KEY_DERIVE_EXTRA_BYTES; + size_t derived_len = + BN_num_bytes(EC_GROUP_get0_order(group)) + EC_KEY_DERIVE_EXTRA_BYTES; assert(derived_len <= sizeof(derived)); if (!HKDF(derived, derived_len, EVP_sha256(), secret, secret_len, /*salt=*/NULL, /*salt_len=*/0, (const uint8_t *)info, @@ -74,10 +75,10 @@ EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret, // enough. 2^(num_bytes(order)) < 2^8 * order, so: // // priv < 2^8 * order * 2^128 < order * order < order * R - !BN_from_montgomery(priv, priv, group->order_mont, ctx) || + !BN_from_montgomery(priv, priv, &group->order, ctx) || // Multiply by R^2 and do another Montgomery reduction to compute // priv * R^-1 * R^2 * R^-1 = priv mod order. - !BN_to_montgomery(priv, priv, group->order_mont, ctx) || + !BN_to_montgomery(priv, priv, &group->order, ctx) || !EC_POINT_mul(group, pub, priv, NULL, NULL, ctx) || !EC_KEY_set_group(key, group) || !EC_KEY_set_public_key(key, pub) || !EC_KEY_set_private_key(key, priv)) { diff --git a/Sources/CJWTKitBoringSSL/crypto/ec_extra/hash_to_curve.c b/Sources/CJWTKitBoringSSL/crypto/ec_extra/hash_to_curve.c index 0fdc3cce..02e2cb6d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/ec_extra/hash_to_curve.c +++ b/Sources/CJWTKitBoringSSL/crypto/ec_extra/hash_to_curve.c @@ -26,8 +26,7 @@ #include "../internal.h" -// This file implements hash-to-curve, as described in -// draft-irtf-cfrg-hash-to-curve-16. +// This file implements hash-to-curve, as described in RFC 9380. // // This hash-to-curve implementation is written generically with the // expectation that we will eventually wish to support other curves. If it 
@@ -48,8 +47,7 @@ // templates to make specializing more convenient. // expand_message_xmd implements the operation described in section 5.3.1 of -// draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// RFC 9380. It returns one on success and zero on error. static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len, const uint8_t *msg, size_t msg_len, const uint8_t *dst, size_t dst_len) { @@ -138,7 +136,7 @@ static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len, // num_bytes_to_derive determines the number of bytes to derive when hashing to // a number modulo |modulus|. See the hash_to_field operation defined in -// section 5.2 of draft-irtf-cfrg-hash-to-curve-16. +// section 5.2 of RFC 9380. static int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) { size_t bits = BN_num_bits(modulus); size_t L = (bits + k + 7) / 8; @@ -171,20 +169,19 @@ static void big_endian_to_words(BN_ULONG *out, size_t num_words, } // hash_to_field implements the operation described in section 5.2 -// of draft-irtf-cfrg-hash-to-curve-16, with count = 2. |k| is the security -// factor. +// of RFC 9380, with count = 2. |k| is the security factor. static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md, EC_FELEM *out1, EC_FELEM *out2, const uint8_t *dst, size_t dst_len, unsigned k, const uint8_t *msg, size_t msg_len) { size_t L; uint8_t buf[4 * EC_MAX_BYTES]; - if (!num_bytes_to_derive(&L, &group->field, k) || + if (!num_bytes_to_derive(&L, &group->field.N, k) || !expand_message_xmd(md, buf, 2 * L, msg, msg_len, dst, dst_len)) { return 0; } BN_ULONG words[2 * EC_MAX_WORDS]; - size_t num_words = 2 * group->field.width; + size_t num_words = 2 * group->field.N.width; big_endian_to_words(words, num_words, buf, L); group->meth->felem_reduce(group, out1, words, num_words); big_endian_to_words(words, num_words, buf + L, L); 
@@ -197,15 +194,16 @@ static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md, static int hash_to_scalar(const EC_GROUP *group, const EVP_MD *md, EC_SCALAR *out, const uint8_t *dst, size_t dst_len, unsigned k, const uint8_t *msg, size_t msg_len) { + const BIGNUM *order = EC_GROUP_get0_order(group); size_t L; uint8_t buf[EC_MAX_BYTES * 2]; - if (!num_bytes_to_derive(&L, &group->order, k) || + if (!num_bytes_to_derive(&L, order, k) || !expand_message_xmd(md, buf, L, msg, msg_len, dst, dst_len)) { return 0; } BN_ULONG words[2 * EC_MAX_WORDS]; - size_t num_words = 2 * group->order.width; + size_t num_words = 2 * order->width; big_endian_to_words(words, num_words, buf, L); ec_scalar_reduce(group, out, words, num_words); return 1; @@ -220,8 +218,7 @@ static inline void mul_A(const EC_GROUP *group, EC_FELEM *out, ec_felem_sub(group, out, in, &tmp); // out = -3*in } -// sgn0 implements the operation described in section 4.1.2 of -// draft-irtf-cfrg-hash-to-curve-16. +// sgn0 implements the operation described in section 4.1.2 of RFC 9380. static BN_ULONG sgn0(const EC_GROUP *group, const EC_FELEM *a) { uint8_t buf[EC_MAX_BYTES]; size_t len; @@ -230,11 +227,11 @@ static BN_ULONG sgn0(const EC_GROUP *group, const EC_FELEM *a) { } OPENSSL_UNUSED static int is_3mod4(const EC_GROUP *group) { - return group->field.width > 0 && (group->field.d[0] & 3) == 3; + return group->field.N.width > 0 && (group->field.N.d[0] & 3) == 3; } // sqrt_ratio_3mod4 implements the operation described in appendix F.2.1.2 -// of draft-irtf-cfrg-hash-to-curve-16. +// of RFC 9380. static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z, const BN_ULONG *c1, size_t num_c1, const EC_FELEM *c2, EC_FELEM *out_y, 
@@ -269,8 +266,7 @@ static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z, } // map_to_curve_simple_swu implements the operation described in section 6.6.2 -// of draft-irtf-cfrg-hash-to-curve-16, using the straight-line implementation -// in appendix F.2. +// of RFC 9380, using the straight-line implementation in appendix F.2. static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z, const BN_ULONG *c1, size_t num_c1, const EC_FELEM *c2, EC_JACOBIAN *out, @@ -285,12 +281,12 @@ static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z, group->meth->felem_sqr; EC_FELEM tv1, tv2, tv3, tv4, tv5, tv6, x, y, y1; - felem_sqr(group, &tv1, u); // 1. tv1 = u^2 - felem_mul(group, &tv1, Z, &tv1); // 2. tv1 = Z * tv1 - felem_sqr(group, &tv2, &tv1); // 3. tv2 = tv1^2 - ec_felem_add(group, &tv2, &tv2, &tv1); // 4. tv2 = tv2 + tv1 - ec_felem_add(group, &tv3, &tv2, &group->one); // 5. tv3 = tv2 + 1 - felem_mul(group, &tv3, &group->b, &tv3); // 6. tv3 = B * tv3 + felem_sqr(group, &tv1, u); // 1. tv1 = u^2 + felem_mul(group, &tv1, Z, &tv1); // 2. tv1 = Z * tv1 + felem_sqr(group, &tv2, &tv1); // 3. tv2 = tv1^2 + ec_felem_add(group, &tv2, &tv2, &tv1); // 4. tv2 = tv2 + tv1 + ec_felem_add(group, &tv3, &tv2, ec_felem_one(group)); // 5. tv3 = tv2 + 1 + felem_mul(group, &tv3, &group->b, &tv3); // 6. tv3 = B * tv3 // 7. tv4 = CMOV(Z, -tv2, tv2 != 0) const BN_ULONG tv2_non_zero = ec_felem_non_zero_mask(group, &tv2); @@ -353,8 +349,8 @@ static int hash_to_curve(const EC_GROUP *group, const EVP_MD *md, // Compute |c1| = (p - 3) / 4. BN_ULONG c1[EC_MAX_WORDS]; - size_t num_c1 = group->field.width; - if (!bn_copy_words(c1, num_c1, &group->field)) { + size_t num_c1 = group->field.N.width; + if (!bn_copy_words(c1, num_c1, &group->field.N)) { return 0; } bn_rshift_words(c1, c1, /*shift=*/2, /*num=*/num_c1); 
@@ -370,7 +366,7 @@ static int hash_to_curve(const EC_GROUP *group, const EVP_MD *md, static int felem_from_u8(const EC_GROUP *group, EC_FELEM *out, uint8_t a) { uint8_t bytes[EC_MAX_BYTES] = {0}; - size_t len = BN_num_bytes(&group->field); + size_t len = BN_num_bytes(&group->field.N); bytes[len - 1] = a; return ec_felem_from_bytes(group, out, bytes, len); } @@ -404,7 +400,7 @@ int ec_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len) { - // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16. + // See section 8.3 of RFC 9380. if (EC_GROUP_get_curve_name(group) != NID_X9_62_prime256v1) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); return 0; @@ -437,7 +433,7 @@ int ec_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len) { - // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16. + // See section 8.3 of RFC 9380. if (EC_GROUP_get_curve_name(group) != NID_secp384r1) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); return 0; diff --git a/Sources/CJWTKitBoringSSL/crypto/ec_extra/internal.h b/Sources/CJWTKitBoringSSL/crypto/ec_extra/internal.h index fe5f6619..5d4aaf94 100644 --- a/Sources/CJWTKitBoringSSL/crypto/ec_extra/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/ec_extra/internal.h 
@@ -30,24 +30,22 @@ extern "C" { // ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group| // and writes the result to |out|, using the hash_to_field operation from the -// P384_XMD:SHA-384_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-16, but -// generating a value modulo the group order rather than a field element. +// P384_XMD:SHA-384_SSWU_RO_ suite from RFC 9380, but generating a value modulo +// the group order rather than a field element. OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384( const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); diff --git a/Sources/CJWTKitBoringSSL/crypto/engine/engine.c b/Sources/CJWTKitBoringSSL/crypto/engine/engine.c index d2ef9b73..b252d66a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/engine/engine.c +++ b/Sources/CJWTKitBoringSSL/crypto/engine/engine.c 
@@ -31,15 +31,7 @@ struct engine_st { ECDSA_METHOD *ecdsa_method; }; -ENGINE *ENGINE_new(void) { - ENGINE *engine = OPENSSL_malloc(sizeof(ENGINE)); - if (engine == NULL) { - return NULL; - } - - OPENSSL_memset(engine, 0, sizeof(ENGINE)); - return engine; -} +ENGINE *ENGINE_new(void) { return OPENSSL_zalloc(sizeof(ENGINE)); } int ENGINE_free(ENGINE *engine) { // Methods are currently required to be static so are not unref'ed. diff --git a/Sources/CJWTKitBoringSSL/crypto/err/err.c b/Sources/CJWTKitBoringSSL/crypto/err/err.c index 41a7b710..d4a35a9b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/err/err.c +++ b/Sources/CJWTKitBoringSSL/crypto/err/err.c @@ -146,13 +146,13 @@ struct err_error_st { // ERR_STATE contains the per-thread, error queue. typedef struct err_state_st { - // errors contains the ERR_NUM_ERRORS most recent errors, organised as a ring - // buffer. + // errors contains up to ERR_NUM_ERRORS - 1 most recent errors, organised as a + // ring buffer. struct err_error_st errors[ERR_NUM_ERRORS]; - // top contains the index one past the most recent error. If |top| equals - // |bottom| then the queue is empty. + // top contains the index of the most recent error. If |top| equals |bottom| + // then the queue is empty. unsigned top; - // bottom contains the index of the last error in the queue. + // bottom contains the index before the least recent error in the queue. unsigned bottom; // to_free, if not NULL, contains a pointer owned by this structure that was @@ -192,8 +192,7 @@ static int global_next_library = ERR_NUM_LIBS; // global_next_library_mutex protects |global_next_library| from concurrent // updates. -static struct CRYPTO_STATIC_MUTEX global_next_library_mutex = - CRYPTO_STATIC_MUTEX_INIT; +static CRYPTO_MUTEX global_next_library_mutex = CRYPTO_MUTEX_INIT; static void err_state_free(void *statep) { ERR_STATE *state = statep; 
@@ -367,9 +366,9 @@ void ERR_remove_thread_state(const CRYPTO_THREADID *tid) { int ERR_get_next_error_library(void) { int ret; - CRYPTO_STATIC_MUTEX_lock_write(&global_next_library_mutex); + CRYPTO_MUTEX_lock_write(&global_next_library_mutex); ret = global_next_library++; - CRYPTO_STATIC_MUTEX_unlock_write(&global_next_library_mutex); + CRYPTO_MUTEX_unlock_write(&global_next_library_mutex); return ret; } @@ -553,22 +552,21 @@ char *ERR_error_string_n(uint32_t packed_error, char *buf, size_t len) { const char *lib_str = err_lib_error_string(packed_error); const char *reason_str = err_reason_error_string(packed_error); - char lib_buf[64], reason_buf[64]; + char lib_buf[32], reason_buf[32]; if (lib_str == NULL) { - BIO_snprintf(lib_buf, sizeof(lib_buf), "lib(%u)", lib); + snprintf(lib_buf, sizeof(lib_buf), "lib(%u)", lib); lib_str = lib_buf; } - if (reason_str == NULL) { - BIO_snprintf(reason_buf, sizeof(reason_buf), "reason(%u)", reason); + if (reason_str == NULL) { + snprintf(reason_buf, sizeof(reason_buf), "reason(%u)", reason); reason_str = reason_buf; } - BIO_snprintf(buf, len, "error:%08" PRIx32 ":%s:OPENSSL_internal:%s", - packed_error, lib_str, reason_str); - - if (strlen(buf) == len - 1) { - // output may be truncated; make sure we always have 5 colon-separated + int ret = snprintf(buf, len, "error:%08" PRIx32 ":%s:OPENSSL_internal:%s", + packed_error, lib_str, reason_str); + if (ret >= 0 && (size_t)ret >= len) { + // The output was truncated; make sure we always have 5 colon-separated // fields, i.e. 4 colons. static const unsigned num_colons = 4; unsigned i; 
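Review bot: The new truncation test `ret >= 0 && (size_t)ret >= len` skips the repair block when snprintf itself reports an error (`ret < 0`), in which case the contents of `buf` are unspecified yet, as far as the visible code shows, still handed back to the caller; the remainder of ERR_error_string_n is outside the hunk. If the repair block below rewrites `buf` into a well-formed string, folding the error case into the same condition, `if (ret < 0 || (size_t)ret >= len) {`, keeps `buf` NUL-terminated on every path; otherwise an explicit `buf[0] = '\0';` for `ret < 0` would. The shrink of `lib_buf`/`reason_buf` to 32 bytes is safe: `reason(%u)` needs at most 18 characters plus the terminator.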
@@ -618,8 +616,8 @@ void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) { } ERR_error_string_n(packed_error, buf, sizeof(buf)); - BIO_snprintf(buf2, sizeof(buf2), "%lu:%s:%s:%d:%s\n", thread_hash, buf, - file, line, (flags & ERR_FLAG_STRING) ? data : ""); + snprintf(buf2, sizeof(buf2), "%lu:%s:%s:%d:%s\n", thread_hash, buf, file, + line, (flags & ERR_FLAG_STRING) ? data : ""); if (callback(buf2, strlen(buf2), ctx) <= 0) { break; } @@ -867,6 +865,10 @@ void ERR_restore_state(const ERR_SAVE_STATE *state) { return; } + if (state->num_errors >= ERR_NUM_ERRORS) { + abort(); + } + ERR_STATE *const dst = err_get_state(); if (dst == NULL) { return; @@ -875,6 +877,6 @@ void ERR_restore_state(const ERR_SAVE_STATE *state) { for (size_t i = 0; i < state->num_errors; i++) { err_copy(&dst->errors[i], &state->errors[i]); } - dst->top = state->num_errors - 1; + dst->top = (unsigned)(state->num_errors - 1); dst->bottom = ERR_NUM_ERRORS - 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/err/err_data.c b/Sources/CJWTKitBoringSSL/crypto/err/err_data.c index aeadc76b..04c2e3a4 100644 --- a/Sources/CJWTKitBoringSSL/crypto/err/err_data.c +++ b/Sources/CJWTKitBoringSSL/crypto/err/err_data.c @@ -81,7 +81,7 @@ const uint32_t kOpenSSLReasonValues[] = { 0x10339666, 0x10341679, 0x10348f93, - 0x10350ccc, + 0x10350cdf, 0x1035968c, 0x103616b6, 0x103696c9, @@ -103,7 +103,7 @@ const uint32_t kOpenSSLReasonValues[] = { 0x103e9839, 0x103f1850, 0x103f9863, - 0x10400c90, + 0x10400ca3, 0x10409876, 0x10411894, 0x104198a7, @@ -125,11 +125,12 @@ const uint32_t kOpenSSLReasonValues[] = { 0x104997d7, 0x104a16a1, 0x14320c73, - 0x14328c81, - 0x14330c90, - 0x14338ca2, + 0x14328c94, + 0x14330ca3, + 0x14338cb5, 0x143400b9, 0x143480f7, + 0x14350c81, 0x18320090, 0x18328fe9, 0x183300b9, @@ -163,7 +164,7 @@ const uint32_t kOpenSSLReasonValues[] = { 0x18411164, 0x1841912f, 0x1842114e, - 0x18428cd8, + 0x18428c81, 0x1843110a, 0x18439176, 0x18441028, 
@@ -185,60 +186,60 @@ const uint32_t kOpenSSLReasonValues[] = { 0x2438133b, 0x24389348, 0x2439135b, - 0x28320cc0, + 0x28320cd3, 0x28328ceb, - 0x28330c90, + 0x28330ca3, 0x28338cfe, - 0x28340ccc, + 0x28340cdf, 0x283480b9, 0x283500f7, - 0x28358cd8, + 0x28358c81, 0x2836099a, - 0x2c3232e0, + 0x2c3232e7, 0x2c329372, - 0x2c3332ee, - 0x2c33b300, - 0x2c343314, - 0x2c34b326, - 0x2c353341, - 0x2c35b353, - 0x2c363383, + 0x2c3332f5, + 0x2c33b307, + 0x2c34331b, + 0x2c34b32d, + 0x2c353348, + 0x2c35b35a, + 0x2c36338a, 0x2c36833a, - 0x2c373390, - 0x2c37b3bc, - 0x2c3833fa, - 0x2c38b411, - 0x2c39342f, - 0x2c39b43f, - 0x2c3a3451, - 0x2c3ab465, - 0x2c3b3476, - 0x2c3bb495, + 0x2c373397, + 0x2c37b3c3, + 0x2c383401, + 0x2c38b418, + 0x2c393436, + 0x2c39b446, + 0x2c3a3458, + 0x2c3ab46c, + 0x2c3b347d, + 0x2c3bb49c, 0x2c3c1384, 0x2c3c939a, - 0x2c3d34da, + 0x2c3d34e1, 0x2c3d93b3, - 0x2c3e3504, - 0x2c3eb512, - 0x2c3f352a, - 0x2c3fb542, - 0x2c40356c, + 0x2c3e350b, + 0x2c3eb519, + 0x2c3f3531, + 0x2c3fb549, + 0x2c403573, 0x2c409285, - 0x2c41357d, - 0x2c41b590, + 0x2c413584, + 0x2c41b597, 0x2c42124b, - 0x2c42b5a1, + 0x2c42b5a8, 0x2c43076d, - 0x2c43b487, - 0x2c4433cf, - 0x2c44b54f, - 0x2c453366, - 0x2c45b3a2, - 0x2c46341f, - 0x2c46b4a9, - 0x2c4734be, - 0x2c47b4f7, - 0x2c4833e1, + 0x2c43b48e, + 0x2c4433d6, + 0x2c44b556, + 0x2c45336d, + 0x2c45b3a9, + 0x2c463426, + 0x2c46b4b0, + 0x2c4734c5, + 0x2c47b4fe, + 0x2c4833e8, 0x30320000, 0x30328015, 0x3033001f, 
@@ -436,203 +437,203 @@ const uint32_t kOpenSSLReasonValues[] = { 0x404da092, 0x404e20a6, 0x404ea0b3, - 0x404f214d, - 0x404fa1c3, - 0x40502232, - 0x4050a246, - 0x40512279, - 0x40522289, - 0x4052a2ad, - 0x405322c5, - 0x4053a2d8, - 0x405422ed, - 0x4054a310, - 0x4055233b, - 0x4055a378, - 0x4056239d, - 0x4056a3b6, - 0x405723ce, - 0x4057a3e1, - 0x405823f6, - 0x4058a41d, - 0x4059244c, - 0x4059a479, - 0x405a248d, - 0x405aa49d, - 0x405b24b5, - 0x405ba4c6, - 0x405c24d9, - 0x405ca518, - 0x405d2525, - 0x405da54a, - 0x405e2588, + 0x404f2164, + 0x404fa1da, + 0x40502249, + 0x4050a25d, + 0x40512290, + 0x405222a0, + 0x4052a2c4, + 0x405322dc, + 0x4053a2ef, + 0x40542304, + 0x4054a327, + 0x40552352, + 0x4055a38f, + 0x405623b4, + 0x4056a3cd, + 0x405723e5, + 0x4057a3f8, + 0x4058240d, + 0x4058a434, + 0x40592463, + 0x4059a490, + 0x405aa4a4, + 0x405b24bc, + 0x405ba4cd, + 0x405c24e0, + 0x405ca51f, + 0x405d252c, + 0x405da551, + 0x405e258f, 0x405e8afe, - 0x405f25a9, - 0x405fa5b6, - 0x406025c4, - 0x4060a5e6, - 0x40612647, - 0x4061a67f, - 0x40622696, - 0x4062a6a7, - 0x406326f4, - 0x4063a709, - 0x40642720, - 0x4064a74c, - 0x40652767, - 0x4065a77e, - 0x40662796, - 0x4066a7c0, - 0x406727eb, - 0x4067a830, - 0x40682878, - 0x4068a899, - 0x406928cb, - 0x4069a8f9, - 0x406a291a, - 0x406aa93a, - 0x406b2ac2, - 0x406baae5, - 0x406c2afb, - 0x406cae05, - 0x406d2e34, - 0x406dae5c, - 0x406e2e8a, - 0x406eaed7, - 0x406f2f30, - 0x406faf68, - 0x40702f7b, - 0x4070af98, + 0x405f25b0, + 0x405fa5bd, + 0x406025cb, + 0x4060a5ed, + 0x4061264e, + 0x4061a686, + 0x4062269d, + 0x4062a6ae, + 0x406326fb, + 0x4063a710, + 0x40642727, + 0x4064a753, + 0x4065276e, + 0x4065a785, + 0x4066279d, + 0x4066a7c7, + 0x406727f2, + 0x4067a837, + 0x4068287f, + 0x4068a8a0, + 0x406928d2, + 0x4069a900, + 0x406a2921, + 0x406aa941, + 0x406b2ac9, + 0x406baaec, + 0x406c2b02, + 0x406cae0c, + 0x406d2e3b, + 0x406dae63, + 0x406e2e91, + 0x406eaede, + 0x406f2f37, + 0x406faf6f, + 0x40702f82, + 0x4070af9f, 0x4071084d, - 0x4071afaa, - 0x40722fbd, - 
0x4072aff3, - 0x4073300b, + 0x4071afb1, + 0x40722fc4, + 0x4072affa, + 0x40733012, 0x4073959c, - 0x4074301f, - 0x4074b039, - 0x4075304a, - 0x4075b05e, - 0x4076306c, + 0x40743026, + 0x4074b040, + 0x40753051, + 0x4075b065, + 0x40763073, 0x40769348, - 0x40773091, - 0x4077b0d1, - 0x407830ec, - 0x4078b125, - 0x4079313c, - 0x4079b152, - 0x407a317e, - 0x407ab191, - 0x407b31a6, - 0x407bb1b8, - 0x407c31e9, - 0x407cb1f2, - 0x407d28b4, - 0x407da1eb, - 0x407e3101, - 0x407ea42d, + 0x40773098, + 0x4077b0d8, + 0x407830f3, + 0x4078b12c, + 0x40793143, + 0x4079b159, + 0x407a3185, + 0x407ab198, + 0x407b31ad, + 0x407bb1bf, + 0x407c31f0, + 0x407cb1f9, + 0x407d28bb, + 0x407da202, + 0x407e3108, + 0x407ea444, 0x407f1e27, 0x407f9ffa, - 0x4080215d, + 0x40802174, 0x40809e4f, - 0x4081229b, + 0x408122b2, 0x4081a101, - 0x40822e75, + 0x40822e7c, 0x40829ba2, - 0x40832408, - 0x4083a731, + 0x4083241f, + 0x4083a738, 0x40841e63, - 0x4084a465, - 0x408524ea, - 0x4085a60e, - 0x4086256a, - 0x4086a205, - 0x40872ebb, - 0x4087a65c, + 0x4084a47c, + 0x408524f1, + 0x4085a615, + 0x40862571, + 0x4086a21c, + 0x40872ec2, + 0x4087a663, 0x40881be0, - 0x4088a843, + 0x4088a84a, 0x40891c2f, 0x40899bbc, - 0x408a2b33, + 0x408a2b3a, 0x408a99b4, - 0x408b31cd, - 0x408baf45, - 0x408c24fa, + 0x408b31d4, + 0x408baf4c, + 0x408c2501, 0x408c99ec, 0x408d1f4b, 0x408d9e95, 0x408e207b, - 0x408ea358, - 0x408f2857, - 0x408fa62a, - 0x4090280c, - 0x4090a53c, - 0x40912b1b, + 0x408ea36f, + 0x408f285e, + 0x408fa631, + 0x40902813, + 0x4090a543, + 0x40912b22, 0x40919a12, 0x40921c7c, - 0x4092aef6, - 0x40932fd6, - 0x4093a216, + 0x4092aefd, + 0x40932fdd, + 0x4093a22d, 0x40941e77, - 0x4094ab4c, - 0x409526b8, - 0x4095b15e, - 0x40962ea2, - 0x4096a176, - 0x40972261, + 0x4094ab53, + 0x409526bf, + 0x4095b165, + 0x40962ea9, + 0x4096a18d, + 0x40972278, 0x4097a0ca, 0x40981cdc, - 0x4098a6cc, - 0x40992f12, - 0x4099a385, - 0x409a231e, + 0x4098a6d3, + 0x40992f19, + 0x4099a39c, + 0x409a2335, 0x409a99d0, 0x409b1ed1, 0x409b9efc, - 0x409c30b3, + 0x409c30ba, 
0x409c9f24, - 0x409d2132, + 0x409d2149, 0x409da117, 0x409e1d6d, - 0x409ea1ab, - 0x409f2193, + 0x409ea1c2, + 0x409f21aa, 0x409f9ec4, - 0x40a021d3, + 0x40a021ea, 0x40a0a0e4, - 0x41f429ed, - 0x41f92a7f, - 0x41fe2972, - 0x41feac28, - 0x41ff2d56, - 0x42032a06, - 0x42082a28, - 0x4208aa64, - 0x42092956, - 0x4209aa9e, - 0x420a29ad, - 0x420aa98d, - 0x420b29cd, - 0x420baa46, - 0x420c2d72, - 0x420cab5c, - 0x420d2c0f, - 0x420dac46, - 0x42122c79, - 0x42172d39, - 0x4217acbb, - 0x421c2cdd, - 0x421f2c98, - 0x42212dea, - 0x42262d1c, - 0x422b2dc8, - 0x422babea, - 0x422c2daa, - 0x422cab9d, - 0x422d2b76, - 0x422dad89, - 0x422e2bc9, - 0x42302cf8, - 0x4230ac60, + 0x40a12132, + 0x41f429f4, + 0x41f92a86, + 0x41fe2979, + 0x41feac2f, + 0x41ff2d5d, + 0x42032a0d, + 0x42082a2f, + 0x4208aa6b, + 0x4209295d, + 0x4209aaa5, + 0x420a29b4, + 0x420aa994, + 0x420b29d4, + 0x420baa4d, + 0x420c2d79, + 0x420cab63, + 0x420d2c16, + 0x420dac4d, + 0x42122c80, + 0x42172d40, + 0x4217acc2, + 0x421c2ce4, + 0x421f2c9f, + 0x42212df1, + 0x42262d23, + 0x422b2dcf, + 0x422babf1, + 0x422c2db1, + 0x422caba4, + 0x422d2b7d, + 0x422dad90, + 0x422e2bd0, + 0x42302cff, + 0x4230ac67, 0x44320778, 0x44328787, 0x44330793, @@ -677,7 +678,7 @@ const uint32_t kOpenSSLReasonValues[] = { 0x4c3c1574, 0x4c3c9583, 0x4c3d159c, - 0x4c3d8cb3, + 0x4c3d8cc6, 0x4c3e1609, 0x4c3e95ab, 0x4c3f162b, 
@@ -688,71 +689,71 @@ const uint32_t kOpenSSLReasonValues[] = { 0x4c41947c, 0x4c4215e5, 0x4c4293c4, - 0x503235b3, - 0x5032b5c2, - 0x503335cd, - 0x5033b5dd, - 0x503435f6, - 0x5034b610, - 0x5035361e, - 0x5035b634, - 0x50363646, - 0x5036b65c, - 0x50373675, - 0x5037b688, - 0x503836a0, - 0x5038b6b1, - 0x503936c6, - 0x5039b6da, - 0x503a36fa, - 0x503ab710, - 0x503b3728, - 0x503bb73a, - 0x503c3756, - 0x503cb76d, - 0x503d3786, - 0x503db79c, - 0x503e37a9, - 0x503eb7bf, - 0x503f37d1, + 0x503235ba, + 0x5032b5c9, + 0x503335d4, + 0x5033b5e4, + 0x503435fd, + 0x5034b617, + 0x50353625, + 0x5035b63b, + 0x5036364d, + 0x5036b663, + 0x5037367c, + 0x5037b68f, + 0x503836a7, + 0x5038b6b8, + 0x503936cd, + 0x5039b6e1, + 0x503a3701, + 0x503ab717, + 0x503b372f, + 0x503bb741, + 0x503c375d, + 0x503cb774, + 0x503d378d, + 0x503db7a3, + 0x503e37b0, + 0x503eb7c6, + 0x503f37d8, 0x503f83b3, - 0x504037e4, - 0x5040b7f4, - 0x5041380e, - 0x5041b81d, - 0x50423837, - 0x5042b854, - 0x50433864, - 0x5043b874, - 0x50443891, + 0x504037eb, + 0x5040b7fb, + 0x50413815, + 0x5041b824, + 0x5042383e, + 0x5042b85b, + 0x5043386b, + 0x5043b87b, + 0x50443898, 0x50448469, - 0x504538a5, - 0x5045b8c3, - 0x504638d6, - 0x5046b8ec, - 0x504738fe, - 0x5047b913, - 0x50483939, - 0x5048b947, - 0x5049395a, - 0x5049b96f, - 0x504a3985, - 0x504ab995, - 0x504b39b5, - 0x504bb9c8, - 0x504c39eb, - 0x504cba19, - 0x504d3a46, - 0x504dba63, - 0x504e3a7e, - 0x504eba9a, - 0x504f3aac, - 0x504fbac3, - 0x50503ad2, + 0x504538ac, + 0x5045b8ca, + 0x504638dd, + 0x5046b8f3, + 0x50473905, + 0x5047b91a, + 0x50483940, + 0x5048b94e, + 0x50493961, + 0x5049b976, + 0x504a398c, + 0x504ab99c, + 0x504b39bc, + 0x504bb9cf, + 0x504c39f2, + 0x504cba20, + 0x504d3a4d, + 0x504dba6a, + 0x504e3a85, + 0x504ebaa1, + 0x504f3ab3, + 0x504fbaca, + 0x50503ad9, 0x50508729, - 0x50513ae5, - 0x5051b883, - 0x50523a2b, + 0x50513aec, + 0x5051b88a, + 0x50523a32, 0x58320fd1, 0x68320f93, 0x68328ceb, 
@@ -762,12 +763,12 @@ const uint32_t kOpenSSLReasonValues[] = { 0x683480f7, 0x6835099a, 0x6c320f59, - 0x6c328ca2, + 0x6c328cb5, 0x6c330f64, 0x6c338f7d, 0x74320a66, 0x743280b9, - 0x74330cb3, + 0x74330cc6, 0x783209cb, 0x783289e0, 0x783309ec, @@ -797,19 +798,19 @@ const uint32_t kOpenSSLReasonValues[] = { 0x7c321261, 0x8032148f, 0x80328090, - 0x803332af, + 0x803332b6, 0x803380b9, - 0x803432be, - 0x8034b226, - 0x80353244, - 0x8035b2d2, - 0x80363286, - 0x8036b235, - 0x80373278, - 0x8037b213, - 0x80383299, - 0x8038b255, - 0x8039326a, + 0x803432c5, + 0x8034b22d, + 0x8035324b, + 0x8035b2d9, + 0x8036328d, + 0x8036b23c, + 0x8037327f, + 0x8037b21a, + 0x803832a0, + 0x8038b25c, + 0x80393271, }; const size_t kOpenSSLReasonValuesLen = sizeof(kOpenSSLReasonValues) / sizeof(kOpenSSLReasonValues[0]); @@ -982,13 +983,13 @@ const char kOpenSSLReasonStringData[] = "VARIABLE_EXPANSION_TOO_LONG\0" "VARIABLE_HAS_NO_VALUE\0" "BAD_GENERATOR\0" + "INVALID_PARAMETERS\0" "INVALID_PUBKEY\0" "MODULUS_TOO_LARGE\0" "NO_PRIVATE_VALUE\0" "UNKNOWN_HASH\0" "BAD_Q_VALUE\0" "BAD_VERSION\0" - "INVALID_PARAMETERS\0" "MISSING_PARAMETERS\0" "NEED_NEW_SETUP_VALUES\0" "BIGNUM_OUT_OF_RANGE\0" @@ -1230,6 +1231,7 @@ const char kOpenSSLReasonStringData[] = "INCONSISTENT_ECH_NEGOTIATION\0" "INVALID_ALPN_PROTOCOL\0" "INVALID_ALPN_PROTOCOL_LIST\0" + "INVALID_ALPS_CODEPOINT\0" "INVALID_CLIENT_HELLO_INNER\0" "INVALID_COMMAND\0" "INVALID_COMPRESSION_LIST\0" @@ -1268,7 +1270,6 @@ const char kOpenSSLReasonStringData[] = "NO_COMPRESSION_SPECIFIED\0" "NO_GROUPS_SPECIFIED\0" "NO_METHOD_SPECIFIED\0" - "NO_P256_SUPPORT\0" "NO_PRIVATE_KEY_ASSIGNED\0" "NO_RENEGOTIATION\0" "NO_REQUIRED_DIGEST\0" diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/evp.c b/Sources/CJWTKitBoringSSL/crypto/evp/evp.c index 0f6942a0..4ee49e42 100644 --- a/Sources/CJWTKitBoringSSL/crypto/evp/evp.c +++ b/Sources/CJWTKitBoringSSL/crypto/evp/evp.c 
@@ -81,17 +81,13 @@ OPENSSL_DECLARE_ERROR_REASON(EVP, NOT_XOF_OR_INVALID_LENGTH)
 OPENSSL_DECLARE_ERROR_REASON(EVP, EMPTY_PSK)
 
 EVP_PKEY *EVP_PKEY_new(void) {
-  EVP_PKEY *ret;
-
-  ret = OPENSSL_malloc(sizeof(EVP_PKEY));
+  EVP_PKEY *ret = OPENSSL_zalloc(sizeof(EVP_PKEY));
   if (ret == NULL) {
     return NULL;
   }
 
-  OPENSSL_memset(ret, 0, sizeof(EVP_PKEY));
   ret->type = EVP_PKEY_NONE;
   ret->references = 1;
-
   return ret;
 }
 
@@ -229,6 +225,13 @@ static const EVP_PKEY_ASN1_METHOD *evp_pkey_asn1_find(int nid) {
   }
 }
 
+static void evp_pkey_set_method(EVP_PKEY *pkey,
+                                const EVP_PKEY_ASN1_METHOD *method) {
+  free_it(pkey);
+  pkey->ameth = method;
+  pkey->type = pkey->ameth->pkey_id;
+}
+
 int EVP_PKEY_type(int nid) {
   const EVP_PKEY_ASN1_METHOD *meth = evp_pkey_asn1_find(nid);
   if (meth == NULL) {
@@ -246,7 +249,9 @@ int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) {
 }
 
 int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key) {
-  return EVP_PKEY_assign(pkey, EVP_PKEY_RSA, key);
+  evp_pkey_set_method(pkey, &rsa_asn1_meth);
+  pkey->pkey = key;
+  return key != NULL;
 }
 
 RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) {
@@ -274,7 +279,9 @@ int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) {
 }
 
 int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key) {
-  return EVP_PKEY_assign(pkey, EVP_PKEY_DSA, key);
+  evp_pkey_set_method(pkey, &dsa_asn1_meth);
+  pkey->pkey = key;
+  return key != NULL;
 }
 
 DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey) {
@@ -302,7 +309,9 @@ int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) {
 }
 
 int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) {
-  return EVP_PKEY_assign(pkey, EVP_PKEY_EC, key);
+  evp_pkey_set_method(pkey, &ec_asn1_meth);
+  pkey->pkey = key;
+  return key != NULL;
 }
 
 EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) {
@@ -325,21 +334,32 @@ DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey) { return NULL; }
 DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey) { return NULL; }
 
 int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) {
-  if (!EVP_PKEY_set_type(pkey, type)) {
-    return 0;
+  // This function can only be used to assign RSA, DSA, and EC keys. Other key
+  // types have internal representations which are not exposed through the
+  // public API.
+  switch (type) {
+    case EVP_PKEY_RSA:
+      return EVP_PKEY_assign_RSA(pkey, key);
+    case EVP_PKEY_DSA:
+      return EVP_PKEY_assign_DSA(pkey, key);
+    case EVP_PKEY_EC:
+      return EVP_PKEY_assign_EC_KEY(pkey, key);
   }
-  pkey->pkey = key;
-  return key != NULL;
+
+  OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
+  ERR_add_error_dataf("algorithm %d", type);
+  return 0;
 }
 
 int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) {
-  const EVP_PKEY_ASN1_METHOD *ameth;
-
   if (pkey && pkey->pkey) {
+    // This isn't strictly necessary, but historically |EVP_PKEY_set_type| would
+    // clear |pkey| even if |evp_pkey_asn1_find| failed, so we preserve that
+    // behavior.
     free_it(pkey);
   }
 
-  ameth = evp_pkey_asn1_find(type);
+  const EVP_PKEY_ASN1_METHOD *ameth = evp_pkey_asn1_find(type);
   if (ameth == NULL) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);
     ERR_add_error_dataf("algorithm %d", type);
@@ -347,8 +367,7 @@ int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) {
   }
 
   if (pkey) {
-    pkey->ameth = ameth;
-    pkey->type = pkey->ameth->pkey_id;
+    evp_pkey_set_method(pkey, ameth);
   }
 
   return 1;
diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/evp_ctx.c b/Sources/CJWTKitBoringSSL/crypto/evp/evp_ctx.c
index 920bca02..8e9f2191 100644
--- a/Sources/CJWTKitBoringSSL/crypto/evp/evp_ctx.c
+++ b/Sources/CJWTKitBoringSSL/crypto/evp/evp_ctx.c
@@ -86,11 +86,10 @@ static const EVP_PKEY_METHOD *evp_pkey_meth_find(int type) {
 
 static EVP_PKEY_CTX *evp_pkey_ctx_new(EVP_PKEY *pkey, ENGINE *e,
                                      const EVP_PKEY_METHOD *pmeth) {
-  EVP_PKEY_CTX *ret = OPENSSL_malloc(sizeof(EVP_PKEY_CTX));
+  EVP_PKEY_CTX *ret = OPENSSL_zalloc(sizeof(EVP_PKEY_CTX));
   if (!ret) {
     return NULL;
   }
-  OPENSSL_memset(ret, 0, sizeof(EVP_PKEY_CTX));
 
   ret->engine = e;
   ret->pmeth = pmeth;
@@ -156,13 +155,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx) {
     return NULL;
   }
 
-  EVP_PKEY_CTX *ret = OPENSSL_malloc(sizeof(EVP_PKEY_CTX));
+  EVP_PKEY_CTX *ret = OPENSSL_zalloc(sizeof(EVP_PKEY_CTX));
   if (!ret) {
     return NULL;
   }
-  OPENSSL_memset(ret, 0, sizeof(EVP_PKEY_CTX));
-
   ret->pmeth = ctx->pmeth;
   ret->engine = ctx->engine;
   ret->operation = ctx->operation;
 
diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/p_ec.c b/Sources/CJWTKitBoringSSL/crypto/evp/p_ec.c
index d6026748..11f9cbae 100644
--- a/Sources/CJWTKitBoringSSL/crypto/evp/p_ec.c
+++ b/Sources/CJWTKitBoringSSL/crypto/evp/p_ec.c
@@ -75,20 +75,17 @@ typedef struct {
   // message digest
   const EVP_MD *md;
 
-  EC_GROUP *gen_group;
+  const EC_GROUP *gen_group;
 } EC_PKEY_CTX;
 
 
 static int pkey_ec_init(EVP_PKEY_CTX *ctx) {
-  EC_PKEY_CTX *dctx;
-  dctx = OPENSSL_malloc(sizeof(EC_PKEY_CTX));
+  EC_PKEY_CTX *dctx = OPENSSL_zalloc(sizeof(EC_PKEY_CTX));
   if (!dctx) {
     return 0;
   }
-  OPENSSL_memset(dctx, 0, sizeof(EC_PKEY_CTX));
 
   ctx->data = dctx;
-
   return 1;
 }
 
@@ -111,7 +108,6 @@ static void pkey_ec_cleanup(EVP_PKEY_CTX *ctx) {
     return;
   }
 
-  EC_GROUP_free(dctx->gen_group);
   OPENSSL_free(dctx);
 }
 
@@ -195,11 +191,10 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {
       return 1;
 
     case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: {
-      EC_GROUP *group = EC_GROUP_new_by_curve_name(p1);
+      const EC_GROUP *group = EC_GROUP_new_by_curve_name(p1);
       if (group == NULL) {
         return 0;
       }
-      EC_GROUP_free(dctx->gen_group);
       dctx->gen_group = group;
       return 1;
     }
diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/p_ec_asn1.c b/Sources/CJWTKitBoringSSL/crypto/evp/p_ec_asn1.c
index 0d194288..69b68590 100644
--- a/Sources/CJWTKitBoringSSL/crypto/evp/p_ec_asn1.c
+++ b/Sources/CJWTKitBoringSSL/crypto/evp/p_ec_asn1.c
@@ -94,7 +94,7 @@ static int eckey_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
 
   // The parameters are a named curve.
   EC_KEY *eckey = NULL;
-  EC_GROUP *group = EC_KEY_parse_curve_name(params);
+  const EC_GROUP *group = EC_KEY_parse_curve_name(params);
   if (group == NULL || CBS_len(params) != 0) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     goto err;
@@ -107,12 +107,10 @@ static int eckey_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {
     goto err;
   }
 
-  EC_GROUP_free(group);
   EVP_PKEY_assign_EC_KEY(out, eckey);
   return 1;
 
 err:
-  EC_GROUP_free(group);
   EC_KEY_free(eckey);
   return 0;
 }
@@ -135,15 +133,13 @@ static int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
 
 static int eckey_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {
   // See RFC 5915.
-  EC_GROUP *group = EC_KEY_parse_parameters(params);
+  const EC_GROUP *group = EC_KEY_parse_parameters(params);
   if (group == NULL || CBS_len(params) != 0) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
-    EC_GROUP_free(group);
     return 0;
   }
 
   EC_KEY *ec_key = EC_KEY_parse_private_key(key, group);
-  EC_GROUP_free(group);
   if (ec_key == NULL || CBS_len(key) != 0) {
     OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
     EC_KEY_free(ec_key);
@@ -215,7 +211,7 @@ static int ec_bits(const EVP_PKEY *pkey) {
     ERR_clear_error();
     return 0;
   }
-  return BN_num_bits(EC_GROUP_get0_order(group));
+  return EC_GROUP_order_bits(group);
 }
 
 static int ec_missing_parameters(const EVP_PKEY *pkey) {
diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/p_hkdf.c b/Sources/CJWTKitBoringSSL/crypto/evp/p_hkdf.c
index 14830c9f..570f66c7 100644
--- a/Sources/CJWTKitBoringSSL/crypto/evp/p_hkdf.c
+++ b/Sources/CJWTKitBoringSSL/crypto/evp/p_hkdf.c
@@ -35,12 +35,11 @@ typedef struct {
 } HKDF_PKEY_CTX;
 
 static int pkey_hkdf_init(EVP_PKEY_CTX *ctx) {
-  HKDF_PKEY_CTX *hctx = OPENSSL_malloc(sizeof(HKDF_PKEY_CTX));
+  HKDF_PKEY_CTX *hctx = OPENSSL_zalloc(sizeof(HKDF_PKEY_CTX));
   if (hctx == NULL) {
     return 0;
   }
-  OPENSSL_memset(hctx, 0, sizeof(HKDF_PKEY_CTX));
 
   if (!CBB_init(&hctx->info, 0)) {
     OPENSSL_free(hctx);
     return 0;
diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/p_rsa.c b/Sources/CJWTKitBoringSSL/crypto/evp/p_rsa.c
index 184fe5ef..66243e7b 100644
--- a/Sources/CJWTKitBoringSSL/crypto/evp/p_rsa.c
+++ b/Sources/CJWTKitBoringSSL/crypto/evp/p_rsa.c
@@ -97,12 +97,10 @@ typedef struct {
 } RSA_OAEP_LABEL_PARAMS;
 
 static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
-  RSA_PKEY_CTX *rctx;
-  rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
+  RSA_PKEY_CTX *rctx = OPENSSL_zalloc(sizeof(RSA_PKEY_CTX));
   if (!rctx) {
     return 0;
   }
-  OPENSSL_memset(rctx, 0, sizeof(RSA_PKEY_CTX));
 
   rctx->nbits = 2048;
   rctx->pad_mode = RSA_PKCS1_PADDING;
diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/pbkdf.c b/Sources/CJWTKitBoringSSL/crypto/evp/pbkdf.c
index abc20c83..3ad83ba8 100644
--- a/Sources/CJWTKitBoringSSL/crypto/evp/pbkdf.c
+++ b/Sources/CJWTKitBoringSSL/crypto/evp/pbkdf.c
@@ -63,7 +63,7 @@
 
 
 int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
-                      const uint8_t *salt, size_t salt_len, unsigned iterations,
+                      const uint8_t *salt, size_t salt_len, uint32_t iterations,
                       const EVP_MD *digest, size_t key_len, uint8_t *out_key) {
   // See RFC 8018, section 5.2.
   int ret = 0;
@@ -98,7 +98,7 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
     }
     OPENSSL_memcpy(out_key, digest_tmp, todo);
 
-    for (unsigned j = 1; j < iterations; j++) {
+    for (uint32_t j = 1; j < iterations; j++) {
       // Compute the remaining U_* values and XOR.
       if (!HMAC_Init_ex(&hctx, NULL, 0, NULL, NULL) ||
           !HMAC_Update(&hctx, digest_tmp, md_len) ||
@@ -139,7 +139,7 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,
 
 int PKCS5_PBKDF2_HMAC_SHA1(const char *password, size_t password_len,
                            const uint8_t *salt, size_t salt_len,
-                           unsigned iterations, size_t key_len,
+                           uint32_t iterations, size_t key_len,
                            uint8_t *out_key) {
   return PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, iterations,
                            EVP_sha1(), key_len, out_key);
diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/print.c b/Sources/CJWTKitBoringSSL/crypto/evp/print.c
index 3486fcc4..6df35b83 100644
--- a/Sources/CJWTKitBoringSSL/crypto/evp/print.c
+++ b/Sources/CJWTKitBoringSSL/crypto/evp/print.c
@@ -196,12 +196,12 @@ static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent) {
 static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) {
   const BIGNUM *priv_key = NULL;
   if (ptype == 2) {
-    priv_key = x->priv_key;
+    priv_key = DSA_get0_priv_key(x);
   }
 
   const BIGNUM *pub_key = NULL;
   if (ptype > 0) {
-    pub_key = x->pub_key;
+    pub_key = DSA_get0_pub_key(x);
   }
 
   const char *ktype = "DSA-Parameters";
@@ -212,14 +212,15 @@ static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) {
   }
 
   if (!BIO_indent(bp, off, 128) ||
-      BIO_printf(bp, "%s: (%u bit)\n", ktype, BN_num_bits(x->p)) <= 0 ||
+      BIO_printf(bp, "%s: (%u bit)\n", ktype, BN_num_bits(DSA_get0_p(x))) <=
+          0 ||
       // |priv_key| and |pub_key| may be NULL, in which case |bn_print| will
       // silently skip them.
       !bn_print(bp, "priv:", priv_key, off) ||
       !bn_print(bp, "pub:", pub_key, off) ||
-      !bn_print(bp, "P:", x->p, off) ||
-      !bn_print(bp, "Q:", x->q, off) ||
-      !bn_print(bp, "G:", x->g, off)) {
+      !bn_print(bp, "P:", DSA_get0_p(x), off) ||
+      !bn_print(bp, "Q:", DSA_get0_q(x), off) ||
+      !bn_print(bp, "G:", DSA_get0_g(x), off)) {
     return 0;
   }
 
diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c b/Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c
index bd4c5761..4e1e13ae 100644
--- a/Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c
+++ b/Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c
@@ -170,12 +170,12 @@ int EVP_PBE_scrypt(const char *password, size_t password_len,
 
   // Allocate and divide up the scratch space. |max_mem| fits in a size_t, which
   // is no bigger than uint64_t, so none of these operations may overflow.
-  static_assert(UINT64_MAX >= ((size_t)-1), "size_t exceeds uint64_t");
+  static_assert(UINT64_MAX >= SIZE_MAX, "size_t exceeds uint64_t");
   size_t B_blocks = p * 2 * r;
   size_t B_bytes = B_blocks * sizeof(block_t);
   size_t T_blocks = 2 * r;
   size_t V_blocks = N * 2 * r;
-  block_t *B = OPENSSL_malloc((B_blocks + T_blocks + V_blocks) * sizeof(block_t));
+  block_t *B = OPENSSL_calloc(B_blocks + T_blocks + V_blocks, sizeof(block_t));
   if (B == NULL) {
     return 0;
   }
diff --git a/Sources/CJWTKitBoringSSL/crypto/ex_data.c b/Sources/CJWTKitBoringSSL/crypto/ex_data.c
index 198245b7..78386518 100644
--- a/Sources/CJWTKitBoringSSL/crypto/ex_data.c
+++ b/Sources/CJWTKitBoringSSL/crypto/ex_data.c
@@ -144,13 +144,13 @@ int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index,
   funcs->free_func = free_func;
   funcs->next = NULL;
 
-  CRYPTO_STATIC_MUTEX_lock_write(&ex_data_class->lock);
+  CRYPTO_MUTEX_lock_write(&ex_data_class->lock);
 
   uint32_t num_funcs = CRYPTO_atomic_load_u32(&ex_data_class->num_funcs);
   // The index must fit in |int|.
   if (num_funcs > (size_t)(INT_MAX - ex_data_class->num_reserved)) {
     OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW);
-    CRYPTO_STATIC_MUTEX_unlock_write(&ex_data_class->lock);
+    CRYPTO_MUTEX_unlock_write(&ex_data_class->lock);
     return 0;
   }
 
@@ -165,7 +165,7 @@ int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index,
   }
 
   CRYPTO_atomic_store_u32(&ex_data_class->num_funcs, num_funcs + 1);
-  CRYPTO_STATIC_MUTEX_unlock_write(&ex_data_class->lock);
+  CRYPTO_MUTEX_unlock_write(&ex_data_class->lock);
   *out_index = (int)num_funcs + ex_data_class->num_reserved;
   return 1;
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-linux.linux.x86_64.S index 0b6a7ef7..47ea31d8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text .type _aesni_ctr32_ghash_6x,@function @@ -345,7 +338,7 @@ _aesni_ctr32_ghash_6x: vpxor 16+8(%rsp),%xmm8,%xmm8 vpxor %xmm4,%xmm8,%xmm8 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_ctr32_ghash_6x,.-_aesni_ctr32_ghash_6x .globl aesni_gcm_decrypt @@ -355,6 +348,7 @@ _aesni_ctr32_ghash_6x: aesni_gcm_decrypt: .cfi_startproc +_CET_ENDBR xorq %rax,%rax @@ -474,7 +468,7 @@ aesni_gcm_decrypt: .cfi_adjust_cfa_offset -8 .cfi_restore %rbp .Lgcm_dec_abort: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesni_gcm_decrypt,.-aesni_gcm_decrypt @@ -545,7 +539,7 @@ _aesni_ctr32_6x: vmovups %xmm14,80(%rsi) leaq 96(%rsi),%rsi - .byte 0xf3,0xc3 + ret .align 32 .Lhandle_ctr32_2: vpshufb %xmm0,%xmm1,%xmm6 @@ -578,6 +572,7 @@ _aesni_ctr32_6x: aesni_gcm_encrypt: .cfi_startproc +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST .extern BORINGSSL_function_hit .hidden BORINGSSL_function_hit @@ -868,10 +863,10 @@ aesni_gcm_encrypt: .cfi_adjust_cfa_offset -8 .cfi_restore %rbp .Lgcm_enc_abort: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size aesni_gcm_decrypt,.-aesni_gcm_decrypt +.size aesni_gcm_encrypt,.-aesni_gcm_encrypt .section .rodata .align 64 .Lbswap_mask: 
@@ -888,10 +883,6 @@ aesni_gcm_encrypt: .align 64 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-mac.mac.x86_64.S index 396477c5..a8ba1185 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text @@ -345,7 +338,7 @@ L$6x_done: vpxor 16+8(%rsp),%xmm8,%xmm8 vpxor %xmm4,%xmm8,%xmm8 - .byte 0xf3,0xc3 + ret .globl _aesni_gcm_decrypt @@ -355,6 +348,7 @@ L$6x_done: _aesni_gcm_decrypt: +_CET_ENDBR xorq %rax,%rax @@ -467,7 +461,7 @@ L$dec_no_key_aliasing: popq %rbp L$gcm_dec_abort: - .byte 0xf3,0xc3 + ret @@ -538,7 +532,7 @@ L$oop_ctr32: vmovups %xmm14,80(%rsi) leaq 96(%rsi),%rsi - .byte 0xf3,0xc3 + ret .p2align 5 L$handle_ctr32_2: vpshufb %xmm0,%xmm1,%xmm6 @@ -571,6 +565,7 @@ L$handle_ctr32_2: _aesni_gcm_encrypt: +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,_BORINGSSL_function_hit+2(%rip) @@ -853,7 +848,7 @@ L$enc_no_key_aliasing: popq %rbp L$gcm_enc_abort: - .byte 0xf3,0xc3 + ret 
@@ -873,10 +868,6 @@ L$one_lsb: .p2align 6 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86-linux.linux.x86.S index b614cc09..8e7e52c2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86-linux.linux.x86.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text #ifdef BORINGSSL_DISPATCH_TEST #endif @@ -2517,11 +2510,7 @@ aes_hw_set_decrypt_key: .byte 83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83 .byte 32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115 .byte 115,108,46,111,114,103,62,0 -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64-linux.linux.x86_64.S index 80124f8a..4c0c95dd 100644 
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text .extern OPENSSL_ia32cap_P .hidden OPENSSL_ia32cap_P @@ -22,6 +15,7 @@ .align 16 aes_hw_encrypt: .cfi_startproc +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST .extern BORINGSSL_function_hit .hidden BORINGSSL_function_hit @@ -44,7 +38,7 @@ aes_hw_encrypt: pxor %xmm1,%xmm1 movups %xmm2,(%rsi) pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_encrypt,.-aes_hw_encrypt @@ -54,6 +48,7 @@ aes_hw_encrypt: .align 16 aes_hw_decrypt: .cfi_startproc +_CET_ENDBR movups (%rdi),%xmm2 movl 240(%rdx),%eax movups (%rdx),%xmm0 @@ -71,7 +66,7 @@ aes_hw_decrypt: pxor %xmm1,%xmm1 movups %xmm2,(%rsi) pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_decrypt, .-aes_hw_decrypt .type _aesni_encrypt2,@function @@ -102,7 +97,7 @@ _aesni_encrypt2: .byte 102,15,56,220,217 .byte 102,15,56,221,208 .byte 102,15,56,221,216 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt2,.-_aesni_encrypt2 .type _aesni_decrypt2,@function @@ -133,7 +128,7 @@ _aesni_decrypt2: .byte 102,15,56,222,217 .byte 102,15,56,223,208 .byte 102,15,56,223,216 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt2,.-_aesni_decrypt2 .type _aesni_encrypt3,@function 
@@ -169,7 +164,7 @@ _aesni_encrypt3: .byte 102,15,56,221,208 .byte 102,15,56,221,216 .byte 102,15,56,221,224 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt3,.-_aesni_encrypt3 .type _aesni_decrypt3,@function @@ -205,7 +200,7 @@ _aesni_decrypt3: .byte 102,15,56,223,208 .byte 102,15,56,223,216 .byte 102,15,56,223,224 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt3,.-_aesni_decrypt3 .type _aesni_encrypt4,@function @@ -247,7 +242,7 @@ _aesni_encrypt4: .byte 102,15,56,221,216 .byte 102,15,56,221,224 .byte 102,15,56,221,232 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt4,.-_aesni_encrypt4 .type _aesni_decrypt4,@function @@ -289,7 +284,7 @@ _aesni_decrypt4: .byte 102,15,56,223,216 .byte 102,15,56,223,224 .byte 102,15,56,223,232 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt4,.-_aesni_decrypt4 .type _aesni_encrypt6,@function @@ -345,7 +340,7 @@ _aesni_encrypt6: .byte 102,15,56,221,232 .byte 102,15,56,221,240 .byte 102,15,56,221,248 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt6,.-_aesni_encrypt6 .type _aesni_decrypt6,@function @@ -401,7 +396,7 @@ _aesni_decrypt6: .byte 102,15,56,223,232 .byte 102,15,56,223,240 .byte 102,15,56,223,248 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt6,.-_aesni_decrypt6 .type _aesni_encrypt8,@function @@ -467,7 +462,7 @@ _aesni_encrypt8: .byte 102,15,56,221,248 .byte 102,68,15,56,221,192 .byte 102,68,15,56,221,200 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt8,.-_aesni_encrypt8 .type _aesni_decrypt8,@function @@ -533,7 +528,7 @@ _aesni_decrypt8: .byte 102,15,56,223,248 .byte 102,68,15,56,223,192 .byte 102,68,15,56,223,200 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt8,.-_aesni_decrypt8 .globl aes_hw_ecb_encrypt @@ -542,6 +537,7 @@ _aesni_decrypt8: .align 16 aes_hw_ecb_encrypt: .cfi_startproc +_CET_ENDBR andq $-16,%rdx jz .Lecb_ret 
@@ -878,7 +874,7 @@ aes_hw_ecb_encrypt: .Lecb_ret: xorps %xmm0,%xmm0 pxor %xmm1,%xmm1 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_ecb_encrypt,.-aes_hw_ecb_encrypt .globl aes_hw_ctr32_encrypt_blocks @@ -887,6 +883,7 @@ aes_hw_ecb_encrypt: .align 16 aes_hw_ctr32_encrypt_blocks: .cfi_startproc +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,BORINGSSL_function_hit(%rip) #endif @@ -976,10 +973,7 @@ aes_hw_ctr32_encrypt_blocks: leaq 7(%r8),%r9 movl %r10d,96+12(%rsp) bswapl %r9d - leaq OPENSSL_ia32cap_P(%rip),%r10 - movl 4(%r10),%r10d xorl %ebp,%r9d - andl $71303168,%r10d movl %r9d,112+12(%rsp) movups 16(%rcx),%xmm1 
@@ -990,104 +984,10 @@ aes_hw_ctr32_encrypt_blocks: cmpq $8,%rdx jb .Lctr32_tail - subq $6,%rdx - cmpl $4194304,%r10d - je .Lctr32_6x - leaq 128(%rcx),%rcx - subq $2,%rdx + subq $8,%rdx jmp .Lctr32_loop8 -.align 16 -.Lctr32_6x: - shll $4,%eax - movl $48,%r10d - bswapl %ebp - leaq 32(%rcx,%rax,1),%rcx - subq %rax,%r10 - jmp .Lctr32_loop6 - -.align 16 -.Lctr32_loop6: - addl $6,%r8d - movups -48(%rcx,%r10,1),%xmm0 -.byte 102,15,56,220,209 - movl %r8d,%eax - xorl %ebp,%eax -.byte 102,15,56,220,217 -.byte 0x0f,0x38,0xf1,0x44,0x24,12 - leal 1(%r8),%eax -.byte 102,15,56,220,225 - xorl %ebp,%eax -.byte 0x0f,0x38,0xf1,0x44,0x24,28 -.byte 102,15,56,220,233 - leal 2(%r8),%eax - xorl %ebp,%eax -.byte 102,15,56,220,241 -.byte 0x0f,0x38,0xf1,0x44,0x24,44 - leal 3(%r8),%eax -.byte 102,15,56,220,249 - movups -32(%rcx,%r10,1),%xmm1 - xorl %ebp,%eax - -.byte 102,15,56,220,208 -.byte 0x0f,0x38,0xf1,0x44,0x24,60 - leal 4(%r8),%eax -.byte 102,15,56,220,216 - xorl %ebp,%eax -.byte 0x0f,0x38,0xf1,0x44,0x24,76 -.byte 102,15,56,220,224 - leal 5(%r8),%eax - xorl %ebp,%eax -.byte 102,15,56,220,232 -.byte 0x0f,0x38,0xf1,0x44,0x24,92 - movq %r10,%rax -.byte 102,15,56,220,240 -.byte 102,15,56,220,248 - movups -16(%rcx,%r10,1),%xmm0 - - call .Lenc_loop6 - - movdqu (%rdi),%xmm8 - movdqu 16(%rdi),%xmm9 - movdqu 32(%rdi),%xmm10 - movdqu 48(%rdi),%xmm11 - movdqu 64(%rdi),%xmm12 - movdqu 80(%rdi),%xmm13 - leaq 96(%rdi),%rdi - movups -64(%rcx,%r10,1),%xmm1 - pxor %xmm2,%xmm8 - movaps 0(%rsp),%xmm2 - pxor %xmm3,%xmm9 - movaps 16(%rsp),%xmm3 - pxor %xmm4,%xmm10 - movaps 32(%rsp),%xmm4 - pxor %xmm5,%xmm11 - movaps 48(%rsp),%xmm5 - pxor %xmm6,%xmm12 - movaps 64(%rsp),%xmm6 - pxor %xmm7,%xmm13 - movaps 80(%rsp),%xmm7 - movdqu %xmm8,(%rsi) - movdqu %xmm9,16(%rsi) - movdqu %xmm10,32(%rsi) - movdqu %xmm11,48(%rsi) - movdqu %xmm12,64(%rsi) - movdqu %xmm13,80(%rsi) - leaq 96(%rsi),%rsi - - subq $6,%rdx - jnc .Lctr32_loop6 - - addq $6,%rdx - jz .Lctr32_done - - leal -48(%r10),%eax - leaq -80(%rcx,%r10,1),%rcx - 
negl %eax - shrl $4,%eax - jmp .Lctr32_tail - .align 32 .Lctr32_loop8: addl $8,%r8d @@ -1463,7 +1363,7 @@ aes_hw_ctr32_encrypt_blocks: leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lctr32_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks .globl aes_hw_cbc_encrypt @@ -1472,6 +1372,7 @@ aes_hw_ctr32_encrypt_blocks: .align 16 aes_hw_cbc_encrypt: .cfi_startproc +_CET_ENDBR testq %rdx,%rdx jz .Lcbc_ret @@ -1588,16 +1489,10 @@ aes_hw_cbc_encrypt: movdqa %xmm5,%xmm14 movdqu 80(%rdi),%xmm7 movdqa %xmm6,%xmm15 - leaq OPENSSL_ia32cap_P(%rip),%r9 - movl 4(%r9),%r9d cmpq $0x70,%rdx jbe .Lcbc_dec_six_or_seven - andl $71303168,%r9d - subq $0x50,%rdx - cmpl $4194304,%r9d - je .Lcbc_dec_loop6_enter - subq $0x20,%rdx + subq $0x70,%rdx leaq 112(%rcx),%rcx jmp .Lcbc_dec_loop8_enter .align 16 @@ -1868,51 +1763,6 @@ aes_hw_cbc_encrypt: pxor %xmm9,%xmm9 jmp .Lcbc_dec_tail_collected -.align 16 -.Lcbc_dec_loop6: - movups %xmm7,(%rsi) - leaq 16(%rsi),%rsi - movdqu 0(%rdi),%xmm2 - movdqu 16(%rdi),%xmm3 - movdqa %xmm2,%xmm11 - movdqu 32(%rdi),%xmm4 - movdqa %xmm3,%xmm12 - movdqu 48(%rdi),%xmm5 - movdqa %xmm4,%xmm13 - movdqu 64(%rdi),%xmm6 - movdqa %xmm5,%xmm14 - movdqu 80(%rdi),%xmm7 - movdqa %xmm6,%xmm15 -.Lcbc_dec_loop6_enter: - leaq 96(%rdi),%rdi - movdqa %xmm7,%xmm8 - - call _aesni_decrypt6 - - pxor %xmm10,%xmm2 - movdqa %xmm8,%xmm10 - pxor %xmm11,%xmm3 - movdqu %xmm2,(%rsi) - pxor %xmm12,%xmm4 - movdqu %xmm3,16(%rsi) - pxor %xmm13,%xmm5 - movdqu %xmm4,32(%rsi) - pxor %xmm14,%xmm6 - movq %rbp,%rcx - movdqu %xmm5,48(%rsi) - pxor %xmm15,%xmm7 - movl %r10d,%eax - movdqu %xmm6,64(%rsi) - leaq 80(%rsi),%rsi - subq $0x60,%rdx - ja .Lcbc_dec_loop6 - - movdqa %xmm7,%xmm2 - addq $0x50,%rdx - jle .Lcbc_dec_clear_tail_collected - movups %xmm7,(%rsi) - leaq 16(%rsi),%rsi - .Lcbc_dec_tail: movups (%rdi),%xmm2 subq $0x10,%rdx 
@@ -2056,7 +1906,7 @@ aes_hw_cbc_encrypt: leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lcbc_ret: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_cbc_encrypt,.-aes_hw_cbc_encrypt .globl aes_hw_set_decrypt_key @@ -2065,6 +1915,7 @@ aes_hw_cbc_encrypt: .align 16 aes_hw_set_decrypt_key: .cfi_startproc +_CET_ENDBR .byte 0x48,0x83,0xEC,0x08 .cfi_adjust_cfa_offset 8 call __aesni_set_encrypt_key @@ -2100,7 +1951,7 @@ aes_hw_set_decrypt_key: .Ldec_key_ret: addq $8,%rsp .cfi_adjust_cfa_offset -8 - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_set_decrypt_key: .size aes_hw_set_decrypt_key,.-aes_hw_set_decrypt_key @@ -2111,6 +1962,7 @@ aes_hw_set_decrypt_key: aes_hw_set_encrypt_key: __aesni_set_encrypt_key: .cfi_startproc +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,BORINGSSL_function_hit+3(%rip) #endif @@ -2410,7 +2262,7 @@ __aesni_set_encrypt_key: pxor %xmm5,%xmm5 addq $8,%rsp .cfi_adjust_cfa_offset -8 - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_set_encrypt_key: @@ -2425,7 +2277,7 @@ __aesni_set_encrypt_key: xorps %xmm4,%xmm0 shufps $255,%xmm1,%xmm1 xorps %xmm1,%xmm0 - .byte 0xf3,0xc3 + ret .align 16 .Lkey_expansion_192a: @@ -2445,7 +2297,7 @@ __aesni_set_encrypt_key: pxor %xmm1,%xmm0 pshufd $255,%xmm0,%xmm3 pxor %xmm3,%xmm2 - .byte 0xf3,0xc3 + ret .align 16 .Lkey_expansion_192b: @@ -2468,7 +2320,7 @@ __aesni_set_encrypt_key: xorps %xmm4,%xmm0 shufps $255,%xmm1,%xmm1 xorps %xmm1,%xmm0 - .byte 0xf3,0xc3 + ret .align 16 .Lkey_expansion_256b: @@ -2481,7 +2333,7 @@ __aesni_set_encrypt_key: xorps %xmm4,%xmm2 shufps $170,%xmm1,%xmm1 xorps %xmm1,%xmm2 - .byte 0xf3,0xc3 + ret .size aes_hw_set_encrypt_key,.-aes_hw_set_encrypt_key .size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key .section .rodata 
@@ -2509,10 +2361,6 @@ __aesni_set_encrypt_key: .align 64 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64-mac.mac.x86_64.S index 765a42fa..a0fb2316 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text .globl _aes_hw_encrypt @@ -21,6 +14,7 @@ .p2align 4 _aes_hw_encrypt: +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,_BORINGSSL_function_hit+1(%rip) @@ -42,7 +36,7 @@ L$oop_enc1_1: pxor %xmm1,%xmm1 movups %xmm2,(%rsi) pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret @@ -52,6 +46,7 @@ L$oop_enc1_1: .p2align 4 _aes_hw_decrypt: +_CET_ENDBR movups (%rdi),%xmm2 movl 240(%rdx),%eax movups (%rdx),%xmm0 @@ -69,7 +64,7 @@ L$oop_dec1_2: pxor %xmm1,%xmm1 movups %xmm2,(%rsi) pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret @@ -100,7 +95,7 @@ L$enc_loop2: .byte 102,15,56,220,217 .byte 102,15,56,221,208 .byte 102,15,56,221,216 - .byte 0xf3,0xc3 + ret @@ -131,7 +126,7 @@ L$dec_loop2: .byte 102,15,56,222,217 .byte 102,15,56,223,208 .byte 102,15,56,223,216 - .byte 0xf3,0xc3 + ret 
@@ -167,7 +162,7 @@ L$enc_loop3: .byte 102,15,56,221,208 .byte 102,15,56,221,216 .byte 102,15,56,221,224 - .byte 0xf3,0xc3 + ret @@ -203,7 +198,7 @@ L$dec_loop3: .byte 102,15,56,223,208 .byte 102,15,56,223,216 .byte 102,15,56,223,224 - .byte 0xf3,0xc3 + ret @@ -245,7 +240,7 @@ L$enc_loop4: .byte 102,15,56,221,216 .byte 102,15,56,221,224 .byte 102,15,56,221,232 - .byte 0xf3,0xc3 + ret @@ -287,7 +282,7 @@ L$dec_loop4: .byte 102,15,56,223,216 .byte 102,15,56,223,224 .byte 102,15,56,223,232 - .byte 0xf3,0xc3 + ret @@ -343,7 +338,7 @@ L$enc_loop6_enter: .byte 102,15,56,221,232 .byte 102,15,56,221,240 .byte 102,15,56,221,248 - .byte 0xf3,0xc3 + ret @@ -399,7 +394,7 @@ L$dec_loop6_enter: .byte 102,15,56,223,232 .byte 102,15,56,223,240 .byte 102,15,56,223,248 - .byte 0xf3,0xc3 + ret @@ -465,7 +460,7 @@ L$enc_loop8_enter: .byte 102,15,56,221,248 .byte 102,68,15,56,221,192 .byte 102,68,15,56,221,200 - .byte 0xf3,0xc3 + ret @@ -531,7 +526,7 @@ L$dec_loop8_enter: .byte 102,15,56,223,248 .byte 102,68,15,56,223,192 .byte 102,68,15,56,223,200 - .byte 0xf3,0xc3 + ret .globl _aes_hw_ecb_encrypt @@ -540,6 +535,7 @@ L$dec_loop8_enter: .p2align 4 _aes_hw_ecb_encrypt: +_CET_ENDBR andq $-16,%rdx jz L$ecb_ret @@ -876,7 +872,7 @@ L$ecb_dec_six: L$ecb_ret: xorps %xmm0,%xmm0 pxor %xmm1,%xmm1 - .byte 0xf3,0xc3 + ret .globl _aes_hw_ctr32_encrypt_blocks @@ -885,6 +881,7 @@ L$ecb_ret: .p2align 4 _aes_hw_ctr32_encrypt_blocks: +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,_BORINGSSL_function_hit(%rip) #endif @@ -974,10 +971,7 @@ L$ctr32_bulk: leaq 7(%r8),%r9 movl %r10d,96+12(%rsp) bswapl %r9d - leaq _OPENSSL_ia32cap_P(%rip),%r10 - movl 4(%r10),%r10d xorl %ebp,%r9d - andl $71303168,%r10d movl %r9d,112+12(%rsp) movups 16(%rcx),%xmm1 
@@ -988,104 +982,10 @@ L$ctr32_bulk: cmpq $8,%rdx jb L$ctr32_tail - subq $6,%rdx - cmpl $4194304,%r10d - je L$ctr32_6x - leaq 128(%rcx),%rcx - subq $2,%rdx + subq $8,%rdx jmp L$ctr32_loop8 -.p2align 4 -L$ctr32_6x: - shll $4,%eax - movl $48,%r10d - bswapl %ebp - leaq 32(%rcx,%rax,1),%rcx - subq %rax,%r10 - jmp L$ctr32_loop6 - -.p2align 4 -L$ctr32_loop6: - addl $6,%r8d - movups -48(%rcx,%r10,1),%xmm0 -.byte 102,15,56,220,209 - movl %r8d,%eax - xorl %ebp,%eax -.byte 102,15,56,220,217 -.byte 0x0f,0x38,0xf1,0x44,0x24,12 - leal 1(%r8),%eax -.byte 102,15,56,220,225 - xorl %ebp,%eax -.byte 0x0f,0x38,0xf1,0x44,0x24,28 -.byte 102,15,56,220,233 - leal 2(%r8),%eax - xorl %ebp,%eax -.byte 102,15,56,220,241 -.byte 0x0f,0x38,0xf1,0x44,0x24,44 - leal 3(%r8),%eax -.byte 102,15,56,220,249 - movups -32(%rcx,%r10,1),%xmm1 - xorl %ebp,%eax - -.byte 102,15,56,220,208 -.byte 0x0f,0x38,0xf1,0x44,0x24,60 - leal 4(%r8),%eax -.byte 102,15,56,220,216 - xorl %ebp,%eax -.byte 0x0f,0x38,0xf1,0x44,0x24,76 -.byte 102,15,56,220,224 - leal 5(%r8),%eax - xorl %ebp,%eax -.byte 102,15,56,220,232 -.byte 0x0f,0x38,0xf1,0x44,0x24,92 - movq %r10,%rax -.byte 102,15,56,220,240 -.byte 102,15,56,220,248 - movups -16(%rcx,%r10,1),%xmm0 - - call L$enc_loop6 - - movdqu (%rdi),%xmm8 - movdqu 16(%rdi),%xmm9 - movdqu 32(%rdi),%xmm10 - movdqu 48(%rdi),%xmm11 - movdqu 64(%rdi),%xmm12 - movdqu 80(%rdi),%xmm13 - leaq 96(%rdi),%rdi - movups -64(%rcx,%r10,1),%xmm1 - pxor %xmm2,%xmm8 - movaps 0(%rsp),%xmm2 - pxor %xmm3,%xmm9 - movaps 16(%rsp),%xmm3 - pxor %xmm4,%xmm10 - movaps 32(%rsp),%xmm4 - pxor %xmm5,%xmm11 - movaps 48(%rsp),%xmm5 - pxor %xmm6,%xmm12 - movaps 64(%rsp),%xmm6 - pxor %xmm7,%xmm13 - movaps 80(%rsp),%xmm7 - movdqu %xmm8,(%rsi) - movdqu %xmm9,16(%rsi) - movdqu %xmm10,32(%rsi) - movdqu %xmm11,48(%rsi) - movdqu %xmm12,64(%rsi) - movdqu %xmm13,80(%rsi) - leaq 96(%rsi),%rsi - - subq $6,%rdx - jnc L$ctr32_loop6 - - addq $6,%rdx - jz L$ctr32_done - - leal -48(%r10),%eax - leaq -80(%rcx,%r10,1),%rcx - negl %eax - 
shrl $4,%eax - jmp L$ctr32_tail - .p2align 5 L$ctr32_loop8: addl $8,%r8d @@ -1461,7 +1361,7 @@ L$ctr32_done: leaq (%r11),%rsp L$ctr32_epilogue: - .byte 0xf3,0xc3 + ret .globl _aes_hw_cbc_encrypt @@ -1470,6 +1370,7 @@ L$ctr32_epilogue: .p2align 4 _aes_hw_cbc_encrypt: +_CET_ENDBR testq %rdx,%rdx jz L$cbc_ret @@ -1586,16 +1487,10 @@ L$cbc_decrypt_bulk: movdqa %xmm5,%xmm14 movdqu 80(%rdi),%xmm7 movdqa %xmm6,%xmm15 - leaq _OPENSSL_ia32cap_P(%rip),%r9 - movl 4(%r9),%r9d cmpq $0x70,%rdx jbe L$cbc_dec_six_or_seven - andl $71303168,%r9d - subq $0x50,%rdx - cmpl $4194304,%r9d - je L$cbc_dec_loop6_enter - subq $0x20,%rdx + subq $0x70,%rdx leaq 112(%rcx),%rcx jmp L$cbc_dec_loop8_enter .p2align 4 @@ -1866,51 +1761,6 @@ L$cbc_dec_seven: pxor %xmm9,%xmm9 jmp L$cbc_dec_tail_collected -.p2align 4 -L$cbc_dec_loop6: - movups %xmm7,(%rsi) - leaq 16(%rsi),%rsi - movdqu 0(%rdi),%xmm2 - movdqu 16(%rdi),%xmm3 - movdqa %xmm2,%xmm11 - movdqu 32(%rdi),%xmm4 - movdqa %xmm3,%xmm12 - movdqu 48(%rdi),%xmm5 - movdqa %xmm4,%xmm13 - movdqu 64(%rdi),%xmm6 - movdqa %xmm5,%xmm14 - movdqu 80(%rdi),%xmm7 - movdqa %xmm6,%xmm15 -L$cbc_dec_loop6_enter: - leaq 96(%rdi),%rdi - movdqa %xmm7,%xmm8 - - call _aesni_decrypt6 - - pxor %xmm10,%xmm2 - movdqa %xmm8,%xmm10 - pxor %xmm11,%xmm3 - movdqu %xmm2,(%rsi) - pxor %xmm12,%xmm4 - movdqu %xmm3,16(%rsi) - pxor %xmm13,%xmm5 - movdqu %xmm4,32(%rsi) - pxor %xmm14,%xmm6 - movq %rbp,%rcx - movdqu %xmm5,48(%rsi) - pxor %xmm15,%xmm7 - movl %r10d,%eax - movdqu %xmm6,64(%rsi) - leaq 80(%rsi),%rsi - subq $0x60,%rdx - ja L$cbc_dec_loop6 - - movdqa %xmm7,%xmm2 - addq $0x50,%rdx - jle L$cbc_dec_clear_tail_collected - movups %xmm7,(%rsi) - leaq 16(%rsi),%rsi - L$cbc_dec_tail: movups (%rdi),%xmm2 subq $0x10,%rdx @@ -2054,7 +1904,7 @@ L$cbc_dec_ret: leaq (%r11),%rsp L$cbc_ret: - .byte 0xf3,0xc3 + ret .globl _aes_hw_set_decrypt_key @@ -2063,6 +1913,7 @@ L$cbc_ret: .p2align 4 _aes_hw_set_decrypt_key: +_CET_ENDBR .byte 0x48,0x83,0xEC,0x08 call __aesni_set_encrypt_key 
@@ -2098,7 +1949,7 @@ L$dec_key_inverse: L$dec_key_ret: addq $8,%rsp - .byte 0xf3,0xc3 + ret L$SEH_end_set_decrypt_key: @@ -2109,6 +1960,7 @@ L$SEH_end_set_decrypt_key: _aes_hw_set_encrypt_key: __aesni_set_encrypt_key: +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,_BORINGSSL_function_hit+3(%rip) #endif @@ -2408,7 +2260,7 @@ L$enc_key_ret: pxor %xmm5,%xmm5 addq $8,%rsp - .byte 0xf3,0xc3 + ret L$SEH_end_set_encrypt_key: @@ -2423,7 +2275,7 @@ L$key_expansion_128_cold: xorps %xmm4,%xmm0 shufps $255,%xmm1,%xmm1 xorps %xmm1,%xmm0 - .byte 0xf3,0xc3 + ret .p2align 4 L$key_expansion_192a: @@ -2443,7 +2295,7 @@ L$key_expansion_192b_warm: pxor %xmm1,%xmm0 pshufd $255,%xmm0,%xmm3 pxor %xmm3,%xmm2 - .byte 0xf3,0xc3 + ret .p2align 4 L$key_expansion_192b: @@ -2466,7 +2318,7 @@ L$key_expansion_256a_cold: xorps %xmm4,%xmm0 shufps $255,%xmm1,%xmm1 xorps %xmm1,%xmm0 - .byte 0xf3,0xc3 + ret .p2align 4 L$key_expansion_256b: @@ -2479,7 +2331,7 @@ L$key_expansion_256b: xorps %xmm4,%xmm2 shufps $170,%xmm1,%xmm1 xorps %xmm1,%xmm2 - .byte 0xf3,0xc3 + ret .section __DATA,__const @@ -2507,10 +2359,6 @@ L$key_rcon1b: .p2align 6 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv7-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv7-ios.ios.arm.S index ec75d992..2a55b428 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv7-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv7-ios.ios.arm.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) #include #if __ARM_MAX_ARCH__>=7 @@ -808,11 +800,7 @@ Lctr32_done: ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,pc} #endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv7-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv7-linux.linux.arm.S index 83c6e3e0..86983859 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv7-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv7-linux.linux.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) #include #if __ARM_MAX_ARCH__>=7 
@@ -796,11 +788,7 @@ aes_hw_ctr32_encrypt_blocks: ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,pc} .size aes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks #endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv8-ios.ios.aarch64.S index 28933996..3148dfee 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv8-ios.ios.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include #if __ARM_MAX_ARCH__>=7 @@ -798,11 +790,7 @@ Lctr32_done: ret #endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv8-linux.linux.aarch64.S index b191cf2e..3d5b9da9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armv8-linux.linux.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include #if __ARM_MAX_ARCH__>=7 @@ -798,11 +790,7 @@ aes_hw_ctr32_encrypt_blocks: ret .size aes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks #endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-ios.ios.aarch64.S index 5d83e082..973ac490 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-ios.ios.aarch64.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include #if __ARM_MAX_ARCH__ >= 8 @@ -1562,11 +1554,7 @@ Ldec_blocks_less_than_1: // blocks left <= 1 ret #endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-linux.linux.aarch64.S index 12d24b83..20b0f1ce 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-linux.linux.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include #if __ARM_MAX_ARCH__ >= 8 
@@ -1562,11 +1554,7 @@ aes_gcm_dec_kernel: ret .size aes_gcm_dec_kernel,.-aes_gcm_dec_kernel #endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv4-mont-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv4-mont-ios.ios.arm.S index 4717f11c..68695eb0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv4-mont-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv4-mont-ios.ios.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) #include @ Silence ARMv8 deprecated IT instruction warnings. This file is used by both 
@@ -28,40 +20,16 @@ .code 32 #endif -#if __ARM_MAX_ARCH__>=7 -.align 5 -LOPENSSL_armcap: -.word OPENSSL_armcap_P-Lbn_mul_mont -#endif - -.globl _bn_mul_mont -.private_extern _bn_mul_mont +.globl _bn_mul_mont_nohw +.private_extern _bn_mul_mont_nohw #ifdef __thumb2__ -.thumb_func _bn_mul_mont +.thumb_func _bn_mul_mont_nohw #endif .align 5 -_bn_mul_mont: -Lbn_mul_mont: +_bn_mul_mont_nohw: ldr ip,[sp,#4] @ load num stmdb sp!,{r0,r2} @ sp points at argument block -#if __ARM_MAX_ARCH__>=7 - tst ip,#7 - bne Lialu - adr r0,Lbn_mul_mont - ldr r2,LOPENSSL_armcap - ldr r0,[r0,r2] -#ifdef __APPLE__ - ldr r0,[r0] -#endif - tst r0,#ARMV7_NEON @ NEON available? - ldmia sp, {r0,r2} - beq Lialu - add sp,sp,#8 - b bn_mul8x_mont_neon -.align 4 -Lialu: -#endif cmp ip,#2 mov r0,ip @ load num #ifdef __thumb2__ @@ -205,7 +173,7 @@ Lcopy: ldr r7,[r4] @ conditional copy add sp,sp,#2*4 @ skip over {r0,r2} mov r0,#1 Labrt: -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 bx lr @ bx lr #else tst lr,#1 @@ -217,11 +185,13 @@ Labrt: +.globl _bn_mul8x_mont_neon +.private_extern _bn_mul8x_mont_neon #ifdef __thumb2__ -.thumb_func bn_mul8x_mont_neon +.thumb_func _bn_mul8x_mont_neon #endif .align 5 -bn_mul8x_mont_neon: +_bn_mul8x_mont_neon: mov ip,sp stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11} vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so 
@@ -972,20 +942,7 @@ LNEON_copy_n_zap: #endif .byte 77,111,110,116,103,111,109,101,114,121,32,109,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 -.align 2 -#if __ARM_MAX_ARCH__>=7 -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -.private_extern _OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv4-mont-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv4-mont-linux.linux.arm.S index d400d622..1abab6f8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv4-mont-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv4-mont-linux.linux.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) #include @ Silence ARMv8 deprecated IT instruction warnings. This file is used by both 
@@ -28,38 +20,14 @@ .code 32 #endif -#if __ARM_MAX_ARCH__>=7 -.align 5 -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.Lbn_mul_mont -#endif - -.globl bn_mul_mont -.hidden bn_mul_mont -.type bn_mul_mont,%function +.globl bn_mul_mont_nohw +.hidden bn_mul_mont_nohw +.type bn_mul_mont_nohw,%function .align 5 -bn_mul_mont: -.Lbn_mul_mont: +bn_mul_mont_nohw: ldr ip,[sp,#4] @ load num stmdb sp!,{r0,r2} @ sp points at argument block -#if __ARM_MAX_ARCH__>=7 - tst ip,#7 - bne .Lialu - adr r0,.Lbn_mul_mont - ldr r2,.LOPENSSL_armcap - ldr r0,[r0,r2] -#ifdef __APPLE__ - ldr r0,[r0] -#endif - tst r0,#ARMV7_NEON @ NEON available? - ldmia sp, {r0,r2} - beq .Lialu - add sp,sp,#8 - b bn_mul8x_mont_neon -.align 4 -.Lialu: -#endif cmp ip,#2 mov r0,ip @ load num #ifdef __thumb2__ @@ -203,18 +171,20 @@ bn_mul_mont: add sp,sp,#2*4 @ skip over {r0,r2} mov r0,#1 .Labrt: -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 bx lr @ bx lr #else tst lr,#1 moveq pc,lr @ be binary compatible with V4, yet .word 0xe12fff1e @ interoperable with Thumb ISA:-) #endif -.size bn_mul_mont,.-bn_mul_mont +.size bn_mul_mont_nohw,.-bn_mul_mont_nohw #if __ARM_MAX_ARCH__>=7 .arch armv7-a .fpu neon +.globl bn_mul8x_mont_neon +.hidden bn_mul8x_mont_neon .type bn_mul8x_mont_neon,%function .align 5 bn_mul8x_mont_neon: 
@@ -968,16 +938,7 @@ bn_mul8x_mont_neon: #endif .byte 77,111,110,116,103,111,109,101,114,121,32,109,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 -.align 2 -#if __ARM_MAX_ARCH__>=7 -.comm OPENSSL_armcap_P,4,4 -.hidden OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv8-mont-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv8-mont-ios.ios.aarch64.S index 8c588791..060bb231 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv8-mont-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv8-mont-ios.ios.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include .text 
@@ -1432,11 +1424,7 @@ Lmul4x_done: .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 4 -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv8-mont-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv8-mont-linux.linux.aarch64.S index 87485298..18912f11 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv8-mont-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/armv8-mont-linux.linux.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include .text 
@@ -1432,11 +1424,7 @@ __bn_mul4x_mont: .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 4 -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586-linux.linux.x86.S index 970e7c49..da539fb3 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586-linux.linux.x86.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl bn_mul_add_words .hidden bn_mul_add_words 
@@ -1001,11 +994,7 @@ bn_sub_words: popl %ebp ret .size bn_sub_words,.-.L_bn_sub_words_begin -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-armv8-ios.ios.aarch64.S index 1f30dfb9..14d9d9a7 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-armv8-ios.ios.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include .text @@ -96,11 +88,7 @@ Lsub_exit: cset x0, cc ret -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-armv8-linux.linux.aarch64.S index 7a174c53..64c785c8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-armv8-linux.linux.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include .text @@ -96,11 +88,7 @@ bn_sub_words: cset x0, cc ret .size bn_sub_words,.-bn_sub_words -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/add.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/add.c index 3130c9e5..e87c7a26 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/add.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/add.c 
@@ -117,10 +117,7 @@ int bn_uadd_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { BN_ULONG carry = bn_add_words(r->d, a->d, b->d, min); for (int i = min; i < max; i++) { - // |r| and |a| may alias, so use a temporary. - BN_ULONG tmp = carry + a->d[i]; - carry = tmp < a->d[i]; - r->d[i] = tmp; + r->d[i] = CRYPTO_addc_w(a->d[i], 0, carry, &carry); } r->d[max] = carry; @@ -241,10 +238,7 @@ int bn_usub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { BN_ULONG borrow = bn_sub_words(r->d, a->d, b->d, b_width); for (int i = b_width; i < a->width; i++) { - // |r| and |a| may alias, so use a temporary. - BN_ULONG tmp = a->d[i]; - r->d[i] = a->d[i] - borrow; - borrow = tmp < r->d[i]; + r->d[i] = CRYPTO_subc_w(a->d[i], 0, borrow, &borrow); } if (borrow) { diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bn.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bn.c index 01779936..24b004d0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bn.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bn.c @@ -361,7 +361,7 @@ int bn_wexpand(BIGNUM *bn, size_t words) { return 0; } - a = OPENSSL_malloc(sizeof(BN_ULONG) * words); + a = OPENSSL_calloc(words, sizeof(BN_ULONG)); if (a == NULL) { return 0; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bytes.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bytes.c index 79b9d474..928bec62 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bytes.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bytes.c 
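Review bot: The replacement `r->d[i] = CRYPTO_addc_w(a->d[i], 0, carry, &carry);` drops the aliasing rationale the removed comment carried; it stays correct only because `a->d[i]` is read as an argument before the store to `r->d[i]`, and a later edit that splits this into a temporary plus a store would reintroduce the `|r| == |a|` hazard without anything in the code warning about it. Suggest keeping a one-liner above the loop, `// |r| and |a| may alias; a->d[i] is read before r->d[i] is written.`. The same applies to the `bn_usub_consttime` hunk below and to the `bn_sub_part_words` hunk in mul.c. Both functions begin outside the hunk.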
@@ -63,26 +63,31 @@ void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, size_t in_len) { - for (size_t i = 0; i < out_len; i++) { - if (in_len < sizeof(BN_ULONG)) { - // Load the last partial word. - BN_ULONG word = 0; - for (size_t j = 0; j < in_len; j++) { - word = (word << 8) | in[j]; - } - in_len = 0; - out[i] = word; - // Fill the remainder with zeros. - OPENSSL_memset(out + i + 1, 0, (out_len - i - 1) * sizeof(BN_ULONG)); - break; - } + // The caller should have sized |out| to fit |in| without truncating. This + // condition ensures we do not overflow |out|, so use a runtime check. + BSSL_CHECK(in_len <= out_len * sizeof(BN_ULONG)); + // Load whole words. + while (in_len >= sizeof(BN_ULONG)) { in_len -= sizeof(BN_ULONG); - out[i] = CRYPTO_load_word_be(in + in_len); + out[0] = CRYPTO_load_word_be(in + in_len); + out++; + out_len--; + } + + // Load the last partial word. + if (in_len != 0) { + BN_ULONG word = 0; + for (size_t i = 0; i < in_len; i++) { + word = (word << 8) | in[i]; + } + out[0] = word; + out++; + out_len--; } - // The caller should have sized the output to avoid truncation. - assert(in_len == 0); + // Fill the remainder with zeros. + OPENSSL_memset(out, 0, out_len * sizeof(BN_ULONG)); } BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { @@ -116,7 +121,7 @@ BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { return ret; } -BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { +BIGNUM *BN_lebin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { BIGNUM *bn = NULL; if (ret == NULL) { bn = BN_new(); @@ -149,6 +154,10 @@ BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { return ret; } +BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { + return BN_lebin2bn(in, len, ret); +} + // fits_in_bytes returns one if the |num_words| words in |words| can be // represented in |num_bytes| bytes. static int fits_in_bytes(const BN_ULONG *words, size_t num_words, 
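Review bot: `BSSL_CHECK(in_len <= out_len * sizeof(BN_ULONG))` turns what was a debug-only `assert` into a hard runtime failure on a caller bug, which is the right choice for a bound that guards the writes below, but nothing at the call site or in the internal.h comment updated by this commit says that a violation aborts rather than returning; a line above the check, `// Aborts on violation: |out| is sized by the caller per the contract in internal.h.`, makes that explicit. The two loops are otherwise sound, since every store is preceded by a decrement of `in_len` or by a check that leaves `out_len >= 1`. Note the guard computes `out_len * sizeof(BN_ULONG)` before comparing, so it could itself wrap for an absurd `out_len`; comparing `in_len / sizeof(BN_ULONG)` and the remainder against `out_len` avoids that if it is ever a concern here.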
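Review bot: The new `BN_le2bn` wrapper says nothing about why it exists, and a reader of bytes.c alone will wonder which of the two names is canonical. A one-line comment above it, `// BN_le2bn is kept as an alias of |BN_lebin2bn| for callers of the old name.`, is enough; whether the old name is formally deprecated is not visible in this diff.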
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/ctx.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/ctx.c index 5a74baca..7eed7dd9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/ctx.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/ctx.c @@ -210,7 +210,7 @@ static int BN_STACK_push(BN_STACK *st, size_t idx) { // This function intentionally does not push to the error queue on error. // Error-reporting is deferred to |BN_CTX_get|. size_t new_size = st->size != 0 ? st->size * 3 / 2 : BN_CTX_START_FRAMES; - if (new_size <= st->size || new_size > ((size_t)-1) / sizeof(size_t)) { + if (new_size <= st->size || new_size > SIZE_MAX / sizeof(size_t)) { return 0; } size_t *new_indexes = diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/div.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/div.c index 4fdc7c13..b1a8614c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/div.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/div.c @@ -711,15 +711,22 @@ int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, int bn_mod_lshift_consttime(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx) { - if (!BN_copy(r, a)) { + if (!BN_copy(r, a) || + !bn_resize_words(r, m->width)) { return 0; } - for (int i = 0; i < n; i++) { - if (!bn_mod_lshift1_consttime(r, r, m, ctx)) { - return 0; + + BN_CTX_start(ctx); + BIGNUM *tmp = bn_scratch_space_from_ctx(m->width, ctx); + int ok = tmp != NULL; + if (ok) { + for (int i = 0; i < n; i++) { + bn_mod_add_words(r->d, r->d, r->d, m->d, tmp->d, m->width); } + r->neg = 0; } - return 1; + BN_CTX_end(ctx); + return ok; } int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m) { diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/exponentiation.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/exponentiation.c index 4be4b730..7dee3df8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/exponentiation.c 
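Review bot: In `bn_mod_lshift_consttime` the rewritten loop doubles `r` with `bn_mod_add_words(r->d, r->d, r->d, m->d, tmp->d, m->width)`, which presumably yields a correct residue only when the input is already a non-negative value below `m`; the previous `bn_mod_lshift1_consttime` path may have had the same requirement, but after the change the sign of `a` is discarded by `r->neg = 0` with no check, so a negative or unreduced `a` now produces a wrong value rather than an error. If the contract in internal.h already demands `0 <= |a| < |m|`, an `assert(!a->neg);` next to the `BN_copy` documents it cheaply, and if it does not, the precondition should be stated there. `bn_resize_words` failing after a successful `BN_copy` leaves `r` holding a copy of `a`, which is acceptable for a zero return. The function's callers are outside the hunk.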
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/exponentiation.c @@ -724,7 +724,7 @@ void bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, const BN_ULONG *p, size_t num_p, const BN_MONT_CTX *mont) { if (num != (size_t)mont->N.width || num > BN_SMALL_MAX_WORDS || - num_p > ((size_t)-1) / BN_BITS2) { + num_p > SIZE_MAX / BN_BITS2) { abort(); } assert(BN_is_odd(&mont->N)); @@ -898,7 +898,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER); return 0; } - if (a->neg || BN_ucmp(a, m) >= 0) { + // |a| is secret, but it is required to be in range, so these comparisons may + // be leaked. + if (a->neg || constant_time_declassify_int(BN_ucmp(a, m) >= 0)) { OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); return 0; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/gcd.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/gcd.c index 9ce49ca6..3d5f84a0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/gcd.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/gcd.c @@ -263,15 +263,14 @@ int BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, // Now Y*a == A (mod |n|). // Y*a == 1 (mod |n|) - if (!Y->neg && BN_ucmp(Y, n) < 0) { - if (!BN_copy(R, Y)) { - goto err; - } - } else { - if (!BN_nnmod(R, Y, n, ctx)) { + if (Y->neg || BN_ucmp(Y, n) >= 0) { + if (!BN_nnmod(Y, Y, n, ctx)) { goto err; } } + if (!BN_copy(R, Y)) { + goto err; + } ret = 1; @@ -328,7 +327,10 @@ int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, const BN_MONT_CTX *mont, BN_CTX *ctx) { *out_no_inverse = 0; - if (BN_is_negative(a) || BN_cmp(a, &mont->N) >= 0) { + // |a| is secret, but it is required to be in range, so these comparisons may + // be leaked. + if (BN_is_negative(a) || + constant_time_declassify_int(BN_cmp(a, &mont->N) >= 0)) { OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); return 0; } 
@@ -337,11 +339,29 @@ int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, BIGNUM blinding_factor; BN_init(&blinding_factor); - if (!BN_rand_range_ex(&blinding_factor, 1, &mont->N) || - !BN_mod_mul_montgomery(out, &blinding_factor, a, mont, ctx) || - !BN_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) || + // |BN_mod_inverse_odd| is leaky, so generate a secret blinding factor and + // blind |a|. This works because (ar)^-1 * r = a^-1, supposing r is + // invertible. If r is not invertible, this function will fail. However, we + // only use this in RSA, where stumbling on an uninvertible element means + // stumbling on the key's factorization. That is, if this function fails, the + // RSA key was not actually a product of two large primes. + // + // TODO(crbug.com/boringssl/677): When the PRNG output is marked secret by + // default, the explicit |bn_secret| call can be removed. + if (!BN_rand_range_ex(&blinding_factor, 1, &mont->N)) { + goto err; + } + bn_secret(&blinding_factor); + if (!BN_mod_mul_montgomery(out, &blinding_factor, a, mont, ctx)) { + goto err; + } + + // Once blinded, |out| is no longer secret, so it may be passed to a leaky + // mod inverse function. Note |blinding_factor| is secret, so |out| will be + // secret again after multiplying. + bn_declassify(out); + if (!BN_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) || !BN_mod_mul_montgomery(out, &blinding_factor, out, mont, ctx)) { - OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB); goto err; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/generic.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/generic.c index 2ee0d5df..0aa005f6 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/generic.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/generic.c 
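Review bot: The `OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB)` that accompanied the failing inverse/multiply pair was dropped, so if `BN_mod_inverse_odd` reports a non-invertible element by returning 0 and setting `*out_no_inverse` without queuing an error itself, callers reaching `err` now get a zero return with an empty error queue; worth confirming the callee pushes its own error, since the new comment says this case means the RSA key is malformed and that deserves a diagnosable failure. The `bn_declassify(out)` is sound only because `blinding_factor` is uniform on [1, N) and marked secret by `bn_secret`, which the comment states, and the blinded value must be released on every path, presumably by a `BN_free(&blinding_factor)` at the `err` label outside the hunk. Splitting the chained calls into individually checked steps does make the secrecy boundary easier to audit.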
@@ -567,37 +567,6 @@ void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]) { #if !defined(BN_ADD_ASM) -// bn_add_with_carry returns |x + y + carry|, and sets |*out_carry| to the -// carry bit. |carry| must be zero or one. -static inline BN_ULONG bn_add_with_carry(BN_ULONG x, BN_ULONG y, BN_ULONG carry, - BN_ULONG *out_carry) { - assert(carry == 0 || carry == 1); -#if defined(BN_ULLONG) - BN_ULLONG ret = carry; - ret += (BN_ULLONG)x + y; - *out_carry = (BN_ULONG)(ret >> BN_BITS2); - return (BN_ULONG)ret; -#else - x += carry; - carry = x < carry; - BN_ULONG ret = x + y; - carry += ret < x; - *out_carry = carry; - return ret; -#endif -} - -// bn_sub_with_borrow returns |x - y - borrow|, and sets |*out_borrow| to the -// borrow bit. |borrow| must be zero or one. -static inline BN_ULONG bn_sub_with_borrow(BN_ULONG x, BN_ULONG y, - BN_ULONG borrow, - BN_ULONG *out_borrow) { - assert(borrow == 0 || borrow == 1); - BN_ULONG ret = x - y - borrow; - *out_borrow = (x < y) | ((x == y) & borrow); - return ret; -} - BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, size_t n) { if (n == 0) { @@ -606,17 +575,17 @@ BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG carry = 0; while (n & ~3) { - r[0] = bn_add_with_carry(a[0], b[0], carry, &carry); - r[1] = bn_add_with_carry(a[1], b[1], carry, &carry); - r[2] = bn_add_with_carry(a[2], b[2], carry, &carry); - r[3] = bn_add_with_carry(a[3], b[3], carry, &carry); + r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry); + r[1] = CRYPTO_addc_w(a[1], b[1], carry, &carry); + r[2] = CRYPTO_addc_w(a[2], b[2], carry, &carry); + r[3] = CRYPTO_addc_w(a[3], b[3], carry, &carry); a += 4; b += 4; r += 4; n -= 4; } while (n) { - r[0] = bn_add_with_carry(a[0], b[0], carry, &carry); + r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry); a++; b++; r++; 
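Review bot: The removed `bn_add_with_carry` asserted `carry == 0 || carry == 1`, and the `CRYPTO_addc_w` that replaces it is declared in a header not shown in this diff, so it is not visible here whether that invariant is still checked anywhere; if `CRYPTO_addc_w` is built on compiler intrinsics whose result for a carry-in greater than one differs from a portable fallback, a debug-only assert in the helper keeps both paths in agreement. Within `bn_add_words` itself the invariant holds structurally, since `carry` starts at 0 and is only ever written by the helper. The same observation applies to the `bn_sub_words` hunk that follows.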
@@ -633,17 +602,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG borrow = 0; while (n & ~3) { - r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow); - r[1] = bn_sub_with_borrow(a[1], b[1], borrow, &borrow); - r[2] = bn_sub_with_borrow(a[2], b[2], borrow, &borrow); - r[3] = bn_sub_with_borrow(a[3], b[3], borrow, &borrow); + r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow); + r[1] = CRYPTO_subc_w(a[1], b[1], borrow, &borrow); + r[2] = CRYPTO_subc_w(a[2], b[2], borrow, &borrow); + r[3] = CRYPTO_subc_w(a[3], b[3], borrow, &borrow); a += 4; b += 4; r += 4; n -= 4; } while (n) { - r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow); + r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow); a++; b++; r++; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/internal.h index 515d9cde..316132d1 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/internal.h @@ -149,6 +149,7 @@ extern "C" { #endif #define BN_BITS2 64 +#define BN_BITS2_LG 6 #define BN_BYTES 8 #define BN_BITS4 32 #define BN_MASK2 (0xffffffffffffffffUL) @@ -165,6 +166,7 @@ extern "C" { #define BN_ULLONG uint64_t #define BN_CAN_DIVIDE_ULLONG #define BN_BITS2 32 +#define BN_BITS2_LG 5 #define BN_BYTES 4 #define BN_BITS4 16 #define BN_MASK2 (0xffffffffUL) 
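Review bot: `BN_BITS2_LG` is introduced in two places with hand-written values (6 and 5) and nothing ties them to `BN_BITS2`, yet `bn_mont_ctx_set_RR_consttime` in this same commit relies on `(1 << BN_BITS2_LG) == BN_BITS2` for its square count. A compile-time check after the definitions, e.g. `_Static_assert((1u << BN_BITS2_LG) == BN_BITS2, "BN_BITS2_LG does not match BN_BITS2");` (or the project's own static-assert macro if it has one), would catch a future edit to one value without the other. A short comment on the define, `// log2(BN_BITS2); the number of squarings that take 2^1 to 2^BN_BITS2.`, would explain its purpose to readers of the header.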
@@ -269,6 +271,18 @@ int bn_copy_words(BN_ULONG *out, size_t num, const BIGNUM *bn); // validation. void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num); +// bn_secret marks |bn|'s contents, but not its width or sign, as secret. See +// |CONSTTIME_SECRET| for details. +OPENSSL_INLINE void bn_secret(BIGNUM *bn) { + CONSTTIME_SECRET(bn->d, bn->width * sizeof(BN_ULONG)); +} + +// bn_declassify marks |bn|'s value as public. See |CONSTTIME_DECLASSIFY| for +// details. +OPENSSL_INLINE void bn_declassify(BIGNUM *bn) { + CONSTTIME_DECLASSIFY(bn->d, bn->width * sizeof(BN_ULONG)); +} + // bn_mul_add_words multiples |ap| by |w|, adds the result to |rp|, and places // the result in |rp|. |ap| and |rp| must both be |num| words long. It returns // the carry word of the operation. |ap| and |rp| may be equal but otherwise may 
@@ -386,8 +400,41 @@ int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive, // inputs. int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, size_t num); + +#if defined(OPENSSL_X86_64) +OPENSSL_INLINE int bn_mulx_adx_capable(void) { + // MULX is in BMI2. + return CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable(); +} +int bn_mul_mont_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +OPENSSL_INLINE int bn_mul4x_mont_capable(size_t num) { + return num >= 8 && (num & 3) == 0; +} +int bn_mul4x_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +OPENSSL_INLINE int bn_mulx4x_mont_capable(size_t num) { + return bn_mul4x_mont_capable(num) && bn_mulx_adx_capable(); +} +int bn_mulx4x_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +OPENSSL_INLINE int bn_sqr8x_mont_capable(size_t num) { + return num >= 8 && (num & 7) == 0; +} +int bn_sqr8x_mont(BN_ULONG *rp, const BN_ULONG *ap, BN_ULONG mulx_adx_capable, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +#elif defined(OPENSSL_ARM) +OPENSSL_INLINE int bn_mul8x_mont_neon_capable(size_t num) { + return (num & 7) == 0 && CRYPTO_is_NEON_capable(); +} +int bn_mul8x_mont_neon(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +int bn_mul_mont_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); #endif +#endif // OPENSSL_BN_ASM_MONT + #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) #define OPENSSL_BN_ASM_MONT5 
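Review bot: The new prototypes `bn_mul_mont_nohw`, `bn_mul4x_mont`, `bn_mulx4x_mont`, `bn_sqr8x_mont` and `bn_mul8x_mont_neon` carry no comment, unlike `bn_mul_mont` just above them, and `bn_sqr8x_mont`'s extra `BN_ULONG mulx_adx_capable` parameter is the one a reader will trip on. Suggest a short block before the `#if defined(OPENSSL_X86_64)` stating that these are the assembly back-ends selected by `bn_mul_mont` in montgomery.c, that `num` is a word count, that each `*_capable(num)` predicate is the only supported way to decide whether the matching routine may be called, and that `mulx_adx_capable` must be the value of `bn_mulx_adx_capable()` as montgomery.c passes it. The `#endif // OPENSSL_BN_ASM_MONT` closes a conditional that begins outside the hunk.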
@@ -431,12 +478,11 @@ void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, uint64_t bn_mont_n0(const BIGNUM *n); -// bn_mod_exp_base_2_consttime calculates r = 2**p (mod n). |p| must be larger -// than log_2(n); i.e. 2**p must be larger than |n|. |n| must be positive and -// odd. |p| and the bit width of |n| are assumed public, but |n| is otherwise -// treated as secret. -int bn_mod_exp_base_2_consttime(BIGNUM *r, unsigned p, const BIGNUM *n, - BN_CTX *ctx); +// bn_mont_ctx_set_RR_consttime initializes |mont->RR|. It returns one on +// success and zero on error. |mont->N| and |mont->n0| must have been +// initialized already. The bit width of |mont->N| is assumed public, but +// |mont->N| is otherwise treated as secret. +int bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx); #if defined(_MSC_VER) #if defined(OPENSSL_X86_64) @@ -600,6 +646,13 @@ OPENSSL_EXPORT int bn_is_relatively_prime(int *out_relatively_prime, OPENSSL_EXPORT int bn_lcm_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); +// bn_mont_ctx_init zero-initialies |mont|. +void bn_mont_ctx_init(BN_MONT_CTX *mont); + +// bn_mont_ctx_cleanup releases memory associated with |mont|, without freeing +// |mont| itself. +void bn_mont_ctx_cleanup(BN_MONT_CTX *mont); + // Constant-time modular arithmetic. // @@ -748,8 +801,8 @@ void bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a, // bn_big_endian_to_words interprets |in_len| bytes from |in| as a big-endian, // unsigned integer and writes the result to |out_len| words in |out|. |out_len| -// must be large enough to represent any |in_len|-byte value. That is, |out_len| -// must be at least |BN_BYTES * in_len|. +// must be large enough to represent any |in_len|-byte value. That is, |in_len| +// must be at most |BN_BYTES * out_len|. void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, size_t in_len); 
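Review bot: Typo in the new comment on `bn_mont_ctx_init`: `zero-initialies` should read `zero-initializes`. The `bn_mont_ctx_cleanup` comment should also say whether the context may be reused afterwards, e.g. `// |mont| must be re-initialized with |bn_mont_ctx_init| before any further use.`, since cleanup as written in montgomery.c only frees the two embedded BIGNUMs. The corrected `bn_big_endian_to_words` precondition (`in_len` at most `BN_BYTES * out_len`) now matches the `BSSL_CHECK` added in bytes.c.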
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/montgomery.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/montgomery.c index fe7af3eb..761aa27e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/montgomery.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/montgomery.c @@ -121,17 +121,24 @@ #include "../../internal.h" +void bn_mont_ctx_init(BN_MONT_CTX *mont) { + OPENSSL_memset(mont, 0, sizeof(BN_MONT_CTX)); + BN_init(&mont->RR); + BN_init(&mont->N); +} + +void bn_mont_ctx_cleanup(BN_MONT_CTX *mont) { + BN_free(&mont->RR); + BN_free(&mont->N); +} + BN_MONT_CTX *BN_MONT_CTX_new(void) { BN_MONT_CTX *ret = OPENSSL_malloc(sizeof(BN_MONT_CTX)); - if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(BN_MONT_CTX)); - BN_init(&ret->RR); - BN_init(&ret->N); - + bn_mont_ctx_init(ret); return ret; } @@ -140,8 +147,7 @@ void BN_MONT_CTX_free(BN_MONT_CTX *mont) { return; } - BN_free(&mont->RR); - BN_free(&mont->N); + bn_mont_ctx_cleanup(mont); OPENSSL_free(mont); } @@ -248,19 +254,12 @@ BN_MONT_CTX *BN_MONT_CTX_new_for_modulus(const BIGNUM *mod, BN_CTX *ctx) { BN_MONT_CTX *BN_MONT_CTX_new_consttime(const BIGNUM *mod, BN_CTX *ctx) { BN_MONT_CTX *mont = BN_MONT_CTX_new(); if (mont == NULL || - !bn_mont_ctx_set_N_and_n0(mont, mod)) { - goto err; - } - unsigned lgBigR = mont->N.width * BN_BITS2; - if (!bn_mod_exp_base_2_consttime(&mont->RR, lgBigR * 2, &mont->N, ctx) || - !bn_resize_words(&mont->RR, mont->N.width)) { - goto err; + !bn_mont_ctx_set_N_and_n0(mont, mod) || + !bn_mont_ctx_set_RR_consttime(mont, ctx)) { + BN_MONT_CTX_free(mont); + return NULL; } return mont; - -err: - BN_MONT_CTX_free(mont); - return NULL; } int BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock, 
@@ -505,3 +504,29 @@ void bn_mod_mul_montgomery_small(BN_ULONG *r, const BN_ULONG *a, } OPENSSL_cleanse(tmp, 2 * num * sizeof(BN_ULONG)); } + +#if defined(OPENSSL_BN_ASM_MONT) && defined(OPENSSL_X86_64) +int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num) { + if (ap == bp && bn_sqr8x_mont_capable(num)) { + return bn_sqr8x_mont(rp, ap, bn_mulx_adx_capable(), np, n0, num); + } + if (bn_mulx4x_mont_capable(num)) { + return bn_mulx4x_mont(rp, ap, bp, np, n0, num); + } + if (bn_mul4x_mont_capable(num)) { + return bn_mul4x_mont(rp, ap, bp, np, n0, num); + } + return bn_mul_mont_nohw(rp, ap, bp, np, n0, num); +} +#endif + +#if defined(OPENSSL_BN_ASM_MONT) && defined(OPENSSL_ARM) +int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num) { + if (bn_mul8x_mont_neon_capable(num)) { + return bn_mul8x_mont_neon(rp, ap, bp, np, n0, num); + } + return bn_mul_mont_nohw(rp, ap, bp, np, n0, num); +} +#endif diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c index 4c51954b..a82f45bd 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c 
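Review bot: The x86_64 `bn_mul_mont` dispatcher has no comment explaining why the order of its four branches matters: `bn_sqr8x_mont_capable` (`num` a multiple of 8, at least 8) implies `bn_mul4x_mont_capable` (multiple of 4, at least 8), so the squaring path must be tested first and only when `ap == bp`, and `bn_mulx4x_mont` wins over `bn_mul4x_mont` solely through the BMI2/ADX check inside `bn_mulx4x_mont_capable`. A header comment such as `// Dispatch to the most specialized routine the size and CPU allow. The predicates overlap, so the order of the tests is significant.` would keep a future reordering from silently selecting a slower path. What the `int` return conveys is not stated here either; presumably it mirrors the assembly routines' return value and deserves a word in the same comment.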
@@ -159,27 +159,64 @@ static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) { return v; } -int bn_mod_exp_base_2_consttime(BIGNUM *r, unsigned p, const BIGNUM *n, - BN_CTX *ctx) { - assert(!BN_is_zero(n)); - assert(!BN_is_negative(n)); - assert(BN_is_odd(n)); +int bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx) { + assert(!BN_is_zero(&mont->N)); + assert(!BN_is_negative(&mont->N)); + assert(BN_is_odd(&mont->N)); + assert(bn_minimal_width(&mont->N) == mont->N.width); - BN_zero(r); - - unsigned n_bits = BN_num_bits(n); + unsigned n_bits = BN_num_bits(&mont->N); assert(n_bits != 0); - assert(p > n_bits); if (n_bits == 1) { - return 1; + BN_zero(&mont->RR); + return bn_resize_words(&mont->RR, mont->N.width); } - // Set |r| to the larger power of two smaller than |n|, then shift with - // reductions the rest of the way. - if (!BN_set_bit(r, n_bits - 1) || - !bn_mod_lshift_consttime(r, r, p - (n_bits - 1), n, ctx)) { + unsigned lgBigR = mont->N.width * BN_BITS2; + assert(lgBigR >= n_bits); + + // RR is R, or 2^lgBigR, in the Montgomery domain. We can compute 2 in the + // Montgomery domain, 2R or 2^(lgBigR+1), and then use Montgomery + // square-and-multiply to exponentiate. + // + // The square steps take 2^n R to (2^n)*(2^n) R = 2^2n R. This is the same as + // doubling 2^n R, n times (doubling any x, n times, computes 2^n * x). When n + // is below some threshold, doubling is faster; when above, squaring is + // faster. From benchmarking various 32-bit and 64-bit architectures, the word + // count seems to work well as a threshold. (Doubling scales linearly and + // Montgomery reduction scales quadratically, so the threshold should scale + // roughly linearly.) + // + // The multiply steps take 2^n R to 2*2^n R = 2^(n+1) R. It is faster to + // double the value instead, so the square-and-multiply exponentiation would + // become square-and-double. 
However, when using the word count as the + // threshold, it turns out that no multiply/double steps will be needed at + // all, because squaring any x, i times, computes x^(2^i): + // + // (2^threshold)^(2^BN_BITS2_LG) R + // (2^mont->N.width)^BN_BITS2 R + // = 2^(mont->N.width*BN_BITS2) R + // = 2^lgBigR R + // = RR + int threshold = mont->N.width; + + // Calculate 2^threshold R = 2^(threshold + lgBigR) by doubling. The + // first n_bits - 1 doubles can be skipped because we don't need to reduce. + if (!BN_set_bit(&mont->RR, n_bits - 1) || + !bn_mod_lshift_consttime(&mont->RR, &mont->RR, + threshold + (lgBigR - (n_bits - 1)), + &mont->N, ctx)) { return 0; } - return 1; + // The above steps are the same regardless of the threshold. The steps below + // need to be modified if the threshold changes. + assert(threshold == mont->N.width); + for (unsigned i = 0; i < BN_BITS2_LG; i++) { + if (!BN_mod_mul_montgomery(&mont->RR, &mont->RR, &mont->RR, mont, ctx)) { + return 0; + } + } + + return bn_resize_words(&mont->RR, mont->N.width); } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/mul.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/mul.c index 559b2d6d..c0e170ec 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/mul.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/mul.c @@ -143,17 +143,13 @@ static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, // in |a| were zeros. dl = -dl; for (int i = 0; i < dl; i++) { - r[i] = 0u - b[i] - borrow; - borrow |= r[i] != 0; + r[i] = CRYPTO_subc_w(0, b[i], borrow, &borrow); } } else { // |b| is shorter than |a|. Complete the subtraction as if the excess words // in |b| were zeros. for (int i = 0; i < dl; i++) { - // |r| and |a| may alias, so use a temporary. - BN_ULONG tmp = a[i]; - r[i] = a[i] - borrow; - borrow = tmp < r[i]; + r[i] = CRYPTO_subc_w(a[i], 0, borrow, &borrow); } } 
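Review bot: The removed `bn_mod_exp_base_2_consttime` began with `BN_zero(r)`, but `bn_mont_ctx_set_RR_consttime` goes straight to `BN_set_bit(&mont->RR, n_bits - 1)`, so any bits already present in `mont->RR` survive and corrupt the result; the only visible caller, `BN_MONT_CTX_new_consttime`, works on a freshly `bn_mont_ctx_init`'d context, but the function's header comment in internal.h only requires `N` and `n0` to be initialized. Either add `BN_zero(&mont->RR);` before the `n_bits == 1` branch (which then no longer needs its own call) or document that `RR` must be zero on entry. Separately, `threshold + (lgBigR - (n_bits - 1))` mixes `int` and `unsigned` before narrowing to `bn_mod_lshift_consttime`'s `int n`; the values are bounded by the word width so this is harmless, but declaring `threshold` as `unsigned` avoids a sign-conversion warning and matches `lgBigR`. This hunk begins on the previous line.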
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/prime.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/prime.c index 3f6b0515..dd53dfe8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/prime.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/prime.c @@ -359,14 +359,7 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx); -BN_GENCB *BN_GENCB_new(void) { - BN_GENCB *callback = OPENSSL_malloc(sizeof(BN_GENCB)); - if (callback == NULL) { - return NULL; - } - OPENSSL_memset(callback, 0, sizeof(BN_GENCB)); - return callback; -} +BN_GENCB *BN_GENCB_new(void) { return OPENSSL_zalloc(sizeof(BN_GENCB)); } void BN_GENCB_free(BN_GENCB *callback) { OPENSSL_free(callback); } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/random.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/random.c index c1deda92..88985f2e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/random.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/random.c @@ -281,8 +281,14 @@ int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive, out[words - 1] &= mask; // If out >= max_exclusive or out < min_inclusive, retry. This implements - // the equivalent of steps 6 and 7 without leaking the value of |out|. - } while (!bn_in_range_words(out, min_inclusive, max_exclusive, words)); + // the equivalent of steps 6 and 7 without leaking the value of |out|. The + // result of this comparison may be treated as public. It only reveals how + // many attempts were needed before we found a value in range. This is + // independent of the final secret output, and has a distribution that + // depends only on |min_inclusive| and |max_exclusive|, both of which are + // public. + } while (!constant_time_declassify_int( + bn_in_range_words(out, min_inclusive, max_exclusive, words))); return 1; } 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/rsaz_exp.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/rsaz_exp.c index 6e125c4b..8f9295ae 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/rsaz_exp.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/rsaz_exp.c @@ -24,13 +24,13 @@ #include "../../internal.h" -// one is 1 in RSAZ's representation. -alignas(64) static const BN_ULONG one[40] = { +// rsaz_one is 1 in RSAZ's representation. +alignas(64) static const BN_ULONG rsaz_one[40] = { 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -// two80 is 2^80 in RSAZ's representation. Note RSAZ uses base 2^29, so this is +// rsaz_two80 is 2^80 in RSAZ's representation. Note RSAZ uses base 2^29, so this is // 2^(29*2 + 22) = 2^80, not 2^(64*2 + 22). -alignas(64) static const BN_ULONG two80[40] = { +alignas(64) static const BN_ULONG rsaz_two80[40] = { 0, 0, 1 << 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; @@ -64,12 +64,12 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16], // giving R = 2^(36*29) = 2^1044. rsaz_1024_mul_avx2(R2, R2, R2, m, k0); // R2 = 2^2048 * 2^2048 / 2^1044 = 2^3052 - rsaz_1024_mul_avx2(R2, R2, two80, m, k0); + rsaz_1024_mul_avx2(R2, R2, rsaz_two80, m, k0); // R2 = 2^3052 * 2^80 / 2^1044 = 2^2088 = (2^1044)^2 // table[0] = 1 // table[1] = a_inv^1 - rsaz_1024_mul_avx2(result, R2, one, m, k0); + rsaz_1024_mul_avx2(result, R2, rsaz_one, m, k0); rsaz_1024_mul_avx2(a_inv, a_inv, R2, m, k0); rsaz_1024_scatter5_avx2(table_s, result, 0); rsaz_1024_scatter5_avx2(table_s, a_inv, 1); 
@@ -125,7 +125,7 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16], rsaz_1024_mul_avx2(result, result, a_inv, m, k0); // Convert from Montgomery. - rsaz_1024_mul_avx2(result, result, one, m, k0); + rsaz_1024_mul_avx2(result, result, rsaz_one, m, k0); rsaz_1024_red2norm_avx2(result_norm, result); BN_ULONG scratch[16]; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bsaes-armv7-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bsaes-armv7-ios.ios.arm.S index abb26c2f..a583109b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bsaes-armv7-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bsaes-armv7-ios.ios.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) @ Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. @ @ Licensed under the OpenSSL license (the "License"). You may not use @@ -77,7 +69,6 @@ # define VFP_ABI_FRAME 0 # define BSAES_ASM_EXTENDED_KEY # define XTS_CHAIN_TWEAK -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif @@ -1535,11 +1526,7 @@ Lctr_enc_bzero:@ wipe key schedule [if any] @ out to retain a constant-time implementation. #endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bsaes-armv7-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bsaes-armv7-linux.linux.arm.S index cf4188f8..213f31e6 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bsaes-armv7-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bsaes-armv7-linux.linux.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) @ Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. @ @ Licensed under the OpenSSL license (the "License"). You may not use @@ -77,7 +69,6 @@ # define VFP_ABI_FRAME 0 # define BSAES_ASM_EXTENDED_KEY # define XTS_CHAIN_TWEAK -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif @@ -1525,11 +1516,7 @@ bsaes_ctr32_encrypt_blocks: @ out to retain a constant-time implementation. .size bsaes_ctr32_encrypt_blocks,.-bsaes_ctr32_encrypt_blocks #endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/cipher.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/cipher.c index f9b6e75d..ffd4cfe8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/cipher.c 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/cipher.c @@ -113,12 +113,11 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { OPENSSL_memcpy(out, in, sizeof(EVP_CIPHER_CTX)); if (in->cipher_data && in->cipher->ctx_size) { - out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); + out->cipher_data = OPENSSL_memdup(in->cipher_data, in->cipher->ctx_size); if (!out->cipher_data) { out->cipher = NULL; return 0; } - OPENSSL_memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); } if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) { @@ -586,6 +585,16 @@ unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) { } unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) { + if (EVP_CIPHER_mode(ctx->cipher) == EVP_CIPH_GCM_MODE) { + int length; + int res = EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN, 0, + &length); + // EVP_CIPHER_CTX_ctrl returning an error should be impossible under this + // circumstance. If it somehow did, fallback to the static cipher iv_len. + if (res == 1) { + return length; + } + } return ctx->cipher->iv_len; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aes.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aes.c index 90da5d3f..16c1c9d0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aes.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aes.c @@ -408,22 +408,6 @@ static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) { } } -// increment counter (64-bit int) by 1 -static void ctr64_inc(uint8_t *counter) { - int n = 8; - uint8_t c; - - do { - --n; - c = counter[n]; - ++c; - counter[n] = c; - if (c) { - return; - } - } while (n); -} - static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c); switch (type) { 
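Review bot: In the new GCM branch of EVP_CIPHER_CTX_iv_length the `int length` obtained through EVP_CTRL_GET_IVLEN is converted to the function's `unsigned` return type with no sign check, and the `(EVP_CIPHER_CTX *)ctx` cast drops the parameter's const to call a query that does not modify the context. The ctrl handler added elsewhere in this patch stores `gctx->ivlen`, whose validation on the set path is outside my view, so a negative value is unlikely but the conversion would be silent if it ever happened. I would write `if (res == 1 && length >= 0) { return (unsigned)length; }` and put a one-line comment on the cast saying the ctrl is read-only for this type. The comment's claim that the ctrl "should be impossible" to fail depends on the cipher's ctrl table, so it is better phrased as an assumption.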
@@ -454,6 +438,10 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { gctx->ivlen = arg; return 1; + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = gctx->ivlen; + return 1; + case EVP_CTRL_AEAD_SET_TAG: if (arg <= 0 || arg > 16 || c->encrypt) { return 0; @@ -481,9 +469,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { if (arg < 4 || (gctx->ivlen - arg) < 8) { return 0; } - if (arg) { - OPENSSL_memcpy(gctx->iv, ptr, arg); - } + OPENSSL_memcpy(gctx->iv, ptr, arg); if (c->encrypt) { // |RAND_bytes| calls within the fipsmodule should be wrapped with state // lock functions to avoid updating the service indicator with the DRBG @@ -495,7 +481,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { gctx->iv_gen = 1; return 1; - case EVP_CTRL_GCM_IV_GEN: + case EVP_CTRL_GCM_IV_GEN: { if (gctx->iv_gen == 0 || gctx->key_set == 0) { return 0; } @@ -504,12 +490,13 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { arg = gctx->ivlen; } OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); - // Invocation field will be at least 8 bytes in size and - // so no need to check wrap around or increment more than - // last 8 bytes. - ctr64_inc(gctx->iv + gctx->ivlen - 8); + // Invocation field will be at least 8 bytes in size, so no need to check + // wrap around or increment more than last 8 bytes. + uint8_t *ctr = gctx->iv + gctx->ivlen - 8; + CRYPTO_store_u64_be(ctr, CRYPTO_load_u64_be(ctr) + 1); gctx->iv_set = 1; return 1; + } case EVP_CTRL_GCM_SET_IV_INV: if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) { diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c index e7a36f43..8a2dc56f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c 
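Review bot: The new EVP_CTRL_GET_IVLEN case stores through `*(int *)ptr = gctx->ivlen;` with no guard for a NULL `ptr`, while the neighbouring EVP_CTRL_AEAD_SET_TAG case validates its `arg` before use. The only caller introduced by this patch (EVP_CIPHER_CTX_iv_length in cipher.c) always passes `&length`, so this is safe today; if the convention in aes_gcm_ctrl is that pointer-taking ctrls trust their caller, a short comment on the case saying so would make that explicit, otherwise `if (ptr == NULL) { return 0; }` before the store is cheap. aes_gcm_ctrl begins and ends outside this hunk.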
@@ -55,6 +55,7 @@ #include #include "../delocate.h" +#include "../modes/internal.h" #include "../service_indicator/internal.h" #include "internal.h" @@ -66,10 +67,8 @@ struct ccm128_context { }; struct ccm128_state { - union { - uint64_t u[2]; - uint8_t c[16]; - } nonce, cmac; + alignas(16) uint8_t nonce[16]; + alignas(16) uint8_t cmac[16]; }; static int CRYPTO_ccm128_init(struct ccm128_context *ctx, const AES_KEY *key, @@ -86,7 +85,7 @@ static int CRYPTO_ccm128_init(struct ccm128_context *ctx, const AES_KEY *key, } static size_t CRYPTO_ccm128_max_input(const struct ccm128_context *ctx) { - return ctx->L >= sizeof(size_t) ? (size_t)-1 + return ctx->L >= sizeof(size_t) ? SIZE_MAX : (((size_t)1) << (ctx->L * 8)) - 1; } @@ -107,16 +106,16 @@ static int ccm128_init_state(const struct ccm128_context *ctx, // Assemble the first block for computing the MAC. OPENSSL_memset(state, 0, sizeof(*state)); - state->nonce.c[0] = (uint8_t)((L - 1) | ((M - 2) / 2) << 3); + state->nonce[0] = (uint8_t)((L - 1) | ((M - 2) / 2) << 3); if (aad_len != 0) { - state->nonce.c[0] |= 0x40; // Set AAD Flag + state->nonce[0] |= 0x40; // Set AAD Flag } - OPENSSL_memcpy(&state->nonce.c[1], nonce, nonce_len); + OPENSSL_memcpy(&state->nonce[1], nonce, nonce_len); for (unsigned i = 0; i < L; i++) { - state->nonce.c[15 - i] = (uint8_t)(plaintext_len >> (8 * i)); + state->nonce[15 - i] = (uint8_t)(plaintext_len >> (8 * i)); } - (*block)(state->nonce.c, state->cmac.c, key); + (*block)(state->nonce, state->cmac, key); size_t blocks = 1; if (aad_len != 0) { 
@@ -124,38 +123,38 @@ static int ccm128_init_state(const struct ccm128_context *ctx, // Cast to u64 to avoid the compiler complaining about invalid shifts. uint64_t aad_len_u64 = aad_len; if (aad_len_u64 < 0x10000 - 0x100) { - state->cmac.c[0] ^= (uint8_t)(aad_len_u64 >> 8); - state->cmac.c[1] ^= (uint8_t)aad_len_u64; + state->cmac[0] ^= (uint8_t)(aad_len_u64 >> 8); + state->cmac[1] ^= (uint8_t)aad_len_u64; i = 2; } else if (aad_len_u64 <= 0xffffffff) { - state->cmac.c[0] ^= 0xff; - state->cmac.c[1] ^= 0xfe; - state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 24); - state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 16); - state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 8); - state->cmac.c[5] ^= (uint8_t)aad_len_u64; + state->cmac[0] ^= 0xff; + state->cmac[1] ^= 0xfe; + state->cmac[2] ^= (uint8_t)(aad_len_u64 >> 24); + state->cmac[3] ^= (uint8_t)(aad_len_u64 >> 16); + state->cmac[4] ^= (uint8_t)(aad_len_u64 >> 8); + state->cmac[5] ^= (uint8_t)aad_len_u64; i = 6; } else { - state->cmac.c[0] ^= 0xff; - state->cmac.c[1] ^= 0xff; - state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 56); - state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 48); - state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 40); - state->cmac.c[5] ^= (uint8_t)(aad_len_u64 >> 32); - state->cmac.c[6] ^= (uint8_t)(aad_len_u64 >> 24); - state->cmac.c[7] ^= (uint8_t)(aad_len_u64 >> 16); - state->cmac.c[8] ^= (uint8_t)(aad_len_u64 >> 8); - state->cmac.c[9] ^= (uint8_t)aad_len_u64; + state->cmac[0] ^= 0xff; + state->cmac[1] ^= 0xff; + state->cmac[2] ^= (uint8_t)(aad_len_u64 >> 56); + state->cmac[3] ^= (uint8_t)(aad_len_u64 >> 48); + state->cmac[4] ^= (uint8_t)(aad_len_u64 >> 40); + state->cmac[5] ^= (uint8_t)(aad_len_u64 >> 32); + state->cmac[6] ^= (uint8_t)(aad_len_u64 >> 24); + state->cmac[7] ^= (uint8_t)(aad_len_u64 >> 16); + state->cmac[8] ^= (uint8_t)(aad_len_u64 >> 8); + state->cmac[9] ^= (uint8_t)aad_len_u64; i = 10; } do { for (; i < 16 && aad_len != 0; i++) { - state->cmac.c[i] ^= *aad; + state->cmac[i] ^= *aad; aad++; 
aad_len--; } - (*block)(state->cmac.c, state->cmac.c, key); + (*block)(state->cmac, state->cmac, key); blocks++; i = 0; } while (aad_len != 0); @@ -174,7 +173,7 @@ static int ccm128_init_state(const struct ccm128_context *ctx, // Assemble the first block for encrypting and decrypting. The bottom |L| // bytes are replaced with a counter and all bit the encoding of |L| is // cleared in the first byte. - state->nonce.c[0] &= 7; + state->nonce[0] &= 7; return 1; } @@ -183,17 +182,17 @@ static int ccm128_encrypt(const struct ccm128_context *ctx, uint8_t *out, const uint8_t *in, size_t len) { // The counter for encryption begins at one. for (unsigned i = 0; i < ctx->L; i++) { - state->nonce.c[15 - i] = 0; + state->nonce[15 - i] = 0; } - state->nonce.c[15] = 1; + state->nonce[15] = 1; uint8_t partial_buf[16]; unsigned num = 0; if (ctx->ctr != NULL) { - CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, state->nonce.c, partial_buf, + CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, state->nonce, partial_buf, &num, ctx->ctr); } else { - CRYPTO_ctr128_encrypt(in, out, len, key, state->nonce.c, partial_buf, &num, + CRYPTO_ctr128_encrypt(in, out, len, key, state->nonce, partial_buf, &num, ctx->block); } return 1; 
@@ -209,34 +208,28 @@ static int ccm128_compute_mac(const struct ccm128_context *ctx, } // Incorporate |in| into the MAC. - union { - uint64_t u[2]; - uint8_t c[16]; - } tmp; while (len >= 16) { - OPENSSL_memcpy(tmp.c, in, 16); - state->cmac.u[0] ^= tmp.u[0]; - state->cmac.u[1] ^= tmp.u[1]; - (*block)(state->cmac.c, state->cmac.c, key); + CRYPTO_xor16(state->cmac, state->cmac, in); + (*block)(state->cmac, state->cmac, key); in += 16; len -= 16; } if (len > 0) { for (size_t i = 0; i < len; i++) { - state->cmac.c[i] ^= in[i]; + state->cmac[i] ^= in[i]; } - (*block)(state->cmac.c, state->cmac.c, key); + (*block)(state->cmac, state->cmac, key); } // Encrypt the MAC with counter zero. for (unsigned i = 0; i < ctx->L; i++) { - state->nonce.c[15 - i] = 0; + state->nonce[15 - i] = 0; } - (*block)(state->nonce.c, tmp.c, key); - state->cmac.u[0] ^= tmp.u[0]; - state->cmac.u[1] ^= tmp.u[1]; + alignas(16) uint8_t tmp[16]; + (*block)(state->nonce, tmp, key); + CRYPTO_xor16(state->cmac, state->cmac, tmp); - OPENSSL_memcpy(out_tag, state->cmac.c, tag_len); + OPENSSL_memcpy(out_tag, state->cmac, tag_len); return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586-linux.linux.x86.S index c2108489..5b2d8b42 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586-linux.linux.x86.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl bn_mul_comba8 .hidden bn_mul_comba8 
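Review bot: In ccm128_compute_mac the `while (len >= 16)` loop now calls `CRYPTO_xor16(state->cmac, state->cmac, in)` with the caller-supplied `in`, while every operand the patch controls (`state->cmac`, `state->nonce`, the new local `tmp`) gained `alignas(16)`; that pairing suggests alignment matters to CRYPTO_xor16, yet `in` carries no alignment guarantee. I cannot see CRYPTO_xor16's definition in modes/internal.h from here; if it accepts unaligned operands, a comment on the loop such as `// CRYPTO_xor16 accepts an unaligned |in|.` would save the next reader the same question, and if it does not, the loop needs to copy each block into a 16-byte-aligned buffer first. The removed code always went through a local union copy before XORing, so this is a new subtlety rather than a pre-existing one.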
@@ -1270,11 +1263,7 @@ bn_sqr_comba4: popl %esi ret .size bn_sqr_comba4,.-.L_bn_sqr_comba4_begin -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/delocate.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/delocate.h index 57763fd4..7bfeb730 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/delocate.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/delocate.h @@ -27,9 +27,8 @@ type *name##_bss_get(void) __attribute__((const)); // For FIPS builds we require that CRYPTO_ONCE_INIT be zero. #define DEFINE_STATIC_ONCE(name) DEFINE_BSS_GET(CRYPTO_once_t, name) -// For FIPS builds we require that CRYPTO_STATIC_MUTEX_INIT be zero. -#define DEFINE_STATIC_MUTEX(name) \ - DEFINE_BSS_GET(struct CRYPTO_STATIC_MUTEX, name) +// For FIPS builds we require that CRYPTO_MUTEX_INIT be zero. +#define DEFINE_STATIC_MUTEX(name) DEFINE_BSS_GET(CRYPTO_MUTEX, name) // For FIPS builds we require that CRYPTO_EX_DATA_CLASS_INIT be zero. #define DEFINE_STATIC_EX_DATA_CLASS(name) \ DEFINE_BSS_GET(CRYPTO_EX_DATA_CLASS, name) 
@@ -40,9 +39,9 @@ #define DEFINE_STATIC_ONCE(name) \ static CRYPTO_once_t name = CRYPTO_ONCE_INIT; \ static CRYPTO_once_t *name##_bss_get(void) { return &name; } -#define DEFINE_STATIC_MUTEX(name) \ - static struct CRYPTO_STATIC_MUTEX name = CRYPTO_STATIC_MUTEX_INIT; \ - static struct CRYPTO_STATIC_MUTEX *name##_bss_get(void) { return &name; } +#define DEFINE_STATIC_MUTEX(name) \ + static CRYPTO_MUTEX name = CRYPTO_MUTEX_INIT; \ + static CRYPTO_MUTEX *name##_bss_get(void) { return &name; } #define DEFINE_STATIC_EX_DATA_CLASS(name) \ static CRYPTO_EX_DATA_CLASS name = CRYPTO_EX_DATA_CLASS_INIT; \ static CRYPTO_EX_DATA_CLASS *name##_bss_get(void) { return &name; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/check.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/check.c index 993e02d7..bca8133e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/check.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/check.c @@ -57,12 +57,40 @@ #include #include +#include #include "internal.h" +int dh_check_params_fast(const DH *dh) { + // Most operations scale with p and q. + if (BN_is_negative(dh->p) || !BN_is_odd(dh->p) || + BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); + return 0; + } + + // q must be bounded by p. + if (dh->q != NULL && (BN_is_negative(dh->q) || BN_ucmp(dh->q, dh->p) > 0)) { + OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); + return 0; + } + + // g must be an element of p's multiplicative group. + if (BN_is_negative(dh->g) || BN_is_zero(dh->g) || + BN_ucmp(dh->g, dh->p) >= 0) { + OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); + return 0; + } + + return 1; +} + int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { *out_flags = 0; + if (!dh_check_params_fast(dh)) { + return 0; + } BN_CTX *ctx = BN_CTX_new(); if (ctx == NULL) { 
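Review bot: dh_check_params_fast dereferences `dh->p` and `dh->g` unconditionally (`BN_is_negative(dh->p)`, `BN_is_negative(dh->g)`), and DH_new in this same patch zero-initialises both, so a DH whose parameters were never set reaches BN_is_negative with a NULL pointer from every entry point that now calls this helper. A NULL p was already fatal in the old code paths, but g is new: dh_compute_key (hunk in dh.c) previously looked only at p, so a caller that set p and the private key but never g may have computed shared secrets successfully and would now crash rather than fail; I cannot tell from here whether such callers exist. A guard at the top, `if (dh->p == NULL || dh->g == NULL) { OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); return 0; }`, turns that into the same DH_R_INVALID_PARAMETERS failure the rest of the function reports.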
@@ -73,17 +101,14 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { int ok = 0; // Check |pub_key| is greater than 1. - BIGNUM *tmp = BN_CTX_get(ctx); - if (tmp == NULL || - !BN_set_word(tmp, 1)) { - goto err; - } - if (BN_cmp(pub_key, tmp) <= 0) { + if (BN_cmp(pub_key, BN_value_one()) <= 0) { *out_flags |= DH_CHECK_PUBKEY_TOO_SMALL; } // Check |pub_key| is less than |dh->p| - 1. - if (!BN_copy(tmp, dh->p) || + BIGNUM *tmp = BN_CTX_get(ctx); + if (tmp == NULL || + !BN_copy(tmp, dh->p) || !BN_sub_word(tmp, 1)) { goto err; } @@ -113,6 +138,11 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { int DH_check(const DH *dh, int *out_flags) { + *out_flags = 0; + if (!dh_check_params_fast(dh)) { + return 0; + } + // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a // suitable generator where: // for 2, p mod 24 == 11 @@ -124,7 +154,6 @@ int DH_check(const DH *dh, int *out_flags) { BN_ULONG l; BIGNUM *t1 = NULL, *t2 = NULL; - *out_flags = 0; ctx = BN_CTX_new(); if (ctx == NULL) { goto err; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/dh.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/dh.c index bf28215f..445ac755 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/dh.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/dh.c @@ -70,20 +70,14 @@ #include "internal.h" -#define OPENSSL_DH_MAX_MODULUS_BITS 10000 - DH *DH_new(void) { - DH *dh = OPENSSL_malloc(sizeof(DH)); + DH *dh = OPENSSL_zalloc(sizeof(DH)); if (dh == NULL) { return NULL; } - OPENSSL_memset(dh, 0, sizeof(DH)); - CRYPTO_MUTEX_init(&dh->method_mont_p_lock); - dh->references = 1; - return dh; } 
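Review bot: DH_check now returns 0 with DH_R_INVALID_PARAMETERS before any of the primality or generator checks when dh_check_params_fast rejects the parameters, whereas the pre-existing checks below report findings through `*out_flags` and, as far as I can tell, return 1. Callers that treated "non-zero return plus flags" as checked-and-bad and "zero return" as could-not-check will now see a hard failure for an even or oversized p or an out-of-range g; if that is intended, the public DH_check documentation (outside this hunk) should say so, e.g. `// Parameters that fail basic bounds checks are reported as an error, not via |*out_flags|.` Clearing `*out_flags` before the early return, as the hunk does, is the right ordering.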
@@ -191,15 +185,14 @@ int DH_set_length(DH *dh, unsigned priv_length) { int DH_generate_key(DH *dh) { boringssl_ensure_ffdh_self_test(); + if (!dh_check_params_fast(dh)) { + return 0; + } + int ok = 0; int generate_new_key = 0; BN_CTX *ctx = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { - OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE); - goto err; - } + BIGNUM *pub_key = NULL, *priv_key = NULL, *priv_key_limit = NULL; ctx = BN_CTX_new(); if (ctx == NULL) { 
@@ -232,22 +225,44 @@ int DH_generate_key(DH *dh) { if (generate_new_key) { if (dh->q) { - if (!BN_rand_range_ex(priv_key, 2, dh->q)) { + // Section 5.6.1.1.4 of SP 800-56A Rev3 generates a private key uniformly + // from [1, min(2^N-1, q-1)]. + // + // Although SP 800-56A Rev3 now permits a private key length N, + // |dh->priv_length| historically was ignored when q is available. We + // continue to ignore it and interpret such a configuration as N = len(q). + if (!BN_rand_range_ex(priv_key, 1, dh->q)) { goto err; } } else { - // secret exponent length - unsigned priv_bits = dh->priv_length; - if (priv_bits == 0) { - const unsigned p_bits = BN_num_bits(dh->p); - if (p_bits == 0) { + // If q is unspecified, we expect p to be a safe prime, with g generating + // the (p-1)/2 subgroup. So, we use q = (p-1)/2. (If g generates a smaller + // prime-order subgroup, q will still divide (p-1)/2.) + // + // We set N from |dh->priv_length|. Section 5.6.1.1.4 of SP 800-56A Rev3 + // says to reject N > len(q), or N > num_bits(p) - 1. However, this logic + // originally aligned with PKCS#3, which allows num_bits(p). Instead, we + // clamp |dh->priv_length| before invoking the algorithm. + + // Compute M = min(2^N, q). + priv_key_limit = BN_new(); + if (priv_key_limit == NULL) { + goto err; + } + if (dh->priv_length == 0 || dh->priv_length >= BN_num_bits(dh->p) - 1) { + // M = q = (p - 1) / 2. + if (!BN_rshift1(priv_key_limit, dh->p)) { + goto err; + } + } else { + // M = 2^N. + if (!BN_set_bit(priv_key_limit, dh->priv_length)) { goto err; } - - priv_bits = p_bits - 1; } - if (!BN_rand(priv_key, priv_bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) { + // Choose a private key uniformly from [1, M-1]. + if (!BN_rand_range_ex(priv_key, 1, priv_key_limit)) { goto err; } } 
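Review bot: The clamp `dh->priv_length >= BN_num_bits(dh->p) - 1` is unsigned arithmetic and relies on `BN_num_bits(dh->p)` being at least 1; that holds only because dh_check_params_fast, called at the top of DH_generate_key in the earlier hunk, rejects an even p, so a zero p never reaches this line. The comment block above the clamp discusses only SP 800-56A and does not record that dependency; I would add `// p is odd here (dh_check_params_fast), so BN_num_bits(p) >= 1 and this cannot underflow.` The same clamp is what keeps `BN_set_bit(priv_key_limit, dh->priv_length)` within range for an `unsigned` priv_length, since it is bounded by the modulus size. Both branches are otherwise consistent with the [1, M-1] contract the comments state.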
@@ -273,14 +288,14 @@ int DH_generate_key(DH *dh) { if (dh->priv_key == NULL) { BN_free(priv_key); } + BN_free(priv_key_limit); BN_CTX_free(ctx); return ok; } static int dh_compute_key(DH *dh, BIGNUM *out_shared_key, const BIGNUM *peers_key, BN_CTX *ctx) { - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { - OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE); + if (!dh_check_params_fast(dh)) { return 0; } @@ -379,7 +394,7 @@ int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) { int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, size_t max_out_len, const BIGNUM *peers_key, const EVP_MD *digest) { - *out_len = (size_t)-1; + *out_len = SIZE_MAX; const size_t digest_len = EVP_MD_size(digest); if (digest_len > max_out_len) { diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/internal.h index 7e07652c..5b259730 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/internal.h @@ -19,11 +19,15 @@ #include +#include "../../internal.h" + #if defined(__cplusplus) extern "C" { #endif +#define OPENSSL_DH_MAX_MODULUS_BITS 10000 + struct dh_st { BIGNUM *p; BIGNUM *g; @@ -42,6 +46,11 @@ struct dh_st { CRYPTO_refcount_t references; }; +// dh_check_params_fast checks basic invariants on |dh|'s domain parameters. It +// does not check that |dh| forms a valid group, only that the sizes are within +// DoS bounds. +int dh_check_params_fast(const DH *dh); + // dh_compute_key_padded_no_self_test does the same as |DH_compute_key_padded|, // but doesn't try to run the self-test first. This is for use in the self tests // themselves, to prevent an infinite loop. diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/digest/digest.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/digest/digest.c index 5ddc50f0..c7eec59d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/digest/digest.c 
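Review bot: The new header comment on dh_check_params_fast says it checks only "that the sizes are within DoS bounds", but the implementation added in check.c also rejects a negative or even p, a q larger than p, and a g outside (0, p), and it pushes DH_R_INVALID_PARAMETERS on failure; a caller reading only this header would not expect an error-queue entry or the g requirement. I would extend the comment to list those invariants, state that it returns zero and pushes DH_R_INVALID_PARAMETERS on failure, and note that p and g must be non-NULL, keeping the existing sentence that it does not verify |dh| forms a valid group. The adjacent OPENSSL_DH_MAX_MODULUS_BITS move into this header is fine; a one-line comment on why 10000 was chosen would help, if the reason is known.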
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/digest/digest.c @@ -185,6 +185,10 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { void EVP_MD_CTX_move(EVP_MD_CTX *out, EVP_MD_CTX *in) { EVP_MD_CTX_cleanup(out); // While not guaranteed, |EVP_MD_CTX| is currently safe to move with |memcpy|. + // bssl-crypto currently relies on this, however, so if we change this, we + // need to box the |HMAC_CTX|. (Relying on this is only fine because we assume + // BoringSSL and bssl-crypto will always be updated atomically. We do not + // allow any version skew between the two.) OPENSSL_memcpy(out, in, sizeof(EVP_MD_CTX)); EVP_MD_CTX_init(in); } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/builtin_curves.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/builtin_curves.h new file mode 100644 index 00000000..0b489ab5 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/builtin_curves.h 
@@ -0,0 +1,277 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +// This file is generated by make_tables.go. + +// P-224 +OPENSSL_UNUSED static const uint64_t kP224FieldN0 = 0xffffffffffffffff; +OPENSSL_UNUSED static const uint64_t kP224OrderN0 = 0xd6e242706a1fc2eb; +#if defined(OPENSSL_64_BIT) +OPENSSL_UNUSED static const uint64_t kP224Field[] = { + 0x0000000000000001, 0xffffffff00000000, 0xffffffffffffffff, + 0x00000000ffffffff}; +OPENSSL_UNUSED static const uint64_t kP224Order[] = { + 0x13dd29455c5c2a3d, 0xffff16a2e0b8f03e, 0xffffffffffffffff, + 0x00000000ffffffff}; +OPENSSL_UNUSED static const uint64_t kP224B[] = { + 0x270b39432355ffb4, 0x5044b0b7d7bfd8ba, 0x0c04b3abf5413256, + 0x00000000b4050a85}; +OPENSSL_UNUSED static const uint64_t kP224GX[] = { + 0x343280d6115c1d21, 0x4a03c1d356c21122, 0x6bb4bf7f321390b9, + 0x00000000b70e0cbd}; +OPENSSL_UNUSED static const uint64_t kP224GY[] = { + 0x44d5819985007e34, 0xcd4375a05a074764, 0xb5f723fb4c22dfe6, + 0x00000000bd376388}; +OPENSSL_UNUSED static const uint64_t kP224FieldR[] = { + 0xffffffff00000000, 0xffffffffffffffff, 0x0000000000000000, + 0x0000000000000000}; +OPENSSL_UNUSED static const uint64_t kP224FieldRR[] = { + 0xffffffff00000001, 0xffffffff00000000, 0xfffffffe00000000, + 
0x00000000ffffffff}; +OPENSSL_UNUSED static const uint64_t kP224OrderRR[] = { + 0x29947a695f517d15, 0xabc8ff5931d63f4b, 0x6ad15f7cd9714856, + 0x00000000b1e97961}; +OPENSSL_UNUSED static const uint64_t kP224MontB[] = { + 0xe768cdf663c059cd, 0x107ac2f3ccf01310, 0x3dceba98c8528151, + 0x000000007fc02f93}; +OPENSSL_UNUSED static const uint64_t kP224MontGX[] = { + 0xbc9052266d0a4aea, 0x852597366018bfaa, 0x6dd3af9bf96bec05, + 0x00000000a21b5e60}; +OPENSSL_UNUSED static const uint64_t kP224MontGY[] = { + 0x2edca1e5eff3ede8, 0xf8cd672b05335a6b, 0xaea9c5ae03dfe878, + 0x00000000614786f1}; +#elif defined(OPENSSL_32_BIT) +OPENSSL_UNUSED static const uint32_t kP224Field[] = { + 0x00000001, 0x00000000, 0x00000000, 0xffffffff, 0xffffffff, 0xffffffff, + 0xffffffff}; +OPENSSL_UNUSED static const uint32_t kP224Order[] = { + 0x5c5c2a3d, 0x13dd2945, 0xe0b8f03e, 0xffff16a2, 0xffffffff, 0xffffffff, + 0xffffffff}; +OPENSSL_UNUSED static const uint32_t kP224B[] = { + 0x2355ffb4, 0x270b3943, 0xd7bfd8ba, 0x5044b0b7, 0xf5413256, 0x0c04b3ab, + 0xb4050a85}; +OPENSSL_UNUSED static const uint32_t kP224GX[] = { + 0x115c1d21, 0x343280d6, 0x56c21122, 0x4a03c1d3, 0x321390b9, 0x6bb4bf7f, + 0xb70e0cbd}; +OPENSSL_UNUSED static const uint32_t kP224GY[] = { + 0x85007e34, 0x44d58199, 0x5a074764, 0xcd4375a0, 0x4c22dfe6, 0xb5f723fb, + 0xbd376388}; +OPENSSL_UNUSED static const uint32_t kP224FieldR[] = { + 0xffffffff, 0xffffffff, 0xffffffff, 0x00000000, 0x00000000, 0x00000000, + 0x00000000}; +OPENSSL_UNUSED static const uint32_t kP224FieldRR[] = { + 0x00000001, 0x00000000, 0x00000000, 0xfffffffe, 0xffffffff, 0xffffffff, + 0x00000000}; +OPENSSL_UNUSED static const uint32_t kP224OrderRR[] = { + 0x3ad01289, 0x6bdaae6c, 0x97a54552, 0x6ad09d91, 0xb1e97961, 0x1822bc47, + 0xd4baa4cf}; +OPENSSL_UNUSED static const uint32_t kP224MontB[] = { + 0xe768cdf7, 0xccf01310, 0x743b1cc0, 0xc8528150, 0x3dceba98, 0x7fc02f93, + 0x9c3fa633}; +OPENSSL_UNUSED static const uint32_t kP224MontGX[] = { + 0xbc905227, 0x6018bfaa, 
0xf22fe220, 0xf96bec04, 0x6dd3af9b, 0xa21b5e60, + 0x92f5b516}; +OPENSSL_UNUSED static const uint32_t kP224MontGY[] = { + 0x2edca1e6, 0x05335a6b, 0xe8c15513, 0x03dfe878, 0xaea9c5ae, 0x614786f1, + 0x100c1218}; +#else +#error "unknown word size" +#endif + +// P-256 +OPENSSL_UNUSED static const uint64_t kP256FieldN0 = 0x0000000000000001; +OPENSSL_UNUSED static const uint64_t kP256OrderN0 = 0xccd1c8aaee00bc4f; +#if defined(OPENSSL_64_BIT) +OPENSSL_UNUSED static const uint64_t kP256Field[] = { + 0xffffffffffffffff, 0x00000000ffffffff, 0x0000000000000000, + 0xffffffff00000001}; +OPENSSL_UNUSED static const uint64_t kP256Order[] = { + 0xf3b9cac2fc632551, 0xbce6faada7179e84, 0xffffffffffffffff, + 0xffffffff00000000}; +OPENSSL_UNUSED static const uint64_t kP256FieldR[] = { + 0x0000000000000001, 0xffffffff00000000, 0xffffffffffffffff, + 0x00000000fffffffe}; +OPENSSL_UNUSED static const uint64_t kP256FieldRR[] = { + 0x0000000000000003, 0xfffffffbffffffff, 0xfffffffffffffffe, + 0x00000004fffffffd}; +OPENSSL_UNUSED static const uint64_t kP256OrderRR[] = { + 0x83244c95be79eea2, 0x4699799c49bd6fa6, 0x2845b2392b6bec59, + 0x66e12d94f3d95620}; +OPENSSL_UNUSED static const uint64_t kP256MontB[] = { + 0xd89cdf6229c4bddf, 0xacf005cd78843090, 0xe5a220abf7212ed6, + 0xdc30061d04874834}; +OPENSSL_UNUSED static const uint64_t kP256MontGX[] = { + 0x79e730d418a9143c, 0x75ba95fc5fedb601, 0x79fb732b77622510, + 0x18905f76a53755c6}; +OPENSSL_UNUSED static const uint64_t kP256MontGY[] = { + 0xddf25357ce95560a, 0x8b4ab8e4ba19e45c, 0xd2e88688dd21f325, + 0x8571ff1825885d85}; +#elif defined(OPENSSL_32_BIT) +OPENSSL_UNUSED static const uint32_t kP256Field[] = { + 0xffffffff, 0xffffffff, 0xffffffff, 0x00000000, 0x00000000, 0x00000000, + 0x00000001, 0xffffffff}; +OPENSSL_UNUSED static const uint32_t kP256Order[] = { + 0xfc632551, 0xf3b9cac2, 0xa7179e84, 0xbce6faad, 0xffffffff, 0xffffffff, + 0x00000000, 0xffffffff}; +OPENSSL_UNUSED static const uint32_t kP256FieldR[] = { + 0x00000001, 0x00000000, 
0x00000000, 0xffffffff, 0xffffffff, 0xffffffff, + 0xfffffffe, 0x00000000}; +OPENSSL_UNUSED static const uint32_t kP256FieldRR[] = { + 0x00000003, 0x00000000, 0xffffffff, 0xfffffffb, 0xfffffffe, 0xffffffff, + 0xfffffffd, 0x00000004}; +OPENSSL_UNUSED static const uint32_t kP256OrderRR[] = { + 0xbe79eea2, 0x83244c95, 0x49bd6fa6, 0x4699799c, 0x2b6bec59, 0x2845b239, + 0xf3d95620, 0x66e12d94}; +OPENSSL_UNUSED static const uint32_t kP256MontB[] = { + 0x29c4bddf, 0xd89cdf62, 0x78843090, 0xacf005cd, 0xf7212ed6, 0xe5a220ab, + 0x04874834, 0xdc30061d}; +OPENSSL_UNUSED static const uint32_t kP256MontGX[] = { + 0x18a9143c, 0x79e730d4, 0x5fedb601, 0x75ba95fc, 0x77622510, 0x79fb732b, + 0xa53755c6, 0x18905f76}; +OPENSSL_UNUSED static const uint32_t kP256MontGY[] = { + 0xce95560a, 0xddf25357, 0xba19e45c, 0x8b4ab8e4, 0xdd21f325, 0xd2e88688, + 0x25885d85, 0x8571ff18}; +#else +#error "unknown word size" +#endif + +// P-384 +OPENSSL_UNUSED static const uint64_t kP384FieldN0 = 0x0000000100000001; +OPENSSL_UNUSED static const uint64_t kP384OrderN0 = 0x6ed46089e88fdc45; +#if defined(OPENSSL_64_BIT) +OPENSSL_UNUSED static const uint64_t kP384Field[] = { + 0x00000000ffffffff, 0xffffffff00000000, 0xfffffffffffffffe, + 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; +OPENSSL_UNUSED static const uint64_t kP384Order[] = { + 0xecec196accc52973, 0x581a0db248b0a77a, 0xc7634d81f4372ddf, + 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; +OPENSSL_UNUSED static const uint64_t kP384FieldR[] = { + 0xffffffff00000001, 0x00000000ffffffff, 0x0000000000000001, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000}; +OPENSSL_UNUSED static const uint64_t kP384FieldRR[] = { + 0xfffffffe00000001, 0x0000000200000000, 0xfffffffe00000000, + 0x0000000200000000, 0x0000000000000001, 0x0000000000000000}; +OPENSSL_UNUSED static const uint64_t kP384OrderRR[] = { + 0x2d319b2419b409a9, 0xff3d81e5df1aa419, 0xbc3e483afcb82947, + 0xd40d49174aab1cc5, 0x3fb05b7a28266895, 0x0c84ee012b39bf21}; 
+OPENSSL_UNUSED static const uint64_t kP384MontB[] = { + 0x081188719d412dcc, 0xf729add87a4c32ec, 0x77f2209b1920022e, + 0xe3374bee94938ae2, 0xb62b21f41f022094, 0xcd08114b604fbff9}; +OPENSSL_UNUSED static const uint64_t kP384MontGX[] = { + 0x3dd0756649c0b528, 0x20e378e2a0d6ce38, 0x879c3afc541b4d6e, + 0x6454868459a30eff, 0x812ff723614ede2b, 0x4d3aadc2299e1513}; +OPENSSL_UNUSED static const uint64_t kP384MontGY[] = { + 0x23043dad4b03a4fe, 0xa1bfa8bf7bb4a9ac, 0x8bade7562e83b050, + 0xc6c3521968f4ffd9, 0xdd8002263969a840, 0x2b78abc25a15c5e9}; +#elif defined(OPENSSL_32_BIT) +OPENSSL_UNUSED static const uint32_t kP384Field[] = { + 0xffffffff, 0x00000000, 0x00000000, 0xffffffff, 0xfffffffe, 0xffffffff, + 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff}; +OPENSSL_UNUSED static const uint32_t kP384Order[] = { + 0xccc52973, 0xecec196a, 0x48b0a77a, 0x581a0db2, 0xf4372ddf, 0xc7634d81, + 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff}; +OPENSSL_UNUSED static const uint32_t kP384FieldR[] = { + 0x00000001, 0xffffffff, 0xffffffff, 0x00000000, 0x00000001, 0x00000000, + 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000}; +OPENSSL_UNUSED static const uint32_t kP384FieldRR[] = { + 0x00000001, 0xfffffffe, 0x00000000, 0x00000002, 0x00000000, 0xfffffffe, + 0x00000000, 0x00000002, 0x00000001, 0x00000000, 0x00000000, 0x00000000}; +OPENSSL_UNUSED static const uint32_t kP384OrderRR[] = { + 0x19b409a9, 0x2d319b24, 0xdf1aa419, 0xff3d81e5, 0xfcb82947, 0xbc3e483a, + 0x4aab1cc5, 0xd40d4917, 0x28266895, 0x3fb05b7a, 0x2b39bf21, 0x0c84ee01}; +OPENSSL_UNUSED static const uint32_t kP384MontB[] = { + 0x9d412dcc, 0x08118871, 0x7a4c32ec, 0xf729add8, 0x1920022e, 0x77f2209b, + 0x94938ae2, 0xe3374bee, 0x1f022094, 0xb62b21f4, 0x604fbff9, 0xcd08114b}; +OPENSSL_UNUSED static const uint32_t kP384MontGX[] = { + 0x49c0b528, 0x3dd07566, 0xa0d6ce38, 0x20e378e2, 0x541b4d6e, 0x879c3afc, + 0x59a30eff, 0x64548684, 0x614ede2b, 0x812ff723, 0x299e1513, 
0x4d3aadc2}; +OPENSSL_UNUSED static const uint32_t kP384MontGY[] = { + 0x4b03a4fe, 0x23043dad, 0x7bb4a9ac, 0xa1bfa8bf, 0x2e83b050, 0x8bade756, + 0x68f4ffd9, 0xc6c35219, 0x3969a840, 0xdd800226, 0x5a15c5e9, 0x2b78abc2}; +#else +#error "unknown word size" +#endif + +// P-521 +OPENSSL_UNUSED static const uint64_t kP521FieldN0 = 0x0000000000000001; +OPENSSL_UNUSED static const uint64_t kP521OrderN0 = 0x1d2f5ccd79a995c7; +#if defined(OPENSSL_64_BIT) +OPENSSL_UNUSED static const uint64_t kP521Field[] = { + 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, + 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, + 0xffffffffffffffff, 0xffffffffffffffff, 0x00000000000001ff}; +OPENSSL_UNUSED static const uint64_t kP521Order[] = { + 0xbb6fb71e91386409, 0x3bb5c9b8899c47ae, 0x7fcc0148f709a5d0, + 0x51868783bf2f966b, 0xfffffffffffffffa, 0xffffffffffffffff, + 0xffffffffffffffff, 0xffffffffffffffff, 0x00000000000001ff}; +OPENSSL_UNUSED static const uint64_t kP521FieldR[] = { + 0x0080000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000}; +OPENSSL_UNUSED static const uint64_t kP521FieldRR[] = { + 0x0000000000000000, 0x0000400000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000, + 0x0000000000000000, 0x0000000000000000, 0x0000000000000000}; +OPENSSL_UNUSED static const uint64_t kP521OrderRR[] = { + 0x137cd04dcf15dd04, 0xf707badce5547ea3, 0x12a78d38794573ff, + 0xd3721ef557f75e06, 0xdd6e23d82e49c7db, 0xcff3d142b7756e3e, + 0x5bcc6d61a8e567bc, 0x2d8e03d1492d0d45, 0x000000000000003d}; +OPENSSL_UNUSED static const uint64_t kP521MontB[] = { + 0x8014654fae586387, 0x78f7a28fea35a81f, 0x839ab9efc41e961a, + 0xbd8b29605e9dd8df, 0xf0ab0c9ca8f63f49, 0xf9dc5a44c8c77884, + 0x77516d392dccd98a, 0x0fc94d10d05b42a0, 0x000000000000004d}; +OPENSSL_UNUSED static const uint64_t kP521MontGX[] = { + 0xb331a16381adc101, 
0x4dfcbf3f18e172de, 0x6f19a459e0c2b521, + 0x947f0ee093d17fd4, 0xdd50a5af3bf7f3ac, 0x90fc1457b035a69e, + 0x214e32409c829fda, 0xe6cf1f65b311cada, 0x0000000000000074}; +OPENSSL_UNUSED static const uint64_t kP521MontGY[] = { + 0x28460e4a5a9e268e, 0x20445f4a3b4fe8b3, 0xb09a9e3843513961, + 0x2062a85c809fd683, 0x164bf7394caf7a13, 0x340bd7de8b939f33, + 0xeccc7aa224abcda2, 0x022e452fda163e8d, 0x00000000000001e0}; +#elif defined(OPENSSL_32_BIT) +OPENSSL_UNUSED static const uint32_t kP521Field[] = { + 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, + 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, + 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x000001ff}; +OPENSSL_UNUSED static const uint32_t kP521Order[] = { + 0x91386409, 0xbb6fb71e, 0x899c47ae, 0x3bb5c9b8, 0xf709a5d0, 0x7fcc0148, + 0xbf2f966b, 0x51868783, 0xfffffffa, 0xffffffff, 0xffffffff, 0xffffffff, + 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x000001ff}; +OPENSSL_UNUSED static const uint32_t kP521FieldR[] = { + 0x00800000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, + 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, + 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000}; +OPENSSL_UNUSED static const uint32_t kP521FieldRR[] = { + 0x00000000, 0x00004000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, + 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, + 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000}; +OPENSSL_UNUSED static const uint32_t kP521OrderRR[] = { + 0x61c64ca7, 0x1163115a, 0x4374a642, 0x18354a56, 0x0791d9dc, 0x5d4dd6d3, + 0xd3402705, 0x4fb35b72, 0xb7756e3a, 0xcff3d142, 0xa8e567bc, 0x5bcc6d61, + 0x492d0d45, 0x2d8e03d1, 0x8c44383d, 0x5b5a3afe, 0x0000019a}; +OPENSSL_UNUSED static const uint32_t kP521MontB[] = { + 0x8014654f, 0xea35a81f, 0x78f7a28f, 0xc41e961a, 0x839ab9ef, 0x5e9dd8df, + 0xbd8b2960, 0xa8f63f49, 0xf0ab0c9c, 0xc8c77884, 0xf9dc5a44, 0x2dccd98a, + 0x77516d39, 
0xd05b42a0, 0x0fc94d10, 0xb0c70e4d, 0x0000015c}; +OPENSSL_UNUSED static const uint32_t kP521MontGX[] = { + 0xb331a163, 0x18e172de, 0x4dfcbf3f, 0xe0c2b521, 0x6f19a459, 0x93d17fd4, + 0x947f0ee0, 0x3bf7f3ac, 0xdd50a5af, 0xb035a69e, 0x90fc1457, 0x9c829fda, + 0x214e3240, 0xb311cada, 0xe6cf1f65, 0x5b820274, 0x00000103}; +OPENSSL_UNUSED static const uint32_t kP521MontGY[] = { + 0x28460e4a, 0x3b4fe8b3, 0x20445f4a, 0x43513961, 0xb09a9e38, 0x809fd683, + 0x2062a85c, 0x4caf7a13, 0x164bf739, 0x8b939f33, 0x340bd7de, 0x24abcda2, + 0xeccc7aa2, 0xda163e8d, 0x022e452f, 0x3c4d1de0, 0x000000b5}; +#else +#error "unknown word size" +#endif diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec.c index 82eedd63..ee17cb84 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec.c 
@@ -80,270 +80,147 @@ #include "../bn/internal.h" #include "../delocate.h" +#include "builtin_curves.h" -static void ec_point_free(EC_POINT *point, int free_group); - -static const uint8_t kP224Params[6 * 28] = { - // p = 2^224 - 2^96 + 1 - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, - // a - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, - // b - 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, - 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, - 0x23, 0x55, 0xFF, 0xB4, - // x - 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, - 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, - 0x11, 0x5C, 0x1D, 0x21, - // y - 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, - 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, - 0x85, 0x00, 0x7e, 0x34, - // order - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, - 0x5C, 0x5C, 0x2A, 0x3D, -}; - -static const uint8_t kP256Params[6 * 32] = { - // p = 2^256 - 2^224 + 2^192 + 2^96 - 1 - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - // a - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - // b - 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, - 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, - 0x3B, 0xCE, 0x3C, 0x3E, 
0x27, 0xD2, 0x60, 0x4B, - // x - 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, - 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, - 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, - // y - 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, - 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, - 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5, - // order - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, - 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51, -}; - -static const uint8_t kP384Params[6 * 48] = { - // p = 2^384 - 2^128 - 2^96 + 2^32 - 1 - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - // a - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC, - // b - 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, - 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, - 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, - 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF, - // x - 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, - 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, - 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, - 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7, - // y - 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 
0x5d, 0x9e, 0x98, 0xbf, - 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c, - 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce, - 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f, - // order - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2, - 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73, -}; - -static const uint8_t kP521Params[6 * 66] = { - // p = 2^521 - 1 - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - // a - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - // b - 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A, - 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3, - 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19, - 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1, - 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45, - 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00, - // x - 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E, - 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 
0x39, 0x05, 0x3F, - 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, - 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, - 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E, - 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66, - // y - 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, - 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, - 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, - 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, - 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, - 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, - // order - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86, - 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09, - 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F, - 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09, -}; - -DEFINE_METHOD_FUNCTION(struct built_in_curves, OPENSSL_built_in_curves) { - // 1.3.132.0.35 - static const uint8_t kOIDP521[] = {0x2b, 0x81, 0x04, 0x00, 0x23}; - out->curves[0].nid = NID_secp521r1; - out->curves[0].oid = kOIDP521; - out->curves[0].oid_len = sizeof(kOIDP521); - out->curves[0].comment = "NIST P-521"; - out->curves[0].param_len = 66; - out->curves[0].params = kP521Params; - out->curves[0].method = EC_GFp_mont_method(); - // 1.3.132.0.34 - static const uint8_t kOIDP384[] = {0x2b, 0x81, 0x04, 0x00, 0x22}; - out->curves[1].nid = NID_secp384r1; - out->curves[1].oid = kOIDP384; - out->curves[1].oid_len = sizeof(kOIDP384); - out->curves[1].comment = "NIST P-384"; - out->curves[1].param_len = 48; - out->curves[1].params = kP384Params; - out->curves[1].method = EC_GFp_mont_method(); +static void ec_point_free(EC_POINT *point, int free_group); - // 
1.2.840.10045.3.1.7 - static const uint8_t kOIDP256[] = {0x2a, 0x86, 0x48, 0xce, - 0x3d, 0x03, 0x01, 0x07}; - out->curves[2].nid = NID_X9_62_prime256v1; - out->curves[2].oid = kOIDP256; - out->curves[2].oid_len = sizeof(kOIDP256); - out->curves[2].comment = "NIST P-256"; - out->curves[2].param_len = 32; - out->curves[2].params = kP256Params; - out->curves[2].method = -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ - !defined(OPENSSL_SMALL) - EC_GFp_nistz256_method(); +static void ec_group_init_static_mont(BN_MONT_CTX *mont, size_t num_words, + const BN_ULONG *modulus, + const BN_ULONG *rr, uint64_t n0) { + bn_set_static_words(&mont->N, modulus, num_words); + bn_set_static_words(&mont->RR, rr, num_words); +#if defined(OPENSSL_64_BIT) + mont->n0[0] = n0; +#elif defined(OPENSSL_32_BIT) + mont->n0[0] = (uint32_t)n0; + mont->n0[1] = (uint32_t)(n0 >> 32); #else - EC_GFp_nistp256_method(); +#error "unknown word length" #endif +} +static void ec_group_set_a_minus3(EC_GROUP *group) { + const EC_FELEM *one = ec_felem_one(group); + group->a_is_minus3 = 1; + ec_felem_neg(group, &group->a, one); + ec_felem_sub(group, &group->a, &group->a, one); + ec_felem_sub(group, &group->a, &group->a, one); +} + +DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p224) { + out->curve_name = NID_secp224r1; + out->comment = "NIST P-224"; // 1.3.132.0.33 static const uint8_t kOIDP224[] = {0x2b, 0x81, 0x04, 0x00, 0x21}; - out->curves[3].nid = NID_secp224r1; - out->curves[3].oid = kOIDP224; - out->curves[3].oid_len = sizeof(kOIDP224); - out->curves[3].comment = "NIST P-224"; - out->curves[3].param_len = 28; - out->curves[3].params = kP224Params; - out->curves[3].method = + OPENSSL_memcpy(out->oid, kOIDP224, sizeof(kOIDP224)); + out->oid_len = sizeof(kOIDP224); + + ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP224Field), + kP224Field, kP224FieldRR, kP224FieldN0); + ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP224Order), + 
kP224Order, kP224OrderRR, kP224OrderN0); + #if defined(BORINGSSL_HAS_UINT128) && !defined(OPENSSL_SMALL) - EC_GFp_nistp224_method(); + out->meth = EC_GFp_nistp224_method(); + OPENSSL_memcpy(out->generator.raw.X.words, kP224GX, sizeof(kP224GX)); + OPENSSL_memcpy(out->generator.raw.Y.words, kP224GY, sizeof(kP224GY)); + out->generator.raw.Z.words[0] = 1; + OPENSSL_memcpy(out->b.words, kP224B, sizeof(kP224B)); #else - EC_GFp_mont_method(); + out->meth = EC_GFp_mont_method(); + OPENSSL_memcpy(out->generator.raw.X.words, kP224MontGX, sizeof(kP224MontGX)); + OPENSSL_memcpy(out->generator.raw.Y.words, kP224MontGY, sizeof(kP224MontGY)); + OPENSSL_memcpy(out->generator.raw.Z.words, kP224FieldR, sizeof(kP224FieldR)); + OPENSSL_memcpy(out->b.words, kP224MontB, sizeof(kP224MontB)); #endif -} - -EC_GROUP *ec_group_new(const EC_METHOD *meth) { - EC_GROUP *ret; - - if (meth == NULL) { - OPENSSL_PUT_ERROR(EC, EC_R_SLOT_FULL); - return NULL; - } + out->generator.group = out; - if (meth->group_init == 0) { - OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return NULL; - } - - ret = OPENSSL_malloc(sizeof(EC_GROUP)); - if (ret == NULL) { - return NULL; - } - OPENSSL_memset(ret, 0, sizeof(EC_GROUP)); - - ret->references = 1; - ret->meth = meth; - BN_init(&ret->order); - - if (!meth->group_init(ret)) { - OPENSSL_free(ret); - return NULL; - } - - return ret; + ec_group_set_a_minus3(out); + out->has_order = 1; + out->field_greater_than_order = 1; } -static int ec_group_set_generator(EC_GROUP *group, const EC_AFFINE *generator, - const BIGNUM *order) { - assert(group->generator == NULL); - - if (!BN_copy(&group->order, order)) { - return 0; - } - // Store the order in minimal form, so it can be used with |BN_ULONG| arrays. 
- bn_set_minimal_width(&group->order); +DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p256) { + out->curve_name = NID_X9_62_prime256v1; + out->comment = "NIST P-256"; + // 1.2.840.10045.3.1.7 + static const uint8_t kOIDP256[] = {0x2a, 0x86, 0x48, 0xce, + 0x3d, 0x03, 0x01, 0x07}; + OPENSSL_memcpy(out->oid, kOIDP256, sizeof(kOIDP256)); + out->oid_len = sizeof(kOIDP256); - BN_MONT_CTX_free(group->order_mont); - group->order_mont = BN_MONT_CTX_new_for_modulus(&group->order, NULL); - if (group->order_mont == NULL) { - return 0; - } + ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP256Field), + kP256Field, kP256FieldRR, kP256FieldN0); + ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP256Order), + kP256Order, kP256OrderRR, kP256OrderN0); - group->field_greater_than_order = BN_cmp(&group->field, order) > 0; - if (group->field_greater_than_order) { - BIGNUM tmp; - BN_init(&tmp); - int ok = - BN_sub(&tmp, &group->field, order) && - bn_copy_words(group->field_minus_order.words, group->field.width, &tmp); - BN_free(&tmp); - if (!ok) { - return 0; - } - } - - group->generator = EC_POINT_new(group); - if (group->generator == NULL) { - return 0; - } - ec_affine_to_jacobian(group, &group->generator->raw, generator); - assert(ec_felem_equal(group, &group->one, &group->generator->raw.Z)); +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ + !defined(OPENSSL_SMALL) + out->meth = EC_GFp_nistz256_method(); +#else + out->meth = EC_GFp_nistp256_method(); +#endif + out->generator.group = out; + OPENSSL_memcpy(out->generator.raw.X.words, kP256MontGX, sizeof(kP256MontGX)); + OPENSSL_memcpy(out->generator.raw.Y.words, kP256MontGY, sizeof(kP256MontGY)); + OPENSSL_memcpy(out->generator.raw.Z.words, kP256FieldR, sizeof(kP256FieldR)); + OPENSSL_memcpy(out->b.words, kP256MontB, sizeof(kP256MontB)); + + ec_group_set_a_minus3(out); + out->has_order = 1; + out->field_greater_than_order = 1; +} - // Avoid a reference cycle. 
|group->generator| does not maintain an owning - // pointer to |group|. - int is_zero = CRYPTO_refcount_dec_and_test_zero(&group->references); +DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p384) { + out->curve_name = NID_secp384r1; + out->comment = "NIST P-384"; + // 1.3.132.0.34 + static const uint8_t kOIDP384[] = {0x2b, 0x81, 0x04, 0x00, 0x22}; + OPENSSL_memcpy(out->oid, kOIDP384, sizeof(kOIDP384)); + out->oid_len = sizeof(kOIDP384); + + ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP384Field), + kP384Field, kP384FieldRR, kP384FieldN0); + ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP384Order), + kP384Order, kP384OrderRR, kP384OrderN0); + + out->meth = EC_GFp_mont_method(); + out->generator.group = out; + OPENSSL_memcpy(out->generator.raw.X.words, kP384MontGX, sizeof(kP384MontGX)); + OPENSSL_memcpy(out->generator.raw.Y.words, kP384MontGY, sizeof(kP384MontGY)); + OPENSSL_memcpy(out->generator.raw.Z.words, kP384FieldR, sizeof(kP384FieldR)); + OPENSSL_memcpy(out->b.words, kP384MontB, sizeof(kP384MontB)); + + ec_group_set_a_minus3(out); + out->has_order = 1; + out->field_greater_than_order = 1; +} - assert(!is_zero); - (void)is_zero; - return 1; +DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p521) { + out->curve_name = NID_secp521r1; + out->comment = "NIST P-521"; + // 1.3.132.0.35 + static const uint8_t kOIDP521[] = {0x2b, 0x81, 0x04, 0x00, 0x23}; + OPENSSL_memcpy(out->oid, kOIDP521, sizeof(kOIDP521)); + out->oid_len = sizeof(kOIDP521); + + ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP521Field), + kP521Field, kP521FieldRR, kP521FieldN0); + ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP521Order), + kP521Order, kP521OrderRR, kP521OrderN0); + + out->meth = EC_GFp_mont_method(); + out->generator.group = out; + OPENSSL_memcpy(out->generator.raw.X.words, kP521MontGX, sizeof(kP521MontGX)); + OPENSSL_memcpy(out->generator.raw.Y.words, kP521MontGY, sizeof(kP521MontGY)); + OPENSSL_memcpy(out->generator.raw.Z.words, kP521FieldR, 
sizeof(kP521FieldR)); + OPENSSL_memcpy(out->b.words, kP521MontB, sizeof(kP521MontB)); + + ec_group_set_a_minus3(out); + out->has_order = 1; + out->field_greater_than_order = 1; } EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, @@ -373,9 +250,16 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, goto err; } - ret = ec_group_new(EC_GFp_mont_method()); - if (ret == NULL || - !ret->meth->group_set_curve(ret, p, a_reduced, b_reduced, ctx)) { + ret = OPENSSL_zalloc(sizeof(EC_GROUP)); + if (ret == NULL) { + return NULL; + } + ret->references = 1; + ret->meth = EC_GFp_mont_method(); + bn_mont_ctx_init(&ret->field); + bn_mont_ctx_init(&ret->order); + ret->generator.group = ret; + if (!ec_GFp_simple_group_set_curve(ret, p, a_reduced, b_reduced, ctx)) { EC_GROUP_free(ret); ret = NULL; goto err; @@ -389,7 +273,7 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor) { - if (group->curve_name != NID_undef || group->generator != NULL || + if (group->curve_name != NID_undef || group->has_order || generator->group != group) { // |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by // |EC_GROUP_new_curve_GFp| and may only used once on each group. 
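Review bot: Every `OPENSSL_memcpy(out->generator.raw.X.words, kP256MontGX, sizeof(kP256MontGX))` in the new EC_group_p224/p256/p384/p521 initializers sizes the copy by the source constant, not by the destination, so a width mismatch between a table in builtin_curves.h and the `words` arrays (presumably fixed `BN_ULONG[EC_MAX_WORDS]`) would overflow the static EC_GROUP silently. A compile-time check beside the first copy in each initializer pins the invariant at no runtime cost, e.g. `OPENSSL_STATIC_ASSERT(sizeof(kP256MontGX) <= sizeof(out->generator.raw.X.words), "curve constant wider than EC_FELEM");`, and the same applies to the Y, Z and `b` copies. Separately, `ec_group_init_static_mont` fails with `"unknown word length"` while the header it consumes uses `"unknown word size"`; one wording would make the two guards greppable together.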
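Review bot: The new `if (ret == NULL) { return NULL; }` after `OPENSSL_zalloc` leaves EC_GROUP_new_curve_GFp without passing through `err:`, whereas both neighbouring failure paths (the `goto err;` at the top of the hunk and the one after `ec_GFp_simple_group_set_curve`) unwind through that label. If `err:` balances a BN_CTX_start or frees a BN_CTX the function created itself, as the earlier `goto err` suggests, the allocation-failure path now skips that cleanup; `if (ret == NULL) { goto err; }` keeps the single exit and returns NULL the same way, provided `err:` ends in `return ret`. The function's prologue and epilogue are outside the hunk, so this is inferred from the visible control flow rather than confirmed.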
@@ -421,17 +305,22 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, !BN_lshift1(tmp, order)) { goto err; } - if (BN_cmp(tmp, &group->field) <= 0) { + if (BN_cmp(tmp, &group->field.N) <= 0) { OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER); goto err; } EC_AFFINE affine; if (!ec_jacobian_to_affine(group, &affine, &generator->raw) || - !ec_group_set_generator(group, &affine, order)) { + !BN_MONT_CTX_set(&group->order, order, NULL)) { goto err; } + group->field_greater_than_order = BN_cmp(&group->field.N, order) > 0; + group->generator.raw.X = affine.X; + group->generator.raw.Y = affine.Y; + // |raw.Z| was set to 1 by |EC_GROUP_new_curve_GFp|. + group->has_order = 1; ret = 1; err: 
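Review bot: The comment `// |raw.Z| was set to 1 by |EC_GROUP_new_curve_GFp|.` names a function whose visible part of this patch only sets `ret->generator.group = ret;`; if the 1 is actually written inside `ec_GFp_simple_group_set_curve`, the comment should say so, e.g. `// |raw.Z| is already 1 in the field representation, set by |ec_GFp_simple_group_set_curve|.`, so the invariant can be located. The old ec_group_set_generator asserted this property; the cheap equivalent here is `assert(ec_felem_equal(group, ec_felem_one(group), &group->generator.raw.Z));` just before `group->has_order = 1;`. EC_GROUP_set_generator starts and ends outside the hunk.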
@@ -439,114 +328,20 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, return ret; } -static EC_GROUP *ec_group_new_from_data(const struct built_in_curve *curve) { - EC_GROUP *group = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *order = NULL; - int ok = 0; - - BN_CTX *ctx = BN_CTX_new(); - if (ctx == NULL) { - goto err; - } - - const unsigned param_len = curve->param_len; - const uint8_t *params = curve->params; - - if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) || - !(a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) || - !(b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) || - !(order = BN_bin2bn(params + 5 * param_len, param_len, NULL))) { - OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB); - goto err; - } - - group = ec_group_new(curve->method); - if (group == NULL || - !group->meth->group_set_curve(group, p, a, b, ctx)) { - OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); - goto err; - } - - EC_AFFINE G; - EC_FELEM x, y; - if (!ec_felem_from_bytes(group, &x, params + 3 * param_len, param_len) || - !ec_felem_from_bytes(group, &y, params + 4 * param_len, param_len) || - !ec_point_set_affine_coordinates(group, &G, &x, &y)) { - goto err; - } - - if (!ec_group_set_generator(group, &G, order)) { - goto err; - } - - ok = 1; - -err: - if (!ok) { - EC_GROUP_free(group); - group = NULL; - } - BN_CTX_free(ctx); - BN_free(p); - BN_free(a); - BN_free(b); - BN_free(order); - return group; -} - -// Built-in groups are allocated lazily and static once allocated. -// TODO(davidben): Make these actually static. https://crbug.com/boringssl/20. 
-struct built_in_groups_st { - EC_GROUP *groups[OPENSSL_NUM_BUILT_IN_CURVES]; -}; -DEFINE_BSS_GET(struct built_in_groups_st, built_in_groups) -DEFINE_STATIC_MUTEX(built_in_groups_lock) - EC_GROUP *EC_GROUP_new_by_curve_name(int nid) { - struct built_in_groups_st *groups = built_in_groups_bss_get(); - EC_GROUP **group_ptr = NULL; - const struct built_in_curves *const curves = OPENSSL_built_in_curves(); - const struct built_in_curve *curve = NULL; - for (size_t i = 0; i < OPENSSL_NUM_BUILT_IN_CURVES; i++) { - if (curves->curves[i].nid == nid) { - curve = &curves->curves[i]; - group_ptr = &groups->groups[i]; - break; - } - } - - if (curve == NULL) { - OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP); - return NULL; - } - - CRYPTO_STATIC_MUTEX_lock_read(built_in_groups_lock_bss_get()); - EC_GROUP *ret = *group_ptr; - CRYPTO_STATIC_MUTEX_unlock_read(built_in_groups_lock_bss_get()); - if (ret != NULL) { - return ret; - } - - ret = ec_group_new_from_data(curve); - if (ret == NULL) { - return NULL; - } - - EC_GROUP *to_free = NULL; - CRYPTO_STATIC_MUTEX_lock_write(built_in_groups_lock_bss_get()); - if (*group_ptr == NULL) { - *group_ptr = ret; - // Filling in |ret->curve_name| makes |EC_GROUP_free| and |EC_GROUP_dup| - // into no-ops. At this point, |ret| is considered static. - ret->curve_name = nid; - } else { - to_free = ret; - ret = *group_ptr; + switch (nid) { + case NID_secp224r1: + return (EC_GROUP *)EC_group_p224(); + case NID_X9_62_prime256v1: + return (EC_GROUP *)EC_group_p256(); + case NID_secp384r1: + return (EC_GROUP *)EC_group_p384(); + case NID_secp521r1: + return (EC_GROUP *)EC_group_p521(); + default: + OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP); + return NULL; } - CRYPTO_STATIC_MUTEX_unlock_write(built_in_groups_lock_bss_get()); - - EC_GROUP_free(to_free); - return ret; } void EC_GROUP_free(EC_GROUP *group) { 
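Review bot: The `(EC_GROUP *)EC_group_p224()` casts in the new `switch` of EC_GROUP_new_by_curve_name hand out const static objects through a mutable pointer, and the removed remark that filling in `curve_name` makes `EC_GROUP_free` and `EC_GROUP_dup` into no-ops was the only text explaining why a caller's later `EC_GROUP_free` on that pointer is safe. A comment above the `switch` would carry the contract forward: `// Built-in groups are static and immutable; EC_GROUP_free and EC_GROUP_dup treat a group with a non-NID_undef |curve_name| as a no-op, so the const cast never leads to a free.` If the free/dup no-op is gated on something other than `curve_name` after this change, the comment should name that instead.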
@@ -557,14 +352,8 @@ void EC_GROUP_free(EC_GROUP *group) { return; } - if (group->meth->group_finish != NULL) { - group->meth->group_finish(group); - } - - ec_point_free(group->generator, 0 /* don't free group */); - BN_free(&group->order); - BN_MONT_CTX_free(group->order_mont); - + bn_mont_ctx_cleanup(&group->order); + bn_mont_ctx_cleanup(&group->field); OPENSSL_free(group); } @@ -599,23 +388,22 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored) { // structure. If |a| or |b| is incomplete (due to legacy OpenSSL mistakes, // custom curve construction is sadly done in two parts) but otherwise not the // same object, we consider them always unequal. - return a->meth != b->meth || - a->generator == NULL || - b->generator == NULL || - BN_cmp(&a->order, &b->order) != 0 || - BN_cmp(&a->field, &b->field) != 0 || - !ec_felem_equal(a, &a->a, &b->a) || + return a->meth != b->meth || // + !a->has_order || !b->has_order || + BN_cmp(&a->order.N, &b->order.N) != 0 || + BN_cmp(&a->field.N, &b->field.N) != 0 || + !ec_felem_equal(a, &a->a, &b->a) || // !ec_felem_equal(a, &a->b, &b->b) || - !ec_GFp_simple_points_equal(a, &a->generator->raw, &b->generator->raw); + !ec_GFp_simple_points_equal(a, &a->generator.raw, &b->generator.raw); } const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) { - return group->generator; + return group->has_order ? &group->generator : NULL; } const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group) { - assert(!BN_is_zero(&group->order)); - return &group->order; + assert(group->has_order); + return &group->order.N; } int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) { @@ -626,7 +414,7 @@ int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) { } int EC_GROUP_order_bits(const EC_GROUP *group) { - return BN_num_bits(&group->order); + return BN_num_bits(&group->order.N); } int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, 
@@ -643,7 +431,7 @@ int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *out_p, BIGNUM *out_a, int EC_GROUP_get_curve_name(const EC_GROUP *group) { return group->curve_name; } unsigned EC_GROUP_get_degree(const EC_GROUP *group) { - return BN_num_bits(&group->field); + return BN_num_bits(&group->field.N); } const char *EC_curve_nid2nist(int nid) { @@ -805,7 +593,7 @@ void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out, const EC_AFFINE *p) { out->X = p->X; out->Y = p->Y; - out->Z = group->one; + out->Z = *ec_felem_one(group); } int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, @@ -842,10 +630,9 @@ int ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out, // return value by setting a known safe value. Note this may not be possible // if the caller is in the process of constructing an arbitrary group and // the generator is missing. - if (group->generator != NULL) { - assert(ec_felem_equal(group, &group->one, &group->generator->raw.Z)); - out->X = group->generator->raw.X; - out->Y = group->generator->raw.Y; + if (group->has_order) { + out->X = group->generator.raw.X; + out->Y = group->generator.raw.Y; } return 0; } @@ -931,11 +718,10 @@ static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, ERR_clear_error(); // This is an unusual input, so we do not guarantee constant-time processing. - const BIGNUM *order = &group->order; BN_CTX_start(ctx); BIGNUM *tmp = BN_CTX_get(ctx); int ok = tmp != NULL && - BN_nnmod(tmp, in, order, ctx) && + BN_nnmod(tmp, in, EC_GROUP_get0_order(group), ctx) && ec_bignum_to_scalar(group, out, tmp); BN_CTX_end(ctx); return ok; 
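Review bot: Dropping `assert(ec_felem_equal(group, &group->one, &group->generator->raw.Z))` from ec_point_set_affine_coordinates removes the only check that the "known safe value" copied on the error path is an affine point; with the static initializers now storing `kPxxxFieldR` (or `Z.words[0] = 1` for nistp224) in `generator.raw.Z`, a mistyped constant would go unnoticed. The check is still cheap with the new accessor: `assert(ec_felem_equal(group, ec_felem_one(group), &group->generator.raw.Z));` inside the `if (group->has_order)` branch. `ec_set_to_safe_point` in the later hunk copies the whole Jacobian point and would benefit from the same assertion.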
@@ -1193,7 +979,7 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
 //
 // Additionally, one can manually check this property for built-in curves. It
 // is enforced for legacy custom curves in |EC_GROUP_set_generator|.
- const BIGNUM *order = &group->order;
+ const BIGNUM *order = EC_GROUP_get0_order(group);
 BN_ULONG words[EC_MAX_WORDS + 1] = {0};
 bn_big_endian_to_words(words, order->width + 1, bytes, len);
 bn_reduce_once(out->words, words, /*carry=*/words[order->width], order->d,
@@ -1204,7 +990,7 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,
 int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
 size_t *out_len, size_t max_out,
 const EC_JACOBIAN *p) {
- size_t len = BN_num_bytes(&group->field);
+ size_t len = BN_num_bytes(&group->field.N);
 assert(len <= EC_MAX_BYTES);
 if (max_out < len) {
 OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);
@@ -1222,8 +1008,8 @@ int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,
 }
 void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out) {
- if (group->generator != NULL) {
- ec_GFp_simple_point_copy(out, &group->generator->raw);
+ if (group->has_order) {
+ ec_GFp_simple_point_copy(out, &group->generator.raw);
 } else {
 // The generator can be missing if the caller is in the process of
 // constructing an arbitrary group. In this case, we give up and use the
@@ -1255,16 +1041,3 @@ void EC_GROUP_set_point_conversion_form(EC_GROUP *group,
 abort();
 }
 }
-
-size_t EC_get_builtin_curves(EC_builtin_curve *out_curves,
- size_t max_num_curves) {
- const struct built_in_curves *const curves = OPENSSL_built_in_curves();
-
- for (size_t i = 0; i < max_num_curves && i < OPENSSL_NUM_BUILT_IN_CURVES;
- i++) {
- out_curves[i].comment = curves->curves[i].comment;
- out_curves[i].nid = curves->curves[i].nid;
- }
-
- return OPENSSL_NUM_BUILT_IN_CURVES;
-}
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_key.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_key.c
index 59f26187..62a0d2d9 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_key.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_key.c
@@ -86,15 +86,14 @@ DEFINE_STATIC_EX_DATA_CLASS(g_ec_ex_data_class)
 static EC_WRAPPED_SCALAR *ec_wrapped_scalar_new(const EC_GROUP *group) {
- EC_WRAPPED_SCALAR *wrapped = OPENSSL_malloc(sizeof(EC_WRAPPED_SCALAR));
+ EC_WRAPPED_SCALAR *wrapped = OPENSSL_zalloc(sizeof(EC_WRAPPED_SCALAR));
 if (wrapped == NULL) {
 return NULL;
 }
- OPENSSL_memset(wrapped, 0, sizeof(EC_WRAPPED_SCALAR));
 wrapped->bignum.d = wrapped->scalar.words;
- wrapped->bignum.width = group->order.width;
- wrapped->bignum.dmax = group->order.width;
+ wrapped->bignum.width = group->order.N.width;
+ wrapped->bignum.dmax = group->order.N.width;
 wrapped->bignum.flags = BN_FLG_STATIC_DATA;
 return wrapped;
 }
@@ -106,13 +105,11 @@ static void ec_wrapped_scalar_free(EC_WRAPPED_SCALAR *scalar) {
 EC_KEY *EC_KEY_new(void) { return EC_KEY_new_method(NULL); }
 EC_KEY *EC_KEY_new_method(const ENGINE *engine) {
- EC_KEY *ret = OPENSSL_malloc(sizeof(EC_KEY));
+ EC_KEY *ret = OPENSSL_zalloc(sizeof(EC_KEY));
 if (ret == NULL) {
 return NULL;
 }
- OPENSSL_memset(ret, 0, sizeof(EC_KEY));
-
 if (engine) {
 ret->ecdsa_meth = ENGINE_get_ECDSA_method(engine);
 }
@@ -166,12 +163,12 @@ void EC_KEY_free(EC_KEY *r) {
 METHOD_unref(r->ecdsa_meth);
 }
+ CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);
+
 EC_GROUP_free(r->group);
 EC_POINT_free(r->pub_key);
 ec_wrapped_scalar_free(r->priv_key);
- CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);
-
 OPENSSL_free(r);
 }
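Review bot: Moving `CRYPTO_free_ex_data` ahead of `EC_GROUP_free`/`EC_POINT_free`/`ec_wrapped_scalar_free` in `EC_KEY_free` changes what ex_data free callbacks observe — they now run while the key's group, public point and private scalar are still intact — but nothing in the hunk records that this ordering is deliberate. A one-line comment would stop a later tidy-up from putting the call back at the end, e.g. `// Free ex_data first so its callbacks still see a fully-formed key.` (the motive is presumably that callbacks may inspect the key; confirm against the upstream change). The start of `EC_KEY_free`, including the refcount drop and NULL check, lies outside this hunk.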
@@ -317,8 +314,10 @@ int EC_KEY_check_key(const EC_KEY *eckey) {
 OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);
 return 0;
 }
- if (!ec_GFp_simple_points_equal(eckey->group, &point,
- &eckey->pub_key->raw)) {
+ // Leaking this comparison only leaks whether |eckey|'s public key was
+ // correct.
+ if (!constant_time_declassify_int(ec_GFp_simple_points_equal(
+ eckey->group, &point, &eckey->pub_key->raw))) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_PRIVATE_KEY);
 return 0;
 }
@@ -485,7 +484,7 @@ int EC_KEY_generate_key(EC_KEY *key) {
 }
 // Check that the group order is FIPS compliant (FIPS 186-4 B.4.2).
- if (BN_num_bits(EC_GROUP_get0_order(key->group)) < 160) {
+ if (EC_GROUP_order_bits(key->group) < 160) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);
 return 0;
 }
@@ -503,6 +502,14 @@ int EC_KEY_generate_key(EC_KEY *key) {
 return 0;
 }
+ // The public key is derived from the private key, but it is public.
+ //
+ // TODO(crbug.com/boringssl/677): This isn't quite right. While |pub_key|
+ // represents a public point, it is still in Jacobian form and the exact
+ // Jacobian representation is secret. We need to make it affine first. See
+ // discussion in the bug.
+ CONSTTIME_DECLASSIFY(&pub_key->raw, sizeof(pub_key->raw));
+
 ec_wrapped_scalar_free(key->priv_key);
 key->priv_key = priv_key;
 EC_POINT_free(key->pub_key);
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_montgomery.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_montgomery.c
index e285bd40..44b831a6 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_montgomery.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_montgomery.c
@@ -76,67 +76,35 @@
 #include "internal.h"
-int ec_GFp_mont_group_init(EC_GROUP *group) {
- int ok;
-
- ok = ec_GFp_simple_group_init(group);
- group->mont = NULL;
- return ok;
-}
-
-void ec_GFp_mont_group_finish(EC_GROUP *group) {
- BN_MONT_CTX_free(group->mont);
- group->mont = NULL;
- ec_GFp_simple_group_finish(group);
-}
-
-int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p,
- const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {
- BN_MONT_CTX_free(group->mont);
- group->mont = BN_MONT_CTX_new_for_modulus(p, ctx);
- if (group->mont == NULL) {
- OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);
- return 0;
- }
-
- if (!ec_GFp_simple_group_set_curve(group, p, a, b, ctx)) {
- BN_MONT_CTX_free(group->mont);
- group->mont = NULL;
- return 0;
- }
-
- return 1;
-}
-
 static void ec_GFp_mont_felem_to_montgomery(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *in) {
- bn_to_montgomery_small(out->words, in->words, group->field.width,
- group->mont);
+ bn_to_montgomery_small(out->words, in->words, group->field.N.width,
+ &group->field);
 }
 static void ec_GFp_mont_felem_from_montgomery(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *in) {
- bn_from_montgomery_small(out->words, group->field.width, in->words,
- group->field.width, group->mont);
+ bn_from_montgomery_small(out->words, group->field.N.width, in->words,
+ group->field.N.width, &group->field);
 }
 static void ec_GFp_mont_felem_inv0(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a) {
- bn_mod_inverse0_prime_mont_small(out->words, a->words, group->field.width,
- group->mont);
+ bn_mod_inverse0_prime_mont_small(out->words, a->words, group->field.N.width,
+ &group->field);
 }
 void ec_GFp_mont_felem_mul(const EC_GROUP *group, EC_FELEM *r, const EC_FELEM *a, const EC_FELEM *b) {
- bn_mod_mul_montgomery_small(r->words, a->words, b->words, group->field.width,
- group->mont);
+ bn_mod_mul_montgomery_small(r->words, a->words, b->words,
+ group->field.N.width, &group->field);
 }
 void ec_GFp_mont_felem_sqr(const
EC_GROUP *group, EC_FELEM *r, const EC_FELEM *a) {
- bn_mod_mul_montgomery_small(r->words, a->words, a->words, group->field.width,
- group->mont);
+ bn_mod_mul_montgomery_small(r->words, a->words, a->words,
+ group->field.N.width, &group->field);
 }
 void ec_GFp_mont_felem_to_bytes(const EC_GROUP *group, uint8_t *out,
@@ -159,8 +127,8 @@ int ec_GFp_mont_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,
 void ec_GFp_mont_felem_reduce(const EC_GROUP *group, EC_FELEM *out,
 const BN_ULONG *words, size_t num) {
 // Convert "from" Montgomery form so the value is reduced mod p.
- bn_from_montgomery_small(out->words, group->field.width, words, num,
- group->mont);
+ bn_from_montgomery_small(out->words, group->field.N.width, words, num,
+ &group->field);
 // Convert "to" Montgomery form to remove the R^-1 factor added.
 ec_GFp_mont_felem_to_montgomery(group, out, out);
 // Convert to Montgomery form to match this implementation's representation.
@@ -170,8 +138,8 @@ void ec_GFp_mont_felem_reduce(const EC_GROUP *group, EC_FELEM *out,
 void ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, const BN_ULONG *exp, size_t num_exp) {
- bn_mod_exp_mont_small(out->words, a->words, group->field.width, exp, num_exp,
- group->mont);
+ bn_mod_exp_mont_small(out->words, a->words, group->field.N.width, exp,
+ num_exp, &group->field);
 }
 static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,
@@ -457,7 +425,7 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
 const EC_JACOBIAN *p, const EC_SCALAR *r) {
 if (!group->field_greater_than_order ||
- group->field.width != group->order.width) {
+ group->field.N.width != group->order.N.width) {
 // Do not bother optimizing this case. p > order in all commonly-used
 // curves.
 return ec_GFp_simple_cmp_x_coordinate(group, p, r);
@@ -473,7 +441,7 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
 EC_FELEM r_Z2, Z2_mont, X;
 ec_GFp_mont_felem_mul(group, &Z2_mont, &p->Z, &p->Z);
 // r < order < p, so this is valid.
- OPENSSL_memcpy(r_Z2.words, r->words, group->field.width * sizeof(BN_ULONG));
+ OPENSSL_memcpy(r_Z2.words, r->words, group->field.N.width * sizeof(BN_ULONG));
 ec_GFp_mont_felem_mul(group, &r_Z2, &r_Z2, &Z2_mont);
 ec_GFp_mont_felem_from_montgomery(group, &X, &p->X);
@@ -485,10 +453,11 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
 // Therefore there is a small possibility, less than 1/2^128, that group_order
 // < p.x < P. in that case we need not only to compare against |r| but also to
 // compare against r+group_order.
- if (bn_less_than_words(r->words, group->field_minus_order.words,
- group->field.width)) {
- // We can ignore the carry because: r + group_order < p < 2^256.
- bn_add_words(r_Z2.words, r->words, group->order.d, group->field.width);
+ BN_ULONG carry = bn_add_words(r_Z2.words, r->words, group->order.N.d,
+ group->field.N.width);
+ if (carry == 0 &&
+ bn_less_than_words(r_Z2.words, group->field.N.d, group->field.N.width)) {
+ // r + group_order < p, so compare (r + group_order) * Z^2 against X.
 ec_GFp_mont_felem_mul(group, &r_Z2, &r_Z2, &Z2_mont);
 if (ec_felem_equal(group, &r_Z2, &X)) {
 return 1;
@@ -499,9 +468,6 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,
 }
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_mont_method) {
- out->group_init = ec_GFp_mont_group_init;
- out->group_finish = ec_GFp_mont_group_finish;
- out->group_set_curve = ec_GFp_mont_group_set_curve;
 out->point_get_affine_coordinates = ec_GFp_mont_point_get_affine_coordinates;
 out->jacobian_to_affine_batch = ec_GFp_mont_jacobian_to_affine_batch;
 out->add = ec_GFp_mont_add;
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/felem.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/felem.c
index 1b01d3db..652e258d 100644
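Review bot: The new `r + order < p` test in `ec_GFp_mont_cmp_x_coordinate` reads `group->order.N.d` with `group->field.N.width` words, which is in bounds only because the function's earlier `field.N.width != order.N.width` bail-out (previous hunk) forces the two widths to agree; the same pattern recurs in `ecp_nistz256_cmp_x_coordinate` (p256-nistz.c) and `ec_GFp_nistp256_cmp_x_coordinate` (p256.c), where an `assert` that disappears in release builds plays that role. A comment at the add would tie the read to its guard, e.g. `// |order| and |field| have the same width here (checked above), so reading |order.N.d| with the field width is in bounds.` The carry check itself is a sound replacement for the old `field_minus_order` comparison, since it handles `r + order` overflowing the word width instead of relying on `p < 2^256`. The branch on `carry` and the comparison depends only on `r` and curve constants; the internal.h hunk states `|p|` is public and `r` is presumably public as well (a signature value), so the data-dependent branch is acceptable but deserves a word in the comment.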
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/felem.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/felem.c
@@ -23,12 +23,16 @@
 #include "../../internal.h"
+const EC_FELEM *ec_felem_one(const EC_GROUP *group) {
+ // We reuse generator.Z as a cache for 1 in the field.
+ return &group->generator.raw.Z;
+}
+
 int ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in) {
 uint8_t bytes[EC_MAX_BYTES];
- size_t len = BN_num_bytes(&group->field);
+ size_t len = BN_num_bytes(&group->field.N);
 assert(sizeof(bytes) >= len);
- if (BN_is_negative(in) ||
- BN_cmp(in, &group->field) >= 0 ||
+ if (BN_is_negative(in) || BN_cmp(in, &group->field.N) >= 0 ||
 !BN_bn2bin_padded(bytes, len, in)) {
 OPENSSL_PUT_ERROR(EC, EC_R_COORDINATES_OUT_OF_RANGE);
 return 0;
@@ -57,11 +61,11 @@ int ec_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, const uint8_t *in,
 void ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a) {
 // -a is zero if a is zero and p-a otherwise.
 BN_ULONG mask = ec_felem_non_zero_mask(group, a);
- BN_ULONG borrow =
- bn_sub_words(out->words, group->field.d, a->words, group->field.width);
+ BN_ULONG borrow = bn_sub_words(out->words, group->field.N.d, a->words,
+ group->field.N.width);
 assert(borrow == 0);
 (void)borrow;
- for (int i = 0; i < group->field.width; i++) {
+ for (int i = 0; i < group->field.N.width; i++) {
 out->words[i] &= mask;
 }
 }
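Review bot: `ec_felem_one` aliases the field constant one to `group->generator.raw.Z`, so every caller that copies `*ec_felem_one(group)` (for instance `ec_affine_to_jacobian` in the ec.c hunks) now depends on that coordinate never being written after `ec_group_new` sets it — an invariant that is stated in the `struct ec_group_st` comment in internal.h but not here, where the dependency is created. The inline comment should name it so a later change to how the generator is stored does not silently corrupt the constant: `// Relies on |generator.raw.Z| being set to one by |ec_group_new| and never written afterwards; see |struct ec_group_st| in internal.h.` `ec_group_new` is outside this diff, so whether Z is initialized before `has_order` is set cannot be confirmed from these hunks.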
@@ -69,20 +73,20 @@ void ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a) {
 void ec_felem_add(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, const EC_FELEM *b) {
 EC_FELEM tmp;
- bn_mod_add_words(out->words, a->words, b->words, group->field.d, tmp.words,
- group->field.width);
+ bn_mod_add_words(out->words, a->words, b->words, group->field.N.d, tmp.words,
+ group->field.N.width);
 }
 void ec_felem_sub(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, const EC_FELEM *b) {
 EC_FELEM tmp;
- bn_mod_sub_words(out->words, a->words, b->words, group->field.d, tmp.words,
- group->field.width);
+ bn_mod_sub_words(out->words, a->words, b->words, group->field.N.d, tmp.words,
+ group->field.N.width);
 }
 BN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a) {
 BN_ULONG mask = 0;
- for (int i = 0; i < group->field.width; i++) {
+ for (int i = 0; i < group->field.N.width; i++) {
 mask |= a->words[i];
 }
 return ~constant_time_is_zero_w(mask);
@@ -90,11 +94,11 @@ BN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a) {
 void ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask, const EC_FELEM *a, const EC_FELEM *b) {
- bn_select_words(out->words, mask, a->words, b->words, group->field.width);
+ bn_select_words(out->words, mask, a->words, b->words, group->field.N.width);
 }
 int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b) {
 return CRYPTO_memcmp(a->words, b->words,
- group->field.width * sizeof(BN_ULONG)) == 0;
+ group->field.N.width * sizeof(BN_ULONG)) == 0;
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/internal.h
index 3bdb9cfb..3a88a753 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/internal.h
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/internal.h
@@ -197,6 +197,9 @@ typedef struct {
 BN_ULONG words[EC_MAX_WORDS];
 } EC_FELEM;
+// ec_felem_one returns one in |group|'s field.
+const EC_FELEM *ec_felem_one(const EC_GROUP *group);
+
 // ec_bignum_to_felem converts |in| to an |EC_FELEM|. It returns one on success
 // and zero if |in| is out of range.
 int ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in);
@@ -421,7 +424,7 @@ void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask,
 // ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group
 // order, with |r|. It returns one if the values match and zero if |p| is the
-// point at infinity of the values do not match.
+// point at infinity of the values do not match. |p| is treated as public.
 int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, const EC_SCALAR *r);
@@ -472,11 +475,6 @@ int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a,
 // Implementation details.
 struct ec_method_st {
- int (*group_init)(EC_GROUP *);
- void (*group_finish)(EC_GROUP *);
- int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
-
 // point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates
 // of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success
 // and zero if |p| is the point at infinity. It leaks whether |p| was the
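Review bot: The rewritten comment on `ec_cmp_x_coordinate` carries over the typo from the line it replaces — `point at infinity of the values do not match` should read `point at infinity or the values do not match` — and since the line is already being edited this is the moment to correct it. The appended `|p| is treated as public.` would also be more useful if it said what that licenses, e.g. `|p| is treated as public, so implementations may branch on it.`, but only if that is the intended contract; the header alone does not establish it, and the `ec_GFp_mont_cmp_x_coordinate` hunk is the only visible implementation that branches on the comparison result.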
@@ -588,60 +586,54 @@ struct ec_method_st {
 const EC_METHOD *EC_GFp_mont_method(void);
+struct ec_point_st {
+ // group is an owning reference to |group|, unless this is
+ // |group->generator|.
+ EC_GROUP *group;
+ // raw is the group-specific point data. Functions that take |EC_POINT|
+ // typically check consistency with |EC_GROUP| while functions that take
+ // |EC_JACOBIAN| do not. Thus accesses to this field should be externally
+ // checked for consistency.
+ EC_JACOBIAN raw;
+} /* EC_POINT */;
+
 struct ec_group_st {
 const EC_METHOD *meth;
 // Unlike all other |EC_POINT|s, |generator| does not own |generator->group|
 // to avoid a reference cycle. Additionally, Z is guaranteed to be one, so X
- // and Y are suitable for use as an |EC_AFFINE|.
- EC_POINT *generator;
- BIGNUM order;
-
- int curve_name; // optional NID for named curve
+ // and Y are suitable for use as an |EC_AFFINE|. Before |has_order| is set, Z
+ // is one, but X and Y are uninitialized.
+ EC_POINT generator;
- BN_MONT_CTX *order_mont; // data for ECDSA inverse
+ BN_MONT_CTX order;
+ BN_MONT_CTX field;
- // The following members are handled by the method functions,
- // even if they appear generic
+ EC_FELEM a, b; // Curve coefficients.
- BIGNUM field; // For curves over GF(p), this is the modulus.
+ // comment is a human-readable string describing the curve.
+ const char *comment;
- EC_FELEM a, b; // Curve coefficients.
+ int curve_name; // optional NID for named curve
+ uint8_t oid[9];
+ uint8_t oid_len;
 // a_is_minus3 is one if |a| is -3 mod |field| and zero otherwise. Point
 // arithmetic is optimized for -3.
 int a_is_minus3;
+ // has_order is one if |generator| and |order| have been initialized.
+ int has_order;
+
 // field_greater_than_order is one if |field| is greate than |order| and zero
 // otherwise.
 int field_greater_than_order;
- // field_minus_order, if |field_greater_than_order| is true, is |field| minus
- // |order| represented as an |EC_FELEM|. Otherwise, it is zero.
- //
- // Note: unlike |EC_FELEM|s used as intermediate values internal to the
- // |EC_METHOD|, this value is not encoded in Montgomery form.
- EC_FELEM field_minus_order;
-
 CRYPTO_refcount_t references;
-
- BN_MONT_CTX *mont; // Montgomery structure.
-
- EC_FELEM one; // The value one.
 } /* EC_GROUP */;
-struct ec_point_st {
- // group is an owning reference to |group|, unless this is
- // |group->generator|.
- EC_GROUP *group;
- // raw is the group-specific point data. Functions that take |EC_POINT|
- // typically check consistency with |EC_GROUP| while functions that take
- // |EC_JACOBIAN| do not. Thus accesses to this field should be externally
- // checked for consistency.
- EC_JACOBIAN raw;
-} /* EC_POINT */;
-
-EC_GROUP *ec_group_new(const EC_METHOD *meth);
+EC_GROUP *ec_group_new(const EC_METHOD *meth, const BIGNUM *p, const BIGNUM *a,
+ const BIGNUM *b, BN_CTX *ctx);
 void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p, const EC_SCALAR *scalar);
@@ -680,8 +672,6 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
 const EC_SCALAR *scalars, size_t num);
 // method functions in simple.c
-int ec_GFp_simple_group_init(EC_GROUP *);
-void ec_GFp_simple_group_finish(EC_GROUP *);
 int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
 int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
@@ -713,10 +703,6 @@ int ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,
 const uint8_t *in, size_t len);
 // method functions in montgomery.c
-int ec_GFp_mont_group_init(EC_GROUP *);
-int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
- const BIGNUM *b, BN_CTX *);
-void ec_GFp_mont_group_finish(EC_GROUP *);
 void ec_GFp_mont_felem_mul(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a, const EC_FELEM *b);
 void ec_GFp_mont_felem_sqr(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a);
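Review bot: The new `uint8_t oid[9];` and `uint8_t oid_len;` members of `struct ec_group_st` are the only fields in the rewritten struct without a comment, and `9` is an unexplained bound, whereas the neighbouring `comment`, `has_order` and `a_is_minus3` fields all get one. A line such as `// oid is the DER-encoded curve OID, |oid_len| bytes long; 9 bytes covers every supported curve.` would do — the encoding and the reason for 9 are inferred from the `const uint8_t *oid; uint8_t oid_len;` pair in the `built_in_curve` struct this replaces, so check them against `ec_group_new`, which is outside this diff. While the surrounding lines are being edited, the context line `is greate than |order|` above `field_greater_than_order` is a typo for `greater` that could be fixed in the same hunk. The widened `ec_group_new` prototype at the end of the hunk also has no comment saying that it now initializes `field` from `p` and the curve coefficients from `a`/`b`, which callers of the old one-argument form will want to know.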
@@ -762,31 +748,6 @@ struct ec_key_st {
 CRYPTO_EX_DATA ex_data;
 } /* EC_KEY */;
-struct built_in_curve {
- int nid;
- const uint8_t *oid;
- uint8_t oid_len;
- // comment is a human-readable string describing the curve.
- const char *comment;
- // param_len is the number of bytes needed to store a field element.
- uint8_t param_len;
- // params points to an array of 6*|param_len| bytes which hold the field
- // elements of the following (in big-endian order): prime, a, b, generator x,
- // generator y, order.
- const uint8_t *params;
- const EC_METHOD *method;
-};
-
-#define OPENSSL_NUM_BUILT_IN_CURVES 4
-
-struct built_in_curves {
- struct built_in_curve curves[OPENSSL_NUM_BUILT_IN_CURVES];
-};
-
-// OPENSSL_built_in_curves returns a pointer to static information about
-// standard curves. The array is terminated with an entry where |nid| is
-// |NID_undef|.
-const struct built_in_curves *OPENSSL_built_in_curves(void);
 #if defined(__cplusplus)
 } // extern C
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/oct.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/oct.c
index 5dbe910e..8b254fb8 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/oct.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/oct.c
@@ -80,7 +80,7 @@ size_t ec_point_byte_len(const EC_GROUP *group, point_conversion_form_t form) {
 return 0;
 }
- const size_t field_len = BN_num_bytes(&group->field);
+ const size_t field_len = BN_num_bytes(&group->field.N);
 size_t output_len = 1 /* type byte */ + field_len;
 if (form == POINT_CONVERSION_UNCOMPRESSED) {
 // Uncompressed points have a second coordinate.
@@ -100,11 +100,11 @@ size_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point,
 size_t field_len;
 ec_felem_to_bytes(group, buf + 1, &field_len, &point->X);
- assert(field_len == BN_num_bytes(&group->field));
+ assert(field_len == BN_num_bytes(&group->field.N));
 if (form == POINT_CONVERSION_UNCOMPRESSED) {
 ec_felem_to_bytes(group, buf + 1 + field_len, &field_len, &point->Y);
- assert(field_len == BN_num_bytes(&group->field));
+ assert(field_len == BN_num_bytes(&group->field.N));
 buf[0] = form;
 } else {
 uint8_t y_buf[EC_MAX_BYTES];
@@ -117,7 +117,7 @@ size_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point,
 int ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out, const uint8_t *in, size_t len) {
- const size_t field_len = BN_num_bytes(&group->field);
+ const size_t field_len = BN_num_bytes(&group->field.N);
 if (len != 1 + 2 * field_len || in[0] != POINT_CONVERSION_UNCOMPRESSED) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING);
 return 0;
@@ -155,7 +155,7 @@ static int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 }
 const int y_bit = form & 1;
- const size_t field_len = BN_num_bytes(&group->field);
+ const size_t field_len = BN_num_bytes(&group->field.N);
 form = form & ~1u;
 if (form != POINT_CONVERSION_COMPRESSED || len != 1 /* type byte */ + field_len) {
@@ -182,7 +182,7 @@ static int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
 if (x == NULL || !BN_bin2bn(buf + 1, field_len, x)) {
 goto err;
 }
- if (BN_ucmp(x, &group->field) >= 0) {
+ if (BN_ucmp(x, &group->field.N) >= 0) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING);
 goto err;
 }
@@ -260,7 +260,8 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
 return 0;
 }
- if (BN_is_negative(x) || BN_cmp(x, &group->field) >= 0) {
+ const BIGNUM *field = &group->field.N;
+ if (BN_is_negative(x) || BN_cmp(x, field) >= 0) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSED_POINT);
 return 0;
 }
@@ -295,31 +296,31 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
 // so y is one of the square roots of x^3 + a*x + b.
 // tmp1 := x^3
- if (!BN_mod_sqr(tmp2, x, &group->field, ctx) ||
- !BN_mod_mul(tmp1, tmp2, x, &group->field, ctx)) {
+ if (!BN_mod_sqr(tmp2, x, field, ctx) ||
+ !BN_mod_mul(tmp1, tmp2, x, field, ctx)) {
 goto err;
 }
 // tmp1 := tmp1 + a*x
 if (group->a_is_minus3) {
- if (!bn_mod_lshift1_consttime(tmp2, x, &group->field, ctx) ||
- !bn_mod_add_consttime(tmp2, tmp2, x, &group->field, ctx) ||
- !bn_mod_sub_consttime(tmp1, tmp1, tmp2, &group->field, ctx)) {
+ if (!bn_mod_lshift1_consttime(tmp2, x, field, ctx) ||
+ !bn_mod_add_consttime(tmp2, tmp2, x, field, ctx) ||
+ !bn_mod_sub_consttime(tmp1, tmp1, tmp2, field, ctx)) {
 goto err;
 }
 } else {
- if (!BN_mod_mul(tmp2, a, x, &group->field, ctx) ||
- !bn_mod_add_consttime(tmp1, tmp1, tmp2, &group->field, ctx)) {
+ if (!BN_mod_mul(tmp2, a, x, field, ctx) ||
+ !bn_mod_add_consttime(tmp1, tmp1, tmp2, field, ctx)) {
 goto err;
 }
 }
 // tmp1 := tmp1 + b
- if (!bn_mod_add_consttime(tmp1, tmp1, b, &group->field, ctx)) {
+ if (!bn_mod_add_consttime(tmp1, tmp1, b, field, ctx)) {
 goto err;
 }
- if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) {
+ if (!BN_mod_sqrt(y, tmp1, field, ctx)) {
 uint32_t err = ERR_peek_last_error();
 if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
@@ -336,7 +337,7 @@ int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT);
 goto err;
 }
- if (!BN_usub(y, &group->field, y)) {
+ if (!BN_usub(y, field, y)) {
 goto err;
 }
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p224-64.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p224-64.c
index 416619bf..9d4aafdc 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p224-64.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p224-64.c
@@ -24,6 +24,7 @@
 #include
 #include
+#include
 #include
 #include "internal.h"
@@ -836,12 +837,12 @@ static void p224_select_point(const uint64_t idx, size_t size,
 for (size_t i = 0; i < size; i++) {
 const p224_limb *inlimbs = &pre_comp[i][0][0];
- uint64_t mask = i ^ idx;
- mask |= mask >> 4;
- mask |= mask >> 2;
- mask |= mask >> 1;
- mask &= 1;
- mask--;
+ static_assert(sizeof(uint64_t) <= sizeof(crypto_word_t),
+ "crypto_word_t too small");
+ static_assert(sizeof(size_t) <= sizeof(crypto_word_t),
+ "crypto_word_t too small");
+ // Without a value barrier, Clang adds a branch here.
+ uint64_t mask = value_barrier_w(constant_time_eq_w(i, idx));
 for (size_t j = 0; j < 4 * 3; j++) {
 outlimbs[j] |= inlimbs[j] & mask;
 }
@@ -1142,9 +1143,6 @@ static void ec_GFp_nistp224_felem_sqr(const EC_GROUP *group, EC_FELEM *r,
 }
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp224_method) {
- out->group_init = ec_GFp_simple_group_init;
- out->group_finish = ec_GFp_simple_group_finish;
- out->group_set_curve = ec_GFp_simple_group_set_curve;
 out->point_get_affine_coordinates = ec_GFp_nistp224_point_get_affine_coordinates;
 out->add = ec_GFp_nistp224_add;
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.c
index 0dbd0f51..bd121ed5 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.c
@@ -191,7 +191,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
 const EC_SCALAR *p_scalar) {
 assert(p != NULL);
 assert(p_scalar != NULL);
- assert(group->field.width == P256_LIMBS);
+ assert(group->field.N.width == P256_LIMBS);
 static const size_t kWindowSize = 5;
 static const crypto_word_t kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;
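Review bot: The two `static_assert`s added inside the loop body of `p224_select_point` are compile-time checks that do not depend on the loop, so placing them there reads as if they guard each iteration; hoisting them above the `for` (or to file scope) states the intent better and leaves the loop body as just the constant-time selection. The mask rewrite itself is sound — `value_barrier_w(constant_time_eq_w(i, idx))` replaces the hand-rolled `mask--` trick with the shared helper, and the comment records why the barrier is needed. The asserts are what make `constant_time_eq_w(i, idx)` lossless (a `uint64_t` `idx` and a `size_t` `i` must fit in `crypto_word_t`), so if they are moved keep them next to that line or mention them in its comment, e.g. `// Both operands fit in crypto_word_t; see the static_asserts above.` The signature of `p224_select_point` continues outside the hunk.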
@@ -208,7 +208,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,
 // not stored. All other values are actually stored with an offset of -1 in
 // table.
 P256_POINT *row = table;
- assert(group->field.width == P256_LIMBS);
+ assert(group->field.N.width == P256_LIMBS);
 OPENSSL_memcpy(row[1 - 1].X, p->X.words, P256_LIMBS * sizeof(BN_ULONG));
 OPENSSL_memcpy(row[1 - 1].Y, p->Y.words, P256_LIMBS * sizeof(BN_ULONG));
 OPENSSL_memcpy(row[1 - 1].Z, p->Z.words, P256_LIMBS * sizeof(BN_ULONG));
@@ -305,7 +305,7 @@ static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 alignas(32) P256_POINT out;
 ecp_nistz256_windowed_mul(group, &out, p, scalar);
- assert(group->field.width == P256_LIMBS);
+ assert(group->field.N.width == P256_LIMBS);
 OPENSSL_memcpy(r->X.words, out.X, P256_LIMBS * sizeof(BN_ULONG));
 OPENSSL_memcpy(r->Y.words, out.Y, P256_LIMBS * sizeof(BN_ULONG));
 OPENSSL_memcpy(r->Z.words, out.Z, P256_LIMBS * sizeof(BN_ULONG));
@@ -349,7 +349,7 @@ static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
 ecp_nistz256_point_add_affine(&p, &p, &t);
 }
- assert(group->field.width == P256_LIMBS);
+ assert(group->field.N.width == P256_LIMBS);
 OPENSSL_memcpy(r->X.words, p.X, P256_LIMBS * sizeof(BN_ULONG));
 OPENSSL_memcpy(r->Y.words, p.Y, P256_LIMBS * sizeof(BN_ULONG));
 OPENSSL_memcpy(r->Z.words, p.Z, P256_LIMBS * sizeof(BN_ULONG));
@@ -413,7 +413,7 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group,
 ecp_nistz256_windowed_mul(group, &tmp, p_, p_scalar);
 ecp_nistz256_point_add(&p, &p, &tmp);
- assert(group->field.width == P256_LIMBS);
+ assert(group->field.N.width == P256_LIMBS);
 OPENSSL_memcpy(r->X.words, p.X, P256_LIMBS * sizeof(BN_ULONG));
 OPENSSL_memcpy(r->Y.words, p.Y, P256_LIMBS * sizeof(BN_ULONG));
 OPENSSL_memcpy(r->Z.words, p.Z, P256_LIMBS * sizeof(BN_ULONG));
@@ -429,7 +429,7 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group,
 }
 BN_ULONG z_inv2[P256_LIMBS];
- assert(group->field.width == P256_LIMBS);
+ assert(group->field.N.width == P256_LIMBS);
 ecp_nistz256_mod_inverse_sqr_mont(z_inv2, point->Z.words);
 if (x != NULL) {
@@ -563,8 +563,8 @@ static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
 }
 #endif
- assert(group->order.width == P256_LIMBS);
- if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.d)) {
+ assert(group->order.N.width == P256_LIMBS);
+ if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.N.d)) {
 return 0;
 }
@@ -580,8 +580,8 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
 return 0;
 }
- assert(group->order.width == P256_LIMBS);
- assert(group->field.width == P256_LIMBS);
+ assert(group->order.N.width == P256_LIMBS);
+ assert(group->field.N.width == P256_LIMBS);
 // We wish to compare X/Z^2 with r. This is equivalent to comparing X with
 // r*Z^2. Note that X and Z are represented in Montgomery form, while r is
@@ -599,10 +599,9 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
 // Therefore there is a small possibility, less than 1/2^128, that group_order
 // < p.x < P. in that case we need not only to compare against |r| but also to
 // compare against r+group_order.
- if (bn_less_than_words(r->words, group->field_minus_order.words,
- P256_LIMBS)) {
- // We can ignore the carry because: r + group_order < p < 2^256.
- bn_add_words(r_Z2, r->words, group->order.d, P256_LIMBS);
+ BN_ULONG carry = bn_add_words(r_Z2, r->words, group->order.N.d, P256_LIMBS);
+ if (carry == 0 && bn_less_than_words(r_Z2, group->field.N.d, P256_LIMBS)) {
+ // r + group_order < p, so compare (r + group_order) * Z^2 against X.
 ecp_nistz256_mul_mont(r_Z2, r_Z2, Z2_mont);
 if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) {
 return 1;
@@ -613,9 +612,6 @@ static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,
 }
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) {
- out->group_init = ec_GFp_mont_group_init;
- out->group_finish = ec_GFp_mont_group_finish;
- out->group_set_curve = ec_GFp_mont_group_set_curve;
 out->point_get_affine_coordinates = ecp_nistz256_get_affine;
 out->add = ecp_nistz256_add;
 out->dbl = ecp_nistz256_dbl;
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256.c
index 6d9c6034..c929972c 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256.c
@@ -710,12 +710,12 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
 // Therefore there is a small possibility, less than 1/2^128, that group_order
 // < p.x < P. in that case we need not only to compare against |r| but also to
 // compare against r+group_order.
- assert(group->field.width == group->order.width);
- if (bn_less_than_words(r->words, group->field_minus_order.words,
- group->field.width)) {
- // We can ignore the carry because: r + group_order < p < 2^256.
- EC_FELEM tmp;
- bn_add_words(tmp.words, r->words, group->order.d, group->order.width);
+ assert(group->field.N.width == group->order.N.width);
+ EC_FELEM tmp;
+ BN_ULONG carry =
+ bn_add_words(tmp.words, r->words, group->order.N.d, group->field.N.width);
+ if (carry == 0 &&
+ bn_less_than_words(tmp.words, group->field.N.d, group->field.N.width)) {
 fiat_p256_from_generic(r_Z2, &tmp);
 fiat_p256_mul(r_Z2, r_Z2, Z2_mont);
 if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {
@@ -727,9 +727,6 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,
 }
 
 DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {
- out->group_init = ec_GFp_mont_group_init;
- out->group_finish = ec_GFp_mont_group_finish;
- out->group_set_curve = ec_GFp_mont_group_set_curve;
 out->point_get_affine_coordinates =
 ec_GFp_nistp256_point_get_affine_coordinates;
 out->add = ec_GFp_nistp256_add;
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/scalar.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/scalar.c
index 71c801b8..4d0d947b 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/scalar.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/scalar.c
@@ -23,8 +23,8 @@ int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
 const BIGNUM *in) {
- if (!bn_copy_words(out->words, group->order.width, in) ||
- !bn_less_than_words(out->words, group->order.d, group->order.width)) {
+ if (!bn_copy_words(out->words, group->order.N.width, in) ||
+ !bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
 return 0;
 }
@@ -34,12 +34,12 @@ int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
 int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a,
 const EC_SCALAR *b) {
 return OPENSSL_memcmp(a->words, b->words,
- group->order.width * sizeof(BN_ULONG)) == 0;
+ group->order.N.width * sizeof(BN_ULONG)) == 0;
 }
 
 int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
 BN_ULONG mask = 0;
- for (int i = 0; i < group->order.width; i++) {
+ for (int i = 0; i < group->order.N.width; i++) {
 mask |= a->words[i];
 }
 return mask == 0;
@@ -47,27 +47,27 @@ int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {
 
 int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
 const uint8_t additional_data[32]) {
- return bn_rand_range_words(out->words, 1, group->order.d, group->order.width,
- additional_data);
+ return bn_rand_range_words(out->words, 1, group->order.N.d,
+ group->order.N.width, additional_data);
 }
 
 void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len,
 const EC_SCALAR *in) {
- size_t len = BN_num_bytes(&group->order);
- bn_words_to_big_endian(out, len, in->words, group->order.width);
+ size_t len = BN_num_bytes(&group->order.N);
+ bn_words_to_big_endian(out, len, in->words, group->order.N.width);
 *out_len = len;
 }
 
 int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
 const uint8_t *in, size_t len) {
- if (len != BN_num_bytes(&group->order)) {
+ if (len != BN_num_bytes(&group->order.N)) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
 return 0;
 }
 
- bn_big_endian_to_words(out->words, group->order.width, in, len);
+ bn_big_endian_to_words(out->words, group->order.N.width, in, len);
 
- if (!bn_less_than_words(out->words, group->order.d, group->order.width)) {
+ if (!bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) {
 OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);
 return 0;
 }
@@ -78,15 +78,15 @@ int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,
 void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out,
 const BN_ULONG *words, size_t num) {
 // Convert "from" Montgomery form so the value is reduced modulo the order.
- bn_from_montgomery_small(out->words, group->order.width, words, num,
- group->order_mont);
+ bn_from_montgomery_small(out->words, group->order.N.width, words, num,
+ &group->order);
 // Convert "to" Montgomery form to remove the R^-1 factor added.
 ec_scalar_to_montgomery(group, out, out);
 }
 
 void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
 const EC_SCALAR *b) {
- const BIGNUM *order = &group->order;
+ const BIGNUM *order = &group->order.N;
 BN_ULONG tmp[EC_MAX_WORDS];
 bn_mod_add_words(r->words, a->words, b->words, order->d, tmp, order->width);
 OPENSSL_cleanse(tmp, sizeof(tmp));
@@ -94,7 +94,7 @@ void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
 
 void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,
 const EC_SCALAR *b) {
- const BIGNUM *order = &group->order;
+ const BIGNUM *order = &group->order.N;
 BN_ULONG tmp[EC_MAX_WORDS];
 bn_mod_sub_words(r->words, a->words, b->words, order->d, tmp, order->width);
 OPENSSL_cleanse(tmp, sizeof(tmp));
@@ -108,35 +108,35 @@ void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a) {
 
 void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask,
 const EC_SCALAR *a, const EC_SCALAR *b) {
- const BIGNUM *order = &group->order;
+ const BIGNUM *order = &group->order.N;
 bn_select_words(out->words, mask, a->words, b->words, order->width);
 }
 
 void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r,
 const EC_SCALAR *a) {
- const BIGNUM *order = &group->order;
- bn_to_montgomery_small(r->words, a->words, order->width, group->order_mont);
+ const BIGNUM *order = &group->order.N;
+ bn_to_montgomery_small(r->words, a->words, order->width, &group->order);
 }
 
 void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r,
 const EC_SCALAR *a) {
- const BIGNUM *order = &group->order;
+ const BIGNUM *order = &group->order.N;
 bn_from_montgomery_small(r->words, order->width, a->words, order->width,
- group->order_mont);
+ &group->order);
 }
 
 void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r,
 const EC_SCALAR *a, const EC_SCALAR *b) {
- const BIGNUM *order = &group->order;
+ const BIGNUM *order = &group->order.N;
 bn_mod_mul_montgomery_small(r->words, a->words, b->words, order->width,
- group->order_mont);
+ &group->order);
 }
 
 void ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,
 const EC_SCALAR *a) {
- const BIGNUM *order = &group->order;
+ const BIGNUM *order = &group->order.N;
 bn_mod_inverse0_prime_mont_small(r->words, a->words, order->width,
- group->order_mont);
+ &group->order);
 }
 
 int ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple.c
index 8d87ce80..8060c709 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple.c
@@ -88,16 +88,6 @@
 // used, it is a Montgomery representation (i.e. 'encoding' means multiplying
 // by some factor R).
 
-int ec_GFp_simple_group_init(EC_GROUP *group) {
- BN_init(&group->field);
- group->a_is_minus3 = 0;
- return 1;
-}
-
-void ec_GFp_simple_group_finish(EC_GROUP *group) {
- BN_free(&group->field);
-}
-
 int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
 const BIGNUM *a, const BIGNUM *b,
 BN_CTX *ctx) {
@@ -114,17 +104,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
 goto err;
 }
 
- // group->field
- if (!BN_copy(&group->field, p)) {
- goto err;
- }
- BN_set_negative(&group->field, 0);
- // Store the field in minimal form, so it can be used with |BN_ULONG| arrays.
- bn_set_minimal_width(&group->field);
-
- if (!ec_bignum_to_felem(group, &group->a, a) ||
+ if (!BN_MONT_CTX_set(&group->field, p, ctx) ||
+ !ec_bignum_to_felem(group, &group->a, a) ||
 !ec_bignum_to_felem(group, &group->b, b) ||
- !ec_bignum_to_felem(group, &group->one, BN_value_one())) {
+ // Reuse Z from the generator to cache the value one.
+ !ec_bignum_to_felem(group, &group->generator.raw.Z, BN_value_one())) {
 goto err;
 }
 
@@ -133,7 +117,7 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
 !BN_add_word(tmp, 3)) {
 goto err;
 }
- group->a_is_minus3 = (0 == BN_cmp(tmp, &group->field));
+ group->a_is_minus3 = (0 == BN_cmp(tmp, &group->field.N));
 
 ret = 1;
 
@@ -144,7 +128,7 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,
 
 int ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
 BIGNUM *b) {
- if ((p != NULL && !BN_copy(p, &group->field)) ||
+ if ((p != NULL && !BN_copy(p, &group->field.N)) ||
 (a != NULL && !ec_felem_to_bignum(group, a, &group->a)) ||
 (b != NULL && !ec_felem_to_bignum(group, b, &group->b))) {
 return 0;
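Review bot: The `// Reuse Z from the generator to cache the value one.` comment added to ec_GFp_simple_group_set_curve leaves the invariant it depends on implicit: writing one into `group->generator.raw.Z` is only sound if the generator is always kept with Z == 1 and no later set-generator path overwrites that slot, and ec_felem_one(group) (used in simple_mul.c in this same commit) presumably reads it. Suggest stating that in place: `// The generator is kept with Z == 1, so its Z coordinate doubles as the cached value one read by ec_felem_one(); anything that writes generator.raw.Z must preserve this.` Also worth confirming that BN_MONT_CTX_set rejects a negative or even p, since the removed BN_set_negative/bn_set_minimal_width normalization no longer runs and the only remaining validation is whatever precedes the `goto err;` at the top of the hunk. ec_GFp_simple_group_set_curve begins and ends outside the hunk.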
@@ -329,21 +313,21 @@ int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,
 
 void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out,
 size_t *out_len, const EC_FELEM *in) {
- size_t len = BN_num_bytes(&group->field);
- bn_words_to_big_endian(out, len, in->words, group->field.width);
+ size_t len = BN_num_bytes(&group->field.N);
+ bn_words_to_big_endian(out, len, in->words, group->field.N.width);
 *out_len = len;
 }
 
 int ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,
 const uint8_t *in, size_t len) {
- if (len != BN_num_bytes(&group->field)) {
+ if (len != BN_num_bytes(&group->field.N)) {
 OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);
 return 0;
 }
 
- bn_big_endian_to_words(out->words, group->field.width, in, len);
+ bn_big_endian_to_words(out->words, group->field.N.width, in, len);
 
- if (!bn_less_than_words(out->words, group->field.d, group->field.width)) {
+ if (!bn_less_than_words(out->words, group->field.N.d, group->field.N.width)) {
 OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);
 return 0;
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple_mul.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple_mul.c
index 34c925f6..427fb1fd 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple_mul.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple_mul.c
@@ -40,7 +40,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 }
 
 // Divide bits in |scalar| into windows.
- unsigned bits = BN_num_bits(&group->order);
+ unsigned bits = EC_GROUP_order_bits(group);
 int r_is_at_infinity = 1;
 for (unsigned i = bits - 1; i < bits; i--) {
 if (!r_is_at_infinity) {
@@ -48,7 +48,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 }
 if (i % 5 == 0) {
 // Compute the next window value.
- const size_t width = group->order.width;
+ const size_t width = group->order.N.width;
 uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 4;
 window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 3;
 window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 2;
@@ -78,7 +78,7 @@ void ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,
 
 void ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,
 const EC_SCALAR *scalar) {
- ec_GFp_mont_mul(group, r, &group->generator->raw, scalar);
+ ec_GFp_mont_mul(group, r, &group->generator.raw, scalar);
 }
 
 static void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_JACOBIAN *out,
@@ -99,7 +99,7 @@ static void ec_GFp_mont_batch_get_window(const EC_GROUP *group,
 EC_JACOBIAN *out,
 const EC_JACOBIAN precomp[17],
 const EC_SCALAR *scalar, unsigned i) {
- const size_t width = group->order.width;
+ const size_t width = group->order.N.width;
 uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 5;
 window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 4;
 window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 3;
@@ -138,7 +138,7 @@ void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
 }
 
 // Divide bits in |scalar| into windows.
- unsigned bits = BN_num_bits(&group->order);
+ unsigned bits = EC_GROUP_order_bits(group);
 int r_is_at_infinity = 1;
 for (unsigned i = bits; i <= bits; i--) {
 if (!r_is_at_infinity) {
@@ -169,7 +169,7 @@ void ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,
 }
 
 static unsigned ec_GFp_mont_comb_stride(const EC_GROUP *group) {
- return (BN_num_bits(&group->field) + EC_MONT_PRECOMP_COMB_SIZE - 1) /
+ return (EC_GROUP_get_degree(group) + EC_MONT_PRECOMP_COMB_SIZE - 1) /
 EC_MONT_PRECOMP_COMB_SIZE;
 }
 
@@ -212,7 +212,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
 EC_JACOBIAN *out,
 const EC_PRECOMP *precomp,
 const EC_SCALAR *scalar, unsigned i) {
- const size_t width = group->order.width;
+ const size_t width = group->order.N.width;
 unsigned stride = ec_GFp_mont_comb_stride(group);
 // Select the bits corresponding to the comb shifted up by |i|.
 unsigned window = 0;
@@ -230,7 +230,7 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group,
 ec_felem_select(group, &out->Y, match, &precomp->comb[j].Y, &out->Y);
 }
 BN_ULONG is_infinity = constant_time_is_zero_w(window);
- ec_felem_select(group, &out->Z, is_infinity, &out->Z, &group->one);
+ ec_felem_select(group, &out->Z, is_infinity, &out->Z, ec_felem_one(group));
 }
 
 void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r,
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/wnaf.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/wnaf.c
index 436ffe55..65f430ec 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/wnaf.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/wnaf.c
@@ -138,8 +138,8 @@ void ec_compute_wNAF(const EC_GROUP *group, int8_t *out,
 // we shift and add at most one copy of |bit|, this will continue to hold
 // afterwards.
 window_val >>= 1;
- window_val +=
- bit * bn_is_bit_set_words(scalar->words, group->order.width, j + w + 1);
+ window_val += bit * bn_is_bit_set_words(scalar->words, group->order.N.width,
+ j + w + 1);
 assert(window_val <= next_bit);
 }
 
@@ -183,7 +183,7 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
 const EC_SCALAR *g_scalar, const EC_JACOBIAN *points,
 const EC_SCALAR *scalars, size_t num) {
- size_t bits = BN_num_bits(&group->order);
+ size_t bits = EC_GROUP_order_bits(group);
 size_t wNAF_len = bits + 1;
 int ret = 0;
@@ -197,13 +197,8 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
 wNAF = wNAF_stack;
 precomp = precomp_stack;
 } else {
- if (num >= ((size_t)-1) / sizeof(wNAF_alloc[0]) ||
- num >= ((size_t)-1) / sizeof(precomp_alloc[0])) {
- OPENSSL_PUT_ERROR(EC, ERR_R_OVERFLOW);
- goto err;
- }
- wNAF_alloc = OPENSSL_malloc(num * sizeof(wNAF_alloc[0]));
- precomp_alloc = OPENSSL_malloc(num * sizeof(precomp_alloc[0]));
+ wNAF_alloc = OPENSSL_calloc(num, sizeof(wNAF_alloc[0]));
+ precomp_alloc = OPENSSL_calloc(num, sizeof(precomp_alloc[0]));
 if (wNAF_alloc == NULL || precomp_alloc == NULL) {
 goto err;
 }
@@ -214,7 +209,7 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,
 int8_t g_wNAF[EC_MAX_BYTES * 8 + 1];
 EC_JACOBIAN g_precomp[EC_WNAF_TABLE_SIZE];
 assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF));
- const EC_JACOBIAN *g = &group->generator->raw;
+ const EC_JACOBIAN *g = &group->generator.raw;
 if (g_scalar != NULL) {
 ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS);
 compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE);
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c
index 366615dd..daa87e49 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c
@@ -71,7 +71,7 @@
 // ECDSA.
 static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
 const uint8_t *digest, size_t digest_len) {
- const BIGNUM *order = &group->order;
+ const BIGNUM *order = EC_GROUP_get0_order(group);
 size_t num_bits = BN_num_bits(order);
 // Need to truncate digest if it is too long: first truncate whole bytes.
 size_t num_bytes = (num_bits + 7) / 8;
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-armv4-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-armv4-ios.ios.arm.S
index 9a967a0e..56663108 100644
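Review bot: In the `} else {` branch of ec_GFp_mont_mul_public_batch, dropping the explicit `num >= ((size_t)-1) / sizeof(...)` checks moves overflow detection of `num * sizeof` into OPENSSL_calloc, but the surviving `goto err;` on NULL no longer queues ERR_R_OVERFLOW, so a caller that inspects the error queue sees whatever OPENSSL_calloc reports (presumably a malloc failure) rather than an overflow. If that distinction is not needed, a comment on the new lines would at least make the reliance explicit, e.g. `// OPENSSL_calloc checks num * sizeof for overflow and zero-fills.`; otherwise re-add `OPENSSL_PUT_ERROR(EC, ERR_R_OVERFLOW);` before the existing `goto err;`. Note also that calloc zero-fills both arrays, which is harmless for the wNAF and precomp buffers but adds a memset proportional to num that the old OPENSSL_malloc path did not have. ec_GFp_mont_mul_public_batch begins and ends outside the hunk.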
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-armv4-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-armv4-ios.ios.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) #include @ Silence ARMv8 deprecated IT instruction warnings. This file is used by both @@ -257,11 +249,7 @@ Lgmult_neon: .byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-armv4-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-armv4-linux.linux.arm.S index ce4f6381..7fb8e451 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-armv4-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-armv4-linux.linux.arm.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) #include @ Silence ARMv8 deprecated IT instruction warnings. This file is used by both @@ -251,11 +243,7 @@ gcm_ghash_neon: .byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-neon-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-neon-armv8-ios.ios.aarch64.S index 1ce9d45f..ca5baa4b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-neon-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-neon-armv8-ios.ios.aarch64.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include .text @@ -342,11 +334,7 @@ Lmasks: .byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,100,101,114,105,118,101,100,32,102,114,111,109,32,65,82,77,118,52,32,118,101,114,115,105,111,110,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-neon-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-neon-armv8-linux.linux.aarch64.S index 6c62c593..a5743530 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-neon-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-neon-armv8-linux.linux.aarch64.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include .text @@ -342,11 +334,7 @@ gcm_ghash_neon: .byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,100,101,114,105,118,101,100,32,102,114,111,109,32,65,82,77,118,52,32,118,101,114,115,105,111,110,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86-linux.linux.x86.S index 5ad69e49..3bf1f510 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86-linux.linux.x86.S 
@@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl gcm_gmult_ssse3 .hidden gcm_gmult_ssse3 @@ -298,11 +291,7 @@ gcm_ghash_ssse3: .align 16 .Llow4_mask: .long 252645135,252645135,252645135,252645135 -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-linux.linux.x86_64.S index 1c5ca41e..506fb75a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text 
@@ -26,6 +19,7 @@ gcm_gmult_ssse3: .cfi_startproc +_CET_ENDBR movdqu (%rdi),%xmm0 movdqa .Lreverse_bytes(%rip),%xmm10 movdqa .Llow4_mask(%rip),%xmm2 @@ -200,7 +194,7 @@ gcm_gmult_ssse3: pxor %xmm4,%xmm4 pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_gmult_ssse3,.-gcm_gmult_ssse3 @@ -216,6 +210,7 @@ gcm_gmult_ssse3: gcm_ghash_ssse3: .cfi_startproc +_CET_ENDBR movdqu (%rdi),%xmm0 movdqa .Lreverse_bytes(%rip),%xmm10 movdqa .Llow4_mask(%rip),%xmm11 @@ -412,7 +407,7 @@ gcm_ghash_ssse3: pxor %xmm4,%xmm4 pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_ghash_ssse3,.-gcm_ghash_ssse3 @@ -428,10 +423,6 @@ gcm_ghash_ssse3: .quad 0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-mac.mac.x86_64.S index da6a7726..9a0d6744 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text @@ -26,6 +19,7 @@ _gcm_gmult_ssse3: +_CET_ENDBR movdqu (%rdi),%xmm0 movdqa L$reverse_bytes(%rip),%xmm10 movdqa L$low4_mask(%rip),%xmm2 
@@ -200,7 +194,7 @@ L$oop_row_3: pxor %xmm4,%xmm4 pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret @@ -216,6 +210,7 @@ L$oop_row_3: _gcm_ghash_ssse3: +_CET_ENDBR movdqu (%rdi),%xmm0 movdqa L$reverse_bytes(%rip),%xmm10 movdqa L$low4_mask(%rip),%xmm11 @@ -412,7 +407,7 @@ L$oop_row_6: pxor %xmm4,%xmm4 pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret @@ -428,10 +423,6 @@ L$low4_mask: .quad 0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86-linux.linux.x86.S index d568b702..3768cb64 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86-linux.linux.x86.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl gcm_init_clmul .hidden gcm_init_clmul 
@@ -334,11 +327,7 @@ gcm_ghash_clmul: .byte 82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112 .byte 112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62 .byte 0 -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64-linux.linux.x86_64.S index 0b5d1dc8..0fe90477 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64-linux.linux.x86_64.S @@ -3,19 +3,10 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P .globl gcm_init_clmul .hidden gcm_init_clmul .type gcm_init_clmul,@function @@ -23,6 +14,7 @@ gcm_init_clmul: .cfi_startproc +_CET_ENDBR .L_init_clmul: movdqu (%rsi),%xmm2 pshufd $78,%xmm2,%xmm2 @@ -173,7 +165,7 @@ gcm_init_clmul: movdqu %xmm0,64(%rdi) .byte 102,15,58,15,227,8 movdqu %xmm4,80(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_init_clmul,.-gcm_init_clmul 
@@ -183,6 +175,7 @@ gcm_init_clmul: .align 16 gcm_gmult_clmul: .cfi_startproc +_CET_ENDBR .L_gmult_clmul: movdqu (%rdi),%xmm0 movdqa .Lbswap_mask(%rip),%xmm5 @@ -228,7 +221,7 @@ gcm_gmult_clmul: pxor %xmm1,%xmm0 .byte 102,15,56,0,197 movdqu %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_gmult_clmul,.-gcm_gmult_clmul .globl gcm_ghash_clmul @@ -238,6 +231,7 @@ gcm_gmult_clmul: gcm_ghash_clmul: .cfi_startproc +_CET_ENDBR .L_ghash_clmul: movdqa .Lbswap_mask(%rip),%xmm10 @@ -250,15 +244,9 @@ gcm_ghash_clmul: jz .Lodd_tail movdqu 16(%rsi),%xmm6 - leaq OPENSSL_ia32cap_P(%rip),%rax - movl 4(%rax),%eax cmpq $0x30,%rcx jb .Lskip4x - andl $71303168,%eax - cmpl $4194304,%eax - je .Lskip4x - subq $0x30,%rcx movq $0xA040608020C0E000,%rax movdqu 48(%rsi),%xmm14 @@ -616,7 +604,7 @@ gcm_ghash_clmul: .Ldone: .byte 102,65,15,56,0,194 movdqu %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_ghash_clmul,.-gcm_ghash_clmul @@ -626,6 +614,7 @@ gcm_ghash_clmul: .align 32 gcm_init_avx: .cfi_startproc +_CET_ENDBR vzeroupper vmovdqu (%rsi),%xmm2 @@ -727,7 +716,7 @@ gcm_init_avx: vmovdqu %xmm5,-16(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_init_avx,.-gcm_init_avx @@ -737,6 +726,7 @@ gcm_init_avx: .align 32 gcm_gmult_avx: .cfi_startproc +_CET_ENDBR jmp .L_gmult_clmul .cfi_endproc .size gcm_gmult_avx,.-gcm_gmult_avx @@ -746,6 +736,7 @@ gcm_gmult_avx: .align 32 gcm_ghash_avx: .cfi_startproc +_CET_ENDBR vzeroupper vmovdqu (%rdi),%xmm10 @@ -1116,7 +1107,7 @@ gcm_ghash_avx: vpshufb %xmm13,%xmm10,%xmm10 vmovdqu %xmm10,(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_ghash_avx,.-gcm_ghash_avx @@ -1134,10 +1125,6 @@ gcm_ghash_avx: .align 64 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64-mac.mac.x86_64.S index 1b8db43f..1efd8f68 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64-mac.mac.x86_64.S @@ -3,18 +3,10 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - .globl _gcm_init_clmul .private_extern _gcm_init_clmul @@ -22,6 +14,7 @@ _gcm_init_clmul: +_CET_ENDBR L$_init_clmul: movdqu (%rsi),%xmm2 pshufd $78,%xmm2,%xmm2 @@ -172,7 +165,7 @@ L$_init_clmul: movdqu %xmm0,64(%rdi) .byte 102,15,58,15,227,8 movdqu %xmm4,80(%rdi) - .byte 0xf3,0xc3 + ret @@ -182,6 +175,7 @@ L$_init_clmul: .p2align 4 _gcm_gmult_clmul: +_CET_ENDBR L$_gmult_clmul: movdqu (%rdi),%xmm0 movdqa L$bswap_mask(%rip),%xmm5 @@ -227,7 +221,7 @@ L$_gmult_clmul: pxor %xmm1,%xmm0 .byte 102,15,56,0,197 movdqu %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .globl _gcm_ghash_clmul @@ -237,6 +231,7 @@ L$_gmult_clmul: _gcm_ghash_clmul: +_CET_ENDBR L$_ghash_clmul: movdqa L$bswap_mask(%rip),%xmm10 @@ -249,15 +244,9 @@ L$_ghash_clmul: jz L$odd_tail movdqu 16(%rsi),%xmm6 - leaq _OPENSSL_ia32cap_P(%rip),%rax - movl 4(%rax),%eax cmpq $0x30,%rcx jb L$skip4x - andl $71303168,%eax - cmpl $4194304,%eax - je L$skip4x - subq $0x30,%rcx movq $0xA040608020C0E000,%rax movdqu 48(%rsi),%xmm14 @@ -615,7 +604,7 @@ L$odd_tail: L$done: .byte 102,65,15,56,0,194 movdqu %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret 
@@ -625,6 +614,7 @@ L$done: .p2align 5 _gcm_init_avx: +_CET_ENDBR vzeroupper vmovdqu (%rsi),%xmm2 @@ -726,7 +716,7 @@ L$init_start_avx: vmovdqu %xmm5,-16(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret @@ -736,6 +726,7 @@ L$init_start_avx: .p2align 5 _gcm_gmult_avx: +_CET_ENDBR jmp L$_gmult_clmul @@ -745,6 +736,7 @@ _gcm_gmult_avx: .p2align 5 _gcm_ghash_avx: +_CET_ENDBR vzeroupper vmovdqu (%rdi),%xmm10 @@ -1115,7 +1107,7 @@ L$tail_no_xor_avx: vpshufb %xmm13,%xmm10,%xmm10 vmovdqu %xmm10,(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret @@ -1133,10 +1125,6 @@ L$7_mask: .p2align 6 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv7-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv7-ios.ios.arm.S index 0bf6ac42..c8db8c8b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv7-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv7-ios.ios.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) #include #if __ARM_MAX_ARCH__>=7 
@@ -259,11 +251,7 @@ Ldone_v8: .align 2 .align 2 #endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv7-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv7-linux.linux.arm.S index 6d608686..80f91b14 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv7-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv7-linux.linux.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) #include #if __ARM_MAX_ARCH__>=7 @@ -253,11 +245,7 @@ gcm_ghash_v8: .align 2 .align 2 #endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv8-ios.ios.aarch64.S index 50f27fd7..48d4c76f 100644 
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv8-ios.ios.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include #if __ARM_MAX_ARCH__>=7 @@ -572,11 +564,7 @@ Ldone4x: .align 2 .align 2 #endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv8-linux.linux.aarch64.S index 2d1a101b..741d46a2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armv8-linux.linux.aarch64.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include #if __ARM_MAX_ARCH__>=7 @@ -572,11 +564,7 @@ gcm_ghash_v8_4x: .align 2 .align 2 #endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586-linux.linux.x86.S index 26498a95..4e05a222 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586-linux.linux.x86.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl md5_block_asm_data_order .hidden md5_block_asm_data_order 
@@ -692,11 +685,7 @@ md5_block_asm_data_order: popl %esi ret .size md5_block_asm_data_order,.-.L_md5_block_asm_data_order_begin -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64-linux.linux.x86_64.S index 0fad9dfd..28423a1a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text .align 16 @@ -21,6 +14,7 @@ .type md5_block_asm_data_order,@function md5_block_asm_data_order: .cfi_startproc +_CET_ENDBR pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset rbp,-16 
@@ -697,14 +691,10 @@ md5_block_asm_data_order: addq $40,%rsp .cfi_adjust_cfa_offset -40 .Lepilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size md5_block_asm_data_order,.-md5_block_asm_data_order #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64-mac.mac.x86_64.S index ed26ace1..f46d3fb8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text .p2align 4 @@ -21,6 +14,7 @@ _md5_block_asm_data_order: +_CET_ENDBR pushq %rbp pushq %rbx @@ -692,13 +686,9 @@ L$end: addq $40,%rsp L$epilogue: - .byte 0xf3,0xc3 + ret -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm-ios.ios.aarch64.S index 1fc91c9d..3a3fd34f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm-ios.ios.aarch64.S 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm-ios.ios.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include "CJWTKitBoringSSL_arm_arch.h" .section __TEXT,__const @@ -1733,11 +1725,7 @@ Lselect_w7_loop: ret -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm-linux.linux.aarch64.S index 6f9f2451..4ff55b75 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm-linux.linux.aarch64.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include "CJWTKitBoringSSL_arm_arch.h" .section .rodata @@ -1733,11 +1725,7 @@ ecp_nistz256_select_w7: ret .size ecp_nistz256_select_w7,.-ecp_nistz256_select_w7 -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm-linux.linux.x86_64.S index 0d24dd85..220cef37 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text .extern OPENSSL_ia32cap_P .hidden OPENSSL_ia32cap_P 
@@ -47,6 +40,7 @@ .align 32 ecp_nistz256_neg: .cfi_startproc +_CET_ENDBR pushq %r12 .cfi_adjust_cfa_offset 8 .cfi_offset %r12,-16 @@ -94,7 +88,7 @@ ecp_nistz256_neg: leaq 16(%rsp),%rsp .cfi_adjust_cfa_offset -16 .Lneg_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_neg,.-ecp_nistz256_neg @@ -109,6 +103,7 @@ ecp_nistz256_neg: .align 32 ecp_nistz256_ord_mul_mont: .cfi_startproc +_CET_ENDBR leaq OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -427,7 +422,7 @@ ecp_nistz256_ord_mul_mont: leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lord_mul_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont @@ -443,6 +438,7 @@ ecp_nistz256_ord_mul_mont: .align 32 ecp_nistz256_ord_sqr_mont: .cfi_startproc +_CET_ENDBR leaq OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -731,7 +727,7 @@ ecp_nistz256_ord_sqr_mont: leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lord_sqr_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont @@ -973,7 +969,7 @@ ecp_nistz256_ord_mul_montx: leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lord_mulx_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_ord_mul_montx,.-ecp_nistz256_ord_mul_montx @@ -1187,7 +1183,7 @@ ecp_nistz256_ord_sqr_montx: leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lord_sqrx_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_ord_sqr_montx,.-ecp_nistz256_ord_sqr_montx @@ -1202,6 +1198,7 @@ ecp_nistz256_ord_sqr_montx: .align 32 ecp_nistz256_mul_mont: .cfi_startproc +_CET_ENDBR leaq OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -1264,7 +1261,7 @@ ecp_nistz256_mul_mont: leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lmul_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont 
@@ -1482,7 +1479,7 @@ __ecp_nistz256_mul_montq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_mul_montq,.-__ecp_nistz256_mul_montq @@ -1499,6 +1496,7 @@ __ecp_nistz256_mul_montq: .align 32 ecp_nistz256_sqr_mont: .cfi_startproc +_CET_ENDBR leaq OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -1556,7 +1554,7 @@ ecp_nistz256_sqr_mont: leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lsqr_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont @@ -1720,7 +1718,7 @@ __ecp_nistz256_sqr_montq: movq %r14,16(%rdi) movq %r15,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_sqr_montq,.-__ecp_nistz256_sqr_montq .type __ecp_nistz256_mul_montx,@function @@ -1888,7 +1886,7 @@ __ecp_nistz256_mul_montx: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_mul_montx,.-__ecp_nistz256_mul_montx @@ -2018,7 +2016,7 @@ __ecp_nistz256_sqr_montx: movq %r14,16(%rdi) movq %r15,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_sqr_montx,.-__ecp_nistz256_sqr_montx @@ -2029,6 +2027,7 @@ __ecp_nistz256_sqr_montx: .align 32 ecp_nistz256_select_w5: .cfi_startproc +_CET_ENDBR leaq OPENSSL_ia32cap_P(%rip),%rax movq 8(%rax),%rax testl $32,%eax @@ -2083,7 +2082,7 @@ ecp_nistz256_select_w5: movdqu %xmm5,48(%rdi) movdqu %xmm6,64(%rdi) movdqu %xmm7,80(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_ecp_nistz256_select_w5: .size ecp_nistz256_select_w5,.-ecp_nistz256_select_w5 @@ -2096,6 +2095,7 @@ ecp_nistz256_select_w5: .align 32 ecp_nistz256_select_w7: .cfi_startproc +_CET_ENDBR leaq OPENSSL_ia32cap_P(%rip),%rax movq 8(%rax),%rax testl $32,%eax @@ -2139,7 +2139,7 @@ ecp_nistz256_select_w7: movdqu %xmm3,16(%rdi) movdqu %xmm4,32(%rdi) movdqu %xmm5,48(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_ecp_nistz256_select_w7: .size ecp_nistz256_select_w7,.-ecp_nistz256_select_w7 
@@ -2202,7 +2202,7 @@ ecp_nistz256_avx2_select_w5: vmovdqu %ymm3,32(%rdi) vmovdqu %ymm4,64(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_ecp_nistz256_avx2_select_w5: .size ecp_nistz256_avx2_select_w5,.-ecp_nistz256_avx2_select_w5 @@ -2216,6 +2216,7 @@ ecp_nistz256_avx2_select_w5: ecp_nistz256_avx2_select_w7: .cfi_startproc .Lavx2_select_w7: +_CET_ENDBR vzeroupper vmovdqa .LThree(%rip),%ymm0 @@ -2283,7 +2284,7 @@ ecp_nistz256_avx2_select_w7: vmovdqu %ymm2,0(%rdi) vmovdqu %ymm3,32(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_ecp_nistz256_avx2_select_w7: .size ecp_nistz256_avx2_select_w7,.-ecp_nistz256_avx2_select_w7 @@ -2317,7 +2318,7 @@ __ecp_nistz256_add_toq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_add_toq,.-__ecp_nistz256_add_toq @@ -2350,7 +2351,7 @@ __ecp_nistz256_sub_fromq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_sub_fromq,.-__ecp_nistz256_sub_fromq @@ -2379,7 +2380,7 @@ __ecp_nistz256_subq: cmovnzq %rcx,%r8 cmovnzq %r10,%r9 - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_subq,.-__ecp_nistz256_subq @@ -2413,7 +2414,7 @@ __ecp_nistz256_mul_by_2q: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_mul_by_2q,.-__ecp_nistz256_mul_by_2q .globl ecp_nistz256_point_double @@ -2422,6 +2423,7 @@ __ecp_nistz256_mul_by_2q: .align 32 ecp_nistz256_point_double: .cfi_startproc +_CET_ENDBR leaq OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -2647,7 +2649,7 @@ ecp_nistz256_point_double: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpoint_doubleq_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_double,.-ecp_nistz256_point_double .globl ecp_nistz256_point_add @@ -2656,6 +2658,7 @@ ecp_nistz256_point_double: .align 32 ecp_nistz256_point_add: .cfi_startproc +_CET_ENDBR leaq OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx 
@@ -3084,7 +3087,7 @@ ecp_nistz256_point_add: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpoint_addq_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_add,.-ecp_nistz256_point_add .globl ecp_nistz256_point_add_affine @@ -3093,6 +3096,7 @@ ecp_nistz256_point_add: .align 32 ecp_nistz256_point_add_affine: .cfi_startproc +_CET_ENDBR leaq OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -3418,7 +3422,7 @@ ecp_nistz256_point_add_affine: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Ladd_affineq_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine .type __ecp_nistz256_add_tox,@function @@ -3452,7 +3456,7 @@ __ecp_nistz256_add_tox: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_add_tox,.-__ecp_nistz256_add_tox @@ -3487,7 +3491,7 @@ __ecp_nistz256_sub_fromx: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_sub_fromx,.-__ecp_nistz256_sub_fromx @@ -3518,7 +3522,7 @@ __ecp_nistz256_subx: cmovcq %rcx,%r8 cmovcq %r10,%r9 - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_subx,.-__ecp_nistz256_subx @@ -3553,7 +3557,7 @@ __ecp_nistz256_mul_by_2x: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_mul_by_2x,.-__ecp_nistz256_mul_by_2x .type ecp_nistz256_point_doublex,@function @@ -3781,7 +3785,7 @@ ecp_nistz256_point_doublex: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpoint_doublex_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_doublex,.-ecp_nistz256_point_doublex .type ecp_nistz256_point_addx,@function @@ -4212,7 +4216,7 @@ ecp_nistz256_point_addx: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpoint_addx_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_addx,.-ecp_nistz256_point_addx .type ecp_nistz256_point_add_affinex,@function 
@@ -4540,14 +4544,10 @@ ecp_nistz256_point_add_affinex: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Ladd_affinex_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_add_affinex,.-ecp_nistz256_point_add_affinex #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm-mac.mac.x86_64.S index 5c9b3a49..3f8180f7 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text @@ -46,6 +39,7 @@ L$ordK: .p2align 5 _ecp_nistz256_neg: +_CET_ENDBR pushq %r12 pushq %r13 @@ -91,7 +85,7 @@ L$neg_body: leaq 16(%rsp),%rsp L$neg_epilogue: - .byte 0xf3,0xc3 + ret @@ -106,6 +100,7 @@ L$neg_epilogue: .p2align 5 _ecp_nistz256_ord_mul_mont: +_CET_ENDBR leaq _OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -418,7 +413,7 @@ L$ord_mul_body: leaq 48(%rsp),%rsp L$ord_mul_epilogue: - .byte 0xf3,0xc3 + ret @@ -434,6 +429,7 @@ L$ord_mul_epilogue: .p2align 5 _ecp_nistz256_ord_sqr_mont: +_CET_ENDBR leaq _OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx 
@@ -716,7 +712,7 @@ L$oop_ord_sqr: leaq 48(%rsp),%rsp L$ord_sqr_epilogue: - .byte 0xf3,0xc3 + ret @@ -952,7 +948,7 @@ L$ord_mulx_body: leaq 48(%rsp),%rsp L$ord_mulx_epilogue: - .byte 0xf3,0xc3 + ret @@ -1160,7 +1156,7 @@ L$oop_ord_sqrx: leaq 48(%rsp),%rsp L$ord_sqrx_epilogue: - .byte 0xf3,0xc3 + ret @@ -1175,6 +1171,7 @@ L$ord_sqrx_epilogue: .p2align 5 _ecp_nistz256_mul_mont: +_CET_ENDBR leaq _OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -1231,7 +1228,7 @@ L$mul_mont_done: leaq 48(%rsp),%rsp L$mul_epilogue: - .byte 0xf3,0xc3 + ret @@ -1449,7 +1446,7 @@ __ecp_nistz256_mul_montq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -1466,6 +1463,7 @@ __ecp_nistz256_mul_montq: .p2align 5 _ecp_nistz256_sqr_mont: +_CET_ENDBR leaq _OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -1517,7 +1515,7 @@ L$sqr_mont_done: leaq 48(%rsp),%rsp L$sqr_epilogue: - .byte 0xf3,0xc3 + ret @@ -1681,7 +1679,7 @@ __ecp_nistz256_sqr_montq: movq %r14,16(%rdi) movq %r15,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -1849,7 +1847,7 @@ __ecp_nistz256_mul_montx: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -1979,7 +1977,7 @@ __ecp_nistz256_sqr_montx: movq %r14,16(%rdi) movq %r15,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -1990,6 +1988,7 @@ __ecp_nistz256_sqr_montx: .p2align 5 _ecp_nistz256_select_w5: +_CET_ENDBR leaq _OPENSSL_ia32cap_P(%rip),%rax movq 8(%rax),%rax testl $32,%eax @@ -2044,7 +2043,7 @@ L$select_loop_sse_w5: movdqu %xmm5,48(%rdi) movdqu %xmm6,64(%rdi) movdqu %xmm7,80(%rdi) - .byte 0xf3,0xc3 + ret L$SEH_end_ecp_nistz256_select_w5: @@ -2057,6 +2056,7 @@ L$SEH_end_ecp_nistz256_select_w5: .p2align 5 _ecp_nistz256_select_w7: +_CET_ENDBR leaq _OPENSSL_ia32cap_P(%rip),%rax movq 8(%rax),%rax testl $32,%eax @@ -2100,7 +2100,7 @@ L$select_loop_sse_w7: movdqu %xmm3,16(%rdi) movdqu %xmm4,32(%rdi) movdqu %xmm5,48(%rdi) - .byte 0xf3,0xc3 + ret L$SEH_end_ecp_nistz256_select_w7: 
@@ -2163,7 +2163,7 @@ L$select_loop_avx2_w5: vmovdqu %ymm3,32(%rdi) vmovdqu %ymm4,64(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret L$SEH_end_ecp_nistz256_avx2_select_w5: @@ -2177,6 +2177,7 @@ L$SEH_end_ecp_nistz256_avx2_select_w5: _ecp_nistz256_avx2_select_w7: L$avx2_select_w7: +_CET_ENDBR vzeroupper vmovdqa L$Three(%rip),%ymm0 @@ -2244,7 +2245,7 @@ L$select_loop_avx2_w7: vmovdqu %ymm2,0(%rdi) vmovdqu %ymm3,32(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret L$SEH_end_ecp_nistz256_avx2_select_w7: @@ -2278,7 +2279,7 @@ __ecp_nistz256_add_toq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -2311,7 +2312,7 @@ __ecp_nistz256_sub_fromq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -2340,7 +2341,7 @@ __ecp_nistz256_subq: cmovnzq %rcx,%r8 cmovnzq %r10,%r9 - .byte 0xf3,0xc3 + ret @@ -2374,7 +2375,7 @@ __ecp_nistz256_mul_by_2q: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .globl _ecp_nistz256_point_double @@ -2383,6 +2384,7 @@ __ecp_nistz256_mul_by_2q: .p2align 5 _ecp_nistz256_point_double: +_CET_ENDBR leaq _OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -2602,7 +2604,7 @@ L$point_double_shortcutq: leaq (%rsi),%rsp L$point_doubleq_epilogue: - .byte 0xf3,0xc3 + ret .globl _ecp_nistz256_point_add @@ -2611,6 +2613,7 @@ L$point_doubleq_epilogue: .p2align 5 _ecp_nistz256_point_add: +_CET_ENDBR leaq _OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -3033,7 +3036,7 @@ L$add_doneq: leaq (%rsi),%rsp L$point_addq_epilogue: - .byte 0xf3,0xc3 + ret .globl _ecp_nistz256_point_add_affine @@ -3042,6 +3045,7 @@ L$point_addq_epilogue: .p2align 5 _ecp_nistz256_point_add_affine: +_CET_ENDBR leaq _OPENSSL_ia32cap_P(%rip),%rcx movq 8(%rcx),%rcx andl $0x80100,%ecx @@ -3361,7 +3365,7 @@ L$add_affineq_body: leaq (%rsi),%rsp L$add_affineq_epilogue: - .byte 0xf3,0xc3 + ret @@ -3395,7 +3399,7 @@ __ecp_nistz256_add_tox: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret 
@@ -3430,7 +3434,7 @@ __ecp_nistz256_sub_fromx: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -3461,7 +3465,7 @@ __ecp_nistz256_subx: cmovcq %rcx,%r8 cmovcq %r10,%r9 - .byte 0xf3,0xc3 + ret @@ -3496,7 +3500,7 @@ __ecp_nistz256_mul_by_2x: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -3718,7 +3722,7 @@ L$point_double_shortcutx: leaq (%rsi),%rsp L$point_doublex_epilogue: - .byte 0xf3,0xc3 + ret @@ -4143,7 +4147,7 @@ L$add_donex: leaq (%rsi),%rsp L$point_addx_epilogue: - .byte 0xf3,0xc3 + ret @@ -4465,13 +4469,9 @@ L$add_affinex_body: leaq (%rsi),%rsp L$add_affinex_epilogue: - .byte 0xf3,0xc3 + ret -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-ios.ios.aarch64.S index 9ef3c41b..df5b6e56 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-ios.ios.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include "CJWTKitBoringSSL_arm_arch.h" .text 
@@ -316,11 +308,7 @@ Lbeeu_finish: AARCH64_VALIDATE_LINK_REGISTER ret -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-linux.linux.aarch64.S index a1620eca..f5a75ae2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-linux.linux.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include "CJWTKitBoringSSL_arm_arch.h" .text @@ -316,11 +308,7 @@ beeu_mod_inverse_vartime: AARCH64_VALIDATE_LINK_REGISTER ret .size beeu_mod_inverse_vartime,.-beeu_mod_inverse_vartime -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.linux.x86_64.S index cea69f5f..83d9831e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text .type beeu_mod_inverse_vartime,@function @@ -22,6 +15,7 @@ .align 32 beeu_mod_inverse_vartime: .cfi_startproc +_CET_ENDBR pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset rbp,-16 @@ -337,15 +331,11 @@ beeu_mod_inverse_vartime: popq %rbp .cfi_adjust_cfa_offset -8 .cfi_restore rbp - .byte 0xf3,0xc3 + ret .cfi_endproc .size beeu_mod_inverse_vartime, .-beeu_mod_inverse_vartime #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-mac.mac.x86_64.S index f0cc713f..6081cdd9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-mac.mac.x86_64.S 
@@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text @@ -22,6 +15,7 @@ .p2align 5 _beeu_mod_inverse_vartime: +_CET_ENDBR pushq %rbp pushq %r12 @@ -323,14 +317,10 @@ L$beeu_finish: popq %rbp - .byte 0xf3,0xc3 + ret -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/fork_detect.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/fork_detect.c index 903417ec..123a5285 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/fork_detect.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/fork_detect.c 
@@ -17,31 +17,34 @@ #endif #include - #include "fork_detect.h" -#if defined(OPENSSL_LINUX) -#include -#include +#if defined(OPENSSL_FORK_DETECTION_MADVISE) #include #include - -#include "../delocate.h" -#include "../../internal.h" - - +#include +#include #if defined(MADV_WIPEONFORK) static_assert(MADV_WIPEONFORK == 18, "MADV_WIPEONFORK is not 18"); #else #define MADV_WIPEONFORK 18 #endif +#elif defined(OPENSSL_FORK_DETECTION_PTHREAD_ATFORK) +#include +#include +#include +#endif // OPENSSL_FORK_DETECTION_MADVISE + +#include "../delocate.h" +#include "../../internal.h" +#if defined(OPENSSL_FORK_DETECTION_MADVISE) +DEFINE_BSS_GET(int, g_force_madv_wipeonfork); +DEFINE_BSS_GET(int, g_force_madv_wipeonfork_enabled); DEFINE_STATIC_ONCE(g_fork_detect_once); DEFINE_STATIC_MUTEX(g_fork_detect_lock); DEFINE_BSS_GET(CRYPTO_atomic_u32 *, g_fork_detect_addr); DEFINE_BSS_GET(uint64_t, g_fork_generation); -DEFINE_BSS_GET(int, g_force_madv_wipeonfork); -DEFINE_BSS_GET(int, g_force_madv_wipeonfork_enabled); static void init_fork_detect(void) { if (*g_force_madv_wipeonfork_bss_get()) { @@ -73,9 +76,12 @@ static void init_fork_detect(void) { CRYPTO_atomic_store_u32(addr, 1); *g_fork_detect_addr_bss_get() = addr; *g_fork_generation_bss_get() = 1; + } uint64_t CRYPTO_get_fork_generation(void) { + CRYPTO_once(g_fork_detect_once_bss_get(), init_fork_detect); + // In a single-threaded process, there are obviously no races because there's // only a single mutator in the address space. // @@ -87,7 +93,6 @@ uint64_t CRYPTO_get_fork_generation(void) { // child process is single-threaded, the child may become multi-threaded // before it observes this. Therefore, we must synchronize the logic below. - CRYPTO_once(g_fork_detect_once_bss_get(), init_fork_detect); CRYPTO_atomic_u32 *const flag_ptr = *g_fork_detect_addr_bss_get(); if (flag_ptr == NULL) { // Our kernel is too old to support |MADV_WIPEONFORK| or 
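Review bot: The `#endif // OPENSSL_FORK_DETECTION_MADVISE` that closes the new include chain is misleading, because the chain now also has an `#elif defined(OPENSSL_FORK_DETECTION_PTHREAD_ATFORK)` branch and the trailing comment names only the first condition. A reader skimming for which headers are pulled in per backend will pair the `#endif` with the wrong `#if`. Suggest `#endif // OPENSSL_FORK_DETECTION_MADVISE || OPENSSL_FORK_DETECTION_PTHREAD_ATFORK`, or a descriptive `#endif // backend-specific includes`. The hunk also relies on `#include "fork_detect.h"` preceding the chain, since that header (see its hunk below) is what defines these macros; a one-line comment saying so would keep a future include reorder from silently selecting no backend.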
@@ -98,6 +103,12 @@ uint64_t CRYPTO_get_fork_generation(void) { // doesn't support it. return 42; } + // With Linux and clone(), we do not believe that pthread_atfork() is + // sufficient for detecting all forms of address space duplication. At this + // point we have a kernel that does not support MADV_WIPEONFORK. We could + // return the generation number from pthread_atfork() here and it would + // probably be safe in almost any situation, but to ensure safety we return + // 0 and force an entropy draw on every call. return 0; } @@ -114,8 +125,8 @@ uint64_t CRYPTO_get_fork_generation(void) { // The flag was zero. The generation number must be incremented, but other // threads may have concurrently observed the zero, so take a lock before // incrementing. - struct CRYPTO_STATIC_MUTEX *const lock = g_fork_detect_lock_bss_get(); - CRYPTO_STATIC_MUTEX_lock_write(lock); + CRYPTO_MUTEX *const lock = g_fork_detect_lock_bss_get(); + CRYPTO_MUTEX_lock_write(lock); uint64_t current_generation = *generation_ptr; if (CRYPTO_atomic_load_u32(flag_ptr) == 0) { // A fork has occurred. @@ -130,7 +141,7 @@ uint64_t CRYPTO_get_fork_generation(void) { *generation_ptr = current_generation; CRYPTO_atomic_store_u32(flag_ptr, 1); } - CRYPTO_STATIC_MUTEX_unlock_write(lock); + CRYPTO_MUTEX_unlock_write(lock); return current_generation; } 
@@ -140,8 +151,47 @@ void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing(int on) { *g_force_madv_wipeonfork_enabled_bss_get() = on; } -#else // !OPENSSL_LINUX +#elif defined(OPENSSL_FORK_DETECTION_PTHREAD_ATFORK) + +DEFINE_STATIC_ONCE(g_pthread_fork_detection_once); +DEFINE_BSS_GET(uint64_t, g_atfork_fork_generation); + +static void we_are_forked(void) { + // Immediately after a fork, the process must be single-threaded. + uint64_t value = *g_atfork_fork_generation_bss_get() + 1; + if (value == 0) { + value = 1; + } + *g_atfork_fork_generation_bss_get() = value; +} + +static void init_pthread_fork_detection(void) { + if (pthread_atfork(NULL, NULL, we_are_forked) != 0) { + abort(); + } + *g_atfork_fork_generation_bss_get() = 1; +} +uint64_t CRYPTO_get_fork_generation(void) { + CRYPTO_once(g_pthread_fork_detection_once_bss_get(), init_pthread_fork_detection); + + return *g_atfork_fork_generation_bss_get(); +} + +#elif defined(OPENSSL_DOES_NOT_FORK) + +// These platforms are guaranteed not to fork, and therefore do not require +// fork detection support. Returning a constant non zero value makes BoringSSL +// assume address space duplication is not a concern and adding entropy to +// every RAND_bytes call is not needed. +uint64_t CRYPTO_get_fork_generation(void) { return 0xc0ffee; } + +#else + +// These platforms may fork, but we do not have a mitigation mechanism in +// place. Returning a constant zero value makes BoringSSL assume that address +// space duplication could have occured on any call entropy must be added to +// every RAND_bytes call. uint64_t CRYPTO_get_fork_generation(void) { return 0; } -#endif // OPENSSL_LINUX +#endif diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/fork_detect.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/fork_detect.h index 79d8ddc0..a14bf8c2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/fork_detect.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/fork_detect.h 
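Review bot: The pthread_atfork-path `CRYPTO_get_fork_generation` is the only one of the three new definitions without a comment on its contract; `init_pthread_fork_detection` sets the counter to 1 and `we_are_forked` wraps 0 back to 1, so this path never returns 0 and never forces the always-re-seed behaviour of the `#else` branch — worth stating, e.g. `// Returns the generation bumped by |we_are_forked|; never 0, so a fork is only reflected once the child handler has run.` The `#else` comment has a typo and a missing clause: `could have occured on any call entropy must be added` should read `could have occurred on any call, so entropy must be added`. `0xc0ffee` in the `OPENSSL_DOES_NOT_FORK` branch is a bare magic value that is only explained by the prose above it; giving it a name (any fixed non-zero generation) would tie the comment to the code. The `abort()` on `pthread_atfork` failure is a fail-closed choice and deserves a one-line comment saying so, since a reader may otherwise read it as an oversight.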
@@ -17,6 +17,23 @@ #include +#if defined(OPENSSL_LINUX) +// On linux we use MADVISE instead of pthread_atfork(), due +// to concerns about clone() being used for address space +// duplication. +#define OPENSSL_FORK_DETECTION +#define OPENSSL_FORK_DETECTION_MADVISE +#elif defined(OPENSSL_MACOS) || defined(OPENSSL_IOS) || \ + defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD) +// These platforms may detect address space duplication with pthread_atfork. +// iOS doesn't normally allow fork in apps, but it's there. +#define OPENSSL_FORK_DETECTION +#define OPENSSL_FORK_DETECTION_PTHREAD_ATFORK +#elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY) +// These platforms do not fork. +#define OPENSSL_DOES_NOT_FORK +#endif + #if defined(__cplusplus) extern "C" { #endif diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/internal.h index 7202569d..0756785d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/internal.h @@ -26,9 +26,21 @@ extern "C" { #endif -#if !defined(OPENSSL_WINDOWS) && !defined(OPENSSL_FUCHSIA) && \ - !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) && !defined(OPENSSL_TRUSTY) -#define OPENSSL_URANDOM +#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) +#define OPENSSL_RAND_DETERMINISTIC +#elif defined(OPENSSL_TRUSTY) +#define OPENSSL_RAND_TRUSTY +#elif defined(OPENSSL_WINDOWS) +#define OPENSSL_RAND_WINDOWS +#elif defined(OPENSSL_LINUX) +#define OPENSSL_RAND_URANDOM +#elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS) +// Unlike macOS, iOS and similar hide away getentropy(). +#define OPENSSL_RAND_IOS +#else +// By default if you are integrating BoringSSL we expect you to +// provide getentropy from the header file. +#define OPENSSL_RAND_GETENTROPY #endif // RAND_bytes_with_additional_data samples from the RNG after mixing 32 bytes 
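Review bot: The platform dispatch leaves any target that matches none of the branches (neither Linux, macOS/iOS, OpenBSD/FreeBSD, Windows nor Trusty) defining neither `OPENSSL_FORK_DETECTION` nor `OPENSSL_DOES_NOT_FORK`, and the header does not say what that means. From fork_detect.c's final `#else` (hunk at -140 above) such a port gets `CRYPTO_get_fork_generation()` returning 0, i.e. fresh entropy on every RAND call — the safe default, but a silent performance cliff for a new port. Suggest closing the chain with `// Any other platform gets neither macro: fork_detect.c then reports generation 0 and RAND re-seeds on every call.`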
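Review bot: The new backend chain in rand/internal.h routes every platform not named earlier to `OPENSSL_RAND_GETENTROPY`, and that now includes Fuchsia, which the removed condition excluded from `OPENSSL_URANDOM` by name. Presumably Fuchsia previously used a backend outside this header; if that backend did not provide `getentropy`, this is a behaviour change for that port and should be confirmed rather than inherited silently. A comment on the `#else` branch naming the platforms it is known to cover would make the next reader's job easier.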
@@ -70,11 +82,15 @@ void CRYPTO_sysrand(uint8_t *buf, size_t len); // depending on the vendor's configuration. void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len); -#if defined(OPENSSL_URANDOM) +#if defined(OPENSSL_RAND_URANDOM) || defined(OPENSSL_RAND_WINDOWS) // CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy // from the operating system. void CRYPTO_init_sysrand(void); +#else +OPENSSL_INLINE void CRYPTO_init_sysrand(void) {} +#endif // defined(OPENSSL_RAND_URANDOM) || defined(OPENSSL_RAND_WINDOWS) +#if defined(OPENSSL_RAND_URANDOM) // CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the // operating system, or early /dev/urandom data, and returns 1, _if_ the entropy // pool is initialized or if getrandom() is not available and not in FIPS mode. @@ -82,13 +98,11 @@ void CRYPTO_init_sysrand(void); // return 0. int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len); #else -OPENSSL_INLINE void CRYPTO_init_sysrand(void) {} - OPENSSL_INLINE int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) { CRYPTO_sysrand(buf, len); return 1; } -#endif +#endif // defined(OPENSSL_RAND_URANDOM) // rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has // been enabled via |RAND_enable_fork_unsafe_buffering|. diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/rand.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/rand.c index e72326bc..699a3697 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/rand.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/rand.c 
@@ -92,7 +92,7 @@ DEFINE_STATIC_MUTEX(thread_states_list_lock); static void rand_thread_state_clear_all(void) __attribute__((destructor)); static void rand_thread_state_clear_all(void) { - CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get()); + CRYPTO_MUTEX_lock_write(thread_states_list_lock_bss_get()); for (struct rand_thread_state *cur = *thread_states_list_bss_get(); cur != NULL; cur = cur->next) { CRYPTO_MUTEX_lock_write(&cur->clear_drbg_lock); @@ -115,11 +115,14 @@ static void rand_thread_state_free(void *state_in) { } #if defined(BORINGSSL_FIPS) - CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get()); + CRYPTO_MUTEX_lock_write(thread_states_list_lock_bss_get()); if (state->prev != NULL) { state->prev->next = state->next; - } else { + } else if (*thread_states_list_bss_get() == state) { + // |state->prev| may be NULL either if it is the head of the list, + // or if |state| is freed before it was added to the list at all. + // Compare against the head of the list to distinguish these cases. *thread_states_list_bss_get() = state->next; } @@ -127,7 +130,7 @@ static void rand_thread_state_free(void *state_in) { state->next->prev = state->prev; } - CRYPTO_STATIC_MUTEX_unlock_write(thread_states_list_lock_bss_get()); + CRYPTO_MUTEX_unlock_write(thread_states_list_lock_bss_get()); CTR_DRBG_clear(&state->drbg); #endif @@ -203,7 +206,7 @@ void RAND_load_entropy(const uint8_t *entropy, size_t entropy_len, int want_additional_input) { struct entropy_buffer *const buffer = entropy_buffer_bss_get(); - CRYPTO_STATIC_MUTEX_lock_write(entropy_buffer_lock_bss_get()); + CRYPTO_MUTEX_lock_write(entropy_buffer_lock_bss_get()); const size_t space = sizeof(buffer->bytes) - buffer->bytes_valid; if (entropy_len > space) { entropy_len = space; 
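Review bot: The new `else if (*thread_states_list_bss_get() == state)` branch in `rand_thread_state_free` is only a complete fix together with the `OPENSSL_zalloc` change in the -371 hunk on the next line: a state freed before being linked has `prev == NULL`, and the following `if (state->next != NULL) state->next->prev = state->prev;` stays harmless only because `next` is now zero-initialised rather than whatever `OPENSSL_malloc` left there. The added comment explains the head comparison but not this dependency; suggest appending `// |state| comes from OPENSSL_zalloc, so |next| and |prev| are NULL until it is linked.` rand_thread_state_free's body continues outside the hunk.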
@@ -213,7 +216,7 @@ void RAND_load_entropy(const uint8_t *entropy, size_t entropy_len, buffer->bytes_valid += entropy_len; buffer->want_additional_input |= want_additional_input && (entropy_len != 0); - CRYPTO_STATIC_MUTEX_unlock_write(entropy_buffer_lock_bss_get()); + CRYPTO_MUTEX_unlock_write(entropy_buffer_lock_bss_get()); } // get_seed_entropy fills |out_entropy_len| bytes of |out_entropy| from the @@ -225,11 +228,11 @@ static void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len, abort(); } - CRYPTO_STATIC_MUTEX_lock_write(entropy_buffer_lock_bss_get()); + CRYPTO_MUTEX_lock_write(entropy_buffer_lock_bss_get()); while (buffer->bytes_valid < out_entropy_len) { - CRYPTO_STATIC_MUTEX_unlock_write(entropy_buffer_lock_bss_get()); + CRYPTO_MUTEX_unlock_write(entropy_buffer_lock_bss_get()); RAND_need_entropy(out_entropy_len - buffer->bytes_valid); - CRYPTO_STATIC_MUTEX_lock_write(entropy_buffer_lock_bss_get()); + CRYPTO_MUTEX_lock_write(entropy_buffer_lock_bss_get()); } *out_want_additional_input = buffer->want_additional_input; @@ -241,7 +244,7 @@ static void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len, buffer->want_additional_input = 0; } - CRYPTO_STATIC_MUTEX_unlock_write(entropy_buffer_lock_bss_get()); + CRYPTO_MUTEX_unlock_write(entropy_buffer_lock_bss_get()); } // rand_get_seed fills |seed| with entropy. In some cases, it will additionally @@ -371,7 +374,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_RAND); if (state == NULL) { - state = OPENSSL_malloc(sizeof(struct rand_thread_state)); + state = OPENSSL_zalloc(sizeof(struct rand_thread_state)); if (state == NULL || !CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state, rand_thread_state_free)) { 
@@ -397,7 +400,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, #if defined(BORINGSSL_FIPS) CRYPTO_MUTEX_init(&state->clear_drbg_lock); if (state != &stack_state) { - CRYPTO_STATIC_MUTEX_lock_write(thread_states_list_lock_bss_get()); + CRYPTO_MUTEX_lock_write(thread_states_list_lock_bss_get()); struct rand_thread_state **states_list = thread_states_list_bss_get(); state->next = *states_list; if (state->next != NULL) { @@ -405,7 +408,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, } state->prev = NULL; *states_list = state; - CRYPTO_STATIC_MUTEX_unlock_write(thread_states_list_lock_bss_get()); + CRYPTO_MUTEX_unlock_write(thread_states_list_lock_bss_get()); } #endif } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/urandom.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/urandom.c index a88a1353..dc4fbedf 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/urandom.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/urandom.c @@ -20,7 +20,7 @@ #include "internal.h" -#if defined(OPENSSL_URANDOM) +#if defined(OPENSSL_RAND_URANDOM) #include #include @@ -58,22 +58,6 @@ #endif #endif // OPENSSL_LINUX -#if defined(OPENSSL_MACOS) -// getentropy exists in any supported version of MacOS (Sierra and later) -#include -#endif - -#if defined(OPENSSL_OPENBSD) -// getentropy exists in any supported version of OpenBSD -#include -#endif - -#if defined(OPENSSL_FREEBSD) && __FreeBSD__ >= 12 -// getrandom is supported in FreeBSD 12 and up. -#define FREEBSD_GETRANDOM -#include -#endif - #include #include @@ -179,11 +163,6 @@ static void init_once(void) { } #endif // USE_NR_getrandom -#if defined(OPENSSL_MACOS) || defined(OPENSSL_OPENBSD) || defined(FREEBSD_GETRANDOM) - *urandom_fd_bss_get() = kHaveGetrandom; - return; -#endif - // FIPS builds must support getrandom. // // Historically, only Android FIPS builds required getrandom, while Linux FIPS 
@@ -295,12 +274,6 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) { if (*urandom_fd_bss_get() == kHaveGetrandom) { #if defined(USE_NR_getrandom) r = boringssl_getrandom(out, len, getrandom_flags); -#elif defined(FREEBSD_GETRANDOM) - r = getrandom(out, len, getrandom_flags); -#elif defined(OPENSSL_MACOS) || defined(OPENSSL_OPENBSD) - // |getentropy| can only request 256 bytes at a time. - size_t todo = len <= 256 ? len : 256; - r = getentropy(out, todo) != 0 ? -1 : (ssize_t)todo; #else // USE_NR_getrandom fprintf(stderr, "urandom fd corrupt.\n"); abort(); @@ -352,4 +325,4 @@ int CRYPTO_sysrand_if_available(uint8_t *out, size_t requested) { } } -#endif // OPENSSL_URANDOM +#endif // OPENSSL_RAND_URANDOM diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64-linux.linux.x86_64.S index 8315f4a8..07c6e1bf 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text @@ -24,12 +17,13 @@ .align 16 CRYPTO_rdrand: .cfi_startproc +_CET_ENDBR xorq %rax,%rax .byte 72,15,199,242 adcq %rax,%rax movq %rdx,0(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size CRYPTO_rdrand,.-CRYPTO_rdrand @@ -43,6 +37,7 @@ CRYPTO_rdrand: .align 16 CRYPTO_rdrand_multiple8_buf: .cfi_startproc +_CET_ENDBR testq %rsi,%rsi jz .Lout movq $8,%rdx 
@@ -55,17 +50,13 @@ CRYPTO_rdrand_multiple8_buf: jnz .Lloop .Lout: movq $1,%rax - .byte 0xf3,0xc3 + ret .Lerr: xorq %rax,%rax - .byte 0xf3,0xc3 + ret .cfi_endproc .size CRYPTO_rdrand_multiple8_buf,.-CRYPTO_rdrand_multiple8_buf #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64-mac.mac.x86_64.S index fabe7189..dbf92b80 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text @@ -24,12 +17,13 @@ .p2align 4 _CRYPTO_rdrand: +_CET_ENDBR xorq %rax,%rax .byte 72,15,199,242 adcq %rax,%rax movq %rdx,0(%rdi) - .byte 0xf3,0xc3 + ret @@ -43,6 +37,7 @@ _CRYPTO_rdrand: .p2align 4 _CRYPTO_rdrand_multiple8_buf: +_CET_ENDBR testq %rsi,%rsi jz L$out movq $8,%rdx @@ -55,16 +50,12 @@ L$loop: jnz L$loop L$out: movq $1,%rax - .byte 0xf3,0xc3 + ret L$err: xorq %rax,%rax - .byte 0xf3,0xc3 + ret -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/blinding.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/blinding.c index b7e66ecd..18b975ef 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/blinding.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/blinding.c @@ -130,11 +130,10 @@ static int bn_blinding_create_param(BN_BLINDING *b, const BIGNUM *e, const BN_MONT_CTX *mont, BN_CTX *ctx); BN_BLINDING *BN_BLINDING_new(void) { - BN_BLINDING *ret = OPENSSL_malloc(sizeof(BN_BLINDING)); + BN_BLINDING *ret = OPENSSL_zalloc(sizeof(BN_BLINDING)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(BN_BLINDING)); ret->A = BN_new(); if (ret->A == NULL) { diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/internal.h index 50eb23fe..1bde1435 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/internal.h 
@@ -62,12 +62,67 @@ #include #include +#include "../../internal.h" #if defined(__cplusplus) extern "C" { #endif +typedef struct bn_blinding_st BN_BLINDING; + +struct rsa_st { + RSA_METHOD *meth; + + BIGNUM *n; + BIGNUM *e; + BIGNUM *d; + BIGNUM *p; + BIGNUM *q; + BIGNUM *dmp1; + BIGNUM *dmq1; + BIGNUM *iqmp; + + // be careful using this if the RSA structure is shared + CRYPTO_EX_DATA ex_data; + CRYPTO_refcount_t references; + int flags; + + CRYPTO_MUTEX lock; + + // Used to cache montgomery values. The creation of these values is protected + // by |lock|. + BN_MONT_CTX *mont_n; + BN_MONT_CTX *mont_p; + BN_MONT_CTX *mont_q; + + // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively, + // but with the correct widths to prevent side channels. These must use + // separate copies due to threading concerns caused by OpenSSL's API + // mistakes. See https://github.com/openssl/openssl/issues/5158 and + // the |freeze_private_key| implementation. + BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed; + + // iqmp_mont is q^-1 mod p in Montgomery form, using |mont_p|. + BIGNUM *iqmp_mont; + + // num_blindings contains the size of the |blindings| and |blindings_inuse| + // arrays. This member and the |blindings_inuse| array are protected by + // |lock|. + size_t num_blindings; + // blindings is an array of BN_BLINDING structures that can be reserved by a + // thread by locking |lock| and changing the corresponding element in + // |blindings_inuse| from 0 to 1. + BN_BLINDING **blindings; + unsigned char *blindings_inuse; + uint64_t blinding_fork_generation; + + // private_key_frozen is one if the key has been used for a private key + // operation and may no longer be mutated. + unsigned private_key_frozen:1; +}; + + #define RSA_PKCS1_PADDING_SIZE 11 // Default implementations of RSA operations. diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa.c index 85f2a4b4..b2d16505 100644 
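Review bot: `blinding_fork_generation` is the only field of the newly exposed `struct rsa_st` without a comment, and as a fork-detection value it is exactly what a security reviewer will look for; presumably it records the `CRYPTO_get_fork_generation()` value under which |blindings| were last refreshed and is protected by |lock| like |blindings_inuse| — confirm against rsa_blinding_get and document it, e.g. `// blinding_fork_generation is the fork generation under which |blindings| were last refreshed. Protected by |lock|.` Separately, `blindings_inuse` is declared `unsigned char *` here while rsa_impl.c (hunk at -389 below) allocates it as `uint8_t *`; harmless in practice, but the two could agree.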
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa.c @@ -206,13 +206,11 @@ RSA *RSA_new_private_key_large_e(const BIGNUM *n, const BIGNUM *e, RSA *RSA_new(void) { return RSA_new_method(NULL); } RSA *RSA_new_method(const ENGINE *engine) { - RSA *rsa = OPENSSL_malloc(sizeof(RSA)); + RSA *rsa = OPENSSL_zalloc(sizeof(RSA)); if (rsa == NULL) { return NULL; } - OPENSSL_memset(rsa, 0, sizeof(RSA)); - if (engine) { rsa->meth = ENGINE_get_RSA_method(engine); } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c index 4274c9af..c1b26c2f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c @@ -155,7 +155,7 @@ static int ensure_fixed_copy(BIGNUM **out, const BIGNUM *in, int width) { return 0; } *out = copy; - CONSTTIME_SECRET(copy->d, sizeof(BN_ULONG) * width); + bn_secret(copy); return 1; } 
@@ -243,37 +243,23 @@ static int freeze_private_key(RSA *rsa, BN_CTX *ctx) { } // CRT components are only publicly bounded by their corresponding - // moduli's bit lengths. |rsa->iqmp| is unused outside of this one-time - // setup, so we do not compute a fixed-width version of it. + // moduli's bit lengths. if (!ensure_fixed_copy(&rsa->dmp1_fixed, rsa->dmp1, p_fixed->width) || !ensure_fixed_copy(&rsa->dmq1_fixed, rsa->dmq1, q_fixed->width)) { goto err; } - // Compute |inv_small_mod_large_mont|. Note that it is always modulo the - // larger prime, independent of what is stored in |rsa->iqmp|. - if (rsa->inv_small_mod_large_mont == NULL) { - BIGNUM *inv_small_mod_large_mont = BN_new(); - int ok; - if (BN_cmp(rsa->p, rsa->q) < 0) { - ok = inv_small_mod_large_mont != NULL && - bn_mod_inverse_secret_prime(inv_small_mod_large_mont, rsa->p, - rsa->q, ctx, rsa->mont_q) && - BN_to_montgomery(inv_small_mod_large_mont, - inv_small_mod_large_mont, rsa->mont_q, ctx); - } else { - ok = inv_small_mod_large_mont != NULL && - BN_to_montgomery(inv_small_mod_large_mont, rsa->iqmp, - rsa->mont_p, ctx); - } - if (!ok) { - BN_free(inv_small_mod_large_mont); + // Compute |iqmp_mont|, which is |iqmp| in Montgomery form and with the + // correct bit width. + if (rsa->iqmp_mont == NULL) { + BIGNUM *iqmp_mont = BN_new(); + if (iqmp_mont == NULL || + !BN_to_montgomery(iqmp_mont, rsa->iqmp, rsa->mont_p, ctx)) { + BN_free(iqmp_mont); goto err; } - rsa->inv_small_mod_large_mont = inv_small_mod_large_mont; - CONSTTIME_SECRET( - rsa->inv_small_mod_large_mont->d, - sizeof(BN_ULONG) * rsa->inv_small_mod_large_mont->width); + rsa->iqmp_mont = iqmp_mont; + bn_secret(rsa->iqmp_mont); } } } 
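Review bot: The CRT path now takes `rsa->iqmp` as supplied and converts it to Montgomery form, whereas the removed code recomputed the inverse itself whenever p < q, so a key with an inconsistent |iqmp| no longer gets corrected here and would yield wrong private-key results. That is fine only if the private-key validation path (not in this hunk) verifies |iqmp| == q^-1 mod p before a key reaches `freeze_private_key`; please confirm, and state the precondition in the new comment, e.g. `// |rsa->iqmp| is assumed to have been validated as q^-1 mod p before the key was frozen.` freeze_private_key's body starts and ends outside the hunk.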
@@ -302,8 +288,8 @@ void rsa_invalidate_key(RSA *rsa) { rsa->dmp1_fixed = NULL; BN_free(rsa->dmq1_fixed); rsa->dmq1_fixed = NULL; - BN_free(rsa->inv_small_mod_large_mont); - rsa->inv_small_mod_large_mont = NULL; + BN_free(rsa->iqmp_mont); + rsa->iqmp_mont = NULL; for (size_t i = 0; i < rsa->num_blindings; i++) { BN_BLINDING_free(rsa->blindings[i]); @@ -389,7 +375,7 @@ static BN_BLINDING *rsa_blinding_get(RSA *rsa, size_t *index_used, assert(new_num_blindings > rsa->num_blindings); BN_BLINDING **new_blindings = - OPENSSL_malloc(sizeof(BN_BLINDING *) * new_num_blindings); + OPENSSL_calloc(new_num_blindings, sizeof(BN_BLINDING *)); uint8_t *new_blindings_inuse = OPENSSL_malloc(new_num_blindings); if (new_blindings == NULL || new_blindings_inuse == NULL) { goto err; @@ -635,7 +621,9 @@ int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, goto err; } - if (BN_ucmp(f, rsa->n) >= 0) { + // The input to the RSA private transform may be secret, but padding is + // expected to construct a value within range, so we can leak this comparison. + if (constant_time_declassify_int(BN_ucmp(f, rsa->n) >= 0)) { // Usually the padding functions would catch this. OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); goto err; 
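Review bot: In the -389 hunk `new_blindings` moves to `OPENSSL_calloc` but the sibling `new_blindings_inuse` stays `OPENSSL_malloc(new_num_blindings)`, so the freshly grown tail of the in-use array is uninitialised at this point; rsa_blinding_get's body continues outside the hunk, and if the remaining code does not explicitly zero that tail, stale bytes would mark unallocated slots as in use. Switching it to `OPENSSL_calloc(new_num_blindings, 1)` for symmetry removes the dependence on that later step either way. The -635 hunk's `constant_time_declassify_int` comment is good; it would be worth adding that the same reasoning holds for the no-padding mode, where the caller already knows the input's magnitude.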
@@ -798,42 +786,37 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { goto err; } - // Implementing RSA with CRT in constant-time is sensitive to which prime is - // larger. Canonicalize fields so that |p| is the larger prime. - const BIGNUM *dmp1 = rsa->dmp1_fixed, *dmq1 = rsa->dmq1_fixed; - const BN_MONT_CTX *mont_p = rsa->mont_p, *mont_q = rsa->mont_q; - if (BN_cmp(rsa->p, rsa->q) < 0) { - mont_p = rsa->mont_q; - mont_q = rsa->mont_p; - dmp1 = rsa->dmq1_fixed; - dmq1 = rsa->dmp1_fixed; - } - // Use the minimal-width versions of |n|, |p|, and |q|. Either works, but if // someone gives us non-minimal values, these will be slightly more efficient // on the non-Montgomery operations. const BIGNUM *n = &rsa->mont_n->N; - const BIGNUM *p = &mont_p->N; - const BIGNUM *q = &mont_q->N; + const BIGNUM *p = &rsa->mont_p->N; + const BIGNUM *q = &rsa->mont_q->N; // This is a pre-condition for |mod_montgomery|. It was already checked by the // caller. assert(BN_ucmp(I, n) < 0); if (// |m1| is the result modulo |q|. - !mod_montgomery(r1, I, q, mont_q, p, ctx) || - !BN_mod_exp_mont_consttime(m1, r1, dmq1, q, ctx, mont_q) || + !mod_montgomery(r1, I, q, rsa->mont_q, p, ctx) || + !BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1_fixed, q, ctx, + rsa->mont_q) || // |r0| is the result modulo |p|. - !mod_montgomery(r1, I, p, mont_p, q, ctx) || - !BN_mod_exp_mont_consttime(r0, r1, dmp1, p, ctx, mont_p) || - // Compute r0 = r0 - m1 mod p. |p| is the larger prime, so |m1| is already - // fully reduced mod |p|. - !bn_mod_sub_consttime(r0, r0, m1, p, ctx) || + !mod_montgomery(r1, I, p, rsa->mont_p, q, ctx) || + !BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1_fixed, p, ctx, + rsa->mont_p) || + // Compute r0 = r0 - m1 mod p. |m1| is reduced mod |q|, not |p|, so we + // just run |mod_montgomery| again for simplicity. This could be more + // efficient with more cases: if |p > q|, |m1| is already reduced. 
If + // |p < q| but they have the same bit width, |bn_reduce_once| suffices. + // However, compared to over 2048 Montgomery multiplications above, this + // difference is not measurable. + !mod_montgomery(r1, m1, p, rsa->mont_p, q, ctx) || + !bn_mod_sub_consttime(r0, r0, r1, p, ctx) || // r0 = r0 * iqmp mod p. We use Montgomery multiplication to compute this - // in constant time. |inv_small_mod_large_mont| is in Montgomery form and - // r0 is not, so the result is taken out of Montgomery form. - !BN_mod_mul_montgomery(r0, r0, rsa->inv_small_mod_large_mont, mont_p, - ctx) || + // in constant time. |iqmp_mont| is in Montgomery form and r0 is not, so + // the result is taken out of Montgomery form. + !BN_mod_mul_montgomery(r0, r0, rsa->iqmp_mont, rsa->mont_p, ctx) || // r0 = r0 * q + m1 gives the final result. Reducing modulo q gives m1, so // it is correct mod p. Reducing modulo p gives (r0-m1)*iqmp*q + m1 = r0, // so it is correct mod q. Finally, the result is bounded by [m1, n + m1), @@ -1308,8 +1291,7 @@ static int RSA_generate_key_ex_maybe_fips(RSA *rsa, int bits, replace_bignum(&rsa->d_fixed, &tmp->d_fixed); replace_bignum(&rsa->dmp1_fixed, &tmp->dmp1_fixed); replace_bignum(&rsa->dmq1_fixed, &tmp->dmq1_fixed); - replace_bignum(&rsa->inv_small_mod_large_mont, - &tmp->inv_small_mod_large_mont); + replace_bignum(&rsa->iqmp_mont, &tmp->iqmp_mont); rsa->private_key_frozen = tmp->private_key_frozen; ret = 1; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2-linux.linux.x86_64.S index 95c16409..eaa8d40b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2-linux.linux.x86_64.S 
@@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text .globl rsaz_1024_sqr_avx2 @@ -21,6 +14,7 @@ .align 64 rsaz_1024_sqr_avx2: .cfi_startproc +_CET_ENDBR leaq (%rsp),%rax .cfi_def_cfa_register %rax pushq %rbx @@ -666,7 +660,7 @@ rsaz_1024_sqr_avx2: leaq (%rax),%rsp .cfi_def_cfa_register %rsp .Lsqr_1024_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_sqr_avx2,.-rsaz_1024_sqr_avx2 .globl rsaz_1024_mul_avx2 @@ -675,6 +669,7 @@ rsaz_1024_sqr_avx2: .align 64 rsaz_1024_mul_avx2: .cfi_startproc +_CET_ENDBR leaq (%rsp),%rax .cfi_def_cfa_register %rax pushq %rbx @@ -1222,7 +1217,7 @@ rsaz_1024_mul_avx2: leaq (%rax),%rsp .cfi_def_cfa_register %rsp .Lmul_1024_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_mul_avx2,.-rsaz_1024_mul_avx2 .globl rsaz_1024_red2norm_avx2 @@ -1231,6 +1226,7 @@ rsaz_1024_mul_avx2: .align 32 rsaz_1024_red2norm_avx2: .cfi_startproc +_CET_ENDBR subq $-128,%rsi xorq %rax,%rax movq -128(%rsi),%r8 @@ -1421,7 +1417,7 @@ rsaz_1024_red2norm_avx2: adcq $0,%r11 movq %rax,120(%rdi) movq %r11,%rax - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_red2norm_avx2,.-rsaz_1024_red2norm_avx2 @@ -1431,6 +1427,7 @@ rsaz_1024_red2norm_avx2: .align 32 rsaz_1024_norm2red_avx2: .cfi_startproc +_CET_ENDBR subq $-128,%rdi movq (%rsi),%r8 movl $0x1fffffff,%eax @@ -1582,7 +1579,7 @@ rsaz_1024_norm2red_avx2: movq %r8,168(%rdi) movq %r8,176(%rdi) movq %r8,184(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_norm2red_avx2,.-rsaz_1024_norm2red_avx2 .globl rsaz_1024_scatter5_avx2 
@@ -1591,6 +1588,7 @@ rsaz_1024_norm2red_avx2: .align 32 rsaz_1024_scatter5_avx2: .cfi_startproc +_CET_ENDBR vzeroupper vmovdqu .Lscatter_permd(%rip),%ymm5 shll $4,%edx @@ -1609,7 +1607,7 @@ rsaz_1024_scatter5_avx2: jnz .Loop_scatter_1024 vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_scatter5_avx2,.-rsaz_1024_scatter5_avx2 @@ -1619,6 +1617,7 @@ rsaz_1024_scatter5_avx2: .align 32 rsaz_1024_gather5_avx2: .cfi_startproc +_CET_ENDBR vzeroupper movq %rsp,%r11 .cfi_def_cfa_register %r11 @@ -1731,7 +1730,7 @@ rsaz_1024_gather5_avx2: vzeroupper leaq (%r11),%rsp .cfi_def_cfa_register %rsp - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_rsaz_1024_gather5: .size rsaz_1024_gather5_avx2,.-rsaz_1024_gather5_avx2 @@ -1750,10 +1749,6 @@ rsaz_1024_gather5_avx2: .align 64 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2-mac.mac.x86_64.S index d71daf0a..2e1ff833 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text .globl _rsaz_1024_sqr_avx2 @@ -21,6 +14,7 @@ .p2align 6 _rsaz_1024_sqr_avx2: +_CET_ENDBR leaq (%rsp),%rax pushq %rbx 
@@ -666,7 +660,7 @@ L$OOP_REDUCE_1024: leaq (%rax),%rsp L$sqr_1024_epilogue: - .byte 0xf3,0xc3 + ret .globl _rsaz_1024_mul_avx2 @@ -675,6 +669,7 @@ L$sqr_1024_epilogue: .p2align 6 _rsaz_1024_mul_avx2: +_CET_ENDBR leaq (%rsp),%rax pushq %rbx @@ -1222,7 +1217,7 @@ L$oop_mul_1024: leaq (%rax),%rsp L$mul_1024_epilogue: - .byte 0xf3,0xc3 + ret .globl _rsaz_1024_red2norm_avx2 @@ -1231,6 +1226,7 @@ L$mul_1024_epilogue: .p2align 5 _rsaz_1024_red2norm_avx2: +_CET_ENDBR subq $-128,%rsi xorq %rax,%rax movq -128(%rsi),%r8 @@ -1421,7 +1417,7 @@ _rsaz_1024_red2norm_avx2: adcq $0,%r11 movq %rax,120(%rdi) movq %r11,%rax - .byte 0xf3,0xc3 + ret @@ -1431,6 +1427,7 @@ _rsaz_1024_red2norm_avx2: .p2align 5 _rsaz_1024_norm2red_avx2: +_CET_ENDBR subq $-128,%rdi movq (%rsi),%r8 movl $0x1fffffff,%eax @@ -1582,7 +1579,7 @@ _rsaz_1024_norm2red_avx2: movq %r8,168(%rdi) movq %r8,176(%rdi) movq %r8,184(%rdi) - .byte 0xf3,0xc3 + ret .globl _rsaz_1024_scatter5_avx2 @@ -1591,6 +1588,7 @@ _rsaz_1024_norm2red_avx2: .p2align 5 _rsaz_1024_scatter5_avx2: +_CET_ENDBR vzeroupper vmovdqu L$scatter_permd(%rip),%ymm5 shll $4,%edx @@ -1609,7 +1607,7 @@ L$oop_scatter_1024: jnz L$oop_scatter_1024 vzeroupper - .byte 0xf3,0xc3 + ret @@ -1619,6 +1617,7 @@ L$oop_scatter_1024: .p2align 5 _rsaz_1024_gather5_avx2: +_CET_ENDBR vzeroupper movq %rsp,%r11 @@ -1731,7 +1730,7 @@ L$oop_gather_1024: vzeroupper leaq (%r11),%rsp - .byte 0xf3,0xc3 + ret L$SEH_end_rsaz_1024_gather5: @@ -1750,10 +1749,6 @@ L$inc: .p2align 6 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/fips.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/fips.c index 6d4304ee..b6a59cdf 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/fips.c 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/fips.c @@ -94,12 +94,11 @@ void boringssl_fips_inc_counter(enum fips_counter_t counter) { CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS); if (!array) { const size_t num_bytes = sizeof(size_t) * (fips_counter_max + 1); - array = OPENSSL_malloc(num_bytes); + array = OPENSSL_zalloc(num_bytes); if (!array) { return; } - OPENSSL_memset(array, 0, num_bytes); if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS, array, OPENSSL_free)) { // |OPENSSL_free| has already been called by |CRYPTO_set_thread_local|. diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/self_check.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/self_check.c index 313c6907..05e628c5 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/self_check.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/self_check.c @@ -249,11 +249,12 @@ static EC_KEY *self_test_ecdsa_key(void) { 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77, }; - EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); + EC_KEY *ec_key = EC_KEY_new(); BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL); BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL); BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL); if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL || + !EC_KEY_set_group(ec_key, EC_group_p256()) || !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) || !EC_KEY_set_private_key(ec_key, d)) { EC_KEY_free(ec_key); @@ -411,7 +412,6 @@ static int boringssl_self_test_rsa(void) { static int boringssl_self_test_ecc(void) { int ret = 0; EC_KEY *ec_key = NULL; - EC_GROUP *ec_group = NULL; EC_POINT *ec_point_in = NULL; EC_POINT *ec_point_out = NULL; BIGNUM *ec_scalar = NULL; 
@@ -506,11 +506,7 @@ static int boringssl_self_test_ecc(void) { 0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a, 0x0c, }; - ec_group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); - if (ec_group == NULL) { - fprintf(stderr, "Failed to create P-256 group.\n"); - goto err; - } + const EC_GROUP *ec_group = EC_group_p256(); ec_point_in = EC_POINT_new(ec_group); ec_point_out = EC_POINT_new(ec_group); ec_scalar = BN_new(); @@ -535,7 +531,6 @@ static int boringssl_self_test_ecc(void) { EC_KEY_free(ec_key); EC_POINT_free(ec_point_in); EC_POINT_free(ec_point_out); - EC_GROUP_free(ec_group); BN_free(ec_scalar); ECDSA_SIG_free(sig); @@ -918,11 +913,6 @@ static int boringssl_self_test_fast(void) { } // TLS KDF KAT - static const uint8_t kTLSSecret[32] = { - 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82, - 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e, - 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31, - }; static const char kTLSLabel[] = "FIPS self test"; static const uint8_t kTLSSeed1[16] = { 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2, 
@@ -932,17 +922,45 @@ static int boringssl_self_test_fast(void) { 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c, 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81, }; - static const uint8_t kTLSOutput[32] = { - 0xe2, 0x1d, 0xd6, 0xc2, 0x68, 0xc7, 0x57, 0x03, 0x2c, 0x2c, 0xeb, - 0xbb, 0xb8, 0xa9, 0x7d, 0xe9, 0xee, 0xe6, 0xc9, 0x47, 0x83, 0x0a, - 0xbd, 0x11, 0x60, 0x5d, 0xd5, 0x2c, 0x47, 0xb6, 0x05, 0x88, + + static const uint8_t kTLS10Secret[32] = { + 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82, + 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e, + 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31, + }; + static const uint8_t kTLS10Output[32] = { + 0x69, 0x7c, 0x4e, 0x2c, 0xee, 0x82, 0xb1, 0xd2, 0x8b, 0xac, 0x90, + 0x7a, 0xa1, 0x8a, 0x81, 0xfe, 0xc5, 0x58, 0x45, 0x57, 0x61, 0x2f, + 0x7a, 0x8d, 0x80, 0xfb, 0x44, 0xd8, 0x81, 0x60, 0xe5, 0xf8, + }; + uint8_t tls10_output[sizeof(kTLS10Output)]; + if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output), + kTLS10Secret, sizeof(kTLS10Secret), kTLSLabel, + sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1), + kTLSSeed2, sizeof(kTLSSeed2)) || + !check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output), + "TLS10-KDF KAT")) { + fprintf(stderr, "TLS KDF failed.\n"); + goto err; + } + + static const uint8_t kTLS12Secret[32] = { + 0xc5, 0x43, 0x8e, 0xe2, 0x6f, 0xd4, 0xac, 0xbd, 0x25, 0x9f, 0xc9, + 0x18, 0x55, 0xdc, 0x69, 0xbf, 0x88, 0x4e, 0xe2, 0x93, 0x22, 0xfc, + 0xbf, 0xd2, 0x96, 0x6a, 0x46, 0x23, 0xd4, 0x2e, 0xc7, 0x81, + }; + static const uint8_t kTLS12Output[32] = { + 0xee, 0x4a, 0xcd, 0x3f, 0xa3, 0xd3, 0x55, 0x89, 0x9e, 0x6f, 0xf1, + 0x38, 0x46, 0x9d, 0x2b, 0x33, 0xaa, 0x7f, 0xc4, 0x7f, 0x51, 0x85, + 0x8a, 0xf3, 0x13, 0x84, 0xbf, 0x53, 0x6a, 0x65, 0x37, 0x51, }; - uint8_t tls_output[sizeof(kTLSOutput)]; - if (!CRYPTO_tls1_prf(EVP_sha256(), tls_output, sizeof(tls_output), kTLSSecret, - sizeof(kTLSSecret), kTLSLabel, sizeof(kTLSLabel), - kTLSSeed1, sizeof(kTLSSeed1), 
kTLSSeed2, - sizeof(kTLSSeed2)) || - !check_test(kTLSOutput, tls_output, sizeof(kTLSOutput), "TLS-KDF KAT")) { + uint8_t tls12_output[sizeof(kTLS12Output)]; + if (!CRYPTO_tls1_prf(EVP_sha256(), tls12_output, sizeof(tls12_output), + kTLS12Secret, sizeof(kTLS12Secret), kTLSLabel, + sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1), + kTLSSeed2, sizeof(kTLSSeed2)) || + !check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output), + "TLS12-KDF KAT")) { fprintf(stderr, "TLS KDF failed.\n"); goto err; } @@ -983,7 +1001,7 @@ static int boringssl_self_test_fast(void) { !check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output, sizeof(kTLS13ExpandLabelOutput), "CRYPTO_tls13_hkdf_expand_label")) { - fprintf(stderr, "TLSv1.3 KDF failed.\n"); + fprintf(stderr, "TLS13-KDF failed.\n"); goto err; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c index 8fcd24c0..a16211b8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c @@ -303,14 +303,11 @@ void HMAC_verify_service_indicator(const EVP_MD *evp_md) { } void TLSKDF_verify_service_indicator(const EVP_MD *md) { - // HMAC-MD5, HMAC-SHA1, and HMAC-MD5/HMAC-SHA1 (both used concurrently) are - // approved for use in the KDF in TLS 1.0/1.1. - // HMAC-SHA{256, 384, 512} are approved for use in the KDF in TLS 1.2. - // These Key Derivation functions are to be used in the context of the TLS - // protocol. + // HMAC-MD5/HMAC-SHA1 (both used concurrently) is approved for use in the KDF + // in TLS 1.0/1.1. HMAC-SHA{256, 384, 512} are approved for use in the KDF in + // TLS 1.2. These Key Derivation functions are to be used in the context of + // the TLS protocol. switch (EVP_MD_type(md)) { - case NID_md5: - case NID_sha1: case NID_md5_sha1: case NID_sha256: case NID_sha384: 
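Review bot: Both new KAT failure branches print the identical string `fprintf(stderr, "TLS KDF failed.\n");`, so a failing self-test cannot be told apart between the TLS 1.0 (MD5/SHA-1) PRF and the TLS 1.2 (SHA-256) PRF from the stderr line alone, even though the same patch renames the 1.3 message to `TLS13-KDF failed.`. I would make the two messages `"TLS10-KDF failed.\n"` and `"TLS12-KDF failed.\n"` to match the `"TLS10-KDF KAT"` / `"TLS12-KDF KAT"` labels passed to check_test just above each of them. Note also that both calls pass `sizeof(kTLSLabel)`, which counts the trailing NUL of "FIPS self test" as part of the PRF label; the expected vectors presumably bake that in, so the length must stay as is, but a one-line comment saying so would stop a future reader from "fixing" it and breaking the KAT. boringssl_self_test_fast starts and ends outside this hunk.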
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/internal.h index a23eeaca..207eec5d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/internal.h 
@@ -17,25 +17,172 @@ #include +#include "../../internal.h" + #if defined(__cplusplus) extern "C" { #endif +// Define SHA{n}[_{variant}]_ASM if sha{n}_block_data_order[_{variant}] is +// defined in assembly. + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \ - defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) #define SHA1_ASM #define SHA256_ASM #define SHA512_ASM -void sha1_block_data_order(uint32_t *state, const uint8_t *in, + +void sha1_block_data_order(uint32_t *state, const uint8_t *data, size_t num_blocks); -void sha256_block_data_order(uint32_t *state, const uint8_t *in, +void sha256_block_data_order(uint32_t *state, const uint8_t *data, size_t num_blocks); -void sha512_block_data_order(uint64_t *state, const uint8_t *in, +void sha512_block_data_order(uint64_t *state, const uint8_t *data, size_t num_blocks); + +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) + +#define SHA1_ASM_NOHW +#define SHA256_ASM_NOHW +#define SHA512_ASM_NOHW + +#define SHA1_ASM_HW +OPENSSL_INLINE int sha1_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA1_capable(); +} + +#define SHA1_ASM_NEON +void sha1_block_data_order_neon(uint32_t *state, const uint8_t *data, + size_t num); + +#define SHA256_ASM_HW +OPENSSL_INLINE int sha256_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA256_capable(); +} + +#define SHA256_ASM_NEON +void sha256_block_data_order_neon(uint32_t *state, const uint8_t *data, + size_t num); + +// Armv8.2 SHA-512 instructions are not available in 32-bit. 
+#define SHA512_ASM_NEON +void sha512_block_data_order_neon(uint64_t *state, const uint8_t *data, + size_t num); + +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) + +#define SHA1_ASM_NOHW +#define SHA256_ASM_NOHW +#define SHA512_ASM_NOHW + +#define SHA1_ASM_HW +OPENSSL_INLINE int sha1_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA1_capable(); +} + +#define SHA256_ASM_HW +OPENSSL_INLINE int sha256_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA256_capable(); +} + +#define SHA512_ASM_HW +OPENSSL_INLINE int sha512_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA512_capable(); +} + +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) + +#define SHA1_ASM_NOHW +#define SHA256_ASM_NOHW +#define SHA512_ASM_NOHW + +#define SHA1_ASM_HW +OPENSSL_INLINE int sha1_hw_capable(void) { + return CRYPTO_is_x86_SHA_capable() && CRYPTO_is_SSSE3_capable(); +} + +#define SHA1_ASM_AVX2 +OPENSSL_INLINE int sha1_avx2_capable(void) { + return CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable() && + CRYPTO_is_BMI1_capable(); +} +void sha1_block_data_order_avx2(uint32_t *state, const uint8_t *data, + size_t num); + +#define SHA1_ASM_AVX +OPENSSL_INLINE int sha1_avx_capable(void) { + // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the + // discussion in sha1-586.pl. + return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu(); +} +void sha1_block_data_order_avx(uint32_t *state, const uint8_t *data, + size_t num); + +#define SHA1_ASM_SSSE3 +OPENSSL_INLINE int sha1_ssse3_capable(void) { + return CRYPTO_is_SSSE3_capable(); +} +void sha1_block_data_order_ssse3(uint32_t *state, const uint8_t *data, + size_t num); + +#define SHA256_ASM_HW +OPENSSL_INLINE int sha256_hw_capable(void) { + // Note that the original assembly did not check SSSE3. 
+ return CRYPTO_is_x86_SHA_capable() && CRYPTO_is_SSSE3_capable(); +} + +#define SHA256_ASM_AVX +OPENSSL_INLINE int sha256_avx_capable(void) { + // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the + // discussion in sha1-586.pl. + return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu(); +} +void sha256_block_data_order_avx(uint32_t *state, const uint8_t *data, + size_t num); + +#define SHA256_ASM_SSSE3 +OPENSSL_INLINE int sha256_ssse3_capable(void) { + return CRYPTO_is_SSSE3_capable(); +} +void sha256_block_data_order_ssse3(uint32_t *state, const uint8_t *data, + size_t num); + +#define SHA512_ASM_AVX +OPENSSL_INLINE int sha512_avx_capable(void) { + // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the + // discussion in sha1-586.pl. + return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu(); +} +void sha512_block_data_order_avx(uint64_t *state, const uint8_t *data, + size_t num); + #endif +#if defined(SHA1_ASM_HW) +void sha1_block_data_order_hw(uint32_t *state, const uint8_t *data, size_t num); +#endif +#if defined(SHA1_ASM_NOHW) +void sha1_block_data_order_nohw(uint32_t *state, const uint8_t *data, + size_t num); +#endif + +#if defined(SHA256_ASM_HW) +void sha256_block_data_order_hw(uint32_t *state, const uint8_t *data, + size_t num); +#endif +#if defined(SHA256_ASM_NOHW) +void sha256_block_data_order_nohw(uint32_t *state, const uint8_t *data, + size_t num); +#endif + +#if defined(SHA512_ASM_HW) +void sha512_block_data_order_hw(uint64_t *state, const uint8_t *data, + size_t num); +#endif + +#if defined(SHA512_ASM_NOHW) +void sha512_block_data_order_nohw(uint64_t *state, const uint8_t *data, + size_t num); +#endif #if defined(__cplusplus) } // extern "C" diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha1.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha1.c index f63526ce..295a9a75 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha1.c 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha1.c 
@@ -100,19 +100,60 @@ int SHA1_Update(SHA_CTX *c, const void *data, size_t len) { return 1; } +static void sha1_output_state(uint8_t out[SHA_DIGEST_LENGTH], + const SHA_CTX *ctx) { + CRYPTO_store_u32_be(out, ctx->h[0]); + CRYPTO_store_u32_be(out + 4, ctx->h[1]); + CRYPTO_store_u32_be(out + 8, ctx->h[2]); + CRYPTO_store_u32_be(out + 12, ctx->h[3]); + CRYPTO_store_u32_be(out + 16, ctx->h[4]); +} + int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) { crypto_md32_final(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num, c->Nh, c->Nl, /*is_big_endian=*/1); - CRYPTO_store_u32_be(out, c->h[0]); - CRYPTO_store_u32_be(out + 4, c->h[1]); - CRYPTO_store_u32_be(out + 8, c->h[2]); - CRYPTO_store_u32_be(out + 12, c->h[3]); - CRYPTO_store_u32_be(out + 16, c->h[4]); + sha1_output_state(out, c); FIPS_service_indicator_update_state(); return 1; } +void CRYPTO_fips_186_2_prf(uint8_t *out, size_t out_len, + const uint8_t xkey[SHA_DIGEST_LENGTH]) { + // XKEY and XVAL are 160-bit values, but are internally right-padded up to + // block size. See FIPS 186-2, Appendix 3.3. This buffer maintains both the + // current value of XKEY and the padding. + uint8_t block[SHA_CBLOCK] = {0}; + OPENSSL_memcpy(block, xkey, SHA_DIGEST_LENGTH); + + while (out_len != 0) { + // We always use a zero XSEED, so we can merge the inner and outer loops. + // XVAL is also always equal to XKEY. + SHA_CTX ctx; + SHA1_Init(&ctx); + SHA1_Transform(&ctx, block); + + // XKEY = (1 + XKEY + w_i) mod 2^b + uint32_t carry = 1; + for (int i = 4; i >= 0; i--) { + uint32_t tmp = CRYPTO_load_u32_be(block + i * 4); + tmp = CRYPTO_addc_u32(tmp, ctx.h[i], carry, &carry); + CRYPTO_store_u32_be(block + i * 4, tmp); + } + + // Output w_i. 
+ if (out_len < SHA_DIGEST_LENGTH) { + uint8_t buf[SHA_DIGEST_LENGTH]; + sha1_output_state(buf, &ctx); + OPENSSL_memcpy(out, buf, out_len); + break; + } + sha1_output_state(out, &ctx); + out += SHA_DIGEST_LENGTH; + out_len -= SHA_DIGEST_LENGTH; + } +} + #define Xupdate(a, ix, ia, ib, ic, id) \ do { \ (a) = ((ia) ^ (ib) ^ (ic) ^ (id)); \ @@ -191,8 +232,10 @@ int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) { #define X(i) XX##i #if !defined(SHA1_ASM) -static void sha1_block_data_order(uint32_t *state, const uint8_t *data, - size_t num) { + +#if !defined(SHA1_ASM_NOHW) +static void sha1_block_data_order_nohw(uint32_t *state, const uint8_t *data, + size_t num) { register uint32_t A, B, C, D, E, T; uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12, XX13, XX14, XX15; @@ -339,7 +382,44 @@ static void sha1_block_data_order(uint32_t *state, const uint8_t *data, E = state[4]; } } +#endif // !SHA1_ASM_NOHW + +static void sha1_block_data_order(uint32_t *state, const uint8_t *data, + size_t num) { +#if defined(SHA1_ASM_HW) + if (sha1_hw_capable()) { + sha1_block_data_order_hw(state, data, num); + return; + } +#endif +#if defined(SHA1_ASM_AVX2) + if (sha1_avx2_capable()) { + sha1_block_data_order_avx(state, data, num); + return; + } +#endif +#if defined(SHA1_ASM_AVX) + if (sha1_avx_capable()) { + sha1_block_data_order_avx(state, data, num); + return; + } #endif +#if defined(SHA1_ASM_SSSE3) + if (sha1_ssse3_capable()) { + sha1_block_data_order_ssse3(state, data, num); + return; + } +#endif +#if defined(SHA1_ASM_NEON) + if (CRYPTO_is_NEON_capable()) { + sha1_block_data_order_neon(state, data, num); + return; + } +#endif + sha1_block_data_order_nohw(state, data, num); +} + +#endif // !SHA1_ASM #undef Xupdate #undef K_00_19 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha256.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha256.c index b910f04e..3114f986 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha256.c 
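Review bot: CRYPTO_fips_186_2_prf leaves the evolving XKEY in the stack buffer `block` (and the last w_i in `ctx.h`) when it returns, and nothing in the new function clears it; since every output byte is derived from XKEY, that residue is key material. I would add `OPENSSL_cleanse(block, sizeof(block));` after the while loop (the `break` in the short-tail case lands there too) and, if the cost is acceptable, hoist `ctx` out of the loop so it can be cleansed once as well, giving the tail-case `buf` the same treatment. I cannot see from the hunk whether OPENSSL_cleanse is already in scope in sha1.c, so a `#include <openssl/mem.h>` may be needed. The arithmetic itself looks right: the big-endian word loop with CRYPTO_addc_u32 and an initial carry of 1 matches the `XKEY = (1 + XKEY + w_i) mod 2^b` comment.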
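Review bot: The AVX2 branch of the new sha1_block_data_order dispatcher calls the wrong routine: under `#if defined(SHA1_ASM_AVX2)` the body reads `sha1_block_data_order_avx(state, data, num);`, while internal.h in this same patch declares `sha1_block_data_order_avx2` under that macro and nothing else references it. The fix is the single line `sha1_block_data_order_avx2(state, data, num);`. As written, the AVX2 gate (`AVX2 && BMI1 && BMI2`) routes to the AVX routine without passing through `sha1_avx_capable()`, which deliberately excludes non-Intel CPUs, so a non-Intel AVX2 part without SHA extensions ends up on the path that gate was meant to avoid; the digest is presumably still correct, since both routines compute SHA-1 and AVX2 implies AVX in practice, which is exactly why a KAT would not catch this. The sha256 and sha512 dispatchers in this patch have no AVX2 variant and do not share the mistake.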
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha256.c @@ -114,7 +114,7 @@ uint8_t *SHA256(const uint8_t *data, size_t len, return out; } -#ifndef SHA256_ASM +#if !defined(SHA256_ASM) static void sha256_block_data_order(uint32_t *state, const uint8_t *in, size_t num); #endif @@ -172,7 +172,9 @@ int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) { return sha256_final_impl(out, SHA224_DIGEST_LENGTH, ctx); } -#ifndef SHA256_ASM +#if !defined(SHA256_ASM) + +#if !defined(SHA256_ASM_NOHW) static const uint32_t K256[64] = { 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, @@ -221,8 +223,8 @@ static const uint32_t K256[64] = { ROUND_00_15(i, a, b, c, d, e, f, g, h); \ } while (0) -static void sha256_block_data_order(uint32_t *state, const uint8_t *data, - size_t num) { +static void sha256_block_data_order_nohw(uint32_t *state, const uint8_t *data, + size_t num) { uint32_t a, b, c, d, e, f, g, h, s0, s1, T1; uint32_t X[16]; int i; 
@@ -308,7 +310,39 @@ static void sha256_block_data_order(uint32_t *state, const uint8_t *data, } } -#endif // !SHA256_ASM +#endif // !defined(SHA256_ASM_NOHW) + +static void sha256_block_data_order(uint32_t *state, const uint8_t *data, + size_t num) { +#if defined(SHA256_ASM_HW) + if (sha256_hw_capable()) { + sha256_block_data_order_hw(state, data, num); + return; + } +#endif +#if defined(SHA256_ASM_AVX) + if (sha256_avx_capable()) { + sha256_block_data_order_avx(state, data, num); + return; + } +#endif +#if defined(SHA256_ASM_SSSE3) + if (sha256_ssse3_capable()) { + sha256_block_data_order_ssse3(state, data, num); + return; + } +#endif +#if defined(SHA256_ASM_NEON) + if (CRYPTO_is_NEON_capable()) { + sha256_block_data_order_neon(state, data, num); + return; + } +#endif + sha256_block_data_order_nohw(state, data, num); +} + +#endif // !defined(SHA256_ASM) + void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data, size_t num_blocks) { diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha512.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha512.c index 1bbeace1..d1dcaaf1 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha512.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha512.c @@ -279,7 +279,9 @@ static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) { return 1; } -#ifndef SHA512_ASM +#if !defined(SHA512_ASM) + +#if !defined(SHA512_ASM_NOHW) static const uint64_t K512[80] = { UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd), UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc), 
@@ -341,8 +343,8 @@ static const uint64_t K512[80] = { #if defined(__i386) || defined(__i386__) || defined(_M_IX86) // This code should give better results on 32-bit CPU with less than // ~24 registers, both size and performance wise... -static void sha512_block_data_order(uint64_t *state, const uint8_t *in, - size_t num) { +static void sha512_block_data_order_nohw(uint64_t *state, const uint8_t *in, + size_t num) { uint64_t A, E, T; uint64_t X[9 + 80], *F; int i; @@ -414,8 +416,8 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in, ROUND_00_15(i + j, a, b, c, d, e, f, g, h); \ } while (0) -static void sha512_block_data_order(uint64_t *state, const uint8_t *in, - size_t num) { +static void sha512_block_data_order_nohw(uint64_t *state, const uint8_t *in, + size_t num) { uint64_t a, b, c, d, e, f, g, h, s0, s1, T1; uint64_t X[16]; int i; @@ -498,6 +500,31 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in, #endif +#endif // !SHA512_ASM_NOHW + +static void sha512_block_data_order(uint64_t *state, const uint8_t *data, + size_t num) { +#if defined(SHA512_ASM_HW) + if (sha512_hw_capable()) { + sha512_block_data_order_hw(state, data, num); + return; + } +#endif +#if defined(SHA512_ASM_AVX) + if (sha512_avx_capable()) { + sha512_block_data_order_avx(state, data, num); + return; + } +#endif +#if defined(SHA512_ASM_NEON) + if (CRYPTO_is_NEON_capable()) { + sha512_block_data_order_neon(state, data, num); + return; + } +#endif + sha512_block_data_order_nohw(state, data, num); +} + #endif // !SHA512_ASM #undef Sigma0 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586-linux.linux.x86.S index 085262c7..161c235a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586-linux.linux.x86.S 
@@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl sha1_block_data_order .hidden sha1_block_data_order @@ -3812,11 +3805,7 @@ _sha1_block_data_order_avx: .byte 102,111,114,109,32,102,111,114,32,120,56,54,44,32,67,82 .byte 89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112 .byte 114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv4-large-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv4-large-ios.ios.arm.S index 0c54f7a5..d2694d47 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv4-large-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv4-large-ios.ios.arm.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) #include .text @@ -24,27 +16,14 @@ .code 32 #endif -.globl _sha1_block_data_order -.private_extern _sha1_block_data_order +.globl _sha1_block_data_order_nohw +.private_extern _sha1_block_data_order_nohw #ifdef __thumb2__ -.thumb_func _sha1_block_data_order +.thumb_func _sha1_block_data_order_nohw #endif .align 5 -_sha1_block_data_order: -#if __ARM_MAX_ARCH__>=7 -Lsha1_block: - adr r3,Lsha1_block - ldr r12,LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV8_SHA1 - bne LARMv8 - tst r12,#ARMV7_NEON - bne LNEON -#endif +_sha1_block_data_order_nohw: stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} add r2,r1,r2,lsl#6 @ r2 to point at the end of r1 ldmia r0,{r3,r4,r5,r6,r7} @@ -56,7 +35,7 @@ Lloop: mov r6,r6,ror#30 mov r7,r7,ror#30 @ [6] L_00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -81,7 +60,7 @@ L_00_15: eor r10,r10,r6,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r7,r7,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -106,7 +85,7 @@ L_00_15: eor r10,r10,r5,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r6,r6,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] 
@@ -131,7 +110,7 @@ L_00_15: eor r10,r10,r4,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r5,r5,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -156,7 +135,7 @@ L_00_15: eor r10,r10,r3,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r4,r4,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -189,7 +168,7 @@ L_00_15: #endif bne L_00_15 @ [((11+4)*5+2)*3] sub sp,sp,#25*4 -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -487,7 +466,7 @@ L_done: teq r1,r2 bne Lloop @ [+18], total 1307 -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} @@ -502,10 +481,6 @@ LK_00_19:.word 0x5a827999 LK_20_39:.word 0x6ed9eba1 LK_40_59:.word 0x8f1bbcdc LK_60_79:.word 0xca62c1d6 -#if __ARM_MAX_ARCH__>=7 -LOPENSSL_armcap: -.word OPENSSL_armcap_P-Lsha1_block -#endif .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 5 @@ -513,12 +488,13 @@ LOPENSSL_armcap: +.globl _sha1_block_data_order_neon +.private_extern _sha1_block_data_order_neon #ifdef __thumb2__ -.thumb_func sha1_block_data_order_neon +.thumb_func _sha1_block_data_order_neon #endif .align 4 -sha1_block_data_order_neon: -LNEON: +_sha1_block_data_order_neon: stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} add r2,r1,r2,lsl#6 @ r2 to point at the end of r1 @ dmb @ errata #451034 on early Cortex A8 
@@ -1374,12 +1350,13 @@ Loop_neon: # define INST(a,b,c,d) .byte a,b,c,d|0x10 # endif +.globl _sha1_block_data_order_hw +.private_extern _sha1_block_data_order_hw #ifdef __thumb2__ -.thumb_func sha1_block_data_order_armv8 +.thumb_func _sha1_block_data_order_hw #endif .align 5 -sha1_block_data_order_armv8: -LARMv8: +_sha1_block_data_order_hw: vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so veor q1,q1,q1 @@ -1509,19 +1486,7 @@ Loop_v8: bx lr @ bx lr #endif -#if __ARM_MAX_ARCH__>=7 -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -.private_extern _OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv4-large-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv4-large-linux.linux.arm.S index 723803ae..a1aa4817 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv4-large-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv4-large-linux.linux.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) #include .text 
@@ -24,25 +16,12 @@ .code 32 #endif -.globl sha1_block_data_order -.hidden sha1_block_data_order -.type sha1_block_data_order,%function +.globl sha1_block_data_order_nohw +.hidden sha1_block_data_order_nohw +.type sha1_block_data_order_nohw,%function .align 5 -sha1_block_data_order: -#if __ARM_MAX_ARCH__>=7 -.Lsha1_block: - adr r3,.Lsha1_block - ldr r12,.LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV8_SHA1 - bne .LARMv8 - tst r12,#ARMV7_NEON - bne .LNEON -#endif +sha1_block_data_order_nohw: stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} add r2,r1,r2,lsl#6 @ r2 to point at the end of r1 ldmia r0,{r3,r4,r5,r6,r7} @@ -54,7 +33,7 @@ sha1_block_data_order: mov r6,r6,ror#30 mov r7,r7,ror#30 @ [6] .L_00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -79,7 +58,7 @@ sha1_block_data_order: eor r10,r10,r6,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r7,r7,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -104,7 +83,7 @@ sha1_block_data_order: eor r10,r10,r5,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r6,r6,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -129,7 +108,7 @@ sha1_block_data_order: eor r10,r10,r4,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r5,r5,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -154,7 +133,7 @@ sha1_block_data_order: eor r10,r10,r3,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r4,r4,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -187,7 +166,7 @@ sha1_block_data_order: #endif bne .L_00_15 @ [((11+4)*5+2)*3] sub sp,sp,#25*4 -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] 
@@ -485,7 +464,7 @@ sha1_block_data_order: teq r1,r2 bne .Lloop @ [+18], total 1307 -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} @@ -493,17 +472,13 @@ sha1_block_data_order: moveq pc,lr @ be binary compatible with V4, yet .word 0xe12fff1e @ interoperable with Thumb ISA:-) #endif -.size sha1_block_data_order,.-sha1_block_data_order +.size sha1_block_data_order_nohw,.-sha1_block_data_order_nohw .align 5 .LK_00_19:.word 0x5a827999 .LK_20_39:.word 0x6ed9eba1 .LK_40_59:.word 0x8f1bbcdc .LK_60_79:.word 0xca62c1d6 -#if __ARM_MAX_ARCH__>=7 -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.Lsha1_block -#endif .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 5 @@ -511,10 +486,11 @@ sha1_block_data_order: .arch armv7-a .fpu neon +.globl sha1_block_data_order_neon +.hidden sha1_block_data_order_neon .type sha1_block_data_order_neon,%function .align 4 sha1_block_data_order_neon: -.LNEON: stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} add r2,r1,r2,lsl#6 @ r2 to point at the end of r1 @ dmb @ errata #451034 on early Cortex A8 @@ -1370,10 +1346,11 @@ sha1_block_data_order_neon: # define INST(a,b,c,d) .byte a,b,c,d|0x10 # endif -.type sha1_block_data_order_armv8,%function +.globl sha1_block_data_order_hw +.hidden sha1_block_data_order_hw +.type sha1_block_data_order_hw,%function .align 5 -sha1_block_data_order_armv8: -.LARMv8: +sha1_block_data_order_hw: vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so veor q1,q1,q1 
@@ -1501,17 +1478,9 @@ sha1_block_data_order_armv8: vldmia sp!,{d8,d9,d10,d11,d12,d13,d14,d15} bx lr @ bx lr -.size sha1_block_data_order_armv8,.-sha1_block_data_order_armv8 -#endif -#if __ARM_MAX_ARCH__>=7 -.comm OPENSSL_armcap_P,4,4 -.hidden OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits +.size sha1_block_data_order_hw,.-sha1_block_data_order_hw #endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8-ios.ios.aarch64.S index df0c942a..91ff1d29 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8-ios.ios.aarch64.S 
@@ -3,38 +3,20 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include .text - -.private_extern _OPENSSL_armcap_P -.globl _sha1_block_data_order -.private_extern _sha1_block_data_order +.globl _sha1_block_data_order_nohw +.private_extern _sha1_block_data_order_nohw .align 6 -_sha1_block_data_order: +_sha1_block_data_order_nohw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET -#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:_OPENSSL_armcap_P -#else - adrp x16,_OPENSSL_armcap_P@PAGE -#endif - ldr w16,[x16,_OPENSSL_armcap_P@PAGEOFF] - tst w16,#ARMV8_SHA1 - b.ne Lv8_entry stp x29,x30,[sp,#-96]! add x29,sp,#0 @@ -1091,12 +1073,13 @@ Loop: ldr x29,[sp],#96 ret +.globl _sha1_block_data_order_hw +.private_extern _sha1_block_data_order_hw .align 6 -sha1_block_armv8: +_sha1_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET -Lv8_entry: stp x29,x30,[sp,#-16]! add x29,sp,#0 
@@ -1234,11 +1217,7 @@ Lconst: .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8-linux.linux.aarch64.S index 897b2a14..b7b10074 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8-linux.linux.aarch64.S 
@@ -3,38 +3,20 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include .text - -.hidden OPENSSL_armcap_P -.globl sha1_block_data_order -.hidden sha1_block_data_order -.type sha1_block_data_order,%function +.globl sha1_block_data_order_nohw +.hidden sha1_block_data_order_nohw +.type sha1_block_data_order_nohw,%function .align 6 -sha1_block_data_order: +sha1_block_data_order_nohw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET -#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:OPENSSL_armcap_P -#else - adrp x16,OPENSSL_armcap_P -#endif - ldr w16,[x16,:lo12:OPENSSL_armcap_P] - tst w16,#ARMV8_SHA1 - b.ne .Lv8_entry stp x29,x30,[sp,#-96]! add x29,sp,#0 @@ -1090,13 +1072,14 @@ sha1_block_data_order: ldp x27,x28,[sp,#80] ldr x29,[sp],#96 ret -.size sha1_block_data_order,.-sha1_block_data_order -.type sha1_block_armv8,%function +.size sha1_block_data_order_nohw,.-sha1_block_data_order_nohw +.globl sha1_block_data_order_hw +.hidden sha1_block_data_order_hw +.type sha1_block_data_order_hw,%function .align 6 -sha1_block_armv8: +sha1_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET -.Lv8_entry: stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1223,7 +1206,7 @@ sha1_block_armv8: ldr x29,[sp],#16 ret -.size sha1_block_armv8,.-sha1_block_armv8 +.size sha1_block_data_order_hw,.-sha1_block_data_order_hw .section .rodata .align 6 .Lconst: 
@@ -1234,11 +1217,7 @@ sha1_block_armv8: .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64-linux.linux.x86_64.S index ba13ad99..167d3865 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64-linux.linux.x86_64.S 
@@ -3,46 +3,18 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P -.globl sha1_block_data_order -.hidden sha1_block_data_order -.type sha1_block_data_order,@function +.globl sha1_block_data_order_nohw +.hidden sha1_block_data_order_nohw +.type sha1_block_data_order_nohw,@function .align 16 -sha1_block_data_order: +sha1_block_data_order_nohw: .cfi_startproc - leaq OPENSSL_ia32cap_P(%rip),%r10 - movl 0(%r10),%r9d - movl 4(%r10),%r8d - movl 8(%r10),%r10d - testl $512,%r8d - jz .Lialu - testl $536870912,%r10d - jnz _shaext_shortcut - andl $296,%r10d - cmpl $296,%r10d - je _avx2_shortcut - andl $268435456,%r8d - andl $1073741824,%r9d - orl %r9d,%r8d - cmpl $1342177280,%r8d - je _avx_shortcut - jmp _ssse3_shortcut - -.align 16 -.Lialu: +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -1270,14 +1242,16 @@ sha1_block_data_order: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size sha1_block_data_order,.-sha1_block_data_order -.type sha1_block_data_order_shaext,@function +.size sha1_block_data_order_nohw,.-sha1_block_data_order_nohw +.globl sha1_block_data_order_hw +.hidden sha1_block_data_order_hw +.type sha1_block_data_order_hw,@function .align 32 -sha1_block_data_order_shaext: -_shaext_shortcut: +sha1_block_data_order_hw: .cfi_startproc +_CET_ENDBR movdqu (%rdi),%xmm0 movd 16(%rdi),%xmm1 movdqa K_XX_XX+160(%rip),%xmm3 
@@ -1440,14 +1414,16 @@ _shaext_shortcut: pshufd $27,%xmm1,%xmm1 movdqu %xmm0,(%rdi) movd %xmm1,16(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc -.size sha1_block_data_order_shaext,.-sha1_block_data_order_shaext +.size sha1_block_data_order_hw,.-sha1_block_data_order_hw +.globl sha1_block_data_order_ssse3 +.hidden sha1_block_data_order_ssse3 .type sha1_block_data_order_ssse3,@function .align 16 sha1_block_data_order_ssse3: -_ssse3_shortcut: .cfi_startproc +_CET_ENDBR movq %rsp,%r11 .cfi_def_cfa_register %r11 pushq %rbx @@ -2628,14 +2604,16 @@ _ssse3_shortcut: leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lepilogue_ssse3: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha1_block_data_order_ssse3,.-sha1_block_data_order_ssse3 +.globl sha1_block_data_order_avx +.hidden sha1_block_data_order_avx .type sha1_block_data_order_avx,@function .align 16 sha1_block_data_order_avx: -_avx_shortcut: .cfi_startproc +_CET_ENDBR movq %rsp,%r11 .cfi_def_cfa_register %r11 pushq %rbx @@ -3756,14 +3734,16 @@ _avx_shortcut: leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lepilogue_avx: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha1_block_data_order_avx,.-sha1_block_data_order_avx +.globl sha1_block_data_order_avx2 +.hidden sha1_block_data_order_avx2 .type sha1_block_data_order_avx2,@function .align 16 sha1_block_data_order_avx2: -_avx2_shortcut: .cfi_startproc +_CET_ENDBR movq %rsp,%r11 .cfi_def_cfa_register %r11 pushq %rbx @@ -5449,7 +5429,7 @@ _avx2_shortcut: leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lepilogue_avx2: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha1_block_data_order_avx2,.-sha1_block_data_order_avx2 .section .rodata @@ -5470,10 +5450,6 @@ K_XX_XX: .align 64 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64-mac.mac.x86_64.S index ed807ba6..37386c18 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64-mac.mac.x86_64.S @@ -3,45 +3,18 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - -.globl _sha1_block_data_order -.private_extern _sha1_block_data_order +.globl _sha1_block_data_order_nohw +.private_extern _sha1_block_data_order_nohw .p2align 4 -_sha1_block_data_order: - - leaq _OPENSSL_ia32cap_P(%rip),%r10 - movl 0(%r10),%r9d - movl 4(%r10),%r8d - movl 8(%r10),%r10d - testl $512,%r8d - jz L$ialu - testl $536870912,%r10d - jnz _shaext_shortcut - andl $296,%r10d - cmpl $296,%r10d - je _avx2_shortcut - andl $268435456,%r8d - andl $1073741824,%r9d - orl %r9d,%r8d - cmpl $1342177280,%r8d - je _avx_shortcut - jmp _ssse3_shortcut +_sha1_block_data_order_nohw: -.p2align 4 -L$ialu: +_CET_ENDBR movq %rsp,%rax pushq %rbx @@ -1269,14 +1242,16 @@ L$loop: leaq (%rsi),%rsp L$epilogue: - .byte 0xf3,0xc3 + ret +.globl _sha1_block_data_order_hw +.private_extern _sha1_block_data_order_hw .p2align 5 -sha1_block_data_order_shaext: -_shaext_shortcut: +_sha1_block_data_order_hw: +_CET_ENDBR movdqu (%rdi),%xmm0 movd 16(%rdi),%xmm1 movdqa K_XX_XX+160(%rip),%xmm3 
@@ -1439,14 +1414,16 @@ L$oop_shaext: pshufd $27,%xmm1,%xmm1 movdqu %xmm0,(%rdi) movd %xmm1,16(%rdi) - .byte 0xf3,0xc3 + ret +.globl _sha1_block_data_order_ssse3 +.private_extern _sha1_block_data_order_ssse3 .p2align 4 -sha1_block_data_order_ssse3: -_ssse3_shortcut: +_sha1_block_data_order_ssse3: +_CET_ENDBR movq %rsp,%r11 pushq %rbx @@ -2627,14 +2604,16 @@ L$done_ssse3: leaq (%r11),%rsp L$epilogue_ssse3: - .byte 0xf3,0xc3 + ret +.globl _sha1_block_data_order_avx +.private_extern _sha1_block_data_order_avx .p2align 4 -sha1_block_data_order_avx: -_avx_shortcut: +_sha1_block_data_order_avx: +_CET_ENDBR movq %rsp,%r11 pushq %rbx @@ -3755,14 +3734,16 @@ L$done_avx: leaq (%r11),%rsp L$epilogue_avx: - .byte 0xf3,0xc3 + ret +.globl _sha1_block_data_order_avx2 +.private_extern _sha1_block_data_order_avx2 .p2align 4 -sha1_block_data_order_avx2: -_avx2_shortcut: +_sha1_block_data_order_avx2: +_CET_ENDBR movq %rsp,%r11 pushq %rbx @@ -5448,7 +5429,7 @@ L$done_avx2: leaq (%r11),%rsp L$epilogue_avx2: - .byte 0xf3,0xc3 + ret .section __DATA,__const @@ -5469,10 +5450,6 @@ K_XX_XX: .p2align 6 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586-linux.linux.x86.S index c83a5803..87820ceb 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586-linux.linux.x86.S 
@@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl sha256_block_data_order .hidden sha256_block_data_order @@ -5571,11 +5564,7 @@ sha256_block_data_order: popl %ebp ret .size sha256_block_data_order,.-.L_sha256_block_data_order_begin -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv4-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv4-ios.ios.arm.S index c647e911..5b18f524 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv4-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv4-ios.ios.arm.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) @ Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. @ @ Licensed under the OpenSSL license (the "License"). You may not use @@ -62,7 +54,7 @@ #ifndef __KERNEL__ # include #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ +# define __ARM_ARCH __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif 
@@ -100,49 +92,28 @@ K256: .word 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 .word 0 @ terminator -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -LOPENSSL_armcap: -.word OPENSSL_armcap_P-Lsha256_block_data_order -#endif .align 5 -.globl _sha256_block_data_order -.private_extern _sha256_block_data_order +.globl _sha256_block_data_order_nohw +.private_extern _sha256_block_data_order_nohw #ifdef __thumb2__ -.thumb_func _sha256_block_data_order -#endif -_sha256_block_data_order: -Lsha256_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) - sub r3,pc,#8 @ _sha256_block_data_order -#else - adr r3,Lsha256_block_data_order -#endif -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) - ldr r12,LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV8_SHA256 - bne LARMv8 - tst r12,#ARMV7_NEON - bne LNEON +.thumb_func _sha256_block_data_order_nohw #endif +_sha256_block_data_order_nohw: add r2,r1,r2,lsl#6 @ len to point at the end of inp stmdb sp!,{r0,r1,r2,r4-r11,lr} ldmia r0,{r4,r5,r6,r7,r8,r9,r10,r11} - sub r14,r3,#256+32 @ K256 + adr r14,K256 sub sp,sp,#16*4 @ alloca(X[16]) Loop: -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 # else ldrb r2,[r1,#3] # endif eor r3,r5,r6 @ magic eor r12,r12,r12 -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 0 # if 0==15 str r1,[sp,#17*4] @ make room for r1 @@ -183,7 +154,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 0<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -200,7 +171,7 @@ Loop: eor r3,r3,r5 @ Maj(a,b,c) add r11,r11,r0,ror#2 @ h+=Sigma0(a) @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 1 # if 1==15 str r1,[sp,#17*4] @ make room for r1 @@ -241,7 +212,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 1<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -258,7 +229,7 @@ Loop: eor r12,r12,r4 @ Maj(a,b,c) add r10,r10,r0,ror#2 @ h+=Sigma0(a) @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 2 # if 2==15 str r1,[sp,#17*4] @ make room for r1 @@ -299,7 +270,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 2<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -316,7 +287,7 @@ Loop: eor r3,r3,r11 @ Maj(a,b,c) add r9,r9,r0,ror#2 @ h+=Sigma0(a) @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 3 # if 3==15 str r1,[sp,#17*4] @ make room for r1 @@ -357,7 +328,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 3<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -374,7 +345,7 @@ Loop: eor r12,r12,r10 @ Maj(a,b,c) add r8,r8,r0,ror#2 @ h+=Sigma0(a) @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 4 # if 4==15 str r1,[sp,#17*4] @ make room for r1 @@ -415,7 +386,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 4<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -432,7 +403,7 @@ Loop: eor r3,r3,r9 @ Maj(a,b,c) add r7,r7,r0,ror#2 @ h+=Sigma0(a) @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 5 # if 5==15 str r1,[sp,#17*4] @ make room for r1 @@ -473,7 +444,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 5<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -490,7 +461,7 @@ Loop: eor r12,r12,r8 @ Maj(a,b,c) add r6,r6,r0,ror#2 @ h+=Sigma0(a) @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 6 # if 6==15 str r1,[sp,#17*4] @ make room for r1 @@ -531,7 +502,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 6<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -548,7 +519,7 @@ Loop: eor r3,r3,r7 @ Maj(a,b,c) add r5,r5,r0,ror#2 @ h+=Sigma0(a) @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 7 # if 7==15 str r1,[sp,#17*4] @ make room for r1 @@ -589,7 +560,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 7<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -606,7 +577,7 @@ Loop: eor r12,r12,r6 @ Maj(a,b,c) add r4,r4,r0,ror#2 @ h+=Sigma0(a) @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 8 # if 8==15 str r1,[sp,#17*4] @ make room for r1 @@ -647,7 +618,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 8<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -664,7 +635,7 @@ Loop: eor r3,r3,r5 @ Maj(a,b,c) add r11,r11,r0,ror#2 @ h+=Sigma0(a) @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 9 # if 9==15 str r1,[sp,#17*4] @ make room for r1 @@ -705,7 +676,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 9<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -722,7 +693,7 @@ Loop: eor r12,r12,r4 @ Maj(a,b,c) add r10,r10,r0,ror#2 @ h+=Sigma0(a) @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 10 # if 10==15 str r1,[sp,#17*4] @ make room for r1 @@ -763,7 +734,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 10<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -780,7 +751,7 @@ Loop: eor r3,r3,r11 @ Maj(a,b,c) add r9,r9,r0,ror#2 @ h+=Sigma0(a) @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 11 # if 11==15 str r1,[sp,#17*4] @ make room for r1 @@ -821,7 +792,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 11<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -838,7 +809,7 @@ Loop: eor r12,r12,r10 @ Maj(a,b,c) add r8,r8,r0,ror#2 @ h+=Sigma0(a) @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 12 # if 12==15 str r1,[sp,#17*4] @ make room for r1 @@ -879,7 +850,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 12<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -896,7 +867,7 @@ Loop: eor r3,r3,r9 @ Maj(a,b,c) add r7,r7,r0,ror#2 @ h+=Sigma0(a) @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 13 # if 13==15 str r1,[sp,#17*4] @ make room for r1 @@ -937,7 +908,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 13<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -954,7 +925,7 @@ Loop: eor r12,r12,r8 @ Maj(a,b,c) add r6,r6,r0,ror#2 @ h+=Sigma0(a) @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 14 # if 14==15 str r1,[sp,#17*4] @ make room for r1 @@ -995,7 +966,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 14<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1012,7 +983,7 @@ Loop: eor r3,r3,r7 @ Maj(a,b,c) add r5,r5,r0,ror#2 @ h+=Sigma0(a) @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 15 # if 15==15 str r1,[sp,#17*4] @ make room for r1 @@ -1053,7 +1024,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 15<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1103,7 +1074,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 16<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1152,7 +1123,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 17<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -1201,7 +1172,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 18<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1250,7 +1221,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 19<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1299,7 +1270,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 20<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1348,7 +1319,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 21<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1397,7 +1368,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 22<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1446,7 +1417,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 23<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1495,7 +1466,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 24<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1544,7 +1515,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 25<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1593,7 +1564,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 26<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1642,7 +1613,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 27<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1691,7 +1662,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 28<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1740,7 +1711,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 29<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -1789,7 +1760,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 30<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1838,7 +1809,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 31<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1855,7 +1826,7 @@ Lrounds_16_xx: eor r12,r12,r6 @ Maj(a,b,c) add r4,r4,r0,ror#2 @ h+=Sigma0(a) @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ite eq @ Thumb2 thing, sanity check in ARM #endif ldreq r3,[sp,#16*4] @ pull ctx @@ -1886,7 +1857,7 @@ Lrounds_16_xx: bne Loop add sp,sp,#19*4 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,lr} @@ -1899,6 +1870,14 @@ Lrounds_16_xx: +LK256_shortcut_neon: +@ PC is 8 bytes ahead in Arm mode and 4 bytes ahead in Thumb mode. +#if defined(__thumb2__) +.word K256-(LK256_add_neon+4) +#else +.word K256-(LK256_add_neon+8) +#endif + .globl _sha256_block_data_order_neon .private_extern _sha256_block_data_order_neon #ifdef __thumb2__ 
@@ -1907,11 +1886,24 @@ Lrounds_16_xx: .align 5 .skip 16 _sha256_block_data_order_neon: -LNEON: stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} sub r11,sp,#16*4+16 - adr r14,K256 + + @ K256 is just at the boundary of being easily referenced by an ADR from + @ this function. In Arm mode, when building with __ARM_ARCH=6, it does + @ not fit. By moving code around, we could make it fit, but this is too + @ fragile. For simplicity, just load the offset from + @ .LK256_shortcut_neon. + @ + @ TODO(davidben): adrl would avoid a load, but clang-assembler does not + @ support it. We might be able to emulate it with a macro, but Android's + @ did not work when I tried it. + @ https://android.googlesource.com/platform/ndk/+/refs/heads/master/docs/ClangMigration.md#arm + ldr r14,LK256_shortcut_neon +LK256_add_neon: + add r14,pc,r14 + bic r11,r11,#15 @ align for 128-bit stores mov r12,sp mov sp,r11 @ alloca @@ -2693,14 +2685,29 @@ L_00_48: # define INST(a,b,c,d) .byte a,b,c,d # endif +LK256_shortcut_hw: +@ PC is 8 bytes ahead in Arm mode and 4 bytes ahead in Thumb mode. +#if defined(__thumb2__) +.word K256-(LK256_add_hw+4) +#else +.word K256-(LK256_add_hw+8) +#endif + +.globl _sha256_block_data_order_hw +.private_extern _sha256_block_data_order_hw #ifdef __thumb2__ -.thumb_func sha256_block_data_order_armv8 +.thumb_func _sha256_block_data_order_hw #endif .align 5 -sha256_block_data_order_armv8: -LARMv8: +_sha256_block_data_order_hw: + @ K256 is too far to reference from one ADR command in Thumb mode. In + @ Arm mode, we could make it fit by aligning the ADR offset to a 64-byte + @ boundary. For simplicity, just load the offset from .LK256_shortcut_hw. + ldr r3,LK256_shortcut_hw +LK256_add_hw: + add r3,pc,r3 + vld1.32 {q0,q1},[r0] - sub r3,r3,#256+32 add r2,r1,r2,lsl#6 @ len to point at the end of inp b Loop_v8 
@@ -2837,19 +2844,7 @@ Loop_v8: .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -.private_extern _OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv4-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv4-linux.linux.arm.S index 511fe733..250134da 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv4-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv4-linux.linux.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) @ Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. @ @ Licensed under the OpenSSL license (the "License"). You may not use 
@@ -62,7 +54,7 @@ #ifndef __KERNEL__ # include #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ +# define __ARM_ARCH __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif @@ -100,47 +92,26 @@ K256: .word 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 .size K256,.-K256 .word 0 @ terminator -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.Lsha256_block_data_order -#endif .align 5 -.globl sha256_block_data_order -.hidden sha256_block_data_order -.type sha256_block_data_order,%function -sha256_block_data_order: -.Lsha256_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) - sub r3,pc,#8 @ sha256_block_data_order -#else - adr r3,.Lsha256_block_data_order -#endif -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) - ldr r12,.LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV8_SHA256 - bne .LARMv8 - tst r12,#ARMV7_NEON - bne .LNEON -#endif +.globl sha256_block_data_order_nohw +.hidden sha256_block_data_order_nohw +.type sha256_block_data_order_nohw,%function +sha256_block_data_order_nohw: add r2,r1,r2,lsl#6 @ len to point at the end of inp stmdb sp!,{r0,r1,r2,r4-r11,lr} ldmia r0,{r4,r5,r6,r7,r8,r9,r10,r11} - sub r14,r3,#256+32 @ K256 + adr r14,K256 sub sp,sp,#16*4 @ alloca(X[16]) .Loop: -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 # else ldrb r2,[r1,#3] # endif eor r3,r5,r6 @ magic eor r12,r12,r12 -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 0 # if 0==15 str r1,[sp,#17*4] @ make room for r1 @@ -181,7 +152,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 0<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -198,7 +169,7 @@ sha256_block_data_order: eor r3,r3,r5 @ Maj(a,b,c) add r11,r11,r0,ror#2 @ h+=Sigma0(a) @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 1 # if 1==15 str r1,[sp,#17*4] @ make room for r1 
@@ -239,7 +210,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 1<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -256,7 +227,7 @@ sha256_block_data_order: eor r12,r12,r4 @ Maj(a,b,c) add r10,r10,r0,ror#2 @ h+=Sigma0(a) @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 2 # if 2==15 str r1,[sp,#17*4] @ make room for r1 @@ -297,7 +268,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 2<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -314,7 +285,7 @@ sha256_block_data_order: eor r3,r3,r11 @ Maj(a,b,c) add r9,r9,r0,ror#2 @ h+=Sigma0(a) @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 3 # if 3==15 str r1,[sp,#17*4] @ make room for r1 @@ -355,7 +326,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 3<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -372,7 +343,7 @@ sha256_block_data_order: eor r12,r12,r10 @ Maj(a,b,c) add r8,r8,r0,ror#2 @ h+=Sigma0(a) @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 4 # if 4==15 str r1,[sp,#17*4] @ make room for r1 @@ -413,7 +384,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 4<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -430,7 +401,7 @@ sha256_block_data_order: eor r3,r3,r9 @ Maj(a,b,c) add r7,r7,r0,ror#2 @ h+=Sigma0(a) @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 5 # if 5==15 str r1,[sp,#17*4] @ make room for r1 @@ -471,7 +442,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 5<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -488,7 +459,7 @@ sha256_block_data_order: eor r12,r12,r8 @ Maj(a,b,c) add r6,r6,r0,ror#2 @ h+=Sigma0(a) @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 6 # if 6==15 str r1,[sp,#17*4] @ make room for r1 @@ -529,7 +500,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 6<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -546,7 +517,7 @@ sha256_block_data_order: eor r3,r3,r7 @ Maj(a,b,c) add r5,r5,r0,ror#2 @ h+=Sigma0(a) @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 7 # if 7==15 str r1,[sp,#17*4] @ make room for r1 @@ -587,7 +558,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 7<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -604,7 +575,7 @@ sha256_block_data_order: eor r12,r12,r6 @ Maj(a,b,c) add r4,r4,r0,ror#2 @ h+=Sigma0(a) @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 8 # if 8==15 str r1,[sp,#17*4] @ make room for r1 @@ -645,7 +616,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 8<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -662,7 +633,7 @@ sha256_block_data_order: eor r3,r3,r5 @ Maj(a,b,c) add r11,r11,r0,ror#2 @ h+=Sigma0(a) @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 9 # if 9==15 str r1,[sp,#17*4] @ make room for r1 @@ -703,7 +674,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 9<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -720,7 +691,7 @@ sha256_block_data_order: eor r12,r12,r4 @ Maj(a,b,c) add r10,r10,r0,ror#2 @ h+=Sigma0(a) @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 10 # if 10==15 str r1,[sp,#17*4] @ make room for r1 
@@ -761,7 +732,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 10<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -778,7 +749,7 @@ sha256_block_data_order: eor r3,r3,r11 @ Maj(a,b,c) add r9,r9,r0,ror#2 @ h+=Sigma0(a) @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 11 # if 11==15 str r1,[sp,#17*4] @ make room for r1 @@ -819,7 +790,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 11<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -836,7 +807,7 @@ sha256_block_data_order: eor r12,r12,r10 @ Maj(a,b,c) add r8,r8,r0,ror#2 @ h+=Sigma0(a) @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 12 # if 12==15 str r1,[sp,#17*4] @ make room for r1 @@ -877,7 +848,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 12<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -894,7 +865,7 @@ sha256_block_data_order: eor r3,r3,r9 @ Maj(a,b,c) add r7,r7,r0,ror#2 @ h+=Sigma0(a) @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 13 # if 13==15 str r1,[sp,#17*4] @ make room for r1 @@ -935,7 +906,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 13<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -952,7 +923,7 @@ sha256_block_data_order: eor r12,r12,r8 @ Maj(a,b,c) add r6,r6,r0,ror#2 @ h+=Sigma0(a) @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 14 # if 14==15 str r1,[sp,#17*4] @ make room for r1 @@ -993,7 +964,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 14<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -1010,7 +981,7 @@ sha256_block_data_order: eor r3,r3,r7 @ Maj(a,b,c) add r5,r5,r0,ror#2 @ h+=Sigma0(a) @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 15 # if 15==15 str r1,[sp,#17*4] @ make room for r1 @@ -1051,7 +1022,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 15<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1101,7 +1072,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 16<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1150,7 +1121,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 17<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1199,7 +1170,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 18<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1248,7 +1219,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 19<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1297,7 +1268,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 20<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1346,7 +1317,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 21<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1395,7 +1366,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 22<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1444,7 +1415,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 23<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -1493,7 +1464,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 24<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1542,7 +1513,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 25<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1591,7 +1562,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 26<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1640,7 +1611,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 27<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1689,7 +1660,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 28<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1738,7 +1709,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 29<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1787,7 +1758,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 30<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1836,7 +1807,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 31<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1853,7 +1824,7 @@ sha256_block_data_order: eor r12,r12,r6 @ Maj(a,b,c) add r4,r4,r0,ror#2 @ h+=Sigma0(a) @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ite eq @ Thumb2 thing, sanity check in ARM #endif ldreq r3,[sp,#16*4] @ pull ctx @@ -1884,7 +1855,7 @@ sha256_block_data_order: bne .Loop add sp,sp,#19*4 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,lr} 
@@ -1892,22 +1863,43 @@ sha256_block_data_order: moveq pc,lr @ be binary compatible with V4, yet .word 0xe12fff1e @ interoperable with Thumb ISA:-) #endif -.size sha256_block_data_order,.-sha256_block_data_order +.size sha256_block_data_order_nohw,.-sha256_block_data_order_nohw #if __ARM_MAX_ARCH__>=7 .arch armv7-a .fpu neon +.LK256_shortcut_neon: +@ PC is 8 bytes ahead in Arm mode and 4 bytes ahead in Thumb mode. +#if defined(__thumb2__) +.word K256-(.LK256_add_neon+4) +#else +.word K256-(.LK256_add_neon+8) +#endif + .globl sha256_block_data_order_neon .hidden sha256_block_data_order_neon .type sha256_block_data_order_neon,%function .align 5 .skip 16 sha256_block_data_order_neon: -.LNEON: stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} sub r11,sp,#16*4+16 - adr r14,K256 + + @ K256 is just at the boundary of being easily referenced by an ADR from + @ this function. In Arm mode, when building with __ARM_ARCH=6, it does + @ not fit. By moving code around, we could make it fit, but this is too + @ fragile. For simplicity, just load the offset from + @ .LK256_shortcut_neon. + @ + @ TODO(davidben): adrl would avoid a load, but clang-assembler does not + @ support it. We might be able to emulate it with a macro, but Android's + @ did not work when I tried it. + @ https://android.googlesource.com/platform/ndk/+/refs/heads/master/docs/ClangMigration.md#arm + ldr r14,.LK256_shortcut_neon +.LK256_add_neon: + add r14,pc,r14 + bic r11,r11,#15 @ align for 128-bit stores mov r12,sp mov sp,r11 @ alloca 
@@ -2689,12 +2681,27 @@ sha256_block_data_order_neon: # define INST(a,b,c,d) .byte a,b,c,d # endif -.type sha256_block_data_order_armv8,%function +.LK256_shortcut_hw: +@ PC is 8 bytes ahead in Arm mode and 4 bytes ahead in Thumb mode. +#if defined(__thumb2__) +.word K256-(.LK256_add_hw+4) +#else +.word K256-(.LK256_add_hw+8) +#endif + +.globl sha256_block_data_order_hw +.hidden sha256_block_data_order_hw +.type sha256_block_data_order_hw,%function .align 5 -sha256_block_data_order_armv8: -.LARMv8: +sha256_block_data_order_hw: + @ K256 is too far to reference from one ADR command in Thumb mode. In + @ Arm mode, we could make it fit by aligning the ADR offset to a 64-byte + @ boundary. For simplicity, just load the offset from .LK256_shortcut_hw. + ldr r3,.LK256_shortcut_hw +.LK256_add_hw: + add r3,pc,r3 + vld1.32 {q0,q1},[r0] - sub r3,r3,#256+32 add r2,r1,r2,lsl#6 @ len to point at the end of inp b .Loop_v8 @@ -2826,20 +2833,12 @@ sha256_block_data_order_armv8: vst1.32 {q0,q1},[r0] bx lr @ bx lr -.size sha256_block_data_order_armv8,.-sha256_block_data_order_armv8 +.size sha256_block_data_order_hw,.-sha256_block_data_order_hw #endif .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.comm OPENSSL_armcap_P,4,4 -.hidden OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8-ios.ios.aarch64.S index a6abdf9a..32a14df9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8-ios.ios.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) // Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. // // Licensed under the OpenSSL license (the "License"). You may not use @@ -60,24 +52,11 @@ .text - -.private_extern _OPENSSL_armcap_P -.globl _sha256_block_data_order -.private_extern _sha256_block_data_order +.globl _sha256_block_data_order_nohw +.private_extern _sha256_block_data_order_nohw .align 6 -_sha256_block_data_order: - AARCH64_VALID_CALL_TARGET -#ifndef __KERNEL__ -#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:_OPENSSL_armcap_P -#else - adrp x16,_OPENSSL_armcap_P@PAGE -#endif - ldr w16,[x16,_OPENSSL_armcap_P@PAGEOFF] - tst w16,#ARMV8_SHA256 - b.ne Lv8_entry -#endif +_sha256_block_data_order_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 
@@ -1070,11 +1049,13 @@ LK256: .align 2 .text #ifndef __KERNEL__ +.globl _sha256_block_data_order_hw +.private_extern _sha256_block_data_order_hw .align 6 -sha256_block_armv8: -Lv8_entry: +_sha256_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1211,11 +1192,7 @@ Loop_hw: ret #endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8-linux.linux.aarch64.S index d110b5b5..7b0c314d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8-linux.linux.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) // Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. // // Licensed under the OpenSSL license (the "License"). You may not use 
@@ -60,24 +52,11 @@ .text - -.hidden OPENSSL_armcap_P -.globl sha256_block_data_order -.hidden sha256_block_data_order -.type sha256_block_data_order,%function +.globl sha256_block_data_order_nohw +.hidden sha256_block_data_order_nohw +.type sha256_block_data_order_nohw,%function .align 6 -sha256_block_data_order: - AARCH64_VALID_CALL_TARGET -#ifndef __KERNEL__ -#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:OPENSSL_armcap_P -#else - adrp x16,OPENSSL_armcap_P -#endif - ldr w16,[x16,:lo12:OPENSSL_armcap_P] - tst w16,#ARMV8_SHA256 - b.ne .Lv8_entry -#endif +sha256_block_data_order_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 @@ -1041,7 +1020,7 @@ sha256_block_data_order: ldp x29,x30,[sp],#128 AARCH64_VALIDATE_LINK_REGISTER ret -.size sha256_block_data_order,.-sha256_block_data_order +.size sha256_block_data_order_nohw,.-sha256_block_data_order_nohw .section .rodata .align 6 @@ -1070,11 +1049,13 @@ sha256_block_data_order: .align 2 .text #ifndef __KERNEL__ -.type sha256_block_armv8,%function +.globl sha256_block_data_order_hw +.hidden sha256_block_data_order_hw +.type sha256_block_data_order_hw,%function .align 6 -sha256_block_armv8: -.Lv8_entry: +sha256_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1209,13 +1190,9 @@ sha256_block_armv8: ldr x29,[sp],#16 ret -.size sha256_block_armv8,.-sha256_block_armv8 -#endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits +.size sha256_block_data_order_hw,.-sha256_block_data_order_hw #endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64-linux.linux.x86_64.S index 8e284ae1..88a24623 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64-linux.linux.x86_64.S @@ -3,39 +3,18 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P -.globl sha256_block_data_order -.hidden sha256_block_data_order -.type sha256_block_data_order,@function +.globl sha256_block_data_order_nohw +.hidden sha256_block_data_order_nohw +.type sha256_block_data_order_nohw,@function .align 16 -sha256_block_data_order: +sha256_block_data_order_nohw: .cfi_startproc - leaq OPENSSL_ia32cap_P(%rip),%r11 - movl 0(%r11),%r9d - movl 4(%r11),%r10d - movl 8(%r11),%r11d - testl $536870912,%r11d - jnz .Lshaext_shortcut - andl $1073741824,%r9d - andl $268435968,%r10d - orl %r9d,%r10d - cmpl $1342177792,%r10d - je .Lavx_shortcut - testl $512,%r10d - jnz .Lssse3_shortcut +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -1739,9 +1718,9 @@ sha256_block_data_order: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size sha256_block_data_order,.-sha256_block_data_order +.size sha256_block_data_order_nohw,.-sha256_block_data_order_nohw .section .rodata .align 64 .type K256,@object 
@@ -1787,11 +1766,13 @@ K256: .long 0xffffffff,0xffffffff,0x03020100,0x0b0a0908 .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text -.type sha256_block_data_order_shaext,@function +.globl sha256_block_data_order_hw +.hidden sha256_block_data_order_hw +.type sha256_block_data_order_hw,@function .align 64 -sha256_block_data_order_shaext: +sha256_block_data_order_hw: .cfi_startproc -.Lshaext_shortcut: +_CET_ENDBR leaq K256+128(%rip),%rcx movdqu (%rdi),%xmm1 movdqu 16(%rdi),%xmm2 @@ -1993,14 +1974,16 @@ sha256_block_data_order_shaext: movdqu %xmm1,(%rdi) movdqu %xmm2,16(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc -.size sha256_block_data_order_shaext,.-sha256_block_data_order_shaext +.size sha256_block_data_order_hw,.-sha256_block_data_order_hw +.globl sha256_block_data_order_ssse3 +.hidden sha256_block_data_order_ssse3 .type sha256_block_data_order_ssse3,@function .align 64 sha256_block_data_order_ssse3: .cfi_startproc -.Lssse3_shortcut: +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -3106,14 +3089,16 @@ sha256_block_data_order_ssse3: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue_ssse3: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha256_block_data_order_ssse3,.-sha256_block_data_order_ssse3 +.globl sha256_block_data_order_avx +.hidden sha256_block_data_order_avx .type sha256_block_data_order_avx,@function .align 64 sha256_block_data_order_avx: .cfi_startproc -.Lavx_shortcut: +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx 
@@ -4181,14 +4166,10 @@ sha256_block_data_order_avx: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue_avx: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha256_block_data_order_avx,.-sha256_block_data_order_avx #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64-mac.mac.x86_64.S index 7ab1b8eb..41a34808 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64-mac.mac.x86_64.S @@ -3,38 +3,18 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - -.globl _sha256_block_data_order -.private_extern _sha256_block_data_order +.globl _sha256_block_data_order_nohw +.private_extern _sha256_block_data_order_nohw .p2align 4 -_sha256_block_data_order: - - leaq _OPENSSL_ia32cap_P(%rip),%r11 - movl 0(%r11),%r9d - movl 4(%r11),%r10d - movl 8(%r11),%r11d - testl $536870912,%r11d - jnz L$shaext_shortcut - andl $1073741824,%r9d - andl $268435968,%r10d - orl %r9d,%r10d - cmpl $1342177792,%r10d - je L$avx_shortcut - testl $512,%r10d - jnz L$ssse3_shortcut +_sha256_block_data_order_nohw: + +_CET_ENDBR movq %rsp,%rax pushq %rbx @@ -1738,7 +1718,7 @@ L$rounds_16_xx: leaq (%rsi),%rsp L$epilogue: - .byte 0xf3,0xc3 + ret .section __DATA,__const 
@@ -1786,11 +1766,13 @@ K256: .long 0xffffffff,0xffffffff,0x03020100,0x0b0a0908 .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text +.globl _sha256_block_data_order_hw +.private_extern _sha256_block_data_order_hw .p2align 6 -sha256_block_data_order_shaext: +_sha256_block_data_order_hw: -L$shaext_shortcut: +_CET_ENDBR leaq K256+128(%rip),%rcx movdqu (%rdi),%xmm1 movdqu 16(%rdi),%xmm2 @@ -1992,14 +1974,16 @@ L$oop_shaext: movdqu %xmm1,(%rdi) movdqu %xmm2,16(%rdi) - .byte 0xf3,0xc3 + ret +.globl _sha256_block_data_order_ssse3 +.private_extern _sha256_block_data_order_ssse3 .p2align 6 -sha256_block_data_order_ssse3: +_sha256_block_data_order_ssse3: -L$ssse3_shortcut: +_CET_ENDBR movq %rsp,%rax pushq %rbx @@ -3105,14 +3089,16 @@ L$ssse3_00_47: leaq (%rsi),%rsp L$epilogue_ssse3: - .byte 0xf3,0xc3 + ret +.globl _sha256_block_data_order_avx +.private_extern _sha256_block_data_order_avx .p2align 6 -sha256_block_data_order_avx: +_sha256_block_data_order_avx: -L$avx_shortcut: +_CET_ENDBR movq %rsp,%rax pushq %rbx @@ -4180,13 +4166,9 @@ L$avx_00_47: leaq (%rsi),%rsp L$epilogue_avx: - .byte 0xf3,0xc3 + ret -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586-linux.linux.x86.S index 2014c96c..a41a4abd 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586-linux.linux.x86.S 
@@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl sha512_block_data_order .hidden sha512_block_data_order @@ -2841,11 +2834,7 @@ sha512_block_data_order: .byte 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 .byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 .byte 62,0 -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv4-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv4-ios.ios.arm.S index ae55c41b..54fe076f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv4-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv4-ios.ios.arm.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) @ Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. @ @ Licensed under the OpenSSL license (the "License"). You may not use @@ -73,7 +65,6 @@ # define VFP_ABI_PUSH vstmdb sp!,{d8-d15} # define VFP_ABI_POP vldmia sp!,{d8-d15} #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 # define VFP_ABI_PUSH # define VFP_ABI_POP 
@@ -146,38 +137,16 @@ K512: WORD64(0x4cc5d4be,0xcb3e42b6, 0x597f299c,0xfc657e2a) WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -LOPENSSL_armcap: -.word OPENSSL_armcap_P-Lsha512_block_data_order -.skip 32-4 -#else -.skip 32 -#endif -.globl _sha512_block_data_order -.private_extern _sha512_block_data_order +.globl _sha512_block_data_order_nohw +.private_extern _sha512_block_data_order_nohw #ifdef __thumb2__ -.thumb_func _sha512_block_data_order -#endif -_sha512_block_data_order: -Lsha512_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) - sub r3,pc,#8 @ _sha512_block_data_order -#else - adr r3,Lsha512_block_data_order -#endif -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) - ldr r12,LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV7_NEON - bne LNEON +.thumb_func _sha512_block_data_order_nohw #endif +_sha512_block_data_order_nohw: add r2,r1,r2,lsl#7 @ len to point at the end of inp stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} - sub r14,r3,#672 @ K512 + adr r14,K512 sub sp,sp,#9*8 ldr r7,[r0,#32+LO] @@ -211,7 +180,7 @@ Loop: str r4,[sp,#40+4] L00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r3,[r1,#7] ldrb r9, [r1,#6] ldrb r10, [r1,#5] @@ -288,7 +257,7 @@ L00_15: teq r9,#148 ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 it eq @ Thumb2 thing, sanity check in ARM #endif orreq r14,r14,#1 @@ -428,7 +397,7 @@ L16_79: teq r9,#23 ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 it eq @ Thumb2 thing, sanity check in ARM #endif orreq r14,r14,#1 @@ -465,7 +434,7 @@ L16_79: adc r6,r6,r4 @ h += T tst r14,#1 add r14,r14,#8 -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ittt eq @ Thumb2 thing, sanity check in ARM #endif ldreq r9,[sp,#184+0] 
@@ -544,7 +513,7 @@ L16_79: bne Loop add sp,sp,#8*9 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} @@ -564,7 +533,6 @@ L16_79: #endif .align 4 _sha512_block_data_order_neon: -LNEON: dmb @ errata #451034 on early Cortex A8 add r2,r1,r2,lsl#7 @ len to point at the end of inp adr r3,K512 @@ -1890,19 +1858,7 @@ L16_79_neon: .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -.private_extern _OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv4-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv4-linux.linux.arm.S index 40e41cd0..fde56aba 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv4-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv4-linux.linux.arm.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) @ Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. @ @ Licensed under the OpenSSL license (the "License"). You may not use @@ -73,7 +65,6 @@ # define VFP_ABI_PUSH vstmdb sp!,{d8-d15} # define VFP_ABI_POP vldmia sp!,{d8-d15} #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 # define VFP_ABI_PUSH # define VFP_ABI_POP @@ -146,36 +137,14 @@ K512: WORD64(0x4cc5d4be,0xcb3e42b6, 0x597f299c,0xfc657e2a) WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) .size K512,.-K512 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.Lsha512_block_data_order -.skip 32-4 -#else -.skip 32 -#endif -.globl sha512_block_data_order -.hidden sha512_block_data_order -.type sha512_block_data_order,%function -sha512_block_data_order: -.Lsha512_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) - sub r3,pc,#8 @ sha512_block_data_order -#else - adr r3,.Lsha512_block_data_order -#endif -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) - ldr r12,.LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV7_NEON - bne .LNEON -#endif +.globl sha512_block_data_order_nohw +.hidden sha512_block_data_order_nohw +.type sha512_block_data_order_nohw,%function +sha512_block_data_order_nohw: add r2,r1,r2,lsl#7 @ len to point at the end of inp stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} - sub r14,r3,#672 @ K512 + adr r14,K512 sub sp,sp,#9*8 ldr r7,[r0,#32+LO] 
@@ -209,7 +178,7 @@ sha512_block_data_order: str r4,[sp,#40+4] .L00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r3,[r1,#7] ldrb r9, [r1,#6] ldrb r10, [r1,#5] @@ -286,7 +255,7 @@ sha512_block_data_order: teq r9,#148 ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 it eq @ Thumb2 thing, sanity check in ARM #endif orreq r14,r14,#1 @@ -426,7 +395,7 @@ sha512_block_data_order: teq r9,#23 ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 it eq @ Thumb2 thing, sanity check in ARM #endif orreq r14,r14,#1 @@ -463,7 +432,7 @@ sha512_block_data_order: adc r6,r6,r4 @ h += T tst r14,#1 add r14,r14,#8 -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ittt eq @ Thumb2 thing, sanity check in ARM #endif ldreq r9,[sp,#184+0] @@ -542,7 +511,7 @@ sha512_block_data_order: bne .Loop add sp,sp,#8*9 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} @@ -550,7 +519,7 @@ sha512_block_data_order: moveq pc,lr @ be binary compatible with V4, yet .word 0xe12fff1e @ interoperable with Thumb ISA:-) #endif -.size sha512_block_data_order,.-sha512_block_data_order +.size sha512_block_data_order_nohw,.-sha512_block_data_order_nohw #if __ARM_MAX_ARCH__>=7 .arch armv7-a .fpu neon @@ -560,7 +529,6 @@ sha512_block_data_order: .type sha512_block_data_order_neon,%function .align 4 sha512_block_data_order_neon: -.LNEON: dmb @ errata #451034 on early Cortex A8 add r2,r1,r2,lsl#7 @ len to point at the end of inp adr r3,K512 
@@ -1886,15 +1854,7 @@ sha512_block_data_order_neon: .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.comm OPENSSL_armcap_P,4,4 -.hidden OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8-ios.ios.aarch64.S index d95180eb..20818db0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8-ios.ios.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) // Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. // // Licensed under the OpenSSL license (the "License"). You may not use 
@@ -60,24 +52,11 @@ .text - -.private_extern _OPENSSL_armcap_P -.globl _sha512_block_data_order -.private_extern _sha512_block_data_order +.globl _sha512_block_data_order_nohw +.private_extern _sha512_block_data_order_nohw .align 6 -_sha512_block_data_order: - AARCH64_VALID_CALL_TARGET -#ifndef __KERNEL__ -#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:_OPENSSL_armcap_P -#else - adrp x16,_OPENSSL_armcap_P@PAGE -#endif - ldr w16,[x16,_OPENSSL_armcap_P@PAGEOFF] - tst w16,#ARMV8_SHA512 - b.ne Lv8_entry -#endif +_sha512_block_data_order_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 @@ -1094,10 +1073,13 @@ LK512: .align 2 .text #ifndef __KERNEL__ +.globl _sha512_block_data_order_hw +.private_extern _sha512_block_data_order_hw .align 6 -sha512_block_armv8: -Lv8_entry: +_sha512_block_data_order_hw: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1613,11 +1595,7 @@ Loop_hw: ret #endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8-linux.linux.aarch64.S index 8196c1ed..e6307483 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8-linux.linux.aarch64.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) // Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. // // Licensed under the OpenSSL license (the "License"). You may not use @@ -60,24 +52,11 @@ .text - -.hidden OPENSSL_armcap_P -.globl sha512_block_data_order -.hidden sha512_block_data_order -.type sha512_block_data_order,%function +.globl sha512_block_data_order_nohw +.hidden sha512_block_data_order_nohw +.type sha512_block_data_order_nohw,%function .align 6 -sha512_block_data_order: - AARCH64_VALID_CALL_TARGET -#ifndef __KERNEL__ -#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:OPENSSL_armcap_P -#else - adrp x16,OPENSSL_armcap_P -#endif - ldr w16,[x16,:lo12:OPENSSL_armcap_P] - tst w16,#ARMV8_SHA512 - b.ne .Lv8_entry -#endif +sha512_block_data_order_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 @@ -1041,7 +1020,7 @@ sha512_block_data_order: ldp x29,x30,[sp],#128 AARCH64_VALIDATE_LINK_REGISTER ret -.size sha512_block_data_order,.-sha512_block_data_order +.size sha512_block_data_order_nohw,.-sha512_block_data_order_nohw .section .rodata .align 6 
@@ -1094,10 +1073,13 @@ sha512_block_data_order: .align 2 .text #ifndef __KERNEL__ -.type sha512_block_armv8,%function +.globl sha512_block_data_order_hw +.hidden sha512_block_data_order_hw +.type sha512_block_data_order_hw,%function .align 6 -sha512_block_armv8: -.Lv8_entry: +sha512_block_data_order_hw: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1611,13 +1593,9 @@ sha512_block_armv8: ldr x29,[sp],#16 ret -.size sha512_block_armv8,.-sha512_block_armv8 -#endif -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits +.size sha512_block_data_order_hw,.-sha512_block_data_order_hw #endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64-linux.linux.x86_64.S index c925db29..7f80d77e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64-linux.linux.x86_64.S 
@@ -3,35 +3,18 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P -.globl sha512_block_data_order -.hidden sha512_block_data_order -.type sha512_block_data_order,@function +.globl sha512_block_data_order_nohw +.hidden sha512_block_data_order_nohw +.type sha512_block_data_order_nohw,@function .align 16 -sha512_block_data_order: +sha512_block_data_order_nohw: .cfi_startproc - leaq OPENSSL_ia32cap_P(%rip),%r11 - movl 0(%r11),%r9d - movl 4(%r11),%r10d - movl 8(%r11),%r11d - andl $1073741824,%r9d - andl $268435968,%r10d - orl %r9d,%r10d - cmpl $1342177792,%r10d - je .Lavx_shortcut +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -1735,9 +1718,9 @@ sha512_block_data_order: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size sha512_block_data_order,.-sha512_block_data_order +.size sha512_block_data_order_nohw,.-sha512_block_data_order_nohw .section .rodata .align 64 .type K512,@object 
@@ -1827,11 +1810,13 @@ K512: .quad 0x0001020304050607,0x08090a0b0c0d0e0f .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text +.globl sha512_block_data_order_avx +.hidden sha512_block_data_order_avx .type sha512_block_data_order_avx,@function .align 64 sha512_block_data_order_avx: .cfi_startproc -.Lavx_shortcut: +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -2989,14 +2974,10 @@ sha512_block_data_order_avx: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue_avx: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha512_block_data_order_avx,.-sha512_block_data_order_avx #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64-mac.mac.x86_64.S index 0d82aa75..96f8e261 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64-mac.mac.x86_64.S 
@@ -3,34 +3,18 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - -.globl _sha512_block_data_order -.private_extern _sha512_block_data_order +.globl _sha512_block_data_order_nohw +.private_extern _sha512_block_data_order_nohw .p2align 4 -_sha512_block_data_order: - - leaq _OPENSSL_ia32cap_P(%rip),%r11 - movl 0(%r11),%r9d - movl 4(%r11),%r10d - movl 8(%r11),%r11d - andl $1073741824,%r9d - andl $268435968,%r10d - orl %r9d,%r10d - cmpl $1342177792,%r10d - je L$avx_shortcut +_sha512_block_data_order_nohw: + +_CET_ENDBR movq %rsp,%rax pushq %rbx @@ -1734,7 +1718,7 @@ L$rounds_16_xx: leaq (%rsi),%rsp L$epilogue: - .byte 0xf3,0xc3 + ret .section __DATA,__const @@ -1826,11 +1810,13 @@ K512: .quad 0x0001020304050607,0x08090a0b0c0d0e0f .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text +.globl _sha512_block_data_order_avx +.private_extern _sha512_block_data_order_avx .p2align 6 -sha512_block_data_order_avx: +_sha512_block_data_order_avx: -L$avx_shortcut: +_CET_ENDBR movq %rsp,%rax pushq %rbx @@ -2988,13 +2974,9 @@ L$avx_00_47: leaq (%rsi),%rsp L$epilogue_avx: - .byte 0xf3,0xc3 + ret -#endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv7-ios.ios.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv7-ios.ios.arm.S index 3419afe4..effbc957 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv7-ios.ios.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv7-ios.ios.arm.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) .syntax unified @@ -1264,11 +1256,7 @@ Lctr32_done: vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) #endif // defined(__arm__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv7-linux.linux.arm.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv7-linux.linux.arm.S index 3647d0ae..a11c3a67 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv7-linux.linux.arm.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv7-linux.linux.arm.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__ARMEL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) .syntax unified .arch armv7-a @@ -1232,11 +1224,7 @@ vpaes_ctr32_encrypt_blocks: vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return .size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks -#endif // !OPENSSL_NO_ASM && defined(__ARMEL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8-ios.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8-ios.ios.aarch64.S index 93913fc5..90675493 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8-ios.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8-ios.ios.aarch64.S 
@@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include .section __TEXT,__const @@ -1231,11 +1223,7 @@ Lctr32_done: AARCH64_VALIDATE_LINK_REGISTER ret -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__APPLE__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8-linux.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8-linux.linux.aarch64.S index 959569ff..139aabfc 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8-linux.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8-linux.linux.aarch64.S @@ -3,17 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if !defined(__has_feature) -#define __has_feature(x) 0 -#endif -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include .section .rodata 
@@ -1231,11 +1223,7 @@ vpaes_ctr32_encrypt_blocks: AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks -#endif // !OPENSSL_NO_ASM && defined(__AARCH64EL__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) #endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86-linux.linux.x86.S index 5e0be578..9fe9460a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86-linux.linux.x86.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text #ifdef BORINGSSL_DISPATCH_TEST #endif @@ -712,11 +705,7 @@ vpaes_cbc_encrypt: popl %ebp ret .size vpaes_cbc_encrypt,.-.L_vpaes_cbc_encrypt_begin -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64-linux.linux.x86_64.S index 1c00e099..7512945b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text @@ -113,7 +106,7 @@ _vpaes_encrypt_core: movdqa 64(%r11,%r10,1),%xmm1 pxor %xmm4,%xmm0 .byte 102,15,56,0,193 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_encrypt_core,.-_vpaes_encrypt_core @@ -288,7 +281,7 @@ _vpaes_encrypt_core_2x: pxor %xmm12,%xmm6 .byte 102,15,56,0,193 .byte 102,15,56,0,241 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_encrypt_core_2x,.-_vpaes_encrypt_core_2x @@ -396,7 +389,7 @@ _vpaes_decrypt_core: .byte 102,15,56,0,195 pxor %xmm4,%xmm0 .byte 102,15,56,0,194 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_decrypt_core,.-_vpaes_decrypt_core @@ -574,7 +567,7 @@ _vpaes_schedule_core: pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 pxor %xmm7,%xmm7 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_core,.-_vpaes_schedule_core @@ -603,7 +596,7 @@ _vpaes_schedule_192_smear: pxor %xmm0,%xmm6 movdqa %xmm6,%xmm0 movhlps %xmm1,%xmm6 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear @@ -681,7 +674,7 @@ _vpaes_schedule_low_round: pxor %xmm7,%xmm0 movdqa %xmm0,%xmm7 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_round,.-_vpaes_schedule_round 
@@ -707,7 +700,7 @@ _vpaes_schedule_transform: movdqa 16(%r11),%xmm0 .byte 102,15,56,0,193 pxor %xmm2,%xmm0 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_transform,.-_vpaes_schedule_transform @@ -801,7 +794,7 @@ _vpaes_schedule_mangle: addq $-16,%r8 andq $0x30,%r8 movdqu %xmm3,(%rdx) - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_mangle,.-_vpaes_schedule_mangle @@ -814,6 +807,7 @@ _vpaes_schedule_mangle: .align 16 vpaes_set_encrypt_key: .cfi_startproc +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST .extern BORINGSSL_function_hit .hidden BORINGSSL_function_hit @@ -829,7 +823,7 @@ vpaes_set_encrypt_key: movl $0x30,%r8d call _vpaes_schedule_core xorl %eax,%eax - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key @@ -839,6 +833,7 @@ vpaes_set_encrypt_key: .align 16 vpaes_set_decrypt_key: .cfi_startproc +_CET_ENDBR movl %esi,%eax shrl $5,%eax addl $5,%eax @@ -853,7 +848,7 @@ vpaes_set_decrypt_key: xorl $32,%r8d call _vpaes_schedule_core xorl %eax,%eax - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key @@ -863,6 +858,7 @@ vpaes_set_decrypt_key: .align 16 vpaes_encrypt: .cfi_startproc +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST .extern BORINGSSL_function_hit .hidden BORINGSSL_function_hit @@ -872,7 +868,7 @@ vpaes_encrypt: call _vpaes_preheat call _vpaes_encrypt_core movdqu %xmm0,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_encrypt,.-vpaes_encrypt @@ -882,11 +878,12 @@ vpaes_encrypt: .align 16 vpaes_decrypt: .cfi_startproc +_CET_ENDBR movdqu (%rdi),%xmm0 call _vpaes_preheat call _vpaes_decrypt_core movdqu %xmm0,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_decrypt,.-vpaes_decrypt .globl vpaes_cbc_encrypt @@ -895,6 +892,7 @@ vpaes_decrypt: .align 16 vpaes_cbc_encrypt: .cfi_startproc +_CET_ENDBR xchgq %rcx,%rdx subq $16,%rcx jc .Lcbc_abort 
@@ -929,7 +927,7 @@ vpaes_cbc_encrypt: .Lcbc_done: movdqu %xmm6,(%r8) .Lcbc_abort: - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt .globl vpaes_ctr32_encrypt_blocks @@ -938,6 +936,7 @@ vpaes_cbc_encrypt: .align 16 vpaes_ctr32_encrypt_blocks: .cfi_startproc +_CET_ENDBR xchgq %rcx,%rdx testq %rcx,%rcx @@ -992,7 +991,7 @@ vpaes_ctr32_encrypt_blocks: .Lctr32_done: .Lctr32_abort: - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks @@ -1013,7 +1012,7 @@ _vpaes_preheat: movdqa 64(%r10),%xmm12 movdqa 80(%r10),%xmm15 movdqa 96(%r10),%xmm14 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_preheat,.-_vpaes_preheat @@ -1134,10 +1133,6 @@ _vpaes_consts: .size _vpaes_consts,.-_vpaes_consts .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64-mac.mac.x86_64.S index 83b50721..c1049fd0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64-mac.mac.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text @@ -113,7 +106,7 @@ L$enc_entry: movdqa 64(%r11,%r10,1),%xmm1 pxor %xmm4,%xmm0 .byte 102,15,56,0,193 - .byte 0xf3,0xc3 + ret 
@@ -288,7 +281,7 @@ L$enc2x_entry: pxor %xmm12,%xmm6 .byte 102,15,56,0,193 .byte 102,15,56,0,241 - .byte 0xf3,0xc3 + ret @@ -396,7 +389,7 @@ L$dec_entry: .byte 102,15,56,0,195 pxor %xmm4,%xmm0 .byte 102,15,56,0,194 - .byte 0xf3,0xc3 + ret @@ -574,7 +567,7 @@ L$schedule_mangle_last_dec: pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 pxor %xmm7,%xmm7 - .byte 0xf3,0xc3 + ret @@ -603,7 +596,7 @@ _vpaes_schedule_192_smear: pxor %xmm0,%xmm6 movdqa %xmm6,%xmm0 movhlps %xmm1,%xmm6 - .byte 0xf3,0xc3 + ret @@ -681,7 +674,7 @@ _vpaes_schedule_low_round: pxor %xmm7,%xmm0 movdqa %xmm0,%xmm7 - .byte 0xf3,0xc3 + ret @@ -707,7 +700,7 @@ _vpaes_schedule_transform: movdqa 16(%r11),%xmm0 .byte 102,15,56,0,193 pxor %xmm2,%xmm0 - .byte 0xf3,0xc3 + ret @@ -801,7 +794,7 @@ L$schedule_mangle_both: addq $-16,%r8 andq $0x30,%r8 movdqu %xmm3,(%rdx) - .byte 0xf3,0xc3 + ret @@ -814,6 +807,7 @@ L$schedule_mangle_both: .p2align 4 _vpaes_set_encrypt_key: +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,_BORINGSSL_function_hit+5(%rip) @@ -828,7 +822,7 @@ _vpaes_set_encrypt_key: movl $0x30,%r8d call _vpaes_schedule_core xorl %eax,%eax - .byte 0xf3,0xc3 + ret @@ -838,6 +832,7 @@ _vpaes_set_encrypt_key: .p2align 4 _vpaes_set_decrypt_key: +_CET_ENDBR movl %esi,%eax shrl $5,%eax addl $5,%eax @@ -852,7 +847,7 @@ _vpaes_set_decrypt_key: xorl $32,%r8d call _vpaes_schedule_core xorl %eax,%eax - .byte 0xf3,0xc3 + ret @@ -862,6 +857,7 @@ _vpaes_set_decrypt_key: .p2align 4 _vpaes_encrypt: +_CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,_BORINGSSL_function_hit+4(%rip) @@ -870,7 +866,7 @@ _vpaes_encrypt: call _vpaes_preheat call _vpaes_encrypt_core movdqu %xmm0,(%rsi) - .byte 0xf3,0xc3 + ret @@ -880,11 +876,12 @@ _vpaes_encrypt: .p2align 4 _vpaes_decrypt: +_CET_ENDBR movdqu (%rdi),%xmm0 call _vpaes_preheat call _vpaes_decrypt_core movdqu %xmm0,(%rsi) - .byte 0xf3,0xc3 + ret .globl _vpaes_cbc_encrypt 
@@ -893,6 +890,7 @@ _vpaes_decrypt: .p2align 4 _vpaes_cbc_encrypt: +_CET_ENDBR xchgq %rcx,%rdx subq $16,%rcx jc L$cbc_abort @@ -927,7 +925,7 @@ L$cbc_dec_loop: L$cbc_done: movdqu %xmm6,(%r8) L$cbc_abort: - .byte 0xf3,0xc3 + ret .globl _vpaes_ctr32_encrypt_blocks @@ -936,6 +934,7 @@ L$cbc_abort: .p2align 4 _vpaes_ctr32_encrypt_blocks: +_CET_ENDBR xchgq %rcx,%rdx testq %rcx,%rcx @@ -990,7 +989,7 @@ L$ctr32_loop: L$ctr32_done: L$ctr32_abort: - .byte 0xf3,0xc3 + ret @@ -1011,7 +1010,7 @@ _vpaes_preheat: movdqa 64(%r10),%xmm12 movdqa 80(%r10),%xmm15 movdqa 96(%r10),%xmm14 - .byte 0xf3,0xc3 + ret @@ -1132,10 +1131,6 @@ L$ctr_add_two: .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont-linux.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont-linux.linux.x86.S index 354f6bdc..f77fd557 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont-linux.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont-linux.linux.x86.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text .globl bn_mul_mont .hidden bn_mul_mont 
@@ -488,11 +481,7 @@ bn_mul_mont: .byte 54,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121 .byte 32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46 .byte 111,114,103,62,0 -#endif // !defined(OPENSSL_NO_ASM) && defined(__i386__) && defined(__ELF__) -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) #endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont-linux.linux.x86_64.S index ecd7eb1c..a5120fc0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont-linux.linux.x86_64.S 
@@ -3,44 +3,21 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P - -.globl bn_mul_mont -.hidden bn_mul_mont -.type bn_mul_mont,@function +.globl bn_mul_mont_nohw +.hidden bn_mul_mont_nohw +.type bn_mul_mont_nohw,@function .align 16 -bn_mul_mont: +bn_mul_mont_nohw: .cfi_startproc +_CET_ENDBR movl %r9d,%r9d movq %rsp,%rax .cfi_def_cfa_register %rax - testl $3,%r9d - jnz .Lmul_enter - cmpl $8,%r9d - jb .Lmul_enter - leaq OPENSSL_ia32cap_P(%rip),%r11 - movl 8(%r11),%r11d - cmpq %rsi,%rdx - jne .Lmul4x_enter - testl $7,%r9d - jz .Lsqr8x_enter - jmp .Lmul4x_enter - -.align 16 -.Lmul_enter: pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -270,20 +247,19 @@ bn_mul_mont: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmul_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size bn_mul_mont,.-bn_mul_mont +.size bn_mul_mont_nohw,.-bn_mul_mont_nohw +.globl bn_mul4x_mont +.hidden bn_mul4x_mont .type bn_mul4x_mont,@function .align 16 bn_mul4x_mont: .cfi_startproc +_CET_ENDBR movl %r9d,%r9d movq %rsp,%rax .cfi_def_cfa_register %rax -.Lmul4x_enter: - andl $0x80100,%r11d - cmpl $0x80100,%r11d - je .Lmulx4x_enter pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -704,7 +680,7 @@ bn_mul4x_mont: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmul4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mul4x_mont,.-bn_mul4x_mont .extern bn_sqrx8x_internal 
@@ -712,13 +688,16 @@ bn_mul4x_mont: .extern bn_sqr8x_internal .hidden bn_sqr8x_internal +.globl bn_sqr8x_mont +.hidden bn_sqr8x_mont .type bn_sqr8x_mont,@function .align 32 bn_sqr8x_mont: .cfi_startproc +_CET_ENDBR + movl %r9d,%r9d movq %rsp,%rax .cfi_def_cfa_register %rax -.Lsqr8x_enter: pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -793,11 +772,8 @@ bn_sqr8x_mont: pxor %xmm0,%xmm0 .byte 102,72,15,110,207 .byte 102,73,15,110,218 - leaq OPENSSL_ia32cap_P(%rip),%rax - movl 8(%rax),%eax - andl $0x80100,%eax - cmpl $0x80100,%eax - jne .Lsqr8x_nox + testq %rdx,%rdx + jz .Lsqr8x_nox call bn_sqrx8x_internal @@ -897,16 +873,18 @@ bn_sqr8x_mont: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lsqr8x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_sqr8x_mont,.-bn_sqr8x_mont +.globl bn_mulx4x_mont +.hidden bn_mulx4x_mont .type bn_mulx4x_mont,@function .align 32 bn_mulx4x_mont: .cfi_startproc +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax -.Lmulx4x_enter: pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -1253,16 +1231,12 @@ bn_mulx4x_mont: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmulx4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mulx4x_mont,.-bn_mulx4x_mont .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 16 #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont-mac.mac.x86_64.S index 37d58f05..ce162b8a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont-mac.mac.x86_64.S 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont-mac.mac.x86_64.S @@ -3,43 +3,21 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - - -.globl _bn_mul_mont -.private_extern _bn_mul_mont +.globl _bn_mul_mont_nohw +.private_extern _bn_mul_mont_nohw .p2align 4 -_bn_mul_mont: +_bn_mul_mont_nohw: +_CET_ENDBR movl %r9d,%r9d movq %rsp,%rax - testl $3,%r9d - jnz L$mul_enter - cmpl $8,%r9d - jb L$mul_enter - leaq _OPENSSL_ia32cap_P(%rip),%r11 - movl 8(%r11),%r11d - cmpq %rsi,%rdx - jne L$mul4x_enter - testl $7,%r9d - jz L$sqr8x_enter - jmp L$mul4x_enter - -.p2align 4 -L$mul_enter: pushq %rbx pushq %rbp @@ -269,20 +247,19 @@ L$copy: leaq (%rsi),%rsp L$mul_epilogue: - .byte 0xf3,0xc3 + ret +.globl _bn_mul4x_mont +.private_extern _bn_mul4x_mont .p2align 4 -bn_mul4x_mont: +_bn_mul4x_mont: +_CET_ENDBR movl %r9d,%r9d movq %rsp,%rax -L$mul4x_enter: - andl $0x80100,%r11d - cmpl $0x80100,%r11d - je L$mulx4x_enter pushq %rbx pushq %rbp @@ -703,19 +680,22 @@ L$copy4x: leaq (%rsi),%rsp L$mul4x_epilogue: - .byte 0xf3,0xc3 + ret +.globl _bn_sqr8x_mont +.private_extern _bn_sqr8x_mont .p2align 5 -bn_sqr8x_mont: +_bn_sqr8x_mont: +_CET_ENDBR + movl %r9d,%r9d movq %rsp,%rax -L$sqr8x_enter: pushq %rbx pushq %rbp @@ -790,11 +770,8 @@ L$sqr8x_body: pxor %xmm0,%xmm0 .byte 102,72,15,110,207 .byte 102,73,15,110,218 - leaq _OPENSSL_ia32cap_P(%rip),%rax - movl 8(%rax),%eax - andl $0x80100,%eax - cmpl $0x80100,%eax - jne L$sqr8x_nox + testq %rdx,%rdx + jz L$sqr8x_nox call _bn_sqrx8x_internal 
@@ -894,16 +871,18 @@ L$sqr8x_cond_copy: leaq (%rsi),%rsp L$sqr8x_epilogue: - .byte 0xf3,0xc3 + ret +.globl _bn_mulx4x_mont +.private_extern _bn_mulx4x_mont .p2align 5 -bn_mulx4x_mont: +_bn_mulx4x_mont: +_CET_ENDBR movq %rsp,%rax -L$mulx4x_enter: pushq %rbx pushq %rbp @@ -1250,16 +1229,12 @@ L$mulx4x_cond_copy: leaq (%rsi),%rsp L$mulx4x_epilogue: - .byte 0xf3,0xc3 + ret .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 4 #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5-linux.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5-linux.linux.x86_64.S index 1ac24db1..2cd1f6f9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5-linux.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5-linux.linux.x86_64.S @@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text .extern OPENSSL_ia32cap_P @@ -24,6 +17,7 @@ .align 64 bn_mul_mont_gather5: .cfi_startproc +_CET_ENDBR movl %r9d,%r9d movq %rsp,%rax .cfi_def_cfa_register %rax 
@@ -458,7 +452,7 @@ bn_mul_mont_gather5: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmul_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mul_mont_gather5,.-bn_mul_mont_gather5 .type bn_mul4x_mont_gather5,@function @@ -563,7 +557,7 @@ bn_mul4x_mont_gather5: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmul4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mul4x_mont_gather5,.-bn_mul4x_mont_gather5 @@ -1102,6 +1096,7 @@ mul4x_internal: .align 32 bn_power5: .cfi_startproc +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax leaq OPENSSL_ia32cap_P(%rip),%r11 @@ -1229,7 +1224,7 @@ bn_power5: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpower5_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_power5,.-bn_power5 @@ -1241,6 +1236,7 @@ bn_power5: bn_sqr8x_internal: __bn_sqr8x_internal: .cfi_startproc +_CET_ENDBR @@ -2014,7 +2010,7 @@ __bn_sqr8x_reduction: cmpq %rdx,%rdi jb .L8x_reduction_loop - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_sqr8x_internal,.-bn_sqr8x_internal .type __bn_post4x_internal,@function @@ -2070,7 +2066,7 @@ __bn_post4x_internal: movq %r9,%r10 negq %r9 - .byte 0xf3,0xc3 + ret .cfi_endproc .size __bn_post4x_internal,.-__bn_post4x_internal .type bn_mulx4x_mont_gather5,@function @@ -2180,7 +2176,7 @@ bn_mulx4x_mont_gather5: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmulx4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mulx4x_mont_gather5,.-bn_mulx4x_mont_gather5 @@ -2741,7 +2737,7 @@ bn_powerx5: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpowerx5_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_powerx5,.-bn_powerx5 @@ -2753,6 +2749,7 @@ bn_powerx5: bn_sqrx8x_internal: __bn_sqrx8x_internal: .cfi_startproc +_CET_ENDBR @@ -3363,7 +3360,7 @@ __bn_sqrx8x_reduction: leaq 64(%rdi,%rcx,1),%rdi cmpq 8+8(%rsp),%r8 jb .Lsqrx8x_reduction_loop - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_sqrx8x_internal,.-bn_sqrx8x_internal .align 32 
@@ -3416,7 +3413,7 @@ __bn_postx4x_internal: negq %r9 - .byte 0xf3,0xc3 + ret .cfi_endproc .size __bn_postx4x_internal,.-__bn_postx4x_internal .globl bn_scatter5 @@ -3425,6 +3422,7 @@ __bn_postx4x_internal: .align 16 bn_scatter5: .cfi_startproc +_CET_ENDBR cmpl $0,%esi jz .Lscatter_epilogue @@ -3445,7 +3443,7 @@ bn_scatter5: subl $1,%esi jnz .Lscatter .Lscatter_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_scatter5,.-bn_scatter5 @@ -3456,6 +3454,7 @@ bn_scatter5: bn_gather5: .cfi_startproc .LSEH_begin_bn_gather5: +_CET_ENDBR .byte 0x4c,0x8d,0x14,0x24 .cfi_def_cfa_register %r10 @@ -3614,7 +3613,7 @@ bn_gather5: leaq (%r10),%rsp .cfi_def_cfa_register %rsp - .byte 0xf3,0xc3 + ret .LSEH_end_bn_gather5: .cfi_endproc .size bn_gather5,.-bn_gather5 @@ -3626,10 +3625,6 @@ bn_gather5: .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115,99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5-mac.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5-mac.mac.x86_64.S index 6972f50a..223d50b8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5-mac.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5-mac.mac.x86_64.S 
@@ -3,16 +3,9 @@ // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif +#include -#if defined(__x86_64__) && !defined(OPENSSL_NO_ASM) && defined(__APPLE__) -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text @@ -23,6 +16,7 @@ .p2align 6 _bn_mul_mont_gather5: +_CET_ENDBR movl %r9d,%r9d movq %rsp,%rax @@ -457,7 +451,7 @@ L$copy: leaq (%rsi),%rsp L$mul_epilogue: - .byte 0xf3,0xc3 + ret @@ -562,7 +556,7 @@ L$mul4x_body: leaq (%rsi),%rsp L$mul4x_epilogue: - .byte 0xf3,0xc3 + ret @@ -1101,6 +1095,7 @@ L$inner4x: .p2align 5 _bn_power5: +_CET_ENDBR movq %rsp,%rax leaq _OPENSSL_ia32cap_P(%rip),%r11 @@ -1228,7 +1223,7 @@ L$power5_body: leaq (%rsi),%rsp L$power5_epilogue: - .byte 0xf3,0xc3 + ret @@ -1240,6 +1235,7 @@ L$power5_epilogue: _bn_sqr8x_internal: __bn_sqr8x_internal: +_CET_ENDBR @@ -2013,7 +2009,7 @@ L$8x_no_tail: cmpq %rdx,%rdi jb L$8x_reduction_loop - .byte 0xf3,0xc3 + ret @@ -2069,7 +2065,7 @@ L$sqr4x_sub_entry: movq %r9,%r10 negq %r9 - .byte 0xf3,0xc3 + ret @@ -2179,7 +2175,7 @@ L$mulx4x_body: leaq (%rsi),%rsp L$mulx4x_epilogue: - .byte 0xf3,0xc3 + ret @@ -2740,7 +2736,7 @@ L$powerx5_body: leaq (%rsi),%rsp L$powerx5_epilogue: - .byte 0xf3,0xc3 + ret @@ -2752,6 +2748,7 @@ L$powerx5_epilogue: _bn_sqrx8x_internal: __bn_sqrx8x_internal: +_CET_ENDBR @@ -3362,7 +3359,7 @@ L$sqrx8x_no_tail: leaq 64(%rdi,%rcx,1),%rdi cmpq 8+8(%rsp),%r8 jb L$sqrx8x_reduction_loop - .byte 0xf3,0xc3 + ret .p2align 5 @@ -3415,7 +3412,7 @@ L$sqrx4x_sub_entry: negq %r9 - .byte 0xf3,0xc3 + ret .globl _bn_scatter5 @@ -3424,6 +3421,7 @@ L$sqrx4x_sub_entry: .p2align 4 _bn_scatter5: +_CET_ENDBR cmpl $0,%esi jz L$scatter_epilogue 
@@ -3444,7 +3442,7 @@ L$scatter: subl $1,%esi jnz L$scatter L$scatter_epilogue: - .byte 0xf3,0xc3 + ret @@ -3455,6 +3453,7 @@ L$scatter_epilogue: _bn_gather5: L$SEH_begin_bn_gather5: +_CET_ENDBR .byte 0x4c,0x8d,0x14,0x24 @@ -3613,7 +3612,7 @@ L$gather: leaq (%r10),%rsp - .byte 0xf3,0xc3 + ret L$SEH_end_bn_gather5: @@ -3625,10 +3624,6 @@ L$inc: .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115,99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text #endif -#if defined(__ELF__) -// See https://www.airs.com/blog/archives/518. -.section .note.GNU-stack,"",%progbits -#endif #endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c b/Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c index e166d065..e7463e1b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c +++ b/Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c @@ -352,6 +352,13 @@ int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) { return 1; } +void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in) { + EVP_HPKE_KEY_cleanup(out); + // For now, |EVP_HPKE_KEY| is trivially movable. + OPENSSL_memcpy(out, in, sizeof(EVP_HPKE_KEY)); + EVP_HPKE_KEY_zero(in); +} + int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem, const uint8_t *priv_key, size_t priv_key_len) { EVP_HPKE_KEY_zero(key); diff --git a/Sources/CJWTKitBoringSSL/crypto/hrss/asm/poly_rq_mul.S b/Sources/CJWTKitBoringSSL/crypto/hrss/asm/poly_rq_mul.S index 53cd1ce3..608ae408 100644 --- a/Sources/CJWTKitBoringSSL/crypto/hrss/asm/poly_rq_mul.S +++ b/Sources/CJWTKitBoringSSL/crypto/hrss/asm/poly_rq_mul.S 
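Review bot: `EVP_HPKE_KEY_move` does not handle `out == in`: `EVP_HPKE_KEY_cleanup(out)` runs first, `OPENSSL_memcpy(out, in, sizeof(EVP_HPKE_KEY))` then copies the struct onto itself (overlapping memcpy, formally undefined), and `EVP_HPKE_KEY_zero(in)` finally wipes the key that was just "moved", so a self-move silently leaves the caller with an empty key. Either document the precondition above the function, `// |out| and |in| must not alias; a self-move destroys the key.`, or guard it with `if (out == in) { return; }` before the cleanup call. This is vendored verbatim from upstream BoringSSL, so the fix belongs there; it is worth knowing in the wrapper so no caller relies on self-move being a no-op.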
@@ -14,11 +14,9 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && defined(__linux__) && defined(__x86_64__) +#include -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && defined(OPENSSL_LINUX) && defined(OPENSSL_X86_64) // This is the polynomial multiplication function from [HRSS], provided by kind // permission of the authors. @@ -305,6 +303,7 @@ mask_mod8192: .att_syntax prefix poly_Rq_mul: .cfi_startproc +_CET_ENDBR push %rbp .cfi_adjust_cfa_offset 8 .cfi_offset rbp, -16 @@ -8488,10 +8487,6 @@ ret .cfi_endproc .size poly_Rq_mul,.-poly_Rq_mul -#endif - -#if defined(__ELF__) -.section .note.GNU-stack,"",%progbits #endif #endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/internal.h b/Sources/CJWTKitBoringSSL/crypto/internal.h index 45c4187b..c9db854b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/internal.h @@ -109,6 +109,7 @@ #ifndef OPENSSL_HEADER_CRYPTO_INTERNAL_H #define OPENSSL_HEADER_CRYPTO_INTERNAL_H +#include #include #include #include 
@@ -126,24 +127,13 @@ #endif #if !defined(__cplusplus) -#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L -#include -#elif defined(_MSC_VER) && !defined(__clang__) -#define alignas(x) __declspec(align(x)) -#define alignof __alignof -#else -// With the exception of MSVC, we require C11 to build the library. C11 is a -// prerequisite for improved refcounting performance. All our supported C -// compilers have long implemented C11 and made it default. The most likely -// cause of pre-C11 modes is stale -std=c99 or -std=gnu99 flags in build -// configuration. Such flags can be removed. -// -// TODO(davidben): In MSVC 2019 16.8 or higher (_MSC_VER >= 1928), -// |__STDC_VERSION__| will be 201112 when passed /std:c11 and unset otherwise. -// C11 alignas and alignof are only implemented in C11 mode. Can we mandate C11 -// mode for those versions? +#if !defined(__STDC_VERSION__) || __STDC_VERSION__ < 201112L +// BoringSSL requires C11 to build the library. The most likely cause of +// pre-C11 modes is stale -std=c99 or -std=gnu99 flags in build configuration. +// Such flags can be removed. If building with MSVC, build with /std:c11. #error "BoringSSL must be built in C11 mode or higher." #endif +#include #endif #if defined(OPENSSL_THREADS) && \ @@ -159,9 +149,8 @@ // Determine the atomics implementation to use with C. #if !defined(__cplusplus) -#if !defined(OPENSSL_C11_ATOMIC) && defined(OPENSSL_THREADS) && \ - !defined(__STDC_NO_ATOMICS__) && defined(__STDC_VERSION__) && \ - __STDC_VERSION__ >= 201112L +#if !defined(OPENSSL_C11_ATOMIC) && defined(OPENSSL_THREADS) && \ + !defined(__STDC_NO_ATOMICS__) #define OPENSSL_C11_ATOMIC #endif 
@@ -206,14 +195,17 @@ OPENSSL_EXPORT uint32_t *OPENSSL_get_armcap_pointer_for_test(void); #endif +// On non-MSVC 64-bit targets, we expect __uint128_t support. This includes +// clang-cl, which defines both __clang__ and _MSC_VER. #if (!defined(_MSC_VER) || defined(__clang__)) && defined(OPENSSL_64_BIT) #define BORINGSSL_HAS_UINT128 typedef __int128_t int128_t; typedef __uint128_t uint128_t; -// clang-cl supports __uint128_t but modulus and division don't work. -// https://crbug.com/787617. -#if !defined(_MSC_VER) || !defined(__clang__) +// __uint128_t division depends on intrinsics in the compiler runtime. Those +// intrinsics are missing in clang-cl (https://crbug.com/787617) and nanolibc. +// These may be bugs in the toolchain definition, but just disable it for now. +#if !defined(_MSC_VER) && !defined(OPENSSL_NANOLIBC) #define BORINGSSL_CAN_DIVIDE_UINT128 #endif #endif 
@@ -243,14 +235,36 @@ typedef __uint128_t uint128_t; #define OPENSSL_FALLTHROUGH #endif -// For convenience in testing 64-bit generic code, we allow disabling SSE2 -// intrinsics via |OPENSSL_NO_SSE2_FOR_TESTING|. x86_64 always has SSE2 -// available, so we would otherwise need to test such code on a non-x86_64 -// platform. -#if defined(__SSE2__) && !defined(OPENSSL_NO_SSE2_FOR_TESTING) +// GCC-like compilers indicate SSE2 with |__SSE2__|. MSVC leaves the caller to +// know that x86_64 has SSE2, and uses _M_IX86_FP to indicate SSE2 on x86. +// https://learn.microsoft.com/en-us/cpp/preprocessor/predefined-macros?view=msvc-170 +#if defined(__SSE2__) || defined(_M_AMD64) || defined(_M_X64) || \ + (defined(_M_IX86_FP) && _M_IX86_FP >= 2) #define OPENSSL_SSE2 #endif +#if defined(OPENSSL_X86) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SSE2) +#error \ + "x86 assembly requires SSE2. Build with -msse2 (recommended), or disable assembly optimizations with -DOPENSSL_NO_ASM." +#endif + +// For convenience in testing the fallback code, we allow disabling SSE2 +// intrinsics via |OPENSSL_NO_SSE2_FOR_TESTING|. We require SSE2 on x86 and +// x86_64, so we would otherwise need to test such code on a non-x86 platform. +// +// This does not remove the above requirement for SSE2 support with assembly +// optimizations. It only disables some intrinsics-based optimizations so that +// we can test the fallback code on CI. +#if defined(OPENSSL_SSE2) && defined(OPENSSL_NO_SSE2_FOR_TESTING) +#undef OPENSSL_SSE2 +#endif + +#if defined(__GNUC__) || defined(__clang__) +#define OPENSSL_ATTR_PURE __attribute__((pure)) +#else +#define OPENSSL_ATTR_PURE +#endif + #if defined(BORINGSSL_MALLOC_FAILURE_TESTING) // OPENSSL_reset_malloc_counter_for_testing, when malloc testing is enabled, // resets the internal malloc counter, to simulate further malloc failures. This 
@@ -261,19 +275,25 @@ OPENSSL_EXPORT void OPENSSL_reset_malloc_counter_for_testing(void); OPENSSL_INLINE void OPENSSL_reset_malloc_counter_for_testing(void) {} #endif +#if defined(__has_builtin) +#define OPENSSL_HAS_BUILTIN(x) __has_builtin(x) +#else +#define OPENSSL_HAS_BUILTIN(x) 0 +#endif + // Pointer utility functions. // buffers_alias returns one if |a| and |b| alias and zero otherwise. -static inline int buffers_alias(const uint8_t *a, size_t a_len, - const uint8_t *b, size_t b_len) { +static inline int buffers_alias(const void *a, size_t a_bytes, + const void *b, size_t b_bytes) { // Cast |a| and |b| to integers. In C, pointer comparisons between unrelated // objects are undefined whereas pointer to integer conversions are merely // implementation-defined. We assume the implementation defined it in a sane // way. uintptr_t a_u = (uintptr_t)a; uintptr_t b_u = (uintptr_t)b; - return a_u + a_len > b_u && b_u + b_len > a_u; + return a_u + a_bytes > b_u && b_u + b_bytes > a_u; } // align_pointer returns |ptr|, advanced to |alignment|. |alignment| must be a @@ -360,6 +380,9 @@ static inline uint64_t value_barrier_u64(uint64_t a) { return a; } +// |value_barrier_u8| could be defined as above, but compilers other than +// clang seem to still materialize 0x00..00MM instead of reusing 0x??..??MM. + // constant_time_msb_w returns the given value with the MSB copied to all the // other bits. static inline crypto_word_t constant_time_msb_w(crypto_word_t a) { 
@@ -476,16 +499,23 @@ static inline crypto_word_t constant_time_select_w(crypto_word_t mask, // to a cmov, it sometimes further transforms it into a branch, which we do // not want. // - // Adding barriers to both |mask| and |~mask| breaks the relationship between - // the two, which makes the compiler stick with bitmasks. - return (value_barrier_w(mask) & a) | (value_barrier_w(~mask) & b); + // Hiding the value of the mask from the compiler evades this transformation. + mask = value_barrier_w(mask); + return (mask & a) | (~mask & b); } // constant_time_select_8 acts like |constant_time_select| but operates on // 8-bit values. -static inline uint8_t constant_time_select_8(uint8_t mask, uint8_t a, +static inline uint8_t constant_time_select_8(crypto_word_t mask, uint8_t a, uint8_t b) { - return (uint8_t)(constant_time_select_w(mask, a, b)); + // |mask| is a word instead of |uint8_t| to avoid materializing 0x000..0MM + // Making both |mask| and its value barrier |uint8_t| would allow the compiler + // to materialize 0x????..?MM instead, but only clang is that clever. + // However, vectorization of bitwise operations seems to work better on + // |uint8_t| than a mix of |uint64_t| and |uint8_t|, so |m| is cast to + // |uint8_t| after the value barrier but before the bitwise operations. + uint8_t m = value_barrier_w(mask); + return (m & a) | (~m & b); } // constant_time_select_int acts like |constant_time_select| but operates on 
@@ -495,6 +525,34 @@ static inline int constant_time_select_int(crypto_word_t mask, int a, int b) { (crypto_word_t)(b))); } +// constant_time_conditional_memcpy copies |n| bytes from |src| to |dst| if +// |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory +// ranges at |dst| and |src| must not overlap, as when calling |memcpy|. +static inline void constant_time_conditional_memcpy(void *dst, const void *src, + const size_t n, + const crypto_word_t mask) { + assert(!buffers_alias(dst, n, src, n)); + uint8_t *out = (uint8_t *)dst; + const uint8_t *in = (const uint8_t *)src; + for (size_t i = 0; i < n; i++) { + out[i] = constant_time_select_8(mask, in[i], out[i]); + } +} + +// constant_time_conditional_memxor xors |n| bytes from |src| to |dst| if +// |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory +// ranges at |dst| and |src| must not overlap, as when calling |memcpy|. +static inline void constant_time_conditional_memxor(void *dst, const void *src, + const size_t n, + const crypto_word_t mask) { + assert(!buffers_alias(dst, n, src, n)); + uint8_t *out = (uint8_t *)dst; + const uint8_t *in = (const uint8_t *)src; + for (size_t i = 0; i < n; i++) { + out[i] ^= value_barrier_w(mask) & in[i]; + } +} + #if defined(BORINGSSL_CONSTANT_TIME_VALIDATION) // CONSTTIME_SECRET takes a pointer and a number of bytes and marks that region 
@@ -697,37 +755,24 @@ OPENSSL_EXPORT int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count); // Locks. -// -// Two types of locks are defined: |CRYPTO_MUTEX|, which can be used in -// structures as normal, and |struct CRYPTO_STATIC_MUTEX|, which can be used as -// a global lock. A global lock must be initialised to the value -// |CRYPTO_STATIC_MUTEX_INIT|. -// -// |CRYPTO_MUTEX| can appear in public structures and so is defined in -// thread.h as a structure large enough to fit the real type. The global lock is -// a different type so it may be initialized with platform initializer macros. #if !defined(OPENSSL_THREADS) -struct CRYPTO_STATIC_MUTEX { +typedef struct crypto_mutex_st { char padding; // Empty structs have different sizes in C and C++. -}; -#define CRYPTO_STATIC_MUTEX_INIT { 0 } +} CRYPTO_MUTEX; +#define CRYPTO_MUTEX_INIT { 0 } #elif defined(OPENSSL_WINDOWS_THREADS) -struct CRYPTO_STATIC_MUTEX { - SRWLOCK lock; -}; -#define CRYPTO_STATIC_MUTEX_INIT { SRWLOCK_INIT } +typedef SRWLOCK CRYPTO_MUTEX; +#define CRYPTO_MUTEX_INIT SRWLOCK_INIT #elif defined(OPENSSL_PTHREADS) -struct CRYPTO_STATIC_MUTEX { - pthread_rwlock_t lock; -}; -#define CRYPTO_STATIC_MUTEX_INIT { PTHREAD_RWLOCK_INITIALIZER } +typedef pthread_rwlock_t CRYPTO_MUTEX; +#define CRYPTO_MUTEX_INIT PTHREAD_RWLOCK_INITIALIZER #else #error "Unknown threading library" #endif // CRYPTO_MUTEX_init initialises |lock|. If |lock| is a static variable, use a -// |CRYPTO_STATIC_MUTEX|. +// |CRYPTO_MUTEX_INIT|. OPENSSL_EXPORT void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock); // CRYPTO_MUTEX_lock_read locks |lock| such that other threads may also have a 
@@ -747,28 +792,6 @@ OPENSSL_EXPORT void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock); // CRYPTO_MUTEX_cleanup releases all resources held by |lock|. OPENSSL_EXPORT void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock); -// CRYPTO_STATIC_MUTEX_lock_read locks |lock| such that other threads may also -// have a read lock, but none may have a write lock. The |lock| variable does -// not need to be initialised by any function, but must have been statically -// initialised with |CRYPTO_STATIC_MUTEX_INIT|. -OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_lock_read( - struct CRYPTO_STATIC_MUTEX *lock); - -// CRYPTO_STATIC_MUTEX_lock_write locks |lock| such that no other thread has -// any type of lock on it. The |lock| variable does not need to be initialised -// by any function, but must have been statically initialised with -// |CRYPTO_STATIC_MUTEX_INIT|. -OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_lock_write( - struct CRYPTO_STATIC_MUTEX *lock); - -// CRYPTO_STATIC_MUTEX_unlock_read unlocks |lock| for reading. -OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_read( - struct CRYPTO_STATIC_MUTEX *lock); - -// CRYPTO_STATIC_MUTEX_unlock_write unlocks |lock| for writing. -OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_write( - struct CRYPTO_STATIC_MUTEX *lock); - #if defined(__cplusplus) extern "C++" { @@ -854,7 +877,7 @@ typedef struct crypto_ex_data_func_st CRYPTO_EX_DATA_FUNCS; // supports ex_data. It should defined as a static global within the module // which defines that type. typedef struct { - struct CRYPTO_STATIC_MUTEX lock; + CRYPTO_MUTEX lock; // funcs is a linked list of |CRYPTO_EX_DATA_FUNCS| structures. It may be // traversed without serialization only up to |num_funcs|. last points to the // final entry of |funcs|, or NULL if empty. 
@@ -866,9 +889,9 @@ typedef struct { uint8_t num_reserved; } CRYPTO_EX_DATA_CLASS; -#define CRYPTO_EX_DATA_CLASS_INIT {CRYPTO_STATIC_MUTEX_INIT, NULL, NULL, 0, 0} +#define CRYPTO_EX_DATA_CLASS_INIT {CRYPTO_MUTEX_INIT, NULL, NULL, 0, 0} #define CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA \ - {CRYPTO_STATIC_MUTEX_INIT, NULL, NULL, 0, 1} + {CRYPTO_MUTEX_INIT, NULL, NULL, 0, 1} // CRYPTO_get_ex_new_index allocates a new index for |ex_data_class| and writes // it to |*out_index|. Each class of object should provide a wrapper function 
@@ -1133,6 +1156,110 @@ static inline uint64_t CRYPTO_rotr_u64(uint64_t value, int shift) { } +// Arithmetic functions. + +// CRYPTO_addc_* returns |x + y + carry|, and sets |*out_carry| to the carry +// bit. |carry| must be zero or one. +#if OPENSSL_HAS_BUILTIN(__builtin_addc) + +#define CRYPTO_GENERIC_ADDC(x, y, carry, out_carry) \ + (_Generic((x), \ + unsigned: __builtin_addc, \ + unsigned long: __builtin_addcl, \ + unsigned long long: __builtin_addcll))((x), (y), (carry), (out_carry)) + +static inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry, + uint32_t *out_carry) { + assert(carry <= 1); + return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry); +} + +static inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry, + uint64_t *out_carry) { + assert(carry <= 1); + return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry); +} + +#else + +static inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry, + uint32_t *out_carry) { + assert(carry <= 1); + uint64_t ret = carry; + ret += (uint64_t)x + y; + *out_carry = (uint32_t)(ret >> 32); + return (uint32_t)ret; +} + +static inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry, + uint64_t *out_carry) { + assert(carry <= 1); +#if defined(BORINGSSL_HAS_UINT128) + uint128_t ret = carry; + ret += (uint128_t)x + y; + *out_carry = (uint64_t)(ret >> 64); + return (uint64_t)ret; +#else + x += carry; + carry = x < carry; + uint64_t ret = x + y; + carry += ret < x; + *out_carry = carry; + return ret; +#endif +} +#endif + +// CRYPTO_subc_* returns |x - y - borrow|, and sets |*out_borrow| to the borrow +// bit. |borrow| must be zero or one. 
+#if OPENSSL_HAS_BUILTIN(__builtin_subc) + +#define CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow) \ + (_Generic((x), \ + unsigned: __builtin_subc, \ + unsigned long: __builtin_subcl, \ + unsigned long long: __builtin_subcll))((x), (y), (borrow), (out_borrow)) + +static inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow, + uint32_t *out_borrow) { + assert(borrow <= 1); + return CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow); +} + +static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow, + uint64_t *out_borrow) { + assert(borrow <= 1); + return CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow); +} + +#else + +static inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow, + uint32_t *out_borrow) { + assert(borrow <= 1); + uint32_t ret = x - y - borrow; + *out_borrow = (x < y) | ((x == y) & borrow); + return ret; +} + +static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow, + uint64_t *out_borrow) { + assert(borrow <= 1); + uint64_t ret = x - y - borrow; + *out_borrow = (x < y) | ((x == y) & borrow); + return ret; +} +#endif + +#if defined(OPENSSL_64_BIT) +#define CRYPTO_addc_w CRYPTO_addc_u64 +#define CRYPTO_subc_w CRYPTO_subc_u64 +#else +#define CRYPTO_addc_w CRYPTO_addc_u32 +#define CRYPTO_subc_w CRYPTO_subc_u32 +#endif + + // FIPS functions. #if defined(BORINGSSL_FIPS) 
@@ -1220,19 +1347,16 @@ OPENSSL_INLINE int boringssl_fips_break_test(const char *test) { // ECX for CPUID where EAX = 7 // // Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the YMM and XMM -// bits in XCR0, so it is not necessary to check those. +// bits in XCR0, so it is not necessary to check those. (WARNING: See caveats +// in cpu_intel.c.) +// +// From C, this symbol should only be accessed with |OPENSSL_get_ia32cap|. extern uint32_t OPENSSL_ia32cap_P[4]; -#if defined(BORINGSSL_FIPS) && !defined(BORINGSSL_SHARED_LIBRARY) -// The FIPS module, as a static library, requires an out-of-line version of -// |OPENSSL_ia32cap_get| so accesses can be rewritten by delocate. Mark the -// function const so multiple accesses can be optimized together. -const uint32_t *OPENSSL_ia32cap_get(void) __attribute__((const)); -#else -OPENSSL_INLINE const uint32_t *OPENSSL_ia32cap_get(void) { - return OPENSSL_ia32cap_P; -} -#endif +// OPENSSL_get_ia32cap initializes the library if needed and returns the |idx|th +// entry of |OPENSSL_ia32cap_P|. It is marked as a pure function so duplicate +// calls can be merged by the compiler, at least when indices match. +OPENSSL_ATTR_PURE uint32_t OPENSSL_get_ia32cap(int idx); // See Intel manual, volume 2A, table 3-11. @@ -1240,13 +1364,13 @@ OPENSSL_INLINE int CRYPTO_is_FXSR_capable(void) { #if defined(__FXSR__) return 1; #else - return (OPENSSL_ia32cap_get()[0] & (1 << 24)) != 0; + return (OPENSSL_get_ia32cap(0) & (1u << 24)) != 0; #endif } OPENSSL_INLINE int CRYPTO_is_intel_cpu(void) { // The reserved bit 30 is used to indicate an Intel CPU. - return (OPENSSL_ia32cap_get()[0] & (1 << 30)) != 0; + return (OPENSSL_get_ia32cap(0) & (1u << 30)) != 0; } // See Intel manual, volume 2A, table 3-10. @@ -1255,7 +1379,7 @@ OPENSSL_INLINE int CRYPTO_is_PCLMUL_capable(void) { #if defined(__PCLMUL__) return 1; #else - return (OPENSSL_ia32cap_get()[1] & (1 << 1)) != 0; + return (OPENSSL_get_ia32cap(1) & (1u << 1)) != 0; #endif } 
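Review bot: `OPENSSL_ATTR_PURE uint32_t OPENSSL_get_ia32cap(int idx);` is documented as initializing the library on demand, but `OPENSSL_ATTR_PURE` expands to `__attribute__((pure))` in this header, which tells the compiler the call has no side effects, so a call whose result is unused may be deleted and repeated calls merged across the surrounding code. That is only sound if the lazy initialization is idempotent and nothing relies on the call for its side effect; the declaration comment should state this, e.g. `// Callers must not call this for its initialization side effect: the pure attribute lets the compiler drop or merge calls.` The `CRYPTO_is_*_capable` helpers in this hunk all consume the return value, so they are unaffected; the concern is for any future caller that invokes it just to trigger setup. Since the file is vendored from BoringSSL the wording belongs upstream, but it is worth noting for consumers of this wrapper.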
@@ -1263,7 +1387,7 @@ OPENSSL_INLINE int CRYPTO_is_SSSE3_capable(void) {
 #if defined(__SSSE3__)
 return 1;
 #else
- return (OPENSSL_ia32cap_get()[1] & (1 << 9)) != 0;
+ return (OPENSSL_get_ia32cap(1) & (1u << 9)) != 0;
 #endif
 }
@@ -1271,7 +1395,7 @@ OPENSSL_INLINE int CRYPTO_is_SSE4_1_capable(void) {
 #if defined(__SSE4_1__)
 return 1;
 #else
- return (OPENSSL_ia32cap_P[1] & (1 << 19)) != 0;
+ return (OPENSSL_get_ia32cap(1) & (1u << 19)) != 0;
 #endif
 }
@@ -1279,7 +1403,7 @@ OPENSSL_INLINE int CRYPTO_is_MOVBE_capable(void) {
 #if defined(__MOVBE__)
 return 1;
 #else
- return (OPENSSL_ia32cap_get()[1] & (1 << 22)) != 0;
+ return (OPENSSL_get_ia32cap(1) & (1u << 22)) != 0;
 #endif
 }
@@ -1287,26 +1411,26 @@ OPENSSL_INLINE int CRYPTO_is_AESNI_capable(void) {
 #if defined(__AES__)
 return 1;
 #else
- return (OPENSSL_ia32cap_get()[1] & (1 << 25)) != 0;
+ return (OPENSSL_get_ia32cap(1) & (1u << 25)) != 0;
 #endif
 }
+// We intentionally avoid defining a |CRYPTO_is_XSAVE_capable| function. See
+// |CRYPTO_cpu_perf_is_like_silvermont|.
+
 OPENSSL_INLINE int CRYPTO_is_AVX_capable(void) {
 #if defined(__AVX__)
 return 1;
 #else
- return (OPENSSL_ia32cap_get()[1] & (1 << 28)) != 0;
+ return (OPENSSL_get_ia32cap(1) & (1u << 28)) != 0;
 #endif
 }
 OPENSSL_INLINE int CRYPTO_is_RDRAND_capable(void) {
- // The GCC/Clang feature name and preprocessor symbol for RDRAND are "rdrnd"
- // and |__RDRND__|, respectively.
-#if defined(__RDRND__)
- return 1;
-#else
- return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0;
-#endif
+ // We intentionally do not check |__RDRND__| here. On some AMD processors, we
+ // will act as if the hardware is RDRAND-incapable, even it actually supports
+ // it. See cpu_intel.c.
+ return (OPENSSL_get_ia32cap(1) & (1u << 30)) != 0;
 }
 // See Intel manual, volume 2A, table 3-8.
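Review bot: The rewritten comment in `CRYPTO_is_RDRAND_capable` has a grammar slip, `even it actually supports it`, which should read `even if it actually supports it`. Since this predicate now has no compile-time short-circuit, the comment is the only explanation in this header for the deliberate under-reporting on some AMD parts; naming the affected processor families here, if cpu_intel.c (not in this diff) identifies them, would save readers a cross-file lookup.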
@@ -1315,7 +1439,7 @@ OPENSSL_INLINE int CRYPTO_is_BMI1_capable(void) {
 #if defined(__BMI1__)
 return 1;
 #else
- return (OPENSSL_ia32cap_get()[2] & (1 << 3)) != 0;
+ return (OPENSSL_get_ia32cap(2) & (1u << 3)) != 0;
 #endif
 }
@@ -1323,7 +1447,7 @@ OPENSSL_INLINE int CRYPTO_is_AVX2_capable(void) {
 #if defined(__AVX2__)
 return 1;
 #else
- return (OPENSSL_ia32cap_get()[2] & (1 << 5)) != 0;
+ return (OPENSSL_get_ia32cap(2) & (1u << 5)) != 0;
 #endif
 }
@@ -1331,7 +1455,7 @@ OPENSSL_INLINE int CRYPTO_is_BMI2_capable(void) {
 #if defined(__BMI2__)
 return 1;
 #else
- return (OPENSSL_ia32cap_get()[2] & (1 << 8)) != 0;
+ return (OPENSSL_get_ia32cap(2) & (1u << 8)) != 0;
 #endif
 }
@@ -1339,17 +1463,79 @@ OPENSSL_INLINE int CRYPTO_is_ADX_capable(void) {
 #if defined(__ADX__)
 return 1;
 #else
- return (OPENSSL_ia32cap_get()[2] & (1 << 19)) != 0;
+ return (OPENSSL_get_ia32cap(2) & (1u << 19)) != 0;
 #endif
 }
+// SHA-1 and SHA-256 are defined as a single extension.
+OPENSSL_INLINE int CRYPTO_is_x86_SHA_capable(void) {
+ // We should check __SHA__ here, but for now we ignore it. We've run into a
+ // few places where projects build with -march=goldmont, but need a build that
+ // does not require SHA extensions:
+ //
+ // - Some CrOS toolchain definitions are incorrect and build with
+ // -march=goldmont when targetting boards that are not Goldmont. b/320482539
+ // tracks fixing this.
+ //
+ // - Sometimes projects build with -march=goldmont as a rough optimized
+ // baseline. However, Intel CPU capabilities are not strictly linear, so
+ // this does not quite work. Some combination of -mtune and
+ // -march=x86-64-v{1,2,3,4} would be a better strategy here.
+ //
+ // - QEMU versions before 8.2 do not support SHA extensions and disable it
+ // with a warning. Projects that target Goldmont and test on QEMU will
+ // break. The long-term fix is to update to 8.2. A principled short-term fix
+ // would be -march=goldmont -mno-sha, to reflect that the binary needs to
+ // run on both QEMU-8.1-Goldmont and actual-Goldmont.
+ //
+ // TODO(b/320482539): Once the CrOS toolchain is fixed, try this again.
+ return (OPENSSL_get_ia32cap(2) & (1u << 29)) != 0;
+}
+
+// CRYPTO_cpu_perf_is_like_silvermont returns one if, based on a heuristic, the
+// CPU has Silvermont-like performance characteristics. It is often faster to
+// run different codepaths on these CPUs than the available instructions would
+// otherwise select. See chacha-x86_64.pl.
+//
+// Bonnell, Silvermont's predecessor in the Atom lineup, will also be matched by
+// this. |OPENSSL_cpuid_setup| forces Knights Landing to also be matched by
+// this. Goldmont (Silvermont's successor in the Atom lineup) added XSAVE so it
+// isn't matched by this. Various sources indicate AMD first implemented MOVBE
+// and XSAVE at the same time in Jaguar, so it seems like AMD chips will not be
+// matched by this. That seems to be the case for other x86(-64) CPUs.
+OPENSSL_INLINE int CRYPTO_cpu_perf_is_like_silvermont(void) {
+ // WARNING: This MUST NOT be used to guard the execution of the XSAVE
+ // instruction. This is the "hardware supports XSAVE" bit, not the OSXSAVE bit
+ // that indicates whether we can safely execute XSAVE. This bit may be set
+ // even when XSAVE is disabled (by the operating system). See the comment in
+ // cpu_intel.c and check how the users of this bit use it.
+ //
+ // We do not use |__XSAVE__| for static detection because the hack in
+ // |OPENSSL_cpuid_setup| for Knights Landing CPUs needs to override it.
+ int hardware_supports_xsave = (OPENSSL_get_ia32cap(1) & (1u << 26)) != 0;
+ return !hardware_supports_xsave && CRYPTO_is_MOVBE_capable();
+}
+
 #endif // OPENSSL_X86 || OPENSSL_X86_64
 #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
-#if defined(OPENSSL_APPLE) && defined(OPENSSL_ARM)
-// We do not detect any features at runtime for Apple's 32-bit ARM platforms. On
-// 64-bit ARM, we detect some post-ARMv8.0 features.
+// OPENSSL_armcap_P contains ARM CPU capabilities. From C, this should only be
+// accessed with |OPENSSL_get_armcap|.
+extern uint32_t OPENSSL_armcap_P;
+
+// OPENSSL_get_armcap initializes the library if needed and returns ARM CPU
+// capabilities. It is marked as a pure function so duplicate calls can be
+// merged by the compiler, at least when indices match.
+OPENSSL_ATTR_PURE uint32_t OPENSSL_get_armcap(void);
+
+// We do not detect any features at runtime on several 32-bit Arm platforms.
+// Apple platforms and OpenBSD require NEON and moved to 64-bit to pick up Armv8
+// extensions. Android baremetal does not aim to support 32-bit Arm at all, but
+// it simplifies things to make it build.
+#if defined(OPENSSL_ARM) && !defined(OPENSSL_STATIC_ARMCAP) && \
+ (defined(OPENSSL_APPLE) || defined(OPENSSL_OPENBSD) || \
+ defined(ANDROID_BAREMETAL))
 #define OPENSSL_STATIC_ARMCAP
 #endif
@@ -1367,21 +1553,6 @@ OPENSSL_INLINE int CRYPTO_is_ADX_capable(void) {
 #endif
 #endif
-#if !defined(OPENSSL_STATIC_ARMCAP)
-// CRYPTO_is_NEON_capable_at_runtime returns true if the current CPU has a NEON
-// unit. Note that |OPENSSL_armcap_P| also exists and contains the same
-// information in a form that's easier for assembly to use.
-OPENSSL_EXPORT int CRYPTO_is_NEON_capable_at_runtime(void);
-
-// CRYPTO_is_ARMv8_AES_capable_at_runtime returns true if the current CPU
-// supports the ARMv8 AES instruction.
-int CRYPTO_is_ARMv8_AES_capable_at_runtime(void);
-
-// CRYPTO_is_ARMv8_PMULL_capable_at_runtime returns true if the current CPU
-// supports the ARMv8 PMULL instruction.
-int CRYPTO_is_ARMv8_PMULL_capable_at_runtime(void);
-#endif // !OPENSSL_STATIC_ARMCAP
-
 // CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If
 // this is known statically, it is a constant inline function.
 OPENSSL_INLINE int CRYPTO_is_NEON_capable(void) {
@@ -1390,7 +1561,7 @@ OPENSSL_INLINE int CRYPTO_is_NEON_capable(void) {
 #elif defined(OPENSSL_STATIC_ARMCAP)
 return 0;
 #else
- return CRYPTO_is_NEON_capable_at_runtime();
+ return (OPENSSL_get_armcap() & ARMV7_NEON) != 0;
 #endif
 }
@@ -1400,7 +1571,7 @@ OPENSSL_INLINE int CRYPTO_is_ARMv8_AES_capable(void) {
 #elif defined(OPENSSL_STATIC_ARMCAP)
 return 0;
 #else
- return CRYPTO_is_ARMv8_AES_capable_at_runtime();
+ return (OPENSSL_get_armcap() & ARMV8_AES) != 0;
 #endif
 }
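Review bot: The comment on the new `OPENSSL_get_armcap` declaration ends with `at least when indices match`, copied from the `OPENSSL_get_ia32cap` comment, but `OPENSSL_get_armcap(void)` takes no index, so the clause is misleading; suggest `// capabilities. It is marked as a pure function so duplicate calls can be merged by the compiler.` In the same hunk, the `CRYPTO_is_x86_SHA_capable` comment has `targetting`, which should be `targeting`. The hunk that introduces both starts on an earlier line of this page with the `CRYPTO_is_ADX_capable` change.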
@@ -1410,7 +1581,42 @@ OPENSSL_INLINE int CRYPTO_is_ARMv8_PMULL_capable(void) {
 #elif defined(OPENSSL_STATIC_ARMCAP)
 return 0;
 #else
- return CRYPTO_is_ARMv8_PMULL_capable_at_runtime();
+ return (OPENSSL_get_armcap() & ARMV8_PMULL) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_ARMv8_SHA1_capable(void) {
+ // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise
+ // are dealt with independently.
+#if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_SHA2)
+ return 1;
+#elif defined(OPENSSL_STATIC_ARMCAP)
+ return 0;
+#else
+ return (OPENSSL_get_armcap() & ARMV8_SHA1) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_ARMv8_SHA256_capable(void) {
+ // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise
+ // are dealt with independently.
+#if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_SHA2)
+ return 1;
+#elif defined(OPENSSL_STATIC_ARMCAP)
+ return 0;
+#else
+ return (OPENSSL_get_armcap() & ARMV8_SHA256) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_ARMv8_SHA512_capable(void) {
+ // There is no |OPENSSL_STATIC_ARMCAP_SHA512|.
+#if defined(__ARM_FEATURE_SHA512)
+ return 1;
+#elif defined(OPENSSL_STATIC_ARMCAP)
+ return 0;
+#else
+ return (OPENSSL_get_armcap() & ARMV8_SHA512) != 0;
 #endif
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/keccak/internal.h b/Sources/CJWTKitBoringSSL/crypto/keccak/internal.h
new file mode 100644
index 00000000..cd4ed2ba
--- /dev/null
+++ b/Sources/CJWTKitBoringSSL/crypto/keccak/internal.h
@@ -0,0 +1,70 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_KECCAK_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_KECCAK_INTERNAL_H
+
+#include
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+enum boringssl_keccak_config_t {
+ boringssl_sha3_256,
+ boringssl_sha3_512,
+ boringssl_shake128,
+ boringssl_shake256,
+};
+
+enum boringssl_keccak_phase_t {
+ boringssl_keccak_phase_absorb,
+ boringssl_keccak_phase_squeeze,
+};
+
+struct BORINGSSL_keccak_st {
+ enum boringssl_keccak_config_t config;
+ enum boringssl_keccak_phase_t phase;
+ uint64_t state[25];
+ size_t rate_bytes;
+ size_t absorb_offset;
+ size_t squeeze_offset;
+};
+
+// BORINGSSL_keccak hashes |in_len| bytes from |in| and writes |out_len| bytes
+// of output to |out|. If the |config| specifies a fixed-output function, like
+// SHA3-256, then |out_len| must be the correct length for that function.
+OPENSSL_EXPORT void BORINGSSL_keccak(uint8_t *out, size_t out_len,
+ const uint8_t *in, size_t in_len,
+ enum boringssl_keccak_config_t config);
+
+// BORINGSSL_keccak_init prepares |ctx| for absorbing. The |config| must specify
+// a SHAKE variant, otherwise callers should use |BORINGSSL_keccak|.
+OPENSSL_EXPORT void BORINGSSL_keccak_init(
+ struct BORINGSSL_keccak_st *ctx, enum boringssl_keccak_config_t config);
+
+// BORINGSSL_keccak_absorb absorbs |in_len| bytes from |in|.
+OPENSSL_EXPORT void BORINGSSL_keccak_absorb(struct BORINGSSL_keccak_st *ctx,
+ const uint8_t *in, size_t in_len);
+
+// BORINGSSL_keccak_squeeze writes |out_len| bytes to |out| from |ctx|.
+OPENSSL_EXPORT void BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx,
+ uint8_t *out, size_t out_len);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_KECCAK_INTERNAL_H
diff --git a/Sources/CJWTKitBoringSSL/crypto/kyber/keccak.c b/Sources/CJWTKitBoringSSL/crypto/keccak/keccak.c
similarity index 66%
rename from Sources/CJWTKitBoringSSL/crypto/kyber/keccak.c
rename to Sources/CJWTKitBoringSSL/crypto/keccak/keccak.c
index 500a3428..18d252e4 100644
--- a/Sources/CJWTKitBoringSSL/crypto/kyber/keccak.c
+++ b/Sources/CJWTKitBoringSSL/crypto/keccak/keccak.c
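Review bot: The new header does not state the phase contract that keccak.c enforces: the first `BORINGSSL_keccak_squeeze` finalizes the sponge, and any `BORINGSSL_keccak_absorb` after that calls `abort()`. Suggest `// BORINGSSL_keccak_absorb absorbs |in_len| bytes from |in|. It must not be called once |BORINGSSL_keccak_squeeze| has been called; doing so aborts.` and `// BORINGSSL_keccak_squeeze writes |out_len| bytes to |out| from |ctx|. The first call finalizes absorption; later calls continue the same output stream.` The fields of `struct BORINGSSL_keccak_st` are also undocumented even though kyber.c reads `squeeze_offset` directly in an assert, so a one-line comment marking them private to keccak.c and saying what each offset counts would help.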
@@ -56,19 +56,40 @@ static void keccak_f(uint64_t state[25]) {
 // and the sequence will repeat. All that remains is to handle the element
 // at (0, 0), but the rotation for that element is zero, and it goes to (0,
 // 0), so we can ignore it.
- static const uint8_t kIndexes[24] = {10, 7, 11, 17, 18, 3, 5, 16,
- 8, 21, 24, 4, 15, 23, 19, 13,
- 12, 2, 20, 14, 22, 9, 6, 1};
- static const uint8_t kRotations[24] = {1, 3, 6, 10, 15, 21, 28, 36,
- 45, 55, 2, 14, 27, 41, 56, 8,
- 25, 43, 62, 18, 39, 61, 20, 44};
 uint64_t prev_value = state[1];
- for (int i = 0; i < 24; i++) {
- const uint64_t value = CRYPTO_rotl_u64(prev_value, kRotations[i]);
- const size_t index = kIndexes[i];
- prev_value = state[index];
- state[index] = value;
- }
+#define PI_RHO_STEP(index, rotation) \
+ do { \
+ const uint64_t value = CRYPTO_rotl_u64(prev_value, rotation); \
+ prev_value = state[index]; \
+ state[index] = value; \
+ } while (0)
+
+ PI_RHO_STEP(10, 1);
+ PI_RHO_STEP(7, 3);
+ PI_RHO_STEP(11, 6);
+ PI_RHO_STEP(17, 10);
+ PI_RHO_STEP(18, 15);
+ PI_RHO_STEP(3, 21);
+ PI_RHO_STEP(5, 28);
+ PI_RHO_STEP(16, 36);
+ PI_RHO_STEP(8, 45);
+ PI_RHO_STEP(21, 55);
+ PI_RHO_STEP(24, 2);
+ PI_RHO_STEP(4, 14);
+ PI_RHO_STEP(15, 27);
+ PI_RHO_STEP(23, 41);
+ PI_RHO_STEP(19, 56);
+ PI_RHO_STEP(13, 8);
+ PI_RHO_STEP(12, 25);
+ PI_RHO_STEP(2, 43);
+ PI_RHO_STEP(20, 62);
+ PI_RHO_STEP(14, 18);
+ PI_RHO_STEP(22, 39);
+ PI_RHO_STEP(9, 61);
+ PI_RHO_STEP(6, 20);
+ PI_RHO_STEP(1, 44);
+
+#undef PI_RHO_STEP
 // χ step
 for (int y = 0; y < 5; y++) {
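Review bot: `PI_RHO_STEP` silently captures `prev_value` and `state` from the enclosing scope, which is not visible at any of the 24 call sites; a one-line comment above the `#define`, e.g. `// Each step reads and updates |prev_value| and |state| from the enclosing scope.`, would make the unrolled sequence easier to audit. The (index, rotation) pairs were previously two contiguous tables that could be compared against the spec's rho offsets at a glance; noting in the comment that the pairs are the same values as the former `kIndexes`/`kRotations` tables, in the same order, would preserve that cross-check for reviewers. The enclosing `keccak_f` starts outside the hunk.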
@@ -105,40 +126,90 @@ static void keccak_f(uint64_t state[25]) {
 }
 static void keccak_init(struct BORINGSSL_keccak_st *ctx,
- size_t *out_required_out_len, const uint8_t *in,
- size_t in_len, enum boringssl_keccak_config_t config) {
+ size_t *out_required_out_len,
+ enum boringssl_keccak_config_t config) {
 size_t capacity_bytes;
- uint8_t terminator;
 switch (config) {
 case boringssl_sha3_256:
 capacity_bytes = 512 / 8;
 *out_required_out_len = 32;
- terminator = 0x06;
 break;
 case boringssl_sha3_512:
 capacity_bytes = 1024 / 8;
 *out_required_out_len = 64;
- terminator = 0x06;
 break;
 case boringssl_shake128:
 capacity_bytes = 256 / 8;
 *out_required_out_len = 0;
- terminator = 0x1f;
 break;
 case boringssl_shake256:
 capacity_bytes = 512 / 8;
 *out_required_out_len = 0;
- terminator = 0x1f;
 break;
 default:
 abort();
 }
 OPENSSL_memset(ctx, 0, sizeof(*ctx));
+ ctx->config = config;
+ ctx->phase = boringssl_keccak_phase_absorb;
 ctx->rate_bytes = 200 - capacity_bytes;
 assert(ctx->rate_bytes % 8 == 0);
+}
+
+void BORINGSSL_keccak(uint8_t *out, size_t out_len, const uint8_t *in,
+ size_t in_len, enum boringssl_keccak_config_t config) {
+ struct BORINGSSL_keccak_st ctx;
+ size_t required_out_len;
+ keccak_init(&ctx, &required_out_len, config);
+ if (required_out_len != 0 && out_len != required_out_len) {
+ abort();
+ }
+ BORINGSSL_keccak_absorb(&ctx, in, in_len);
+ BORINGSSL_keccak_squeeze(&ctx, out, out_len);
+}
+
+void BORINGSSL_keccak_init(struct BORINGSSL_keccak_st *ctx,
+ enum boringssl_keccak_config_t config) {
+ size_t required_out_len;
+ keccak_init(ctx, &required_out_len, config);
+ if (required_out_len != 0) {
+ abort();
+ }
+}
+
+void BORINGSSL_keccak_absorb(struct BORINGSSL_keccak_st *ctx, const uint8_t *in,
+ size_t in_len) {
+ if (ctx->phase == boringssl_keccak_phase_squeeze) {
+ // It's illegal to call absorb() again after calling squeeze().
+ abort();
+ }
+ const size_t rate_words = ctx->rate_bytes / 8;
+ // XOR the input. Accessing |ctx->state| as a |uint8_t*| is allowed by strict
+ // aliasing because we require |uint8_t| to be a character type.
+ uint8_t *state_bytes = (uint8_t *)ctx->state;
+
+ // Absorb partial block.
+ if (ctx->absorb_offset != 0) {
+ assert(ctx->absorb_offset < ctx->rate_bytes);
+ size_t first_block_len = ctx->rate_bytes - ctx->absorb_offset;
+ for (size_t i = 0; i < first_block_len && i < in_len; i++) {
+ state_bytes[ctx->absorb_offset + i] ^= in[i];
+ }
+
+ // This input didn't fill the block.
+ if (first_block_len > in_len) {
+ ctx->absorb_offset += in_len;
+ return;
+ }
+ keccak_f(ctx->state);
+ in += first_block_len;
+ in_len -= first_block_len;
+ }
+
+ // Absorb full blocks.
 while (in_len >= ctx->rate_bytes) {
 for (size_t i = 0; i < rate_words; i++) {
 ctx->state[i] ^= CRYPTO_load_u64_le(in + 8 * i);
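Review bot: `BORINGSSL_keccak` leaves its stack `ctx`, which holds the full sponge state derived from `in`, uncleared on return; kyber.c feeds secret material through this path via its new `prf`/`kdf`/`hash_g` wrappers (the kyber.c hunks further down this page), so consider `OPENSSL_cleanse(&ctx, sizeof(ctx));` after the squeeze, and likewise for `prekey_and_randomness`, `decrypted` and `input` in `KYBER_encap_external_entropy` and `KYBER_decap`. This is pre-existing behaviour rather than a regression introduced here, so it is a hardening suggestion. Separately, `keccak_init` uses `*out_required_out_len = 0` to mean variable-length output; a comment on the parameter, e.g. `// |*out_required_out_len| is set to the fixed output length, or zero for the XOFs.`, would make the `!= 0` checks in the two public entry points self-explanatory.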
@@ -148,57 +219,61 @@ static void keccak_init(struct BORINGSSL_keccak_st *ctx,
 in_len -= ctx->rate_bytes;
 }
- // XOR the final block. Accessing |ctx->state| as a |uint8_t*| is allowed by
- // strict aliasing because we require |uint8_t| to be a character type.
- uint8_t *state_bytes = (uint8_t *)ctx->state;
+ // Absorb partial block.
 assert(in_len < ctx->rate_bytes);
 for (size_t i = 0; i < in_len; i++) {
 state_bytes[i] ^= in[i];
 }
- state_bytes[in_len] ^= terminator;
- state_bytes[ctx->rate_bytes - 1] ^= 0x80;
- keccak_f(ctx->state);
+ ctx->absorb_offset = in_len;
 }
-void BORINGSSL_keccak(uint8_t *out, size_t out_len, const uint8_t *in,
- size_t in_len, enum boringssl_keccak_config_t config) {
- struct BORINGSSL_keccak_st ctx;
- size_t required_out_len;
- keccak_init(&ctx, &required_out_len, in, in_len, config);
- if (required_out_len != 0 && out_len != required_out_len) {
- abort();
+static void keccak_finalize(struct BORINGSSL_keccak_st *ctx) {
+ uint8_t terminator;
+ switch (ctx->config) {
+ case boringssl_sha3_256:
+ case boringssl_sha3_512:
+ terminator = 0x06;
+ break;
+ case boringssl_shake128:
+ case boringssl_shake256:
+ terminator = 0x1f;
+ break;
+ default:
+ abort();
 }
- BORINGSSL_keccak_squeeze(&ctx, out, out_len);
-}
-void BORINGSSL_keccak_init(struct BORINGSSL_keccak_st *ctx, const uint8_t *in,
- size_t in_len,
- enum boringssl_keccak_config_t config) {
- size_t required_out_len;
- keccak_init(ctx, &required_out_len, in, in_len, config);
- if (required_out_len != 0) {
- abort();
- }
+ // XOR the terminator. Accessing |ctx->state| as a |uint8_t*| is allowed by
+ // strict aliasing because we require |uint8_t| to be a character type.
+ uint8_t *state_bytes = (uint8_t *)ctx->state;
+ state_bytes[ctx->absorb_offset] ^= terminator;
+ state_bytes[ctx->rate_bytes - 1] ^= 0x80;
+ keccak_f(ctx->state);
 }
 void BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx, uint8_t *out,
 size_t out_len) {
+ if (ctx->phase == boringssl_keccak_phase_absorb) {
+ keccak_finalize(ctx);
+ ctx->phase = boringssl_keccak_phase_squeeze;
+ }
+
 // Accessing |ctx->state| as a |uint8_t*| is allowed by strict aliasing
 // because we require |uint8_t| to be a character type.
 const uint8_t *state_bytes = (const uint8_t *)ctx->state;
 while (out_len) {
- size_t remaining = ctx->rate_bytes - ctx->offset;
+ if (ctx->squeeze_offset == ctx->rate_bytes) {
+ keccak_f(ctx->state);
+ ctx->squeeze_offset = 0;
+ }
+
+ size_t remaining = ctx->rate_bytes - ctx->squeeze_offset;
 size_t todo = out_len;
 if (todo > remaining) {
 todo = remaining;
 }
- OPENSSL_memcpy(out, &state_bytes[ctx->offset], todo);
+ OPENSSL_memcpy(out, &state_bytes[ctx->squeeze_offset], todo);
 out += todo;
 out_len -= todo;
- ctx->offset += todo;
- if (ctx->offset == ctx->rate_bytes) {
- keccak_f(ctx->state);
- ctx->offset = 0;
- }
+ ctx->squeeze_offset += todo;
 }
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/kyber/internal.h b/Sources/CJWTKitBoringSSL/crypto/kyber/internal.h
index fd1d40cd..4caa10b0 100644
--- a/Sources/CJWTKitBoringSSL/crypto/kyber/internal.h
+++ b/Sources/CJWTKitBoringSSL/crypto/kyber/internal.h
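Review bot: `keccak_finalize` indexes `state_bytes[ctx->absorb_offset]` and relies on `BORINGSSL_keccak_absorb` always leaving `absorb_offset < rate_bytes`; that invariant is asserted in absorb but not here, so an `assert(ctx->absorb_offset < ctx->rate_bytes);` before the terminator XOR would document it at the point where an out-of-bounds write would otherwise occur. A short header comment on `keccak_finalize` saying that it pads the final block and must run exactly once per context, which is what the `phase` check in `BORINGSSL_keccak_squeeze` guarantees, would also help; the function currently has none.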
@@ -32,37 +32,6 @@ extern "C" {
 // necessary to generate a key.
 #define KYBER_GENERATE_KEY_ENTROPY 64
-struct BORINGSSL_keccak_st {
- uint64_t state[25];
- size_t rate_bytes;
- size_t offset;
-};
-
-enum boringssl_keccak_config_t {
- boringssl_sha3_256,
- boringssl_sha3_512,
- boringssl_shake128,
- boringssl_shake256,
-};
-
-// BORINGSSL_keccak hashes |in_len| bytes from |in| and writes |out_len| bytes
-// of output to |out|. If the |config| specifies a fixed-output function, like
-// SHA3-256, then |out_len| must be the correct length for that function.
-OPENSSL_EXPORT void BORINGSSL_keccak(uint8_t *out, size_t out_len,
- const uint8_t *in, size_t in_len,
- enum boringssl_keccak_config_t config);
-
-// BORINGSSL_keccak_init absorbs |in_len| bytes from |in| and sets up |ctx| for
-// squeezing. The |config| must specify a SHAKE variant, otherwise callers
-// should use |BORINGSSL_keccak|.
-OPENSSL_EXPORT void BORINGSSL_keccak_init(
- struct BORINGSSL_keccak_st *ctx, const uint8_t *in, size_t in_len,
- enum boringssl_keccak_config_t config);
-
-// BORINGSSL_keccak_squeeze writes |out_len| bytes to |out| from |ctx|.
-OPENSSL_EXPORT void BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx,
- uint8_t *out, size_t out_len);
-
 // KYBER_generate_key_external_entropy is a deterministic function to create a
 // pair of Kyber768 keys, using the supplied entropy. The entropy needs to be
 // uniformly random generated. This function is should only be used for tests,
@@ -73,15 +42,15 @@ OPENSSL_EXPORT void KYBER_generate_key_external_entropy(
 struct KYBER_private_key *out_private_key,
 const uint8_t entropy[KYBER_GENERATE_KEY_ENTROPY]);
-// KYBER_encap_external_entropy is a deterministic function to encapsulate
-// |out_shared_secret_len| bytes of |out_shared_secret| to |ciphertext|, using
-// |KYBER_ENCAP_ENTROPY| bytes of |entropy| for randomization. The
-// decapsulating side will be able to recover |entropy| in full. This
-// function is should only be used for tests, regular callers should use the
-// non-deterministic |KYBER_encap| directly.
+// KYBER_encap_external_entropy behaves like |KYBER_encap|, but uses
+// |KYBER_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating
+// side will be able to recover |entropy| in full. This function should only be
+// used for tests, regular callers should use the non-deterministic
+// |KYBER_encap| directly.
 OPENSSL_EXPORT void KYBER_encap_external_entropy(
- uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], uint8_t *out_shared_secret,
- size_t out_shared_secret_len, const struct KYBER_public_key *public_key,
+ uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES],
+ uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],
+ const struct KYBER_public_key *public_key,
 const uint8_t entropy[KYBER_ENCAP_ENTROPY]);
 #if defined(__cplusplus)
diff --git a/Sources/CJWTKitBoringSSL/crypto/kyber/kyber.c b/Sources/CJWTKitBoringSSL/crypto/kyber/kyber.c
index 9a3a027e..5dbc052f 100644
--- a/Sources/CJWTKitBoringSSL/crypto/kyber/kyber.c
+++ b/Sources/CJWTKitBoringSSL/crypto/kyber/kyber.c
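Review bot: The array bound in `uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES]` is documentation only: the parameter decays to `uint8_t *` and the compiler does not check the caller's buffer, so the length contract that previously travelled in `out_shared_secret_len` is now implicit. Suggest stating it in the new comment, e.g. `// ... The shared secret written to |out_shared_secret| is always |KYBER_SHARED_SECRET_BYTES| bytes.`, and noting that this is a source-incompatible change for any downstream caller of the old five-argument form (the kyber.c hunks below update the in-tree callers).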
@@ -21,12 +21,29 @@
 #include
 #include "../internal.h"
+#include "../keccak/internal.h"
 #include "./internal.h"
 // See
 // https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf
+static void prf(uint8_t *out, size_t out_len, const uint8_t in[33]) {
+ BORINGSSL_keccak(out, out_len, in, 33, boringssl_shake256);
+}
+
+static void hash_h(uint8_t out[32], const uint8_t *in, size_t len) {
+ BORINGSSL_keccak(out, 32, in, len, boringssl_sha3_256);
+}
+
+static void hash_g(uint8_t out[64], const uint8_t *in, size_t len) {
+ BORINGSSL_keccak(out, 64, in, len, boringssl_sha3_512);
+}
+
+static void kdf(uint8_t *out, size_t out_len, const uint8_t *in, size_t len) {
+ BORINGSSL_keccak(out, out_len, in, len, boringssl_shake256);
+}
+
 #define DEGREE 256
 #define RANK 3
@@ -283,7 +300,7 @@ static void scalar_inner_product(scalar *out, const vector *lhs,
 // operates on public inputs.
 static void scalar_from_keccak_vartime(scalar *out,
 struct BORINGSSL_keccak_st *keccak_ctx) {
- assert(keccak_ctx->offset == 0);
+ assert(keccak_ctx->squeeze_offset == 0);
 assert(keccak_ctx->rate_bytes == 168);
 static_assert(168 % 3 == 0, "block and coefficient boundaries do not align");
@@ -314,7 +331,7 @@ static void scalar_centered_binomial_distribution_eta_2_with_prf(
 scalar *out, const uint8_t input[33]) {
 uint8_t entropy[128];
 static_assert(sizeof(entropy) == 2 * /*kEta=*/2 * DEGREE / 8, "");
- BORINGSSL_keccak(entropy, sizeof(entropy), input, 33, boringssl_shake256);
+ prf(entropy, sizeof(entropy), input);
 for (int i = 0; i < DEGREE; i += 2) {
 uint8_t byte = entropy[i / 2];
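Review bot: The four new wrappers `prf`, `hash_h`, `hash_g` and `kdf` fix the concrete instantiation of Kyber's symmetric primitives but carry no comment saying so; a header such as `// PRF, H, G and KDF from the Kyber specification, instantiated with SHAKE-256, SHA3-256, SHA3-512 and SHAKE-256 respectively.` would let a reviewer check each call site against the spec by name. In `prf` the literal `33` appears both as the parameter bound `in[33]` and as the length passed to `BORINGSSL_keccak`; tying the two to one named constant, or at least a comment that 33 is the seed-plus-nonce length built by the callers, would keep them from drifting apart.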
@@ -354,8 +371,8 @@ static void matrix_expand(matrix *out, const uint8_t rho[32]) {
 input[32] = i;
 input[33] = j;
 struct BORINGSSL_keccak_st keccak_ctx;
- BORINGSSL_keccak_init(&keccak_ctx, input, sizeof(input),
- boringssl_shake128);
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128);
+ BORINGSSL_keccak_absorb(&keccak_ctx, input, sizeof(input));
 scalar_from_keccak_vartime(&out->v[i][j], &keccak_ctx);
 }
 }
@@ -610,7 +627,7 @@ void KYBER_generate_key_external_entropy(
 const uint8_t entropy[KYBER_GENERATE_KEY_ENTROPY]) {
 struct private_key *priv = private_key_from_external(out_private_key);
 uint8_t hashed[64];
- BORINGSSL_keccak(hashed, sizeof(hashed), entropy, 32, boringssl_sha3_512);
+ hash_g(hashed, entropy, 32);
 const uint8_t *const rho = hashed;
 const uint8_t *const sigma = hashed + 32;
 OPENSSL_memcpy(priv->pub.rho, hashed, sizeof(priv->pub.rho));
@@ -630,9 +647,8 @@ void KYBER_generate_key_external_entropy(
 abort();
 }
- BORINGSSL_keccak(priv->pub.public_key_hash, sizeof(priv->pub.public_key_hash),
- out_encoded_public_key, KYBER_PUBLIC_KEY_BYTES,
- boringssl_sha3_256);
+ hash_h(priv->pub.public_key_hash, out_encoded_public_key,
+ KYBER_PUBLIC_KEY_BYTES);
 OPENSSL_memcpy(priv->fo_failure_secret, entropy + 32, 32);
 }
@@ -681,12 +697,12 @@ static void encrypt_cpa(uint8_t out[KYBER_CIPHERTEXT_BYTES],
 // Calls KYBER_encap_external_entropy| with random bytes from |RAND_bytes|
 void KYBER_encap(uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES],
- uint8_t *out_shared_secret, size_t out_shared_secret_len,
+ uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],
 const struct KYBER_public_key *public_key) {
 uint8_t entropy[KYBER_ENCAP_ENTROPY];
 RAND_bytes(entropy, KYBER_ENCAP_ENTROPY);
- KYBER_encap_external_entropy(out_ciphertext, out_shared_secret,
- out_shared_secret_len, public_key, entropy);
+ KYBER_encap_external_entropy(out_ciphertext, out_shared_secret, public_key,
+ entropy);
 }
 // Algorithm 8 of the Kyber spec, safe for line 2 of the spec. The spec there
@@ -696,8 +712,9 @@ void KYBER_encap(uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES],
 // number generator is used, the caller should switch to a secure one before
 // calling this method.
 void KYBER_encap_external_entropy(
- uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], uint8_t *out_shared_secret,
- size_t out_shared_secret_len, const struct KYBER_public_key *public_key,
+ uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES],
+ uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],
+ const struct KYBER_public_key *public_key,
 const uint8_t entropy[KYBER_ENCAP_ENTROPY]) {
 const struct public_key *pub = public_key_from_external(public_key);
 uint8_t input[64];
@@ -705,14 +722,11 @@ void KYBER_encap_external_entropy(
 OPENSSL_memcpy(input + KYBER_ENCAP_ENTROPY, pub->public_key_hash,
 sizeof(input) - KYBER_ENCAP_ENTROPY);
 uint8_t prekey_and_randomness[64];
- BORINGSSL_keccak(prekey_and_randomness, sizeof(prekey_and_randomness), input,
- sizeof(input), boringssl_sha3_512);
+ hash_g(prekey_and_randomness, input, sizeof(input));
 encrypt_cpa(out_ciphertext, pub, entropy, prekey_and_randomness + 32);
- BORINGSSL_keccak(prekey_and_randomness + 32, 32, out_ciphertext,
- KYBER_CIPHERTEXT_BYTES, boringssl_sha3_256);
- BORINGSSL_keccak(out_shared_secret, out_shared_secret_len,
- prekey_and_randomness, sizeof(prekey_and_randomness),
- boringssl_shake256);
+ hash_h(prekey_and_randomness + 32, out_ciphertext, KYBER_CIPHERTEXT_BYTES);
+ kdf(out_shared_secret, KYBER_SHARED_SECRET_BYTES, prekey_and_randomness,
+ sizeof(prekey_and_randomness));
 }
 // Algorithm 6 of the Kyber spec.
@@ -738,7 +752,7 @@ static void decrypt_cpa(uint8_t out[32], const struct private_key *priv,
 // failure to be passed on to the caller, and instead returns a result that is
 // deterministic but unpredictable to anyone without knowledge of the private
 // key.
-void KYBER_decap(uint8_t *out_shared_secret, size_t out_shared_secret_len,
+void KYBER_decap(uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],
 const uint8_t ciphertext[KYBER_CIPHERTEXT_BYTES],
 const struct KYBER_private_key *private_key) {
 const struct private_key *priv = private_key_from_external(private_key);
@@ -747,8 +761,7 @@ void KYBER_decap(uint8_t *out_shared_secret, size_t out_shared_secret_len,
 OPENSSL_memcpy(decrypted + 32, priv->pub.public_key_hash,
 sizeof(decrypted) - 32);
 uint8_t prekey_and_randomness[64];
- BORINGSSL_keccak(prekey_and_randomness, sizeof(prekey_and_randomness),
- decrypted, sizeof(decrypted), boringssl_sha3_512);
+ hash_g(prekey_and_randomness, decrypted, sizeof(decrypted));
 uint8_t expected_ciphertext[KYBER_CIPHERTEXT_BYTES];
 encrypt_cpa(expected_ciphertext, &priv->pub, decrypted,
 prekey_and_randomness + 32);
@@ -761,10 +774,8 @@ void KYBER_decap(uint8_t *out_shared_secret, size_t out_shared_secret_len,
 input[i] = constant_time_select_8(mask, prekey_and_randomness[i],
 priv->fo_failure_secret[i]);
 }
- BORINGSSL_keccak(input + 32, 32, ciphertext, KYBER_CIPHERTEXT_BYTES,
- boringssl_sha3_256);
- BORINGSSL_keccak(out_shared_secret, out_shared_secret_len, input,
- sizeof(input), boringssl_shake256);
+ hash_h(input + 32, ciphertext, KYBER_CIPHERTEXT_BYTES);
+ kdf(out_shared_secret, KYBER_SHARED_SECRET_BYTES, input, sizeof(input));
 }
 int KYBER_marshal_public_key(CBB *out,
@@ -792,8 +803,7 @@ int KYBER_parse_public_key(struct KYBER_public_key *public_key, CBS *in) {
 CBS_len(in) != 0) {
 return 0;
 }
- BORINGSSL_keccak(pub->public_key_hash, sizeof(pub->public_key_hash),
- CBS_data(&orig_in), CBS_len(&orig_in), boringssl_sha3_256);
+ hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));
 return 1;
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/lhash/lhash.c b/Sources/CJWTKitBoringSSL/crypto/lhash/lhash.c
index ca82b224..0adee03f 100644
--- a/Sources/CJWTKitBoringSSL/crypto/lhash/lhash.c
+++ b/Sources/CJWTKitBoringSSL/crypto/lhash/lhash.c
@@ -104,19 +104,17 @@ struct lhash_st {
 };
 _LHASH *OPENSSL_lh_new(lhash_hash_func hash, lhash_cmp_func comp) {
- _LHASH *ret = OPENSSL_malloc(sizeof(_LHASH));
+ _LHASH *ret = OPENSSL_zalloc(sizeof(_LHASH));
 if (ret == NULL) {
 return NULL;
 }
- OPENSSL_memset(ret, 0, sizeof(_LHASH));
 ret->num_buckets = kMinNumBuckets;
- ret->buckets = OPENSSL_malloc(sizeof(LHASH_ITEM *) * ret->num_buckets);
+ ret->buckets = OPENSSL_calloc(ret->num_buckets, sizeof(LHASH_ITEM *));
 if (ret->buckets == NULL) {
 OPENSSL_free(ret);
 return NULL;
 }
- OPENSSL_memset(ret->buckets, 0, sizeof(LHASH_ITEM *) * ret->num_buckets);
 ret->comp = comp;
 ret->hash = hash;
@@ -214,11 +212,10 @@ static void lh_rebucket(_LHASH *lh, const size_t new_num_buckets) {
 return;
 }
- new_buckets = OPENSSL_malloc(alloc_size);
+ new_buckets = OPENSSL_zalloc(alloc_size);
 if (new_buckets == NULL) {
 return;
 }
- OPENSSL_memset(new_buckets, 0, alloc_size);
 for (i = 0; i < lh->num_buckets; i++) {
 for (cur = lh->buckets[i]; cur != NULL; cur = next) {
diff --git a/Sources/CJWTKitBoringSSL/crypto/mem.c b/Sources/CJWTKitBoringSSL/crypto/mem.c
index 1aac9a1a..8ab8fc24 100644
--- a/Sources/CJWTKitBoringSSL/crypto/mem.c
+++ b/Sources/CJWTKitBoringSSL/crypto/mem.c
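Review bot: `lh_rebucket` still allocates with `OPENSSL_zalloc(alloc_size)`, where `alloc_size` is computed by hand above the hunk (the `return;` just before the allocation looks like its overflow guard), while `OPENSSL_lh_new` in the previous hunk now uses `OPENSSL_calloc(ret->num_buckets, sizeof(LHASH_ITEM *))` and gets the overflow check for free. For consistency, `new_buckets = OPENSSL_calloc(new_num_buckets, sizeof(LHASH_ITEM *));` would let the hand-rolled size computation and its check be dropped, assuming `alloc_size` is not used elsewhere in the function. The enclosing `lh_rebucket` starts outside the hunk.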
@@ -133,47 +133,21 @@ WEAK_SYMBOL_FUNC(void *, OPENSSL_memory_alloc, (size_t size));
 WEAK_SYMBOL_FUNC(void, OPENSSL_memory_free, (void *ptr));
 WEAK_SYMBOL_FUNC(size_t, OPENSSL_memory_get_size, (void *ptr));
-// kBoringSSLBinaryTag is a distinctive byte sequence to identify binaries that
-// are linking in BoringSSL and, roughly, what version they are using.
-static const uint8_t kBoringSSLBinaryTag[18] = {
- // 16 bytes of magic tag.
- 0x8c,
- 0x62,
- 0x20,
- 0x0b,
- 0xd2,
- 0xa0,
- 0x72,
- 0x58,
- 0x44,
- 0xa8,
- 0x96,
- 0x69,
- 0xad,
- 0x55,
- 0x7e,
- 0xec,
- // Current source iteration. Incremented ~monthly.
- 3,
- 0,
-};
-
 #if defined(BORINGSSL_MALLOC_FAILURE_TESTING)
-static struct CRYPTO_STATIC_MUTEX malloc_failure_lock =
- CRYPTO_STATIC_MUTEX_INIT;
+static CRYPTO_MUTEX malloc_failure_lock = CRYPTO_MUTEX_INIT;
 static uint64_t current_malloc_count = 0;
 static uint64_t malloc_number_to_fail = 0;
 static int malloc_failure_enabled = 0, break_on_malloc_fail = 0,
 any_malloc_failed = 0;
 static void malloc_exit_handler(void) {
- CRYPTO_STATIC_MUTEX_lock_read(&malloc_failure_lock);
+ CRYPTO_MUTEX_lock_read(&malloc_failure_lock);
 if (any_malloc_failed) {
 // Signal to the test driver that some allocation failed, so it knows to
 // increment the counter and continue.
 _exit(88);
 }
- CRYPTO_STATIC_MUTEX_unlock_read(&malloc_failure_lock);
+ CRYPTO_MUTEX_unlock_read(&malloc_failure_lock);
 }
 static void init_malloc_failure(void) {
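Review bot: Removing `kBoringSSLBinaryTag` also removes the only in-binary marker that, per its own comment, let tooling identify binaries linking BoringSSL and roughly which source iteration; downstream inventory or supply-chain scanners keyed on that 16-byte sequence will stop detecting this vendored copy. Since this is a vendoring commit, a line in the package README or changelog noting that the tag is gone would stop consumers from reading its absence as a different library. The `malloc_exit_handler` change is a mechanical lock-type rename; it still never releases the read lock on the `_exit(88)` path, which is harmless because the process is exiting, and a comment saying so would pre-empt the question.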
@@ -200,11 +174,11 @@ static int should_fail_allocation() { // We lock just so multi-threaded tests are still correct, but we won't test // every malloc exhaustively. - CRYPTO_STATIC_MUTEX_lock_write(&malloc_failure_lock); + CRYPTO_MUTEX_lock_write(&malloc_failure_lock); int should_fail = current_malloc_count == malloc_number_to_fail; current_malloc_count++; any_malloc_failed = any_malloc_failed || should_fail; - CRYPTO_STATIC_MUTEX_unlock_write(&malloc_failure_lock); + CRYPTO_MUTEX_unlock_write(&malloc_failure_lock); if (should_fail && break_on_malloc_fail) { raise(SIGTRAP); @@ -216,9 +190,9 @@ static int should_fail_allocation() { } void OPENSSL_reset_malloc_counter_for_testing(void) { - CRYPTO_STATIC_MUTEX_lock_write(&malloc_failure_lock); + CRYPTO_MUTEX_lock_write(&malloc_failure_lock); current_malloc_count = 0; - CRYPTO_STATIC_MUTEX_unlock_write(&malloc_failure_lock); + CRYPTO_MUTEX_unlock_write(&malloc_failure_lock); } #else @@ -241,14 +215,6 @@ void *OPENSSL_malloc(size_t size) { } if (size + OPENSSL_MALLOC_PREFIX < size) { - // |OPENSSL_malloc| is a central function in BoringSSL thus a reference to - // |kBoringSSLBinaryTag| is created here so that the tag isn't discarded by - // the linker. The following is sufficient to stop GCC, Clang, and MSVC - // optimising away the reference at the time of writing. Since this - // probably results in an actual memory reference, it is put in this very - // rare code path. - uint8_t unused = *(volatile uint8_t *)kBoringSSLBinaryTag; - (void) unused; goto err; } 
@@ -268,6 +234,23 @@ void *OPENSSL_malloc(size_t size) { return NULL; } +void *OPENSSL_zalloc(size_t size) { + void *ret = OPENSSL_malloc(size); + if (ret != NULL) { + OPENSSL_memset(ret, 0, size); + } + return ret; +} + +void *OPENSSL_calloc(size_t num, size_t size) { + if (size != 0 && num > SIZE_MAX / size) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW); + return NULL; + } + + return OPENSSL_zalloc(num * size); +} + void OPENSSL_free(void *orig_ptr) { if (orig_ptr == NULL) { return; diff --git a/Sources/CJWTKitBoringSSL/crypto/obj/obj.c b/Sources/CJWTKitBoringSSL/crypto/obj/obj.c index 67b878dd..a0bcfc2c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/obj/obj.c +++ b/Sources/CJWTKitBoringSSL/crypto/obj/obj.c @@ -77,24 +77,20 @@ DEFINE_LHASH_OF(ASN1_OBJECT) -static struct CRYPTO_STATIC_MUTEX global_added_lock = CRYPTO_STATIC_MUTEX_INIT; +static CRYPTO_MUTEX global_added_lock = CRYPTO_MUTEX_INIT; // These globals are protected by |global_added_lock|. static LHASH_OF(ASN1_OBJECT) *global_added_by_data = NULL; static LHASH_OF(ASN1_OBJECT) *global_added_by_nid = NULL; static LHASH_OF(ASN1_OBJECT) *global_added_by_short_name = NULL; static LHASH_OF(ASN1_OBJECT) *global_added_by_long_name = NULL; -static struct CRYPTO_STATIC_MUTEX global_next_nid_lock = - CRYPTO_STATIC_MUTEX_INIT; +static CRYPTO_MUTEX global_next_nid_lock = CRYPTO_MUTEX_INIT; static unsigned global_next_nid = NUM_NID; static int obj_next_nid(void) { - int ret; - - CRYPTO_STATIC_MUTEX_lock_write(&global_next_nid_lock); - ret = global_next_nid++; - CRYPTO_STATIC_MUTEX_unlock_write(&global_next_nid_lock); - + CRYPTO_MUTEX_lock_write(&global_next_nid_lock); + int ret = global_next_nid++; + CRYPTO_MUTEX_unlock_write(&global_next_nid_lock); return ret; } 
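Review bot: OPENSSL_zalloc and OPENSSL_calloc are new public allocation entry points but carry no header comment describing their contract, which matters for the many callers this commit switches to them (lhash.c, obj.c, pool.c, pkcs7_x509.c, pem_info.c). I would document that OPENSSL_zalloc returns `OPENSSL_malloc(size)` zeroed or NULL, and that OPENSSL_calloc rejects `num * size` overflow with ERR_R_OVERFLOW before delegating: `// OPENSSL_calloc returns zeroed memory for |num| objects of |size| bytes, or NULL with ERR_R_OVERFLOW if |num * size| would overflow.` The overflow guard `size != 0 && num > SIZE_MAX / size` itself is correct and avoids the division by zero.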
@@ -119,16 +115,12 @@ ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o) { } r->ln = r->sn = NULL; - data = OPENSSL_malloc(o->length); - if (data == NULL) { + // once data is attached to an object, it remains const + r->data = OPENSSL_memdup(o->data, o->length); + if (o->length != 0 && r->data == NULL) { goto err; } - if (o->data != NULL) { - OPENSSL_memcpy(data, o->data, o->length); - } - // once data is attached to an object, it remains const - r->data = data; r->length = o->length; r->nid = o->nid; @@ -163,11 +155,10 @@ ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o) { } int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b) { - int ret; - - ret = a->length - b->length; - if (ret) { - return ret; + if (a->length < b->length) { + return -1; + } else if (a->length > b->length) { + return 1; } return OPENSSL_memcmp(a->data, b->data, a->length); } @@ -188,20 +179,19 @@ size_t OBJ_length(const ASN1_OBJECT *obj) { return (size_t)obj->length; } +static const ASN1_OBJECT *get_builtin_object(int nid) { + // |NID_undef| is stored separately, so all the indices are off by one. The + // caller of this function must have a valid built-in, non-undef NID. + BSSL_CHECK(nid > 0 && nid < NUM_NID); + return &kObjects[nid - 1]; +} + // obj_cmp is called to search the kNIDsInOIDOrder array. The |key| argument is // an |ASN1_OBJECT|* that we're looking for and |element| is a pointer to an // unsigned int in the array. static int obj_cmp(const void *key, const void *element) { uint16_t nid = *((const uint16_t *)element); - const ASN1_OBJECT *a = key; - const ASN1_OBJECT *b = &kObjects[nid]; - - if (a->length < b->length) { - return -1; - } else if (a->length > b->length) { - return 1; - } - return OPENSSL_memcmp(a->data, b->data, a->length); + return OBJ_cmp(key, get_builtin_object(nid)); } int OBJ_obj2nid(const ASN1_OBJECT *obj) { 
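Review bot: In OBJ_dup the failure test `if (o->length != 0 && r->data == NULL)` is the only hint that OPENSSL_memdup apparently returns NULL for a zero-length input; the retained comment `// once data is attached to an object, it remains const` does not explain it, so a reader may "simplify" the guard to `r->data == NULL` and break duplication of empty objects. If that is indeed memdup's contract, I would add `// |OPENSSL_memdup| returns NULL for a zero-length input, so NULL is only a failure when there was data to copy.` above the check. OBJ_dup's body starts and ends outside this hunk. The new three-way OBJ_cmp in the following hunk is a genuine improvement over the old `a->length - b->length` subtraction, which could overflow for large lengths.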
@@ -213,17 +203,17 @@ int OBJ_obj2nid(const ASN1_OBJECT *obj) { return obj->nid; } - CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock); + CRYPTO_MUTEX_lock_read(&global_added_lock); if (global_added_by_data != NULL) { ASN1_OBJECT *match; match = lh_ASN1_OBJECT_retrieve(global_added_by_data, obj); if (match != NULL) { - CRYPTO_STATIC_MUTEX_unlock_read(&global_added_lock); + CRYPTO_MUTEX_unlock_read(&global_added_lock); return match->nid; } } - CRYPTO_STATIC_MUTEX_unlock_read(&global_added_lock); + CRYPTO_MUTEX_unlock_read(&global_added_lock); const uint16_t *nid_ptr = bsearch(obj, kNIDsInOIDOrder, OPENSSL_ARRAY_SIZE(kNIDsInOIDOrder), @@ -232,7 +222,7 @@ int OBJ_obj2nid(const ASN1_OBJECT *obj) { return NID_undef; } - return kObjects[*nid_ptr].nid; + return get_builtin_object(*nid_ptr)->nid; } int OBJ_cbs2nid(const CBS *cbs) { @@ -255,22 +245,22 @@ static int short_name_cmp(const void *key, const void *element) { const char *name = (const char *)key; uint16_t nid = *((const uint16_t *)element); - return strcmp(name, kObjects[nid].sn); + return strcmp(name, get_builtin_object(nid)->sn); } int OBJ_sn2nid(const char *short_name) { - CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock); + CRYPTO_MUTEX_lock_read(&global_added_lock); if (global_added_by_short_name != NULL) { ASN1_OBJECT *match, template; template.sn = short_name; match = lh_ASN1_OBJECT_retrieve(global_added_by_short_name, &template); if (match != NULL) { - CRYPTO_STATIC_MUTEX_unlock_read(&global_added_lock); + CRYPTO_MUTEX_unlock_read(&global_added_lock); return match->nid; } } - CRYPTO_STATIC_MUTEX_unlock_read(&global_added_lock); + CRYPTO_MUTEX_unlock_read(&global_added_lock); const uint16_t *nid_ptr = bsearch(short_name, kNIDsInShortNameOrder, @@ -280,7 +270,7 @@ int OBJ_sn2nid(const char *short_name) { return NID_undef; } - return kObjects[*nid_ptr].nid; + return get_builtin_object(*nid_ptr)->nid; } // long_name_cmp is called to search the kNIDsInLongNameOrder array. The 
@@ -290,22 +280,22 @@ static int long_name_cmp(const void *key, const void *element) { const char *name = (const char *)key; uint16_t nid = *((const uint16_t *)element); - return strcmp(name, kObjects[nid].ln); + return strcmp(name, get_builtin_object(nid)->ln); } int OBJ_ln2nid(const char *long_name) { - CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock); + CRYPTO_MUTEX_lock_read(&global_added_lock); if (global_added_by_long_name != NULL) { ASN1_OBJECT *match, template; template.ln = long_name; match = lh_ASN1_OBJECT_retrieve(global_added_by_long_name, &template); if (match != NULL) { - CRYPTO_STATIC_MUTEX_unlock_read(&global_added_lock); + CRYPTO_MUTEX_unlock_read(&global_added_lock); return match->nid; } } - CRYPTO_STATIC_MUTEX_unlock_read(&global_added_lock); + CRYPTO_MUTEX_unlock_read(&global_added_lock); const uint16_t *nid_ptr = bsearch( long_name, kNIDsInLongNameOrder, OPENSSL_ARRAY_SIZE(kNIDsInLongNameOrder), @@ -314,7 +304,7 @@ int OBJ_ln2nid(const char *long_name) { return NID_undef; } - return kObjects[*nid_ptr].nid; + return get_builtin_object(*nid_ptr)->nid; } int OBJ_txt2nid(const char *s) { 
@@ -341,26 +331,43 @@ OPENSSL_EXPORT int OBJ_nid2cbb(CBB *out, int nid) { return 1; } +const ASN1_OBJECT *OBJ_get_undef(void) { + static const ASN1_OBJECT kUndef = { + /*sn=*/SN_undef, + /*ln=*/LN_undef, + /*nid=*/NID_undef, + /*length=*/0, + /*data=*/NULL, + /*flags=*/0, + }; + return &kUndef; +} + ASN1_OBJECT *OBJ_nid2obj(int nid) { - if (nid >= 0 && nid < NUM_NID) { - if (nid != NID_undef && kObjects[nid].nid == NID_undef) { + if (nid == NID_undef) { + return (ASN1_OBJECT *)OBJ_get_undef(); + } + + if (nid > 0 && nid < NUM_NID) { + const ASN1_OBJECT *obj = get_builtin_object(nid); + if (nid != NID_undef && obj->nid == NID_undef) { goto err; } - return (ASN1_OBJECT *)&kObjects[nid]; + return (ASN1_OBJECT *)obj; } - CRYPTO_STATIC_MUTEX_lock_read(&global_added_lock); + CRYPTO_MUTEX_lock_read(&global_added_lock); if (global_added_by_nid != NULL) { ASN1_OBJECT *match, template; template.nid = nid; match = lh_ASN1_OBJECT_retrieve(global_added_by_nid, &template); if (match != NULL) { - CRYPTO_STATIC_MUTEX_unlock_read(&global_added_lock); + CRYPTO_MUTEX_unlock_read(&global_added_lock); return match; } } - CRYPTO_STATIC_MUTEX_unlock_read(&global_added_lock); + CRYPTO_MUTEX_unlock_read(&global_added_lock); err: OPENSSL_PUT_ERROR(OBJ, OBJ_R_UNKNOWN_NID); @@ -478,14 +485,6 @@ static uint32_t hash_data(const ASN1_OBJECT *obj) { return OPENSSL_hash32(obj->data, obj->length); } -static int cmp_data(const ASN1_OBJECT *a, const ASN1_OBJECT *b) { - int i = a->length - b->length; - if (i) { - return i; - } - return OPENSSL_memcmp(a->data, b->data, a->length); -} - static uint32_t hash_short_name(const ASN1_OBJECT *obj) { return OPENSSL_strhash(obj->sn); } 
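Review bot: In OBJ_nid2obj the condition `if (nid != NID_undef && obj->nid == NID_undef)` keeps a test that is now redundant: `nid == NID_undef` returns early a few lines above and `get_builtin_object` already requires `nid > 0`, so `nid != NID_undef` is always true there. It should read `if (obj->nid == NID_undef) { goto err; }`. Separately, `return (ASN1_OBJECT *)OBJ_get_undef();` casts away const on a static object, as the existing kObjects path does; a comment such as `// Built-in objects are immutable; callers must never write through this pointer.` would make that invariant explicit for both returns.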
@@ -508,12 +507,12 @@ static int obj_add_object(ASN1_OBJECT *obj) { obj->flags &= ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | ASN1_OBJECT_FLAG_DYNAMIC_DATA); - CRYPTO_STATIC_MUTEX_lock_write(&global_added_lock); + CRYPTO_MUTEX_lock_write(&global_added_lock); if (global_added_by_nid == NULL) { global_added_by_nid = lh_ASN1_OBJECT_new(hash_nid, cmp_nid); } if (global_added_by_data == NULL) { - global_added_by_data = lh_ASN1_OBJECT_new(hash_data, cmp_data); + global_added_by_data = lh_ASN1_OBJECT_new(hash_data, OBJ_cmp); } if (global_added_by_short_name == NULL) { global_added_by_short_name = @@ -548,7 +547,7 @@ static int obj_add_object(ASN1_OBJECT *obj) { } err: - CRYPTO_STATIC_MUTEX_unlock_write(&global_added_lock); + CRYPTO_MUTEX_unlock_write(&global_added_lock); return ok; } diff --git a/Sources/CJWTKitBoringSSL/crypto/obj/obj_dat.h b/Sources/CJWTKitBoringSSL/crypto/obj/obj_dat.h index 654b3c08..71ef2d2b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/obj/obj_dat.h +++ b/Sources/CJWTKitBoringSSL/crypto/obj/obj_dat.h @@ -7140,7 +7140,6 @@ static const uint8_t kObjectData[] = { }; static const ASN1_OBJECT kObjects[NUM_NID] = { - {"UNDEF", "undefined", NID_undef, 0, NULL, 0}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &kObjectData[0], 0}, {"pkcs", "RSA Data Security, Inc. PKCS", NID_pkcs, 7, &kObjectData[6], 0}, {"MD2", "md2", NID_md2, 8, &kObjectData[13], 0}, @@ -8980,7 +8979,6 @@ static const uint16_t kNIDsInShortNameOrder[] = { 16 /* ST */, 143 /* SXNetID */, 458 /* UID */, - 0 /* UNDEF */, 948 /* X25519 */, 964 /* X25519Kyber768Draft00 */, 961 /* X448 */, @@ -10670,7 +10668,6 @@ static const uint16_t kNIDsInLongNameOrder[] = { 106 /* title */, 682 /* tpBasis */, 436 /* ucl */, - 0 /* undefined */, 888 /* uniqueMember */, 55 /* unstructuredAddress */, 49 /* unstructuredName */, diff --git a/Sources/CJWTKitBoringSSL/crypto/pem/pem_info.c b/Sources/CJWTKitBoringSSL/crypto/pem/pem_info.c index ff203531..509bb72c 100644 
--- a/Sources/CJWTKitBoringSSL/crypto/pem/pem_info.c +++ b/Sources/CJWTKitBoringSSL/crypto/pem/pem_info.c @@ -69,6 +69,37 @@ #include #include + +static X509_PKEY *X509_PKEY_new(void) { + return OPENSSL_zalloc(sizeof(X509_PKEY)); +} + +static void X509_PKEY_free(X509_PKEY *x) { + if (x == NULL) { + return; + } + + EVP_PKEY_free(x->dec_pkey); + OPENSSL_free(x); +} + +static X509_INFO *X509_INFO_new(void) { + return OPENSSL_zalloc(sizeof(X509_INFO)); +} + +void X509_INFO_free(X509_INFO *x) { + if (x == NULL) { + return; + } + + X509_free(x->x509); + X509_CRL_free(x->crl); + X509_PKEY_free(x->x_pkey); + OPENSSL_free(x->enc_data); + OPENSSL_free(x); +} + + STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u) { BIO *b = BIO_new_fp(fp, BIO_NOCLOSE); diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7_x509.c b/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7_x509.c index e3113223..25102ded 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7_x509.c +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7_x509.c @@ -237,11 +237,10 @@ int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) { } static PKCS7 *pkcs7_new(CBS *cbs) { - PKCS7 *ret = OPENSSL_malloc(sizeof(PKCS7)); + PKCS7 *ret = OPENSSL_zalloc(sizeof(PKCS7)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(PKCS7)); ret->type = OBJ_nid2obj(NID_pkcs7_signed); ret->d.sign = OPENSSL_malloc(sizeof(PKCS7_SIGNED)); if (ret->d.sign == NULL) { @@ -326,11 +325,10 @@ int i2d_PKCS7(const PKCS7 *p7, uint8_t **out) { } if (*out == NULL) { - *out = OPENSSL_malloc(p7->ber_len); + *out = OPENSSL_memdup(p7->ber_bytes, p7->ber_len); if (*out == NULL) { return -1; } - OPENSSL_memcpy(*out, p7->ber_bytes, p7->ber_len); } else { OPENSSL_memcpy(*out, p7->ber_bytes, p7->ber_len); *out += p7->ber_len; diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs8/internal.h b/Sources/CJWTKitBoringSSL/crypto/pkcs8/internal.h index 49a28943..ec8d6f4f 100644 
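Review bot: X509_INFO_free is the only non-static function in this block of new helpers, yet it has no comment stating that it releases every member (`x509`, `crl`, `x_pkey` and the `enc_data` buffer) and relies on `X509_free`, `X509_CRL_free` and `EVP_PKEY_free` accepting NULL, which is why `X509_INFO_new`/`X509_PKEY_new` must zero-allocate. I would add `// X509_INFO_free releases |x| and every object it owns; |x| may be NULL.` above it, and a similar one-liner on X509_PKEY_free.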
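Review bot: In i2d_PKCS7 the `*out == NULL` branch now reports failure whenever `OPENSSL_memdup(p7->ber_bytes, p7->ber_len)` returns NULL, whereas the removed `OPENSSL_malloc`/`OPENSSL_memcpy` pair would have succeeded for `ber_len == 0` if OPENSSL_malloc(0) returns a non-NULL pointer; the `o->length != 0 &&` guard in OBJ_dup elsewhere in this commit suggests memdup does return NULL for zero-length input. If a zero-length `ber_len` is reachable, this is a behaviour change; if it is not, a comment saying so would prevent the next reader from re-adding the guard. The same pattern appears in d2i_PKCS12 and i2d_PKCS12 in pkcs8_x509.c. i2d_PKCS7's body begins outside this hunk.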
--- a/Sources/CJWTKitBoringSSL/crypto/pkcs8/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs8/internal.h @@ -87,13 +87,13 @@ int pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm, // key material to |out| and returns one. Otherwise, it returns zero. |id| // should be one of the |PKCS12_*_ID| values. int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt, - size_t salt_len, uint8_t id, unsigned iterations, + size_t salt_len, uint8_t id, uint32_t iterations, size_t out_len, uint8_t *out, const EVP_MD *md); // pkcs12_pbe_encrypt_init configures |ctx| for encrypting with a PBES1 scheme // defined in PKCS#12. It writes the corresponding AlgorithmIdentifier to |out|. int pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg, - unsigned iterations, const char *pass, + uint32_t iterations, const char *pass, size_t pass_len, const uint8_t *salt, size_t salt_len); @@ -121,7 +121,7 @@ int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx, // as defined in RFC 2998, with the specified parameters. It writes the // corresponding AlgorithmIdentifier to |out|. int PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, - const EVP_CIPHER *cipher, unsigned iterations, + const EVP_CIPHER *cipher, uint32_t iterations, const char *pass, size_t pass_len, const uint8_t *salt, size_t salt_len); diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs8/p5_pbev2.c b/Sources/CJWTKitBoringSSL/crypto/pkcs8/p5_pbev2.c index 7537bc15..b25ba94e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs8/p5_pbev2.c +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs8/p5_pbev2.c @@ -144,7 +144,7 @@ static int add_cipher_oid(CBB *out, int nid) { } static int pkcs5_pbe2_cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - const EVP_MD *pbkdf2_md, unsigned iterations, + const EVP_MD *pbkdf2_md, uint32_t iterations, const char *pass, size_t pass_len, const uint8_t *salt, size_t salt_len, const uint8_t *iv, size_t iv_len, int enc) { 
@@ -162,7 +162,7 @@ static int pkcs5_pbe2_cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, } int PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, - const EVP_CIPHER *cipher, unsigned iterations, + const EVP_CIPHER *cipher, uint32_t iterations, const char *pass, size_t pass_len, const uint8_t *salt, size_t salt_len) { int cipher_nid = EVP_CIPHER_nid(cipher); @@ -310,7 +310,7 @@ int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx, return 0; } - return pkcs5_pbe2_cipher_init(ctx, cipher, md, (unsigned)iterations, pass, + return pkcs5_pbe2_cipher_init(ctx, cipher, md, (uint32_t)iterations, pass, pass_len, CBS_data(&salt), CBS_len(&salt), CBS_data(&iv), CBS_len(&iv), 0 /* decrypt */); } diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c b/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c index 04c9e458..4c577643 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c @@ -85,15 +85,15 @@ static int pkcs12_encode_password(const char *in, size_t in_len, uint8_t **out, CBS_init(&cbs, (const uint8_t *)in, in_len); while (CBS_len(&cbs) != 0) { uint32_t c; - if (!cbs_get_utf8(&cbs, &c) || - !cbb_add_ucs2_be(&cbb, c)) { + if (!CBS_get_utf8(&cbs, &c) || + !CBB_add_ucs2_be(&cbb, c)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS); goto err; } } // Terminate the result with a UCS-2 NUL. - if (!cbb_add_ucs2_be(&cbb, 0) || + if (!CBB_add_ucs2_be(&cbb, 0) || !CBB_finish(&cbb, out, out_len)) { goto err; } @@ -106,7 +106,7 @@ static int pkcs12_encode_password(const char *in, size_t in_len, uint8_t **out, } int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt, - size_t salt_len, uint8_t id, unsigned iterations, + size_t salt_len, uint8_t id, uint32_t iterations, size_t out_len, uint8_t *out, const EVP_MD *md) { // See https://tools.ietf.org/html/rfc7292#appendix-B. Quoted parts of the // specification have errata applied and other typos fixed. 
@@ -182,7 +182,7 @@ int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt, !EVP_DigestFinal_ex(&ctx, A, &A_len)) { goto err; } - for (unsigned iter = 1; iter < iterations; iter++) { + for (uint32_t iter = 1; iter < iterations; iter++) { if (!EVP_DigestInit_ex(&ctx, md, NULL) || !EVP_DigestUpdate(&ctx, A, A_len) || !EVP_DigestFinal_ex(&ctx, A, &A_len)) { @@ -229,7 +229,7 @@ int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt, } static int pkcs12_pbe_cipher_init(const struct pbe_suite *suite, - EVP_CIPHER_CTX *ctx, unsigned iterations, + EVP_CIPHER_CTX *ctx, uint32_t iterations, const char *pass, size_t pass_len, const uint8_t *salt, size_t salt_len, int is_encrypt) { @@ -271,7 +271,7 @@ static int pkcs12_pbe_decrypt_init(const struct pbe_suite *suite, return 0; } - return pkcs12_pbe_cipher_init(suite, ctx, (unsigned)iterations, pass, + return pkcs12_pbe_cipher_init(suite, ctx, (uint32_t)iterations, pass, pass_len, CBS_data(&salt), CBS_len(&salt), 0 /* decrypt */); } @@ -329,7 +329,7 @@ static const struct pbe_suite *get_pkcs12_pbe_suite(int pbe_nid) { } int pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg, - unsigned iterations, const char *pass, + uint32_t iterations, const char *pass, size_t pass_len, const uint8_t *salt, size_t salt_len) { const struct pbe_suite *suite = get_pkcs12_pbe_suite(alg); @@ -489,10 +489,10 @@ int PKCS8_marshal_encrypted_private_key(CBB *out, int pbe_nid, // it. See 5693a30813a031d3921a016a870420e7eb93ec90 in OpenSSL. int alg_ok; if (pbe_nid == -1) { - alg_ok = PKCS5_pbe2_encrypt_init(&epki, &ctx, cipher, (unsigned)iterations, + alg_ok = PKCS5_pbe2_encrypt_init(&epki, &ctx, cipher, (uint32_t)iterations, pass, pass_len, salt, salt_len); } else { - alg_ok = pkcs12_pbe_encrypt_init(&epki, &ctx, pbe_nid, (unsigned)iterations, + alg_ok = pkcs12_pbe_encrypt_init(&epki, &ctx, pbe_nid, (uint32_t)iterations, pass, pass_len, salt, salt_len); } if (!alg_ok) { 
diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8_x509.c b/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8_x509.c index e7109162..e169e23d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8_x509.c +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8_x509.c @@ -70,9 +70,10 @@ #include #include -#include "internal.h" #include "../bytestring/internal.h" #include "../internal.h" +#include "../x509/internal.h" +#include "internal.h" int pkcs12_iterations_acceptable(uint64_t iterations) { @@ -87,6 +88,7 @@ int pkcs12_iterations_acceptable(uint64_t iterations) { static const uint64_t kIterationsLimit = 100 * 1000000; #endif + assert(kIterationsLimit <= UINT32_MAX); return 0 < iterations && iterations <= kIterationsLimit; } @@ -338,8 +340,8 @@ static int parse_bag_attributes(CBS *attrs, uint8_t **out_friendly_name, } while (CBS_len(&value) != 0) { uint32_t c; - if (!cbs_get_ucs2_be(&value, &c) || - !cbb_add_utf8(&cbb, c)) { + if (!CBS_get_ucs2_be(&value, &c) || + !CBB_add_utf8(&cbb, c)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS); CBB_cleanup(&cbb); goto err; @@ -554,7 +556,7 @@ static int PKCS12_handle_content_info(CBS *content_info, static int pkcs12_check_mac(int *out_mac_ok, const char *password, size_t password_len, const CBS *salt, - unsigned iterations, const EVP_MD *md, + uint32_t iterations, const EVP_MD *md, const CBS *authsafes, const CBS *expected_mac) { int ret = 0; uint8_t hmac_key[EVP_MAX_MD_SIZE]; 
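Review bot: The added `assert(kIterationsLimit <= UINT32_MAX);` in pkcs12_iterations_acceptable is a compile-time fact checked at run time, and it disappears under NDEBUG, so it does not explain to a reader why the `(uint32_t)` narrowing that callers such as PKCS12_get_key_and_certs now perform is safe. Since `kIterationsLimit` is a `static const uint64_t` rather than a constant expression, a static assert is not available in C, which is presumably why a runtime assert was chosen; that reasoning belongs in a comment: `// kIterationsLimit is not a constant expression, so this cannot be a static assert; it records that any accepted count fits the uint32_t callers narrow to.`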
@@ -676,13 +678,15 @@ int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs, } // The iteration count is optional and the default is one. - uint64_t iterations = 1; + uint32_t iterations = 1; if (CBS_len(&mac_data) > 0) { - if (!CBS_get_asn1_uint64(&mac_data, &iterations) || - !pkcs12_iterations_acceptable(iterations)) { + uint64_t iterations_u64; + if (!CBS_get_asn1_uint64(&mac_data, &iterations_u64) || + !pkcs12_iterations_acceptable(iterations_u64)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); goto err; } + iterations = (uint32_t)iterations_u64; } int mac_ok; @@ -738,26 +742,22 @@ struct pkcs12_st { PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) { - PKCS12 *p12; - - p12 = OPENSSL_malloc(sizeof(PKCS12)); + PKCS12 *p12 = OPENSSL_malloc(sizeof(PKCS12)); if (!p12) { return NULL; } - p12->ber_bytes = OPENSSL_malloc(ber_len); + p12->ber_bytes = OPENSSL_memdup(*ber_bytes, ber_len); if (!p12->ber_bytes) { OPENSSL_free(p12); return NULL; } - OPENSSL_memcpy(p12->ber_bytes, *ber_bytes, ber_len); p12->ber_len = ber_len; *ber_bytes += ber_len; if (out_p12) { PKCS12_free(*out_p12); - *out_p12 = p12; } @@ -840,11 +840,10 @@ int i2d_PKCS12(const PKCS12 *p12, uint8_t **out) { } if (*out == NULL) { - *out = OPENSSL_malloc(p12->ber_len); + *out = OPENSSL_memdup(p12->ber_bytes, p12->ber_len); if (*out == NULL) { return -1; } - OPENSSL_memcpy(*out, p12->ber_bytes, p12->ber_len); } else { OPENSSL_memcpy(*out, p12->ber_bytes, p12->ber_len); *out += p12->ber_len; @@ -969,8 +968,8 @@ static int add_bag_attributes(CBB *bag, const char *name, size_t name_len, CBS_init(&name_cbs, (const uint8_t *)name, name_len); while (CBS_len(&name_cbs) != 0) { uint32_t c; - if (!cbs_get_utf8(&name_cbs, &c) || - !cbb_add_ucs2_be(&value, c)) { + if (!CBS_get_utf8(&name_cbs, &c) || + !CBB_add_ucs2_be(&value, c)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS); return 0; } 
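Review bot: The narrowing `iterations = (uint32_t)iterations_u64;` in PKCS12_get_key_and_certs is only sound because `pkcs12_iterations_acceptable` bounds the value first, and that dependency is implicit; a comment keeps a future reordering from silently truncating an attacker-chosen iteration count. I would write `// Safe to narrow: pkcs12_iterations_acceptable rejected anything above kIterationsLimit, which fits in uint32_t.` above the assignment. PKCS12_get_key_and_certs's body starts and ends outside this hunk.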
@@ -1056,7 +1055,7 @@ static int add_cert_safe_contents(CBB *cbb, X509 *cert, } static int add_encrypted_data(CBB *out, int pbe_nid, const char *password, - size_t password_len, unsigned iterations, + size_t password_len, uint32_t iterations, const uint8_t *in, size_t in_len) { uint8_t salt[PKCS5_SALT_LEN]; if (!RAND_bytes(salt, sizeof(salt))) { diff --git a/Sources/CJWTKitBoringSSL/crypto/poly1305/poly1305_arm_asm.S b/Sources/CJWTKitBoringSSL/crypto/poly1305/poly1305_arm_asm.S index 5a677ef7..91aea50f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/poly1305/poly1305_arm_asm.S +++ b/Sources/CJWTKitBoringSSL/crypto/poly1305/poly1305_arm_asm.S @@ -1,16 +1,8 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__arm__) && defined(__linux__) -#if defined(__has_feature) -#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) -#define OPENSSL_NO_ASM -#endif -#endif - -#if defined(__ARMEL__) && !defined(OPENSSL_NO_ASM) && defined(__ELF__) +#include -#if defined(BORINGSSL_PREFIX) -#include -#endif +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__) # This implementation was taken from the public domain, neon2 version in # SUPERCOP by D. J. Bernstein and Peter Schwabe. @@ -2024,11 +2016,7 @@ vst1.8 d4,[r0,: 64] add sp,sp,#0 bx lr -#endif /* __ARMEL__ && !OPENSSL_NO_ASM && __ELF__ */ - -#if defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif +#endif /* !OPENSSL_NO_ASM && OPENSSL_ARM && __ELF__ */ #endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/pool/internal.h b/Sources/CJWTKitBoringSSL/crypto/pool/internal.h index bf632e0f..115fc235 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pool/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/pool/internal.h @@ -18,6 +18,7 @@ #include #include +#include "../internal.h" #include "../lhash/internal.h" 
diff --git a/Sources/CJWTKitBoringSSL/crypto/pool/pool.c b/Sources/CJWTKitBoringSSL/crypto/pool/pool.c index e0348a79..42f3f3dd 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pool/pool.c +++ b/Sources/CJWTKitBoringSSL/crypto/pool/pool.c @@ -42,12 +42,11 @@ static int CRYPTO_BUFFER_cmp(const CRYPTO_BUFFER *a, const CRYPTO_BUFFER *b) { } CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void) { - CRYPTO_BUFFER_POOL *pool = OPENSSL_malloc(sizeof(CRYPTO_BUFFER_POOL)); + CRYPTO_BUFFER_POOL *pool = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER_POOL)); if (pool == NULL) { return NULL; } - OPENSSL_memset(pool, 0, sizeof(CRYPTO_BUFFER_POOL)); pool->bufs = lh_CRYPTO_BUFFER_new(CRYPTO_BUFFER_hash, CRYPTO_BUFFER_cmp); if (pool->bufs == NULL) { OPENSSL_free(pool); @@ -109,11 +108,10 @@ static CRYPTO_BUFFER *crypto_buffer_new(const uint8_t *data, size_t len, } } - CRYPTO_BUFFER *const buf = OPENSSL_malloc(sizeof(CRYPTO_BUFFER)); + CRYPTO_BUFFER *const buf = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER)); if (buf == NULL) { return NULL; } - OPENSSL_memset(buf, 0, sizeof(CRYPTO_BUFFER)); if (data_is_static) { buf->data = (uint8_t *)data; @@ -170,11 +168,10 @@ CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len, } CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data, size_t len) { - CRYPTO_BUFFER *const buf = OPENSSL_malloc(sizeof(CRYPTO_BUFFER)); + CRYPTO_BUFFER *const buf = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER)); if (buf == NULL) { return NULL; } - OPENSSL_memset(buf, 0, sizeof(CRYPTO_BUFFER)); buf->data = OPENSSL_malloc(len); if (len != 0 && buf->data == NULL) { diff --git a/Sources/CJWTKitBoringSSL/crypto/rand_extra/deterministic.c b/Sources/CJWTKitBoringSSL/crypto/rand_extra/deterministic.c index a64af386..8a256dc4 100644 --- a/Sources/CJWTKitBoringSSL/crypto/rand_extra/deterministic.c +++ b/Sources/CJWTKitBoringSSL/crypto/rand_extra/deterministic.c 
@@ -14,14 +14,15 @@ #include -#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) +#include "../fipsmodule/rand/internal.h" + +#if defined(OPENSSL_RAND_DETERMINISTIC) #include #include #include "../internal.h" -#include "../fipsmodule/rand/internal.h" // g_num_calls is the number of calls to |CRYPTO_sysrand| that have occurred. @@ -30,16 +31,16 @@ // multi-threaded program, replace this with a thread-local. (A mutex would not // be deterministic.) static uint64_t g_num_calls = 0; -static struct CRYPTO_STATIC_MUTEX g_num_calls_lock = CRYPTO_STATIC_MUTEX_INIT; +static CRYPTO_MUTEX g_num_calls_lock = CRYPTO_MUTEX_INIT; void RAND_reset_for_fuzzing(void) { g_num_calls = 0; } void CRYPTO_sysrand(uint8_t *out, size_t requested) { static const uint8_t kZeroKey[32]; - CRYPTO_STATIC_MUTEX_lock_write(&g_num_calls_lock); + CRYPTO_MUTEX_lock_write(&g_num_calls_lock); uint64_t num_calls = g_num_calls++; - CRYPTO_STATIC_MUTEX_unlock_write(&g_num_calls_lock); + CRYPTO_MUTEX_unlock_write(&g_num_calls_lock); uint8_t nonce[12]; OPENSSL_memset(nonce, 0, sizeof(nonce)); @@ -53,4 +54,4 @@ void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { CRYPTO_sysrand(out, requested); } -#endif // BORINGSSL_UNSAFE_DETERMINISTIC_MODE +#endif // OPENSSL_RAND_DETERMINISTIC diff --git a/Sources/CJWTKitBoringSSL/crypto/rand_extra/forkunsafe.c b/Sources/CJWTKitBoringSSL/crypto/rand_extra/forkunsafe.c index f3efb9c1..8c0e4efb 100644 --- a/Sources/CJWTKitBoringSSL/crypto/rand_extra/forkunsafe.c +++ b/Sources/CJWTKitBoringSSL/crypto/rand_extra/forkunsafe.c @@ -33,6 +33,10 @@ void RAND_enable_fork_unsafe_buffering(int fd) { CRYPTO_atomic_store_u32(&g_buffering_enabled, 1); } + +void RAND_disable_fork_unsafe_buffering(void) { + CRYPTO_atomic_store_u32(&g_buffering_enabled, 0); +} #endif int rand_fork_unsafe_buffering_enabled(void) { diff --git a/Sources/CJWTKitBoringSSL/crypto/rand_extra/getentropy.c b/Sources/CJWTKitBoringSSL/crypto/rand_extra/getentropy.c new file mode 100644 index 00000000..7785515f 
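Review bot: RAND_disable_fork_unsafe_buffering in forkunsafe.c is a new public function with no comment, unlike the enable side it mirrors, and its effect on bytes already buffered by the fork-unsafe path is not visible here. The comment should state what callers can rely on after the call, for example `// RAND_disable_fork_unsafe_buffering turns off fork-unsafe buffering for subsequent draws.`, plus a sentence (once confirmed against the rand implementation) saying whether previously buffered output is discarded. The atomic store itself matches the enable path and needs no change.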
--- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/rand_extra/getentropy.c @@ -0,0 +1,52 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#if !defined(_DEFAULT_SOURCE) +#define _DEFAULT_SOURCE // Needed for getentropy on musl and glibc +#endif + +#include + +#include "../fipsmodule/rand/internal.h" + +#if defined(OPENSSL_RAND_GETENTROPY) + +#include +#include +#include + +#if defined(OPENSSL_MACOS) || defined(OPENSSL_FUCHSIA) +#include +#endif + +// CRYPTO_sysrand puts |requested| random bytes into |out|. +void CRYPTO_sysrand(uint8_t *out, size_t requested) { + while (requested > 0) { + // |getentropy| can only request 256 bytes at a time. + size_t todo = requested <= 256 ? requested : 256; + if (getentropy(out, todo) != 0) { + perror("getentropy() failed"); + abort(); + } + + out += todo; + requested -= todo; + } +} + +void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { + CRYPTO_sysrand(out, requested); +} + +#endif // OPENSSL_RAND_GETENTROPY 
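Review bot: CRYPTO_sysrand in the new getentropy.c aborts the process when `getentropy` fails, which is the right policy for an entropy source but is undocumented, and `CRYPTO_sysrand_for_seed` has no comment at all. I would add `// Failure means the OS cannot supply entropy; aborting is preferable to continuing with unset or weak bytes.` above the `perror`/`abort` pair, and `// CRYPTO_sysrand_for_seed draws seed material from the same source as CRYPTO_sysrand.` on the second function. The 256-byte chunking in the loop correctly respects getentropy's documented per-call maximum, and the `_DEFAULT_SOURCE` define is correctly placed before any system header.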
diff --git a/Sources/CJWTKitBoringSSL/crypto/rand_extra/fuchsia.c b/Sources/CJWTKitBoringSSL/crypto/rand_extra/ios.c similarity index 79% rename from Sources/CJWTKitBoringSSL/crypto/rand_extra/fuchsia.c rename to Sources/CJWTKitBoringSSL/crypto/rand_extra/ios.c index 29fbec72..9d1a3ee4 100644 --- a/Sources/CJWTKitBoringSSL/crypto/rand_extra/fuchsia.c +++ b/Sources/CJWTKitBoringSSL/crypto/rand_extra/ios.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2017, Google Inc. +/* Copyright (c) 2023, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,21 +14,21 @@ #include -#if defined(OPENSSL_FUCHSIA) && !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) +#include "../fipsmodule/rand/internal.h" -#include +#if defined(OPENSSL_RAND_IOS) #include -#include - -#include "../fipsmodule/rand/internal.h" +#include void CRYPTO_sysrand(uint8_t *out, size_t requested) { - zx_cprng_draw(out, requested); + if (CCRandomGenerateBytes(out, requested) != kCCSuccess) { + abort(); + } } void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { CRYPTO_sysrand(out, requested); } -#endif // OPENSSL_FUCHSIA && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE +#endif // OPENSSL_RAND_IOS diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_arm_openbsd.c b/Sources/CJWTKitBoringSSL/crypto/rand_extra/trusty.c similarity index 61% rename from Sources/CJWTKitBoringSSL/crypto/cpu_arm_openbsd.c rename to Sources/CJWTKitBoringSSL/crypto/rand_extra/trusty.c index 8828d56b..7610e22d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cpu_arm_openbsd.c +++ b/Sources/CJWTKitBoringSSL/crypto/rand_extra/trusty.c 
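Review bot: CRYPTO_sysrand in ios.c aborts with no diagnostic when `CCRandomGenerateBytes` returns anything other than `kCCSuccess`, whereas the getentropy.c variant added in this same commit calls `perror` first; the Trusty variant in trusty.c also aborts silently. A silent abort in an entropy source is hard to diagnose from a crash log alone, so I would either add a short comment stating that abort is deliberate, for example `// No recovery is possible without entropy; abort rather than return unset bytes.`, or emit a one-line message before `abort()` for consistency with getentropy.c.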
@@ -12,20 +12,27 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include "internal.h" +#include -#if defined(OPENSSL_ARM) && defined(OPENSSL_OPENBSD) && \ - !defined(OPENSSL_STATIC_ARMCAP) +#include "../fipsmodule/rand/internal.h" -#include +#if defined(OPENSSL_RAND_TRUSTY) +#include +#include -extern uint32_t OPENSSL_armcap_P; +#include +#include -void OPENSSL_cpuid_setup(void) { - // OpenBSD does not support arm32 machines without NEON - OPENSSL_armcap_P |= ARMV7_NEON; +#include - // OpenBSD does not support v8 features on non aarch64 +void CRYPTO_sysrand(uint8_t *out, size_t requested) { + if (trusty_rng_hw_rand(out, requested) != NO_ERROR) { + abort(); + } } -#endif // OPENSSL_ARM && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP +void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { + CRYPTO_sysrand(out, requested); +} + +#endif // OPENSSL_RAND_TRUSTY diff --git a/Sources/CJWTKitBoringSSL/crypto/rand_extra/windows.c b/Sources/CJWTKitBoringSSL/crypto/rand_extra/windows.c index 620437bf..aa39a129 100644 --- a/Sources/CJWTKitBoringSSL/crypto/rand_extra/windows.c +++ b/Sources/CJWTKitBoringSSL/crypto/rand_extra/windows.c @@ -14,7 +14,9 @@ #include -#if defined(OPENSSL_WINDOWS) && !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) +#include "../fipsmodule/rand/internal.h" + +#if defined(OPENSSL_RAND_WINDOWS) #include #include 
@@ -27,19 +29,14 @@ OPENSSL_MSVC_PRAGMA(warning(push, 3)) !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) #include OPENSSL_MSVC_PRAGMA(comment(lib, "bcrypt.lib")) -#else -// #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036. See the -// "Community Additions" comment on MSDN here: -// http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx -#define SystemFunction036 NTAPI SystemFunction036 -#include -#undef SystemFunction036 #endif // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP OPENSSL_MSVC_PRAGMA(warning(pop)) -#include "../fipsmodule/rand/internal.h" +#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) && \ + !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) +void CRYPTO_init_sysrand(void) {} void CRYPTO_sysrand(uint8_t *out, size_t requested) { while (requested > 0) { 
@@ -47,27 +44,52 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) { if (requested < output_bytes_this_pass) { output_bytes_this_pass = (ULONG)requested; } - // On non-UWP configurations, use RtlGenRandom instead of BCryptGenRandom - // to avoid accessing resources that may be unavailable inside the - // Chromium sandbox. See https://crbug.com/boringssl/307 -#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) && \ - !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) if (!BCRYPT_SUCCESS(BCryptGenRandom( /*hAlgorithm=*/NULL, out, output_bytes_this_pass, BCRYPT_USE_SYSTEM_PREFERRED_RNG))) { -#else - if (RtlGenRandom(out, output_bytes_this_pass) == FALSE) { -#endif // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP abort(); } requested -= output_bytes_this_pass; out += output_bytes_this_pass; } - return; } +#else + +// See: https://learn.microsoft.com/en-us/windows/win32/seccng/processprng +typedef BOOL (WINAPI *ProcessPrngFunction)(PBYTE pbData, SIZE_T cbData); +static ProcessPrngFunction g_processprng_fn = NULL; + +static void init_processprng(void) { + HMODULE hmod = LoadLibraryW(L"bcryptprimitives"); + if (hmod == NULL) { + abort(); + } + g_processprng_fn = (ProcessPrngFunction)GetProcAddress(hmod, "ProcessPrng"); + if (g_processprng_fn == NULL) { + abort(); + } +} + +void CRYPTO_init_sysrand(void) { + static CRYPTO_once_t once = CRYPTO_ONCE_INIT; + CRYPTO_once(&once, init_processprng); +} + +void CRYPTO_sysrand(uint8_t *out, size_t requested) { + CRYPTO_init_sysrand(); + // On non-UWP configurations, use ProcessPrng instead of BCryptGenRandom + // to avoid accessing resources that may be unavailable inside the + // Chromium sandbox. 
See https://crbug.com/74242 + if (!g_processprng_fn(out, requested)) { + abort(); + } +} + +#endif // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP + void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { CRYPTO_sysrand(out, requested); } -#endif // OPENSSL_WINDOWS && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE +#endif // OPENSSL_RAND_WINDOWS diff --git a/Sources/CJWTKitBoringSSL/crypto/refcount.c b/Sources/CJWTKitBoringSSL/crypto/refcount.c index 74ebdd7c..d2a886d0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/refcount.c +++ b/Sources/CJWTKitBoringSSL/crypto/refcount.c @@ -15,7 +15,6 @@ #include "internal.h" #include -#include #include diff --git a/Sources/CJWTKitBoringSSL/crypto/rsa_extra/rsa_crypt.c b/Sources/CJWTKitBoringSSL/crypto/rsa_extra/rsa_crypt.c index 52fb1cf2..5307730f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/rsa_extra/rsa_crypt.c +++ b/Sources/CJWTKitBoringSSL/crypto/rsa_extra/rsa_crypt.c @@ -75,7 +75,9 @@ static void rand_nonzero(uint8_t *out, size_t len) { RAND_bytes(out, len); for (size_t i = 0; i < len; i++) { - while (out[i] == 0) { + // Zero values are replaced, and the distribution of zero and non-zero bytes + // is public, so leaking this is safe. + while (constant_time_declassify_int(out[i] == 0)) { RAND_bytes(out + i, 1); } } diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/address.c b/Sources/CJWTKitBoringSSL/crypto/spx/address.c new file mode 100644 index 00000000..eea3005f --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/address.c 
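Review bot: `LoadLibraryW(L"bcryptprimitives")` in `init_processprng` loads by bare module name, so the lookup follows the default DLL search order; this is presumably safe because bcryptprimitives.dll is a system KnownDLL, but that reliance is not written down. Either record it, `// bcryptprimitives is a system KnownDLL; a bare-name load cannot be redirected via the search path.`, or make it explicit with `LoadLibraryExW(L"bcryptprimitives.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)`. The ProcessPrng branch also passes the whole `size_t requested` in one call while the UWP branch chunks into ULONG-sized pieces; that matches the SIZE_T cbData signature cited in the comment, but a one-line note would stop a reader from "fixing" the asymmetry. The UWP `CRYPTO_sysrand` body starts in the previous hunk.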
@@ -0,0 +1,101 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include + +#include "../internal.h" +#include "./address.h" +#include "./spx_util.h" + + +// Offsets of various fields in the address structure for SPHINCS+-SHA2-128s. + +// The byte used to specify the Merkle tree layer. +#define SPX_OFFSET_LAYER 0 + +// The start of the 8 byte field used to specify the tree. +#define SPX_OFFSET_TREE 1 + +// The byte used to specify the hash type (reason). +#define SPX_OFFSET_TYPE 9 + +// The high byte used to specify the key pair (which one-time signature). +#define SPX_OFFSET_KP_ADDR2 12 + +// The low byte used to specific the key pair. +#define SPX_OFFSET_KP_ADDR1 13 + +// The byte used to specify the chain address (which Winternitz chain). +#define SPX_OFFSET_CHAIN_ADDR 17 + +// The byte used to specify the hash address (where in the Winternitz chain). +#define SPX_OFFSET_HASH_ADDR 21 + +// The byte used to specify the height of this node in the FORS or Merkle tree. +#define SPX_OFFSET_TREE_HGT 17 + +// The start of the 4 byte field used to specify the node in the FORS or Merkle +// tree. 
+#define SPX_OFFSET_TREE_INDEX 18 + + +void spx_set_chain_addr(uint8_t addr[32], uint32_t chain) { + addr[SPX_OFFSET_CHAIN_ADDR] = (uint8_t)chain; +} + +void spx_set_hash_addr(uint8_t addr[32], uint32_t hash) { + addr[SPX_OFFSET_HASH_ADDR] = (uint8_t)hash; +} + +void spx_set_keypair_addr(uint8_t addr[32], uint32_t keypair) { + addr[SPX_OFFSET_KP_ADDR2] = (uint8_t)(keypair >> 8); + addr[SPX_OFFSET_KP_ADDR1] = (uint8_t)keypair; +} + +void spx_copy_keypair_addr(uint8_t out[32], const uint8_t in[32]) { + memcpy(out, in, SPX_OFFSET_TREE + 8); + out[SPX_OFFSET_KP_ADDR2] = in[SPX_OFFSET_KP_ADDR2]; + out[SPX_OFFSET_KP_ADDR1] = in[SPX_OFFSET_KP_ADDR1]; +} + +void spx_set_layer_addr(uint8_t addr[32], uint32_t layer) { + addr[SPX_OFFSET_LAYER] = (uint8_t)layer; +} + +void spx_set_tree_addr(uint8_t addr[32], uint64_t tree) { + spx_uint64_to_len_bytes(&addr[SPX_OFFSET_TREE], 8, tree); +} + +void spx_set_type(uint8_t addr[32], uint32_t type) { + // NIST draft relies on this setting parts of the address to 0, so we do it + // here to avoid confusion. + // + // The behavior here is only correct for the SHA2 instantiations. + memset(addr + 10, 0, 12); + addr[SPX_OFFSET_TYPE] = (uint8_t)type; +} + +void spx_set_tree_height(uint8_t addr[32], uint32_t tree_height) { + addr[SPX_OFFSET_TREE_HGT] = (uint8_t)tree_height; +} + +void spx_set_tree_index(uint8_t addr[32], uint32_t tree_index) { + CRYPTO_store_u32_be(&addr[SPX_OFFSET_TREE_INDEX], tree_index); +} + +uint32_t spx_get_tree_index(uint8_t addr[32]) { + return CRYPTO_load_u32_be(addr + SPX_OFFSET_TREE_INDEX); +} diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/address.h b/Sources/CJWTKitBoringSSL/crypto/spx/address.h new file mode 100644 index 00000000..9b3966bb --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/address.h 
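Review bot: `spx_set_type` does `memset(addr + 10, 0, 12)` before writing the type byte, which silently wipes the keypair (12–13), chain/tree-height (17) and hash/tree-index (18–21) fields; the comment only says the NIST draft "relies on this", so a caller who sets the keypair address and then the type loses it — fors.c compensates by calling `spx_copy_keypair_addr` afterwards, but that ordering rule is undocumented here. Suggest replacing the comment with: `// Setting the type clears every type-specific field after the type byte (keypair, chain/height, hash/index), as the NIST draft requires; callers must set those fields again after changing the type.` Separately, `spx_get_tree_index` only reads `addr` and should take `const uint8_t addr[32]`, with the prototype in address.h (a separate hunk) changed to match.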
@@ -0,0 +1,50 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SPX_ADDRESS_H
+#define OPENSSL_HEADER_CRYPTO_SPX_ADDRESS_H
+
+#include
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+#define SPX_ADDR_TYPE_WOTS 0
+#define SPX_ADDR_TYPE_WOTSPK 1
+#define SPX_ADDR_TYPE_HASHTREE 2
+#define SPX_ADDR_TYPE_FORSTREE 3
+#define SPX_ADDR_TYPE_FORSPK 4
+#define SPX_ADDR_TYPE_WOTSPRF 5
+#define SPX_ADDR_TYPE_FORSPRF 6
+
+void spx_set_chain_addr(uint8_t addr[32], uint32_t chain);
+void spx_set_hash_addr(uint8_t addr[32], uint32_t hash);
+void spx_set_keypair_addr(uint8_t addr[32], uint32_t keypair);
+void spx_set_layer_addr(uint8_t addr[32], uint32_t layer);
+void spx_set_tree_addr(uint8_t addr[32], uint64_t tree);
+void spx_set_type(uint8_t addr[32], uint32_t type);
+void spx_set_tree_height(uint8_t addr[32], uint32_t tree_height);
+void spx_set_tree_index(uint8_t addr[32], uint32_t tree_index);
+void spx_copy_keypair_addr(uint8_t out[32], const uint8_t in[32]);
+
+uint32_t spx_get_tree_index(uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_SPX_ADDRESS_H
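Review bot: The header declares nine mutators of a 32-byte `addr` buffer but never says what the buffer is, nor that `spx_set_type` resets the fields that follow the type byte (address.c implements it as `memset(addr + 10, 0, 12)`), so a caller reading only this header cannot tell that the keypair/chain/hash/tree fields must be set after the type. Suggest a short comment block above the prototypes describing `addr` as the 32-byte SPHINCS+ address (layer, tree, type, then type-specific fields) in the SHA2 compressed layout implemented in address.c, and stating that `spx_set_type` clears the type-specific fields. `spx_get_tree_index` only reads its argument and should be declared `uint32_t spx_get_tree_index(const uint8_t addr[32]);`.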
diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/fors.c b/Sources/CJWTKitBoringSSL/crypto/spx/fors.c new file mode 100644 index 00000000..7d9c56f5 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/fors.c 
@@ -0,0 +1,133 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include + +#include "./address.h" +#include "./fors.h" +#include "./params.h" +#include "./spx_util.h" +#include "./thash.h" + +void spx_fors_sk_gen(uint8_t *fors_sk, uint32_t idx, + const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N], + uint8_t addr[32]) { + uint8_t sk_addr[32]; + memcpy(sk_addr, addr, sizeof(sk_addr)); + + spx_set_type(sk_addr, SPX_ADDR_TYPE_FORSPRF); + spx_copy_keypair_addr(sk_addr, addr); + spx_set_tree_index(sk_addr, idx); + spx_thash_prf(fors_sk, pk_seed, sk_seed, sk_addr); +} + +void spx_fors_treehash(uint8_t root_node[SPX_N], const uint8_t sk_seed[SPX_N], + uint32_t i /*target node index*/, + uint32_t z /*target node height*/, + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + + BSSL_CHECK(z <= SPX_FORS_HEIGHT); + BSSL_CHECK(i < (uint32_t)(SPX_FORS_TREES * (1 << (SPX_FORS_HEIGHT - z)))); + + if (z == 0) { + uint8_t sk[SPX_N]; + spx_set_tree_height(addr, 0); + spx_set_tree_index(addr, i); + spx_fors_sk_gen(sk, i, sk_seed, pk_seed, addr); + spx_thash_f(root_node, sk, pk_seed, addr); + } else { + // Stores left node and right node. 
+ uint8_t nodes[2 * SPX_N]; + spx_fors_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr); + spx_fors_treehash(nodes + SPX_N, sk_seed, 2 * i + 1, z - 1, pk_seed, addr); + spx_set_tree_height(addr, z); + spx_set_tree_index(addr, i); + spx_thash_h(root_node, nodes, pk_seed, addr); + } +} + +void spx_fors_sign(uint8_t *fors_sig, const uint8_t message[SPX_FORS_MSG_BYTES], + const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N], + uint8_t addr[32]) { + uint32_t indices[SPX_FORS_TREES]; + + // Derive FORS indices compatible with the NIST changes. + spx_base_b(indices, SPX_FORS_TREES, message, /*log2_b=*/SPX_FORS_HEIGHT); + + for (size_t i = 0; i < SPX_FORS_TREES; ++i) { + spx_set_tree_height(addr, 0); + // Write the FORS secret key element to the correct position. + spx_fors_sk_gen(fors_sig + i * SPX_N * (SPX_FORS_HEIGHT + 1), + i * (1 << SPX_FORS_HEIGHT) + indices[i], sk_seed, pk_seed, + addr); + for (size_t j = 0; j < SPX_FORS_HEIGHT; ++j) { + size_t s = (indices[i] / (1 << j)) ^ 1; + // Write the FORS auth path element to the correct position. + spx_fors_treehash(fors_sig + SPX_N * (i * (SPX_FORS_HEIGHT + 1) + j + 1), + sk_seed, i * (1ULL << (SPX_FORS_HEIGHT - j)) + s, j, + pk_seed, addr); + } + } +} + +void spx_fors_pk_from_sig(uint8_t *fors_pk, + const uint8_t fors_sig[SPX_FORS_BYTES], + const uint8_t message[SPX_FORS_MSG_BYTES], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + uint32_t indices[SPX_FORS_TREES]; + uint8_t tmp[2 * SPX_N]; + uint8_t roots[SPX_FORS_TREES * SPX_N]; + + // Derive FORS indices compatible with the NIST changes. 
+ spx_base_b(indices, SPX_FORS_TREES, message, /*log2_b=*/SPX_FORS_HEIGHT); + + for (size_t i = 0; i < SPX_FORS_TREES; ++i) { + // Pointer to current sk and authentication path + const uint8_t *sk = fors_sig + i * SPX_N * (SPX_FORS_HEIGHT + 1); + const uint8_t *auth = fors_sig + i * SPX_N * (SPX_FORS_HEIGHT + 1) + SPX_N; + uint8_t nodes[2 * SPX_N]; + + spx_set_tree_height(addr, 0); + spx_set_tree_index(addr, (i * (1 << SPX_FORS_HEIGHT)) + indices[i]); + + spx_thash_f(nodes, sk, pk_seed, addr); + + for (size_t j = 0; j < SPX_FORS_HEIGHT; ++j) { + spx_set_tree_height(addr, j + 1); + + // Even node + if (((indices[i] / (1 << j)) % 2) == 0) { + spx_set_tree_index(addr, spx_get_tree_index(addr) / 2); + memcpy(tmp, nodes, SPX_N); + memcpy(tmp + SPX_N, auth + j * SPX_N, SPX_N); + spx_thash_h(nodes + SPX_N, tmp, pk_seed, addr); + } else { + spx_set_tree_index(addr, (spx_get_tree_index(addr) - 1) / 2); + memcpy(tmp, auth + j * SPX_N, SPX_N); + memcpy(tmp + SPX_N, nodes, SPX_N); + spx_thash_h(nodes + SPX_N, tmp, pk_seed, addr); + } + memcpy(nodes, nodes + SPX_N, SPX_N); + } + memcpy(roots + i * SPX_N, nodes, SPX_N); + } + + uint8_t forspk_addr[32]; + memcpy(forspk_addr, addr, sizeof(forspk_addr)); + spx_set_type(forspk_addr, SPX_ADDR_TYPE_FORSPK); + spx_copy_keypair_addr(forspk_addr, addr); + spx_thash_tk(fors_pk, roots, pk_seed, forspk_addr); +} diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/fors.h b/Sources/CJWTKitBoringSSL/crypto/spx/fors.h new file mode 100644 index 00000000..2f5dd245 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/fors.h 
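Review bot: `spx_fors_sign` writes SPX_FORS_TREES × (SPX_FORS_HEIGHT + 1) × SPX_N bytes, i.e. SPX_FORS_BYTES, into `fors_sig` but declares it as a bare `uint8_t *`, while `spx_fors_pk_from_sig` just below annotates the same buffer as `fors_sig[SPX_FORS_BYTES]`; `fors_pk` and `fors_sk` are likewise SPX_N-byte outputs with no size in the signature. Suggest `void spx_fors_sign(uint8_t fors_sig[SPX_FORS_BYTES], ...)`, `uint8_t fors_pk[SPX_N]` and `uint8_t fors_sk[SPX_N]`, with the prototypes in fors.h (a separate hunk) updated to match; C does not enforce the bound, but it documents the contract and lets static analyzers check callers. The index arithmetic mixes `int` shifts (`1 << j`, `1 << SPX_FORS_HEIGHT`) with `size_t` and `uint32_t`; all values are small for these parameters, but `1u <<` would remove the signed intermediate.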
@@ -0,0 +1,54 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_FORS_H +#define OPENSSL_HEADER_CRYPTO_SPX_FORS_H + +#include + +#include "./params.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Algorithm 13: Generate a FORS private key value. +void spx_fors_sk_gen(uint8_t *fors_sk, uint32_t idx, + const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N], + uint8_t addr[32]); + +// Algorithm 14: Compute the root of a Merkle subtree of FORS public values. +void spx_fors_treehash(uint8_t root_node[SPX_N], const uint8_t sk_seed[SPX_N], + uint32_t i /*target node index*/, + uint32_t z /*target node height*/, + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Algorithm 15: Generate a FORS signature. +void spx_fors_sign(uint8_t *fors_sig, const uint8_t message[SPX_FORS_MSG_BYTES], + const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N], + uint8_t addr[32]); + +// Algorithm 16: Compute a FORS public key from a FORS signature. 
+void spx_fors_pk_from_sig(uint8_t *fors_pk, + const uint8_t fors_sig[SPX_FORS_BYTES], + const uint8_t message[SPX_FORS_MSG_BYTES], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_FORS_H diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/internal.h b/Sources/CJWTKitBoringSSL/crypto/spx/internal.h new file mode 100644 index 00000000..79af9eb5 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/internal.h 
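Review bot: The comments `// Algorithm 13:` through `// Algorithm 16:` cite algorithm numbers without naming the document, and such numbering moves between drafts (fors.c itself speaks of indices "compatible with the NIST changes"), so the references will silently go stale. Suggest a single comment at the top of the header, e.g. `// Algorithm numbers below refer to the NIST SLH-DSA (FIPS 205) draft this implementation follows; they may shift in later revisions.` — hedged, since the exact draft is not visible here. `fors_pk` and `fors_sk` are SPX_N-byte outputs declared as bare pointers; `uint8_t fors_pk[SPX_N]` would match the style of the other parameters.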
@@ -0,0 +1,79 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_SPX_H +#define OPENSSL_HEADER_SPX_H + +#include + +#if defined(__cplusplus) +extern "C" { +#endif + + +// SPX_N is the number of bytes in the hash output +#define SPX_N 16 + +// SPX_PUBLIC_KEY_BYTES is the nNumber of bytes in the public key of +// SPHINCS+-SHA2-128s +#define SPX_PUBLIC_KEY_BYTES 32 + +// SPX_SECRET_KEY_BYTES is the number of bytes in the private key of +// SPHINCS+-SHA2-128s +#define SPX_SECRET_KEY_BYTES 64 + +// SPX_SIGNATURE_BYTES is the number of bytes in a signature of +// SPHINCS+-SHA2-128s +#define SPX_SIGNATURE_BYTES 7856 + +// spx_generate_key generates a SPHINCS+-SHA2-128s key pair and writes the +// result to |out_public_key| and |out_secret_key|. +// Private key: SK.seed || SK.prf || PK.seed || PK.root +// Public key: PK.seed || PK.root +OPENSSL_EXPORT void spx_generate_key( + uint8_t out_public_key[SPX_PUBLIC_KEY_BYTES], + uint8_t out_secret_key[SPX_SECRET_KEY_BYTES]); + +// spx_generate_key_from_seed generates a SPHINCS+-SHA2-128s key pair from a +// 48-byte seed and writes the result to |out_public_key| and |out_secret_key|. 
+// Secret key: SK.seed || SK.prf || PK.seed || PK.root +// Public key: PK.seed || PK.root +OPENSSL_EXPORT void spx_generate_key_from_seed( + uint8_t out_public_key[SPX_PUBLIC_KEY_BYTES], + uint8_t out_secret_key[SPX_SECRET_KEY_BYTES], + const uint8_t seed[3 * SPX_N]); + +// spx_sign generates a SPHINCS+-SHA2-128s signature over |msg| or length +// |msg_len| using |secret_key| and writes the output to |out_signature|. +// +// if |randomized| is 0, deterministic signing is performed, otherwise, +// non-deterministic signing is performed. +OPENSSL_EXPORT void spx_sign(uint8_t out_snignature[SPX_SIGNATURE_BYTES], + const uint8_t secret_key[SPX_SECRET_KEY_BYTES], + const uint8_t *msg, size_t msg_len, + int randomized); + +// spx_verify verifies a SPHINCS+-SHA2-128s signature in |signature| over |msg| +// or length |msg_len| using |public_key|. 1 is returned if the signature +// matches, 0 otherwise. +OPENSSL_EXPORT int spx_verify(const uint8_t signature[SPX_SIGNATURE_BYTES], + const uint8_t public_key[SPX_SECRET_KEY_BYTES], + const uint8_t *msg, size_t msg_len); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_SPX_H diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/merkle.c b/Sources/CJWTKitBoringSSL/crypto/spx/merkle.c new file mode 100644 index 00000000..48203976 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/merkle.c 
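Review bot: `spx_verify` declares its key as `public_key[SPX_SECRET_KEY_BYTES]` (64) although the header's own comment describes the public key as PK.seed || PK.root, which `spx_generate_key` sizes as SPX_PUBLIC_KEY_BYTES (32); the bound is not enforced by C, but it misstates the contract and could lead a caller who sizes buffers from the prototype to pass a 64-byte secret key where the public key belongs. Change it to `const uint8_t public_key[SPX_PUBLIC_KEY_BYTES]`. Smaller wording fixes in the same hunk: `out_snignature` → `out_signature` (spx.c already uses the latter), "over |msg| or length |msg_len|" → "of length" in both the spx_sign and spx_verify comments, and `nNumber` → `number`. `SPX_N` is defined here and again in params.h; identical redefinitions compile, but one header should include the other rather than duplicate the value.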
@@ -0,0 +1,150 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include + +#include "./address.h" +#include "./merkle.h" +#include "./params.h" +#include "./thash.h" +#include "./wots.h" + +void spx_treehash(uint8_t out_pk[SPX_N], const uint8_t sk_seed[SPX_N], + uint32_t i /*target node index*/, + uint32_t z /*target node height*/, + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + BSSL_CHECK(z <= SPX_TREE_HEIGHT); + BSSL_CHECK(i < (uint32_t)(1 << (SPX_TREE_HEIGHT - z))); + + if (z == 0) { + spx_set_type(addr, SPX_ADDR_TYPE_WOTS); + spx_set_keypair_addr(addr, i); + spx_wots_pk_gen(out_pk, sk_seed, pk_seed, addr); + } else { + // Stores left node and right node. 
+ uint8_t nodes[2 * SPX_N]; + spx_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr); + spx_treehash(nodes + SPX_N, sk_seed, 2 * i + 1, z - 1, pk_seed, addr); + spx_set_type(addr, SPX_ADDR_TYPE_HASHTREE); + spx_set_tree_height(addr, z); + spx_set_tree_index(addr, i); + spx_thash_h(out_pk, nodes, pk_seed, addr); + } +} + +void spx_xmss_sign(uint8_t *sig, const uint8_t msg[SPX_N], unsigned int idx, + const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N], + uint8_t addr[32]) { + // Build authentication path + for (size_t j = 0; j < SPX_TREE_HEIGHT; ++j) { + unsigned int k = (idx >> j) ^ 1; + spx_treehash(sig + SPX_WOTS_BYTES + j * SPX_N, sk_seed, k, j, pk_seed, + addr); + } + + // Compute WOTS+ signature + spx_set_type(addr, SPX_ADDR_TYPE_WOTS); + spx_set_keypair_addr(addr, idx); + spx_wots_sign(sig, msg, sk_seed, pk_seed, addr); +} + +void spx_xmss_pk_from_sig(uint8_t *root, const uint8_t *xmss_sig, + unsigned int idx, const uint8_t msg[SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + // Stores node[0] and node[1] from Algorithm 10 + uint8_t node[2 * SPX_N]; + uint8_t tmp[2 * SPX_N]; + spx_set_type(addr, SPX_ADDR_TYPE_WOTS); + spx_set_keypair_addr(addr, idx); + spx_wots_pk_from_sig(node, xmss_sig, msg, pk_seed, addr); + + const uint8_t *auth = xmss_sig + SPX_WOTS_BYTES; + + spx_set_type(addr, SPX_ADDR_TYPE_HASHTREE); + spx_set_tree_index(addr, idx); + for (size_t k = 0; k < SPX_TREE_HEIGHT; ++k) { + spx_set_tree_height(addr, k + 1); + // Is even + if (((idx >> k) & 1) == 0) { + spx_set_tree_index(addr, spx_get_tree_index(addr) >> 1); + memcpy(tmp, node, SPX_N); + memcpy(tmp + SPX_N, auth + k * SPX_N, SPX_N); + spx_thash_h(node + SPX_N, tmp, pk_seed, addr); + } else { + spx_set_tree_index(addr, (spx_get_tree_index(addr) - 1) >> 1); + memcpy(tmp, auth + k * SPX_N, SPX_N); + memcpy(tmp + SPX_N, node, SPX_N); + spx_thash_h(node + SPX_N, tmp, pk_seed, addr); + } + memcpy(node, node + SPX_N, SPX_N); + } + memcpy(root, node, SPX_N); +} + +void 
spx_ht_sign(uint8_t *sig, const uint8_t message[SPX_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t sk_seed[SPX_N], + const uint8_t pk_seed[SPX_N]) { + uint8_t addr[32] = {0}; + spx_set_tree_addr(addr, idx_tree); + + // Layer 0 + uint8_t sig_tmp[SPX_XMSS_BYTES]; + spx_xmss_sign(sig_tmp, message, idx_leaf, sk_seed, pk_seed, addr); + memcpy(sig, sig_tmp, sizeof(sig_tmp)); + + uint8_t root[SPX_N]; + spx_xmss_pk_from_sig(root, sig_tmp, idx_leaf, message, pk_seed, addr); + + // All other layers + for (size_t j = 1; j < SPX_D; ++j) { + idx_leaf = idx_tree % (1 << SPX_TREE_HEIGHT); + idx_tree = idx_tree >> SPX_TREE_HEIGHT; + spx_set_layer_addr(addr, j); + spx_set_tree_addr(addr, idx_tree); + spx_xmss_sign(sig_tmp, root, idx_leaf, sk_seed, pk_seed, addr); + memcpy(sig + j * SPX_XMSS_BYTES, sig_tmp, sizeof(sig_tmp)); + + if (j < (SPX_D - 1)) { + spx_xmss_pk_from_sig(root, sig_tmp, idx_leaf, root, pk_seed, addr); + } + } +} + +int spx_ht_verify(const uint8_t sig[SPX_D * SPX_XMSS_BYTES], + const uint8_t message[SPX_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t pk_root[SPX_N], + const uint8_t pk_seed[SPX_N]) { + uint8_t addr[32] = {0}; + spx_set_tree_addr(addr, idx_tree); + + uint8_t sig_tmp[SPX_XMSS_BYTES]; + memcpy(sig_tmp, sig, sizeof(sig_tmp)); + + uint8_t node[SPX_N]; + spx_xmss_pk_from_sig(node, sig_tmp, idx_leaf, message, pk_seed, addr); + + for (size_t j = 1; j < SPX_D; ++j) { + idx_leaf = idx_tree % (1 << SPX_TREE_HEIGHT); + idx_tree = idx_tree >> SPX_TREE_HEIGHT; + spx_set_layer_addr(addr, j); + spx_set_tree_addr(addr, idx_tree); + // Get jth XMSS signature + memcpy(sig_tmp, sig + j * SPX_XMSS_BYTES, sizeof(sig_tmp)); + + spx_xmss_pk_from_sig(node, sig_tmp, idx_leaf, node, pk_seed, addr); + } + return memcmp(node, pk_root, SPX_N) == 0; +} diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/merkle.h b/Sources/CJWTKitBoringSSL/crypto/spx/merkle.h new file mode 100644 index 00000000..302e8cf5 --- /dev/null 
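Review bot: `spx_ht_verify` ends with `memcmp(node, pk_root, SPX_N) == 0`, a variable-time compare; that is acceptable because both operands are public (the root recomputed from the signature and the public key's PK.root), but nothing says so and a reader used to BoringSSL's CRYPTO_memcmp rule will flag it. Suggest `// Both values are public (recomputed root vs. PK.root), so a variable-time compare is fine.` above the return. `spx_ht_sign` takes `uint8_t *sig` while `spx_ht_verify` annotates the same buffer as `sig[SPX_D * SPX_XMSS_BYTES]`; aligning the two would document that sign writes SPX_D × SPX_XMSS_BYTES. `spx_ht_sign` also stages every XMSS signature through `sig_tmp` before memcpy'ing it into `sig`; writing to `sig + j * SPX_XMSS_BYTES` directly would drop a stack copy, though the current form is harmless.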
+++ b/Sources/CJWTKitBoringSSL/crypto/spx/merkle.h 
@@ -0,0 +1,61 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_MERKLE_H +#define OPENSSL_HEADER_CRYPTO_SPX_MERKLE_H + +#include + +#include + +#include "./params.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Algorithm 8: Compute the root of a Merkle subtree of WOTS+ public keys. +void spx_treehash(uint8_t out_pk[SPX_N], const uint8_t sk_seed[SPX_N], + uint32_t i /*target node index*/, + uint32_t z /*target node height*/, + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Algorithm 9: Generate an XMSS signature. +void spx_xmss_sign(uint8_t *sig, const uint8_t msg[SPX_N], unsigned int idx, + const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N], + uint8_t addr[32]); + +// Algorithm 10: Compute an XMSS public key from an XMSS signature. +void spx_xmss_pk_from_sig(uint8_t *root, const uint8_t *xmss_sig, + unsigned int idx, const uint8_t msg[SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Algorithm 11: Generate a hypertree signature. +void spx_ht_sign(uint8_t *sig, const uint8_t message[SPX_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t sk_seed[SPX_N], + const uint8_t pk_seed[SPX_N]); + +// Algorithm 12: Verify a hypertree signature. 
+int spx_ht_verify(const uint8_t sig[SPX_D * SPX_XMSS_BYTES], + const uint8_t message[SPX_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t pk_root[SPX_N], + const uint8_t pk_seed[SPX_N]); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_MERKLE_H diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/params.h b/Sources/CJWTKitBoringSSL/crypto/spx/params.h new file mode 100644 index 00000000..cc7fd102 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/params.h 
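Review bot: `spx_xmss_sign` and `spx_ht_sign` declare their output as a bare `uint8_t *sig` while `spx_ht_verify` declares the same buffer as `sig[SPX_D * SPX_XMSS_BYTES]`, so the header documents the size on the verify side only. Suggest `void spx_xmss_sign(uint8_t sig[SPX_XMSS_BYTES], ...)` and `void spx_ht_sign(uint8_t sig[SPX_D * SPX_XMSS_BYTES], ...)`, with the definitions in merkle.c (a separate hunk) updated to match; `root` in `spx_xmss_pk_from_sig` is likewise an SPX_N-byte output that could be `root[SPX_N]`. The leaf index is `unsigned int idx` in the XMSS functions but `uint32_t idx_leaf` in the hypertree ones; one type for the same quantity would be cleaner.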
@@ -0,0 +1,71 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_PARAMS_H +#define OPENSSL_HEADER_CRYPTO_SPX_PARAMS_H + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Output length of the hash function. +#define SPX_N 16 +// Total height of the tree structure. +#define SPX_FULL_HEIGHT 63 +// Number of subtree layers. +#define SPX_D 7 +// Height of the trees on each layer +#define SPX_TREE_HEIGHT 9 +// Height of each individual FORS tree. +#define SPX_FORS_HEIGHT 12 +// Total number of FORS tree used. 
+#define SPX_FORS_TREES 14 +// Size of a FORS signature +#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N) + +// Winternitz parameter and derived values +#define SPX_WOTS_W 16 +#define SPX_WOTS_LOG_W 4 +#define SPX_WOTS_LEN1 32 +#define SPX_WOTS_LEN2 3 +#define SPX_WOTS_LEN 35 +#define SPX_WOTS_BYTES (SPX_N * SPX_WOTS_LEN) + +// XMSS sizes +#define SPX_XMSS_BYTES (SPX_WOTS_BYTES + (SPX_N * SPX_TREE_HEIGHT)) + +// Size of the message digest (NOTE: This is only correct for the SHA256 params +// here) +#define SPX_DIGEST_SIZE \ + (((SPX_FORS_TREES * SPX_FORS_HEIGHT) / 8) + \ + (((SPX_FULL_HEIGHT - SPX_TREE_HEIGHT) / 8) + 1) + (SPX_TREE_HEIGHT / 8) + \ + 1) + +// Compressed address size when using SHA256 +#define SPX_SHA256_ADDR_BYTES 22 + +// Size of the FORS message hash +#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8) +#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1)) +#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8) +#define SPX_LEAF_BITS SPX_TREE_HEIGHT +#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8) + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_PARAMS_H diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/spx.c b/Sources/CJWTKitBoringSSL/crypto/spx/spx.c new file mode 100644 index 00000000..622cc8ab --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/spx.c 
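Review bot: `SPX_DIGEST_SIZE` computes its middle and last terms as `(x / 8) + 1`, which equals ceil(x/8) only when x is not a multiple of 8, and its first term as `x / 8`, which is right only when it is; the values happen to be correct for these parameters (21 + 7 + 2 = 30), which is what the NOTE admits, but the rest of the header already uses the uniform `(x + 7) / 8` idiom. Suggest `#define SPX_DIGEST_SIZE (((SPX_FORS_TREES * SPX_FORS_HEIGHT + 7) / 8) + ((SPX_FULL_HEIGHT - SPX_TREE_HEIGHT + 7) / 8) + ((SPX_TREE_HEIGHT + 7) / 8))`, which yields the same 30 today and stays correct if the parameters change. `SPX_N` is also defined in spx/internal.h; better to keep a single definition and include it.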
@@ -0,0 +1,139 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include + +#include + +#include "./address.h" +#include "./fors.h" +#include "./internal.h" +#include "./merkle.h" +#include "./params.h" +#include "./spx_util.h" +#include "./thash.h" + +void spx_generate_key(uint8_t out_public_key[SPX_PUBLIC_KEY_BYTES], + uint8_t out_secret_key[SPX_SECRET_KEY_BYTES]) { + uint8_t seed[3 * SPX_N]; + RAND_bytes(seed, 3 * SPX_N); + spx_generate_key_from_seed(out_public_key, out_secret_key, seed); +} + +void spx_generate_key_from_seed(uint8_t out_public_key[SPX_PUBLIC_KEY_BYTES], + uint8_t out_secret_key[SPX_SECRET_KEY_BYTES], + const uint8_t seed[3 * SPX_N]) { + // Initialize SK.seed || SK.prf || PK.seed from seed. + memcpy(out_secret_key, seed, 3 * SPX_N); + + // Initialize PK.seed from seed. 
+ memcpy(out_public_key, seed + 2 * SPX_N, SPX_N); + + uint8_t addr[32] = {0}; + spx_set_layer_addr(addr, SPX_D - 1); + + // Set PK.root + spx_treehash(out_public_key + SPX_N, out_secret_key, 0, SPX_TREE_HEIGHT, + out_public_key, addr); + memcpy(out_secret_key + 3 * SPX_N, out_public_key + SPX_N, SPX_N); +} + +void spx_sign(uint8_t out_signature[SPX_SIGNATURE_BYTES], + const uint8_t secret_key[SPX_SECRET_KEY_BYTES], + const uint8_t *msg, size_t msg_len, int randomized) { + uint8_t addr[32] = {0}; + const uint8_t *sk_seed = secret_key; + const uint8_t *sk_prf = secret_key + SPX_N; + const uint8_t *pk_seed = secret_key + 2 * SPX_N; + const uint8_t *pk_root = secret_key + 3 * SPX_N; + + uint8_t opt_rand[SPX_N] = {0}; + + if (randomized) { + RAND_bytes(opt_rand, SPX_N); + } else { + memcpy(opt_rand, pk_seed, SPX_N); + } + + // Derive randomizer r and copy it to signature. + uint8_t r[SPX_N]; + spx_thash_prfmsg(r, sk_prf, opt_rand, msg, msg_len); + memcpy(out_signature, r, SPX_N); + + uint8_t digest[SPX_DIGEST_SIZE]; + spx_thash_hmsg(digest, r, pk_seed, pk_root, msg, msg_len); + + uint8_t fors_digest[SPX_FORS_MSG_BYTES]; + memcpy(fors_digest, digest, SPX_FORS_MSG_BYTES); + + uint8_t *tmp_idx_tree = digest + SPX_FORS_MSG_BYTES; + uint8_t *tmp_idx_leaf = tmp_idx_tree + SPX_TREE_BYTES; + + uint64_t idx_tree = spx_to_uint64(tmp_idx_tree, SPX_TREE_BYTES); + idx_tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS); + + uint32_t idx_leaf = (uint32_t)spx_to_uint64(tmp_idx_leaf, SPX_LEAF_BYTES); + idx_leaf &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS); + + spx_set_tree_addr(addr, idx_tree); + spx_set_type(addr, SPX_ADDR_TYPE_FORSTREE); + spx_set_keypair_addr(addr, idx_leaf); + + spx_fors_sign(out_signature + SPX_N, fors_digest, sk_seed, pk_seed, addr); + + uint8_t pk_fors[SPX_N]; + spx_fors_pk_from_sig(pk_fors, out_signature + SPX_N, fors_digest, pk_seed, + addr); + + spx_ht_sign(out_signature + SPX_N + SPX_FORS_BYTES, pk_fors, idx_tree, + idx_leaf, sk_seed, pk_seed); +} + +int 
spx_verify(const uint8_t signature[SPX_SIGNATURE_BYTES], + const uint8_t public_key[SPX_SECRET_KEY_BYTES], + const uint8_t *msg, size_t msg_len) { + uint8_t addr[32] = {0}; + const uint8_t *pk_seed = public_key; + const uint8_t *pk_root = public_key + SPX_N; + + const uint8_t *r = signature; + const uint8_t *sig_fors = signature + SPX_N; + const uint8_t *sig_ht = sig_fors + SPX_FORS_BYTES; + + uint8_t digest[SPX_DIGEST_SIZE]; + spx_thash_hmsg(digest, r, pk_seed, pk_root, msg, msg_len); + + uint8_t fors_digest[SPX_FORS_MSG_BYTES]; + memcpy(fors_digest, digest, SPX_FORS_MSG_BYTES); + + uint8_t *tmp_idx_tree = digest + SPX_FORS_MSG_BYTES; + uint8_t *tmp_idx_leaf = tmp_idx_tree + SPX_TREE_BYTES; + + uint64_t idx_tree = spx_to_uint64(tmp_idx_tree, SPX_TREE_BYTES); + idx_tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS); + + uint32_t idx_leaf = (uint32_t)spx_to_uint64(tmp_idx_leaf, SPX_LEAF_BYTES); + idx_leaf &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS); + + spx_set_tree_addr(addr, idx_tree); + spx_set_type(addr, SPX_ADDR_TYPE_FORSTREE); + spx_set_keypair_addr(addr, idx_leaf); + + uint8_t pk_fors[SPX_N]; + spx_fors_pk_from_sig(pk_fors, sig_fors, fors_digest, pk_seed, addr); + + return spx_ht_verify(sig_ht, pk_fors, idx_tree, idx_leaf, pk_root, pk_seed); +} diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/spx_util.c b/Sources/CJWTKitBoringSSL/crypto/spx/spx_util.c new file mode 100644 index 00000000..ded5d675 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/spx_util.c 
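Review bot: `spx_verify` declares its second parameter as `const uint8_t public_key[SPX_SECRET_KEY_BYTES]`, but the argument is a public key, which `spx_generate_key` sizes as `SPX_PUBLIC_KEY_BYTES`. The bound in an array parameter is not enforced by the compiler, so this is not a memory error, but it misstates the contract and would mislead anyone sizing a buffer from the signature; change it to `const uint8_t public_key[SPX_PUBLIC_KEY_BYTES],`. Separately, `spx_generate_key` and `spx_sign` discard the return value of `RAND_bytes`; that is acceptable only if this build's `RAND_bytes` cannot fail (upstream BoringSSL aborts rather than returning 0, but confirm that holds for this vendored copy).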
@@ -0,0 +1,53 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include + +#include "./spx_util.h" + +void spx_uint64_to_len_bytes(uint8_t *output, size_t out_len, uint64_t input) { + for (size_t i = out_len; i > 0; --i) { + output[i - 1] = input & 0xff; + input = input >> 8; + } +} + +uint64_t spx_to_uint64(const uint8_t *input, size_t input_len) { + uint64_t tmp = 0; + for (size_t i = 0; i < input_len; ++i) { + tmp = 256 * tmp + input[i]; + } + return tmp; +} + +void spx_base_b(uint32_t *output, size_t out_len, const uint8_t *input, + unsigned int log2_b) { + int in = 0; + uint32_t out = 0; + uint32_t bits = 0; + uint32_t total = 0; + uint32_t base = UINT32_C(1) << log2_b; + + for (out = 0; out < out_len; ++out) { + while (bits < log2_b) { + total = (total << 8) + input[in]; + in++; + bits = bits + 8; + } + bits -= log2_b; + output[out] = (total >> bits) % base; + } +} diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/spx_util.h b/Sources/CJWTKitBoringSSL/crypto/spx/spx_util.h new file mode 100644 index 00000000..0ef50ac2 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/spx_util.h 
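Review bot: `spx_base_b` indexes `input` with `int in` while every other size in this file is `size_t`, and it takes no input length, so it reads `(out_len * log2_b + 7) / 8` bytes from `input` on the caller's word alone. Changing the index to `size_t in = 0;` removes the signed/unsigned mix, and a comment above the loop such as `// Reads ceil(out_len * log2_b / 8) bytes of |input|; callers size it accordingly.` records the precondition the callers in wots.c rely on. `spx_to_uint64` also silently discards high bytes when `input_len > 8`; the current callers pass `SPX_TREE_BYTES` and `SPX_LEAF_BYTES`, which are well under that, so an `assert(input_len <= sizeof(uint64_t));` would document the limit without changing behaviour.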
@@ -0,0 +1,44 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SPX_UTIL_H
+#define OPENSSL_HEADER_CRYPTO_SPX_UTIL_H
+
+#include 
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Encodes the integer value of input to out_len bytes in big-endian order.
+// Note that input < 2^(8*out_len), as otherwise this function will truncate
+// the least significant bytes of the integer representation.
+void spx_uint64_to_len_bytes(uint8_t *output, size_t out_len, uint64_t input);
+
+uint64_t spx_to_uint64(const uint8_t *input, size_t input_len);
+
+// Compute the base 2^log2_b representation of X.
+//
+// As some of the parameter sets in https://eprint.iacr.org/2022/1725.pdf use
+// a FORS height > 16 we use a uint32_t to store the output.
+void spx_base_b(uint32_t *output, size_t out_len, const uint8_t *input,
+ unsigned int log2_b);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_SPX_UTIL_H
diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/thash.c b/Sources/CJWTKitBoringSSL/crypto/spx/thash.c
new file mode 100644
index 00000000..68042449
--- /dev/null
+++ b/Sources/CJWTKitBoringSSL/crypto/spx/thash.c
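Review bot: `spx_to_uint64` is the only declaration in this header without a comment, and the `spx_base_b` comment does not say how many bytes of `input` are consumed. Proposed for the former: `// Decodes the big-endian integer stored in the first input_len bytes of input.` followed by `// input_len must not exceed 8.` For `spx_base_b`, adding `// Reads ceil(out_len * log2_b / 8) bytes from input.` states the precondition callers must satisfy, since the function has no length parameter of its own.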
@@ -0,0 +1,136 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include +#include +#include + +#include + +#include "./params.h" +#include "./spx_util.h" +#include "./thash.h" + +static void spx_thash(uint8_t *output, const uint8_t *input, + size_t input_blocks, const uint8_t pk_seed[SPX_N], + uint8_t addr[32]) { + uint8_t hash[32]; + SHA256_CTX sha256; + SHA256_Init(&sha256); + + // Process pubseed with padding to full block. + // TODO: This could be precomputed instead as it will be the same across all + // hash calls. 
+ uint8_t padded_pk_seed[64] = {0}; + memcpy(padded_pk_seed, pk_seed, SPX_N); + + SHA256_Update(&sha256, padded_pk_seed, sizeof(padded_pk_seed)); + SHA256_Update(&sha256, addr, SPX_SHA256_ADDR_BYTES); + SHA256_Update(&sha256, input, input_blocks * SPX_N); + + SHA256_Final(hash, &sha256); + memcpy(output, hash, SPX_N); +} + +void spx_thash_f(uint8_t *output, const uint8_t input[SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, input, 1, pk_seed, addr); +} + +void spx_thash_h(uint8_t *output, const uint8_t input[2 * SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, input, 2, pk_seed, addr); +} + +void spx_thash_hmsg(uint8_t *output, const uint8_t r[SPX_N], + const uint8_t pk_seed[SPX_N], const uint8_t pk_root[SPX_N], + const uint8_t *msg, size_t msg_len) { + // MGF1-SHA-256(R || PK.seed || SHA-256(R || PK.seed || PK.root || M), m) + // input_buffer stores R || PK_SEED || SHA256(..) || 4-byte index + uint8_t input_buffer[2 * SPX_N + 32 + 4] = {0}; + memcpy(input_buffer, r, SPX_N); + memcpy(input_buffer + SPX_N, pk_seed, SPX_N); + + // Inner hash + SHA256_CTX ctx; + SHA256_Init(&ctx); + SHA256_Update(&ctx, r, SPX_N); + SHA256_Update(&ctx, pk_seed, SPX_N); + SHA256_Update(&ctx, pk_root, SPX_N); + SHA256_Update(&ctx, msg, msg_len); + // Write directly into the input buffer + SHA256_Final(input_buffer + 2 * SPX_N, &ctx); + + // MGF1-SHA-256 + uint8_t output_buffer[3 * 32]; + // Need to call SHA256 3 times for message digest. 
+ static_assert(SPX_DIGEST_SIZE <= sizeof(output_buffer), + "not enough room for hashes"); + SHA256(input_buffer, sizeof(input_buffer), output_buffer); + input_buffer[2 * SPX_N + 32 + 3] = 1; + SHA256(input_buffer, sizeof(input_buffer), output_buffer + 32); + input_buffer[2 * SPX_N + 32 + 3] = 2; + SHA256(input_buffer, sizeof(input_buffer), output_buffer + 64); + + memcpy(output, output_buffer, SPX_DIGEST_SIZE); +} + +void spx_thash_prf(uint8_t *output, const uint8_t pk_seed[SPX_N], + const uint8_t sk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, sk_seed, 1, pk_seed, addr); +} + +void spx_thash_prfmsg(uint8_t *output, const uint8_t sk_prf[SPX_N], + const uint8_t opt_rand[SPX_N], const uint8_t *msg, + size_t msg_len) { + // Compute HMAC-SHA256(sk_prf, opt_rand || msg). We inline HMAC to avoid an + // allocation. + uint8_t hmac_key[SHA256_CBLOCK] = {0}; + static_assert(SPX_N <= SHA256_CBLOCK, "HMAC key is larger than block size"); + memcpy(hmac_key, sk_prf, SPX_N); + for (size_t i = 0; i < sizeof(hmac_key); i++) { + hmac_key[i] ^= 0x36; + } + + uint8_t hash[SHA256_DIGEST_LENGTH]; + SHA256_CTX ctx; + SHA256_Init(&ctx); + SHA256_Update(&ctx, hmac_key, sizeof(hmac_key)); + SHA256_Update(&ctx, opt_rand, SPX_N); + SHA256_Update(&ctx, msg, msg_len); + SHA256_Final(hash, &ctx); + + for (size_t i = 0; i < sizeof(hmac_key); i++) { + hmac_key[i] ^= 0x36 ^ 0x5c; + } + SHA256_Init(&ctx); + SHA256_Update(&ctx, hmac_key, sizeof(hmac_key)); + SHA256_Update(&ctx, hash, sizeof(hash)); + SHA256_Final(hash, &ctx); + + // Truncate to SPX_N bytes + memcpy(output, hash, SPX_N); +} + +void spx_thash_tl(uint8_t *output, const uint8_t input[SPX_WOTS_BYTES], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, input, SPX_WOTS_LEN, pk_seed, addr); +} + +void spx_thash_tk(uint8_t *output, const uint8_t input[SPX_FORS_TREES * SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, input, SPX_FORS_TREES, pk_seed, addr); +} 
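Review bot: `spx_thash_prfmsg` expands the secret `sk_prf` into `hmac_key` (first the inner-pad form, then the outer-pad form) and leaves it, together with `ctx` and the intermediate `hash`, on the stack when it returns. BoringSSL zeroes key-derived temporaries elsewhere with `OPENSSL_cleanse`; adding `OPENSSL_cleanse(hmac_key, sizeof(hmac_key));` and `OPENSSL_cleanse(&ctx, sizeof(ctx));` before the final `memcpy` keeps this PRF consistent with that practice. `spx_thash`'s `sha256` context likewise absorbs `sk_seed` when reached via `spx_thash_prf`, so it merits the same treatment, whereas `padded_pk_seed` holds only public data.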
diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/thash.h b/Sources/CJWTKitBoringSSL/crypto/spx/thash.h
new file mode 100644
index 00000000..e8933f7c
--- /dev/null
+++ b/Sources/CJWTKitBoringSSL/crypto/spx/thash.h
@@ -0,0 +1,70 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_THASH_H +#define OPENSSL_HEADER_CRYPTO_SPX_THASH_H + +#include + +#include "./params.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Implements F: a hash function takes an n-byte message as input and produces +// an n-byte output. +void spx_thash_f(uint8_t *output, const uint8_t input[SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Implements H: a hash function takes a 2*n-byte message as input and produces +// an n-byte output. +void spx_thash_h(uint8_t *output, const uint8_t input[2 * SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Implements Hmsg: a hash function used to generate the digest of the message +// to be signed. +void spx_thash_hmsg(uint8_t *output, const uint8_t r[SPX_N], + const uint8_t pk_seed[SPX_N], const uint8_t pk_root[SPX_N], + const uint8_t *msg, size_t msg_len); + +// Implements PRF: a pseudo-random function that is used to generate the secret +// values in WOTS+ and FORS private keys. 
+void spx_thash_prf(uint8_t *output, const uint8_t pk_seed[SPX_N], + const uint8_t sk_seed[SPX_N], uint8_t addr[32]); + +// Implements PRF: a pseudo-random function that is used to generate the +// randomizer r for the randomized hashing of the message to be signed. values +// in WOTS+ and FORS private keys. +void spx_thash_prfmsg(uint8_t *output, const uint8_t sk_prf[SPX_N], + const uint8_t opt_rand[SPX_N], const uint8_t *msg, + size_t msg_len); + +// Implements Tl: a hash function that maps an l*n-byte message to an n-byte +// message. +void spx_thash_tl(uint8_t *output, const uint8_t input[SPX_WOTS_BYTES], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Implements Tk: a hash function that maps a k*n-byte message to an n-byte +// message. +void spx_thash_tk(uint8_t *output, const uint8_t input[SPX_FORS_TREES * SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_THASH_H diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/wots.c b/Sources/CJWTKitBoringSSL/crypto/spx/wots.c new file mode 100644 index 00000000..b2d9d769 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/wots.c 
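Review bot: the comment on `spx_thash_prfmsg` ends with a fragment carried over from the `spx_thash_prf` comment above it (`... to be signed. values in WOTS+ and FORS private keys.`), and both comments open with `Implements PRF:` although this one is the PRFmsg function. Proposed replacement: `// Implements PRFmsg: a pseudo-random function used to generate the randomizer` followed by `// r for the randomized hashing of the message to be signed.`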
@@ -0,0 +1,135 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include +#include +#include + +#include "./address.h" +#include "./params.h" +#include "./spx_util.h" +#include "./thash.h" +#include "./wots.h" + +// Chaining function used in WOTS+. +static void chain(uint8_t *output, const uint8_t *input, uint32_t start, + uint32_t steps, const uint8_t *pub_seed, uint8_t addr[32]) { + memcpy(output, input, SPX_N); + + for (size_t i = start; i < (start + steps) && i < SPX_WOTS_W; ++i) { + spx_set_hash_addr(addr, i); + spx_thash_f(output, output, pub_seed, addr); + } +} + +void spx_wots_pk_from_sig(uint8_t *pk, const uint8_t *sig, const uint8_t *msg, + const uint8_t pub_seed[SPX_N], uint8_t addr[32]) { + uint8_t tmp[SPX_WOTS_BYTES]; + uint8_t wots_pk_addr[32]; + memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr)); + + // Convert message to base w + uint32_t base_w_msg[SPX_WOTS_LEN]; + spx_base_b(base_w_msg, SPX_WOTS_LEN1, msg, /*log2_b=*/SPX_WOTS_LOG_W); + + // Compute checksum + uint64_t csum = 0; + for (size_t i = 0; i < SPX_WOTS_LEN1; ++i) { + csum += SPX_WOTS_W - 1 - base_w_msg[i]; + } + + // Convert csum to base w as in Algorithm 7, Line 9 + uint8_t csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOG_W + 7) / 8]; + csum = csum << ((8 - 
((SPX_WOTS_LEN2 * SPX_WOTS_LOG_W)) % 8) % 8); + spx_uint64_to_len_bytes(csum_bytes, sizeof(csum_bytes), csum); + + // Write the base w representation of csum to the end of the message. + spx_base_b(base_w_msg + SPX_WOTS_LEN1, SPX_WOTS_LEN2, csum_bytes, + /*log2_b=*/SPX_WOTS_LOG_W); + + // Compute chains + for (size_t i = 0; i < SPX_WOTS_LEN; ++i) { + spx_set_chain_addr(addr, i); + chain(tmp + i * SPX_N, sig + i * SPX_N, base_w_msg[i], + SPX_WOTS_W - 1 - base_w_msg[i], pub_seed, addr); + } + + // Compress pk + spx_set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); + spx_copy_keypair_addr(wots_pk_addr, addr); + spx_thash_tl(pk, tmp, pub_seed, wots_pk_addr); +} + +void spx_wots_pk_gen(uint8_t *pk, const uint8_t sk_seed[SPX_N], + const uint8_t pub_seed[SPX_N], uint8_t addr[32]) { + uint8_t tmp[SPX_WOTS_BYTES]; + uint8_t tmp_sk[SPX_N]; + uint8_t wots_pk_addr[32], sk_addr[32]; + memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr)); + memcpy(sk_addr, addr, sizeof(sk_addr)); + + spx_set_type(sk_addr, SPX_ADDR_TYPE_WOTSPRF); + spx_copy_keypair_addr(sk_addr, addr); + + for (size_t i = 0; i < SPX_WOTS_LEN; ++i) { + spx_set_chain_addr(sk_addr, i); + spx_thash_prf(tmp_sk, pub_seed, sk_seed, sk_addr); + spx_set_chain_addr(addr, i); + chain(tmp + i * SPX_N, tmp_sk, 0, SPX_WOTS_W - 1, pub_seed, addr); + } + + // Compress pk + spx_set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); + spx_copy_keypair_addr(wots_pk_addr, addr); + spx_thash_tl(pk, tmp, pub_seed, wots_pk_addr); +} + +void spx_wots_sign(uint8_t *sig, const uint8_t msg[SPX_N], + const uint8_t sk_seed[SPX_N], const uint8_t pub_seed[SPX_N], + uint8_t addr[32]) { + // Convert message to base w + uint32_t base_w_msg[SPX_WOTS_LEN]; + spx_base_b(base_w_msg, SPX_WOTS_LEN1, msg, /*log2_b=*/SPX_WOTS_LOG_W); + + // Compute checksum + uint64_t csum = 0; + for (size_t i = 0; i < SPX_WOTS_LEN1; ++i) { + csum += SPX_WOTS_W - 1 - base_w_msg[i]; + } + + // Convert csum to base w as in Algorithm 6, Line 9 + uint8_t csum_bytes[(SPX_WOTS_LEN2 * 
SPX_WOTS_LOG_W + 7) / 8]; + csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOG_W)) % 8) % 8); + spx_uint64_to_len_bytes(csum_bytes, sizeof(csum_bytes), csum); + + // Write the base w representation of csum to the end of the message. + spx_base_b(base_w_msg + SPX_WOTS_LEN1, SPX_WOTS_LEN2, csum_bytes, + /*log2_b=*/SPX_WOTS_LOG_W); + + // Compute chains + uint8_t tmp_sk[SPX_N]; + uint8_t sk_addr[32]; + memcpy(sk_addr, addr, sizeof(sk_addr)); + spx_set_type(sk_addr, SPX_ADDR_TYPE_WOTSPRF); + spx_copy_keypair_addr(sk_addr, addr); + + for (size_t i = 0; i < SPX_WOTS_LEN; ++i) { + spx_set_chain_addr(sk_addr, i); + spx_thash_prf(tmp_sk, pub_seed, sk_seed, sk_addr); + spx_set_chain_addr(addr, i); + chain(sig + i * SPX_N, tmp_sk, 0, base_w_msg[i], pub_seed, addr); + } +} diff --git a/Sources/CJWTKitBoringSSL/crypto/spx/wots.h b/Sources/CJWTKitBoringSSL/crypto/spx/wots.h new file mode 100644 index 00000000..2d27766d --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/spx/wots.h 
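Review bot: `spx_wots_pk_from_sig` and `spx_wots_sign` repeat the same sequence — base-w conversion of `msg`, checksum, checksum shift, `spx_uint64_to_len_bytes`, and the second `spx_base_b` — including the easily mistyped shift expression `csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOG_W)) % 8) % 8)`. Extracting that shared prefix into a static helper that fills `base_w_msg` leaves one copy of the checksum arithmetic, so a future correction lands in both algorithms; the rewritten part is below. The helper is also the natural place to explain why the checksum is left-shifted before encoding, which the present comments leave to the reader. Unrelated: `spx_wots_pk_from_sig` takes `const uint8_t *msg` while `spx_wots_sign` takes `const uint8_t msg[SPX_N]`; both read `SPX_N` bytes, so the annotated form would be consistent.
```c
// Fills |base_w_msg| with the base-w digits of |msg| followed by the base-w
// digits of their checksum (the prefix shared by Algorithms 6 and 7).
static void wots_msg_to_base_w(uint32_t base_w_msg[SPX_WOTS_LEN],
                               const uint8_t msg[SPX_N]) {
  spx_base_b(base_w_msg, SPX_WOTS_LEN1, msg, /*log2_b=*/SPX_WOTS_LOG_W);

  uint64_t csum = 0;
  for (size_t i = 0; i < SPX_WOTS_LEN1; ++i) {
    csum += SPX_WOTS_W - 1 - base_w_msg[i];
  }

  // Left-align csum within the bytes that spx_base_b will consume so the
  // first SPX_WOTS_LEN2 base-w digits are the checksum digits.
  uint8_t csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOG_W + 7) / 8];
  csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOG_W)) % 8) % 8);
  spx_uint64_to_len_bytes(csum_bytes, sizeof(csum_bytes), csum);
  spx_base_b(base_w_msg + SPX_WOTS_LEN1, SPX_WOTS_LEN2, csum_bytes,
             /*log2_b=*/SPX_WOTS_LOG_W);
}

void spx_wots_pk_from_sig(uint8_t *pk, const uint8_t *sig, const uint8_t *msg,
                          const uint8_t pub_seed[SPX_N], uint8_t addr[32]) {
  // … unchanged: tmp / wots_pk_addr setup …
  uint32_t base_w_msg[SPX_WOTS_LEN];
  wots_msg_to_base_w(base_w_msg, msg);
  // … unchanged: chain computation and pk compression …
}

void spx_wots_sign(uint8_t *sig, const uint8_t msg[SPX_N],
                   const uint8_t sk_seed[SPX_N], const uint8_t pub_seed[SPX_N],
                   uint8_t addr[32]) {
  uint32_t base_w_msg[SPX_WOTS_LEN];
  wots_msg_to_base_w(base_w_msg, msg);
  // … unchanged: sk_addr setup and chain computation …
}
```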
@@ -0,0 +1,45 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_WOTS_H +#define OPENSSL_HEADER_CRYPTO_SPX_WOTS_H + +#include + +#include "./params.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Algorithm 5: Generate a WOTS+ public key. +void spx_wots_pk_gen(uint8_t *pk, const uint8_t sk_seed[SPX_N], + const uint8_t pub_seed[SPX_N], uint8_t addr[32]); + +// Algorithm 6: Generate a WOTS+ signature on an n-byte message. +void spx_wots_sign(uint8_t *sig, const uint8_t msg[SPX_N], + const uint8_t sk_seed[SPX_N], const uint8_t pub_seed[SPX_N], + uint8_t addr[32]); + +// Algorithm 7: Compute a WOTS+ public key from a message and its signature. +void spx_wots_pk_from_sig(uint8_t *pk, const uint8_t *sig, const uint8_t *msg, + const uint8_t pub_seed[SPX_N], uint8_t addr[32]); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_WOTS_H diff --git a/Sources/CJWTKitBoringSSL/crypto/stack/stack.c b/Sources/CJWTKitBoringSSL/crypto/stack/stack.c index ef576ed3..6d5aadf1 100644 --- a/Sources/CJWTKitBoringSSL/crypto/stack/stack.c +++ b/Sources/CJWTKitBoringSSL/crypto/stack/stack.c 
@@ -65,24 +65,35 @@ #include "../internal.h" +struct stack_st { + // num contains the number of valid pointers in |data|. + size_t num; + void **data; + // sorted is non-zero if the values pointed to by |data| are in ascending + // order, based on |comp|. + int sorted; + // num_alloc contains the number of pointers allocated in the buffer pointed + // to by |data|, which may be larger than |num|. + size_t num_alloc; + // comp is an optional comparison function. + OPENSSL_sk_cmp_func comp; +}; + // kMinSize is the number of pointers that will be initially allocated in a new // stack. static const size_t kMinSize = 4; -_STACK *sk_new(OPENSSL_sk_cmp_func comp) { - _STACK *ret = OPENSSL_malloc(sizeof(_STACK)); +OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_cmp_func comp) { + OPENSSL_STACK *ret = OPENSSL_zalloc(sizeof(OPENSSL_STACK)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(_STACK)); - ret->data = OPENSSL_malloc(sizeof(void *) * kMinSize); + ret->data = OPENSSL_calloc(kMinSize, sizeof(void *)); if (ret->data == NULL) { goto err; } - OPENSSL_memset(ret->data, 0, sizeof(void *) * kMinSize); - ret->comp = comp; ret->num_alloc = kMinSize; @@ -93,16 +104,16 @@ _STACK *sk_new(OPENSSL_sk_cmp_func comp) { return NULL; } -_STACK *sk_new_null(void) { return sk_new(NULL); } +OPENSSL_STACK *OPENSSL_sk_new_null(void) { return OPENSSL_sk_new(NULL); } -size_t sk_num(const _STACK *sk) { +size_t OPENSSL_sk_num(const OPENSSL_STACK *sk) { if (sk == NULL) { return 0; } return sk->num; } -void sk_zero(_STACK *sk) { +void OPENSSL_sk_zero(OPENSSL_STACK *sk) { if (sk == NULL || sk->num == 0) { return; } 
@@ -111,21 +122,21 @@ void sk_zero(_STACK *sk) { sk->sorted = 0; } -void *sk_value(const _STACK *sk, size_t i) { +void *OPENSSL_sk_value(const OPENSSL_STACK *sk, size_t i) { if (!sk || i >= sk->num) { return NULL; } return sk->data[i]; } -void *sk_set(_STACK *sk, size_t i, void *value) { +void *OPENSSL_sk_set(OPENSSL_STACK *sk, size_t i, void *value) { if (!sk || i >= sk->num) { return NULL; } return sk->data[i] = value; } -void sk_free(_STACK *sk) { +void OPENSSL_sk_free(OPENSSL_STACK *sk) { if (sk == NULL) { return; } @@ -133,8 +144,9 @@ void sk_free(_STACK *sk) { OPENSSL_free(sk); } -void sk_pop_free_ex(_STACK *sk, OPENSSL_sk_call_free_func call_free_func, - OPENSSL_sk_free_func free_func) { +void OPENSSL_sk_pop_free_ex(OPENSSL_STACK *sk, + OPENSSL_sk_call_free_func call_free_func, + OPENSSL_sk_free_func free_func) { if (sk == NULL) { return; } @@ -144,7 +156,7 @@ void sk_pop_free_ex(_STACK *sk, OPENSSL_sk_call_free_func call_free_func, call_free_func(free_func, sk->data[i]); } } - sk_free(sk); + OPENSSL_sk_free(sk); } // Historically, |sk_pop_free| called the function as |OPENSSL_sk_free_func| @@ -154,11 +166,11 @@ static void call_free_func_legacy(OPENSSL_sk_free_func func, void *ptr) { func(ptr); } -void sk_pop_free(_STACK *sk, OPENSSL_sk_free_func free_func) { - sk_pop_free_ex(sk, call_free_func_legacy, free_func); +void sk_pop_free(OPENSSL_STACK *sk, OPENSSL_sk_free_func free_func) { + OPENSSL_sk_pop_free_ex(sk, call_free_func_legacy, free_func); } -size_t sk_insert(_STACK *sk, void *p, size_t where) { +size_t OPENSSL_sk_insert(OPENSSL_STACK *sk, void *p, size_t where) { if (sk == NULL) { return 0; } @@ -208,7 +220,7 @@ size_t sk_insert(_STACK *sk, void *p, size_t where) { return sk->num; } -void *sk_delete(_STACK *sk, size_t where) { +void *OPENSSL_sk_delete(OPENSSL_STACK *sk, size_t where) { void *ret; if (!sk || where >= sk->num) { 
@@ -226,22 +238,23 @@ void *sk_delete(_STACK *sk, size_t where) { return ret; } -void *sk_delete_ptr(_STACK *sk, const void *p) { +void *OPENSSL_sk_delete_ptr(OPENSSL_STACK *sk, const void *p) { if (sk == NULL) { return NULL; } for (size_t i = 0; i < sk->num; i++) { if (sk->data[i] == p) { - return sk_delete(sk, i); + return OPENSSL_sk_delete(sk, i); } } return NULL; } -void sk_delete_if(_STACK *sk, OPENSSL_sk_call_delete_if_func call_func, - OPENSSL_sk_delete_if_func func, void *data) { +void OPENSSL_sk_delete_if(OPENSSL_STACK *sk, + OPENSSL_sk_call_delete_if_func call_func, + OPENSSL_sk_delete_if_func func, void *data) { if (sk == NULL) { return; } @@ -256,8 +269,8 @@ void sk_delete_if(_STACK *sk, OPENSSL_sk_call_delete_if_func call_func, sk->num = new_num; } -int sk_find(const _STACK *sk, size_t *out_index, const void *p, - OPENSSL_sk_call_cmp_func call_cmp_func) { +int OPENSSL_sk_find(const OPENSSL_STACK *sk, size_t *out_index, const void *p, + OPENSSL_sk_call_cmp_func call_cmp_func) { if (sk == NULL) { return 0; } @@ -279,10 +292,9 @@ int sk_find(const _STACK *sk, size_t *out_index, const void *p, return 0; } - if (!sk_is_sorted(sk)) { + if (!OPENSSL_sk_is_sorted(sk)) { for (size_t i = 0; i < sk->num; i++) { - const void *elem = sk->data[i]; - if (call_cmp_func(sk->comp, &p, &elem) == 0) { + if (call_cmp_func(sk->comp, p, sk->data[i]) == 0) { if (out_index) { *out_index = i; } @@ -301,8 +313,7 @@ int sk_find(const _STACK *sk, size_t *out_index, const void *p, // Bias |mid| towards |lo|. See the |r == 0| case below. size_t mid = lo + (hi - lo - 1) / 2; assert(lo <= mid && mid < hi); - const void *elem = sk->data[mid]; - int r = call_cmp_func(sk->comp, &p, &elem); + int r = call_cmp_func(sk->comp, p, sk->data[mid]); if (r > 0) { lo = mid + 1; // |mid| is too low. } else if (r < 0) { 
@@ -327,98 +338,134 @@ int sk_find(const _STACK *sk, size_t *out_index, const void *p, return 0; // Not found. } -void *sk_shift(_STACK *sk) { +void *OPENSSL_sk_shift(OPENSSL_STACK *sk) { if (sk == NULL) { return NULL; } if (sk->num == 0) { return NULL; } - return sk_delete(sk, 0); + return OPENSSL_sk_delete(sk, 0); } -size_t sk_push(_STACK *sk, void *p) { return (sk_insert(sk, p, sk->num)); } +size_t OPENSSL_sk_push(OPENSSL_STACK *sk, void *p) { + return OPENSSL_sk_insert(sk, p, sk->num); +} -void *sk_pop(_STACK *sk) { +void *OPENSSL_sk_pop(OPENSSL_STACK *sk) { if (sk == NULL) { return NULL; } if (sk->num == 0) { return NULL; } - return sk_delete(sk, sk->num - 1); + return OPENSSL_sk_delete(sk, sk->num - 1); } -_STACK *sk_dup(const _STACK *sk) { +OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk) { if (sk == NULL) { return NULL; } - _STACK *ret = OPENSSL_malloc(sizeof(_STACK)); + OPENSSL_STACK *ret = OPENSSL_zalloc(sizeof(OPENSSL_STACK)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(_STACK)); - ret->data = OPENSSL_malloc(sizeof(void *) * sk->num_alloc); + ret->data = OPENSSL_memdup(sk->data, sizeof(void *) * sk->num_alloc); if (ret->data == NULL) { goto err; } ret->num = sk->num; - OPENSSL_memcpy(ret->data, sk->data, sizeof(void *) * sk->num); ret->sorted = sk->sorted; ret->num_alloc = sk->num_alloc; ret->comp = sk->comp; return ret; err: - sk_free(ret); + OPENSSL_sk_free(ret); return NULL; } -#if defined(_MSC_VER) -struct sort_compare_ctx { - OPENSSL_sk_call_cmp_func call_cmp_func; - OPENSSL_sk_cmp_func cmp_func; -}; +static size_t parent_idx(size_t idx) { + assert(idx > 0); + return (idx - 1) / 2; +} + +static size_t left_idx(size_t idx) { + // The largest possible index is |PTRDIFF_MAX|, not |SIZE_MAX|. If + // |ptrdiff_t|, a signed type, is the same size as |size_t|, this cannot + // overflow. 
+ assert(idx <= PTRDIFF_MAX); + static_assert(PTRDIFF_MAX <= (SIZE_MAX - 1) / 2, "2 * idx + 1 may oveflow"); + return 2 * idx + 1; +} + +// down_heap fixes the subtree rooted at |i|. |i|'s children must each satisfy +// the heap property. Only the first |num| elements of |sk| are considered. +static void down_heap(OPENSSL_STACK *sk, OPENSSL_sk_call_cmp_func call_cmp_func, + size_t i, size_t num) { + assert(i < num && num <= sk->num); + for (;;) { + size_t left = left_idx(i); + if (left >= num) { + break; // No left child. + } + + // Swap |i| with the largest of its children. + size_t next = i; + if (call_cmp_func(sk->comp, sk->data[next], sk->data[left]) < 0) { + next = left; + } + size_t right = left + 1; // Cannot overflow because |left < num|. + if (right < num && + call_cmp_func(sk->comp, sk->data[next], sk->data[right]) < 0) { + next = right; + } + + if (i == next) { + break; // |i| is already larger than its children. + } -static int sort_compare(void *ctx_v, const void *a, const void *b) { - struct sort_compare_ctx *ctx = ctx_v; - return ctx->call_cmp_func(ctx->cmp_func, a, b); + void *tmp = sk->data[i]; + sk->data[i] = sk->data[next]; + sk->data[next] = tmp; + i = next; + } } -#endif -void sk_sort(_STACK *sk, OPENSSL_sk_call_cmp_func call_cmp_func) { +void OPENSSL_sk_sort(OPENSSL_STACK *sk, + OPENSSL_sk_call_cmp_func call_cmp_func) { if (sk == NULL || sk->comp == NULL || sk->sorted) { return; } if (sk->num >= 2) { -#if defined(_MSC_VER) - // MSVC's |qsort_s| is different from the C11 one. - // https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/qsort-s?view=msvc-170 - struct sort_compare_ctx ctx = {call_cmp_func, sk->comp}; - qsort_s(sk->data, sk->num, sizeof(void *), sort_compare, &ctx); -#else - // sk->comp is a function that takes pointers to pointers to elements, but - // qsort take a comparison function that just takes pointers to elements. 
- // However, since we're passing an array of pointers to qsort, we can just - // cast the comparison function and everything works. - // - // TODO(davidben): This is undefined behavior, but the call is in libc so, - // e.g., CFI does not notice. |qsort| is missing a void* parameter in its - // callback, while no one defines |qsort_r| or |qsort_s| consistently. See + // |qsort| lacks a context parameter in the comparison function for us to + // pass in |call_cmp_func| and |sk->comp|. While we could cast |sk->comp| to + // the expected type, it is undefined behavior in C can trip sanitizers. + // |qsort_r| and |qsort_s| avoid this, but using them is impractical. See // https://stackoverflow.com/a/39561369 - int (*comp_func)(const void *, const void *) = - (int (*)(const void *, const void *))(sk->comp); - qsort(sk->data, sk->num, sizeof(void *), comp_func); -#endif + // + // Use our own heap sort instead. This is not performance-sensitive, so we + // optimize for simplicity and size. First, build a max-heap in place. + for (size_t i = parent_idx(sk->num - 1); i < sk->num; i--) { + down_heap(sk, call_cmp_func, i, sk->num); + } + + // Iteratively remove the maximum element to populate the result in reverse. + for (size_t i = sk->num - 1; i > 0; i--) { + void *tmp = sk->data[0]; + sk->data[0] = sk->data[i]; + sk->data[i] = tmp; + down_heap(sk, call_cmp_func, 0, i); + } } sk->sorted = 1; } -int sk_is_sorted(const _STACK *sk) { +int OPENSSL_sk_is_sorted(const OPENSSL_STACK *sk) { if (!sk) { return 1; } @@ -426,7 +473,8 @@ int sk_is_sorted(const _STACK *sk) { return sk->sorted || (sk->comp != NULL && sk->num < 2); } -OPENSSL_sk_cmp_func sk_set_cmp_func(_STACK *sk, OPENSSL_sk_cmp_func comp) { +OPENSSL_sk_cmp_func OPENSSL_sk_set_cmp_func(OPENSSL_STACK *sk, + OPENSSL_sk_cmp_func comp) { OPENSSL_sk_cmp_func old = sk->comp; if (sk->comp != comp) { 
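Review bot: the heap-construction loop in `OPENSSL_sk_sort`, `for (size_t i = parent_idx(sk->num - 1); i < sk->num; i--)`, terminates only because `i` wraps to `SIZE_MAX` after the root is processed; unsigned wrap is well-defined, but the `i < sk->num` condition reads like an ordinary bound rather than the loop's exit, and a reader could "fix" it into an infinite loop. A one-line comment such as `// |i| wraps past zero after the root, which ends the loop.` above the `for` makes the intent explicit. Also, the static_assert message in `left_idx` reads `oveflow`; `overflow` is the intended word.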
@@ -437,11 +485,12 @@ OPENSSL_sk_cmp_func sk_set_cmp_func(_STACK *sk, OPENSSL_sk_cmp_func comp) { return old; } -_STACK *sk_deep_copy(const _STACK *sk, OPENSSL_sk_call_copy_func call_copy_func, - OPENSSL_sk_copy_func copy_func, - OPENSSL_sk_call_free_func call_free_func, - OPENSSL_sk_free_func free_func) { - _STACK *ret = sk_dup(sk); +OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk, + OPENSSL_sk_call_copy_func call_copy_func, + OPENSSL_sk_copy_func copy_func, + OPENSSL_sk_call_free_func call_free_func, + OPENSSL_sk_free_func free_func) { + OPENSSL_STACK *ret = OPENSSL_sk_dup(sk); if (ret == NULL) { return NULL; } @@ -457,10 +506,29 @@ _STACK *sk_deep_copy(const _STACK *sk, OPENSSL_sk_call_copy_func call_copy_func, call_free_func(free_func, ret->data[j]); } } - sk_free(ret); + OPENSSL_sk_free(ret); return NULL; } } return ret; } + +OPENSSL_STACK *sk_new_null(void) { return OPENSSL_sk_new_null(); } + +size_t sk_num(const OPENSSL_STACK *sk) { return OPENSSL_sk_num(sk); } + +void *sk_value(const OPENSSL_STACK *sk, size_t i) { + return OPENSSL_sk_value(sk, i); +} + +void sk_free(OPENSSL_STACK *sk) { OPENSSL_sk_free(sk); } + +size_t sk_push(OPENSSL_STACK *sk, void *p) { return OPENSSL_sk_push(sk, p); } + +void *sk_pop(OPENSSL_STACK *sk) { return OPENSSL_sk_pop(sk); } + +void sk_pop_free_ex(OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func, + OPENSSL_sk_free_func free_func) { + OPENSSL_sk_pop_free_ex(sk, call_free_func, free_func); +} diff --git a/Sources/CJWTKitBoringSSL/crypto/thread_none.c b/Sources/CJWTKitBoringSSL/crypto/thread_none.c index 4f07b9d9..e6f7d427 100644 --- a/Sources/CJWTKitBoringSSL/crypto/thread_none.c +++ b/Sources/CJWTKitBoringSSL/crypto/thread_none.c 
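Review bot: The unprefixed wrappers sk_new_null through sk_pop_free_ex added at the end of this hunk carry no comment explaining why two spellings of the same API now coexist, so a later cleanup could plausibly drop either set. A one-line header above `sk_new_null` would settle it, e.g. `// Unprefixed aliases kept for callers still using the pre-OPENSSL_sk_* names; new code should call the OPENSSL_sk_* functions directly.` — the purpose is inferred from the renames earlier in this file, so adjust the wording if they exist for another reason. Each wrapper is complete within the hunk.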
@@ -28,14 +28,6 @@ void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock) {} void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {} -void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) {} - -void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) {} - -void CRYPTO_STATIC_MUTEX_unlock_read(struct CRYPTO_STATIC_MUTEX *lock) {} - -void CRYPTO_STATIC_MUTEX_unlock_write(struct CRYPTO_STATIC_MUTEX *lock) {} - void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) { if (*once) { return; diff --git a/Sources/CJWTKitBoringSSL/crypto/thread_pthread.c b/Sources/CJWTKitBoringSSL/crypto/thread_pthread.c index 82cbbfe5..a40fbc00 100644 --- a/Sources/CJWTKitBoringSSL/crypto/thread_pthread.c +++ b/Sources/CJWTKitBoringSSL/crypto/thread_pthread.c 
@@ -23,67 +23,38 @@ #include #include -static_assert(sizeof(CRYPTO_MUTEX) >= sizeof(pthread_rwlock_t), - "CRYPTO_MUTEX is too small"); -static_assert(alignof(CRYPTO_MUTEX) >= alignof(pthread_rwlock_t), - "CRYPTO_MUTEX has insufficient alignment"); - void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_init((pthread_rwlock_t *) lock, NULL) != 0) { + if (pthread_rwlock_init(lock, NULL) != 0) { abort(); } } void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_rdlock((pthread_rwlock_t *) lock) != 0) { + if (pthread_rwlock_rdlock(lock) != 0) { abort(); } } void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_wrlock((pthread_rwlock_t *) lock) != 0) { + if (pthread_rwlock_wrlock(lock) != 0) { abort(); } } void CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_unlock((pthread_rwlock_t *) lock) != 0) { + if (pthread_rwlock_unlock(lock) != 0) { abort(); } } void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock) { - if (pthread_rwlock_unlock((pthread_rwlock_t *) lock) != 0) { + if (pthread_rwlock_unlock(lock) != 0) { abort(); } } void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) { - pthread_rwlock_destroy((pthread_rwlock_t *) lock); -} - -void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) { - if (pthread_rwlock_rdlock(&lock->lock) != 0) { - abort(); - } -} - -void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) { - if (pthread_rwlock_wrlock(&lock->lock) != 0) { - abort(); - } -} - -void CRYPTO_STATIC_MUTEX_unlock_read(struct CRYPTO_STATIC_MUTEX *lock) { - if (pthread_rwlock_unlock(&lock->lock) != 0) { - abort(); - } -} - -void CRYPTO_STATIC_MUTEX_unlock_write(struct CRYPTO_STATIC_MUTEX *lock) { - if (pthread_rwlock_unlock(&lock->lock) != 0) { - abort(); - } + pthread_rwlock_destroy(lock); } void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) { 
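Review bot: Dropping the two static_asserts together with the `(pthread_rwlock_t *)` casts means this file now relies on CRYPTO_MUTEX being defined in the header as pthread_rwlock_t itself, which the hunk cannot show; a mismatched typedef would at least draw an incompatible-pointer diagnostic on `pthread_rwlock_init(lock, NULL)`, so the practical risk is a vendoring skew between crypto/internal.h and these files. A short comment above `CRYPTO_MUTEX_init`, such as `// CRYPTO_MUTEX is typedef'd to pthread_rwlock_t in internal.h; no cast or size check is needed here.`, would record the assumption. The same applies to the SRWLOCK hunk in thread_win.c (`@@ -44,45 +39,29 @@`). Separately, `CRYPTO_MUTEX_cleanup` still ignores the return value of `pthread_rwlock_destroy` while every other function in the file aborts on failure; if that asymmetry is deliberate, a one-line comment saying so would help.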
diff --git a/Sources/CJWTKitBoringSSL/crypto/thread_win.c b/Sources/CJWTKitBoringSSL/crypto/thread_win.c index 57e4f9be..6daa8144 100644 --- a/Sources/CJWTKitBoringSSL/crypto/thread_win.c +++ b/Sources/CJWTKitBoringSSL/crypto/thread_win.c @@ -26,11 +26,6 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) #include #include -static_assert(sizeof(CRYPTO_MUTEX) >= sizeof(SRWLOCK), - "CRYPTO_MUTEX is too small"); -static_assert(alignof(CRYPTO_MUTEX) >= alignof(SRWLOCK), - "CRYPTO_MUTEX has insufficient alignment"); - static BOOL CALLBACK call_once_init(INIT_ONCE *once, void *arg, void **out) { void (**init)(void) = (void (**)(void))arg; (**init)(); 
@@ -44,45 +39,29 @@ void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) { } void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) { - InitializeSRWLock((SRWLOCK *) lock); + InitializeSRWLock(lock); } void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) { - AcquireSRWLockShared((SRWLOCK *) lock); + AcquireSRWLockShared(lock); } void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) { - AcquireSRWLockExclusive((SRWLOCK *) lock); + AcquireSRWLockExclusive(lock); } void CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock) { - ReleaseSRWLockShared((SRWLOCK *) lock); + ReleaseSRWLockShared(lock); } void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock) { - ReleaseSRWLockExclusive((SRWLOCK *) lock); + ReleaseSRWLockExclusive(lock); } void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) { // SRWLOCKs require no cleanup. } -void CRYPTO_STATIC_MUTEX_lock_read(struct CRYPTO_STATIC_MUTEX *lock) { - AcquireSRWLockShared(&lock->lock); -} - -void CRYPTO_STATIC_MUTEX_lock_write(struct CRYPTO_STATIC_MUTEX *lock) { - AcquireSRWLockExclusive(&lock->lock); -} - -void CRYPTO_STATIC_MUTEX_unlock_read(struct CRYPTO_STATIC_MUTEX *lock) { - ReleaseSRWLockShared(&lock->lock); -} - -void CRYPTO_STATIC_MUTEX_unlock_write(struct CRYPTO_STATIC_MUTEX *lock) { - ReleaseSRWLockExclusive(&lock->lock); -} - static SRWLOCK g_destructors_lock = SRWLOCK_INIT; static thread_local_destructor_t g_destructors[NUM_OPENSSL_THREAD_LOCALS]; diff --git a/Sources/CJWTKitBoringSSL/crypto/trust_token/pmbtoken.c b/Sources/CJWTKitBoringSSL/crypto/trust_token/pmbtoken.c index d715fcc7..759d1cd9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/trust_token/pmbtoken.c +++ b/Sources/CJWTKitBoringSSL/crypto/trust_token/pmbtoken.c 
@@ -62,17 +62,13 @@ typedef struct { static const uint8_t kDefaultAdditionalData[32] = {0}; -static int pmbtoken_init_method(PMBTOKEN_METHOD *method, int curve_nid, +static int pmbtoken_init_method(PMBTOKEN_METHOD *method, const EC_GROUP *group, const uint8_t *h_bytes, size_t h_len, hash_t_func_t hash_t, hash_s_func_t hash_s, hash_c_func_t hash_c, hash_to_scalar_func_t hash_to_scalar, int prefix_point) { - method->group = EC_GROUP_new_by_curve_name(curve_nid); - if (method->group == NULL) { - return 0; - } - + method->group = group; method->hash_t = hash_t; method->hash_s = hash_s; method->hash_c = hash_c; @@ -86,7 +82,7 @@ static int pmbtoken_init_method(PMBTOKEN_METHOD *method, int curve_nid, ec_affine_to_jacobian(method->group, &method->h, &h); if (!ec_init_precomp(method->group, &method->g_precomp, - &method->group->generator->raw) || + &method->group->generator.raw) || !ec_init_precomp(method->group, &method->h_precomp, &method->h)) { return 0; } @@ -160,7 +156,7 @@ static int cbs_get_prefixed_point(CBS *cbs, const EC_GROUP *group, return 0; } } else { - size_t plen = 1 + 2 * BN_num_bytes(&group->field); + size_t plen = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); if (!CBS_get_bytes(cbs, &child, plen)) { return 0; } @@ -201,7 +197,7 @@ static int pmbtoken_compute_keys(const PMBTOKEN_METHOD *method, } const EC_SCALAR *scalars[] = {x0, y0, x1, y1, xs, ys}; - size_t scalar_len = BN_num_bytes(&group->order); + size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group)); for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) { uint8_t *buf; if (!CBB_add_space(out_private, &buf, scalar_len)) { 
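Review bot: `method->group = group;` at the top of pmbtoken_init_method drops the NULL check that the old EC_GROUP_new_by_curve_name path had, and the stored pointer is handed to ec_affine_to_jacobian and ec_init_precomp a few lines later in `@@ -86,7 +82,7 @@`. If EC_group_p384() is guaranteed never to return NULL (it appears to be a static group accessor), that is fine but worth a line, e.g. `// |group| comes from a static group accessor and is never NULL.`; otherwise an early `if (group == NULL) { return 0; }` preserves the old failure behaviour. The function body continues past the end of this hunk.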
@@ -290,7 +286,7 @@ static int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method, const EC_GROUP *group = method->group; CBS cbs, tmp; CBS_init(&cbs, in, len); - size_t scalar_len = BN_num_bytes(&group->order); + size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group)); EC_SCALAR *scalars[] = {&key->x0, &key->y0, &key->x1, &key->y1, &key->xs, &key->ys}; for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) { @@ -390,7 +386,7 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_blind( static int scalar_to_cbb(CBB *out, const EC_GROUP *group, const EC_SCALAR *scalar) { uint8_t *buf; - size_t scalar_len = BN_num_bytes(&group->order); + size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group)); if (!CBB_add_space(out, &buf, scalar_len)) { return 0; } @@ -399,7 +395,7 @@ static int scalar_to_cbb(CBB *out, const EC_GROUP *group, } static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) { - size_t scalar_len = BN_num_bytes(&group->order); + size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group)); CBS tmp; if (!CBS_get_bytes(cbs, &tmp, scalar_len)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); @@ -679,7 +675,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs, const EC_JACOBIAN *S, const EC_JACOBIAN *W, const EC_JACOBIAN *Ws) { const EC_GROUP *group = method->group; - const EC_JACOBIAN *g = &group->generator->raw; + const EC_JACOBIAN *g = &group->generator.raw; // We verify a DLEQ proof for the validity token and a DLEQOR2 proof for the // private metadata token. To allow amortizing Jacobian-to-affine conversions, 
@@ -803,18 +799,12 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method, return 0; } - if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) || - num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return 0; - } - int ret = 0; - EC_JACOBIAN *Tps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Sps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Wps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Wsps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR)); + EC_JACOBIAN *Tps = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Sps = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Wps = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Wsps = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_SCALAR *es = OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); if (!Tps || @@ -912,7 +902,7 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method, } // Skip over any unused requests. - size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); size_t token_len = point_len; if (method->prefix_point) { token_len += 2; 
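Review bot: Removing the explicit `num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN)` guard makes allocation safety depend entirely on OPENSSL_calloc rejecting a product that overflows size_t; that function is not visible here, so confirm it checks `num > SIZE_MAX / size` before multiplying rather than computing `num * size` first. A side effect worth noting is that an oversized request now surfaces as an allocation failure instead of ERR_R_OVERFLOW, which changes the error a caller observes. The same removal appears in pmbtoken_unblind (`@@ -944,19 +934,13 @@`), voprf_sign_tt (`@@ -488,29 +477,23 @@`), voprf_unblind_tt (`@@ -587,23 +570,17 @@`), voprf_sign_impl (`@@ -873,22 +850,16 @@`) and voprf_unblind (`@@ -989,23 +960,17 @@`). pmbtoken_sign begins before this hunk and ends after it.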
@@ -944,19 +934,13 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind( return NULL; } - if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) || - count > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return NULL; - } - int ok = 0; STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null(); - EC_JACOBIAN *Tps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Sps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Wps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Wsps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR)); + EC_JACOBIAN *Tps = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Sps = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Wps = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Wsps = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_SCALAR *es = OPENSSL_calloc(count, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); if (ret == NULL || @@ -1015,7 +999,7 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind( // Serialize the token. Include |key_id| to avoid an extra copy in the layer // above. CBB token_cbb; - size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); if (!CBB_init(&token_cbb, 4 + TRUST_TOKEN_NONCE_SIZE + 3 * (2 + point_len)) || !CBB_add_u32(&token_cbb, key_id) || @@ -1230,7 +1214,7 @@ static void pmbtoken_exp1_init_method_impl(void) { }; pmbtoken_exp1_ok = pmbtoken_init_method( - &pmbtoken_exp1_method, NID_secp384r1, kH, sizeof(kH), + &pmbtoken_exp1_method, EC_group_p384(), kH, sizeof(kH), pmbtoken_exp1_hash_t, pmbtoken_exp1_hash_s, pmbtoken_exp1_hash_c, pmbtoken_exp1_hash_to_scalar, 1); } 
@@ -1403,7 +1387,7 @@ static void pmbtoken_exp2_init_method_impl(void) { }; pmbtoken_exp2_ok = pmbtoken_init_method( - &pmbtoken_exp2_method, NID_secp384r1, kH, sizeof(kH), + &pmbtoken_exp2_method, EC_group_p384(), kH, sizeof(kH), pmbtoken_exp2_hash_t, pmbtoken_exp2_hash_s, pmbtoken_exp2_hash_c, pmbtoken_exp2_hash_to_scalar, 0); } @@ -1577,7 +1561,7 @@ static void pmbtoken_pst1_init_method_impl(void) { }; pmbtoken_pst1_ok = pmbtoken_init_method( - &pmbtoken_pst1_method, NID_secp384r1, kH, sizeof(kH), + &pmbtoken_pst1_method, EC_group_p384(), kH, sizeof(kH), pmbtoken_pst1_hash_t, pmbtoken_pst1_hash_s, pmbtoken_pst1_hash_c, pmbtoken_pst1_hash_to_scalar, 0); } diff --git a/Sources/CJWTKitBoringSSL/crypto/trust_token/trust_token.c b/Sources/CJWTKitBoringSSL/crypto/trust_token/trust_token.c index f058bfd5..8e4363be 100644 --- a/Sources/CJWTKitBoringSSL/crypto/trust_token/trust_token.c +++ b/Sources/CJWTKitBoringSSL/crypto/trust_token/trust_token.c @@ -118,11 +118,10 @@ void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *pretoken) { } TRUST_TOKEN *TRUST_TOKEN_new(const uint8_t *data, size_t len) { - TRUST_TOKEN *ret = OPENSSL_malloc(sizeof(TRUST_TOKEN)); + TRUST_TOKEN *ret = OPENSSL_zalloc(sizeof(TRUST_TOKEN)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(TRUST_TOKEN)); ret->data = OPENSSL_memdup(data, len); if (len != 0 && ret->data == NULL) { OPENSSL_free(ret); @@ -205,11 +204,10 @@ TRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_new(const TRUST_TOKEN_METHOD *method, return NULL; } - TRUST_TOKEN_CLIENT *ret = OPENSSL_malloc(sizeof(TRUST_TOKEN_CLIENT)); + TRUST_TOKEN_CLIENT *ret = OPENSSL_zalloc(sizeof(TRUST_TOKEN_CLIENT)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(TRUST_TOKEN_CLIENT)); ret->method = method; ret->max_batchsize = (uint16_t)max_batchsize; return ret; 
@@ -446,11 +444,10 @@ TRUST_TOKEN_ISSUER *TRUST_TOKEN_ISSUER_new(const TRUST_TOKEN_METHOD *method, return NULL; } - TRUST_TOKEN_ISSUER *ret = OPENSSL_malloc(sizeof(TRUST_TOKEN_ISSUER)); + TRUST_TOKEN_ISSUER *ret = OPENSSL_zalloc(sizeof(TRUST_TOKEN_ISSUER)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(TRUST_TOKEN_ISSUER)); ret->method = method; ret->max_batchsize = (uint16_t)max_batchsize; return ret; diff --git a/Sources/CJWTKitBoringSSL/crypto/trust_token/voprf.c b/Sources/CJWTKitBoringSSL/crypto/trust_token/voprf.c index 3a36ddf8..6f1114e3 100644 --- a/Sources/CJWTKitBoringSSL/crypto/trust_token/voprf.c +++ b/Sources/CJWTKitBoringSSL/crypto/trust_token/voprf.c @@ -35,7 +35,7 @@ typedef int (*hash_to_scalar_func_t)(const EC_GROUP *group, EC_SCALAR *out, uint8_t *buf, size_t len); typedef struct { - const EC_GROUP *group; + const EC_GROUP *(*group_func)(void); // hash_to_group implements the HashToGroup operation for VOPRFs. It returns // one on success and zero on error. @@ -47,20 +47,6 @@ typedef struct { static const uint8_t kDefaultAdditionalData[32] = {0}; -static int voprf_init_method(VOPRF_METHOD *method, int curve_nid, - hash_to_group_func_t hash_to_group, - hash_to_scalar_func_t hash_to_scalar) { - method->group = EC_GROUP_new_by_curve_name(curve_nid); - if (method->group == NULL) { - return 0; - } - - method->hash_to_group = hash_to_group; - method->hash_to_scalar = hash_to_scalar; - - return 1; -} - static int cbb_add_point(CBB *out, const EC_GROUP *group, const EC_AFFINE *point) { uint8_t *p; @@ -83,7 +69,7 @@ static int cbb_serialize_point(CBB *out, const EC_GROUP *group, static int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) { CBS child; - size_t plen = 1 + 2 * BN_num_bytes(&group->field); + size_t plen = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); if (!CBS_get_bytes(cbs, &child, plen) || !ec_point_from_uncompressed(group, out, CBS_data(&child), CBS_len(&child))) { 
@@ -95,7 +81,7 @@ static int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) { static int scalar_to_cbb(CBB *out, const EC_GROUP *group, const EC_SCALAR *scalar) { uint8_t *buf; - size_t scalar_len = BN_num_bytes(&group->order); + size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group)); if (!CBB_add_space(out, &buf, scalar_len)) { return 0; } @@ -104,7 +90,7 @@ static int scalar_to_cbb(CBB *out, const EC_GROUP *group, } static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) { - size_t scalar_len = BN_num_bytes(&group->order); + size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group)); CBS tmp; if (!CBS_get_bytes(cbs, &tmp, scalar_len)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); @@ -117,7 +103,7 @@ static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) { static int voprf_calculate_key(const VOPRF_METHOD *method, CBB *out_private, CBB *out_public, const EC_SCALAR *priv) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); EC_JACOBIAN pub; EC_AFFINE pub_affine; if (!ec_point_mul_scalar_base(group, &pub, priv) || @@ -139,7 +125,8 @@ static int voprf_calculate_key(const VOPRF_METHOD *method, CBB *out_private, static int voprf_generate_key(const VOPRF_METHOD *method, CBB *out_private, CBB *out_public) { EC_SCALAR priv; - if (!ec_random_nonzero_scalar(method->group, &priv, kDefaultAdditionalData)) { + if (!ec_random_nonzero_scalar(method->group_func(), &priv, + kDefaultAdditionalData)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE); return 0; } 
@@ -162,7 +149,7 @@ static int voprf_derive_key_from_secret(const VOPRF_METHOD *method, !CBB_add_bytes(&cbb, kKeygenLabel, sizeof(kKeygenLabel)) || !CBB_add_bytes(&cbb, secret, secret_len) || !CBB_finish(&cbb, &buf, &len) || - !method->hash_to_scalar(method->group, &priv, buf, len)) { + !method->hash_to_scalar(method->group_func(), &priv, buf, len)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE); goto err; } @@ -178,7 +165,7 @@ static int voprf_derive_key_from_secret(const VOPRF_METHOD *method, static int voprf_client_key_from_bytes(const VOPRF_METHOD *method, TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, size_t len) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); if (!ec_point_from_uncompressed(group, &key->pubs, in, len)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return 0; @@ -190,7 +177,7 @@ static int voprf_client_key_from_bytes(const VOPRF_METHOD *method, static int voprf_issuer_key_from_bytes(const VOPRF_METHOD *method, TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, size_t len) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); if (!ec_scalar_from_bytes(group, &key->xs, in, len)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return 0; @@ -213,7 +200,7 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_blind(const VOPRF_METHOD *method, size_t msg_len) { SHA512_CTX hash_ctx; - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens = sk_TRUST_TOKEN_PRETOKEN_new_null(); if (pretokens == NULL) { @@ -280,6 +267,7 @@ static int hash_to_scalar_dleq(const VOPRF_METHOD *method, EC_SCALAR *out, const EC_AFFINE *K1) { static const uint8_t kDLEQLabel[] = "DLEQ"; + const EC_GROUP *group = method->group_func(); int ok = 0; CBB cbb; CBB_zero(&cbb); 
@@ -287,13 +275,13 @@ static int hash_to_scalar_dleq(const VOPRF_METHOD *method, EC_SCALAR *out, size_t len; if (!CBB_init(&cbb, 0) || !CBB_add_bytes(&cbb, kDLEQLabel, sizeof(kDLEQLabel)) || - !cbb_add_point(&cbb, method->group, X) || - !cbb_add_point(&cbb, method->group, T) || - !cbb_add_point(&cbb, method->group, W) || - !cbb_add_point(&cbb, method->group, K0) || - !cbb_add_point(&cbb, method->group, K1) || + !cbb_add_point(&cbb, group, X) || + !cbb_add_point(&cbb, group, T) || + !cbb_add_point(&cbb, group, W) || + !cbb_add_point(&cbb, group, K0) || + !cbb_add_point(&cbb, group, K1) || !CBB_finish(&cbb, &buf, &len) || - !method->hash_to_scalar(method->group, out, buf, len)) { + !method->hash_to_scalar(group, out, buf, len)) { goto err; } @@ -311,18 +299,19 @@ static int hash_to_scalar_challenge(const VOPRF_METHOD *method, EC_SCALAR *out, const EC_AFFINE *a3) { static const uint8_t kChallengeLabel[] = "Challenge"; + const EC_GROUP *group = method->group_func(); CBB cbb; uint8_t transcript[5 * EC_MAX_COMPRESSED + 2 + sizeof(kChallengeLabel) - 1]; size_t len; if (!CBB_init_fixed(&cbb, transcript, sizeof(transcript)) || - !cbb_serialize_point(&cbb, method->group, Bm) || - !cbb_serialize_point(&cbb, method->group, a0) || - !cbb_serialize_point(&cbb, method->group, a1) || - !cbb_serialize_point(&cbb, method->group, a2) || - !cbb_serialize_point(&cbb, method->group, a3) || + !cbb_serialize_point(&cbb, group, Bm) || + !cbb_serialize_point(&cbb, group, a0) || + !cbb_serialize_point(&cbb, group, a1) || + !cbb_serialize_point(&cbb, group, a2) || + !cbb_serialize_point(&cbb, group, a3) || !CBB_add_bytes(&cbb, kChallengeLabel, sizeof(kChallengeLabel) - 1) || !CBB_finish(&cbb, NULL, &len) || - !method->hash_to_scalar(method->group, out, transcript, len)) { + !method->hash_to_scalar(group, out, transcript, len)) { return 0; } 
@@ -348,7 +337,7 @@ static int hash_to_scalar_batch(const VOPRF_METHOD *method, EC_SCALAR *out, !CBB_add_bytes(&cbb, CBB_data(points), CBB_len(points)) || !CBB_add_u16(&cbb, (uint16_t)index) || !CBB_finish(&cbb, &buf, &len) || - !method->hash_to_scalar(method->group, out, buf, len)) { + !method->hash_to_scalar(method->group_func(), out, buf, len)) { goto err; } @@ -363,7 +352,7 @@ static int hash_to_scalar_batch(const VOPRF_METHOD *method, EC_SCALAR *out, static int dleq_generate(const VOPRF_METHOD *method, CBB *cbb, const TRUST_TOKEN_ISSUER_KEY *priv, const EC_JACOBIAN *T, const EC_JACOBIAN *W) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); enum { idx_T, @@ -429,7 +418,7 @@ static int mul_public_2(const EC_GROUP *group, EC_JACOBIAN *out, static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs, const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *T, const EC_JACOBIAN *W) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); enum { 
@@ -488,29 +477,23 @@ static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs, static int voprf_sign_tt(const VOPRF_METHOD *method, const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); if (num_requested < num_to_issue) { OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR); return 0; } - if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) || - num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return 0; - } - int ret = 0; - EC_JACOBIAN *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR)); + EC_JACOBIAN *BTs = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Zs = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_SCALAR *es = OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); if (!BTs || !Zs || !es || !CBB_init(&batch_cbb, 0) || - !cbb_add_point(&batch_cbb, method->group, &key->pubs)) { + !cbb_add_point(&batch_cbb, group, &key->pubs)) { goto err; } @@ -567,7 +550,7 @@ static int voprf_sign_tt(const VOPRF_METHOD *method, } // Skip over any unused requests. - size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); if (!CBS_skip(cbs, point_len * (num_requested - num_to_issue))) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); goto err; 
@@ -587,23 +570,17 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt( const VOPRF_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key, const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, uint32_t key_id) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); if (count > sk_TRUST_TOKEN_PRETOKEN_num(pretokens)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return NULL; } - if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) || - count > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return NULL; - } - int ok = 0; STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null(); - EC_JACOBIAN *BTs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Zs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR)); + EC_JACOBIAN *BTs = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Zs = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_SCALAR *es = OPENSSL_calloc(count, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); if (ret == NULL || @@ -611,7 +588,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt( Zs == NULL || es == NULL || !CBB_init(&batch_cbb, 0) || - !cbb_add_point(&batch_cbb, method->group, &key->pubs)) { + !cbb_add_point(&batch_cbb, group, &key->pubs)) { goto err; } @@ -645,7 +622,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt( // Serialize the token. Include |key_id| to avoid an extra copy in the layer // above. CBB token_cbb; - size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); if (!CBB_init(&token_cbb, 4 + TRUST_TOKEN_NONCE_SIZE + (2 + point_len)) || !CBB_add_u32(&token_cbb, key_id) || !CBB_add_bytes(&token_cbb, pretoken->salt, TRUST_TOKEN_NONCE_SIZE) || 
@@ -721,7 +698,7 @@ static void sha384_update_point_with_length( static int compute_composite_seed(const VOPRF_METHOD *method, uint8_t out[SHA384_DIGEST_LENGTH], const EC_AFFINE *pub) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); static const uint8_t kSeedDST[] = "Seed-OPRFV1-\x01-P384-SHA384"; SHA512_CTX hash_ctx; @@ -739,7 +716,7 @@ static int compute_composite_element(const VOPRF_METHOD *method, EC_SCALAR *di, size_t index, const EC_AFFINE *C, const EC_AFFINE *D) { static const uint8_t kCompositeLabel[] = "Composite"; - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); if (index > UINT16_MAX) { return 0; @@ -758,7 +735,7 @@ static int compute_composite_element(const VOPRF_METHOD *method, !CBB_add_bytes(&cbb, kCompositeLabel, sizeof(kCompositeLabel) - 1) || !CBB_finish(&cbb, NULL, &len) || - !method->hash_to_scalar(method->group, di, transcript, len)) { + !method->hash_to_scalar(group, di, transcript, len)) { return 0; } @@ -769,7 +746,7 @@ static int generate_proof(const VOPRF_METHOD *method, CBB *cbb, const TRUST_TOKEN_ISSUER_KEY *priv, const EC_SCALAR *r, const EC_JACOBIAN *M, const EC_JACOBIAN *Z) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); enum { idx_M, @@ -820,7 +797,7 @@ static int generate_proof(const VOPRF_METHOD *method, CBB *cbb, static int verify_proof(const VOPRF_METHOD *method, CBS *cbs, const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *M, const EC_JACOBIAN *Z) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); enum { idx_M, 
@@ -873,22 +850,16 @@ static int voprf_sign_impl(const VOPRF_METHOD *method, const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue, const EC_SCALAR *proof_scalar) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); if (num_requested < num_to_issue) { OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR); return 0; } - if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) || - num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return 0; - } - int ret = 0; - EC_JACOBIAN *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_SCALAR *dis = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR)); + EC_JACOBIAN *BTs = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Zs = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_SCALAR *dis = OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)); if (!BTs || !Zs || !dis) { goto err; } @@ -944,7 +915,7 @@ static int voprf_sign_impl(const VOPRF_METHOD *method, } // Skip over any unused requests. - size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); if (!CBS_skip(cbs, point_len * (num_requested - num_to_issue))) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); goto err; @@ -963,7 +934,7 @@ static int voprf_sign(const VOPRF_METHOD *method, const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue) { EC_SCALAR proof_scalar; - if (!ec_random_nonzero_scalar(method->group, &proof_scalar, + if (!ec_random_nonzero_scalar(method->group_func(), &proof_scalar, kDefaultAdditionalData)) { return 0; } 
@@ -977,8 +948,8 @@ static int voprf_sign_with_proof_scalar_for_testing( CBS *cbs, size_t num_requested, size_t num_to_issue, const uint8_t *proof_scalar_buf, size_t proof_scalar_len) { EC_SCALAR proof_scalar; - if (!ec_scalar_from_bytes(method->group, &proof_scalar, proof_scalar_buf, - proof_scalar_len)) { + if (!ec_scalar_from_bytes(method->group_func(), &proof_scalar, + proof_scalar_buf, proof_scalar_len)) { return 0; } return voprf_sign_impl(method, key, cbb, cbs, num_requested, num_to_issue, @@ -989,23 +960,17 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind( const VOPRF_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key, const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count, uint32_t key_id) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); if (count > sk_TRUST_TOKEN_PRETOKEN_num(pretokens)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return NULL; } - if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) || - count > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return NULL; - } - int ok = 0; STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null(); - EC_JACOBIAN *BTs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Zs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_SCALAR *dis = OPENSSL_malloc(count * sizeof(EC_SCALAR)); + EC_JACOBIAN *BTs = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Zs = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_SCALAR *dis = OPENSSL_calloc(count, sizeof(EC_SCALAR)); if (ret == NULL || !BTs || !Zs || !dis) { goto err; } 
@@ -1044,7 +1009,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind( // Serialize the token. Include |key_id| to avoid an extra copy in the layer // above. CBB token_cbb; - size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED); if (!CBB_init(&token_cbb, 4 + TRUST_TOKEN_NONCE_SIZE + (2 + point_len)) || !CBB_add_u32(&token_cbb, key_id) || !CBB_add_bytes(&token_cbb, pretoken->salt, TRUST_TOKEN_NONCE_SIZE) || @@ -1099,7 +1064,7 @@ static int voprf_read(const VOPRF_METHOD *method, uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], const uint8_t *token, size_t token_len, int include_message, const uint8_t *msg, size_t msg_len) { - const EC_GROUP *group = method->group; + const EC_GROUP *group = method->group_func(); CBS cbs, salt; CBS_init(&cbs, token, token_len); EC_AFFINE Ws; 
@@ -1154,57 +1119,27 @@ static int voprf_exp2_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
       group, out, kHashCLabel, sizeof(kHashCLabel), buf, len);
 }
 
-static int voprf_exp2_ok = 0;
-static VOPRF_METHOD voprf_exp2_method;
-static CRYPTO_once_t voprf_exp2_method_once = CRYPTO_ONCE_INIT;
-
-static void voprf_exp2_init_method_impl(void) {
-  voprf_exp2_ok =
-      voprf_init_method(&voprf_exp2_method, NID_secp384r1,
-                        voprf_exp2_hash_to_group, voprf_exp2_hash_to_scalar);
-}
-
-static int voprf_exp2_init_method(void) {
-  CRYPTO_once(&voprf_exp2_method_once, voprf_exp2_init_method_impl);
-  if (!voprf_exp2_ok) {
-    OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);
-    return 0;
-  }
-  return 1;
-}
+static VOPRF_METHOD voprf_exp2_method = {
+    EC_group_p384, voprf_exp2_hash_to_group, voprf_exp2_hash_to_scalar};
 
 int voprf_exp2_generate_key(CBB *out_private, CBB *out_public) {
-  if (!voprf_exp2_init_method()) {
-    return 0;
-  }
-
   return voprf_generate_key(&voprf_exp2_method, out_private, out_public);
 }
 
 int voprf_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public,
                                       const uint8_t *secret, size_t secret_len) {
-  if (!voprf_exp2_init_method()) {
-    return 0;
-  }
-
   return voprf_derive_key_from_secret(&voprf_exp2_method, out_private,
                                       out_public, secret, secret_len);
 }
 
 int voprf_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,
                                      const uint8_t *in, size_t len) {
-  if (!voprf_exp2_init_method()) {
-    return 0;
-  }
   return voprf_client_key_from_bytes(&voprf_exp2_method, key, in, len);
 }
 
 int voprf_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,
                                      const uint8_t *in, size_t len) {
-  if (!voprf_exp2_init_method()) {
-    return 0;
-  }
   return voprf_issuer_key_from_bytes(&voprf_exp2_method, key, in, len);
 }
 
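Review bot: `voprf_exp2_method` is now a fully compile-time-initialized table of function pointers, yet it is still declared as a writable static; every consumer visible in this diff takes `const VOPRF_METHOD *`, so `static const VOPRF_METHOD voprf_exp2_method = {` would let the linker place the pointer table in read-only storage, which is the usual hardening for static dispatch tables. The same applies to `voprf_pst1_method` in the corresponding hunk further down. If some code outside this view still writes to these structs the `const` will not compile, which would itself be useful to learn.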
@@ -1212,9 +1147,6 @@ STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_exp2_blind(CBB *cbb, size_t count,
                                                   int include_message,
                                                   const uint8_t *msg,
                                                   size_t msg_len) {
-  if (!voprf_exp2_init_method()) {
-    return NULL;
-  }
   return voprf_blind(&voprf_exp2_method, cbb, count, include_message, msg,
                      msg_len);
 }
@@ -1222,7 +1154,7 @@ STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_exp2_blind(CBB *cbb, size_t count,
 int voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
                     size_t num_requested, size_t num_to_issue,
                     uint8_t private_metadata) {
-  if (!voprf_exp2_init_method() || private_metadata != 0) {
+  if (private_metadata != 0) {
     return 0;
   }
   return voprf_sign_tt(&voprf_exp2_method, key, cbb, cbs, num_requested,
@@ -1233,9 +1165,6 @@ STACK_OF(TRUST_TOKEN) *voprf_exp2_unblind(
     const TRUST_TOKEN_CLIENT_KEY *key,
     const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
     uint32_t key_id) {
-  if (!voprf_exp2_init_method()) {
-    return NULL;
-  }
   return voprf_unblind_tt(&voprf_exp2_method, key, pretokens, cbs, count,
                           key_id);
 }
@@ -1245,9 +1174,6 @@ int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
                     uint8_t *out_private_metadata, const uint8_t *token,
                     size_t token_len, int include_message, const uint8_t *msg,
                     size_t msg_len) {
-  if (!voprf_exp2_init_method()) {
-    return 0;
-  }
   return voprf_read(&voprf_exp2_method, key, out_nonce, token, token_len,
                     include_message, msg, msg_len);
 }
@@ -1269,57 +1195,27 @@ static int voprf_pst1_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
       sizeof(kHashCLabel) - 1, buf, len);
 }
 
-static int voprf_pst1_ok = 0;
-static VOPRF_METHOD voprf_pst1_method;
-static CRYPTO_once_t voprf_pst1_method_once = CRYPTO_ONCE_INIT;
-
-static void voprf_pst1_init_method_impl(void) {
-  voprf_pst1_ok =
-      voprf_init_method(&voprf_pst1_method, NID_secp384r1,
-                        voprf_pst1_hash_to_group, voprf_pst1_hash_to_scalar);
-}
-
-static int voprf_pst1_init_method(void) {
-  CRYPTO_once(&voprf_pst1_method_once, voprf_pst1_init_method_impl);
-  if (!voprf_pst1_ok) {
-    OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);
-    return 0;
-  }
-  return 1;
-}
+static VOPRF_METHOD voprf_pst1_method = {
+    EC_group_p384, voprf_pst1_hash_to_group, voprf_pst1_hash_to_scalar};
 
 int voprf_pst1_generate_key(CBB *out_private, CBB *out_public) {
-  if (!voprf_pst1_init_method()) {
-    return 0;
-  }
-
   return voprf_generate_key(&voprf_pst1_method, out_private, out_public);
 }
 
 int voprf_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public,
                                       const uint8_t *secret, size_t secret_len) {
-  if (!voprf_pst1_init_method()) {
-    return 0;
-  }
-
   return voprf_derive_key_from_secret(&voprf_pst1_method, out_private,
                                       out_public, secret, secret_len);
 }
 
 int voprf_pst1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,
                                      const uint8_t *in, size_t len) {
-  if (!voprf_pst1_init_method()) {
-    return 0;
-  }
   return voprf_client_key_from_bytes(&voprf_pst1_method, key, in, len);
 }
 
 int voprf_pst1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,
                                      const uint8_t *in, size_t len) {
-  if (!voprf_pst1_init_method()) {
-    return 0;
-  }
   return voprf_issuer_key_from_bytes(&voprf_pst1_method, key, in, len);
 }
 
@@ -1327,9 +1223,6 @@ STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_pst1_blind(CBB *cbb, size_t count,
                                                   int include_message,
                                                   const uint8_t *msg,
                                                   size_t msg_len) {
-  if (!voprf_pst1_init_method()) {
-    return NULL;
-  }
   return voprf_blind(&voprf_pst1_method, cbb, count, include_message, msg,
                      msg_len);
 }
@@ -1337,7 +1230,7 @@ STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_pst1_blind(CBB *cbb, size_t count,
 int voprf_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,
                     size_t num_requested, size_t num_to_issue,
                     uint8_t private_metadata) {
-  if (!voprf_pst1_init_method() || private_metadata != 0) {
+  if (private_metadata != 0) {
     return 0;
   }
   return voprf_sign(&voprf_pst1_method, key, cbb, cbs, num_requested,
@@ -1349,7 +1242,7 @@ int voprf_pst1_sign_with_proof_scalar_for_testing(
     const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested,
     size_t num_to_issue, uint8_t private_metadata,
     const uint8_t *proof_scalar_buf, size_t proof_scalar_len) {
-  if (!voprf_pst1_init_method() || private_metadata != 0) {
+  if (private_metadata != 0) {
     return 0;
   }
   return voprf_sign_with_proof_scalar_for_testing(
@@ -1361,9 +1254,6 @@ STACK_OF(TRUST_TOKEN) *voprf_pst1_unblind(
     const TRUST_TOKEN_CLIENT_KEY *key,
     const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,
     uint32_t key_id) {
-  if (!voprf_pst1_init_method()) {
-    return NULL;
-  }
   return voprf_unblind(&voprf_pst1_method, key, pretokens, cbs, count, key_id);
 }
 
@@ -1372,9 +1262,6 @@ int voprf_pst1_read(const TRUST_TOKEN_ISSUER_KEY *key,
                     uint8_t *out_private_metadata, const uint8_t *token,
                     size_t token_len, int include_message, const uint8_t *msg,
                     size_t msg_len) {
-  if (!voprf_pst1_init_method()) {
-    return 0;
-  }
   return voprf_read(&voprf_pst1_method, key, out_nonce, token, token_len,
                     include_message, msg, msg_len);
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/algorithm.c b/Sources/CJWTKitBoringSSL/crypto/x509/algorithm.c
index 58ff88db..d19c5007 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/algorithm.c
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/algorithm.c
@@ -116,8 +116,7 @@ int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor) {
   // it.
   int paramtype =
       (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) ? V_ASN1_NULL : V_ASN1_UNDEF;
-  X509_ALGOR_set0(algor, OBJ_nid2obj(sign_nid), paramtype, NULL);
-  return 1;
+  return X509_ALGOR_set0(algor, OBJ_nid2obj(sign_nid), paramtype, NULL);
 }
 
 int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/asn1_gen.c b/Sources/CJWTKitBoringSSL/crypto/x509/asn1_gen.c
index 04e5a8c8..e980eefb 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/asn1_gen.c
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/asn1_gen.c
@@ -65,11 +65,9 @@
 #include
 #include
 #include
-#include
 
 #include "../conf/internal.h"
 #include "../internal.h"
-#include "../x509v3/internal.h"
 #include "internal.h"
 
 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c b/Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c
index cce414de..db190f8d 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c
@@ -54,6 +54,7 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.] */
 
+#include
 #include
 #include
 #include
@@ -64,13 +65,11 @@
 #include
 #include
 
-#if !defined(OPENSSL_TRUSTY)
-
 #include "../internal.h"
 #include "internal.h"
 
 typedef struct lookup_dir_hashes_st {
-  unsigned long hash;
+  uint32_t hash;
   int suffix;
 } BY_DIR_HASH;
 
@@ -81,7 +80,6 @@ typedef struct lookup_dir_entry_st {
 } BY_DIR_ENTRY;
 
 typedef struct lookup_dir_st {
-  BUF_MEM *buffer;
   STACK_OF(BY_DIR_ENTRY) *dirs;
 } BY_DIR;
 
@@ -95,17 +93,16 @@ static void free_dir(X509_LOOKUP *lu);
 static int add_cert_dir(BY_DIR *ctx, const char *dir, int type);
 static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
                                X509_OBJECT *ret);
-static X509_LOOKUP_METHOD x509_dir_lookup = {
-    "Load certs from files in a directory",
+static const X509_LOOKUP_METHOD x509_dir_lookup = {
     new_dir,              // new
     free_dir,             // free
-    NULL,                 // init
-    NULL,                 // shutdown
     dir_ctrl,             // ctrl
     get_cert_by_subject,  // get_by_subject
 };
 
-X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void) { return &x509_dir_lookup; }
+const X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void) {
+  return &x509_dir_lookup;
+}
 
 static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
                     char **retp) {
@@ -141,10 +138,6 @@ static int new_dir(X509_LOOKUP *lu) {
   if ((a = (BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL) {
     return 0;
   }
-  if ((a->buffer = BUF_MEM_new()) == NULL) {
-    OPENSSL_free(a);
-    return 0;
-  }
   a->dirs = NULL;
   lu->method_data = a;
   return 1;
@@ -175,7 +168,6 @@ static void free_dir(X509_LOOKUP *lu) {
   BY_DIR *a = lu->method_data;
   if (a != NULL) {
     sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);
-    BUF_MEM_free(a->buffer);
     OPENSSL_free(a);
   }
 }
@@ -238,7 +230,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) {
 
 // g_ent_hashes_lock protects the |hashes| member of all |BY_DIR_ENTRY|
 // objects.
-static struct CRYPTO_STATIC_MUTEX g_ent_hashes_lock = CRYPTO_STATIC_MUTEX_INIT;
+static CRYPTO_MUTEX g_ent_hashes_lock = CRYPTO_MUTEX_INIT;
 
 static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
                                X509_OBJECT *ret) {
@@ -255,8 +247,8 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
   int ok = 0;
   size_t i;
   int j, k;
-  unsigned long h;
-  unsigned long hash_array[2];
+  uint32_t h;
+  uint32_t hash_array[2];
   int hash_index;
   BUF_MEM *b = NULL;
   X509_OBJECT stmp, *tmp;
@@ -304,7 +296,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
       }
       if (type == X509_LU_CRL && ent->hashes) {
         htmp.hash = h;
-        CRYPTO_STATIC_MUTEX_lock_read(&g_ent_hashes_lock);
+        CRYPTO_MUTEX_lock_read(&g_ent_hashes_lock);
         if (sk_BY_DIR_HASH_find(ent->hashes, &idx, &htmp)) {
           hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
           k = hent->suffix;
@@ -312,14 +304,14 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
           hent = NULL;
           k = 0;
         }
-        CRYPTO_STATIC_MUTEX_unlock_read(&g_ent_hashes_lock);
+        CRYPTO_MUTEX_unlock_read(&g_ent_hashes_lock);
       } else {
         k = 0;
         hent = NULL;
       }
       for (;;) {
-        BIO_snprintf(b->data, b->max, "%s/%08lx.%s%d", ent->dir, h, postfix,
-                     k);
+        snprintf(b->data, b->max, "%s/%08" PRIx32 ".%s%d", ent->dir, h, postfix,
+                 k);
 #ifndef OPENSSL_NO_POSIX_IO
 #if defined(_WIN32) && !defined(stat)
 #define stat _stat
@@ -357,7 +349,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
 
         // If a CRL, update the last file suffix added for this
         if (type == X509_LU_CRL) {
-          CRYPTO_STATIC_MUTEX_lock_write(&g_ent_hashes_lock);
+          CRYPTO_MUTEX_lock_write(&g_ent_hashes_lock);
           // Look for entry again in case another thread added an entry
           // first.
           if (!hent) {
@@ -370,14 +362,14 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
           if (!hent) {
             hent = OPENSSL_malloc(sizeof(BY_DIR_HASH));
             if (hent == NULL) {
-              CRYPTO_STATIC_MUTEX_unlock_write(&g_ent_hashes_lock);
+              CRYPTO_MUTEX_unlock_write(&g_ent_hashes_lock);
               ok = 0;
               goto finish;
             }
             hent->hash = h;
             hent->suffix = k;
             if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {
-              CRYPTO_STATIC_MUTEX_unlock_write(&g_ent_hashes_lock);
+              CRYPTO_MUTEX_unlock_write(&g_ent_hashes_lock);
               OPENSSL_free(hent);
               ok = 0;
               goto finish;
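Review bot: The return value of the new `snprintf` call inside the `for (;;)` loop is still discarded, so if `ent->dir` plus the eight hex digits, `postfix` and the suffix do not fit in `b->max` the path is silently truncated and a different file than intended is probed. If `b` is grown to exactly the required length earlier in get_cert_by_subject (that code is outside this hunk) a comment saying so next to the call is enough; otherwise check the result, e.g. `int n = snprintf(b->data, b->max, "%s/%08" PRIx32 ".%s%d", ent->dir, h, postfix, k);` followed by `if (n < 0 || (size_t)n >= b->max) { ok = 0; goto finish; }`, reusing the function's existing error exit. get_cert_by_subject begins and ends outside this hunk.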
@@ -387,7 +379,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
             hent->suffix = k;
           }
 
-          CRYPTO_STATIC_MUTEX_unlock_write(&g_ent_hashes_lock);
+          CRYPTO_MUTEX_unlock_write(&g_ent_hashes_lock);
         }
 
         if (tmp != NULL) {
@@ -410,4 +402,6 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
   return ok;
 }
 
-#endif // OPENSSL_TRUSTY
+int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *name, int type) {
+  return X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, name, type, NULL);
+}
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/by_file.c b/Sources/CJWTKitBoringSSL/crypto/x509/by_file.c
index c8556b31..25397a8f 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/by_file.c
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/by_file.c
@@ -62,53 +62,38 @@
 
 #include "internal.h"
 
-#ifndef OPENSSL_NO_STDIO
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
                         char **ret);
-static X509_LOOKUP_METHOD x509_file_lookup = {
-    "Load file into cache",
+static const X509_LOOKUP_METHOD x509_file_lookup = {
     NULL,          // new
     NULL,          // free
-    NULL,          // init
-    NULL,          // shutdown
     by_file_ctrl,  // ctrl
     NULL,          // get_by_subject
 };
 
-X509_LOOKUP_METHOD *X509_LOOKUP_file(void) { return &x509_file_lookup; }
+const X509_LOOKUP_METHOD *X509_LOOKUP_file(void) { return &x509_file_lookup; }
 
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
                         char **ret) {
-  int ok = 0;
-  const char *file;
-
-  switch (cmd) {
-    case X509_L_FILE_LOAD:
-      if (argl == X509_FILETYPE_DEFAULT) {
-        file = getenv(X509_get_default_cert_file_env());
-        if (file) {
-          ok = (X509_load_cert_crl_file(ctx, file, X509_FILETYPE_PEM) != 0);
-        }
-
-        else {
-          ok = (X509_load_cert_crl_file(ctx, X509_get_default_cert_file(),
-                                        X509_FILETYPE_PEM) != 0);
-        }
-
-        if (!ok) {
-          OPENSSL_PUT_ERROR(X509, X509_R_LOADING_DEFAULTS);
-        }
-      } else {
-        if (argl == X509_FILETYPE_PEM) {
-          ok = (X509_load_cert_crl_file(ctx, argp, X509_FILETYPE_PEM) != 0);
-        } else {
-          ok = (X509_load_cert_file(ctx, argp, (int)argl) != 0);
-        }
-      }
-      break;
+  if (cmd != X509_L_FILE_LOAD) {
+    return 0;
+  }
+  const char *file = argp;
+  int type = argl;
+  if (argl == X509_FILETYPE_DEFAULT) {
+    if ((file = getenv(X509_get_default_cert_file_env())) == NULL) {
+      file = X509_get_default_cert_file();
+    }
+    type = X509_FILETYPE_PEM;
   }
-  return ok;
+  if (X509_load_cert_crl_file(ctx, file, type) != 0) {
+    return 1;
+  }
+  if (argl == X509_FILETYPE_DEFAULT) {
+    OPENSSL_PUT_ERROR(X509, X509_R_LOADING_DEFAULTS);
+  }
+  return 0;
 }
 
 int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) {
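Review bot: `int type = argl;` in the rewritten by_file_ctrl narrows a `long` to `int` implicitly, where the removed code spelled it `(int)argl`; keeping the explicit cast, `int type = (int)argl;`, records that the truncation is intended and keeps conversion-warning builds quiet. Separately, the non-default path now sends every type through `X509_load_cert_crl_file`, whereas the old code called `X509_load_cert_file` for anything other than `X509_FILETYPE_PEM`; that is equivalent only if `X509_load_cert_crl_file` itself forwards non-PEM types to `X509_load_cert_file`, which is defined below this hunk and worth confirming before relying on it.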
@@ -279,4 +264,6 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) {
   return count;
 }
 
-#endif // OPENSSL_NO_STDIO
+int X509_LOOKUP_load_file(X509_LOOKUP *lookup, const char *name, int type) {
+  return X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, name, type, NULL);
+}
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/ext_dat.h b/Sources/CJWTKitBoringSSL/crypto/x509/ext_dat.h
similarity index 100%
rename from Sources/CJWTKitBoringSSL/crypto/x509v3/ext_dat.h
rename to Sources/CJWTKitBoringSSL/crypto/x509/ext_dat.h
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/internal.h b/Sources/CJWTKitBoringSSL/crypto/x509/internal.h
index a9eb95a2..1183e6bd 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/internal.h
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/internal.h
@@ -64,6 +64,7 @@
 #include
 
 #include "../asn1/internal.h"
+#include "../internal.h"
 
 #if defined(__cplusplus)
 extern "C" {
@@ -85,18 +86,25 @@ struct X509_pubkey_st {
   EVP_PKEY *pkey;
 } /* X509_PUBKEY */;
 
+// X509_PUBKEY is an |ASN1_ITEM| whose ASN.1 type is SubjectPublicKeyInfo and C
+// type is |X509_PUBKEY*|.
+DECLARE_ASN1_ITEM(X509_PUBKEY)
+
 struct X509_name_entry_st {
   ASN1_OBJECT *object;
   ASN1_STRING *value;
   int set;
 } /* X509_NAME_ENTRY */;
 
+// X509_NAME_ENTRY is an |ASN1_ITEM| whose ASN.1 type is AttributeTypeAndValue
+// (RFC 5280) and C type is |X509_NAME_ENTRY*|.
+DECLARE_ASN1_ITEM(X509_NAME_ENTRY)
+
 // we always keep X509_NAMEs in 2 forms.
 struct X509_name_st {
   STACK_OF(X509_NAME_ENTRY) *entries;
   int modified;  // true if 'bytes' needs to be built
   BUF_MEM *bytes;
-  // unsigned long hash; Keep the hash around for lookups
   unsigned char *canon_enc;
   int canon_enclen;
 } /* X509_NAME */;
@@ -106,6 +114,10 @@ struct x509_attributes_st {
   STACK_OF(ASN1_TYPE) *set;
 } /* X509_ATTRIBUTE */;
 
+// X509_ATTRIBUTE is an |ASN1_ITEM| whose ASN.1 type is Attribute (RFC 2986) and
+// C type is |X509_ATTRIBUTE*|.
+DECLARE_ASN1_ITEM(X509_ATTRIBUTE)
+
 typedef struct x509_cert_aux_st {
   STACK_OF(ASN1_OBJECT) *trust;   // trusted uses
   STACK_OF(ASN1_OBJECT) *reject;  // rejected uses
@@ -121,6 +133,14 @@ struct X509_extension_st {
   ASN1_OCTET_STRING *value;
 } /* X509_EXTENSION */;
 
+// X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC
+// 5280) and C type is |X509_EXTENSION*|.
+DECLARE_ASN1_ITEM(X509_EXTENSION)
+
+// X509_EXTENSIONS is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE of Extension
+// (RFC 5280) and C type is |STACK_OF(X509_EXTENSION)*|.
+DECLARE_ASN1_ITEM(X509_EXTENSIONS)
+
 typedef struct {
   ASN1_INTEGER *version;  // [ 0 ] default of v1
   ASN1_INTEGER *serialNumber;
@@ -150,7 +170,6 @@ struct x509_st {
   uint32_t ex_flags;
   uint32_t ex_kusage;
   uint32_t ex_xkusage;
-  uint32_t ex_nscert;
   ASN1_OCTET_STRING *skid;
   AUTHORITY_KEYID *akid;
   STACK_OF(DIST_POINT) *crldp;
@@ -161,6 +180,10 @@ struct x509_st {
   CRYPTO_MUTEX lock;
 } /* X509 */;
 
+// X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C
+// type is |X509*|.
+DECLARE_ASN1_ITEM(X509)
+
 typedef struct {
   ASN1_ENCODING enc;
   ASN1_INTEGER *version;
@@ -180,16 +203,23 @@ struct X509_req_st {
   ASN1_BIT_STRING *signature;
 } /* X509_REQ */;
 
+// X509_REQ is an |ASN1_ITEM| whose ASN.1 type is CertificateRequest (RFC 2986)
+// and C type is |X509_REQ*|.
+DECLARE_ASN1_ITEM(X509_REQ)
+
 struct x509_revoked_st {
   ASN1_INTEGER *serialNumber;
   ASN1_TIME *revocationDate;
   STACK_OF(X509_EXTENSION) /* optional */ *extensions;
-  // Set up if indirect CRL
-  STACK_OF(GENERAL_NAME) *issuer;
   // Revocation reason
   int reason;
 } /* X509_REVOKED */;
 
+// X509_REVOKED is an |ASN1_ITEM| whose ASN.1 type is an element of the
+// revokedCertificates field of TBSCertList (RFC 5280) and C type is
+// |X509_REVOKED*|.
+DECLARE_ASN1_ITEM(X509_REVOKED)
+
 typedef struct {
   ASN1_INTEGER *version;
   X509_ALGOR *sig_alg;
@@ -205,6 +235,22 @@ typedef struct {
 // an |X509_NAME|.
 DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
 
+// Values in idp_flags field
+// IDP present
+#define IDP_PRESENT 0x1
+// IDP values inconsistent
+#define IDP_INVALID 0x2
+// onlyuser true
+#define IDP_ONLYUSER 0x4
+// onlyCA true
+#define IDP_ONLYCA 0x8
+// onlyattr true
+#define IDP_ONLYATTR 0x10
+// indirectCRL true
+#define IDP_INDIRECT 0x20
+// onlysomereasons present
+#define IDP_REASONS 0x40
+
 struct X509_crl_st {
   // actual signature
   X509_CRL_INFO *crl;
@@ -217,18 +263,23 @@ struct X509_crl_st {
   ISSUING_DIST_POINT *idp;
   // Convenient breakdown of IDP
   int idp_flags;
-  int idp_reasons;
-  // CRL and base CRL numbers for delta processing
-  ASN1_INTEGER *crl_number;
-  ASN1_INTEGER *base_crl_number;
   unsigned char crl_hash[SHA256_DIGEST_LENGTH];
-  STACK_OF(GENERAL_NAMES) *issuers;
 } /* X509_CRL */;
 
+// X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC
+// 5280) and C type is |X509_CRL*|.
+DECLARE_ASN1_ITEM(X509_CRL)
+
+// GENERAL_NAME is an |ASN1_ITEM| whose ASN.1 type is GeneralName and C type is
+// |GENERAL_NAME*|.
+DECLARE_ASN1_ITEM(GENERAL_NAME)
+
+// GENERAL_NAMES is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE OF GeneralName
+// and C type is |GENERAL_NAMES*|, aka |STACK_OF(GENERAL_NAME)*|.
+DECLARE_ASN1_ITEM(GENERAL_NAMES)
+
 struct X509_VERIFY_PARAM_st {
-  char *name;
   int64_t check_time;  // POSIX time to use
-  unsigned long inh_flags;  // Inheritance flags
   unsigned long flags;  // Various verify flags
   int purpose;  // purpose to check untrusted certificates
   int trust;  // trust setting to check
@@ -237,7 +288,6 @@ struct X509_VERIFY_PARAM_st {
   // The following fields specify acceptable peer identities.
   STACK_OF(OPENSSL_STRING) *hosts;  // Set of acceptable names
   unsigned int hostflags;  // Flags to control matching features
-  char *peername;  // Matching hostname in peer certificate
   char *email;  // If not NULL email address to match
   size_t emaillen;
   unsigned char *ip;  // If not NULL IP address to match
@@ -256,25 +306,31 @@ struct x509_object_st {
   } data;
 } /* X509_OBJECT */;
 
+// NETSCAPE_SPKI is an |ASN1_ITEM| whose ASN.1 type is
+// SignedPublicKeyAndChallenge and C type is |NETSCAPE_SPKI*|.
+DECLARE_ASN1_ITEM(NETSCAPE_SPKI)
+
+// NETSCAPE_SPKAC is an |ASN1_ITEM| whose ASN.1 type is PublicKeyAndChallenge
+// and C type is |NETSCAPE_SPKAC*|.
+DECLARE_ASN1_ITEM(NETSCAPE_SPKAC)
+
 // This is a static that defines the function interface
 struct x509_lookup_method_st {
-  const char *name;
   int (*new_item)(X509_LOOKUP *ctx);
   void (*free)(X509_LOOKUP *ctx);
-  int (*init)(X509_LOOKUP *ctx);
-  int (*shutdown)(X509_LOOKUP *ctx);
   int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
               char **ret);
   int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name,
                         X509_OBJECT *ret);
 } /* X509_LOOKUP_METHOD */;
 
+DEFINE_STACK_OF(X509_LOOKUP)
+
 // This is used to hold everything. It is used for all certificate
 // validation. Once we have a certificate chain, the 'verify'
 // function is then called to actually check the cert chain.
 struct x509_store_st {
   // The following is a cache of trusted certs
-  int cache;  // if true, stash any hits
   STACK_OF(X509_OBJECT) *objs;  // Cache of all objects
   CRYPTO_MUTEX objs_lock;
 
@@ -284,28 +340,16 @@ struct x509_store_st {
   X509_VERIFY_PARAM *param;
 
   // Callbacks for various operations
-  X509_STORE_CTX_verify_fn verify;  // called to verify a certificate
   X509_STORE_CTX_verify_cb verify_cb;  // error callback
-  X509_STORE_CTX_get_issuer_fn get_issuer;  // get issuers cert from ctx
-  X509_STORE_CTX_check_issued_fn check_issued;  // check issued
-  X509_STORE_CTX_check_revocation_fn
-      check_revocation;  // Check revocation status of chain
-  X509_STORE_CTX_get_crl_fn get_crl;  // retrieve CRL
-  X509_STORE_CTX_check_crl_fn check_crl;  // Check CRL validity
-  X509_STORE_CTX_cert_crl_fn cert_crl;  // Check certificate against CRL
-  X509_STORE_CTX_lookup_certs_fn lookup_certs;
-  X509_STORE_CTX_lookup_crls_fn lookup_crls;
-  X509_STORE_CTX_cleanup_fn cleanup;
+  X509_STORE_CTX_get_crl_fn get_crl;  // retrieve CRL
+  X509_STORE_CTX_check_crl_fn check_crl;  // Check CRL validity
 
   CRYPTO_refcount_t references;
 } /* X509_STORE */;
 
-
 // This is the functions plus an instance of the local variables.
 struct x509_lookup_st {
-  int init;  // have we been started
-  int skip;  // don't use us.
-  X509_LOOKUP_METHOD *method;  // the functions
+  const X509_LOOKUP_METHOD *method;  // the functions
   void *method_data;  // method data
   X509_STORE *store_ctx;  // who owns us
 
@@ -323,39 +367,28 @@ struct x509_store_ctx_st {
   STACK_OF(X509_CRL) *crls;  // set of CRLs passed in
 
   X509_VERIFY_PARAM *param;
-  void *other_ctx;  // Other info for use with get_issuer()
+
+  // trusted_stack, if non-NULL, is a set of trusted certificates to consider
+  // instead of those from |X509_STORE|.
+  STACK_OF(X509) *trusted_stack;
 
   // Callbacks for various operations
-  X509_STORE_CTX_verify_fn verify;  // called to verify a certificate
   X509_STORE_CTX_verify_cb verify_cb;  // error callback
-  X509_STORE_CTX_get_issuer_fn get_issuer;  // get issuers cert from ctx
-  X509_STORE_CTX_check_issued_fn check_issued;  // check issued
-  X509_STORE_CTX_check_revocation_fn
-      check_revocation;  // Check revocation status of chain
-  X509_STORE_CTX_get_crl_fn get_crl;  // retrieve CRL
-  X509_STORE_CTX_check_crl_fn check_crl;  // Check CRL validity
-  X509_STORE_CTX_cert_crl_fn cert_crl;  // Check certificate against CRL
-  X509_STORE_CTX_check_policy_fn check_policy;
-  X509_STORE_CTX_lookup_certs_fn lookup_certs;
-  X509_STORE_CTX_lookup_crls_fn lookup_crls;
-  X509_STORE_CTX_cleanup_fn cleanup;
+  X509_STORE_CTX_get_crl_fn get_crl;  // retrieve CRL
+  X509_STORE_CTX_check_crl_fn check_crl;  // Check CRL validity
 
   // The following is built up
-  int valid;  // if 0, rebuild chain
-  int last_untrusted;  // index of last untrusted cert
-  STACK_OF(X509) *chain;  // chain of X509s - built up and trusted
+  int last_untrusted;  // index of last untrusted cert
+  STACK_OF(X509) *chain;  // chain of X509s - built up and trusted
 
   // When something goes wrong, this is why
   int error_depth;
   int error;
   X509 *current_cert;
-  X509 *current_issuer;  // cert currently being tested as valid issuer
   X509_CRL *current_crl;  // current CRL
-  int current_crl_score;  // score of current CRL
-  unsigned int current_reasons;  // Reason mask
-
-  X509_STORE_CTX *parent;  // For CRL path validation: parent context
+  X509 *current_crl_issuer;  // issuer of current CRL
+  int current_crl_score;  // score of current CRL
 
   CRYPTO_EX_DATA ex_data;
 } /* X509_STORE_CTX */;
 
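Review bot: The new `current_crl_issuer` member of x509_store_ctx_st says what it points to but not who owns the reference, so a reader cannot tell whether the context's cleanup routine must release it or whether it merely aliases an element of `chain` or `untrusted`; a dangling or leaked `X509*` is the usual outcome of that ambiguity. Extend the comment with the ownership that the code setting it actually implements, e.g. `X509 *current_crl_issuer;  // issuer of current CRL; borrowed, not owned` if that is the case. The pre-existing `current_crl` has the same gap, but the new field is the one this change introduces.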
@@ -414,6 +447,147 @@ int X509_policy_check(const STACK_OF(X509) *certs,
                       const STACK_OF(ASN1_OBJECT) *user_policies,
                       unsigned long flags, X509 **out_current_cert);
 
+// x509_check_issued_with_callback calls |X509_check_issued|, but allows the
+// verify callback to override the result. It returns one on success and zero on
+// error.
+//
+// TODO(davidben): Reduce the scope of the verify callback and remove this. The
+// callback only runs with |X509_V_FLAG_CB_ISSUER_CHECK|, which is only used by
+// one internal project and rust-openssl, who use it by mistake.
+int x509_check_issued_with_callback(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+
+// x509v3_bytes_to_hex encodes |len| bytes from |in| to hex and returns a
+// newly-allocated NUL-terminated string containing the result, or NULL on
+// allocation error.
+//
+// This function was historically named |hex_to_string| in OpenSSL. Despite the
+// name, |hex_to_string| converted to hex.
+OPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len);
+
+// x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated
+// array containing the result, or NULL on error. On success, it sets |*len| to
+// the length of the result. Colon separators between bytes in the input are
+// allowed and ignored.
+//
+// This function was historically named |string_to_hex| in OpenSSL. Despite the
+// name, |string_to_hex| converted from hex.
+unsigned char *x509v3_hex_to_bytes(const char *str, size_t *len);
+
+// x509v3_conf_name_matches returns one if |name| is equal to |cmp| or begins
+// with |cmp| followed by '.', and zero otherwise.
+int x509v3_conf_name_matches(const char *name, const char *cmp);
+
+// x509v3_looks_like_dns_name returns one if |in| looks like a DNS name and zero
+// otherwise.
+OPENSSL_EXPORT int x509v3_looks_like_dns_name(const unsigned char *in,
+                                              size_t len);
+
+// x509v3_cache_extensions fills in a number of fields relating to X.509
+// extensions in |x|. It returns one on success and zero if some extensions were
+// invalid.
+OPENSSL_EXPORT int x509v3_cache_extensions(X509 *x);
+
+// x509v3_a2i_ipadd decodes |ipasc| as an IPv4 or IPv6 address. IPv6 addresses
+// use colon-separated syntax while IPv4 addresses use dotted decimal syntax. If
+// it decodes an IPv4 address, it writes the result to the first four bytes of
+// |ipout| and returns four. If it decodes an IPv6 address, it writes the result
+// to all 16 bytes of |ipout| and returns 16. Otherwise, it returns zero.
+int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc);
+
+// A |BIT_STRING_BITNAME| is used to contain a list of bit names.
+typedef struct {
+  int bitnum;
+  const char *lname;
+  const char *sname;
+} BIT_STRING_BITNAME;
+
+// x509V3_add_value_asn1_string appends a |CONF_VALUE| with the specified name
+// and value to |*extlist|. if |*extlist| is NULL, it sets |*extlist| to a
+// newly-allocated |STACK_OF(CONF_VALUE)| first. It returns one on success and
+// zero on error.
+int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,
+                                 STACK_OF(CONF_VALUE) **extlist);
+
+// X509V3_NAME_from_section adds attributes to |nm| by interpreting the
+// key/value pairs in |dn_sk|. It returns one on success and zero on error.
+// |chtype|, which should be one of |MBSTRING_*| constants, determines the
+// character encoding used to interpret values.
+int X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk,
+                             int chtype);
+
+// X509V3_bool_from_string decodes |str| as a boolean. On success, it returns
+// one and sets |*out_bool| to resulting value. Otherwise, it returns zero.
+int X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool);
+
+// X509V3_get_value_bool decodes |value| as a boolean. On success, it returns
+// one and sets |*out_bool| to the resulting value. Otherwise, it returns zero.
+int X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool);
+
+// X509V3_get_value_int decodes |value| as an integer. On success, it returns
+// one and sets |*aint| to the resulting value. Otherwise, it returns zero. If
+// |*aint| was non-NULL at the start of the function, it frees the previous
+// value before writing a new one.
+int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
+
+// X509V3_get_section behaves like |NCONF_get_section| but queries |ctx|'s
+// config database.
+const STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx,
+                                               const char *section);
+
+// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to
+// |*extlist|. It returns one on success and zero on error. If |*extlist| is
+// NULL, it sets |*extlist| to a newly-allocated |STACK_OF(CONF_VALUE)|
+// containing the result. Either |name| or |value| may be NULL to omit the
+// field.
+//
+// On failure, if |*extlist| was NULL, |*extlist| will remain NULL when the
+// function returns.
+int X509V3_add_value(const char *name, const char *value,
+                     STACK_OF(CONF_VALUE) **extlist);
+
+// X509V3_add_value_bool behaves like |X509V3_add_value| but stores the value
+// "TRUE" if |asn1_bool| is non-zero and "FALSE" otherwise.
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+                          STACK_OF(CONF_VALUE) **extlist);
+
+// X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string
+// representation of |aint|. Note this string representation may be decimal or
+// hexadecimal, depending on the size of |aint|.
+int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
+                         STACK_OF(CONF_VALUE) **extlist);
+
+STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
+
+#define X509V3_conf_err(val) \
+  ERR_add_error_data(6, "section:", (val)->section, ",name:", (val)->name, \
+                     ",value:", (val)->value);
+
+// GENERAL_NAME_cmp returns zero if |a| and |b| are equal and a non-zero
+// value otherwise. Note this function does not provide a comparison suitable
+// for sorting.
+//
+// This function is exported for testing.
+OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a,
+                                    const GENERAL_NAME *b);
+
+// X509_VERIFY_PARAM_lookup returns a pre-defined |X509_VERIFY_PARAM| named by
+// |name|, or NULL if no such name is defined.
+const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
+
+GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
+                               const X509V3_CTX *ctx, const CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+                                  const X509V3_EXT_METHOD *method,
+                                  const X509V3_CTX *ctx, const CONF_VALUE *cnf,
+                                  int is_nc);
+GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
+                                 const X509V3_CTX *ctx,
+                                 const STACK_OF(CONF_VALUE) *nval);
+
+// TODO(https://crbug.com/boringssl/407): Make |issuer| const once the
+// |X509_NAME| issue is resolved.
+int X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid);
+
 
 #if defined(__cplusplus)
 } // extern C
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/policy.c b/Sources/CJWTKitBoringSSL/crypto/x509/policy.c
index 9eb78613..d5d042c4 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/policy.c
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/policy.c
@@ -19,10 +19,8 @@
 #include
 #include
 #include
-#include
 
 #include "../internal.h"
-#include "../x509v3/internal.h"
 #include "internal.h"
 
 
@@ -107,11 +105,10 @@ static void x509_policy_node_free(X509_POLICY_NODE *node) {
 static X509_POLICY_NODE *x509_policy_node_new(const ASN1_OBJECT *policy) {
   assert(!is_any_policy(policy));
 
-  X509_POLICY_NODE *node = OPENSSL_malloc(sizeof(X509_POLICY_NODE));
+  X509_POLICY_NODE *node = OPENSSL_zalloc(sizeof(X509_POLICY_NODE));
   if (node == NULL) {
     return NULL;
   }
-  OPENSSL_memset(node, 0, sizeof(X509_POLICY_NODE));
   node->policy = OBJ_dup(policy);
   node->parent_policies = sk_ASN1_OBJECT_new_null();
   if (node->policy == NULL || node->parent_policies == NULL) {
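Review bot: Two of the comment blocks moved into this header name a different function than the declaration beneath them: the block reads `x509v3_hex_string_to_bytes` but declares `x509v3_hex_to_bytes`, and the block above `X509V3_add_value_int` begins `X509V3_add_value_bool behaves like ...`; both should be renamed to match, e.g. `// x509v3_hex_to_bytes decodes |str| in hex and returns a newly-allocated` and `// X509V3_add_value_int behaves like |X509V3_add_value| but stores a string`. Separately, the `X509V3_conf_err` macro body ends in `;`, so a call written `X509V3_conf_err(v);` expands to an extra empty statement and an unbraced `if (...) X509V3_conf_err(v); else ...` does not compile; dropping the trailing semicolon from the macro so callers supply their own, or wrapping the body in `do { ... } while (0)`, removes that hazard. `X509V3_parse_list` is the only declaration in the block without a comment describing ownership of the returned stack.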
@@ -134,11 +131,10 @@ static void x509_policy_level_free(X509_POLICY_LEVEL *level) { } static X509_POLICY_LEVEL *x509_policy_level_new(void) { - X509_POLICY_LEVEL *level = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL)); + X509_POLICY_LEVEL *level = OPENSSL_zalloc(sizeof(X509_POLICY_LEVEL)); if (level == NULL) { return NULL; } - OPENSSL_memset(level, 0, sizeof(X509_POLICY_LEVEL)); level->nodes = sk_X509_POLICY_NODE_new(x509_policy_node_cmp); if (level->nodes == NULL) { x509_policy_level_free(level); diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/rsa_pss.c b/Sources/CJWTKitBoringSSL/crypto/x509/rsa_pss.c index 65ab641e..21d188ce 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/rsa_pss.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/rsa_pss.c @@ -145,7 +145,9 @@ static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) { if (!*palg) { goto err; } - X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); + if (!X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp)) { + goto err; + } stmp = NULL; err: @@ -235,7 +237,9 @@ int x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor) { goto err; } - X509_ALGOR_set0(algor, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os); + if (!X509_ALGOR_set0(algor, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os)) { + goto err; + } os = NULL; ret = 1; diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c b/Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c index a073317f..8fca5212 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c @@ -61,7 +61,7 @@ #include #include #include -#include + int X509_CRL_print_fp(FILE *fp, X509_CRL *x) { BIO *b = BIO_new_fp(fp, BIO_NOCLOSE); diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/t_req.c b/Sources/CJWTKitBoringSSL/crypto/x509/t_req.c index b5bbd31a..ea7f20f1 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/t_req.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/t_req.c 
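Review bot: The new `goto err` after a failed `X509_ALGOR_set0` in `rsa_md_to_mgf1` (the `@@ -145` hunk) leaves `*palg` pointing at the `X509_ALGOR` allocated on the line just above, so unless the cleanup outside the hunk resets it the caller receives a half-initialised algorithm, and if the function's result is derived from `*palg` being non-NULL the failure is reported as success. Consider releasing it before jumping: `X509_ALGOR_free(*palg); *palg = NULL; goto err;`. The new path also assumes `X509_ALGOR_set0` does not take ownership of `stmp` on failure, since `stmp` is cleared only on the success path and is presumably freed at `err`; worth confirming against its contract. The `err` label and the function's return lie outside the hunk.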
@@ -62,7 +62,6 @@ #include #include #include -#include #include "internal.h" @@ -81,7 +80,6 @@ int X509_REQ_print_fp(FILE *fp, X509_REQ *x) { int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags, unsigned long cflag) { long l; - EVP_PKEY *pkey; STACK_OF(X509_ATTRIBUTE) *sk; char mlch = ' '; @@ -128,13 +126,12 @@ int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags, goto err; } - pkey = X509_REQ_get_pubkey(x); + const EVP_PKEY *pkey = X509_REQ_get0_pubkey(x); if (pkey == NULL) { BIO_printf(bio, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bio); } else { EVP_PKEY_print_public(bio, pkey, 16, NULL); - EVP_PKEY_free(pkey); } } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c b/Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c index c576a3c4..9a6d7f62 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c @@ -64,7 +64,6 @@ #include #include #include -#include #include "internal.h" @@ -213,13 +212,12 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, return 0; } - EVP_PKEY *pkey = X509_get_pubkey(x); + const EVP_PKEY *pkey = X509_get0_pubkey(x); if (pkey == NULL) { BIO_printf(bp, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bp); } else { EVP_PKEY_print_public(bp, pkey, 16, NULL); - EVP_PKEY_free(pkey); } } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akey.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_akey.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akey.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_akey.c index 6de9bc7b..d4b50a53 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akey.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_akey.c @@ -63,7 +63,7 @@ #include #include #include -#include +#include #include "internal.h" 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akeya.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_akeya.c similarity index 98% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akeya.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_akeya.c index 5c2e322d..b165cdb1 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akeya.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_akeya.c @@ -59,7 +59,9 @@ #include #include #include -#include +#include + +#include "internal.h" ASN1_SEQUENCE(AUTHORITY_KEYID) = { diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_alt.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_alt.c similarity index 97% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_alt.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_alt.c index 9b568130..5021d3b5 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_alt.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_alt.c @@ -61,9 +61,8 @@ #include #include #include -#include +#include -#include "../x509/internal.h" #include "internal.h" @@ -173,13 +172,12 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(const X509V3_EXT_METHOD *method, case GEN_IPADD: p = gen->d.ip->data; if (gen->d.ip->length == 4) { - BIO_snprintf(oline, sizeof(oline), "%d.%d.%d.%d", p[0], p[1], p[2], - p[3]); + snprintf(oline, sizeof(oline), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); } else if (gen->d.ip->length == 16) { oline[0] = 0; for (i = 0; i < 8; i++) { uint16_t v = ((uint16_t)p[0] << 8) | p[1]; - BIO_snprintf(htmp, sizeof(htmp), "%X", v); + snprintf(htmp, sizeof(htmp), "%X", v); p += 2; OPENSSL_strlcat(oline, htmp, sizeof(oline)); if (i != 7) { 
@@ -448,10 +446,10 @@ GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0); } -GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, - const X509V3_CTX *ctx, int gen_type, - const char *value, int is_nc) { +static GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, + const X509V3_EXT_METHOD *method, + const X509V3_CTX *ctx, int gen_type, + const char *value, int is_nc) { if (!value) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE); return NULL; diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_bcons.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_bcons.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_bcons.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_bcons.c index e5715c15..34e24c1c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_bcons.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_bcons.c @@ -62,7 +62,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_bitst.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_bitst.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_bitst.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_bitst.c index d18cdc05..b92c4f5a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_bitst.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_bitst.c @@ -60,7 +60,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_conf.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_conf.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_conf.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_conf.c index e2a0695b..e2ef0c38 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_conf.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_conf.c 
@@ -66,10 +66,8 @@ #include #include #include -#include #include "../internal.h" -#include "../x509/internal.h" #include "internal.h" static int v3_check_critical(const char **value); diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_cpols.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_cpols.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_cpols.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_cpols.c index 8f8357dc..914d300a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_cpols.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_cpols.c @@ -66,7 +66,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_crld.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_crld.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_crld.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_crld.c index 1cd73058..2fca7044 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_crld.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_crld.c @@ -63,9 +63,8 @@ #include #include #include -#include +#include -#include "../x509/internal.h" #include "internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_enum.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_enum.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_enum.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_enum.c index 2b79adc3..db3551be 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_enum.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_enum.c @@ -58,6 +58,7 @@ #include #include +#include #include #include "internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_extku.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_extku.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_extku.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_extku.c index 0de5d2c7..2c5e8ec4 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_extku.c 
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_extku.c @@ -60,7 +60,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_genn.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_genn.c similarity index 94% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_genn.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_genn.c index 3f8b3a65..0426895f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_genn.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_genn.c @@ -59,7 +59,7 @@ #include #include #include -#include +#include #include "internal.h" @@ -70,7 +70,7 @@ ASN1_SEQUENCE(OTHERNAME) = { ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0), } ASN1_SEQUENCE_END(OTHERNAME) -IMPLEMENT_ASN1_FUNCTIONS_const(OTHERNAME) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(OTHERNAME) ASN1_SEQUENCE(EDIPARTYNAME) = { // DirectoryString is a CHOICE type, so use explicit tagging. @@ -78,7 +78,7 @@ ASN1_SEQUENCE(EDIPARTYNAME) = { ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1), } ASN1_SEQUENCE_END(EDIPARTYNAME) -IMPLEMENT_ASN1_FUNCTIONS_const(EDIPARTYNAME) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(EDIPARTYNAME) ASN1_CHOICE(GENERAL_NAME) = { ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME), @@ -208,9 +208,9 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) { a->type = type; } -void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) { - if (ptype) { - *ptype = a->type; +void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *out_type) { + if (out_type) { + *out_type = a->type; } switch (a->type) { case GEN_X400: 
@@ -255,16 +255,16 @@ int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid, return 1; } -int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, ASN1_OBJECT **poid, - ASN1_TYPE **pvalue) { +int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, ASN1_OBJECT **out_oid, + ASN1_TYPE **out_value) { if (gen->type != GEN_OTHERNAME) { return 0; } - if (poid) { - *poid = gen->d.otherName->type_id; + if (out_oid != NULL) { + *out_oid = gen->d.otherName->type_id; } - if (pvalue) { - *pvalue = gen->d.otherName->value; + if (out_value != NULL) { + *out_value = gen->d.otherName->value; } return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ia5.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_ia5.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ia5.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_ia5.c index 9613fc2f..b49bbc2f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ia5.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_ia5.c @@ -64,7 +64,7 @@ #include #include #include -#include +#include #include "../internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_info.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_info.c similarity index 97% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_info.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_info.c index aee3dd27..2eb58f97 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_info.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_info.c @@ -65,7 +65,10 @@ #include #include #include -#include +#include + +#include "internal.h" + static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS( const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret); @@ -206,8 +209,3 @@ static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method, sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free); return NULL; } - -int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a) { - i2a_ASN1_OBJECT(bp, a->method); - return 2; -} 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_int.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_int.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_int.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_int.c index 48aba7ba..32edf240 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_int.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_int.c @@ -57,7 +57,7 @@ #include #include -#include +#include static char *i2s_ASN1_INTEGER_cb(const X509V3_EXT_METHOD *method, void *ext) { diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_lib.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_lib.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_lib.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_lib.c index a111fec4..f294f251 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_lib.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_lib.c @@ -64,11 +64,12 @@ #include #include #include -#include +#include -#include "../x509/internal.h" +#include "internal.h" #include "ext_dat.h" + static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL; static int ext_stack_cmp(const X509V3_EXT_METHOD *const *a, diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ncons.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_ncons.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ncons.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_ncons.c index 5ab0d895..c9152cf2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ncons.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_ncons.c @@ -62,10 +62,10 @@ #include #include #include -#include +#include #include "../internal.h" -#include "../x509/internal.h" +#include "internal.h" static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ocsp.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_ocsp.c similarity index 98% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ocsp.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_ocsp.c index 0b9b2803..41f4f211 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ocsp.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_ocsp.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include +#include #include #include diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pcons.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_pcons.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pcons.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_pcons.c index e2d9e737..8115fda8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pcons.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_pcons.c @@ -62,7 +62,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pmaps.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_pmaps.c similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pmaps.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_pmaps.c index 855cd353..410e5dbf 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pmaps.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_pmaps.c @@ -60,7 +60,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_prn.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_prn.c similarity index 97% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_prn.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_prn.c index 25be650c..cd8ee79d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_prn.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_prn.c @@ -61,7 +61,7 @@ #include #include #include -#include +#include // Extension printing routines 
@@ -69,9 +69,8 @@ static int unknown_ext_print(BIO *out, const X509_EXTENSION *ext, unsigned long flag, int indent, int supported); // Print out a name+value stack - -void X509V3_EXT_val_prn(BIO *out, const STACK_OF(CONF_VALUE) *val, int indent, - int ml) { +static void X509V3_EXT_val_prn(BIO *out, const STACK_OF(CONF_VALUE) *val, + int indent, int ml) { if (!val) { return; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_purp.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_purp.c similarity index 63% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_purp.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_purp.c index 153bbbf4..77bcc9d3 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_purp.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_purp.c @@ -54,8 +54,8 @@ * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). */ -#include - +#include +#include #include #include @@ -63,10 +63,9 @@ #include #include #include -#include +#include #include "../internal.h" -#include "../x509/internal.h" #include "internal.h" #define V1_ROOT (EXFLAG_V1 | EXFLAG_SS) @@ -74,16 +73,14 @@ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) #define xku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) -#define ns_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) +static int check_ca(const X509 *x); static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); -static int purpose_smime(const X509 *x, int ca); static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, 
@@ -93,12 +90,8 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca); static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); -static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); - -static int xp_cmp(const X509_PURPOSE *const *a, const X509_PURPOSE *const *b); -static void xptable_free(X509_PURPOSE *p); -static X509_PURPOSE xstandard[] = { +static const X509_PURPOSE xstandard[] = { {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, (char *)"SSL client", (char *)"sslclient", NULL}, {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, 
@@ -115,39 +108,37 @@ static X509_PURPOSE xstandard[] = { (char *)"CRL signing", (char *)"crlsign", NULL}, {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, (char *)"Any Purpose", (char *)"any", NULL}, - {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, + // |X509_PURPOSE_OCSP_HELPER| performs no actual checks. OpenSSL's OCSP + // implementation relied on the caller performing EKU and KU checks. + {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, no_check, (char *)"OCSP helper", (char *)"ocsphelper", NULL}, {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, (char *)"Time Stamp signing", (char *)"timestampsign", NULL}, }; -#define X509_PURPOSE_COUNT (sizeof(xstandard) / sizeof(X509_PURPOSE)) - -static STACK_OF(X509_PURPOSE) *xptable = NULL; - -static int xp_cmp(const X509_PURPOSE *const *a, const X509_PURPOSE *const *b) { - return (*a)->purpose - (*b)->purpose; -} - -// As much as I'd like to make X509_check_purpose use a "const" X509* I -// really can't because it does recalculate hashes and do other non-const -// things. int X509_check_purpose(X509 *x, int id, int ca) { - int idx; - const X509_PURPOSE *pt; + // This differs from OpenSSL, which uses -1 to indicate a fatal error and 0 to + // indicate an invalid certificate. BoringSSL uses 0 for both. if (!x509v3_cache_extensions(x)) { - return -1; + return 0; } if (id == -1) { return 1; } - idx = X509_PURPOSE_get_by_id(id); + int idx = X509_PURPOSE_get_by_id(id); if (idx == -1) { - return -1; + return 0; + } + // Historically, |check_purpose| implementations other than |X509_PURPOSE_ANY| + // called |check_ca|. This is redundant with the |X509_V_ERR_INVALID_CA| + // logic, but |X509_check_purpose| is public API, so we preserve this + // behavior. + if (ca && id != X509_PURPOSE_ANY && !check_ca(x)) { + return 0; } - pt = X509_PURPOSE_get0(idx); + const X509_PURPOSE *pt = X509_PURPOSE_get0(idx); return pt->check_purpose(pt, x, ca); } 
@@ -160,27 +151,18 @@ int X509_PURPOSE_set(int *p, int purpose) { return 1; } -int X509_PURPOSE_get_count(void) { - if (!xptable) { - return X509_PURPOSE_COUNT; - } - return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT; -} +int X509_PURPOSE_get_count(void) { return OPENSSL_ARRAY_SIZE(xstandard); } -X509_PURPOSE *X509_PURPOSE_get0(int idx) { - if (idx < 0) { +const X509_PURPOSE *X509_PURPOSE_get0(int idx) { + if (idx < 0 || (size_t)idx >= OPENSSL_ARRAY_SIZE(xstandard)) { return NULL; } - if (idx < (int)X509_PURPOSE_COUNT) { - return xstandard + idx; - } - return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); + return xstandard + idx; } -int X509_PURPOSE_get_by_sname(char *sname) { - int i; - X509_PURPOSE *xptmp; - for (i = 0; i < X509_PURPOSE_get_count(); i++) { +int X509_PURPOSE_get_by_sname(const char *sname) { + const X509_PURPOSE *xptmp; + for (int i = 0; i < X509_PURPOSE_get_count(); i++) { xptmp = X509_PURPOSE_get0(i); if (!strcmp(xptmp->sname, sname)) { return i; 
@@ -190,119 +172,14 @@ int X509_PURPOSE_get_by_sname(char *sname) { } int X509_PURPOSE_get_by_id(int purpose) { - X509_PURPOSE tmp; - size_t idx; - - if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) { - return purpose - X509_PURPOSE_MIN; - } - tmp.purpose = purpose; - if (!xptable) { - return -1; - } - - if (!sk_X509_PURPOSE_find(xptable, &idx, &tmp)) { - return -1; - } - return idx + X509_PURPOSE_COUNT; -} - -int X509_PURPOSE_add(int id, int trust, int flags, - int (*ck)(const X509_PURPOSE *, const X509 *, int), - char *name, char *sname, void *arg) { - int idx; - X509_PURPOSE *ptmp; - char *name_dup, *sname_dup; - - // This is set according to what we change: application can't set it - flags &= ~X509_PURPOSE_DYNAMIC; - // This will always be set for application modified trust entries - flags |= X509_PURPOSE_DYNAMIC_NAME; - // Get existing entry if any - idx = X509_PURPOSE_get_by_id(id); - // Need a new entry - if (idx == -1) { - if (!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) { - return 0; - } - ptmp->flags = X509_PURPOSE_DYNAMIC; - } else { - ptmp = X509_PURPOSE_get0(idx); - } - - // Duplicate the supplied names. 
- name_dup = OPENSSL_strdup(name); - sname_dup = OPENSSL_strdup(sname); - if (name_dup == NULL || sname_dup == NULL) { - if (name_dup != NULL) { - OPENSSL_free(name_dup); - } - if (sname_dup != NULL) { - OPENSSL_free(sname_dup); - } - if (idx == -1) { - OPENSSL_free(ptmp); - } - return 0; - } - - // OPENSSL_free existing name if dynamic - if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) { - OPENSSL_free(ptmp->name); - OPENSSL_free(ptmp->sname); - } - // dup supplied name - ptmp->name = name_dup; - ptmp->sname = sname_dup; - // Keep the dynamic flag of existing entry - ptmp->flags &= X509_PURPOSE_DYNAMIC; - // Set all other flags - ptmp->flags |= flags; - - ptmp->purpose = id; - ptmp->trust = trust; - ptmp->check_purpose = ck; - ptmp->usr_data = arg; - - // If its a new entry manage the dynamic table - if (idx == -1) { - // TODO(davidben): This should be locked. Alternatively, remove the dynamic - // registration mechanism entirely. The trouble is there no way to pass in - // the various parameters into an |X509_VERIFY_PARAM| directly. You can only - // register it in the global table and get an ID. - if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) { - xptable_free(ptmp); - return 0; - } - if (!sk_X509_PURPOSE_push(xptable, ptmp)) { - xptable_free(ptmp); - return 0; + for (size_t i = 0; i flags & X509_PURPOSE_DYNAMIC) { - if (p->flags & X509_PURPOSE_DYNAMIC_NAME) { - OPENSSL_free(p->name); - OPENSSL_free(p->sname); - } - OPENSSL_free(p); - } -} - -void X509_PURPOSE_cleanup(void) { - unsigned int i; - sk_X509_PURPOSE_pop_free(xptable, xptable_free); - for (i = 0; i < X509_PURPOSE_COUNT; i++) { - xptable_free(xstandard + i); - } - xptable = NULL; + return -1; } int X509_PURPOSE_get_id(const X509_PURPOSE *xp) { return xp->purpose; } 
@@ -313,63 +190,25 @@ char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp) { return xp->sname; } int X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { return xp->trust; } -static int nid_cmp(const void *void_a, const void *void_b) { - const int *a = void_a, *b = void_b; - - return *a - *b; -} - int X509_supported_extension(const X509_EXTENSION *ex) { - // This table is a list of the NIDs of supported extensions: that is - // those which are used by the verify process. If an extension is - // critical and doesn't appear in this list then the verify process will - // normally reject the certificate. The list must be kept in numerical - // order because it will be searched using bsearch. - - static const int supported_nids[] = { - NID_netscape_cert_type, // 71 - NID_key_usage, // 83 - NID_subject_alt_name, // 85 - NID_basic_constraints, // 87 - NID_certificate_policies, // 89 - NID_ext_key_usage, // 126 - NID_policy_constraints, // 401 - NID_name_constraints, // 666 - NID_policy_mappings, // 747 - NID_inhibit_any_policy // 748 - }; - - int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); - - if (ex_nid == NID_undef) { - return 0; - } - - if (bsearch(&ex_nid, supported_nids, sizeof(supported_nids) / sizeof(int), - sizeof(int), nid_cmp) != NULL) { - return 1; - } - return 0; + int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); + return nid == NID_key_usage || // + nid == NID_subject_alt_name || // + nid == NID_basic_constraints || // + nid == NID_certificate_policies || // + nid == NID_ext_key_usage || // + nid == NID_policy_constraints || // + nid == NID_name_constraints || // + nid == NID_policy_mappings || // + nid == NID_inhibit_any_policy; } static int setup_dp(X509 *x, DIST_POINT *dp) { - X509_NAME *iname = NULL; - size_t i; - if (dp->reasons) { - if (dp->reasons->length > 0) { - dp->dp_reasons = dp->reasons->data[0]; - } - if (dp->reasons->length > 1) { - dp->dp_reasons |= (dp->reasons->data[1] << 8); - } - dp->dp_reasons &= CRLDP_ALL_REASONS; - } else { - 
dp->dp_reasons = CRLDP_ALL_REASONS; - } if (!dp->distpoint || (dp->distpoint->type != 1)) { return 1; } - for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { + X509_NAME *iname = NULL; + for (size_t i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); if (gen->type == GEN_DIRNAME) { iname = gen->d.directoryName; @@ -400,7 +239,6 @@ static int setup_crldp(X509 *x) { int x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; ASN1_BIT_STRING *usage; - ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; size_t i; int j; @@ -514,17 +352,6 @@ int x509v3_cache_extensions(X509 *x) { x->ex_flags |= EXFLAG_INVALID; } - if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &j, NULL))) { - if (ns->length > 0) { - x->ex_nscert = ns->data[0]; - } else { - x->ex_nscert = 0; - } - x->ex_flags |= EXFLAG_NSCERT; - ASN1_BIT_STRING_free(ns); - } else if (j != -1) { - x->ex_flags |= EXFLAG_INVALID; - } x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &j, NULL); if (x->skid == NULL && j != -1) { x->ex_flags |= EXFLAG_INVALID; @@ -538,7 +365,7 @@ int x509v3_cache_extensions(X509 *x) { x->ex_flags |= EXFLAG_SI; // If SKID matches AKID also indicate self signed if (X509_check_akid(x, x->akid) == X509_V_OK && - !ku_reject(x, KU_KEY_CERT_SIGN)) { + !ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) { x->ex_flags |= EXFLAG_SS; } } @@ -556,9 +383,6 @@ int x509v3_cache_extensions(X509 *x) { for (j = 0; j < X509_get_ext_count(x); j++) { const X509_EXTENSION *ex = X509_get_ext(x, j); - if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_freshest_crl) { - x->ex_flags |= EXFLAG_FRESHEST; - } if (!X509_EXTENSION_get_critical(ex)) { continue; } 
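Review bot: Dropping `NID_netscape_cert_type` from `X509_supported_extension` in the `@@ -313` hunk means a certificate carrying a critical Netscape Cert Type extension is no longer reported as supported, so per the removed comment the verifier will presumably reject it rather than parse it into `ex_nscert` as before; the `@@ -514` hunk removes the parsing side consistently, but nothing in the diff records this as a deliberate validation change. A one-line comment above the comparison chain, `// nsCertType is no longer parsed by x509v3_cache_extensions, so a critical instance is rejected here.`, would tell the next reader it is intentional. Replacing the bsearch-based table with a NID comparison chain is fine for nine entries. `setup_dp`'s body continues outside the hunk, so where the old `dp_reasons` computation moved cannot be seen from here.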
@@ -577,7 +401,7 @@ int x509v3_cache_extensions(X509 *x) {
 // otherwise.
 static int check_ca(const X509 *x) {
 // keyUsage if present should allow cert signing
- if (ku_reject(x, KU_KEY_CERT_SIGN)) {
+ if (ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) {
 return 0;
 }
 // Version 1 certificates are considered CAs and don't have extensions.
@@ -595,138 +419,68 @@ int X509_check_ca(X509 *x) { return check_ca(x); } -static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, - int ca) { - if (xku_reject(x, XKU_SSL_CLIENT)) { +// check_purpose returns one if |x| is a valid part of a certificate path for +// extended key usage |required_xku| and at least one of key usages in +// |required_kus|. |ca| indicates whether |x| is a CA or end-entity certificate. +static int check_purpose(const X509 *x, int ca, int required_xku, + int required_kus) { + // Check extended key usage on the entire chain. + if (required_xku != 0 && xku_reject(x, required_xku)) { return 0; } - if (ca) { - return check_ca(x); - } - // We need to do digital signatures or key agreement - if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) { - return 0; - } - // nsCertType if present should allow SSL client use - if (ns_reject(x, NS_SSL_CLIENT)) { - return 0; - } - return 1; + + // Check key usages only on the end-entity certificate. + return ca || !ku_reject(x, required_kus); +} + +static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, + int ca) { + // We need to do digital signatures or key agreement. + // + // TODO(davidben): We do not implement any TLS client certificate modes based + // on key agreement. + return check_purpose(x, ca, XKU_SSL_CLIENT, + X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_KEY_AGREEMENT); } // Key usage needed for TLS/SSL server: digital signature, encipherment or // key agreement. The ssl code can check this more thoroughly for individual // key types. 
-#define KU_TLS (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT | KU_KEY_AGREEMENT) +#define X509v3_KU_TLS \ + (X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_KEY_ENCIPHERMENT | \ + X509v3_KU_KEY_AGREEMENT) static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { - if (xku_reject(x, XKU_SSL_SERVER)) { - return 0; - } - if (ca) { - return check_ca(x); - } - - if (ns_reject(x, NS_SSL_SERVER)) { - return 0; - } - if (ku_reject(x, KU_TLS)) { - return 0; - } - - return 1; + return check_purpose(x, ca, XKU_SSL_SERVER, X509v3_KU_TLS); } static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { - int ret; - ret = check_purpose_ssl_server(xp, x, ca); - if (!ret || ca) { - return ret; - } - // We need to encipher or Netscape complains - if (ku_reject(x, KU_KEY_ENCIPHERMENT)) { - return 0; - } - return ret; -} - -// purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA -// (|ca| is one) certificate, and zero otherwise. -static int purpose_smime(const X509 *x, int ca) { - if (xku_reject(x, XKU_SMIME)) { - return 0; - } - if (ca) { - // check nsCertType if present - if ((x->ex_flags & EXFLAG_NSCERT) && (x->ex_nscert & NS_SMIME_CA) == 0) { - return 0; - } - - return check_ca(x); - } - if (x->ex_flags & EXFLAG_NSCERT) { - return (x->ex_nscert & NS_SMIME) == NS_SMIME; - } - return 1; + // We need to encipher or Netscape complains. 
+ return check_purpose(x, ca, XKU_SSL_SERVER, X509v3_KU_KEY_ENCIPHERMENT); } static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { - int ret; - ret = purpose_smime(x, ca); - if (!ret || ca) { - return ret; - } - if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION)) { - return 0; - } - return ret; + return check_purpose(x, ca, XKU_SMIME, + X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_NON_REPUDIATION); } static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca) { - int ret; - ret = purpose_smime(x, ca); - if (!ret || ca) { - return ret; - } - if (ku_reject(x, KU_KEY_ENCIPHERMENT)) { - return 0; - } - return ret; + return check_purpose(x, ca, XKU_SMIME, X509v3_KU_KEY_ENCIPHERMENT); } static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { - if (ca) { - return check_ca(x); - } - if (ku_reject(x, KU_CRL_SIGN)) { - return 0; - } - return 1; -} - -// OCSP helper: this is *not* a full OCSP check. It just checks that each CA -// is valid. Additional checks must be made on the chain. - -static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) { - if (ca) { - return check_ca(x); - } - // leaf certificate is checked in OCSP_verify() - return 1; + return check_purpose(x, ca, /*required_xku=*/0, X509v3_KU_CRL_SIGN); } static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { - int i_ext; - - // If ca is true we must return if this is a valid CA certificate. if (ca) { - return check_ca(x); + return 1; } // Check the optional key usage field: 
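Review bot: The comment above the new `check_purpose` helper describes the EKU and KU checks but not that CA validity is now the caller's job: every `check_purpose_*` callback in this hunk, including `check_purpose_timestamp_sign` which now returns 1 for `ca`, no longer calls `check_ca` and relies on `X509_check_purpose` having done so for `ca && id != X509_PURPOSE_ANY`. Since the callbacks are reachable only through the `xstandard` table that is sound, but the coupling is invisible here; add to the helper's comment `// CA certificates are not subjected to |check_ca| here; |X509_check_purpose| does that before dispatching to the per-purpose callback.` The S/MIME callbacks also drop the old nsCertType (`NS_SMIME`/`NS_SMIME_CA`) gating together with the removed `purpose_smime`, which follows from `EXFLAG_NSCERT` no longer being populated. The `check_purpose_timestamp_sign` body continues past the end of the hunk.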
@@ -734,20 +488,24 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, // and/or nonRepudiation (other values are not consistent and shall // be rejected). if ((x->ex_flags & EXFLAG_KUSAGE) && - ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) || - !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) { + ((x->ex_kusage & + ~(X509v3_KU_NON_REPUDIATION | X509v3_KU_DIGITAL_SIGNATURE)) || + !(x->ex_kusage & + (X509v3_KU_NON_REPUDIATION | X509v3_KU_DIGITAL_SIGNATURE)))) { return 0; } // Only time stamp key usage is permitted and it's required. + // + // TODO(davidben): Should we check EKUs up the chain like the other cases? if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP) { return 0; } // Extended Key Usage MUST be critical - i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1); + int i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1); if (i_ext >= 0) { - const X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext); + const X509_EXTENSION *ext = X509_get_ext(x, i_ext); if (!X509_EXTENSION_get_critical(ext)) { return 0; } @@ -758,14 +516,6 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) { return 1; } -// Various checks to see if one certificate issued the second. This can be -// used to prune a set of possible issuer certificates which have been looked -// up using some simple method such as by subject name. These are: 1. Check -// issuer_name(subject) == subject_name(issuer) 2. If akid(subject) exists -// check it matches issuer 3. If key_usage(issuer) exists check it supports -// certificate signing returns 0 for OK, positive for reason for mismatch, -// reasons match codes for X509_verify_cert() - int X509_check_issued(X509 *issuer, X509 *subject) { if (X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) { 
@@ -782,13 +532,13 @@ int X509_check_issued(X509 *issuer, X509 *subject) { } } - if (ku_reject(issuer, KU_KEY_CERT_SIGN)) { + if (ku_reject(issuer, X509v3_KU_KEY_CERT_SIGN)) { return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; } return X509_V_OK; } -int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) { +int X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid) { if (!akid) { return X509_V_OK; } @@ -841,6 +591,9 @@ uint32_t X509_get_key_usage(X509 *x) { if (x->ex_flags & EXFLAG_KUSAGE) { return x->ex_kusage; } + // If there is no extension, key usage is unconstrained, so set all bits to + // one. Note that, although we use |UINT32_MAX|, |ex_kusage| only contains the + // first 16 bits when the extension is present. return UINT32_MAX; } @@ -851,6 +604,8 @@ uint32_t X509_get_extended_key_usage(X509 *x) { if (x->ex_flags & EXFLAG_XKUSAGE) { return x->ex_xkusage; } + // If there is no extension, extended key usage is unconstrained, so set all + // bits to one. return UINT32_MAX; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_skey.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_skey.c similarity index 98% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_skey.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_skey.c index 48834d0d..1e07090b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_skey.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_skey.c @@ -62,9 +62,8 @@ #include #include #include -#include +#include -#include "../x509/internal.h" #include "internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_utl.c b/Sources/CJWTKitBoringSSL/crypto/x509/v3_utl.c similarity index 97% rename from Sources/CJWTKitBoringSSL/crypto/x509v3/v3_utl.c rename to Sources/CJWTKitBoringSSL/crypto/x509/v3_utl.c index 62432f38..4d927a36 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_utl.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/v3_utl.c 
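Review bot: The comment added to `X509_get_key_usage` (hunk `@@ -841`) leaves implicit the one thing callers get wrong: the no-extension case returns `UINT32_MAX`, while a present extension populates only the low 16 bits of `ex_kusage`, so the result must be tested with `&` against individual `X509v3_KU_*` bits and never compared for equality or against a full-width mask. I would append `// Callers must test individual X509v3_KU_* bits with &; an exact comparison would treat the unconstrained case differently from an extension that sets every bit.` to that comment. The same caveat applies to `X509_get_extended_key_usage` in the following hunk (`@@ -851`), which returns `UINT32_MAX` for the same reason. This is vendored BoringSSL, so the wording change belongs upstream rather than in this package.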
@@ -67,7 +67,7 @@ #include #include #include -#include +#include #include "../conf/internal.h" #include "../internal.h" @@ -555,7 +555,7 @@ static int sk_strcmp(const char *const *a, const char *const *b) { return strcmp(*a, *b); } -STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) { +STACK_OF(OPENSSL_STRING) *X509_get1_email(const X509 *x) { GENERAL_NAMES *gens; STACK_OF(OPENSSL_STRING) *ret; @@ -565,7 +565,7 @@ STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) { return ret; } -STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) { +STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(const X509 *x) { AUTHORITY_INFO_ACCESS *info; STACK_OF(OPENSSL_STRING) *ret = NULL; size_t i; @@ -588,7 +588,7 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) { return ret; } -STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) { +STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(const X509_REQ *x) { GENERAL_NAMES *gens; STACK_OF(X509_EXTENSION) *exts; STACK_OF(OPENSSL_STRING) *ret; @@ -942,6 +942,9 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal, } if (rv > 0 && peername) { *peername = OPENSSL_strndup((char *)a->data, a->length); + if (*peername == NULL) { + return -1; + } } } else { int astrlen; @@ -960,13 +963,16 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal, } if (rv > 0 && peername) { *peername = OPENSSL_strndup((char *)astr, astrlen); + if (*peername == NULL) { + return -1; + } } OPENSSL_free(astr); } return rv; } -static int do_x509_check(X509 *x, const char *chk, size_t chklen, +static int do_x509_check(const X509 *x, const char *chk, size_t chklen, unsigned int flags, int check_type, char **peername) { int cnid = NID_undef; int alt_type; 
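Review bot: In the second `do_check_string` hunk (`@@ -960`), the new `if (*peername == NULL) { return -1; }` returns before the `OPENSSL_free(astr)` that immediately follows the block, so as this collapsed hunk reads, a failed `OPENSSL_strndup` leaks the `astr` buffer on the allocation-failure path. The earlier hunk (`@@ -942`) is fine because `a->data` is not owned there. The release should happen on the new path too: `if (*peername == NULL) { OPENSSL_free(astr); return -1; }`. `do_check_string` starts outside this hunk, so I cannot see where `astr` is allocated; since this is vendored BoringSSL, the fix belongs upstream rather than in this copy.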
@@ -1033,8 +1039,8 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, return 0; } -int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, - char **peername) { +int X509_check_host(const X509 *x, const char *chk, size_t chklen, + unsigned int flags, char **peername) { if (chk == NULL) { return -2; } @@ -1044,7 +1050,7 @@ int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername); } -int X509_check_email(X509 *x, const char *chk, size_t chklen, +int X509_check_email(const X509 *x, const char *chk, size_t chklen, unsigned int flags) { if (chk == NULL) { return -2; @@ -1055,15 +1061,15 @@ int X509_check_email(X509 *x, const char *chk, size_t chklen, return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL); } -int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, +int X509_check_ip(const X509 *x, const unsigned char *chk, size_t chklen, unsigned int flags) { if (chk == NULL) { return -2; } - return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL); + return do_x509_check(x, (const char *)chk, chklen, flags, GEN_IPADD, NULL); } -int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) { +int X509_check_ip_asc(const X509 *x, const char *ipasc, unsigned int flags) { unsigned char ipout[16]; size_t iplen; @@ -1074,7 +1080,7 @@ int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) { if (iplen == 0) { return -2; } - return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL); + return do_x509_check(x, (const char *)ipout, iplen, flags, GEN_IPADD, NULL); } // Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible @@ -1143,12 +1149,8 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) { return ret; err: - if (iptmp) { - OPENSSL_free(iptmp); - } - if (ret) { - ASN1_OCTET_STRING_free(ret); - } + OPENSSL_free(iptmp); + ASN1_OCTET_STRING_free(ret); return NULL; } 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_att.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_att.c
index 39c0f66e..0e1d8469 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_att.c
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_att.c
@@ -137,54 +137,57 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) { int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len) { - ASN1_TYPE *ttmp = NULL; - ASN1_STRING *stmp = NULL; - int atype = 0; if (!attr) { return 0; } + + if (attrtype == 0) { + // Do nothing. This is used to create an empty value set in + // |X509_ATTRIBUTE_create_by_*|. This is invalid, but supported by OpenSSL. + return 1; + } + + ASN1_TYPE *typ = ASN1_TYPE_new(); + if (typ == NULL) { + return 0; + } + + // This function is several functions in one. if (attrtype & MBSTRING_FLAG) { - stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype, - OBJ_obj2nid(attr->object)); - if (!stmp) { + // |data| is an encoded string. We must decode and re-encode it to |attr|'s + // preferred ASN.1 type. Note |len| may be -1, in which case + // |ASN1_STRING_set_by_NID| calls |strlen| automatically. + ASN1_STRING *str = ASN1_STRING_set_by_NID(NULL, data, len, attrtype, + OBJ_obj2nid(attr->object)); + if (str == NULL) { OPENSSL_PUT_ERROR(X509, ERR_R_ASN1_LIB); - return 0; - } - atype = stmp->type; - } else if (len != -1) { - if (!(stmp = ASN1_STRING_type_new(attrtype))) { goto err; } - if (!ASN1_STRING_set(stmp, data, len)) { + asn1_type_set0_string(typ, str); + } else if (len != -1) { + // |attrtype| must be a valid |ASN1_STRING| type. |data| and |len| is a + // value in the corresponding |ASN1_STRING| representation. + ASN1_STRING *str = ASN1_STRING_type_new(attrtype); + if (str == NULL || !ASN1_STRING_set(str, data, len)) { + ASN1_STRING_free(str); goto err; } - atype = attrtype; - } - // This is a bit naughty because the attribute should really have at - // least one value but some types use and zero length SET and require - // this. 
- if (attrtype == 0) { - ASN1_STRING_free(stmp); - return 1; - } - if (!(ttmp = ASN1_TYPE_new())) { - goto err; - } - if ((len == -1) && !(attrtype & MBSTRING_FLAG)) { - if (!ASN1_TYPE_set1(ttmp, attrtype, data)) { + asn1_type_set0_string(typ, str); + } else { + // |attrtype| must be a valid |ASN1_TYPE| type. |data| is a pointer to an + // object of the corresponding type. + if (!ASN1_TYPE_set1(typ, attrtype, data)) { goto err; } - } else { - ASN1_TYPE_set(ttmp, atype, stmp); - stmp = NULL; } - if (!sk_ASN1_TYPE_push(attr->set, ttmp)) { + + if (!sk_ASN1_TYPE_push(attr->set, typ)) { goto err; } return 1; + err: - ASN1_TYPE_free(ttmp); - ASN1_STRING_free(stmp); + ASN1_TYPE_free(typ); return 0; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_cmp.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_cmp.c index 6bc41131..dd92c21a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_cmp.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_cmp.c @@ -60,13 +60,13 @@ #include #include #include +#include #include +#include #include #include -#include #include "../internal.h" -#include "../x509v3/internal.h" #include "internal.h" @@ -90,11 +90,11 @@ X509_NAME *X509_get_issuer_name(const X509 *a) { return a->cert_info->issuer; } -unsigned long X509_issuer_name_hash(X509 *x) { - return (X509_NAME_hash(x->cert_info->issuer)); +uint32_t X509_issuer_name_hash(X509 *x) { + return X509_NAME_hash(x->cert_info->issuer); } -unsigned long X509_issuer_name_hash_old(X509 *x) { +uint32_t X509_issuer_name_hash_old(X509 *x) { return (X509_NAME_hash_old(x->cert_info->issuer)); } 
@@ -110,12 +110,12 @@ const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509) { return x509->cert_info->serialNumber; } -unsigned long X509_subject_name_hash(X509 *x) { - return (X509_NAME_hash(x->cert_info->subject)); +uint32_t X509_subject_name_hash(X509 *x) { + return X509_NAME_hash(x->cert_info->subject); } -unsigned long X509_subject_name_hash_old(X509 *x) { - return (X509_NAME_hash_old(x->cert_info->subject)); +uint32_t X509_subject_name_hash_old(X509 *x) { + return X509_NAME_hash_old(x->cert_info->subject); } // Compare two certificates: they must be identical for this to work. NB: 
@@ -167,44 +167,29 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { return OPENSSL_memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); } -unsigned long X509_NAME_hash(X509_NAME *x) { - unsigned long ret = 0; - unsigned char md[SHA_DIGEST_LENGTH]; - - // Make sure X509_NAME structure contains valid cached encoding - i2d_X509_NAME(x, NULL); - if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL)) { +uint32_t X509_NAME_hash(X509_NAME *x) { + // Make sure the X509_NAME structure contains a valid cached encoding. + if (i2d_X509_NAME(x, NULL) < 0) { return 0; } - ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | - ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)) & - 0xffffffffL; - return ret; + uint8_t md[SHA_DIGEST_LENGTH]; + SHA1(x->canon_enc, x->canon_enclen, md); + return CRYPTO_load_u32_le(md); } // I now DER encode the name and hash it. Since I cache the DER encoding, // this is reasonably efficient. -unsigned long X509_NAME_hash_old(X509_NAME *x) { - EVP_MD_CTX md_ctx; - unsigned long ret = 0; - unsigned char md[16]; - - // Make sure X509_NAME structure contains valid cached encoding - i2d_X509_NAME(x, NULL); - EVP_MD_CTX_init(&md_ctx); - // EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL) && - EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length) && - EVP_DigestFinal_ex(&md_ctx, md, NULL)) { - ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | - ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)) & - 0xffffffffL; +uint32_t X509_NAME_hash_old(X509_NAME *x) { + // Make sure the X509_NAME structure contains a valid cached encoding. 
+ if (i2d_X509_NAME(x, NULL) < 0) { + return 0; } - EVP_MD_CTX_cleanup(&md_ctx); - return ret; + uint8_t md[SHA_DIGEST_LENGTH]; + MD5((const uint8_t *)x->bytes->data, x->bytes->length, md); + return CRYPTO_load_u32_le(md); } X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, X509_NAME *name, @@ -233,11 +218,18 @@ X509 *X509_find_by_subject(const STACK_OF(X509) *sk, X509_NAME *name) { return NULL; } -EVP_PKEY *X509_get_pubkey(X509 *x) { - if ((x == NULL) || (x->cert_info == NULL)) { +EVP_PKEY *X509_get0_pubkey(const X509 *x) { + if (x == NULL) { + return NULL; + } + return X509_PUBKEY_get0(x->cert_info->key); +} + +EVP_PKEY *X509_get_pubkey(const X509 *x) { + if (x == NULL) { return NULL; } - return (X509_PUBKEY_get(x->cert_info->key)); + return X509_PUBKEY_get(x->cert_info->key); } ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) { @@ -247,36 +239,29 @@ ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) { return x->cert_info->key->public_key; } -int X509_check_private_key(X509 *x, const EVP_PKEY *k) { - EVP_PKEY *xk; - int ret; - - xk = X509_get_pubkey(x); +int X509_check_private_key(const X509 *x, const EVP_PKEY *k) { + const EVP_PKEY *xk = X509_get0_pubkey(x); + if (xk == NULL) { + return 0; + } - if (xk) { - ret = EVP_PKEY_cmp(xk, k); - } else { - ret = -2; + int ret = EVP_PKEY_cmp(xk, k); + if (ret > 0) { + return 1; } switch (ret) { - case 1: - break; case 0: OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH); - break; + return 0; case -1: OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH); - break; + return 0; case -2: OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE); + return 0; } - if (xk) { - EVP_PKEY_free(xk); - } - if (ret > 0) { - return 1; - } + return 0; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_d2.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_d2.c index 9557ea64..3726bf73 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_d2.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_d2.c 
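Review bot: In `X509_NAME_hash_old` (hunk `@@ -167`) the digest buffer is declared `uint8_t md[SHA_DIGEST_LENGTH]` but is filled by `MD5()`, which writes 16 bytes; the size is not unsafe (20 ≥ 16) but it is the SHA-1 constant copied from `X509_NAME_hash` just above, and should read `uint8_t md[MD5_DIGEST_LENGTH];`. Both functions would also benefit from a comment that the value is the first four digest bytes read little-endian via `CRYPTO_load_u32_le` and is a directory/lookup key, not an identity or integrity check — the `_old` variant is MD5 over the raw encoding, so no collision resistance should be assumed. Note too that `0` is returned when `i2d_X509_NAME` fails, yet 0 is a possible hash value, so callers cannot tell the error case apart; that is the upstream BoringSSL contract and not something to change in this vendored copy.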
@@ -57,7 +57,7 @@ #include #include -#ifndef OPENSSL_NO_STDIO + int X509_STORE_set_default_paths(X509_STORE *ctx) { X509_LOOKUP *lookup;
@@ -106,5 +106,3 @@ int X509_STORE_load_locations(X509_STORE *ctx, const char *file, } return 1; } - -#endif
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_ext.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_ext.c
index e5357cbc..c09036eb 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_ext.c
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_ext.c
@@ -59,7 +59,6 @@ #include #include #include -#include #include "internal.h"
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_lu.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_lu.c
index 566d1e32..98649d31 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_lu.c
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_lu.c
@@ -60,25 +60,34 @@ #include #include #include -#include #include "../internal.h" #include "internal.h" -X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { - X509_LOOKUP *ret; - ret = (X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP)); +static int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, + X509_NAME *name); +static X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, + int type, X509_NAME *name); +static X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, + X509_OBJECT *x); +static int X509_OBJECT_up_ref_count(X509_OBJECT *a); + +static X509_LOOKUP *X509_LOOKUP_new(const X509_LOOKUP_METHOD *method, + X509_STORE *store); +static int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret); + +static X509_LOOKUP *X509_LOOKUP_new(const X509_LOOKUP_METHOD *method, + X509_STORE *store) { + X509_LOOKUP *ret = OPENSSL_zalloc(sizeof(X509_LOOKUP)); if (ret == NULL) { return NULL; } - ret->init = 0; - ret->skip = 0; ret->method = method; - ret->method_data = NULL; - ret->store_ctx = NULL; - if ((method->new_item != NULL) && !method->new_item(ret)) { + ret->store_ctx = store; + if (method->new_item != NULL && !method->new_item(ret)) { OPENSSL_free(ret); return NULL; } 
@@ -89,34 +98,12 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx) { if (ctx == NULL) { return; } - if ((ctx->method != NULL) && (ctx->method->free != NULL)) { + if (ctx->method != NULL && ctx->method->free != NULL) { (*ctx->method->free)(ctx); } OPENSSL_free(ctx); } -int X509_LOOKUP_init(X509_LOOKUP *ctx) { - if (ctx->method == NULL) { - return 0; - } - if (ctx->method->init != NULL) { - return ctx->method->init(ctx); - } else { - return 1; - } -} - -int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) { - if (ctx->method == NULL) { - return 0; - } - if (ctx->method->shutdown != NULL) { - return ctx->method->shutdown(ctx); - } else { - return 1; - } -} - int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret) { if (ctx->method == NULL) { @@ -129,14 +116,15 @@ int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, } } -int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, - X509_OBJECT *ret) { - if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL)) { - return 0; - } - if (ctx->skip) { +static int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret) { + if (ctx->method == NULL || ctx->method->get_by_subject == NULL) { return 0; } + // Note |get_by_subject| leaves |ret| in an inconsistent state. It has + // pointers to an |X509| or |X509_CRL|, but has not bumped the refcount yet. + // For now, the caller is expected to fix this, but ideally we'd fix the + // |X509_LOOKUP| convention itself. return ctx->method->get_by_subject(ctx, type, name, ret) > 0; } 
@@ -162,44 +150,24 @@ static int x509_object_cmp_sk(const X509_OBJECT *const *a, } X509_STORE *X509_STORE_new(void) { - X509_STORE *ret; - - if ((ret = (X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL) { + X509_STORE *ret = OPENSSL_zalloc(sizeof(X509_STORE)); + if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(*ret)); + + ret->references = 1; CRYPTO_MUTEX_init(&ret->objs_lock); ret->objs = sk_X509_OBJECT_new(x509_object_cmp_sk); - if (ret->objs == NULL) { - goto err; - } - ret->cache = 1; ret->get_cert_methods = sk_X509_LOOKUP_new_null(); - if (ret->get_cert_methods == NULL) { - goto err; - } ret->param = X509_VERIFY_PARAM_new(); - if (ret->param == NULL) { - goto err; + if (ret->objs == NULL || + ret->get_cert_methods == NULL || + ret->param == NULL) { + X509_STORE_free(ret); + return NULL; } - ret->references = 1; return ret; -err: - if (ret) { - CRYPTO_MUTEX_cleanup(&ret->objs_lock); - if (ret->param) { - X509_VERIFY_PARAM_free(ret->param); - } - if (ret->get_cert_methods) { - sk_X509_LOOKUP_free(ret->get_cert_methods); - } - if (ret->objs) { - sk_X509_OBJECT_free(ret->objs); - } - OPENSSL_free(ret); - } - return NULL; } int X509_STORE_up_ref(X509_STORE *store) { @@ -207,26 +175,7 @@ int X509_STORE_up_ref(X509_STORE *store) { return 1; } -static void cleanup(X509_OBJECT *a) { - if (a == NULL) { - return; - } - if (a->type == X509_LU_X509) { - X509_free(a->data.x509); - } else if (a->type == X509_LU_CRL) { - X509_CRL_free(a->data.crl); - } else { - // abort(); - } - - OPENSSL_free(a); -} - void X509_STORE_free(X509_STORE *vfy) { - size_t j; - STACK_OF(X509_LOOKUP) *sk; - X509_LOOKUP *lu; - if (vfy == NULL) { return; } 
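Review bot: `ret->references = 1;` now sits before the member allocations in `X509_STORE_new`, and that ordering is load-bearing: the failure path goes through `X509_STORE_free(ret)`, which presumably drops a reference before tearing the store down (that part of `X509_STORE_free` is outside this hunk), so a zero count there would underflow. A one-line comment would keep someone from re-ordering it: `// Set the reference count first: the failure path releases via X509_STORE_free.` The same path also depends on `sk_X509_LOOKUP_pop_free`, `sk_X509_OBJECT_pop_free` and `X509_VERIFY_PARAM_free` tolerating NULL for members that were never allocated — true of BoringSSL's helpers as far as I know, but worth stating in the same comment since this copy is vendored and the invariant is easy to lose on the next update.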
@@ -236,63 +185,41 @@ void X509_STORE_free(X509_STORE *vfy) { } CRYPTO_MUTEX_cleanup(&vfy->objs_lock); - - sk = vfy->get_cert_methods; - for (j = 0; j < sk_X509_LOOKUP_num(sk); j++) { - lu = sk_X509_LOOKUP_value(sk, j); - X509_LOOKUP_shutdown(lu); - X509_LOOKUP_free(lu); - } - sk_X509_LOOKUP_free(sk); - sk_X509_OBJECT_pop_free(vfy->objs, cleanup); - - if (vfy->param) { - X509_VERIFY_PARAM_free(vfy->param); - } + sk_X509_LOOKUP_pop_free(vfy->get_cert_methods, X509_LOOKUP_free); + sk_X509_OBJECT_pop_free(vfy->objs, X509_OBJECT_free); + X509_VERIFY_PARAM_free(vfy->param); OPENSSL_free(vfy); } -X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) { - size_t i; - STACK_OF(X509_LOOKUP) *sk; - X509_LOOKUP *lu; - - sk = v->get_cert_methods; - for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) { - lu = sk_X509_LOOKUP_value(sk, i); +X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, const X509_LOOKUP_METHOD *m) { + STACK_OF(X509_LOOKUP) *sk = v->get_cert_methods; + for (size_t i = 0; i < sk_X509_LOOKUP_num(sk); i++) { + X509_LOOKUP *lu = sk_X509_LOOKUP_value(sk, i); if (m == lu->method) { return lu; } } - // a new one - lu = X509_LOOKUP_new(m); - if (lu == NULL) { + + X509_LOOKUP *lu = X509_LOOKUP_new(m, v); + if (lu == NULL || !sk_X509_LOOKUP_push(v->get_cert_methods, lu)) { + X509_LOOKUP_free(lu); return NULL; - } else { - lu->store_ctx = v; - if (sk_X509_LOOKUP_push(v->get_cert_methods, lu)) { - return lu; - } else { - X509_LOOKUP_free(lu); - return NULL; - } } + + return lu; } -int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, - X509_OBJECT *ret) { +int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, + X509_OBJECT *ret) { X509_STORE *ctx = vs->ctx; - X509_LOOKUP *lu; - X509_OBJECT stmp, *tmp; - int i; - + X509_OBJECT stmp; CRYPTO_MUTEX_lock_write(&ctx->objs_lock); - tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); + X509_OBJECT *tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); 
CRYPTO_MUTEX_unlock_write(&ctx->objs_lock); if (tmp == NULL || type == X509_LU_CRL) { - for (i = 0; i < (int)sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) { - lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i); + for (size_t i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) { + X509_LOOKUP *lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i); if (X509_LOOKUP_by_subject(lu, type, name, &stmp)) { tmp = &stmp; break; @@ -318,7 +245,7 @@ static int x509_store_add(X509_STORE *ctx, void *x, int is_crl) { return 0; } - X509_OBJECT *const obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + X509_OBJECT *const obj = X509_OBJECT_new(); if (obj == NULL) { return 0; } @@ -344,8 +271,7 @@ static int x509_store_add(X509_STORE *ctx, void *x, int is_crl) { CRYPTO_MUTEX_unlock_write(&ctx->objs_lock); if (!added) { - X509_OBJECT_free_contents(obj); - OPENSSL_free(obj); + X509_OBJECT_free(obj); } return ret; @@ -359,7 +285,19 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) { return x509_store_add(ctx, x, /*is_crl=*/1); } -int X509_OBJECT_up_ref_count(X509_OBJECT *a) { +X509_OBJECT *X509_OBJECT_new(void) { + return OPENSSL_zalloc(sizeof(X509_OBJECT)); +} + +void X509_OBJECT_free(X509_OBJECT *obj) { + if (obj == NULL) { + return; + } + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); +} + +static int X509_OBJECT_up_ref_count(X509_OBJECT *a) { switch (a->type) { case X509_LU_X509: X509_up_ref(a->data.x509); @@ -380,6 +318,8 @@ void X509_OBJECT_free_contents(X509_OBJECT *a) { X509_CRL_free(a->data.crl); break; } + + OPENSSL_memset(a, 0, sizeof(X509_OBJECT)); } int X509_OBJECT_get_type(const X509_OBJECT *a) { return a->type; } 
@@ -436,13 +376,13 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, return (int)idx; } -int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, - X509_NAME *name) { +static int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, + X509_NAME *name) { return x509_object_idx_cnt(h, type, name, NULL); } -X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, - X509_NAME *name) { +static X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, + int type, X509_NAME *name) { int idx; idx = X509_OBJECT_idx_by_subject(h, type, name); if (idx == -1) { @@ -455,23 +395,20 @@ STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st) { return st->objs; } -STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { - int i, idx, cnt; - STACK_OF(X509) *sk; - X509 *x; - X509_OBJECT *obj; - sk = sk_X509_new_null(); +STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { + int cnt; + STACK_OF(X509) *sk = sk_X509_new_null(); if (sk == NULL) { return NULL; } CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock); - idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); + int idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { // Nothing found in cache: do lookup to possibly add new objects to // cache X509_OBJECT xobj; CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock); - if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) { + if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) { sk_X509_free(sk); return NULL; } 
@@ -484,9 +421,9 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { return NULL; } } - for (i = 0; i < cnt; i++, idx++) { - obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); - x = obj->data.x509; + for (int i = 0; i < cnt; i++, idx++) { + X509_OBJECT *obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); + X509 *x = obj->data.x509; if (!sk_X509_push(sk, x)) { CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock); sk_X509_pop_free(sk, X509_free); @@ -498,33 +435,32 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { return sk; } -STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) { - int i, idx, cnt; - STACK_OF(X509_CRL) *sk; - X509_CRL *x; - X509_OBJECT *obj, xobj; - sk = sk_X509_CRL_new_null(); +STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, + X509_NAME *nm) { + int cnt; + X509_OBJECT xobj; + STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null(); if (sk == NULL) { return NULL; } // Always do lookup to possibly add new CRLs to cache. - if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) { + if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) { sk_X509_CRL_free(sk); return NULL; } X509_OBJECT_free_contents(&xobj); CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock); - idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt); + int idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt); if (idx < 0) { CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock); sk_X509_CRL_free(sk); return NULL; } - for (i = 0; i < cnt; i++, idx++) { - obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); - x = obj->data.crl; + for (int i = 0; i < cnt; i++, idx++) { + X509_OBJECT *obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); + X509_CRL *x = obj->data.crl; X509_CRL_up_ref(x); if (!sk_X509_CRL_push(sk, x)) { CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock); 
@@ -537,8 +473,8 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) { return sk; } -X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, - X509_OBJECT *x) { +static X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, + X509_OBJECT *x) { sk_X509_OBJECT_sort(h); size_t idx; if (!sk_X509_OBJECT_find(h, &idx, x)) { @@ -567,28 +503,25 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, return NULL; } -// Try to get issuer certificate from store. Due to limitations of the API -// this can only retrieve a single certificate matching a given subject name. -// However it will fill the cache with all matching certificates, so we can -// examine the cache for all matches. Return values are: 1 lookup -// successful. 0 certificate not found. -1 some other error. -int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { +int X509_STORE_CTX_get1_issuer(X509 **out_issuer, X509_STORE_CTX *ctx, + X509 *x) { X509_NAME *xn; X509_OBJECT obj, *pobj; int idx, ret; size_t i; xn = X509_get_issuer_name(x); - if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj)) { + if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, &obj)) { return 0; } // If certificate matches all OK - if (ctx->check_issued(ctx, x, obj.data.x509)) { - *issuer = obj.data.x509; + if (x509_check_issued_with_callback(ctx, x, obj.data.x509)) { + *out_issuer = obj.data.x509; return 1; } X509_OBJECT_free_contents(&obj); - // Else find index of first cert accepted by 'check_issued' + // Else find index of first cert accepted by + // |x509_check_issued_with_callback|. ret = 0; CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock); idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); 
@@ -604,8 +537,8 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) { break; } - if (ctx->check_issued(ctx, x, pobj->data.x509)) { - *issuer = pobj->data.x509; + if (x509_check_issued_with_callback(ctx, x, pobj->data.x509)) { + *out_issuer = pobj->data.x509; X509_OBJECT_up_ref_count(pobj); ret = 1; break; 
@@ -633,109 +566,27 @@ int X509_STORE_set_trust(X509_STORE *ctx, int trust) { return X509_VERIFY_PARAM_set_trust(ctx->param, trust); } -int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) { +int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *param) { return X509_VERIFY_PARAM_set1(ctx->param, param); } X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx) { return ctx->param; } -void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify) { - ctx->verify = verify; -} - -X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx) { - return ctx->verify; -} - void X509_STORE_set_verify_cb(X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb) { ctx->verify_cb = verify_cb; } -X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx) { - return ctx->verify_cb; -} - -void X509_STORE_set_get_issuer(X509_STORE *ctx, - X509_STORE_CTX_get_issuer_fn get_issuer) { - ctx->get_issuer = get_issuer; -} - -X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx) { - return ctx->get_issuer; -} - -void X509_STORE_set_check_issued(X509_STORE *ctx, - X509_STORE_CTX_check_issued_fn check_issued) { - ctx->check_issued = check_issued; -} - -X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx) { - return ctx->check_issued; -} - -void X509_STORE_set_check_revocation( - X509_STORE *ctx, X509_STORE_CTX_check_revocation_fn check_revocation) { - ctx->check_revocation = check_revocation; -} - -X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation( - X509_STORE *ctx) { - return ctx->check_revocation; -} - void X509_STORE_set_get_crl(X509_STORE *ctx, X509_STORE_CTX_get_crl_fn get_crl) { ctx->get_crl = get_crl; } -X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx) { - return ctx->get_crl; -} - void X509_STORE_set_check_crl(X509_STORE *ctx, X509_STORE_CTX_check_crl_fn check_crl) { ctx->check_crl = check_crl; } -X509_STORE_CTX_check_crl_fn 
X509_STORE_get_check_crl(X509_STORE *ctx) { - return ctx->check_crl; -} - -void X509_STORE_set_cert_crl(X509_STORE *ctx, - X509_STORE_CTX_cert_crl_fn cert_crl) { - ctx->cert_crl = cert_crl; -} - -X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx) { - return ctx->cert_crl; +X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx) { + return ctx->ctx; } - -void X509_STORE_set_lookup_certs(X509_STORE *ctx, - X509_STORE_CTX_lookup_certs_fn lookup_certs) { - ctx->lookup_certs = lookup_certs; -} - -X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx) { - return ctx->lookup_certs; -} - -void X509_STORE_set_lookup_crls(X509_STORE *ctx, - X509_STORE_CTX_lookup_crls_fn lookup_crls) { - ctx->lookup_crls = lookup_crls; -} - -X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx) { - return ctx->lookup_crls; -} - -void X509_STORE_set_cleanup(X509_STORE *ctx, - X509_STORE_CTX_cleanup_fn ctx_cleanup) { - ctx->cleanup = ctx_cleanup; -} - -X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx) { - return ctx->cleanup; -} - -X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx) { return ctx->ctx; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_req.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_req.c index 60757c1f..8d036660 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_req.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_req.c 
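Review bot: `X509_STORE_set_get_crl` and `X509_STORE_set_check_crl` survive while every getter and the other callback setters are removed, but nothing near them says what a replacement `get_crl` is required to do; the check_cert rewrite in x509_vfy.c in this same diff states that `get_crl` must set `current_crl_issuer` and `current_crl_score` for `check_crl` to read, and that the default cannot be reproduced from outside the library. I would put that contract on the setter, e.g. `// A custom |get_crl| must populate |ctx->current_crl_issuer| and |ctx->current_crl_score|; see |check_cert| in x509_vfy.c.` The surviving setters still store the callback pointers with a plain assignment, which is unchanged but worth stating if a store may be shared between threads.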
@@ -76,45 +76,55 @@ X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req) { return req->req_info->subject; } -EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) { - if ((req == NULL) || (req->req_info == NULL)) { +EVP_PKEY *X509_REQ_get_pubkey(const X509_REQ *req) { + if (req == NULL) { return NULL; } - return (X509_PUBKEY_get(req->req_info->pubkey)); + return X509_PUBKEY_get(req->req_info->pubkey); } -int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) { - EVP_PKEY *xk = NULL; - int ok = 0; +EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req) { + if (req == NULL) { + return NULL; + } + return X509_PUBKEY_get0(req->req_info->pubkey); +} + +int X509_REQ_check_private_key(const X509_REQ *x, const EVP_PKEY *k) { + const EVP_PKEY *xk = X509_REQ_get0_pubkey(x); + if (xk == NULL) { + return 0; + } + + int ret = EVP_PKEY_cmp(xk, k); + if (ret > 0) { + return 1; + } - xk = X509_REQ_get_pubkey(x); - switch (EVP_PKEY_cmp(xk, k)) { - case 1: - ok = 1; - break; + switch (ret) { case 0: OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH); - break; + return 0; case -1: OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH); - break; + return 0; case -2: if (EVP_PKEY_id(k) == EVP_PKEY_EC) { OPENSSL_PUT_ERROR(X509, ERR_R_EC_LIB); - break; + } else { + OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE); } - OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE); + return 0; } - EVP_PKEY_free(xk); - return ok; + return 0; } int X509_REQ_extension_nid(int req_nid) { return req_nid == NID_ext_req || req_nid == NID_ms_ext_req; } -STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) { +STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(const X509_REQ *req) { if (req == NULL || req->req_info == NULL) { return NULL; } 
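Review bot: `X509_REQ_get_pubkey` and the new `X509_REQ_get0_pubkey` drop the `req->req_info == NULL` guard, while `X509_REQ_get_extensions` at the bottom of the same hunk keeps `if (req == NULL || req->req_info == NULL)`; either `req_info` can never be NULL for a parsed request, in which case the remaining check is dead and should go too, or the two pubkey accessors now dereference NULL. I would make the three consistent in one direction. In `X509_REQ_check_private_key` the `switch (ret)` covers 0, -1 and -2 and any other value falls through to the final `return 0;` with no error queued; a `default:` arm that pushes `X509_R_UNKNOWN_KEY_TYPE` would keep the unexpected path from failing silently.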
@@ -127,8 +137,10 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) { return NULL; } - X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx); - ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type(attr, 0); + const X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx); + // TODO(davidben): |X509_ATTRIBUTE_get0_type| is not const-correct. It should + // take and return a const pointer. + const ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type((X509_ATTRIBUTE *)attr, 0); if (!ext || ext->type != V_ASN1_SEQUENCE) { return NULL; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_trs.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_trs.c index 2eba853a..8e1f3b48 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_trs.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_trs.c @@ -54,29 +54,24 @@ * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). */ +#include +#include + #include #include #include -#include +#include -#include "../x509v3/internal.h" +#include "../internal.h" #include "internal.h" -static int tr_cmp(const X509_TRUST *const *a, const X509_TRUST *const *b); -static void trtable_free(X509_TRUST *p); - -static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); -static int trust_1oid(X509_TRUST *trust, X509 *x, int flags); -static int trust_compat(X509_TRUST *trust, X509 *x, int flags); +static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags); +static int trust_compat(const X509_TRUST *trust, X509 *x, int flags); static int obj_trust(int id, X509 *x, int flags); -// WARNING: the following table should be kept in order of trust and without -// any gaps so we can just subtract the minimum trust value to get an index -// into the table - -static X509_TRUST trstandard[] = { +static const X509_TRUST trstandard[] = { {X509_TRUST_COMPAT, 0, trust_compat, (char *)"compatible", 0, NULL}, {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, (char *)"SSL Client", NID_client_auth, NULL}, 
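Review bot: With `trstandard` now `static const`, the `(char *)"compatible"` casts in the table and `char *X509_TRUST_get0_name(const X509_TRUST *xp)` (kept as context in the `-167,99` hunk further down) hand callers a writable pointer into a string literal, and writing through it is undefined behaviour. Since the dynamic-registration path that needed a mutable `name` (`X509_TRUST_add`) is removed in this diff, the `name` field and the getter could become `const char *` and the casts dropped; if the public return type must stay, a comment on the table such as `// |name| always points at a string literal; callers must not modify it.` would at least record the constraint.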
@@ -86,76 +81,47 @@ static X509_TRUST trstandard[] = { NID_email_protect, NULL}, {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, (char *)"Object Signer", NID_code_sign, NULL}, - {X509_TRUST_OCSP_SIGN, 0, trust_1oid, (char *)"OCSP responder", - NID_OCSP_sign, NULL}, - {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, (char *)"OCSP request", - NID_ad_OCSP, NULL}, {X509_TRUST_TSA, 0, trust_1oidany, (char *)"TSA server", NID_time_stamp, NULL}}; -#define X509_TRUST_COUNT (sizeof(trstandard) / sizeof(X509_TRUST)) - -static STACK_OF(X509_TRUST) *trtable = NULL; - -static int tr_cmp(const X509_TRUST *const *a, const X509_TRUST *const *b) { - return (*a)->trust - (*b)->trust; -} - int X509_check_trust(X509 *x, int id, int flags) { - X509_TRUST *pt; - int idx; if (id == -1) { - return 1; + return X509_TRUST_TRUSTED; } // We get this as a default value if (id == 0) { - int rv; - rv = obj_trust(NID_anyExtendedKeyUsage, x, 0); + int rv = obj_trust(NID_anyExtendedKeyUsage, x, 0); if (rv != X509_TRUST_UNTRUSTED) { return rv; } return trust_compat(NULL, x, 0); } - idx = X509_TRUST_get_by_id(id); + int idx = X509_TRUST_get_by_id(id); if (idx == -1) { return obj_trust(id, x, flags); } - pt = X509_TRUST_get0(idx); + const X509_TRUST *pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); } -int X509_TRUST_get_count(void) { - if (!trtable) { - return X509_TRUST_COUNT; - } - return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT; -} +int X509_TRUST_get_count(void) { return OPENSSL_ARRAY_SIZE(trstandard); } -X509_TRUST *X509_TRUST_get0(int idx) { - if (idx < 0) { +const X509_TRUST *X509_TRUST_get0(int idx) { + if (idx < 0 || (size_t)idx >= OPENSSL_ARRAY_SIZE(trstandard)) { return NULL; } - if (idx < (int)X509_TRUST_COUNT) { - return trstandard + idx; - } - return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); + return trstandard + idx; } int X509_TRUST_get_by_id(int id) { - X509_TRUST tmp; - size_t idx; - - if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) { - return id - 
X509_TRUST_MIN; - } - tmp.trust = id; - if (!trtable) { - return -1; - } - if (!sk_X509_TRUST_find(trtable, &idx, &tmp)) { - return -1; + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(trstandard); i++) { + if (trstandard[i].trust == id) { + static_assert(OPENSSL_ARRAY_SIZE(trstandard) <= INT_MAX, + "indices must fit in int"); + return (int)i; + } } - return idx + X509_TRUST_COUNT; + return -1; } int X509_TRUST_set(int *t, int trust) { 
@@ -167,99 +133,13 @@ int X509_TRUST_set(int *t, int trust) { return 1; } -int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), - char *name, int arg1, void *arg2) { - int idx; - X509_TRUST *trtmp; - char *name_dup; - - // This is set according to what we change: application can't set it - flags &= ~X509_TRUST_DYNAMIC; - // This will always be set for application modified trust entries - flags |= X509_TRUST_DYNAMIC_NAME; - // Get existing entry if any - idx = X509_TRUST_get_by_id(id); - // Need a new entry - if (idx == -1) { - if (!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) { - return 0; - } - trtmp->flags = X509_TRUST_DYNAMIC; - } else { - trtmp = X509_TRUST_get0(idx); - } - - // Duplicate the supplied name. - name_dup = OPENSSL_strdup(name); - if (name_dup == NULL) { - if (idx == -1) { - OPENSSL_free(trtmp); - } - return 0; - } - - // OPENSSL_free existing name if dynamic - if (trtmp->flags & X509_TRUST_DYNAMIC_NAME) { - OPENSSL_free(trtmp->name); - } - trtmp->name = name_dup; - // Keep the dynamic flag of existing entry - trtmp->flags &= X509_TRUST_DYNAMIC; - // Set all other flags - trtmp->flags |= flags; - - trtmp->trust = id; - trtmp->check_trust = ck; - trtmp->arg1 = arg1; - trtmp->arg2 = arg2; - - // If its a new entry manage the dynamic table - if (idx == -1) { - // TODO(davidben): This should be locked. Alternatively, remove the dynamic - // registration mechanism entirely. The trouble is there no way to pass in - // the various parameters into an |X509_VERIFY_PARAM| directly. You can only - // register it in the global table and get an ID. 
- if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { - trtable_free(trtmp); - return 0; - } - if (!sk_X509_TRUST_push(trtable, trtmp)) { - trtable_free(trtmp); - return 0; - } - sk_X509_TRUST_sort(trtable); - } - return 1; -} - -static void trtable_free(X509_TRUST *p) { - if (!p) { - return; - } - if (p->flags & X509_TRUST_DYNAMIC) { - if (p->flags & X509_TRUST_DYNAMIC_NAME) { - OPENSSL_free(p->name); - } - OPENSSL_free(p); - } -} - -void X509_TRUST_cleanup(void) { - unsigned int i; - for (i = 0; i < X509_TRUST_COUNT; i++) { - trtable_free(trstandard + i); - } - sk_X509_TRUST_pop_free(trtable, trtable_free); - trtable = NULL; -} - int X509_TRUST_get_flags(const X509_TRUST *xp) { return xp->flags; } char *X509_TRUST_get0_name(const X509_TRUST *xp) { return xp->name; } int X509_TRUST_get_trust(const X509_TRUST *xp) { return xp->trust; } -static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { +static int trust_1oidany(const X509_TRUST *trust, X509 *x, int flags) { if (x->aux && (x->aux->trust || x->aux->reject)) { return obj_trust(trust->arg1, x, flags); } @@ -268,14 +148,7 @@ static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { return trust_compat(trust, x, flags); } -static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) { - if (x->aux) { - return obj_trust(trust->arg1, x, flags); - } - return X509_TRUST_UNTRUSTED; -} - -static int trust_compat(X509_TRUST *trust, X509 *x, int flags) { +static int trust_compat(const X509_TRUST *trust, X509 *x, int flags) { if (!x509v3_cache_extensions(x)) { return X509_TRUST_UNTRUSTED; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_v3.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_v3.c index 63857326..891c0f23 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_v3.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_v3.c @@ -60,7 +60,6 @@ #include #include #include -#include #include "internal.h" 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_vfy.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_vfy.c index a0c02ab9..1d6e6e9b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_vfy.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_vfy.c @@ -55,6 +55,7 @@ * [including the GNU Public Licence.] */ #include +#include #include #include @@ -65,10 +66,8 @@ #include #include #include -#include #include "../internal.h" -#include "../x509v3/internal.h" #include "internal.h" static CRYPTO_EX_DATA_CLASS g_ex_data_class = @@ -77,44 +76,31 @@ static CRYPTO_EX_DATA_CLASS g_ex_data_class = // CRL score values // No unhandled critical extensions - #define CRL_SCORE_NOCRITICAL 0x100 // certificate is within CRL scope - #define CRL_SCORE_SCOPE 0x080 // CRL times valid - #define CRL_SCORE_TIME 0x040 // Issuer name matches certificate - #define CRL_SCORE_ISSUER_NAME 0x020 // If this score or above CRL is probably valid - #define CRL_SCORE_VALID \ (CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE) // CRL issuer is certificate issuer - #define CRL_SCORE_ISSUER_CERT 0x018 // CRL issuer is on certificate path - #define CRL_SCORE_SAME_PATH 0x008 // CRL issuer matches CRL AKID - #define CRL_SCORE_AKID 0x004 -// Have a delta CRL with valid times - -#define CRL_SCORE_TIME_DELTA 0x002 - static int null_callback(int ok, X509_STORE_CTX *e); -static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); static int check_chain_extensions(X509_STORE_CTX *ctx); static int check_name_constraints(X509_STORE_CTX *ctx); 
@@ -124,19 +110,14 @@ static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); -static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, - unsigned int *preasons, X509_CRL *crl, X509 *x); -static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, +static X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x); +static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl, X509 *x); -static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, - X509_CRL *base, STACK_OF(X509_CRL) *crls); -static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, - int *pcrl_score); -static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, - unsigned int *preasons); -static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); -static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, - STACK_OF(X509) *crl_path); +static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x); +static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, + int *pcrl_score); +static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score); +static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); static int internal_verify(X509_STORE_CTX *ctx); 
@@ -153,14 +134,24 @@ static int cert_self_signed(X509 *x, int *out_is_self_signed) { return 1; } -// Given a certificate try and find an exact match in the store +static int call_verify_cb(int ok, X509_STORE_CTX *ctx) { + ok = ctx->verify_cb(ok, ctx); + // Historically, callbacks returning values like -1 would be treated as a mix + // of success or failure. Insert that callers check correctly. + // + // TODO(davidben): Also use this wrapper to constrain which errors may be + // suppressed, and ensure all |verify_cb| calls remember to fill in an error. + BSSL_CHECK(ok == 0 || ok == 1); + return ok; +} +// Given a certificate try and find an exact match in the store static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) { STACK_OF(X509) *certs; X509 *xtmp = NULL; size_t i; // Lookup all certs with matching subject name - certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); + certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x)); if (certs == NULL) { return NULL; } 
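Review bot: `call_verify_cb` turns any callback return other than 0 or 1 into a process abort via `BSSL_CHECK`, where the old direct `ctx->verify_cb` calls tolerated values such as -1; for a library this converts an application bug into a crash, so the new contract should be documented where `X509_STORE_CTX_verify_cb` is declared (the header is outside this diff), not only in this static helper. The comment itself reads `Insert that callers check correctly`, which looks like a typo for `Assert that callbacks return correctly`. The blank line between the helper's closing brace and `// Given a certificate try and find an exact match in the store` was also lost.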
@@ -181,24 +172,35 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) { } int X509_verify_cert(X509_STORE_CTX *ctx) { - X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; + X509 *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; - int depth, i, ok = 0; - int num, j, retry, trust; + int i, ok = 0; + int j, retry, trust; STACK_OF(X509) *sktmp = NULL; if (ctx->cert == NULL) { OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); ctx->error = X509_V_ERR_INVALID_CALL; - return -1; + return 0; } + if (ctx->chain != NULL) { // This X509_STORE_CTX has already been used to verify a cert. We // cannot do another one. OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); ctx->error = X509_V_ERR_INVALID_CALL; - return -1; + return 0; + } + + if (ctx->param->flags & + (X509_V_FLAG_EXTENDED_CRL_SUPPORT | X509_V_FLAG_USE_DELTAS)) { + // We do not support indirect or delta CRLs. The flags still exist for + // compatibility with bindings libraries, but to ensure we do not + // inadvertently skip a CRL check that the caller expects, fail closed. + OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + ctx->error = X509_V_ERR_INVALID_CALL; + return 0; } // first we make sure the chain we are going to build is present and that 
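Review bot: The new fail-closed check reads `ctx->param->flags` a few lines after the local `X509_VERIFY_PARAM *param = ctx->param;` is declared, so `param->flags & (X509_V_FLAG_EXTENDED_CRL_SUPPORT | X509_V_FLAG_USE_DELTAS)` would be the consistent form. Failing closed here is the right call; a one-line comment noting that these flags used to select the delta and indirect CRL paths removed later in this diff would tell readers why setting a flag now yields `X509_V_ERR_INVALID_CALL`. The two early returns also change from -1 to 0, which callers testing `ret < 0` will observe; if the header documents the new 0/1 contract, a pointer to it here would help.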
@@ -217,17 +219,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { goto end; } - num = (int)sk_X509_num(ctx->chain); - x = sk_X509_value(ctx->chain, num - 1); - depth = param->depth; + int num = (int)sk_X509_num(ctx->chain); + X509 *x = sk_X509_value(ctx->chain, num - 1); + // |param->depth| does not include the leaf certificate or the trust anchor, + // so the maximum size is 2 more. + int max_chain = param->depth >= INT_MAX - 2 ? INT_MAX : param->depth + 2; for (;;) { - // If we have enough, we break - if (depth < num) { - break; // FIXME: If this happens, we should take - // note of it and, if appropriate, use the - // X509_V_ERR_CERT_CHAIN_TOO_LONG error code - // later. + if (num >= max_chain) { + // FIXME: If this happens, we should take note of it and, if appropriate, + // use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code later. + break; } int is_self_signed; 
@@ -242,32 +244,26 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { } // If asked see if we can find issuer in trusted store first if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) { - ok = ctx->get_issuer(&xtmp, ctx, x); - if (ok < 0) { - ctx->error = X509_V_ERR_STORE_LOOKUP; - goto end; - } - // If successful for now free up cert so it will be picked up - // again later. - if (ok > 0) { - X509_free(xtmp); + X509 *issuer = get_trusted_issuer(ctx, x); + if (issuer != NULL) { + // Free the certificate. It will be picked up again later. + X509_free(issuer); break; } } // If we were passed a cert chain, use it first if (sktmp != NULL) { - xtmp = find_issuer(ctx, sktmp, x); - if (xtmp != NULL) { - if (!sk_X509_push(ctx->chain, xtmp)) { + X509 *issuer = find_issuer(ctx, sktmp, x); + if (issuer != NULL) { + if (!sk_X509_push(ctx->chain, issuer)) { ctx->error = X509_V_ERR_OUT_OF_MEM; - ok = 0; goto end; } - X509_up_ref(xtmp); - (void)sk_X509_delete_ptr(sktmp, xtmp); + X509_up_ref(issuer); + (void)sk_X509_delete_ptr(sktmp, issuer); ctx->last_untrusted++; - x = xtmp; + x = issuer; num++; // reparse the full chain for the next one continue; 
@@ -299,24 +295,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { // We have a single self signed certificate: see if we can // find it in the store. We must have an exact match to avoid // possible impersonation. - ok = ctx->get_issuer(&xtmp, ctx, x); - if ((ok <= 0) || X509_cmp(x, xtmp)) { + X509 *issuer = get_trusted_issuer(ctx, x); + if (issuer == NULL || X509_cmp(x, issuer) != 0) { + X509_free(issuer); ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; ctx->current_cert = x; ctx->error_depth = i - 1; - if (ok == 1) { - X509_free(xtmp); - } bad_chain = 1; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { goto end; } } else { // We have a match: replace certificate with store // version so we get any trust settings. X509_free(x); - x = xtmp; + x = issuer; (void)sk_X509_set(ctx->chain, i - 1, x); ctx->last_untrusted = 0; } @@ -331,8 +324,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { } // We now lookup certs from the certificate store for (;;) { - // If we have enough, we break - if (depth < num) { + if (num >= max_chain) { + // FIXME: If this happens, we should take note of it and, if + // appropriate, use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code later. break; } if (!cert_self_signed(x, &is_self_signed)) { @@ -343,20 +337,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { if (is_self_signed) { break; } - ok = ctx->get_issuer(&xtmp, ctx, x); - - if (ok < 0) { - ctx->error = X509_V_ERR_STORE_LOOKUP; - goto end; - } - if (ok == 0) { + X509 *issuer = get_trusted_issuer(ctx, x); + if (issuer == NULL) { break; } - x = xtmp; + x = issuer; if (!sk_X509_push(ctx->chain, x)) { - X509_free(xtmp); + X509_free(issuer); ctx->error = X509_V_ERR_OUT_OF_MEM; - ok = 0; goto end; } num++; @@ -367,7 +355,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { // If explicitly rejected error if (trust == X509_TRUST_REJECTED) { - ok = 0; goto end; } // If it's not explicitly trusted then check if there is an alternative 
@@ -379,21 +366,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { while (j-- > 1) { - xtmp2 = sk_X509_value(ctx->chain, j - 1); - ok = ctx->get_issuer(&xtmp, ctx, xtmp2); - if (ok < 0) { - goto end; - } + X509 *issuer = + get_trusted_issuer(ctx, sk_X509_value(ctx->chain, j - 1)); // Check if we found an alternate chain - if (ok > 0) { + if (issuer != NULL) { // Free up the found cert we'll add it again later - X509_free(xtmp); + X509_free(issuer); // Dump all the certs above this point - we've found an // alternate chain while (num > j) { - xtmp = sk_X509_pop(ctx->chain); - X509_free(xtmp); + X509_free(sk_X509_pop(ctx->chain)); num--; } ctx->last_untrusted = (int)sk_X509_num(ctx->chain); @@ -408,7 +391,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { // self signed certificate in which case we've indicated an error already // and set bad_chain == 1 if (trust != X509_TRUST_TRUSTED && !bad_chain) { - if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { + if (chain_ss == NULL || + !x509_check_issued_with_callback(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num) { ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; } else { @@ -416,7 +400,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { } ctx->current_cert = x; } else { - sk_X509_push(ctx->chain, chain_ss); + if (!sk_X509_push(ctx->chain, chain_ss)) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + goto end; + } num++; ctx->last_untrusted = num; ctx->current_cert = chain_ss; 
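Review bot: The `sk_X509_push(ctx->chain, chain_ss)` result is now checked, which is good, but once the push succeeds the chain holds the reference while the `chain_ss` local still points at it, and `X509_free(chain_ss)` runs unconditionally at `end:` in the next hunk; this hunk ends right after `ctx->current_cert = chain_ss;`, so whether a `chain_ss = NULL;` follows is not visible. If it does not, the success path releases the certificate twice; if it does, a comment `// Ownership moved to ctx->chain.` on that line would make the hand-off obvious.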
@@ -426,63 +413,33 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { ctx->error_depth = num - 1; bad_chain = 1; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { goto end; } } // We have the chain complete: now we need to check its purpose - ok = check_chain_extensions(ctx); - - if (!ok) { + if (!check_chain_extensions(ctx) || // + !check_id(ctx) || + // We check revocation status after copying parameters because they may be + // needed for CRL signature verification. + !check_revocation(ctx) || // + !internal_verify(ctx) || // + !check_name_constraints(ctx) || + // TODO(davidben): Does |check_policy| still need to be conditioned on + // |!bad_chain|? DoS concerns have been resolved. + (!bad_chain && !check_policy(ctx))) { goto end; } - ok = check_id(ctx); - - if (!ok) { - goto end; - } - - // Check revocation status: we do this after copying parameters because - // they may be needed for CRL signature verification. - ok = ctx->check_revocation(ctx); - if (!ok) { - goto end; - } - - // At this point, we have a chain and need to verify it - if (ctx->verify != NULL) { - ok = ctx->verify(ctx); - } else { - ok = internal_verify(ctx); - } - if (!ok) { - goto end; - } - - // Check name constraints - ok = check_name_constraints(ctx); - if (!ok) { - goto end; - } - - // If we get this far, evaluate policies. - if (!bad_chain) { - ok = ctx->check_policy(ctx); - } + ok = 1; end: - if (sktmp != NULL) { - sk_X509_free(sktmp); - } - if (chain_ss != NULL) { - X509_free(chain_ss); - } + sk_X509_free(sktmp); + X509_free(chain_ss); // Safety net, error returns must set ctx->error - if (ok <= 0 && ctx->error == X509_V_OK) { + if (!ok && ctx->error == X509_V_OK) { ctx->error = X509_V_ERR_UNSPECIFIED; } return ok; 
@@ -495,7 +452,7 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { X509 *issuer; for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); - if (ctx->check_issued(ctx, x, issuer)) { + if (x509_check_issued_with_callback(ctx, x, issuer)) { return issuer; } } @@ -504,7 +461,8 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { // Given a possible certificate and issuer check them -static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { +int x509_check_issued_with_callback(X509_STORE_CTX *ctx, X509 *x, + X509 *issuer) { int ret; ret = X509_check_issued(issuer, x); if (ret == X509_V_OK) { 
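Review bot: `x509_check_issued_with_callback` is now exported (x509_lu.c calls it elsewhere in this diff) but keeps only the one-line `// Given a possible certificate and issuer check them`; the next hunk shows it also writes `ctx->error` and `ctx->current_cert` and may invoke the verify callback, which a caller in another file would not guess. I would expand the comment to say that it returns 1 when `issuer` issued `x` or the callback overrode the mismatch, 0 otherwise, and that on 0 `ctx->error` and `ctx->current_cert` describe the failure. The function body continues past the end of the hunk.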
@@ -517,31 +475,32 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { ctx->error = ret; ctx->current_cert = x; - ctx->current_issuer = issuer; - return ctx->verify_cb(0, ctx); + return call_verify_cb(0, ctx); } -// Alternative lookup method: look from a STACK stored in other_ctx +static X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x) { + X509 *issuer; + if (ctx->trusted_stack != NULL) { + // Ignore the store and use the configured stack instead. + issuer = find_issuer(ctx, ctx->trusted_stack, x); + if (issuer != NULL) { + X509_up_ref(issuer); + } + return issuer; + } -static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { - *issuer = find_issuer(ctx, ctx->other_ctx, x); - if (*issuer) { - X509_up_ref(*issuer); - return 1; - } else { - return 0; + if (!X509_STORE_CTX_get1_issuer(&issuer, ctx, x)) { + return NULL; } + return issuer; } // Check a certificate chains extensions for consistency with the supplied // purpose static int check_chain_extensions(X509_STORE_CTX *ctx) { - int ok = 0, plen = 0; - - // If |ctx->parent| is set, this is CRL path validation. - int purpose = - ctx->parent == NULL ? ctx->param->purpose : X509_PURPOSE_CRL_SIGN; + int plen = 0; + int purpose = ctx->param->purpose; // Check all untrusted certificates for (int i = 0; i < ctx->last_untrusted; i++) { @@ -551,9 +510,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } @@ -562,9 +520,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { ctx->error = X509_V_ERR_INVALID_CA; ctx->error_depth = i; ctx->current_cert = x; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } if (ctx->param->purpose > 0 && 
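Review bot: In `get_trusted_issuer` the local `X509 *issuer;` is uninitialized on the store path and is returned after `if (!X509_STORE_CTX_get1_issuer(&issuer, ctx, x)) return NULL;`, so the result is well-defined only if every non-zero return of `X509_STORE_CTX_get1_issuer` sets `*out_issuer`; that function's old comment documented a -1 error return and its rewritten body is cut off in this diff. Initialising with `X509 *issuer = NULL;` costs nothing and removes the dependence. Dropping `ctx->current_issuer = issuer;` in `x509_check_issued_with_callback` also means the callback no longer sees the candidate issuer on an issuance mismatch; if that field is gone from the struct, the callback documentation should say so.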
@@ -572,9 +529,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = i; ctx->current_cert = x; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } // Check pathlen if not self issued @@ -583,9 +539,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } // Increment path length if not self issued @@ -593,9 +548,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { plen++; } } - ok = 1; -end: - return ok; + + return 1; } static int reject_dns_name_in_common_name(X509 *x509) { @@ -653,7 +607,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) { ctx->error = rv; ctx->error_depth = i; ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } break; @@ -685,7 +639,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) { ctx->error = rv; ctx->error_depth = i; ctx->current_cert = leaf; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } break; @@ -699,7 +653,7 @@ static int check_id_error(X509_STORE_CTX *ctx, int errcode) { ctx->error = errcode; ctx->current_cert = ctx->cert; ctx->error_depth = 0; - return ctx->verify_cb(0, ctx); + return call_verify_cb(0, ctx); } static int check_hosts(X509 *x, X509_VERIFY_PARAM *param) { 
@@ -707,14 +661,9 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM *param) { size_t n = sk_OPENSSL_STRING_num(param->hosts); char *name; - if (param->peername != NULL) { - OPENSSL_free(param->peername); - param->peername = NULL; - } for (i = 0; i < n; ++i) { name = sk_OPENSSL_STRING_value(param->hosts, i); - if (X509_check_host(x, name, strlen(name), param->hostflags, - ¶m->peername) > 0) { + if (X509_check_host(x, name, strlen(name), param->hostflags, NULL) > 0) { return 1; } } @@ -748,24 +697,22 @@ static int check_id(X509_STORE_CTX *ctx) { } static int check_trust(X509_STORE_CTX *ctx) { - int ok; X509 *x = NULL; // Check all trusted certificates in chain for (size_t i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) { x = sk_X509_value(ctx->chain, i); - ok = X509_check_trust(x, ctx->param->trust, 0); + int trust = X509_check_trust(x, ctx->param->trust, 0); // If explicitly trusted return trusted - if (ok == X509_TRUST_TRUSTED) { + if (trust == X509_TRUST_TRUSTED) { return X509_TRUST_TRUSTED; } // If explicitly rejected notify callback and reject if not // overridden. - if (ok == X509_TRUST_REJECTED) { + if (trust == X509_TRUST_REJECTED) { ctx->error_depth = (int)i; ctx->current_cert = x; ctx->error = X509_V_ERR_CERT_REJECTED; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { return X509_TRUST_REJECTED; } } 
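Review bot: `check_hosts` no longer records the matched name, passing `NULL` for the peername out-parameter and dropping the `param->peername` reset, so anything that still reads a peername after verification will see no data; the header and any remaining accessor are outside this diff, so confirm they were removed or documented alongside this change. Renaming `ok` to `trust` in `check_trust` reads much better.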
@@ -800,96 +747,52 @@ static int check_revocation(X509_STORE_CTX *ctx) { if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) { last = (int)sk_X509_num(ctx->chain) - 1; } else { - // If checking CRL paths this isn't the EE certificate - if (ctx->parent) { - return 1; - } last = 0; } for (int i = 0; i <= last; i++) { ctx->error_depth = i; - int ok = check_cert(ctx); - if (!ok) { - return ok; + if (!check_cert(ctx)) { + return 0; } } return 1; } static int check_cert(X509_STORE_CTX *ctx) { - X509_CRL *crl = NULL, *dcrl = NULL; - X509 *x; - int ok = 0, cnum; - unsigned int last_reasons; - cnum = ctx->error_depth; - x = sk_X509_value(ctx->chain, cnum); + X509_CRL *crl = NULL; + int ok = 0, cnum = ctx->error_depth; + X509 *x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; - ctx->current_issuer = NULL; + ctx->current_crl_issuer = NULL; ctx->current_crl_score = 0; - ctx->current_reasons = 0; - while (ctx->current_reasons != CRLDP_ALL_REASONS) { - last_reasons = ctx->current_reasons; - // Try to retrieve relevant CRL - if (ctx->get_crl) { - ok = ctx->get_crl(ctx, &crl, x); - } else { - ok = get_crl_delta(ctx, &crl, &dcrl, x); - } - // If error looking up CRL, nothing we can do except notify callback - if (!ok) { - ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; - ok = ctx->verify_cb(0, ctx); - goto err; - } - ctx->current_crl = crl; - ok = ctx->check_crl(ctx, crl); - if (!ok) { - goto err; - } - if (dcrl) { - ok = ctx->check_crl(ctx, dcrl); - if (!ok) { - goto err; - } - ok = ctx->cert_crl(ctx, dcrl, x); - if (!ok) { - goto err; - } - } else { - ok = 1; - } - - // Don't look in full CRL if delta reason is removefromCRL - if (ok != 2) { - ok = ctx->cert_crl(ctx, crl, x); - if (!ok) { - goto err; - } - } + // Try to retrieve the relevant CRL. Note that |get_crl| sets + // |current_crl_issuer| and |current_crl_score|, which |check_crl| then reads. + // + // TODO(davidben): Remove these callbacks. gRPC currently sets them, but + // implements them incorrectly. 
It is not actually possible to implement + // |get_crl| from outside the library. + if (!ctx->get_crl(ctx, &crl, x)) { + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; + ok = call_verify_cb(0, ctx); + goto err; + } - X509_CRL_free(crl); - X509_CRL_free(dcrl); - crl = NULL; - dcrl = NULL; - // If reasons not updated we wont get anywhere by another iteration, - // so exit loop. - if (last_reasons == ctx->current_reasons) { - ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; - ok = ctx->verify_cb(0, ctx); - goto err; - } + ctx->current_crl = crl; + if (!ctx->check_crl(ctx, crl) || // + !cert_crl(ctx, crl, x)) { + goto err; } + + ok = 1; + err: X509_CRL_free(crl); - X509_CRL_free(dcrl); - ctx->current_crl = NULL; return ok; } // Check CRL times against values in X509_STORE_CTX - static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) { return 1; @@ -911,7 +814,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { return 0; } ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } @@ -921,7 +824,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { return 0; } ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } @@ -934,17 +837,16 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { return 0; } ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } - // Ignore expiry of base CRL is delta is valid - if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { + if (i < 0) { if (!notify) { return 0; } ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } 
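Review bot: At the `err:` label of check_cert, `X509_CRL_free(crl)` now runs while `ctx->current_crl` still points at that CRL, because the removed `ctx->current_crl = NULL;` was the only reset visible here; `X509_STORE_CTX_get0_current_crl` would then return a freed pointer to any caller that reads it after verification. Restore `ctx->current_crl = NULL;` directly after `X509_CRL_free(crl);` unless a cleanup path outside this hunk already clears it. The unconditional `ctx->get_crl(ctx, &crl, x)` call also drops the old NULL guard, so it presumably relies on `X509_STORE_CTX_init` always installing the library's `get_crl`; a one-line comment stating that invariant, `// |ctx->get_crl| is always set by |X509_STORE_CTX_init|.`, would make the assumption explicit next to the TODO.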
@@ -957,20 +859,16 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { return 1; } -static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, - X509 **pissuer, int *pscore, unsigned int *preasons, - STACK_OF(X509_CRL) *crls) { +static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer, + int *pscore, STACK_OF(X509_CRL) *crls) { int crl_score, best_score = *pscore; - size_t i; - unsigned int reasons, best_reasons = 0; X509 *x = ctx->current_cert; - X509_CRL *crl, *best_crl = NULL; + X509_CRL *best_crl = NULL; X509 *crl_issuer = NULL, *best_crl_issuer = NULL; - for (i = 0; i < sk_X509_CRL_num(crls); i++) { - crl = sk_X509_CRL_value(crls, i); - reasons = *preasons; - crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); + for (size_t i = 0; i < sk_X509_CRL_num(crls); i++) { + X509_CRL *crl = sk_X509_CRL_value(crls, i); + crl_score = get_crl_score(ctx, &crl_issuer, crl, x); if (crl_score < best_score || crl_score == 0) { continue; } @@ -990,7 +888,6 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, best_crl = crl; best_crl_issuer = crl_issuer; best_score = crl_score; - best_reasons = reasons; } if (best_crl) { @@ -1000,13 +897,7 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, *pcrl = best_crl; *pissuer = best_crl_issuer; *pscore = best_score; - *preasons = best_reasons; X509_CRL_up_ref(best_crl); - if (*pdcrl) { - X509_CRL_free(*pdcrl); - *pdcrl = NULL; - } - get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); } if (best_score >= CRL_SCORE_VALID) { 
@@ -1016,119 +907,12 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, return 0; } -// Compare two CRL extensions for delta checking purposes. They should be -// both present or both absent. If both present all fields must be identical. - -static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) { - const ASN1_OCTET_STRING *exta, *extb; - int i; - i = X509_CRL_get_ext_by_NID(a, nid, -1); - if (i >= 0) { - // Can't have multiple occurrences - if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) { - return 0; - } - exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); - } else { - exta = NULL; - } - - i = X509_CRL_get_ext_by_NID(b, nid, -1); - - if (i >= 0) { - if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) { - return 0; - } - extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); - } else { - extb = NULL; - } - - if (!exta && !extb) { - return 1; - } - - if (!exta || !extb) { - return 0; - } - - if (ASN1_OCTET_STRING_cmp(exta, extb)) { - return 0; - } - - return 1; -} - -// See if a base and delta are compatible - -static int check_delta_base(X509_CRL *delta, X509_CRL *base) { - // Delta CRL must be a delta - if (!delta->base_crl_number) { - return 0; - } - // Base must have a CRL number - if (!base->crl_number) { - return 0; - } - // Issuer names must match - if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta))) { - return 0; - } - // AKID and IDP must match - if (!crl_extension_match(delta, base, NID_authority_key_identifier)) { - return 0; - } - if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) { - return 0; - } - // Delta CRL base number must not exceed Full CRL number. - if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) { - return 0; - } - // Delta CRL number must exceed full CRL number - if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) { - return 1; - } - return 0; -} - -// For a given base CRL find a delta... 
maybe extend to delta scoring or -// retrieve a chain of deltas... - -static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, - X509_CRL *base, STACK_OF(X509_CRL) *crls) { - X509_CRL *delta; - size_t i; - if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) { - return; - } - if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) { - return; - } - for (i = 0; i < sk_X509_CRL_num(crls); i++) { - delta = sk_X509_CRL_value(crls, i); - if (check_delta_base(delta, base)) { - if (check_crl_time(ctx, delta, 0)) { - *pscore |= CRL_SCORE_TIME_DELTA; - } - X509_CRL_up_ref(delta); - *dcrl = delta; - return; - } - } - *dcrl = NULL; -} - // For a given CRL return how suitable it is for the supplied certificate // 'x'. The return value is a mask of several criteria. If the issuer is not -// the certificate issuer this is returned in *pissuer. The reasons mask is -// also used to determine if the CRL is suitable: if no new reasons the CRL -// is rejected, otherwise reasons is updated. - -static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, - unsigned int *preasons, X509_CRL *crl, X509 *x) { +// the certificate issuer this is returned in *pissuer. +static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl, + X509 *x) { int crl_score = 0; - unsigned int tmp_reasons = *preasons, crl_reasons; // First see if we can reject CRL straight away 
@@ -1136,29 +920,15 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, if (crl->idp_flags & IDP_INVALID) { return 0; } - // Reason codes or indirect CRLs need extended CRL support - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { - if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) { - return 0; - } - } else if (crl->idp_flags & IDP_REASONS) { - // If no new reasons reject - if (!(crl->idp_reasons & ~tmp_reasons)) { - return 0; - } - } - // Don't process deltas at this stage - else if (crl->base_crl_number) { + // Reason codes and indirect CRLs are not supported. + if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) { return 0; } - // If issuer name doesn't match certificate need indirect CRL + // We do not support indirect CRLs, so the issuer names must match. if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) { - if (!(crl->idp_flags & IDP_INDIRECT)) { - return 0; - } - } else { - crl_score |= CRL_SCORE_ISSUER_NAME; + return 0; } + crl_score |= CRL_SCORE_ISSUER_NAME; if (!(crl->flags & EXFLAG_CRITICAL)) { crl_score |= CRL_SCORE_NOCRITICAL; 
@@ -1170,36 +940,24 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, } // Check authority key ID and locate certificate issuer - crl_akid_check(ctx, crl, pissuer, &crl_score); - - // If we can't locate certificate issuer at this point forget it - - if (!(crl_score & CRL_SCORE_AKID)) { + if (!crl_akid_check(ctx, crl, pissuer, &crl_score)) { + // If we can't locate certificate issuer at this point forget it return 0; } // Check cert for matching CRL distribution points - - if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) { - // If no new reasons reject - if (!(crl_reasons & ~tmp_reasons)) { - return 0; - } - tmp_reasons |= crl_reasons; + if (crl_crldp_check(x, crl, crl_score)) { crl_score |= CRL_SCORE_SCOPE; } - *preasons = tmp_reasons; - return crl_score; } -static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, - int *pcrl_score) { +static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, + int *pcrl_score) { X509 *crl_issuer = NULL; X509_NAME *cnm = X509_CRL_get_issuer(crl); int cidx = ctx->error_depth; - size_t i; if ((size_t)cidx != sk_X509_num(ctx->chain) - 1) { cidx++; @@ -1208,11 +966,9 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, crl_issuer = sk_X509_value(ctx->chain, cidx); if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { - if (*pcrl_score & CRL_SCORE_ISSUER_NAME) { - *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT; - *pissuer = crl_issuer; - return; - } + *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT; + *pissuer = crl_issuer; + return 1; } for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) { 
@@ -1223,84 +979,10 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH; *pissuer = crl_issuer; - return; - } - } - - // Anything else needs extended CRL support - - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { - return; - } - - // Otherwise the CRL issuer is not on the path. Look for it in the set of - // untrusted certificates. - for (i = 0; i < sk_X509_num(ctx->untrusted); i++) { - crl_issuer = sk_X509_value(ctx->untrusted, i); - if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) { - continue; - } - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { - *pissuer = crl_issuer; - *pcrl_score |= CRL_SCORE_AKID; - return; + return 1; } } -} - -// Check the path of a CRL issuer certificate. This creates a new -// X509_STORE_CTX and populates it with most of the parameters from the -// parent. This could be optimised somewhat since a lot of path checking will -// be duplicated by the parent, but this will rarely be used in practice. 
- -static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) { - X509_STORE_CTX crl_ctx; - int ret; - // Don't allow recursive CRL path validation - if (ctx->parent) { - return 0; - } - if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) { - return -1; - } - - crl_ctx.crls = ctx->crls; - // Copy verify params across - X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); - - crl_ctx.parent = ctx; - crl_ctx.verify_cb = ctx->verify_cb; - - // Verify CRL issuer - ret = X509_verify_cert(&crl_ctx); - - if (ret <= 0) { - goto err; - } - // Check chain is acceptable - - ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); -err: - X509_STORE_CTX_cleanup(&crl_ctx); - return ret; -} - -// RFC 3280 says nothing about the relationship between CRL path and -// certificate path, which could lead to situations where a certificate could -// be revoked or validated by a CA not authorised to do so. RFC 5280 is more -// strict and states that the two paths must end in the same trust anchor, -// though some discussions remain... until this is resolved we use the -// RFC 5280 version - -static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, - STACK_OF(X509) *crl_path) { - X509 *cert_ta, *crl_ta; - cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); - crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); - if (!X509_cmp(cert_ta, crl_ta)) { - return 1; - } return 0; } @@ -1308,7 +990,6 @@ static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, // Both are relative names and compare X509_NAME types. 2. One full, one // relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and // compare two GENERAL_NAMES. 4. One is NULL: automatic match. - static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) { X509_NAME *nm = NULL; GENERAL_NAMES *gens = NULL; 
@@ -1373,30 +1054,8 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) { return 0; } -static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) { - size_t i; - X509_NAME *nm = X509_CRL_get_issuer(crl); - // If no CRLissuer return is successful iff don't need a match - if (!dp->CRLissuer) { - return !!(crl_score & CRL_SCORE_ISSUER_NAME); - } - for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { - GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); - if (gen->type != GEN_DIRNAME) { - continue; - } - if (!X509_NAME_cmp(gen->d.directoryName, nm)) { - return 1; - } - } - return 0; -} - // Check CRLDP and IDP - -static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, - unsigned int *preasons) { - size_t i; +static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score) { if (crl->idp_flags & IDP_ONLYATTR) { return 0; } 
@@ -1409,52 +1068,49 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, return 0; } } - *preasons = crl->idp_reasons; - for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { + for (size_t i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); - if (crldp_check_crlissuer(dp, crl, crl_score)) { - if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) { - *preasons &= dp->dp_reasons; - return 1; - } + // Skip distribution points with a reasons field or a CRL issuer: + // + // We do not support CRLs partitioned by reason code. RFC 5280 requires CAs + // include at least one DistributionPoint that covers all reasons. + // + // We also do not support indirect CRLs, and a CRL issuer can only match + // indirect CRLs (RFC 5280, section 6.3.3, step b.1). + // support. + if (dp->reasons != NULL && dp->CRLissuer != NULL && + (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint))) { + return 1; } } - if ((!crl->idp || !crl->idp->distpoint) && - (crl_score & CRL_SCORE_ISSUER_NAME)) { - return 1; - } - return 0; -} -// Retrieve CRL corresponding to current certificate. If deltas enabled try -// to find a delta CRL too + // If the CRL does not specify an issuing distribution point, allow it to + // match anything. + // + // TODO(davidben): Does this match RFC 5280? It's hard to follow because RFC + // 5280 starts from distribution points, while this starts from CRLs. + return !crl->idp || !crl->idp->distpoint; +} -static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, - X509 *x) { - int ok; +// Retrieve CRL corresponding to current certificate. 
+static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) { X509 *issuer = NULL; int crl_score = 0; - unsigned int reasons; - X509_CRL *crl = NULL, *dcrl = NULL; - STACK_OF(X509_CRL) *skcrl; - X509_NAME *nm = X509_get_issuer_name(x); - reasons = ctx->current_reasons; - ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, ctx->crls); - - if (ok) { + X509_CRL *crl = NULL; + if (get_crl_sk(ctx, &crl, &issuer, &crl_score, ctx->crls)) { goto done; } // Lookup CRLs from store - - skcrl = ctx->lookup_crls(ctx, nm); + STACK_OF(X509_CRL) *skcrl = + X509_STORE_CTX_get1_crls(ctx, X509_get_issuer_name(x)); // If no CRLs found and a near match from get_crl_sk use that if (!skcrl && crl) { goto done; } - get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); + get_crl_sk(ctx, &crl, &issuer, &crl_score, skcrl); sk_X509_CRL_pop_free(skcrl, X509_CRL_free); @@ -1462,11 +1118,9 @@ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, // If we got any kind of CRL use it and return success if (crl) { - ctx->current_issuer = issuer; + ctx->current_crl_issuer = issuer; ctx->current_crl_score = crl_score; - ctx->current_reasons = reasons; *pcrl = crl; - *pdcrl = dcrl; return 1; } 
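Review bot: In crl_crldp_check the new test `dp->reasons != NULL && dp->CRLissuer != NULL` only accepts distribution points that carry both a reasons field and a CRL issuer, which is the opposite of what the comment above it says (skip points that have either); as written, the common distribution point with neither field never matches, so a CRL that has an issuing distribution point can never earn CRL_SCORE_SCOPE in get_crl_score and check_crl then reports X509_V_ERR_DIFFERENT_CRL_SCOPE for it. If the comment states the intent, the condition should read `if (dp->reasons == NULL && dp->CRLissuer == NULL &&`. The comment also ends with a stray `// support.` fragment left over from editing that should be dropped. crl_crldp_check's opening lines, including the IDP_ONLYCA/IDP_ONLYUSER checks, are outside this hunk.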
@@ -1476,110 +1130,78 @@ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, // Check CRL validity static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; - EVP_PKEY *ikey = NULL; - int ok = 0; int cnum = ctx->error_depth; int chnum = (int)sk_X509_num(ctx->chain) - 1; - // if we have an alternative CRL issuer cert use that - if (ctx->current_issuer) { - issuer = ctx->current_issuer; - } - - // Else find CRL issuer: if not last certificate then issuer is next - // certificate in chain. - else if (cnum < chnum) { + // If we have an alternative CRL issuer cert use that. Otherwise, it is the + // issuer of the current certificate. + if (ctx->current_crl_issuer) { + issuer = ctx->current_crl_issuer; + } else if (cnum < chnum) { issuer = sk_X509_value(ctx->chain, cnum + 1); } else { issuer = sk_X509_value(ctx->chain, chnum); // If not self signed, can't check signature - if (!ctx->check_issued(ctx, issuer, issuer)) { + if (!x509_check_issued_with_callback(ctx, issuer, issuer)) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; + if (!call_verify_cb(0, ctx)) { + return 0; } } } if (issuer) { - // Skip most tests for deltas because they have already been done - if (!crl->base_crl_number) { - // Check for cRLSign bit if keyUsage present - if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) { - ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; - } - } - - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { - ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; - } + // Check for cRLSign bit if keyUsage present + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & X509v3_KU_CRL_SIGN)) { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + if (!call_verify_cb(0, ctx)) { + return 0; } + } - if (!(ctx->current_crl_score & 
CRL_SCORE_SAME_PATH)) { - if (check_crl_path(ctx, ctx->current_issuer) <= 0) { - ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; - } - } + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { + ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; + if (!call_verify_cb(0, ctx)) { + return 0; } + } - if (crl->idp_flags & IDP_INVALID) { - ctx->error = X509_V_ERR_INVALID_EXTENSION; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; - } + if (crl->idp_flags & IDP_INVALID) { + ctx->error = X509_V_ERR_INVALID_EXTENSION; + if (!call_verify_cb(0, ctx)) { + return 0; } } if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { - ok = check_crl_time(ctx, crl, 1); - if (!ok) { - goto err; + if (!check_crl_time(ctx, crl, 1)) { + return 0; } } // Attempt to get issuer certificate public key - ikey = X509_get_pubkey(issuer); - + EVP_PKEY *ikey = X509_get0_pubkey(issuer); if (!ikey) { ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; + if (!call_verify_cb(0, ctx)) { + return 0; } } else { // Verify CRL signature if (X509_CRL_verify(crl, ikey) <= 0) { ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; + if (!call_verify_cb(0, ctx)) { + return 0; } } } } - ok = 1; - -err: - EVP_PKEY_free(ikey); - return ok; + return 1; } // Check certificate against CRL static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { - int ok; - X509_REVOKED *rev; // The rules changed for this... previously if a CRL contained unhandled // critical extensions it could still be used to indicate a certificate // was revoked. This has since been changed since critical extension can 
@@ -1587,20 +1209,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && (crl->flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { return 0; } } - // Look for serial number of certificate in CRL If found make sure reason - // is not removeFromCRL. + // Look for serial number of certificate in CRL. + X509_REVOKED *rev; if (X509_CRL_get0_by_cert(crl, &rev, x)) { - if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) { - return 2; - } ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { return 0; } } @@ -1609,11 +1226,6 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { } static int check_policy(X509_STORE_CTX *ctx) { - // TODO(davidben): Why do we disable policy validation for CRL paths? - if (ctx->parent) { - return 1; - } - X509 *current_cert = NULL; int ret = X509_policy_check(ctx->chain, ctx->param->policies, ctx->param->flags, ¤t_cert); @@ -1623,18 +1235,7 @@ static int check_policy(X509_STORE_CTX *ctx) { if (ret == X509_V_ERR_OUT_OF_MEM) { return 0; } - return ctx->verify_cb(0, ctx); - } - - if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { - ctx->current_cert = NULL; - // Verification errors need to be "sticky", a callback may have allowed - // an SSL handshake to continue despite an error, and we must then - // remain in an error state. Therefore, we MUST NOT clear earlier - // verification errors by setting the error to X509_V_OK. - if (!ctx->verify_cb(2, ctx)) { - return 0; - } + return call_verify_cb(0, ctx); } return 1; @@ -1656,7 +1257,7 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { if (i == 0) { ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } 
@@ -1664,7 +1265,7 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { if (i > 0) { ctx->error = X509_V_ERR_CERT_NOT_YET_VALID; ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } @@ -1673,7 +1274,7 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { if (i == 0) { ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } @@ -1681,7 +1282,7 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { if (i < 0) { ctx->error = X509_V_ERR_CERT_HAS_EXPIRED; ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } @@ -1690,16 +1291,20 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { } static int internal_verify(X509_STORE_CTX *ctx) { - int ok = 0; - X509 *xs, *xi; - EVP_PKEY *pkey = NULL; - + // TODO(davidben): This logic is incredibly confusing. Rewrite this: + // + // First, don't allow the verify callback to suppress + // X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, which will simplify the + // signature check. Then replace jumping into the middle of the loop. It's + // trying to ensure that all certificates see |check_cert_time|, then checking + // the root's self signature when requested, but not breaking partial chains + // in the process. int n = (int)sk_X509_num(ctx->chain); ctx->error_depth = n - 1; n--; - xi = sk_X509_value(ctx->chain, n); - - if (ctx->check_issued(ctx, xi, xi)) { + X509 *xi = sk_X509_value(ctx->chain, n); + X509 *xs; + if (x509_check_issued_with_callback(ctx, xi, xi)) { xs = xi; } else { if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) { 
@@ -1709,13 +1314,11 @@ static int internal_verify(X509_STORE_CTX *ctx) { if (n <= 0) { ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; ctx->current_cert = xi; - ok = ctx->verify_cb(0, ctx); - goto end; - } else { - n--; - ctx->error_depth = n; - xs = sk_X509_value(ctx->chain, n); + return call_verify_cb(0, ctx); } + n--; + ctx->error_depth = n; + xs = sk_X509_value(ctx->chain, n); } // ctx->error=0; not needed @@ -1726,38 +1329,31 @@ static int internal_verify(X509_STORE_CTX *ctx) { // explicitly asked for. It doesn't add any security and just wastes // time. if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { - if ((pkey = X509_get_pubkey(xi)) == NULL) { + EVP_PKEY *pkey = X509_get0_pubkey(xi); + if (pkey == NULL) { ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->current_cert = xi; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } else if (X509_verify(xs, pkey) <= 0) { ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->current_cert = xs; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - EVP_PKEY_free(pkey); - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } - EVP_PKEY_free(pkey); - pkey = NULL; } check_cert: - ok = check_cert_time(ctx, xs); - if (!ok) { - goto end; + if (!check_cert_time(ctx, xs)) { + return 0; } // The last error (if any) is still in the error value - ctx->current_issuer = xi; ctx->current_cert = xs; - ok = ctx->verify_cb(1, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(1, ctx)) { + return 0; } n--; 
@@ -1766,16 +1362,15 @@ static int internal_verify(X509_STORE_CTX *ctx) { xs = sk_X509_value(ctx->chain, n); } } - ok = 1; -end: - return ok; + + return 1; } int X509_cmp_current_time(const ASN1_TIME *ctm) { return X509_cmp_time_posix(ctm, time(NULL)); } -int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) { +int X509_cmp_time(const ASN1_TIME *ctm, const time_t *cmp_time) { int64_t compare_time = (cmp_time == NULL) ? time(NULL) : *cmp_time; return X509_cmp_time_posix(ctm, compare_time); } @@ -1793,12 +1388,12 @@ ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec) { return X509_time_adj(s, offset_sec, NULL); } -ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) { +ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, const time_t *in_tm) { return X509_time_adj_ex(s, 0, offset_sec, in_tm); } ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, - time_t *in_tm) { + const time_t *in_tm) { int64_t t = 0; if (in_tm) { 
@@ -1810,117 +1405,6 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, return ASN1_TIME_adj(s, t, offset_day, offset_sec); } -// Make a delta CRL as the diff between two full CRLs - -X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey, - const EVP_MD *md, unsigned int flags) { - X509_CRL *crl = NULL; - int i; - size_t j; - STACK_OF(X509_REVOKED) *revs = NULL; - // CRLs can't be delta already - if (base->base_crl_number || newer->base_crl_number) { - OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA); - return NULL; - } - // Base and new CRL must have a CRL number - if (!base->crl_number || !newer->crl_number) { - OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER); - return NULL; - } - // Issuer names must match - if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) { - OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH); - return NULL; - } - // AKID and IDP must match - if (!crl_extension_match(base, newer, NID_authority_key_identifier)) { - OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH); - return NULL; - } - if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) { - OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH); - return NULL; - } - // Newer CRL number must exceed full CRL number - if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) { - OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER); - return NULL; - } - // CRLs must verify - if (skey && - (X509_CRL_verify(base, skey) <= 0 || X509_CRL_verify(newer, skey) <= 0)) { - OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE); - return NULL; - } - // Create new CRL - crl = X509_CRL_new(); - if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) { - goto memerr; - } - // Set issuer name - if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) { - goto memerr; - } - - if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) { - goto memerr; - } - if (!X509_CRL_set1_nextUpdate(crl, 
X509_CRL_get0_nextUpdate(newer))) { - goto memerr; - } - - // Set base CRL number: must be critical - - if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) { - goto memerr; - } - - // Copy extensions across from newest CRL to delta: this will set CRL - // number to correct value too. - - for (i = 0; i < X509_CRL_get_ext_count(newer); i++) { - const X509_EXTENSION *ext = X509_CRL_get_ext(newer, i); - if (!X509_CRL_add_ext(crl, ext, -1)) { - goto memerr; - } - } - - // Go through revoked entries, copying as needed - - revs = X509_CRL_get_REVOKED(newer); - - for (j = 0; j < sk_X509_REVOKED_num(revs); j++) { - X509_REVOKED *rvn, *rvtmp; - rvn = sk_X509_REVOKED_value(revs, j); - // Add only if not also in base. TODO: need something cleverer here - // for some more complex CRLs covering multiple CAs. - if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) { - rvtmp = X509_REVOKED_dup(rvn); - if (!rvtmp) { - goto memerr; - } - if (!X509_CRL_add0_revoked(crl, rvtmp)) { - X509_REVOKED_free(rvtmp); - goto memerr; - } - } - } - // TODO: optionally prune deleted entries - - if (skey && md && !X509_CRL_sign(crl, skey, md)) { - goto memerr; - } - - return crl; - -memerr: - if (crl) { - X509_CRL_free(crl); - } - return NULL; -} - int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, 
@@ -1943,54 +1427,51 @@ void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) { return CRYPTO_get_ex_data(&ctx->ex_data, idx); } -int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) { return ctx->error; } +int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx) { return ctx->error; } void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) { ctx->error = err; } -int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) { +int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx) { return ctx->error_depth; } -X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) { +X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx) { return ctx->current_cert; } -STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) { +STACK_OF(X509) *X509_STORE_CTX_get_chain(const X509_STORE_CTX *ctx) { return ctx->chain; } -STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) { +STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx) { return ctx->chain; } -STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) { +STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx) { if (!ctx->chain) { return NULL; } return X509_chain_up_ref(ctx->chain); } -X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) { - return ctx->current_issuer; -} - -X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) { +X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx) { return ctx->current_crl; } -X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) { - return ctx->parent; +X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx) { + // In OpenSSL, an |X509_STORE_CTX| sometimes has a parent context during CRL + // path validation for indirect CRLs. We require the CRL to be issued + // somewhere along the certificate path, so this is always NULL. 
+ return NULL; } -void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { ctx->cert = x; } - void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->untrusted = sk; } -STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) { +STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx) { return ctx->untrusted; } 
@@ -1999,80 +1480,47 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) { } int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { - return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); -} + // If |purpose| is zero, this function historically silently did nothing. + if (purpose == 0) { + return 1; + } -int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { - return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); -} - -// This function is used to set the X509_STORE_CTX purpose and trust values. -// This is intended to be used when another structure has its own trust and -// purpose values which (if set) will be inherited by the ctx. If they aren't -// set then we will usually have a default purpose in mind which should then -// be used to set the trust value. An example of this is SSL use: an SSL -// structure will have its own purpose and trust settings which the -// application can set: if they aren't set then we use the default of SSL -// client/server. 
- -int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, - int purpose, int trust) { - int idx; - // If purpose not set use default - if (!purpose) { - purpose = def_purpose; - } - // If we have a purpose then check it is valid - if (purpose) { - X509_PURPOSE *ptmp; - idx = X509_PURPOSE_get_by_id(purpose); - if (idx == -1) { - OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID); - return 0; - } - ptmp = X509_PURPOSE_get0(idx); - if (ptmp->trust == X509_TRUST_DEFAULT) { - idx = X509_PURPOSE_get_by_id(def_purpose); - if (idx == -1) { - OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID); - return 0; - } - ptmp = X509_PURPOSE_get0(idx); - } - // If trust not set then get from purpose default - if (!trust) { - trust = ptmp->trust; - } + int idx = X509_PURPOSE_get_by_id(purpose); + if (idx == -1) { + OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID); + return 0; } - if (trust) { - idx = X509_TRUST_get_by_id(trust); - if (idx == -1) { - OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID); - return 0; - } + + int trust = X509_PURPOSE_get_trust(X509_PURPOSE_get0(idx)); + if (!X509_STORE_CTX_set_trust(ctx, trust)) { + return 0; } - if (purpose && !ctx->param->purpose) { + if (ctx->param->purpose == 0) { ctx->param->purpose = purpose; } - if (trust && !ctx->param->trust) { - ctx->param->trust = trust; - } return 1; } -X509_STORE_CTX *X509_STORE_CTX_new(void) { - X509_STORE_CTX *ctx; - ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); - if (!ctx) { - return NULL; +int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { + // If |trust| is zero, this function historically silently did nothing. 
+ if (trust == 0) { + return 1; + } + + if (X509_TRUST_get_by_id(trust) == -1) { + OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID); + return 0; } - X509_STORE_CTX_zero(ctx); - return ctx; + + if (ctx->param->trust == 0) { + ctx->param->trust = trust; + } + return 1; } -void X509_STORE_CTX_zero(X509_STORE_CTX *ctx) { - OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX)); +X509_STORE_CTX *X509_STORE_CTX_new(void) { + return OPENSSL_zalloc(sizeof(X509_STORE_CTX)); } void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { @@ -2085,7 +1533,8 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain) { - X509_STORE_CTX_zero(ctx); + X509_STORE_CTX_cleanup(ctx); + ctx->ctx = store; ctx->cert = x509; ctx->untrusted = chain; @@ -2105,7 +1554,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, // Inherit callbacks and flags from X509_STORE. ctx->verify_cb = store->verify_cb; - ctx->cleanup = store->cleanup; if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) || !X509_VERIFY_PARAM_inherit(ctx->param, @@ -2113,40 +1561,16 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, goto err; } - if (store->check_issued) { - ctx->check_issued = store->check_issued; - } else { - ctx->check_issued = check_issued; - } - - if (store->get_issuer) { - ctx->get_issuer = store->get_issuer; - } else { - ctx->get_issuer = X509_STORE_CTX_get1_issuer; - } - if (store->verify_cb) { ctx->verify_cb = store->verify_cb; } else { ctx->verify_cb = null_callback; } - if (store->verify) { - ctx->verify = store->verify; - } else { - ctx->verify = internal_verify; - } - - if (store->check_revocation) { - ctx->check_revocation = store->check_revocation; - } else { - ctx->check_revocation = check_revocation; - } - if (store->get_crl) { ctx->get_crl = store->get_crl; } else { - ctx->get_crl = NULL; + ctx->get_crl = get_crl; } if (store->check_crl) { 
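Review bot: `X509_STORE_CTX_set_purpose` and `X509_STORE_CTX_set_trust` report success even when they apply nothing: the new guards `if (ctx->param->purpose == 0)` and `if (ctx->param->trust == 0)` keep whatever value `ctx->param` already carries (for example one inherited from the store's param during `X509_STORE_CTX_init`) and the caller's value is silently dropped. Because purpose and trust decide what a certificate may be used for, a 1 return that took no effect is easy to misread; a comment on each guard such as `// A purpose already present on |ctx->param| (e.g. inherited from the store) wins; the call still reports success.` or a sentence on the public declaration would make the contract visible. The trust value obtained from `X509_PURPOSE_get_trust` is passed to `X509_STORE_CTX_set_trust` unchecked and so relies on that function's zero-means-no-op behaviour; that is consistent but worth naming in the same comment.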
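Review bot: `X509_STORE_CTX_init` now opens with `X509_STORE_CTX_cleanup(ctx)`, and the cleanup hunk later in this file (`@@ -2201,24 +1604,10 @@`) frees `ctx->param` and `ctx->chain` before zeroing the struct, so calling `init` on a `ctx` whose memory was never zeroed (an uninitialised stack variable, or a buffer not obtained from `X509_STORE_CTX_new`) now hands garbage pointers to `X509_VERIFY_PARAM_free` and `sk_X509_pop_free`, where the old `X509_STORE_CTX_zero` tolerated that. Whether any caller in this tree does so is not visible here, but the contract has tightened and should be stated on the declaration, e.g. `// |ctx| must be zero-initialized (as returned by |X509_STORE_CTX_new|) or previously initialized; any prior state is released first.` The body of `X509_STORE_CTX_init` continues outside this hunk.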
@@ -2155,26 +1579,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->check_crl = check_crl; } - if (store->cert_crl) { - ctx->cert_crl = store->cert_crl; - } else { - ctx->cert_crl = cert_crl; - } - - if (store->lookup_certs) { - ctx->lookup_certs = store->lookup_certs; - } else { - ctx->lookup_certs = X509_STORE_get1_certs; - } - - if (store->lookup_crls) { - ctx->lookup_crls = store->lookup_crls; - } else { - ctx->lookup_crls = X509_STORE_get1_crls; - } - - ctx->check_policy = check_policy; - return 1; err: @@ -2192,8 +1596,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { - ctx->other_ctx = sk; - ctx->get_issuer = get_issuer_sk; + ctx->trusted_stack = sk; } void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { @@ -2201,24 +1604,10 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { } void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) { - // We need to be idempotent because, unfortunately, |X509_STORE_CTX_free| - // also calls this function. - if (ctx->cleanup != NULL) { - ctx->cleanup(ctx); - ctx->cleanup = NULL; - } - if (ctx->param != NULL) { - if (ctx->parent == NULL) { - X509_VERIFY_PARAM_free(ctx->param); - } - ctx->param = NULL; - } - if (ctx->chain != NULL) { - sk_X509_pop_free(ctx->chain, X509_free); - ctx->chain = NULL; - } CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data)); - OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); + X509_VERIFY_PARAM_free(ctx->param); + sk_X509_pop_free(ctx->chain, X509_free); + OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX)); } void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) { 
@@ -2230,7 +1619,7 @@ void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) { } void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags, - int64_t t) { + int64_t t) { X509_VERIFY_PARAM_set_time_posix(ctx->param, t); } @@ -2239,9 +1628,7 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, X509_STORE_CTX_set_time_posix(ctx, flags, t); } -X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) { - return ctx->cert; -} +X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx) { return ctx->cert; } void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) { @@ -2249,8 +1636,7 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, } int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) { - const X509_VERIFY_PARAM *param; - param = X509_VERIFY_PARAM_lookup(name); + const X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_lookup(name); if (!param) { return 0; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_vpm.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_vpm.c index 971369a4..5793ad91 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_vpm.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_vpm.c @@ -60,10 +60,8 @@ #include #include #include -#include #include "../internal.h" -#include "../x509v3/internal.h" #include "internal.h" @@ -74,8 +72,6 @@ static void str_free(char *s) { OPENSSL_free(s); } -#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free) - static int int_x509_param_set_hosts(X509_VERIFY_PARAM *param, int mode, const char *name, size_t namelen) { char *copy; @@ -92,7 +88,7 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *param, int mode, } if (mode == SET_HOST && param->hosts) { - string_stack_free(param->hosts); + sk_OPENSSL_STRING_pop_free(param->hosts, str_free); param->hosts = NULL; } 
@@ -119,50 +115,12 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *param, int mode, return 1; } -static void x509_verify_param_zero(X509_VERIFY_PARAM *param) { - if (!param) { - return; - } - param->name = NULL; - param->purpose = 0; - param->trust = 0; - // param->inh_flags = X509_VP_FLAG_DEFAULT; - param->inh_flags = 0; - param->flags = 0; - param->depth = -1; - if (param->policies) { - sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); - param->policies = NULL; - } - if (param->hosts) { - string_stack_free(param->hosts); - param->hosts = NULL; - } - if (param->peername) { - OPENSSL_free(param->peername); - param->peername = NULL; - } - if (param->email) { - OPENSSL_free(param->email); - param->email = NULL; - param->emaillen = 0; - } - if (param->ip) { - OPENSSL_free(param->ip); - param->ip = NULL; - param->iplen = 0; - } - param->poison = 0; -} - X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) { - X509_VERIFY_PARAM *param; - param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM)); + X509_VERIFY_PARAM *param = OPENSSL_zalloc(sizeof(X509_VERIFY_PARAM)); if (!param) { return NULL; } - OPENSSL_memset(param, 0, sizeof(X509_VERIFY_PARAM)); - x509_verify_param_zero(param); + param->depth = -1; return param; } 
@@ -170,147 +128,105 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { if (param == NULL) { return; } - x509_verify_param_zero(param); + sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); + sk_OPENSSL_STRING_pop_free(param->hosts, str_free); + OPENSSL_free(param->email); + OPENSSL_free(param->ip); OPENSSL_free(param); } -//- -// This function determines how parameters are "inherited" from one structure -// to another. There are several different ways this can happen. -// -// 1. If a child structure needs to have its values initialized from a parent -// they are simply copied across. For example SSL_CTX copied to SSL. -// 2. If the structure should take on values only if they are currently unset. -// For example the values in an SSL structure will take appropriate value -// for SSL servers or clients but only if the application has not set new -// ones. -// -// The "inh_flags" field determines how this function behaves. -// -// Normally any values which are set in the default are not copied from the -// destination and verify flags are ORed together. -// -// If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied -// to the destination. Effectively the values in "to" become default values -// which will be used only if nothing new is set in "from". -// -// If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether -// they are set or not. Flags is still Ored though. -// -// If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead -// of ORed. -// -// If X509_VP_FLAG_LOCKED is set then no values are copied. -// -// If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed -// after the next call. 
- -// Macro to test if a field should be copied from src to dest - -#define test_x509_verify_param_copy(field, def) \ - (to_overwrite || \ - ((src->field != (def)) && (to_default || (dest->field == (def))))) - -// Macro to test and copy a field if necessary - -#define x509_verify_param_copy(field, def) \ - if (test_x509_verify_param_copy(field, def)) \ - dest->field = src->field - -int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, - const X509_VERIFY_PARAM *src) { - unsigned long inh_flags; - int to_default, to_overwrite; - if (!src) { - return 1; - } - inh_flags = dest->inh_flags | src->inh_flags; - - if (inh_flags & X509_VP_FLAG_ONCE) { - dest->inh_flags = 0; +static int should_copy(int dest_is_set, int src_is_set, int prefer_src) { + if (prefer_src) { + // We prefer the source, so as long as there is a value to copy, copy it. + return src_is_set; } - if (inh_flags & X509_VP_FLAG_LOCKED) { - return 1; - } + // We prefer the destination, so only copy if the destination is unset. + return src_is_set && !dest_is_set; +} - if (inh_flags & X509_VP_FLAG_DEFAULT) { - to_default = 1; - } else { - to_default = 0; +static void copy_int_param(int *dest, const int *src, int default_val, + int prefer_src) { + if (should_copy(*dest != default_val, *src != default_val, prefer_src)) { + *dest = *src; } +} - if (inh_flags & X509_VP_FLAG_OVERWRITE) { - to_overwrite = 1; - } else { - to_overwrite = 0; +// x509_verify_param_copy copies fields from |src| to |dest|. If both |src| and +// |dest| have some field set, |prefer_src| determines whether |src| or |dest|'s +// version is used. 
+static int x509_verify_param_copy(X509_VERIFY_PARAM *dest, + const X509_VERIFY_PARAM *src, + int prefer_src) { + if (src == NULL) { + return 1; } - x509_verify_param_copy(purpose, 0); - x509_verify_param_copy(trust, 0); - x509_verify_param_copy(depth, -1); + copy_int_param(&dest->purpose, &src->purpose, /*default_val=*/0, prefer_src); + copy_int_param(&dest->trust, &src->trust, /*default_val=*/0, prefer_src); + copy_int_param(&dest->depth, &src->depth, /*default_val=*/-1, prefer_src); - // If overwrite or check time not set, copy across - - if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) { + // |check_time|, unlike all other parameters, does not honor |prefer_src|. + // This means |X509_VERIFY_PARAM_set1| will not overwrite it. This behavior + // comes from OpenSSL but may have been a bug. + if (!(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) { dest->check_time = src->check_time; - dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME; - // Don't need to copy flag: that is done below - } - - if (inh_flags & X509_VP_FLAG_RESET_FLAGS) { - dest->flags = 0; + // The source |X509_V_FLAG_USE_CHECK_TIME| flag, if set, is copied below. } dest->flags |= src->flags; - if (test_x509_verify_param_copy(policies, NULL)) { + if (should_copy(dest->policies != NULL, src->policies != NULL, prefer_src)) { if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies)) { return 0; } } - // Copy the host flags if and only if we're copying the host list - if (test_x509_verify_param_copy(hosts, NULL)) { - if (dest->hosts) { - string_stack_free(dest->hosts); - dest->hosts = NULL; - } + if (should_copy(dest->hosts != NULL, src->hosts != NULL, prefer_src)) { + sk_OPENSSL_STRING_pop_free(dest->hosts, str_free); + dest->hosts = NULL; if (src->hosts) { dest->hosts = sk_OPENSSL_STRING_deep_copy(src->hosts, OPENSSL_strdup, str_free); if (dest->hosts == NULL) { return 0; } + // Copy the host flags if and only if we're copying the host list. 
Note + // this means mechanisms like |X509_STORE_CTX_set_default| cannot be used + // to set host flags. E.g. we cannot change the defaults using + // |kDefaultParam| below. dest->hostflags = src->hostflags; } } - if (test_x509_verify_param_copy(email, NULL)) { + if (should_copy(dest->email != NULL, src->email != NULL, prefer_src)) { if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen)) { return 0; } } - if (test_x509_verify_param_copy(ip, NULL)) { + if (should_copy(dest->ip != NULL, src->ip != NULL, prefer_src)) { if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen)) { return 0; } } dest->poison = src->poison; - return 1; } +int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, + const X509_VERIFY_PARAM *src) { + // Prefer the destination. That is, this function only changes unset + // parameters in |dest|. + return x509_verify_param_copy(dest, src, /*prefer_src=*/0); +} + int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) { - unsigned long save_flags = to->inh_flags; - int ret; - to->inh_flags |= X509_VP_FLAG_DEFAULT; - ret = X509_VERIFY_PARAM_inherit(to, from); - to->inh_flags = save_flags; - return ret; + // Prefer the source. That is, values in |to| are only preserved if they were + // unset in |from|. + return x509_verify_param_copy(to, from, /*prefer_src=*/1); } static int int_x509_param_set1(char **pdest, size_t *pdestlen, const char *src, @@ -337,17 +253,6 @@ static int int_x509_param_set1(char **pdest, size_t *pdestlen, const char *src, return 1; } -int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) { - if (param->name) { - OPENSSL_free(param->name); - } - param->name = OPENSSL_strdup(name); - if (param->name) { - return 1; - } - return 0; -} - int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) { param->flags |= flags; return 1; 
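Review bot: The unconditional `dest->poison = src->poison;` at the end of `x509_verify_param_copy` ignores `prefer_src`, unlike every other field the function copies, so `X509_VERIFY_PARAM_inherit` (prefer destination) applied to a poisoned `dest` with a clean `src` clears the poison. I cannot see from here whether a caller can reach that ordering, but poison exists to force verification to fail, and un-poisoning through an inherit looks unintended; making it sticky with `if (src->poison) { dest->poison = 1; }`, or routing it through `should_copy` like the other fields, would make the precedence explicit. The header comment above `x509_verify_param_copy` should in any case name `poison` alongside `check_time` as the fields that do not follow `prefer_src`. A 0 return can also leave `dest` partially updated (policies copied, hosts/email/ip not), which callers that keep using `dest` after a failure should be told in the same comment.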
@@ -359,7 +264,7 @@ int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, return 1; } -unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) { +unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param) { return param->flags; } @@ -442,10 +347,6 @@ void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, param->hostflags = flags; } -char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param) { - return param->peername; -} - int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, size_t emaillen) { if (OPENSSL_memchr(email, '\0', emaillen) != NULL || 
@@ -484,68 +385,45 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) { return param->depth; } -const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) { - return param->name; -} - -#define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0, 0 - -// Default verify parameters: these are used for various applications and can -// be overridden by the user specified table. NB: the 'name' field *must* be -// in alphabetical order because it will be searched using OBJ_search. - -static const X509_VERIFY_PARAM default_table[] = { - {(char *)"default", // X509 default parameters - 0, // Check time - 0, // internal flags - X509_V_FLAG_TRUSTED_FIRST, // flags - 0, // purpose - 0, // trust - 100, // depth - NULL, // policies - vpm_empty_id}, - {(char *)"pkcs7", // S/MIME sign parameters - 0, // Check time - 0, // internal flags - 0, // flags - X509_PURPOSE_SMIME_SIGN, // purpose - X509_TRUST_EMAIL, // trust - -1, // depth - NULL, // policies - vpm_empty_id}, - {(char *)"smime_sign", // S/MIME sign parameters - 0, // Check time - 0, // internal flags - 0, // flags - X509_PURPOSE_SMIME_SIGN, // purpose - X509_TRUST_EMAIL, // trust - -1, // depth - NULL, // policies - vpm_empty_id}, - {(char *)"ssl_client", // SSL/TLS client parameters - 0, // Check time - 0, // internal flags - 0, // flags - X509_PURPOSE_SSL_CLIENT, // purpose - X509_TRUST_SSL_CLIENT, // trust - -1, // depth - NULL, // policies - vpm_empty_id}, - {(char *)"ssl_server", // SSL/TLS server parameters - 0, // Check time - 0, // internal flags - 0, // flags - X509_PURPOSE_SSL_SERVER, // purpose - X509_TRUST_SSL_SERVER, // trust - -1, // depth - NULL, // policies - vpm_empty_id}}; +static const X509_VERIFY_PARAM kDefaultParam = { + .flags = X509_V_FLAG_TRUSTED_FIRST, + .depth = 100, +}; + +static const X509_VERIFY_PARAM kSMIMESignParam = { + .purpose = X509_PURPOSE_SMIME_SIGN, + .trust = X509_TRUST_EMAIL, + .depth = -1, +}; + +static const X509_VERIFY_PARAM kSSLClientParam = { + .purpose = 
X509_PURPOSE_SSL_CLIENT, + .trust = X509_TRUST_SSL_CLIENT, + .depth = -1, +}; + +static const X509_VERIFY_PARAM kSSLServerParam = { + .purpose = X509_PURPOSE_SSL_SERVER, + .trust = X509_TRUST_SSL_SERVER, + .depth = -1, +}; const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) { - for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(default_table); i++) { - if (strcmp(default_table[i].name, name) == 0) { - return &default_table[i]; - } + if (strcmp(name, "default") == 0) { + return &kDefaultParam; + } + if (strcmp(name, "pkcs7") == 0) { + // PKCS#7 and S/MIME signing use the same defaults. + return &kSMIMESignParam; + } + if (strcmp(name, "smime_sign") == 0) { + return &kSMIMESignParam; + } + if (strcmp(name, "ssl_client") == 0) { + return &kSSLClientParam; + } + if (strcmp(name, "ssl_server") == 0) { + return &kSSLServerParam; } return NULL; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509name.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509name.c index a07a9167..a9ea8792 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509name.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509name.c @@ -57,6 +57,7 @@ #include #include +#include #include #include #include 
@@ -86,13 +87,34 @@ int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, } const ASN1_STRING *data = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i)); - i = (data->length > (len - 1)) ? (len - 1) : data->length; - if (buf == NULL) { - return data->length; + unsigned char *text = NULL; + int ret = -1; + int text_len = ASN1_STRING_to_UTF8(&text, data); + // Fail if we could not encode as UTF-8. + if (text_len < 0) { + goto out; + } + CBS cbs; + CBS_init(&cbs, text, text_len); + // Fail if the UTF-8 encoding constains a 0 byte because this is + // returned as a C string and callers very often do not check. + if (CBS_contains_zero_byte(&cbs)) { + goto out; + } + // We still support the "pass NULL to find out how much" API + if (buf != NULL) { + if (text_len >= len || len <= 0 || + !CBS_copy_bytes(&cbs, (uint8_t *)buf, text_len)) { + goto out; + } + // It must be a C string + buf[text_len] = '\0'; } - OPENSSL_memcpy(buf, data->data, i); - buf[i] = '\0'; - return i; + ret = text_len; + +out: + OPENSSL_free(text); + return ret; } int X509_NAME_entry_count(const X509_NAME *name) { diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509spki.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509spki.c index 189e05a3..834ed55e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509spki.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509spki.c @@ -68,7 +68,7 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey) { return (X509_PUBKEY_set(&(x->spkac->pubkey), pkey)); } -EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x) { +EVP_PKEY *NETSCAPE_SPKI_get_pubkey(const NETSCAPE_SPKI *x) { if ((x == NULL) || (x->spkac == NULL)) { return NULL; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c index c10731ec..60074176 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c 
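Review bot: `X509_NAME_get_text_by_OBJ` now returns -1 for three different conditions — the attribute being absent (the early return above this hunk, presumably), a value that cannot be converted to UTF-8, and a value containing a NUL byte — so callers that treated -1 as "not present" can no longer tell a malformed name from a missing one; that is a sound fail-closed choice but it belongs on the declaration, e.g. `// Returns the UTF-8 length on success, or -1 if the attribute is absent, cannot be encoded as UTF-8, or contains a NUL byte.` In `if (text_len >= len || len <= 0 || ...)` the `len <= 0` test is redundant once `text_len < 0` has been rejected, because any non-negative `text_len` already satisfies `text_len >= len` when `len <= 0`; `len <= 0 || text_len >= len` reads as the intended bounds check. The `buf == NULL` query path now returns the UTF-8 length rather than the raw `data->length` the old code returned, which the header should also state since sizes computed under the old contract may differ. The comment `// Fail if the UTF-8 encoding constains a 0 byte` has a typo (`contains`). The start of the function is outside the hunk.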
@@ -81,8 +81,8 @@ ASN1_SEQUENCE(X509_REVOKED) = { ASN1_SEQUENCE_OF_OPT(X509_REVOKED, extensions, X509_EXTENSION), } ASN1_SEQUENCE_END(X509_REVOKED) -static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, - X509_NAME *issuer); +static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, + const ASN1_INTEGER *serial, X509_NAME *issuer); // The X509_CRL_INFO structure needs a bit of customisation. Since we cache // the original encoding the signature wont be affected by reordering of the 
@@ -115,45 +115,15 @@ ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = { ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0), } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) -// Set CRL entry issuer according to CRL certificate issuer extension. Check -// for unhandled critical CRL entry extensions. - -static int crl_set_issuers(X509_CRL *crl) { - size_t i, k; - int j; - GENERAL_NAMES *gens, *gtmp; - STACK_OF(X509_REVOKED) *revoked; - - revoked = X509_CRL_get_REVOKED(crl); - - gens = NULL; - for (i = 0; i < sk_X509_REVOKED_num(revoked); i++) { +static int crl_parse_entry_extensions(X509_CRL *crl) { + STACK_OF(X509_REVOKED) *revoked = X509_CRL_get_REVOKED(crl); + for (size_t i = 0; i < sk_X509_REVOKED_num(revoked); i++) { X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i); - STACK_OF(X509_EXTENSION) *exts; - ASN1_ENUMERATED *reason; - X509_EXTENSION *ext; - gtmp = X509_REVOKED_get_ext_d2i(rev, NID_certificate_issuer, &j, NULL); - if (!gtmp && (j != -1)) { - crl->flags |= EXFLAG_INVALID; - return 1; - } - - if (gtmp) { - gens = gtmp; - if (!crl->issuers) { - crl->issuers = sk_GENERAL_NAMES_new_null(); - if (!crl->issuers) { - return 0; - } - } - if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) { - return 0; - } - } - rev->issuer = gens; - reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, &j, NULL); - if (!reason && (j != -1)) { + int crit; + ASN1_ENUMERATED *reason = + X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, &crit, NULL); + if (!reason && crit != -1) { crl->flags |= EXFLAG_INVALID; return 1; } 
@@ -165,17 +135,11 @@ static int crl_set_issuers(X509_CRL *crl) { rev->reason = CRL_REASON_NONE; } - // Check for critical CRL entry extensions - - exts = rev->extensions; - - for (k = 0; k < sk_X509_EXTENSION_num(exts); k++) { - ext = sk_X509_EXTENSION_value(exts, k); + // We do not support any critical CRL entry extensions. + const STACK_OF(X509_EXTENSION) *exts = rev->extensions; + for (size_t j = 0; j < sk_X509_EXTENSION_num(exts); j++) { + const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, j); if (X509_EXTENSION_get_critical(ext)) { - if (OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == - NID_certificate_issuer) { - continue; - } crl->flags |= EXFLAG_CRITICAL; break; } @@ -190,9 +154,6 @@ static int crl_set_issuers(X509_CRL *crl) { static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509_CRL *crl = (X509_CRL *)*pval; - STACK_OF(X509_EXTENSION) *exts; - X509_EXTENSION *ext; - size_t idx; int i; switch (operation) { @@ -201,10 +162,6 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, crl->akid = NULL; crl->flags = 0; crl->idp_flags = 0; - crl->idp_reasons = CRLDP_ALL_REASONS; - crl->issuers = NULL; - crl->crl_number = NULL; - crl->base_crl_number = NULL; break; case ASN1_OP_D2I_POST: { 
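Review bot: The new loop marks any critical entry extension with `EXFLAG_CRITICAL`, and because the `NID_certificate_issuer` exemption was dropped together with the issuer parsing in `crl_parse_entry_extensions` (hunk `@@ -115,45 +115,15 @@`), an indirect CRL whose entries carry a critical certificateIssuer extension is now flagged rather than interpreted. That is the fail-closed outcome, but the comment does not say so; extending it to `// We do not support any critical CRL entry extensions. This includes certificateIssuer, so indirect CRLs are flagged rather than misattributed.` records the decision where the next reader will look. `crl_parse_entry_extensions` also has no header comment; a one-liner stating that it fills `rev->reason`, sets `EXFLAG_INVALID`/`EXFLAG_CRITICAL` on unsupported input while still returning 1, and returns 0 only on the failure `crl_cb` checks for (not reached in the visible lines, so state when it occurs) would help. The enclosing function starts outside this hunk.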
@@ -247,39 +204,17 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, return 0; } - crl->crl_number = X509_CRL_get_ext_d2i(crl, NID_crl_number, &i, NULL); - if (crl->crl_number == NULL && i != -1) { - return 0; - } - - crl->base_crl_number = X509_CRL_get_ext_d2i(crl, NID_delta_crl, &i, NULL); - if (crl->base_crl_number == NULL && i != -1) { - return 0; - } - // Delta CRLs must have CRL number - if (crl->base_crl_number && !crl->crl_number) { - OPENSSL_PUT_ERROR(X509, X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER); - return 0; - } - // See if we have any unhandled critical CRL extensions and indicate // this in a flag. We only currently handle IDP so anything else // critical sets the flag. This code accesses the X509_CRL structure // directly: applications shouldn't do this. - - exts = crl->crl->extensions; - - for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { - int nid; - ext = sk_X509_EXTENSION_value(exts, idx); - nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); - if (nid == NID_freshest_crl) { - crl->flags |= EXFLAG_FRESHEST; - } + const STACK_OF(X509_EXTENSION) *exts = crl->crl->extensions; + for (size_t idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { + const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, idx); + int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); if (X509_EXTENSION_get_critical(ext)) { - // We handle IDP and deltas - if ((nid == NID_issuing_distribution_point) || - (nid == NID_authority_key_identifier) || (nid == NID_delta_crl)) { + if (nid == NID_issuing_distribution_point || + nid == NID_authority_key_identifier) { continue; } crl->flags |= EXFLAG_CRITICAL; @@ -287,7 +222,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, } } - if (!crl_set_issuers(crl)) { + if (!crl_parse_entry_extensions(crl)) { return 0; } 
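Review bot: The retained comment `// We only currently handle IDP so anything else critical sets the flag.` no longer matches the condition beneath it, which exempts both `NID_issuing_distribution_point` and `NID_authority_key_identifier`, while the removed `nid == NID_delta_crl` branch means a critical delta CRL indicator now sets `EXFLAG_CRITICAL`. Suggest `// We only handle critical IDP and AKID extensions. Anything else critical, including the delta CRL indicator, sets EXFLAG_CRITICAL.` so the fail-closed treatment of delta CRLs is recorded at the point where it is decided. The `ASN1_OP_D2I_POST` case of `crl_cb` continues outside this hunk.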
@@ -297,16 +232,15 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, case ASN1_OP_FREE_POST: AUTHORITY_KEYID_free(crl->akid); ISSUING_DIST_POINT_free(crl->idp); - ASN1_INTEGER_free(crl->crl_number); - ASN1_INTEGER_free(crl->base_crl_number); - sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free); break; } return 1; } // Convert IDP into a more convenient form - +// +// TODO(davidben): Each of these flags are already booleans, so this is not +// really more convenient. We can probably remove |idp_flags|. static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { int idp_only = 0; // Set various flags according to IDP @@ -324,6 +258,11 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { crl->idp_flags |= IDP_ONLYATTR; } + // Per RFC 5280, section 5.2.5, at most one of onlyContainsUserCerts, + // onlyContainsCACerts, and onlyContainsAttributeCerts may be true. + // + // TODO(crbug.com/boringssl/443): Move this check to the |ISSUING_DIST_POINT| + // parser. if (idp_only > 1) { crl->idp_flags |= IDP_INVALID; } @@ -334,15 +273,10 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { if (idp->onlysomereasons) { crl->idp_flags |= IDP_REASONS; - if (idp->onlysomereasons->length > 0) { - crl->idp_reasons = idp->onlysomereasons->data[0]; - } - if (idp->onlysomereasons->length > 1) { - crl->idp_reasons |= (idp->onlysomereasons->data[1] << 8); - } - crl->idp_reasons &= CRLDP_ALL_REASONS; } + // TODO(davidben): The new verifier does not support nameRelativeToCRLIssuer. + // Remove this? return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); } @@ -391,7 +325,7 @@ int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey) { } int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, - ASN1_INTEGER *serial) { + const ASN1_INTEGER *serial) { return crl_lookup(crl, ret, serial, NULL); } 
@@ -402,57 +336,32 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) { static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm, X509_REVOKED *rev) { - size_t i; - - if (!rev->issuer) { - if (!nm) { - return 1; - } - if (!X509_NAME_cmp(nm, X509_CRL_get_issuer(crl))) { - return 1; - } - return 0; - } - - if (!nm) { - nm = X509_CRL_get_issuer(crl); - } - - for (i = 0; i < sk_GENERAL_NAME_num(rev->issuer); i++) { - GENERAL_NAME *gen = sk_GENERAL_NAME_value(rev->issuer, i); - if (gen->type != GEN_DIRNAME) { - continue; - } - if (!X509_NAME_cmp(nm, gen->d.directoryName)) { - return 1; - } - } - return 0; + return nm == NULL || X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)) == 0; } -static struct CRYPTO_STATIC_MUTEX g_crl_sort_lock = CRYPTO_STATIC_MUTEX_INIT; +static CRYPTO_MUTEX g_crl_sort_lock = CRYPTO_MUTEX_INIT; -static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, - X509_NAME *issuer) { +static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, + const ASN1_INTEGER *serial, X509_NAME *issuer) { // Use an assert, rather than a runtime error, because returning nothing for a // CRL is arguably failing open, rather than closed. assert(serial->type == V_ASN1_INTEGER || serial->type == V_ASN1_NEG_INTEGER); X509_REVOKED rtmp, *rev; size_t idx; - rtmp.serialNumber = serial; + rtmp.serialNumber = (ASN1_INTEGER *)serial; // Sort revoked into serial number order if not already sorted. Do this // under a lock to avoid race condition. 
- CRYPTO_STATIC_MUTEX_lock_read(&g_crl_sort_lock); + CRYPTO_MUTEX_lock_read(&g_crl_sort_lock); const int is_sorted = sk_X509_REVOKED_is_sorted(crl->crl->revoked); - CRYPTO_STATIC_MUTEX_unlock_read(&g_crl_sort_lock); + CRYPTO_MUTEX_unlock_read(&g_crl_sort_lock); if (!is_sorted) { - CRYPTO_STATIC_MUTEX_lock_write(&g_crl_sort_lock); + CRYPTO_MUTEX_lock_write(&g_crl_sort_lock); if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) { sk_X509_REVOKED_sort(crl->crl->revoked); } - CRYPTO_STATIC_MUTEX_unlock_write(&g_crl_sort_lock); + CRYPTO_MUTEX_unlock_write(&g_crl_sort_lock); } if (!sk_X509_REVOKED_find(crl->crl->revoked, &idx, &rtmp)) { @@ -468,9 +377,6 @@ static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, if (ret) { *ret = rev; } - if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) { - return 2; - } return 1; } } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_name.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_name.c index 8e92a4fb..ca949435 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_name.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_name.c @@ -99,7 +99,7 @@ ASN1_SEQUENCE(X509_NAME_ENTRY) = { ASN1_SIMPLE(X509_NAME_ENTRY, value, ASN1_PRINTABLE), } ASN1_SEQUENCE_END(X509_NAME_ENTRY) -IMPLEMENT_ASN1_FUNCTIONS_const(X509_NAME_ENTRY) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X509_NAME_ENTRY) IMPLEMENT_ASN1_DUP_FUNCTION_const(X509_NAME_ENTRY) // For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } so @@ -122,7 +122,6 @@ ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL) static const ASN1_EXTERN_FUNCS x509_name_ff = { x509_name_ex_new, x509_name_ex_free, - 0, // Default clear behaviour is OK x509_name_ex_d2i, x509_name_ex_i2d, }; 
@@ -512,17 +511,17 @@ int X509_NAME_set(X509_NAME **xn, X509_NAME *name) { int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) { return ne->set; } -int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, - size_t *pderlen) { +int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **out_der, + size_t *out_der_len) { // Make sure encoding is valid if (i2d_X509_NAME(nm, NULL) <= 0) { return 0; } - if (pder != NULL) { - *pder = (unsigned char *)nm->bytes->data; + if (out_der != NULL) { + *out_der = (unsigned char *)nm->bytes->data; } - if (pderlen != NULL) { - *pderlen = nm->bytes->length; + if (out_der_len != NULL) { + *out_der_len = nm->bytes->length; } return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_pkey.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_pkey.c deleted file mode 100644 index d5f4b951..00000000 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_pkey.c +++ /dev/null 
@@ -1,111 +0,0 @@
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.] */
-
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-
-#include "../internal.h"
-
-
-X509_PKEY *X509_PKEY_new(void) {
-  X509_PKEY *ret = OPENSSL_malloc(sizeof(X509_PKEY));
-  if (ret == NULL) {
-    goto err;
-  }
-  OPENSSL_memset(ret, 0, sizeof(X509_PKEY));
-
-  ret->enc_algor = X509_ALGOR_new();
-  if (ret->enc_algor == NULL) {
-    goto err;
-  }
-  ret->enc_pkey = ASN1_OCTET_STRING_new();
-  if (ret->enc_pkey == NULL) {
-    goto err;
-  }
-  return ret;
-
-err:
-  if (ret != NULL) {
-    X509_PKEY_free(ret);
-  }
-  return NULL;
-}
-
-void X509_PKEY_free(X509_PKEY *x) {
-  if (x == NULL) {
-    return;
-  }
-
-  if (x->enc_algor != NULL) {
-    X509_ALGOR_free(x->enc_algor);
-  }
-  if (x->enc_pkey != NULL) {
-    ASN1_OCTET_STRING_free(x->enc_pkey);
-  }
-  if (x->dec_pkey != NULL) {
-    EVP_PKEY_free(x->dec_pkey);
-  }
-  if ((x->key_data != NULL) && (x->key_free)) {
-    OPENSSL_free(x->key_data);
-  }
-  OPENSSL_free(x);
-}
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_pubkey.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_pubkey.c
index 3b3b6a04..040ae5ea 100644
--- a/Sources/CJWTKitBoringSSL/crypto/x509/x_pubkey.c
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_pubkey.c
@@ -65,17 +65,46 @@ #include #include #include -#include #include "../internal.h" #include "internal.h" -// Minor tweak to operation: free up EVP_PKEY + +static void x509_pubkey_changed(X509_PUBKEY *pub) { + EVP_PKEY_free(pub->pkey); + pub->pkey = NULL; + + // Re-encode the |X509_PUBKEY| to DER and parse it with EVP's APIs. + uint8_t *spki = NULL; + int spki_len = i2d_X509_PUBKEY(pub, &spki); + if (spki_len < 0) { + goto err; + } + + CBS cbs; + CBS_init(&cbs, spki, (size_t)spki_len); + EVP_PKEY *pkey = EVP_parse_public_key(&cbs); + if (pkey == NULL || CBS_len(&cbs) != 0) { + EVP_PKEY_free(pkey); + goto err; + } + + pub->pkey = pkey; + +err: + OPENSSL_free(spki); + // If the operation failed, clear errors. An |X509_PUBKEY| whose key we cannot + // parse is still a valid SPKI. It just cannot be converted to an |EVP_PKEY|. + ERR_clear_error(); +} + static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { + X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; if (operation == ASN1_OP_FREE_POST) { - X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; EVP_PKEY_free(pubkey->pkey); + } else if (operation == ASN1_OP_D2I_POST) { + x509_pubkey_changed(pubkey); } return 1; } 
@@ -124,60 +153,25 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) { return 0; } -// g_pubkey_lock is used to protect the initialisation of the |pkey| member of -// |X509_PUBKEY| objects. Really |X509_PUBKEY| should have a |CRYPTO_once_t| -// inside it for this, but |CRYPTO_once_t| is private and |X509_PUBKEY| is -// not. -static struct CRYPTO_STATIC_MUTEX g_pubkey_lock = CRYPTO_STATIC_MUTEX_INIT; - -EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) { - EVP_PKEY *ret = NULL; - uint8_t *spki = NULL; - +EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key) { if (key == NULL) { - goto error; - } - - CRYPTO_STATIC_MUTEX_lock_read(&g_pubkey_lock); - if (key->pkey != NULL) { - CRYPTO_STATIC_MUTEX_unlock_read(&g_pubkey_lock); - EVP_PKEY_up_ref(key->pkey); - return key->pkey; + return NULL; } - CRYPTO_STATIC_MUTEX_unlock_read(&g_pubkey_lock); - // Re-encode the |X509_PUBKEY| to DER and parse it. - int spki_len = i2d_X509_PUBKEY(key, &spki); - if (spki_len < 0) { - goto error; - } - CBS cbs; - CBS_init(&cbs, spki, (size_t)spki_len); - ret = EVP_parse_public_key(&cbs); - if (ret == NULL || CBS_len(&cbs) != 0) { + if (key->pkey == NULL) { OPENSSL_PUT_ERROR(X509, X509_R_PUBLIC_KEY_DECODE_ERROR); - goto error; + return NULL; } - // Check to see if another thread set key->pkey first - CRYPTO_STATIC_MUTEX_lock_write(&g_pubkey_lock); - if (key->pkey) { - CRYPTO_STATIC_MUTEX_unlock_write(&g_pubkey_lock); - EVP_PKEY_free(ret); - ret = key->pkey; - } else { - key->pkey = ret; - CRYPTO_STATIC_MUTEX_unlock_write(&g_pubkey_lock); - } - - OPENSSL_free(spki); - EVP_PKEY_up_ref(ret); - return ret; + return key->pkey; +} -error: - OPENSSL_free(spki); - EVP_PKEY_free(ret); - return NULL; +EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key) { + EVP_PKEY *pkey = X509_PUBKEY_get0(key); + if (pkey != NULL) { + EVP_PKEY_up_ref(pkey); + } + return pkey; } int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, int param_type, 
@@ -190,6 +184,8 @@ int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, int param_type, // Set the number of unused bits to zero. pub->public_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); pub->public_key->flags |= ASN1_STRING_FLAG_BITS_LEFT; + + x509_pubkey_changed(pub); return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_spki.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_spki.c index 087f67de..c28d239e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_spki.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_spki.c @@ -60,6 +60,8 @@ #include #include +#include "internal.h" + ASN1_SEQUENCE(NETSCAPE_SPKAC) = { ASN1_SIMPLE(NETSCAPE_SPKAC, pubkey, X509_PUBKEY), diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c index b610b69b..43272add 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c @@ -65,7 +65,6 @@ #include #include #include -#include #include "../asn1/internal.h" #include "../bytestring/internal.h" @@ -92,11 +91,10 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_CINF) // x509_new_null returns a new |X509| object where the |cert_info|, |sig_alg|, // and |signature| fields are not yet filled in. static X509 *x509_new_null(void) { - X509 *ret = OPENSSL_malloc(sizeof(X509)); + X509 *ret = OPENSSL_zalloc(sizeof(X509)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(X509)); ret->references = 1; ret->ex_pathlen = -1; @@ -343,7 +341,6 @@ static int x509_i2d_cb(ASN1_VALUE **pval, unsigned char **out, static const ASN1_EXTERN_FUNCS x509_extern_funcs = { x509_new_cb, x509_free_cb, - /*asn1_ex_clear=*/NULL, x509_d2i_cb, x509_i2d_cb, }; diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_x509a.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_x509a.c index 1fdd51a6..cfef53e6 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_x509a.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_x509a.c 
@@ -90,7 +90,7 @@ static X509_CERT_AUX *aux_get(X509 *x) { return x->aux; } -int X509_alias_set1(X509 *x, const unsigned char *name, ossl_ssize_t len) { +int X509_alias_set1(X509 *x, const uint8_t *name, ossl_ssize_t len) { X509_CERT_AUX *aux; // TODO(davidben): Empty aliases are not meaningful in PKCS#12, and the // getters cannot quite represent them. Also erase the object if |len| is @@ -112,7 +112,7 @@ int X509_alias_set1(X509 *x, const unsigned char *name, ossl_ssize_t len) { return ASN1_STRING_set(aux->alias, name, len); } -int X509_keyid_set1(X509 *x, const unsigned char *id, ossl_ssize_t len) { +int X509_keyid_set1(X509 *x, const uint8_t *id, ossl_ssize_t len) { X509_CERT_AUX *aux; // TODO(davidben): Empty key IDs are not meaningful in PKCS#12, and the // getters cannot quite represent them. Also erase the object if |len| is @@ -134,7 +134,7 @@ int X509_keyid_set1(X509 *x, const unsigned char *id, ossl_ssize_t len) { return ASN1_STRING_set(aux->keyid, id, len); } -unsigned char *X509_alias_get0(X509 *x, int *out_len) { +const uint8_t *X509_alias_get0(const X509 *x, int *out_len) { const ASN1_UTF8STRING *alias = x->aux != NULL ? x->aux->alias : NULL; if (out_len != NULL) { *out_len = alias != NULL ? alias->length : 0; @@ -142,7 +142,7 @@ unsigned char *X509_alias_get0(X509 *x, int *out_len) { return alias != NULL ? alias->data : NULL; } -unsigned char *X509_keyid_get0(X509 *x, int *out_len) { +const uint8_t *X509_keyid_get0(const X509 *x, int *out_len) { const ASN1_OCTET_STRING *keyid = x->aux != NULL ? x->aux->keyid : NULL; if (out_len != NULL) { *out_len = keyid != NULL ? keyid->length : 0; @@ -150,7 +150,7 @@ unsigned char *X509_keyid_get0(X509 *x, int *out_len) { return keyid != NULL ? keyid->data : NULL; } -int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) { +int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj) { ASN1_OBJECT *objtmp = OBJ_dup(obj); if (objtmp == NULL) { goto err; 
@@ -172,7 +172,7 @@ int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) { return 0; } -int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj) { +int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj) { ASN1_OBJECT *objtmp = OBJ_dup(obj); if (objtmp == NULL) { goto err; diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/internal.h b/Sources/CJWTKitBoringSSL/crypto/x509v3/internal.h deleted file mode 100644 index 46f03d38..00000000 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/internal.h +++ /dev/null 
@@ -1,197 +0,0 @@
-/*
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#ifndef OPENSSL_HEADER_X509V3_INTERNAL_H
-#define OPENSSL_HEADER_X509V3_INTERNAL_H
-
-#include
-
-#include
-#include
-#include
-
-// TODO(davidben): Merge x509 and x509v3. This include is needed because some
-// internal typedefs are shared between the two, but the two modules depend on
-// each other circularly.
-#include "../x509/internal.h"
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-
-// x509v3_bytes_to_hex encodes |len| bytes from |in| to hex and returns a
-// newly-allocated NUL-terminated string containing the result, or NULL on
-// allocation error.
-//
-// This function was historically named |hex_to_string| in OpenSSL. Despite the
-// name, |hex_to_string| converted to hex.
-OPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len);
-
-// x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated
-// array containing the result, or NULL on error. On success, it sets |*len| to
-// the length of the result. Colon separators between bytes in the input are
-// allowed and ignored.
-//
-// This function was historically named |string_to_hex| in OpenSSL. Despite the
-// name, |string_to_hex| converted from hex.
-unsigned char *x509v3_hex_to_bytes(const char *str, size_t *len);
-
-// x509v3_conf_name_matches returns one if |name| is equal to |cmp| or begins
-// with |cmp| followed by '.', and zero otherwise.
-int x509v3_conf_name_matches(const char *name, const char *cmp);
-
-// x509v3_looks_like_dns_name returns one if |in| looks like a DNS name and zero
-// otherwise.
-OPENSSL_EXPORT int x509v3_looks_like_dns_name(const unsigned char *in,
-                                              size_t len);
-
-// x509v3_cache_extensions fills in a number of fields relating to X.509
-// extensions in |x|. It returns one on success and zero if some extensions were
-// invalid.
-OPENSSL_EXPORT int x509v3_cache_extensions(X509 *x);
-
-// x509v3_a2i_ipadd decodes |ipasc| as an IPv4 or IPv6 address. IPv6 addresses
-// use colon-separated syntax while IPv4 addresses use dotted decimal syntax. If
-// it decodes an IPv4 address, it writes the result to the first four bytes of
-// |ipout| and returns four. If it decodes an IPv6 address, it writes the result
-// to all 16 bytes of |ipout| and returns 16. Otherwise, it returns zero.
-int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc);
-
-// A |BIT_STRING_BITNAME| is used to contain a list of bit names.
-typedef struct {
-  int bitnum;
-  const char *lname;
-  const char *sname;
-} BIT_STRING_BITNAME;
-
-// x509V3_add_value_asn1_string appends a |CONF_VALUE| with the specified name
-// and value to |*extlist|. if |*extlist| is NULL, it sets |*extlist| to a
-// newly-allocated |STACK_OF(CONF_VALUE)| first. It returns one on success and
-// zero on error.
-int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,
-                                 STACK_OF(CONF_VALUE) **extlist);
-
-// X509V3_NAME_from_section adds attributes to |nm| by interpreting the
-// key/value pairs in |dn_sk|. It returns one on success and zero on error.
-// |chtype|, which should be one of |MBSTRING_*| constants, determines the
-// character encoding used to interpret values.
-int X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk,
-                             int chtype);
-
-// X509V3_bool_from_string decodes |str| as a boolean. On success, it returns
-// one and sets |*out_bool| to resulting value. Otherwise, it returns zero.
-int X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool);
-
-// X509V3_get_value_bool decodes |value| as a boolean. On success, it returns
-// one and sets |*out_bool| to the resulting value. Otherwise, it returns zero.
-int X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool);
-
-// X509V3_get_value_int decodes |value| as an integer. On success, it returns
-// one and sets |*aint| to the resulting value. Otherwise, it returns zero. If
-// |*aint| was non-NULL at the start of the function, it frees the previous
-// value before writing a new one.
-int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
-
-// X509V3_get_section behaves like |NCONF_get_section| but queries |ctx|'s
-// config database.
-const STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx,
-                                               const char *section);
-
-// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to
-// |*extlist|. It returns one on success and zero on error. If |*extlist| is
-// NULL, it sets |*extlist| to a newly-allocated |STACK_OF(CONF_VALUE)|
-// containing the result. Either |name| or |value| may be NULL to omit the
-// field.
-//
-// On failure, if |*extlist| was NULL, |*extlist| will remain NULL when the
-// function returns.
-int X509V3_add_value(const char *name, const char *value,
-                     STACK_OF(CONF_VALUE) **extlist);
-
-// X509V3_add_value_bool behaves like |X509V3_add_value| but stores the value
-// "TRUE" if |asn1_bool| is non-zero and "FALSE" otherwise.
-int X509V3_add_value_bool(const char *name, int asn1_bool,
-                          STACK_OF(CONF_VALUE) **extlist);
-
-// X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string
-// representation of |aint|. Note this string representation may be decimal or
-// hexadecimal, depending on the size of |aint|.
-int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
-                         STACK_OF(CONF_VALUE) **extlist);
-
-STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
-
-#define X509V3_conf_err(val)                                                 \
-  ERR_add_error_data(6, "section:", (val)->section, ",name:", (val)->name, \
-                     ",value:", (val)->value);
-
-// GENERAL_NAME_cmp returns zero if |a| and |b| are equal and a non-zero
-// value otherwise. Note this function does not provide a comparison suitable
-// for sorting.
-//
-// This function is exported for testing.
-OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a,
-                                    const GENERAL_NAME *b);
-
-
-#if defined(__cplusplus)
-}  // extern C
-#endif
-
-#endif  // OPENSSL_HEADER_X509V3_INTERNAL_H
diff --git a/Sources/CJWTKitBoringSSL/hash.txt b/Sources/CJWTKitBoringSSL/hash.txt
index 8f21a2b3..3779c26f 100644
--- a/Sources/CJWTKitBoringSSL/hash.txt
+++ b/Sources/CJWTKitBoringSSL/hash.txt
@@ -1 +1 @@
-This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision e106b536ee6233fec2e8876a16686d10607911c5
+This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision 58a318edc892a595a5b043359a5d441869158699
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL.h
index fba350fb..11a7f8b3 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL.h
@@ -1,5 +1,18 @@ -#ifndef C_JWT_KIT_BORINGSSL_H -#define C_JWT_KIT_BORINGSSL_H +//===----------------------------------------------------------------------===// +// +// This source file is part of the SwiftCrypto open source project +// +// Copyright (c) 2019 Apple Inc. and the SwiftCrypto project authors +// Licensed under Apache License v2.0 +// +// See LICENSE.txt for license information +// See CONTRIBUTORS.md for the list of SwiftCrypto project authors +// +// SPDX-License-Identifier: Apache-2.0 +// +//===----------------------------------------------------------------------===// +#ifndef C_CRYPTO_BORINGSSL_H +#define C_CRYPTO_BORINGSSL_H #include "CJWTKitBoringSSL_aes.h" #include "CJWTKitBoringSSL_arm_arch.h" @@ -18,7 +31,6 @@ #include "CJWTKitBoringSSL_cpu.h" #include "CJWTKitBoringSSL_curve25519.h" #include "CJWTKitBoringSSL_des.h" -#include "CJWTKitBoringSSL_dtls1.h" #include "CJWTKitBoringSSL_e_os2.h" #include "CJWTKitBoringSSL_ec.h" #include "CJWTKitBoringSSL_ec_key.h" @@ -47,4 +59,4 @@ #include "CJWTKitBoringSSL_trust_token.h" #include "CJWTKitBoringSSL_x509v3.h" -#endif // C_JWT_KIT_BORINGSSL_H +#endif // C_CRYPTO_BORINGSSL_H diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h index 7215f62e..d6d58d1f 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h 
@@ -53,12 +53,13 @@ #ifndef OPENSSL_HEADER_ARM_ARCH_H #define OPENSSL_HEADER_ARM_ARCH_H +#include "CJWTKitBoringSSL_target.h" + // arm_arch.h contains symbols used by ARM assembly, and the C code that calls // it. It is included as a public header to simplify the build, but is not // intended for external use. -#if defined(__ARMEL__) || defined(_M_ARM) || defined(__AARCH64EL__) || \ - defined(_M_ARM64) +#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) // ARMV7_NEON is true when a NEON unit is present in the current CPU. #define ARMV7_NEON (1 << 0) 
@@ -78,143 +79,6 @@ // ARMV8_SHA512 indicates support for hardware SHA-512 instructions. #define ARMV8_SHA512 (1 << 6) -#if defined(__ASSEMBLER__) - -// We require the ARM assembler provide |__ARM_ARCH| from Arm C Language -// Extensions (ACLE). This is supported in GCC 4.8+ and Clang 3.2+. MSVC does -// not implement ACLE, but we require Clang's assembler on Windows. -#if !defined(__ARM_ARCH) -#error "ARM assembler must define __ARM_ARCH" -#endif - -// __ARM_ARCH__ is used by OpenSSL assembly to determine the minimum target ARM -// version. -// -// TODO(davidben): Switch the assembly to use |__ARM_ARCH| directly. -#define __ARM_ARCH__ __ARM_ARCH - -// Even when building for 32-bit ARM, support for aarch64 crypto instructions -// will be included. -#define __ARM_MAX_ARCH__ 8 - -// Support macros for -// - Armv8.3-A Pointer Authentication and -// - Armv8.5-A Branch Target Identification -// features which require emitting a .note.gnu.property section with the -// appropriate architecture-dependent feature bits set. -// -// |AARCH64_SIGN_LINK_REGISTER| and |AARCH64_VALIDATE_LINK_REGISTER| expand to -// PACIxSP and AUTIxSP, respectively. |AARCH64_SIGN_LINK_REGISTER| should be -// used immediately before saving the LR register (x30) to the stack. -// |AARCH64_VALIDATE_LINK_REGISTER| should be used immediately after restoring -// it. Note |AARCH64_SIGN_LINK_REGISTER|'s modifications to LR must be undone -// with |AARCH64_VALIDATE_LINK_REGISTER| before RET. The SP register must also -// have the same value at the two points. For example: -// -// .global f -// f: -// AARCH64_SIGN_LINK_REGISTER -// stp x29, x30, [sp, #-96]! -// mov x29, sp -// ... -// ldp x29, x30, [sp], #96 -// AARCH64_VALIDATE_LINK_REGISTER -// ret -// -// |AARCH64_VALID_CALL_TARGET| expands to BTI 'c'. Either it, or -// |AARCH64_SIGN_LINK_REGISTER|, must be used at every point that may be an -// indirect call target. 
In particular, all symbols exported from a file must -// begin with one of these macros. For example, a leaf function that does not -// save LR can instead use |AARCH64_VALID_CALL_TARGET|: -// -// .globl return_zero -// return_zero: -// AARCH64_VALID_CALL_TARGET -// mov x0, #0 -// ret -// -// A non-leaf function which does not immediately save LR may need both macros -// because |AARCH64_SIGN_LINK_REGISTER| appears late. For example, the function -// may jump to an alternate implementation before setting up the stack: -// -// .globl with_early_jump -// with_early_jump: -// AARCH64_VALID_CALL_TARGET -// cmp x0, #128 -// b.lt .Lwith_early_jump_128 -// AARCH64_SIGN_LINK_REGISTER -// stp x29, x30, [sp, #-96]! -// mov x29, sp -// ... -// ldp x29, x30, [sp], #96 -// AARCH64_VALIDATE_LINK_REGISTER -// ret -// -// .Lwith_early_jump_128: -// ... -// ret -// -// These annotations are only required with indirect calls. Private symbols that -// are only the target of direct calls do not require annotations. Also note -// that |AARCH64_VALID_CALL_TARGET| is only valid for indirect calls (BLR), not -// indirect jumps (BR). Indirect jumps in assembly are currently not supported -// and would require a macro for BTI 'j'. -// -// Although not necessary, it is safe to use these macros in 32-bit ARM -// assembly. This may be used to simplify dual 32-bit and 64-bit files. 
-// -// References: -// - "ELF for the Arm® 64-bit Architecture" -// https://github.com/ARM-software/abi-aa/blob/master/aaelf64/aaelf64.rst -// - "Providing protection for complex software" -// https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software - -#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1 -#define GNU_PROPERTY_AARCH64_BTI (1 << 0) // Has Branch Target Identification -#define AARCH64_VALID_CALL_TARGET hint #34 // BTI 'c' -#else -#define GNU_PROPERTY_AARCH64_BTI 0 // No Branch Target Identification -#define AARCH64_VALID_CALL_TARGET -#endif - -#if defined(__ARM_FEATURE_PAC_DEFAULT) && \ - (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 // Signed with A-key -#define GNU_PROPERTY_AARCH64_POINTER_AUTH \ - (1 << 1) // Has Pointer Authentication -#define AARCH64_SIGN_LINK_REGISTER hint #25 // PACIASP -#define AARCH64_VALIDATE_LINK_REGISTER hint #29 // AUTIASP -#elif defined(__ARM_FEATURE_PAC_DEFAULT) && \ - (__ARM_FEATURE_PAC_DEFAULT & 2) == 2 // Signed with B-key -#define GNU_PROPERTY_AARCH64_POINTER_AUTH \ - (1 << 1) // Has Pointer Authentication -#define AARCH64_SIGN_LINK_REGISTER hint #27 // PACIBSP -#define AARCH64_VALIDATE_LINK_REGISTER hint #31 // AUTIBSP -#else -#define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 // No Pointer Authentication -#if GNU_PROPERTY_AARCH64_BTI != 0 -#define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET -#else -#define AARCH64_SIGN_LINK_REGISTER -#endif -#define AARCH64_VALIDATE_LINK_REGISTER -#endif - -#if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0 -.pushsection .note.gnu.property, "a"; -.balign 8; -.long 4; -.long 0x10; -.long 0x5; -.asciz "GNU"; -.long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */ -.long 4; -.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI); -.long 0; -.popsection; -#endif - -#endif // __ASSEMBLER__ - -#endif // __ARMEL__ || _M_ARM || __AARCH64EL__ || _M_ARM64 +#endif // ARM || AARCH64 #endif 
// OPENSSL_HEADER_ARM_ARCH_H
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asm_base.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asm_base.h
new file mode 100644
index 00000000..932b60d5
--- /dev/null
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asm_base.h
@@ -0,0 +1,206 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_ASM_BASE_H
+#define OPENSSL_HEADER_ASM_BASE_H
+
+#include "CJWTKitBoringSSL_target.h"
+
+
+// This header contains symbols and common sections used by assembly files. It
+// is included as a public header to simplify the build, but is not intended for
+// external use.
+//
+// Every assembly file must include this header. Some linker features require
+// all object files to be tagged with some section metadata. This header file,
+// when included in assembly, adds that metadata. It also makes defines like
+// |OPENSSL_X86_64| available and includes the prefixing macros.
+//
+// Including this header in an assembly file imples:
+//
+// - The file does not require an executable stack.
+//
+// - The file, on aarch64, uses the macros defined below to be compatible with
+// BTI and PAC.
+//
+// - The file, on x86_64, requires the program to be compatible with Intel IBT
+// and SHSTK
+
+#if defined(__ASSEMBLER__)
+
+#if defined(BORINGSSL_PREFIX)
+#include "CJWTKitBoringSSL_boringssl_prefix_symbols_asm.h"
+#endif
+
+#if defined(__ELF__)
+// Every ELF object file, even empty ones, should disable executable stacks. See
+// https://www.airs.com/blog/archives/518.
+.pushsection .note.GNU-stack, "", %progbits
+.popsection
+#endif
+
+#if defined(__CET__) && defined(OPENSSL_X86_64)
+// Clang and GCC define __CET__ and provide when they support Intel's
+// Indirect Branch Tracking.
+// https://lpc.events/event/7/contributions/729/attachments/496/903/CET-LPC-2020.pdf
+//
+// cet.h defines _CET_ENDBR which is used to mark function entry points for IBT.
+// and adds the assembly marker. The value of _CET_ENDBR is made dependant on if
+// '-fcf-protection' is passed to the compiler. _CET_ENDBR is only required when
+// the function is the target of an indirect jump, but BoringSSL chooses to mark
+// all assembly entry points because it is easier, and allows BoringSSL's ABI
+// tester to call the assembly entry points via an indirect jump.
+#include
+#else
+#define _CET_ENDBR
+#endif
+
+#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
+
+// We require the ARM assembler provide |__ARM_ARCH| from Arm C Language
+// Extensions (ACLE). This is supported in GCC 4.8+ and Clang 3.2+. MSVC does
+// not implement ACLE, but we require Clang's assembler on Windows.
+#if !defined(__ARM_ARCH)
+#error "ARM assembler must define __ARM_ARCH"
+#endif
+
+// Even when building for 32-bit ARM, support for aarch64 crypto instructions
+// will be included.
+//
+// TODO(davidben): Remove this and the corresponding ifdefs? This is only
+// defined because some OpenSSL assembly files would allow disabling the NEON
+// code entirely. I think we'd prefer to do that by lifting the dispatch to C
+// anyway.
+#define __ARM_MAX_ARCH__ 8
+
+// Support macros for
+// - Armv8.3-A Pointer Authentication and
+// - Armv8.5-A Branch Target Identification
+// features which require emitting a .note.gnu.property section with the
+// appropriate architecture-dependent feature bits set.
+//
+// |AARCH64_SIGN_LINK_REGISTER| and |AARCH64_VALIDATE_LINK_REGISTER| expand to
+// PACIxSP and AUTIxSP, respectively. |AARCH64_SIGN_LINK_REGISTER| should be
+// used immediately before saving the LR register (x30) to the stack.
+// |AARCH64_VALIDATE_LINK_REGISTER| should be used immediately after restoring
+// it. Note |AARCH64_SIGN_LINK_REGISTER|'s modifications to LR must be undone
+// with |AARCH64_VALIDATE_LINK_REGISTER| before RET. The SP register must also
+// have the same value at the two points. For example:
+//
+// .global f
+// f:
+// AARCH64_SIGN_LINK_REGISTER
+// stp x29, x30, [sp, #-96]!
+// mov x29, sp
+// ...
+// ldp x29, x30, [sp], #96
+// AARCH64_VALIDATE_LINK_REGISTER
+// ret
+//
+// |AARCH64_VALID_CALL_TARGET| expands to BTI 'c'. Either it, or
+// |AARCH64_SIGN_LINK_REGISTER|, must be used at every point that may be an
+// indirect call target. In particular, all symbols exported from a file must
+// begin with one of these macros. For example, a leaf function that does not
+// save LR can instead use |AARCH64_VALID_CALL_TARGET|:
+//
+// .globl return_zero
+// return_zero:
+// AARCH64_VALID_CALL_TARGET
+// mov x0, #0
+// ret
+//
+// A non-leaf function which does not immediately save LR may need both macros
+// because |AARCH64_SIGN_LINK_REGISTER| appears late. For example, the function
+// may jump to an alternate implementation before setting up the stack:
+//
+// .globl with_early_jump
+// with_early_jump:
+// AARCH64_VALID_CALL_TARGET
+// cmp x0, #128
+// b.lt .Lwith_early_jump_128
+// AARCH64_SIGN_LINK_REGISTER
+// stp x29, x30, [sp, #-96]!
+// mov x29, sp
+// ...
+// ldp x29, x30, [sp], #96
+// AARCH64_VALIDATE_LINK_REGISTER
+// ret
+//
+// .Lwith_early_jump_128:
+// ...
+// ret
+//
+// These annotations are only required with indirect calls. Private symbols that
+// are only the target of direct calls do not require annotations. Also note
+// that |AARCH64_VALID_CALL_TARGET| is only valid for indirect calls (BLR), not
+// indirect jumps (BR). Indirect jumps in assembly are currently not supported
+// and would require a macro for BTI 'j'.
+//
+// Although not necessary, it is safe to use these macros in 32-bit ARM
+// assembly. This may be used to simplify dual 32-bit and 64-bit files.
+//
+// References:
+// - "ELF for the Arm® 64-bit Architecture"
+// https://github.com/ARM-software/abi-aa/blob/master/aaelf64/aaelf64.rst
+// - "Providing protection for complex software"
+// https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software
+
+#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
+#define GNU_PROPERTY_AARCH64_BTI (1 << 0) // Has Branch Target Identification
+#define AARCH64_VALID_CALL_TARGET hint #34 // BTI 'c'
+#else
+#define GNU_PROPERTY_AARCH64_BTI 0 // No Branch Target Identification
+#define AARCH64_VALID_CALL_TARGET
+#endif
+
+#if defined(__ARM_FEATURE_PAC_DEFAULT) && \
+ (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 // Signed with A-key
+#define GNU_PROPERTY_AARCH64_POINTER_AUTH \
+ (1 << 1) // Has Pointer Authentication
+#define AARCH64_SIGN_LINK_REGISTER hint #25 // PACIASP
+#define AARCH64_VALIDATE_LINK_REGISTER hint #29 // AUTIASP
+#elif defined(__ARM_FEATURE_PAC_DEFAULT) && \
+ (__ARM_FEATURE_PAC_DEFAULT & 2) == 2 // Signed with B-key
+#define GNU_PROPERTY_AARCH64_POINTER_AUTH \
+ (1 << 1) // Has Pointer Authentication
+#define AARCH64_SIGN_LINK_REGISTER hint #27 // PACIBSP
+#define AARCH64_VALIDATE_LINK_REGISTER hint #31 // AUTIBSP
+#else
+#define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 // No Pointer Authentication
+#if GNU_PROPERTY_AARCH64_BTI != 0
+#define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET
+#else
+#define AARCH64_SIGN_LINK_REGISTER
+#endif
+#define AARCH64_VALIDATE_LINK_REGISTER
+#endif
+
+#if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0
+.pushsection .note.gnu.property, "a";
+.balign 8;
+.long 4;
+.long 0x10;
+.long 0x5;
+.asciz "GNU";
+.long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
+.long 4;
+.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI);
+.long 0;
+.popsection;
+#endif
+#endif // ARM || AARCH64
+
+#endif // __ASSEMBLER__
+
+#endif // OPENSSL_HEADER_ASM_BASE_H
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1.h
index 1e0bb885..07336734 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1.h
@@ -1355,6 +1355,11 @@ OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(
 // GeneralizedTime. If |str| is neither, it returns zero.
 OPENSSL_EXPORT int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
+// ASN1_TIME_set_string_X509 behaves like |ASN1_TIME_set_string| except it
+// additionally converts GeneralizedTime to UTCTime if it is in the range where
+// UTCTime is used. See RFC 5280, section 4.1.2.5.
+OPENSSL_EXPORT int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str);
+
 // ASN1_TIME_to_time_t converts |t| to a time_t value in |out|. On
 // success, one is returned. On failure zero is returned. This function
 // will fail if the time can not be represented in a time_t.
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base.h
index 881d168e..2405557a 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base.h
@@ -66,6 +66,7 @@
 #include
 #include
+#include
 #include
 #if defined(__MINGW32__)
@@ -82,6 +83,7 @@
 // opensslconf.h.
 #include "CJWTKitBoringSSL_is_boringssl.h"
 #include "CJWTKitBoringSSL_opensslconf.h"
+#include "CJWTKitBoringSSL_target.h" // IWYU pragma: export
 #if defined(BORINGSSL_PREFIX)
 #include "CJWTKitBoringSSL_boringssl_prefix_symbols.h"
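Review bot: The `.note.gnu.property` block guarded by `#if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0` near the end of this hunk is emitted only when the assembler itself was invoked with BTI/PAC enabled, because both feature values collapse to 0 unless `__ARM_FEATURE_BTI_DEFAULT` / `__ARM_FEATURE_PAC_DEFAULT` are predefined. For this package that means BTI/PAC compatibility of the vendored aarch64 assembly is decided by the flags the vend script or Package.swift passes for the `.S` files, not by this header, and as far as I know a missing note on any one object makes the linker drop the feature for the whole output. A comment above that guard, such as `// Emitted only when the toolchain enables branch protection (e.g. -mbranch-protection); absent otherwise.`, would make that dependency visible to whoever maintains the build settings. The typos `imples` and `dependant` in the new header comments are upstream text and belong in an upstream report rather than a local patch.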
@@ -92,48 +94,7 @@ extern "C" {
 #endif
-#if defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64)
-#define OPENSSL_64_BIT
-#define OPENSSL_X86_64
-#elif defined(__x86) || defined(__i386) || defined(__i386__) || defined(_M_IX86)
-#define OPENSSL_32_BIT
-#define OPENSSL_X86
-#elif defined(__AARCH64EL__) || defined(_M_ARM64)
-#define OPENSSL_64_BIT
-#define OPENSSL_AARCH64
-#elif defined(__ARMEL__) || defined(_M_ARM)
-#define OPENSSL_32_BIT
-#define OPENSSL_ARM
-#elif defined(__MIPSEL__) && !defined(__LP64__)
-#define OPENSSL_32_BIT
-#define OPENSSL_MIPS
-#elif defined(__MIPSEL__) && defined(__LP64__)
-#define OPENSSL_64_BIT
-#define OPENSSL_MIPS64
-#elif defined(__riscv) && __SIZEOF_POINTER__ == 8
-#define OPENSSL_64_BIT
-#define OPENSSL_RISCV64
-#elif defined(__riscv) && __SIZEOF_POINTER__ == 4
-#define OPENSSL_32_BIT
-#elif defined(__pnacl__)
-#define OPENSSL_32_BIT
-#define OPENSSL_PNACL
-#elif defined(__wasm__)
-#define OPENSSL_32_BIT
-#elif defined(__asmjs__)
-#define OPENSSL_32_BIT
-#elif defined(__myriad2__)
-#define OPENSSL_32_BIT
-#else
-// Note BoringSSL only supports standard 32-bit and 64-bit two's-complement,
-// little-endian architectures. Functions will not produce the correct answer
-// on other systems. Run the crypto_test binary, notably
-// crypto/compiler_test.cc, before adding a new architecture.
-#error "Unknown target CPU"
-#endif
-
 #if defined(__APPLE__)
-#define OPENSSL_APPLE
 // Note |TARGET_OS_MAC| is set for all Apple OS variants. |TARGET_OS_OSX|
 // targets macOS specifically.
 #if defined(TARGET_OS_OSX) && TARGET_OS_OSX
@@ -144,55 +105,6 @@ extern "C" {
 #endif
 #endif
-#if defined(_WIN32)
-#define OPENSSL_WINDOWS
-#endif
-
-// Trusty isn't Linux but currently defines __linux__. As a workaround, we
-// exclude it here.
-// TODO(b/169780122): Remove this workaround once Trusty no longer defines it.
-#if defined(__linux__) && !defined(__TRUSTY__)
-#define OPENSSL_LINUX
-#endif
-
-#if defined(__Fuchsia__)
-#define OPENSSL_FUCHSIA
-#endif
-
-#if defined(__TRUSTY__)
-#define OPENSSL_TRUSTY
-#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
-#endif
-
-#if defined(__ANDROID_API__)
-#define OPENSSL_ANDROID
-#endif
-
-#if defined(__FreeBSD__)
-#define OPENSSL_FREEBSD
-#endif
-
-#if defined(__OpenBSD__)
-#define OPENSSL_OPENBSD
-#endif
-
-// BoringSSL requires platform's locking APIs to make internal global state
-// thread-safe, including the PRNG. On some single-threaded embedded platforms,
-// locking APIs may not exist, so this dependency may be disabled with the
-// following build flag.
-//
-// IMPORTANT: Doing so means the consumer promises the library will never be
-// used in any multi-threaded context. It causes BoringSSL to be globally
-// thread-unsafe. Setting it inappropriately will subtly and unpredictably
-// corrupt memory and leak secret keys.
-//
-// Do not set this flag on any platform where threads are possible. BoringSSL
-// maintainers will not provide support for any consumers that do so. Changes
-// which break such unsupported configurations will not be reverted.
-#if !defined(OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED)
-#define OPENSSL_THREADS
-#endif
-
 #define OPENSSL_IS_BORINGSSL
 #define OPENSSL_VERSION_NUMBER 0x1010107f
 #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
@@ -205,7 +117,7 @@ extern "C" {
 // A consumer may use this symbol in the preprocessor to temporarily build
 // against multiple revisions of BoringSSL at the same time. It is not
 // recommended to do so for longer than is necessary.
-#define BORINGSSL_API_VERSION 22
+#define BORINGSSL_API_VERSION 29
 #if defined(BORINGSSL_SHARED_LIBRARY)
@@ -319,31 +231,6 @@ extern "C" {
 #define OPENSSL_INLINE static inline OPENSSL_UNUSED
 #endif
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) && \
- !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
-#define BORINGSSL_UNSAFE_DETERMINISTIC_MODE
-#endif
-
-#if defined(__has_feature)
-#if __has_feature(address_sanitizer)
-#define OPENSSL_ASAN
-#endif
-#if __has_feature(thread_sanitizer)
-#define OPENSSL_TSAN
-#endif
-#if __has_feature(memory_sanitizer)
-#define OPENSSL_MSAN
-#define OPENSSL_ASM_INCOMPATIBLE
-#endif
-#endif
-
-#if defined(OPENSSL_ASM_INCOMPATIBLE)
-#undef OPENSSL_ASM_INCOMPATIBLE
-#if !defined(OPENSSL_NO_ASM)
-#define OPENSSL_NO_ASM
-#endif
-#endif // OPENSSL_ASM_INCOMPATIBLE
-
 #if defined(__cplusplus)
 // enums can be predeclared, but only in C++ and only if given an explicit type.
 // C doesn't support setting an explicit type for enums thus a #define is used
@@ -407,6 +294,7 @@ typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID;
 typedef struct BASIC_CONSTRAINTS_st BASIC_CONSTRAINTS;
 typedef struct DIST_POINT_st DIST_POINT;
 typedef struct DSA_SIG_st DSA_SIG;
+typedef struct GENERAL_NAME_st GENERAL_NAME;
 typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT;
 typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS;
 typedef struct Netscape_spkac_st NETSCAPE_SPKAC;
@@ -493,6 +381,7 @@ typedef struct trust_token_client_st TRUST_TOKEN_CLIENT;
 typedef struct trust_token_issuer_st TRUST_TOKEN_ISSUER;
 typedef struct trust_token_method_st TRUST_TOKEN_METHOD;
 typedef struct v3_ext_ctx X509V3_CTX;
+typedef struct v3_ext_method X509V3_EXT_METHOD;
 typedef struct x509_attributes_st X509_ATTRIBUTE;
 typedef struct x509_lookup_st X509_LOOKUP;
 typedef struct x509_lookup_method_st X509_LOOKUP_METHOD;
@@ -505,6 +394,13 @@ typedef struct x509_trust_st X509_TRUST;
 typedef void *OPENSSL_BLOCK;
+// BSSL_CHECK aborts if |condition| is not true.
+#define BSSL_CHECK(condition) \
+ do { \
+ if (!(condition)) { \
+ abort(); \
+ } \
+ } while (0);
 #if defined(__cplusplus)
 } // extern C
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bio.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bio.h
index b5e84bc9..429650a8 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bio.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bio.h
@@ -269,11 +269,11 @@ OPENSSL_EXPORT int BIO_set_close(BIO *bio, int close_flag);
 // BIO_number_read returns the number of bytes that have been read from
 // |bio|.
-OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio);
+OPENSSL_EXPORT uint64_t BIO_number_read(const BIO *bio);
 // BIO_number_written returns the number of bytes that have been written to
 // |bio|.
-OPENSSL_EXPORT size_t BIO_number_written(const BIO *bio);
+OPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio);
 // Managing chains of BIOs.
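Review bot: `BSSL_CHECK` in the `@@ -505` hunk closes its `do { ... } while (0)` with a trailing semicolon, which defeats the point of the idiom: `BSSL_CHECK(x);` then expands to two statements, so `if (a) BSSL_CHECK(b); else ...` does not compile and a forgotten semicolon at a call site goes unnoticed. The last macro line should read `} while (0)` with no semicolon. The macro also calls `abort()`, which needs `<stdlib.h>`; the `#include` added in this file's `@@ -66` hunk is presumably that header, but its name did not survive this rendering and cannot be confirmed here. Since the file is a vendored copy, the fix belongs upstream rather than in the vend script.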
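Review bot: `BIO_number_read` and `BIO_number_written` change their return type from `size_t` to `uint64_t` in the `@@ -269` hunk, and the backing `num_read`/`num_write` fields of `struct bio_st` change the same way later in this file (`@@ -860`), so this is an API and ABI change for anything compiled against the previous headers, most visibly on 32-bit targets where the two widths differ. Swift imports `size_t` as `Int` and `uint64_t` as `UInt64`, so any Swift code in this package that calls these two functions would need updating; I cannot see such call sites from here. A sentence in the commit description naming the changed signatures would help downstream consumers of the package spot it.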
@@ -431,12 +431,14 @@ OPENSSL_EXPORT int BIO_set_mem_eof_return(BIO *bio, int eof_value);
 // |BIO_reset| attempts to seek the file pointer to the start of file using
 // |lseek|.
+#if !defined(OPENSSL_NO_POSIX_IO)
 // BIO_s_fd returns a |BIO_METHOD| for file descriptor fds.
 OPENSSL_EXPORT const BIO_METHOD *BIO_s_fd(void);
 // BIO_new_fd creates a new file descriptor BIO wrapping |fd|. If |close_flag|
 // is non-zero, then |fd| will be closed when the BIO is.
 OPENSSL_EXPORT BIO *BIO_new_fd(int fd, int close_flag);
+#end
 // BIO_set_fd sets the file descriptor of |bio| to |fd|. If |close_flag| is
 // non-zero then |fd| will be closed when |bio| is. It returns one on success
@@ -540,12 +542,14 @@ OPENSSL_EXPORT long BIO_seek(BIO *bio, long offset);
 // TODO(davidben): Add separate APIs and fix the internals to use |SOCKET|s
 // around rather than rely on int casts.
+#if !defined(OPENSSL_NO_SOCK)
 OPENSSL_EXPORT const BIO_METHOD *BIO_s_socket(void);
 // BIO_new_socket allocates and initialises a fresh BIO which will read and
 // write to the socket |fd|. If |close_flag| is |BIO_CLOSE| then closing the
 // BIO will close |fd|. It returns the fresh |BIO| or NULL on error.
 OPENSSL_EXPORT BIO *BIO_new_socket(int fd, int close_flag);
+#endif // !OPENSSL_NO_SOCK
 // Connect BIOs.
@@ -553,6 +557,7 @@ OPENSSL_EXPORT BIO *BIO_new_socket(int fd, int close_flag);
 // A connection BIO creates a network connection and transfers data over the
 // resulting socket.
+#if !defined(OPENSSL_NO_SOCK)
 OPENSSL_EXPORT const BIO_METHOD *BIO_s_connect(void);
 // BIO_new_connect returns a BIO that connects to the given hostname and port.
@@ -580,12 +585,17 @@ OPENSSL_EXPORT int BIO_set_conn_port(BIO *bio, const char *port_str);
 OPENSSL_EXPORT int BIO_set_conn_int_port(BIO *bio, const int *port);
 // BIO_set_nbio sets whether |bio| will use non-blocking I/O operations. It
-// returns one on success and zero otherwise.
+// returns one on success and zero otherwise. This only works for connect BIOs
+// and must be called before |bio| is connected to take effect.
+//
+// For socket and fd BIOs, callers must configure blocking vs. non-blocking I/O
+// using the underlying platform APIs.
 OPENSSL_EXPORT int BIO_set_nbio(BIO *bio, int on);
 // BIO_do_connect connects |bio| if it has not been connected yet. It returns
 // one on success and <= 0 otherwise.
 OPENSSL_EXPORT int BIO_do_connect(BIO *bio);
+#endif // !OPENSSL_NO_SOCK
 // Datagram BIOs.
@@ -693,9 +703,17 @@ OPENSSL_EXPORT int BIO_meth_set_ctrl(BIO_METHOD *method,
 // BIO_set_data sets custom data on |bio|. It may be retried with
 // |BIO_get_data|.
+//
+// This function should only be called by the implementation of a custom |BIO|.
+// In particular, the data pointer of a built-in |BIO| is private to the
+// library. For other uses, see |BIO_set_ex_data| and |BIO_set_app_data|.
 OPENSSL_EXPORT void BIO_set_data(BIO *bio, void *ptr);
 // BIO_get_data returns custom data on |bio| set by |BIO_get_data|.
+//
+// This function should only be called by the implementation of a custom |BIO|.
+// In particular, the data pointer of a built-in |BIO| is private to the
+// library. For other uses, see |BIO_get_ex_data| and |BIO_get_app_data|.
 OPENSSL_EXPORT void *BIO_get_data(BIO *bio);
 // BIO_set_init sets whether |bio| has been fully initialized. Until fully
@@ -751,6 +769,21 @@ OPENSSL_EXPORT int BIO_get_init(BIO *bio);
 #define BIO_CTRL_SET_FILENAME 30
+// ex_data functions.
+//
+// See |ex_data.h| for details.
+
+OPENSSL_EXPORT int BIO_get_ex_new_index(long argl, void *argp,
+ CRYPTO_EX_unused *unused,
+ CRYPTO_EX_dup *dup_unused,
+ CRYPTO_EX_free *free_func);
+OPENSSL_EXPORT int BIO_set_ex_data(BIO *bio, int idx, void *arg);
+OPENSSL_EXPORT void *BIO_get_ex_data(const BIO *bio, int idx);
+
+#define BIO_set_app_data(bio, arg) (BIO_set_ex_data(bio, 0, (char *)(arg)))
+#define BIO_get_app_data(bio) (BIO_get_ex_data(bio, 0))
+
+
 // Deprecated functions.
 // BIO_f_base64 returns a filter |BIO| that base64-encodes data written into
@@ -842,6 +875,7 @@ struct bio_method_st {
 struct bio_st {
 const BIO_METHOD *method;
+ CRYPTO_EX_DATA ex_data;
 // init is non-zero if this |BIO| has been initialised.
 int init;
@@ -860,7 +894,7 @@ struct bio_st {
 // next_bio points to the next |BIO| in a chain. This |BIO| owns a reference
 // to |next_bio|.
 BIO *next_bio; // used by filter BIOs
- size_t num_read, num_write;
+ uint64_t num_read, num_write;
 };
 #define BIO_C_SET_CONNECT 100
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h
index 90e8657f..6c21a14b 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h
@@ -255,11 +255,11 @@ OPENSSL_EXPORT BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret);
 // |in| is secret, use |BN_bn2bin_padded| instead.
 OPENSSL_EXPORT size_t BN_bn2bin(const BIGNUM *in, uint8_t *out);
-// BN_le2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as
+// BN_lebin2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as
 // a little-endian number, and returns |ret|. If |ret| is NULL then a fresh
 // |BIGNUM| is allocated and returned. It returns NULL on allocation
 // failure.
-OPENSSL_EXPORT BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret);
+OPENSSL_EXPORT BIGNUM *BN_lebin2bn(const uint8_t *in, size_t len, BIGNUM *ret);
 // BN_bn2le_padded serialises the absolute value of |in| to |out| as a
 // little-endian integer, which must have |len| of space available, padding
@@ -667,11 +667,11 @@ OPENSSL_EXPORT int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
 // The callback receives the address of that |BN_GENCB| structure as its last
 // argument and the user is free to put an arbitrary pointer in |arg|. The other
 // arguments are set as follows:
-// event=BN_GENCB_GENERATED, n=i: after generating the i'th possible prime
+// - event=BN_GENCB_GENERATED, n=i: after generating the i'th possible prime
 // number.
-// event=BN_GENCB_PRIME_TEST, n=-1: when finished trial division primality
+// - event=BN_GENCB_PRIME_TEST, n=-1: when finished trial division primality
 // checks.
-// event=BN_GENCB_PRIME_TEST, n=i: when the i'th primality test has finished.
+// - event=BN_GENCB_PRIME_TEST, n=i: when the i'th primality test has finished.
 //
 // The callback can return zero to abort the generation progress or one to
 // allow it to continue.
@@ -973,6 +973,12 @@ OPENSSL_EXPORT int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod,
 // Use |BN_bn2bin_padded| instead. It is |size_t|-clean.
 OPENSSL_EXPORT int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len);
+// BN_bn2lebinpad behaves like |BN_bn2le_padded|, but it returns |len| on
+// success and -1 on error.
+//
+// Use |BN_bn2le_padded| instead. It is |size_t|-clean.
+OPENSSL_EXPORT int BN_bn2lebinpad(const BIGNUM *in, uint8_t *out, int len);
+
 // BN_prime_checks is a deprecated alias for |BN_prime_checks_for_validation|.
 // Use |BN_prime_checks_for_generation| or |BN_prime_checks_for_validation|
 // instead. (This defaults to the |_for_validation| value in order to be
@@ -982,6 +988,9 @@ OPENSSL_EXPORT int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len);
 // BN_secure_new calls |BN_new|.
 OPENSSL_EXPORT BIGNUM *BN_secure_new(void);
+// BN_le2bn calls |BN_lebin2bn|.
+OPENSSL_EXPORT BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret);
+
 // Private functions
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols.h
index edeaa171..891f020f 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols.h
@@ -142,6 +142,7 @@
 #define ASN1_TIME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_set)
 #define ASN1_TIME_set_posix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_set_posix)
 #define ASN1_TIME_set_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_set_string)
+#define ASN1_TIME_set_string_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_set_string_X509)
 #define ASN1_TIME_to_generalizedtime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_to_generalizedtime)
 #define ASN1_TIME_to_posix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_to_posix)
 #define ASN1_TIME_to_time_t BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_to_time_t)
@@ -225,6 +226,8 @@
 #define BIO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_free)
 #define BIO_free_all BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_free_all)
 #define BIO_get_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_data)
+#define BIO_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_ex_data)
+#define BIO_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_ex_new_index)
 #define BIO_get_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_fd)
 #define BIO_get_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_fp)
 #define BIO_get_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_init)
@@ -282,6 +285,7 @@
 #define BIO_set_conn_int_port BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_conn_int_port)
 #define BIO_set_conn_port BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_conn_port)
 #define BIO_set_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_data)
+#define BIO_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_ex_data)
 #define BIO_set_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_fd)
 #define BIO_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_flags)
 #define BIO_set_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_fp)
@@ -348,6 +352,7 @@
 #define BN_bn2dec BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2dec)
 #define BN_bn2hex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2hex)
 #define BN_bn2le_padded BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2le_padded)
+#define BN_bn2lebinpad BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2lebinpad)
 #define BN_bn2mpi BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2mpi)
 #define BN_clear BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_clear)
 #define BN_clear_bit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_clear_bit)
@@ -387,6 +392,7 @@
 #define BN_is_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_word)
 #define BN_is_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_zero)
 #define BN_le2bn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_le2bn)
+#define BN_lebin2bn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_lebin2bn)
 #define BN_lshift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_lshift)
 #define BN_lshift1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_lshift1)
 #define BN_marshal_asn1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_marshal_asn1)
@@ -452,6 +458,7 @@
 #define BN_value_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_value_one)
 #define BN_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_zero)
 #define BORINGSSL_keccak BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_keccak)
+#define BORINGSSL_keccak_absorb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_keccak_absorb)
 #define BORINGSSL_keccak_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_keccak_init)
 #define BORINGSSL_keccak_squeeze BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_keccak_squeeze)
 #define BORINGSSL_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_self_test)
@@ -476,6 +483,7 @@
 #define CBB_add_asn1_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1_uint64)
 #define CBB_add_asn1_uint64_with_tag BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1_uint64_with_tag)
 #define CBB_add_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_bytes)
+#define CBB_add_latin1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_latin1)
 #define CBB_add_space BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_space)
 #define CBB_add_u16 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u16)
 #define CBB_add_u16_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u16_length_prefixed)
@@ -488,6 +496,9 @@
 #define CBB_add_u64le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u64le)
 #define CBB_add_u8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u8)
 #define CBB_add_u8_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u8_length_prefixed)
+#define CBB_add_ucs2_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_ucs2_be)
+#define CBB_add_utf32_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_utf32_be)
+#define CBB_add_utf8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_utf8)
 #define CBB_add_zeros BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_zeros)
 #define CBB_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_cleanup)
 #define CBB_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_data)
@@ -497,6 +508,7 @@
 #define CBB_finish_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_finish_i2d)
 #define CBB_flush BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_flush)
 #define CBB_flush_asn1_set_of BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_flush_asn1_set_of)
+#define CBB_get_utf8_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_get_utf8_len)
 #define CBB_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_init)
 #define CBB_init_fixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_init_fixed)
 #define CBB_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_len)
@@ -519,6 +531,7 @@
 #define CBS_get_asn1_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_asn1_uint64)
 #define CBS_get_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_bytes)
 #define CBS_get_last_u8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_last_u8)
+#define CBS_get_latin1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_latin1)
 #define CBS_get_optional_asn1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_optional_asn1)
 #define CBS_get_optional_asn1_bool BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_optional_asn1_bool)
 #define CBS_get_optional_asn1_octet_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_optional_asn1_octet_string)
@@ -535,7 +548,10 @@
 #define CBS_get_u64le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u64le)
 #define CBS_get_u8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u8)
 #define CBS_get_u8_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u8_length_prefixed)
+#define CBS_get_ucs2_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_ucs2_be)
 #define CBS_get_until_first BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_until_first)
+#define CBS_get_utf32_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_utf32_be)
+#define CBS_get_utf8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_utf8)
 #define CBS_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_init)
 #define CBS_is_unsigned_asn1_integer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_is_unsigned_asn1_integer)
 #define CBS_is_valid_asn1_bitstring BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_is_valid_asn1_bitstring)
@@ -586,10 +602,6 @@
 #define CRYPTO_POLYVAL_finish BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_POLYVAL_finish)
 #define CRYPTO_POLYVAL_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_POLYVAL_init)
 #define CRYPTO_POLYVAL_update_blocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_POLYVAL_update_blocks)
-#define CRYPTO_STATIC_MUTEX_lock_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_STATIC_MUTEX_lock_read)
-#define CRYPTO_STATIC_MUTEX_lock_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_STATIC_MUTEX_lock_write)
-#define CRYPTO_STATIC_MUTEX_unlock_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_STATIC_MUTEX_unlock_read)
-#define CRYPTO_STATIC_MUTEX_unlock_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_STATIC_MUTEX_unlock_write)
 #define CRYPTO_THREADID_current BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_THREADID_current)
 #define CRYPTO_THREADID_set_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_THREADID_set_callback)
 #define CRYPTO_THREADID_set_numeric BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_THREADID_set_numeric)
@@ -603,6 +615,7 @@
 #define CRYPTO_cleanup_all_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cleanup_all_ex_data)
 #define CRYPTO_ctr128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt)
 #define CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt_ctr32)
+#define CRYPTO_fips_186_2_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_fips_186_2_prf)
 #define CRYPTO_fork_detect_force_madv_wipeonfork_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_fork_detect_force_madv_wipeonfork_for_testing)
 #define CRYPTO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_free)
 #define CRYPTO_free_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_free_ex_data)
@@ -628,9 +641,6 @@ #define CRYPTO_has_asm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_has_asm) #define CRYPTO_hchacha20 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_hchacha20) #define CRYPTO_init_sysrand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_init_sysrand) -#define CRYPTO_is_ARMv8_AES_capable_at_runtime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_AES_capable_at_runtime) -#define CRYPTO_is_ARMv8_PMULL_capable_at_runtime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_PMULL_capable_at_runtime) -#define CRYPTO_is_NEON_capable_at_runtime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_NEON_capable_at_runtime) #define CRYPTO_is_confidential_build BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_confidential_build) #define CRYPTO_library_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_library_init) #define CRYPTO_malloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_malloc) 
@@ -671,15 +681,24 @@ #define CTR_DRBG_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_init) #define CTR_DRBG_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_new) #define CTR_DRBG_reseed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_reseed) -#define ChaCha20_ctr32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32) +#define ChaCha20_ctr32_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_avx2) +#define ChaCha20_ctr32_neon BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_neon) +#define ChaCha20_ctr32_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_nohw) +#define ChaCha20_ctr32_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3) +#define ChaCha20_ctr32_ssse3_4x BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_4x) #define DES_decrypt3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_decrypt3) #define DES_ecb3_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb3_encrypt) +#define DES_ecb3_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb3_encrypt_ex) #define DES_ecb_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb_encrypt) +#define DES_ecb_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb_encrypt_ex) #define DES_ede2_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ede2_cbc_encrypt) #define DES_ede3_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt) +#define DES_ede3_cbc_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt_ex) #define DES_encrypt3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_encrypt3) #define DES_ncbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ncbc_encrypt) +#define DES_ncbc_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ncbc_encrypt_ex) #define DES_set_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_key) +#define DES_set_key_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_key_ex) #define DES_set_key_unchecked BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_key_unchecked) #define DES_set_odd_parity 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_odd_parity) #define DH_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_bits) @@ -865,6 +884,10 @@ #define EC_curve_nid2nist BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_curve_nid2nist) #define EC_curve_nist2nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_curve_nist2nid) #define EC_get_builtin_curves BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_get_builtin_curves) +#define EC_group_p224 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_group_p224) +#define EC_group_p256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_group_p256) +#define EC_group_p384 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_group_p384) +#define EC_group_p521 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_group_p521) #define EC_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_hash_to_curve_p256_xmd_sha256_sswu) #define EC_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_hash_to_curve_p384_xmd_sha384_sswu) #define ED25519_keypair BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ED25519_keypair) @@ -1037,6 +1060,7 @@ #define EVP_HPKE_KEY_generate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_generate) #define EVP_HPKE_KEY_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_init) #define EVP_HPKE_KEY_kem BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_kem) +#define EVP_HPKE_KEY_move BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_move) #define EVP_HPKE_KEY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_new) #define EVP_HPKE_KEY_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_private_key) #define EVP_HPKE_KEY_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_public_key) 
@@ -1359,6 +1383,7 @@ #define OBJ_find_sigid_algs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_find_sigid_algs) #define OBJ_find_sigid_by_algs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_find_sigid_by_algs) #define OBJ_get0_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_get0_data) +#define OBJ_get_undef BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_get_undef) #define OBJ_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_length) #define OBJ_ln2nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_ln2nid) #define OBJ_nid2cbb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_nid2cbb) @@ -1373,7 +1398,7 @@ #define OPENSSL_add_all_algorithms_conf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_add_all_algorithms_conf) #define OPENSSL_armcap_P BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_armcap_P) #define OPENSSL_asprintf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_asprintf) -#define OPENSSL_built_in_curves BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_built_in_curves) +#define OPENSSL_calloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_calloc) #define OPENSSL_cleanse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_cleanse) #define OPENSSL_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_cleanup) #define OPENSSL_clear_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_clear_free) 
@@ -1381,7 +1406,9 @@ #define OPENSSL_cpuid_setup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_cpuid_setup) #define OPENSSL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_free) #define OPENSSL_fromxdigit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_fromxdigit) +#define OPENSSL_get_armcap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_get_armcap) #define OPENSSL_get_armcap_pointer_for_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_get_armcap_pointer_for_test) +#define OPENSSL_get_ia32cap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_get_ia32cap) #define OPENSSL_gmtime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_gmtime) #define OPENSSL_gmtime_adj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_gmtime_adj) #define OPENSSL_gmtime_diff BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_gmtime_diff) 
@@ -1410,6 +1437,27 @@ #define OPENSSL_realloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_realloc) #define OPENSSL_secure_clear_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_secure_clear_free) #define OPENSSL_secure_malloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_secure_malloc) +#define OPENSSL_sk_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_deep_copy) +#define OPENSSL_sk_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_delete) +#define OPENSSL_sk_delete_if BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_delete_if) +#define OPENSSL_sk_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_delete_ptr) +#define OPENSSL_sk_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_dup) +#define OPENSSL_sk_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_find) +#define OPENSSL_sk_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_free) +#define OPENSSL_sk_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_insert) +#define OPENSSL_sk_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_is_sorted) +#define OPENSSL_sk_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_new) +#define OPENSSL_sk_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_new_null) +#define OPENSSL_sk_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_num) +#define OPENSSL_sk_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_pop) +#define OPENSSL_sk_pop_free_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_pop_free_ex) +#define OPENSSL_sk_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_push) +#define OPENSSL_sk_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_set) +#define OPENSSL_sk_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_set_cmp_func) +#define OPENSSL_sk_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_shift) +#define OPENSSL_sk_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_sort) +#define OPENSSL_sk_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_value) 
+#define OPENSSL_sk_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_zero) #define OPENSSL_strcasecmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strcasecmp) #define OPENSSL_strdup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strdup) #define OPENSSL_strhash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strhash) @@ -1423,6 +1471,7 @@ #define OPENSSL_tolower BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_tolower) #define OPENSSL_vasprintf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_vasprintf) #define OPENSSL_vasprintf_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_vasprintf_internal) +#define OPENSSL_zalloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_zalloc) #define OTHERNAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OTHERNAME_free) #define OTHERNAME_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OTHERNAME_it) #define OTHERNAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OTHERNAME_new) @@ -1576,6 +1625,7 @@ #define RAND_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_bytes) #define RAND_bytes_with_additional_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_bytes_with_additional_data) #define RAND_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_cleanup) +#define RAND_disable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_disable_fork_unsafe_buffering) #define RAND_egd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_egd) #define RAND_enable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_enable_fork_unsafe_buffering) #define RAND_file_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_file_name) 
@@ -1748,7 +1798,6 @@ #define X509V3_EXT_nconf_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_nconf_nid) #define X509V3_EXT_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_print) #define X509V3_EXT_print_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_print_fp) -#define X509V3_EXT_val_prn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_val_prn) #define X509V3_NAME_from_section BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_NAME_from_section) #define X509V3_add1_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_add1_i2d) #define X509V3_add_standard_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_add_standard_extensions) @@ -1802,7 +1851,6 @@ #define X509_CRL_add_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_add_ext) #define X509_CRL_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_cmp) #define X509_CRL_delete_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_delete_ext) -#define X509_CRL_diff BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_diff) #define X509_CRL_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_digest) #define X509_CRL_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_dup) #define X509_CRL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_free) 
@@ -1854,15 +1902,12 @@ #define X509_EXTENSION_set_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_set_data) #define X509_EXTENSION_set_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_set_object) #define X509_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_INFO_free) -#define X509_INFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_INFO_new) -#define X509_LOOKUP_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_by_subject) +#define X509_LOOKUP_add_dir BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_add_dir) #define X509_LOOKUP_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_ctrl) #define X509_LOOKUP_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_file) #define X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_free) #define X509_LOOKUP_hash_dir BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_hash_dir) -#define X509_LOOKUP_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_init) -#define X509_LOOKUP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_new) -#define X509_LOOKUP_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_shutdown) +#define X509_LOOKUP_load_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_load_file) #define X509_NAME_ENTRIES_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRIES_it) #define X509_NAME_ENTRY_create_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_NID) #define X509_NAME_ENTRY_create_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_OBJ) 
@@ -1902,25 +1947,20 @@ #define X509_NAME_print_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_print_ex) #define X509_NAME_print_ex_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_print_ex_fp) #define X509_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_set) +#define X509_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_free) #define X509_OBJECT_free_contents BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_free_contents) #define X509_OBJECT_get0_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_get0_X509) #define X509_OBJECT_get_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_get_type) -#define X509_OBJECT_idx_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_idx_by_subject) -#define X509_OBJECT_retrieve_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_retrieve_by_subject) -#define X509_OBJECT_retrieve_match BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_retrieve_match) -#define X509_OBJECT_up_ref_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_up_ref_count) -#define X509_PKEY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PKEY_free) -#define X509_PKEY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PKEY_new) +#define X509_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_new) #define X509_PUBKEY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_free) #define X509_PUBKEY_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get) +#define X509_PUBKEY_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get0) #define X509_PUBKEY_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get0_param) #define X509_PUBKEY_get0_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get0_public_key) #define X509_PUBKEY_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_it) #define X509_PUBKEY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_new) #define X509_PUBKEY_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_set) #define 
X509_PUBKEY_set0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_set0_param) -#define X509_PURPOSE_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_add) -#define X509_PURPOSE_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_cleanup) #define X509_PURPOSE_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get0) #define X509_PURPOSE_get0_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get0_name) #define X509_PURPOSE_get0_sname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get0_sname) @@ -1945,6 +1985,7 @@ #define X509_REQ_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_dup) #define X509_REQ_extension_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_extension_nid) #define X509_REQ_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_free) +#define X509_REQ_get0_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get0_pubkey) #define X509_REQ_get0_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get0_signature) #define X509_REQ_get1_email BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get1_email) #define X509_REQ_get_attr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_attr) 
@@ -1997,13 +2038,15 @@ #define X509_STORE_CTX_get0_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_cert) #define X509_STORE_CTX_get0_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_chain) #define X509_STORE_CTX_get0_current_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_crl) -#define X509_STORE_CTX_get0_current_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_issuer) #define X509_STORE_CTX_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_param) #define X509_STORE_CTX_get0_parent_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_parent_ctx) #define X509_STORE_CTX_get0_store BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_store) #define X509_STORE_CTX_get0_untrusted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_untrusted) +#define X509_STORE_CTX_get1_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_certs) #define X509_STORE_CTX_get1_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_chain) +#define X509_STORE_CTX_get1_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_crls) #define X509_STORE_CTX_get1_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_issuer) +#define X509_STORE_CTX_get_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_by_subject) #define X509_STORE_CTX_get_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_chain) #define X509_STORE_CTX_get_current_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_current_cert) #define X509_STORE_CTX_get_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_error) 
@@ -2012,11 +2055,9 @@ #define X509_STORE_CTX_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_ex_new_index) #define X509_STORE_CTX_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_init) #define X509_STORE_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_new) -#define X509_STORE_CTX_purpose_inherit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_purpose_inherit) #define X509_STORE_CTX_set0_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set0_crls) #define X509_STORE_CTX_set0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set0_param) #define X509_STORE_CTX_set0_trusted_stack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set0_trusted_stack) -#define X509_STORE_CTX_set_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_cert) #define X509_STORE_CTX_set_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_chain) #define X509_STORE_CTX_set_default BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_default) #define X509_STORE_CTX_set_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_depth) 
@@ -2029,49 +2070,24 @@ #define X509_STORE_CTX_set_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_trust) #define X509_STORE_CTX_set_verify_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_verify_cb) #define X509_STORE_CTX_trusted_stack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_trusted_stack) -#define X509_STORE_CTX_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_zero) #define X509_STORE_add_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_add_cert) #define X509_STORE_add_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_add_crl) #define X509_STORE_add_lookup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_add_lookup) #define X509_STORE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_free) #define X509_STORE_get0_objects BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get0_objects) #define X509_STORE_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get0_param) -#define X509_STORE_get1_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get1_certs) -#define X509_STORE_get1_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get1_crls) -#define X509_STORE_get_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_by_subject) -#define X509_STORE_get_cert_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_cert_crl) -#define X509_STORE_get_check_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_check_crl) -#define X509_STORE_get_check_issued BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_check_issued) -#define X509_STORE_get_check_revocation BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_check_revocation) -#define X509_STORE_get_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_cleanup) -#define X509_STORE_get_get_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_get_crl) -#define X509_STORE_get_get_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_get_issuer) -#define X509_STORE_get_lookup_certs 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_lookup_certs) -#define X509_STORE_get_lookup_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_lookup_crls) -#define X509_STORE_get_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_verify) -#define X509_STORE_get_verify_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_verify_cb) #define X509_STORE_load_locations BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_load_locations) #define X509_STORE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_new) #define X509_STORE_set1_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set1_param) -#define X509_STORE_set_cert_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_cert_crl) #define X509_STORE_set_check_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_check_crl) -#define X509_STORE_set_check_issued BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_check_issued) -#define X509_STORE_set_check_revocation BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_check_revocation) -#define X509_STORE_set_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_cleanup) #define X509_STORE_set_default_paths BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_default_paths) #define X509_STORE_set_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_depth) #define X509_STORE_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_flags) #define X509_STORE_set_get_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_get_crl) -#define X509_STORE_set_get_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_get_issuer) -#define X509_STORE_set_lookup_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_lookup_certs) -#define X509_STORE_set_lookup_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_lookup_crls) #define X509_STORE_set_purpose BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_purpose) #define X509_STORE_set_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
X509_STORE_set_trust) -#define X509_STORE_set_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_verify) #define X509_STORE_set_verify_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_verify_cb) #define X509_STORE_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_up_ref) -#define X509_TRUST_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_add) -#define X509_TRUST_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_cleanup) #define X509_TRUST_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get0) #define X509_TRUST_get0_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get0_name) #define X509_TRUST_get_by_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get_by_id) @@ -2086,8 +2102,6 @@ #define X509_VERIFY_PARAM_add1_host BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_add1_host) #define X509_VERIFY_PARAM_clear_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_clear_flags) #define X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_free) -#define X509_VERIFY_PARAM_get0_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get0_name) -#define X509_VERIFY_PARAM_get0_peername BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get0_peername) #define X509_VERIFY_PARAM_get_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_depth) #define X509_VERIFY_PARAM_get_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_flags) #define X509_VERIFY_PARAM_inherit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_inherit) 
@@ -2098,7 +2112,6 @@ #define X509_VERIFY_PARAM_set1_host BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_host) #define X509_VERIFY_PARAM_set1_ip BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip) #define X509_VERIFY_PARAM_set1_ip_asc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip_asc) -#define X509_VERIFY_PARAM_set1_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_name) #define X509_VERIFY_PARAM_set1_policies BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_policies) #define X509_VERIFY_PARAM_set_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_depth) #define X509_VERIFY_PARAM_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_flags) @@ -2141,6 +2154,7 @@ #define X509_get0_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_extensions) #define X509_get0_notAfter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_notAfter) #define X509_get0_notBefore BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_notBefore) +#define X509_get0_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_pubkey) #define X509_get0_pubkey_bitstr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_pubkey_bitstr) #define X509_get0_serialNumber BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_serialNumber) #define X509_get0_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_signature) 
@@ -2231,7 +2245,6 @@ #define X509v3_get_ext_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext_by_OBJ) #define X509v3_get_ext_by_critical BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext_by_critical) #define X509v3_get_ext_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext_count) -#define a2i_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, a2i_GENERAL_NAME) #define a2i_IPADDRESS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, a2i_IPADDRESS) #define a2i_IPADDRESS_NC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, a2i_IPADDRESS_NC) #define aes128gcmsiv_aes_ks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes128gcmsiv_aes_ks) 
@@ -2286,14 +2299,16 @@ #define asn1_refcount_set_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_refcount_set_one) #define asn1_set_choice_selector BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_set_choice_selector) #define asn1_type_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_type_cleanup) +#define asn1_type_set0_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_type_set0_string) #define asn1_type_value_as_pointer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_type_value_as_pointer) #define asn1_utctime_to_tm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_utctime_to_tm) #define beeu_mod_inverse_vartime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, beeu_mod_inverse_vartime) #define bio_clear_socket_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_clear_socket_error) -#define bio_fd_should_retry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_fd_should_retry) +#define bio_errno_should_retry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_errno_should_retry) #define bio_ip_and_port_to_socket_and_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_ip_and_port_to_socket_and_addr) #define bio_sock_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_sock_error) #define bio_socket_nbio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_socket_nbio) +#define bio_socket_should_retry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_socket_should_retry) #define bn_abs_sub_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_abs_sub_consttime) #define bn_add_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_add_words) #define bn_assert_fits_in_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_assert_fits_in_bytes) 
@@ -2316,7 +2331,6 @@ #define bn_minimal_width BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_minimal_width) #define bn_mod_add_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_add_consttime) #define bn_mod_add_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_add_words) -#define bn_mod_exp_base_2_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_exp_base_2_consttime) #define bn_mod_exp_mont_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_exp_mont_small) #define bn_mod_inverse0_prime_mont_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_inverse0_prime_mont_small) #define bn_mod_inverse_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_inverse_consttime) 
@@ -2328,15 +2342,21 @@ #define bn_mod_sub_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_sub_consttime) #define bn_mod_sub_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_sub_words) #define bn_mod_u16_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_u16_consttime) +#define bn_mont_ctx_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_ctx_cleanup) +#define bn_mont_ctx_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_ctx_init) +#define bn_mont_ctx_set_RR_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_ctx_set_RR_consttime) #define bn_mont_n0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_n0) +#define bn_mul4x_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul4x_mont) #define bn_mul_add_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_add_words) #define bn_mul_comba4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_comba4) #define bn_mul_comba8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_comba8) #define bn_mul_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_consttime) #define bn_mul_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont) #define bn_mul_mont_gather5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont_gather5) +#define bn_mul_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont_nohw) #define bn_mul_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_small) #define bn_mul_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_words) +#define bn_mulx4x_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mulx4x_mont) #define bn_odd_number_is_obviously_composite BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_odd_number_is_obviously_composite) #define bn_one_to_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_one_to_montgomery) #define bn_power5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_power5) 
@@ -2354,6 +2374,7 @@ #define bn_set_static_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_set_static_words) #define bn_set_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_set_words) #define bn_sqr8x_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr8x_internal) +#define bn_sqr8x_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr8x_mont) #define bn_sqr_comba4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_comba4) #define bn_sqr_comba8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_comba8) #define bn_sqr_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_consttime) @@ -2372,15 +2393,6 @@ #define c2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_BIT_STRING) #define c2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_INTEGER) #define c2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_OBJECT) -#define cbb_add_latin1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, cbb_add_latin1) -#define cbb_add_ucs2_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, cbb_add_ucs2_be) -#define cbb_add_utf32_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, cbb_add_utf32_be) -#define cbb_add_utf8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, cbb_add_utf8) -#define cbb_get_utf8_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, cbb_get_utf8_len) -#define cbs_get_latin1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, cbs_get_latin1) -#define cbs_get_ucs2_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, cbs_get_ucs2_be) -#define cbs_get_utf32_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, cbs_get_utf32_be) -#define cbs_get_utf8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, cbs_get_utf8) #define chacha20_poly1305_open BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_open) #define chacha20_poly1305_seal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_seal) #define crypto_gcm_clmul_enabled BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, crypto_gcm_clmul_enabled) 
@@ -2436,7 +2448,6 @@ #define d2i_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EC_PUBKEY) #define d2i_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EC_PUBKEY_bio) #define d2i_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EC_PUBKEY_fp) -#define d2i_EDIPARTYNAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EDIPARTYNAME) #define d2i_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EXTENDED_KEY_USAGE) #define d2i_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_GENERAL_NAME) #define d2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_GENERAL_NAMES) @@ -2444,7 +2455,6 @@ #define d2i_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKAC) #define d2i_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKI) #define d2i_NOTICEREF BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_NOTICEREF) -#define d2i_OTHERNAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_OTHERNAME) #define d2i_PKCS12 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS12) #define d2i_PKCS12_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS12_bio) #define d2i_PKCS12_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS12_fp) @@ -2490,7 +2500,6 @@ #define d2i_X509_EXTENSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_EXTENSION) #define d2i_X509_EXTENSIONS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_EXTENSIONS) #define d2i_X509_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_NAME) -#define d2i_X509_NAME_ENTRY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_NAME_ENTRY) #define d2i_X509_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_PUBKEY) #define d2i_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_REQ) #define d2i_X509_REQ_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_REQ_INFO) 
@@ -2501,6 +2510,7 @@ #define d2i_X509_VAL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_VAL) #define d2i_X509_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_bio) #define d2i_X509_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_fp) +#define dh_check_params_fast BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_check_params_fast) #define dh_compute_key_padded_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_compute_key_padded_no_self_test) #define dsa_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dsa_asn1_meth) #define dsa_check_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dsa_check_key) @@ -2512,9 +2522,6 @@ #define ec_GFp_mont_felem_reduce BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_felem_reduce) #define ec_GFp_mont_felem_sqr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_felem_sqr) #define ec_GFp_mont_felem_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_felem_to_bytes) -#define ec_GFp_mont_group_finish BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_group_finish) -#define ec_GFp_mont_group_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_group_init) -#define ec_GFp_mont_group_set_curve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_group_set_curve) #define ec_GFp_mont_init_precomp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_init_precomp) #define ec_GFp_mont_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_mul) #define ec_GFp_mont_mul_base BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_mul_base) 
@@ -2525,9 +2532,7 @@ #define ec_GFp_simple_cmp_x_coordinate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_cmp_x_coordinate) #define ec_GFp_simple_felem_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_felem_from_bytes) #define ec_GFp_simple_felem_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_felem_to_bytes) -#define ec_GFp_simple_group_finish BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_group_finish) #define ec_GFp_simple_group_get_curve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_group_get_curve) -#define ec_GFp_simple_group_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_group_init) #define ec_GFp_simple_group_set_curve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_group_set_curve) #define ec_GFp_simple_invert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_invert) #define ec_GFp_simple_is_at_infinity BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_is_at_infinity) 
@@ -2549,13 +2554,13 @@ #define ec_felem_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_from_bytes) #define ec_felem_neg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_neg) #define ec_felem_non_zero_mask BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_non_zero_mask) +#define ec_felem_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_one) #define ec_felem_select BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_select) #define ec_felem_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_sub) #define ec_felem_to_bignum BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_to_bignum) #define ec_felem_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_to_bytes) #define ec_get_x_coordinate_as_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_get_x_coordinate_as_bytes) #define ec_get_x_coordinate_as_scalar BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_get_x_coordinate_as_scalar) -#define ec_group_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_group_new) #define ec_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_hash_to_curve_p256_xmd_sha256_sswu) #define ec_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_hash_to_curve_p384_xmd_sha384_sswu) #define ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_hash_to_curve_p384_xmd_sha512_sswu_draft07) 
@@ -2615,6 +2620,10 @@ #define ecp_nistz256_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sub) #define ed25519_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ed25519_asn1_meth) #define ed25519_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ed25519_pkey_meth) +#define fiat_curve25519_adx_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_curve25519_adx_mul) +#define fiat_curve25519_adx_square BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_curve25519_adx_square) +#define fiat_p256_adx_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_p256_adx_mul) +#define fiat_p256_adx_sqr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_p256_adx_sqr) #define gcm_ghash_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_avx) #define gcm_ghash_clmul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_clmul) #define gcm_ghash_neon BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_neon) @@ -2634,7 +2643,6 @@ #define gcm_init_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_ssse3) #define gcm_init_v8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_v8) #define hkdf_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, hkdf_pkey_meth) -#define i2a_ACCESS_DESCRIPTION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ACCESS_DESCRIPTION) #define i2a_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_ENUMERATED) #define i2a_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_INTEGER) #define i2a_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_OBJECT) 
@@ -2692,7 +2700,6 @@ #define i2d_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EC_PUBKEY) #define i2d_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EC_PUBKEY_bio) #define i2d_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EC_PUBKEY_fp) -#define i2d_EDIPARTYNAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EDIPARTYNAME) #define i2d_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EXTENDED_KEY_USAGE) #define i2d_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_GENERAL_NAME) #define i2d_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_GENERAL_NAMES) @@ -2700,7 +2707,6 @@ #define i2d_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKAC) #define i2d_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKI) #define i2d_NOTICEREF BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_NOTICEREF) -#define i2d_OTHERNAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_OTHERNAME) #define i2d_PKCS12 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS12) #define i2d_PKCS12_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS12_bio) #define i2d_PKCS12_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS12_fp) @@ -2751,7 +2757,6 @@ #define i2d_X509_EXTENSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_EXTENSION) #define i2d_X509_EXTENSIONS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_EXTENSIONS) #define i2d_X509_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_NAME) -#define i2d_X509_NAME_ENTRY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_NAME_ENTRY) #define i2d_X509_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_PUBKEY) #define i2d_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_REQ) #define i2d_X509_REQ_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_REQ_INFO) 
@@ -2773,6 +2778,7 @@ #define i2t_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2t_ASN1_OBJECT) #define i2v_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2v_GENERAL_NAME) #define i2v_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2v_GENERAL_NAMES) +#define k25519Precomp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, k25519Precomp) #define kBoringSSLRSASqrtTwo BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, kBoringSSLRSASqrtTwo) #define kBoringSSLRSASqrtTwoLen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, kBoringSSLRSASqrtTwoLen) #define kOpenSSLReasonStringData BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, kOpenSSLReasonStringData) 
@@ -2836,31 +2842,62 @@ #define rsaz_1024_sqr_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_sqr_avx2) #define s2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, s2i_ASN1_INTEGER) #define s2i_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, s2i_ASN1_OCTET_STRING) -#define sha1_block_data_order BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order) -#define sha256_block_data_order BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order) -#define sha512_block_data_order BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order) -#define sk_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_deep_copy) -#define sk_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_delete) -#define sk_delete_if BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_delete_if) -#define sk_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_delete_ptr) -#define sk_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_dup) -#define sk_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_find) +#define sha1_block_data_order_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_avx) +#define sha1_block_data_order_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_avx2) +#define sha1_block_data_order_hw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_hw) +#define sha1_block_data_order_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_nohw) +#define sha1_block_data_order_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_ssse3) +#define sha256_block_data_order_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_avx) +#define sha256_block_data_order_hw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_hw) +#define sha256_block_data_order_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_nohw) +#define sha256_block_data_order_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_ssse3) +#define sha512_block_data_order_avx 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order_avx) +#define sha512_block_data_order_hw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order_hw) +#define sha512_block_data_order_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order_nohw) #define sk_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_free) -#define sk_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_insert) -#define sk_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_is_sorted) -#define sk_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_new) #define sk_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_new_null) #define sk_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_num) #define sk_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_pop) #define sk_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_pop_free) #define sk_pop_free_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_pop_free_ex) #define sk_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_push) -#define sk_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_set) -#define sk_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_set_cmp_func) -#define sk_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_shift) -#define sk_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_sort) #define sk_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_value) -#define sk_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_zero) +#define spx_base_b BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_base_b) +#define spx_copy_keypair_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_copy_keypair_addr) +#define spx_fors_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_fors_pk_from_sig) +#define spx_fors_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_fors_sign) +#define spx_fors_sk_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_fors_sk_gen) +#define spx_fors_treehash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_fors_treehash) +#define spx_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_generate_key) +#define spx_generate_key_from_seed 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_generate_key_from_seed) +#define spx_get_tree_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_get_tree_index) +#define spx_ht_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_ht_sign) +#define spx_ht_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_ht_verify) +#define spx_set_chain_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_chain_addr) +#define spx_set_hash_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_hash_addr) +#define spx_set_keypair_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_keypair_addr) +#define spx_set_layer_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_layer_addr) +#define spx_set_tree_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_tree_addr) +#define spx_set_tree_height BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_tree_height) +#define spx_set_tree_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_tree_index) +#define spx_set_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_type) +#define spx_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_sign) +#define spx_thash_f BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_f) +#define spx_thash_h BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_h) +#define spx_thash_hmsg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_hmsg) +#define spx_thash_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_prf) +#define spx_thash_prfmsg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_prfmsg) +#define spx_thash_tk BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_tk) +#define spx_thash_tl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_tl) +#define spx_to_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_to_uint64) +#define spx_treehash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_treehash) +#define spx_uint64_to_len_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_uint64_to_len_bytes) +#define spx_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_verify) +#define spx_wots_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
spx_wots_pk_from_sig) +#define spx_wots_pk_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_wots_pk_gen) +#define spx_wots_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_wots_sign) +#define spx_xmss_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_xmss_pk_from_sig) +#define spx_xmss_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_xmss_sign) #define v2i_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v2i_GENERAL_NAME) #define v2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v2i_GENERAL_NAMES) #define v2i_GENERAL_NAME_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v2i_GENERAL_NAME_ex) 
@@ -2919,12 +2956,15 @@ #define x25519_ge_p3_to_cached BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_p3_to_cached) #define x25519_ge_scalarmult BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_scalarmult) #define x25519_ge_scalarmult_base BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_scalarmult_base) +#define x25519_ge_scalarmult_base_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_scalarmult_base_adx) #define x25519_ge_scalarmult_small_precomp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_scalarmult_small_precomp) #define x25519_ge_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_sub) #define x25519_ge_tobytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_tobytes) #define x25519_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_pkey_meth) #define x25519_sc_reduce BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_sc_reduce) +#define x25519_scalar_mult_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_scalar_mult_adx) #define x509V3_add_value_asn1_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509V3_add_value_asn1_string) +#define x509_check_issued_with_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_check_issued_with_callback) #define x509_digest_sign_algorithm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_digest_sign_algorithm) #define x509_digest_verify_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_digest_verify_init) #define x509_print_rsa_pss_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_print_rsa_pss_params) 
@@ -3005,6 +3045,29 @@ #define sk_BIGNUM_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_is_sorted) #define sk_BIGNUM_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_set_cmp_func) #define sk_BIGNUM_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_deep_copy) +#define sk_X509_LOOKUP_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_free_func) +#define sk_X509_LOOKUP_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_copy_func) +#define sk_X509_LOOKUP_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_cmp_func) +#define sk_X509_LOOKUP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new) +#define sk_X509_LOOKUP_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new_null) +#define sk_X509_LOOKUP_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_num) +#define sk_X509_LOOKUP_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_zero) +#define sk_X509_LOOKUP_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_value) +#define sk_X509_LOOKUP_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set) +#define sk_X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_free) +#define sk_X509_LOOKUP_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop_free) +#define sk_X509_LOOKUP_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_insert) +#define sk_X509_LOOKUP_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete) +#define sk_X509_LOOKUP_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete_ptr) +#define sk_X509_LOOKUP_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_find) +#define sk_X509_LOOKUP_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_shift) +#define sk_X509_LOOKUP_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_push) +#define sk_X509_LOOKUP_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop) +#define 
sk_X509_LOOKUP_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_dup) +#define sk_X509_LOOKUP_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_sort) +#define sk_X509_LOOKUP_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_is_sorted) +#define sk_X509_LOOKUP_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set_cmp_func) +#define sk_X509_LOOKUP_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_deep_copy) #define sk_STACK_OF_X509_NAME_ENTRY_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_call_free_func) #define sk_STACK_OF_X509_NAME_ENTRY_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_call_copy_func) #define sk_STACK_OF_X509_NAME_ENTRY_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_call_cmp_func) 
@@ -3143,6 +3206,29 @@ #define sk_X509_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_is_sorted) #define sk_X509_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_set_cmp_func) #define sk_X509_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_deep_copy) +#define sk_GENERAL_NAME_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_free_func) +#define sk_GENERAL_NAME_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_copy_func) +#define sk_GENERAL_NAME_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_cmp_func) +#define sk_GENERAL_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new) +#define sk_GENERAL_NAME_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new_null) +#define sk_GENERAL_NAME_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_num) +#define sk_GENERAL_NAME_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_zero) +#define sk_GENERAL_NAME_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_value) +#define sk_GENERAL_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set) +#define sk_GENERAL_NAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_free) +#define sk_GENERAL_NAME_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop_free) +#define sk_GENERAL_NAME_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_insert) +#define sk_GENERAL_NAME_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete) +#define sk_GENERAL_NAME_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete_ptr) +#define sk_GENERAL_NAME_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_find) +#define sk_GENERAL_NAME_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_shift) +#define sk_GENERAL_NAME_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_push) +#define sk_GENERAL_NAME_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_GENERAL_NAME_pop) +#define sk_GENERAL_NAME_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_dup) +#define sk_GENERAL_NAME_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_sort) +#define sk_GENERAL_NAME_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_is_sorted) +#define sk_GENERAL_NAME_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set_cmp_func) +#define sk_GENERAL_NAME_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_deep_copy) #define sk_X509_CRL_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_free_func) #define sk_X509_CRL_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_copy_func) #define sk_X509_CRL_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_cmp_func) 
@@ -3166,6 +3252,29 @@ #define sk_X509_CRL_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_is_sorted) #define sk_X509_CRL_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_set_cmp_func) #define sk_X509_CRL_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_deep_copy) +#define sk_X509_REVOKED_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_free_func) +#define sk_X509_REVOKED_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_copy_func) +#define sk_X509_REVOKED_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_cmp_func) +#define sk_X509_REVOKED_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new) +#define sk_X509_REVOKED_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new_null) +#define sk_X509_REVOKED_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_num) +#define sk_X509_REVOKED_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_zero) +#define sk_X509_REVOKED_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_value) +#define sk_X509_REVOKED_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set) +#define sk_X509_REVOKED_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_free) +#define sk_X509_REVOKED_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop_free) +#define sk_X509_REVOKED_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_insert) +#define sk_X509_REVOKED_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete) +#define sk_X509_REVOKED_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete_ptr) +#define sk_X509_REVOKED_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_find) +#define sk_X509_REVOKED_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_shift) +#define sk_X509_REVOKED_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_push) +#define sk_X509_REVOKED_pop 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop) +#define sk_X509_REVOKED_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_dup) +#define sk_X509_REVOKED_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_sort) +#define sk_X509_REVOKED_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_is_sorted) +#define sk_X509_REVOKED_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set_cmp_func) +#define sk_X509_REVOKED_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_deep_copy) #define sk_X509_NAME_ENTRY_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_free_func) #define sk_X509_NAME_ENTRY_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_copy_func) #define sk_X509_NAME_ENTRY_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_cmp_func) 
@@ -3281,52 +3390,6 @@ #define sk_X509_ATTRIBUTE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_is_sorted) #define sk_X509_ATTRIBUTE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_set_cmp_func) #define sk_X509_ATTRIBUTE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_deep_copy) -#define sk_X509_TRUST_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_call_free_func) -#define sk_X509_TRUST_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_call_copy_func) -#define sk_X509_TRUST_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_call_cmp_func) -#define sk_X509_TRUST_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_new) -#define sk_X509_TRUST_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_new_null) -#define sk_X509_TRUST_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_num) -#define sk_X509_TRUST_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_zero) -#define sk_X509_TRUST_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_value) -#define sk_X509_TRUST_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_set) -#define sk_X509_TRUST_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_free) -#define sk_X509_TRUST_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_pop_free) -#define sk_X509_TRUST_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_insert) -#define sk_X509_TRUST_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_delete) -#define sk_X509_TRUST_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_delete_ptr) -#define sk_X509_TRUST_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_find) -#define sk_X509_TRUST_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_shift) -#define sk_X509_TRUST_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_push) -#define sk_X509_TRUST_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_pop) 
-#define sk_X509_TRUST_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_dup) -#define sk_X509_TRUST_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_sort) -#define sk_X509_TRUST_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_is_sorted) -#define sk_X509_TRUST_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_set_cmp_func) -#define sk_X509_TRUST_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_deep_copy) -#define sk_X509_REVOKED_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_free_func) -#define sk_X509_REVOKED_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_copy_func) -#define sk_X509_REVOKED_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_cmp_func) -#define sk_X509_REVOKED_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new) -#define sk_X509_REVOKED_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new_null) -#define sk_X509_REVOKED_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_num) -#define sk_X509_REVOKED_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_zero) -#define sk_X509_REVOKED_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_value) -#define sk_X509_REVOKED_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set) -#define sk_X509_REVOKED_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_free) -#define sk_X509_REVOKED_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop_free) -#define sk_X509_REVOKED_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_insert) -#define sk_X509_REVOKED_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete) -#define sk_X509_REVOKED_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete_ptr) -#define sk_X509_REVOKED_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_find) -#define sk_X509_REVOKED_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509_REVOKED_shift) -#define sk_X509_REVOKED_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_push) -#define sk_X509_REVOKED_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop) -#define sk_X509_REVOKED_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_dup) -#define sk_X509_REVOKED_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_sort) -#define sk_X509_REVOKED_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_is_sorted) -#define sk_X509_REVOKED_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set_cmp_func) -#define sk_X509_REVOKED_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_deep_copy) #define sk_X509_INFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_free_func) #define sk_X509_INFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_copy_func) #define sk_X509_INFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_cmp_func) 
@@ -3350,29 +3413,29 @@ #define sk_X509_INFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_is_sorted) #define sk_X509_INFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_set_cmp_func) #define sk_X509_INFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_deep_copy) -#define sk_X509_LOOKUP_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_free_func) -#define sk_X509_LOOKUP_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_copy_func) -#define sk_X509_LOOKUP_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_cmp_func) -#define sk_X509_LOOKUP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new) -#define sk_X509_LOOKUP_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new_null) -#define sk_X509_LOOKUP_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_num) -#define sk_X509_LOOKUP_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_zero) -#define sk_X509_LOOKUP_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_value) -#define sk_X509_LOOKUP_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set) -#define sk_X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_free) -#define sk_X509_LOOKUP_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop_free) -#define sk_X509_LOOKUP_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_insert) -#define sk_X509_LOOKUP_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete) -#define sk_X509_LOOKUP_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete_ptr) -#define sk_X509_LOOKUP_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_find) -#define sk_X509_LOOKUP_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_shift) -#define sk_X509_LOOKUP_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_push) -#define sk_X509_LOOKUP_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509_LOOKUP_pop) -#define sk_X509_LOOKUP_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_dup) -#define sk_X509_LOOKUP_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_sort) -#define sk_X509_LOOKUP_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_is_sorted) -#define sk_X509_LOOKUP_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set_cmp_func) -#define sk_X509_LOOKUP_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_deep_copy) +#define sk_X509_TRUST_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_call_free_func) +#define sk_X509_TRUST_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_call_copy_func) +#define sk_X509_TRUST_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_call_cmp_func) +#define sk_X509_TRUST_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_new) +#define sk_X509_TRUST_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_new_null) +#define sk_X509_TRUST_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_num) +#define sk_X509_TRUST_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_zero) +#define sk_X509_TRUST_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_value) +#define sk_X509_TRUST_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_set) +#define sk_X509_TRUST_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_free) +#define sk_X509_TRUST_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_pop_free) +#define sk_X509_TRUST_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_insert) +#define sk_X509_TRUST_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_delete) +#define sk_X509_TRUST_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_delete_ptr) +#define sk_X509_TRUST_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_find) +#define sk_X509_TRUST_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_shift) +#define 
sk_X509_TRUST_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_push) +#define sk_X509_TRUST_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_pop) +#define sk_X509_TRUST_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_dup) +#define sk_X509_TRUST_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_sort) +#define sk_X509_TRUST_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_is_sorted) +#define sk_X509_TRUST_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_set_cmp_func) +#define sk_X509_TRUST_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_deep_copy) #define sk_X509_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_free_func) #define sk_X509_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_copy_func) #define sk_X509_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_cmp_func) 
@@ -3396,144 +3459,6 @@ #define sk_X509_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_is_sorted) #define sk_X509_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_set_cmp_func) #define sk_X509_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_deep_copy) -#define sk_X509_VERIFY_PARAM_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_free_func) -#define sk_X509_VERIFY_PARAM_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_copy_func) -#define sk_X509_VERIFY_PARAM_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_cmp_func) -#define sk_X509_VERIFY_PARAM_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_new) -#define sk_X509_VERIFY_PARAM_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_new_null) -#define sk_X509_VERIFY_PARAM_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_num) -#define sk_X509_VERIFY_PARAM_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_zero) -#define sk_X509_VERIFY_PARAM_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_value) -#define sk_X509_VERIFY_PARAM_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_set) -#define sk_X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_free) -#define sk_X509_VERIFY_PARAM_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_pop_free) -#define sk_X509_VERIFY_PARAM_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_insert) -#define sk_X509_VERIFY_PARAM_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_delete) -#define sk_X509_VERIFY_PARAM_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_delete_ptr) -#define sk_X509_VERIFY_PARAM_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_find) -#define sk_X509_VERIFY_PARAM_shift 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_shift) -#define sk_X509_VERIFY_PARAM_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_push) -#define sk_X509_VERIFY_PARAM_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_pop) -#define sk_X509_VERIFY_PARAM_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_dup) -#define sk_X509_VERIFY_PARAM_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_sort) -#define sk_X509_VERIFY_PARAM_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_is_sorted) -#define sk_X509_VERIFY_PARAM_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_set_cmp_func) -#define sk_X509_VERIFY_PARAM_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_deep_copy) -#define sk_CRYPTO_BUFFER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_free_func) -#define sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_copy_func) -#define sk_CRYPTO_BUFFER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_cmp_func) -#define sk_CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new) -#define sk_CRYPTO_BUFFER_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new_null) -#define sk_CRYPTO_BUFFER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_num) -#define sk_CRYPTO_BUFFER_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_zero) -#define sk_CRYPTO_BUFFER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_value) -#define sk_CRYPTO_BUFFER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set) -#define sk_CRYPTO_BUFFER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_free) -#define sk_CRYPTO_BUFFER_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop_free) -#define sk_CRYPTO_BUFFER_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_insert) 
-#define sk_CRYPTO_BUFFER_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_delete) -#define sk_CRYPTO_BUFFER_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_delete_ptr) -#define sk_CRYPTO_BUFFER_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_find) -#define sk_CRYPTO_BUFFER_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_shift) -#define sk_CRYPTO_BUFFER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_push) -#define sk_CRYPTO_BUFFER_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop) -#define sk_CRYPTO_BUFFER_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_dup) -#define sk_CRYPTO_BUFFER_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_sort) -#define sk_CRYPTO_BUFFER_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_is_sorted) -#define sk_CRYPTO_BUFFER_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set_cmp_func) -#define sk_CRYPTO_BUFFER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_deep_copy) -#define sk_ASN1_INTEGER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_free_func) -#define sk_ASN1_INTEGER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_copy_func) -#define sk_ASN1_INTEGER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_cmp_func) -#define sk_ASN1_INTEGER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_new) -#define sk_ASN1_INTEGER_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_new_null) -#define sk_ASN1_INTEGER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_num) -#define sk_ASN1_INTEGER_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_zero) -#define sk_ASN1_INTEGER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_value) -#define sk_ASN1_INTEGER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_set) -#define sk_ASN1_INTEGER_free 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_free) -#define sk_ASN1_INTEGER_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_pop_free) -#define sk_ASN1_INTEGER_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_insert) -#define sk_ASN1_INTEGER_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_delete) -#define sk_ASN1_INTEGER_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_delete_ptr) -#define sk_ASN1_INTEGER_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_find) -#define sk_ASN1_INTEGER_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_shift) -#define sk_ASN1_INTEGER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_push) -#define sk_ASN1_INTEGER_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_pop) -#define sk_ASN1_INTEGER_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_dup) -#define sk_ASN1_INTEGER_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_sort) -#define sk_ASN1_INTEGER_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_is_sorted) -#define sk_ASN1_INTEGER_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_set_cmp_func) -#define sk_ASN1_INTEGER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_deep_copy) -#define sk_ASN1_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_free_func) -#define sk_ASN1_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_copy_func) -#define sk_ASN1_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_cmp_func) -#define sk_ASN1_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new) -#define sk_ASN1_OBJECT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new_null) -#define sk_ASN1_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_num) -#define sk_ASN1_OBJECT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_zero) -#define 
sk_ASN1_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_value) -#define sk_ASN1_OBJECT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set) -#define sk_ASN1_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_free) -#define sk_ASN1_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop_free) -#define sk_ASN1_OBJECT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_insert) -#define sk_ASN1_OBJECT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete) -#define sk_ASN1_OBJECT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete_ptr) -#define sk_ASN1_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_find) -#define sk_ASN1_OBJECT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_shift) -#define sk_ASN1_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_push) -#define sk_ASN1_OBJECT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop) -#define sk_ASN1_OBJECT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_dup) -#define sk_ASN1_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_sort) -#define sk_ASN1_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_is_sorted) -#define sk_ASN1_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set_cmp_func) -#define sk_ASN1_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_deep_copy) -#define sk_ASN1_TYPE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_free_func) -#define sk_ASN1_TYPE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_copy_func) -#define sk_ASN1_TYPE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_cmp_func) -#define sk_ASN1_TYPE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_new) -#define sk_ASN1_TYPE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_new_null) -#define sk_ASN1_TYPE_num 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_num) -#define sk_ASN1_TYPE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_zero) -#define sk_ASN1_TYPE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_value) -#define sk_ASN1_TYPE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_set) -#define sk_ASN1_TYPE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_free) -#define sk_ASN1_TYPE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_pop_free) -#define sk_ASN1_TYPE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_insert) -#define sk_ASN1_TYPE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_delete) -#define sk_ASN1_TYPE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_delete_ptr) -#define sk_ASN1_TYPE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_find) -#define sk_ASN1_TYPE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_shift) -#define sk_ASN1_TYPE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_push) -#define sk_ASN1_TYPE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_pop) -#define sk_ASN1_TYPE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_dup) -#define sk_ASN1_TYPE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_sort) -#define sk_ASN1_TYPE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_is_sorted) -#define sk_ASN1_TYPE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_set_cmp_func) -#define sk_ASN1_TYPE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_deep_copy) -#define sk_BIO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_call_free_func) -#define sk_BIO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_call_copy_func) -#define sk_BIO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_call_cmp_func) -#define sk_BIO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_new) -#define sk_BIO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_new_null) 
-#define sk_BIO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_num) -#define sk_BIO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_zero) -#define sk_BIO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_value) -#define sk_BIO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_set) -#define sk_BIO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_free) -#define sk_BIO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_pop_free) -#define sk_BIO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_insert) -#define sk_BIO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_delete) -#define sk_BIO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_delete_ptr) -#define sk_BIO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_find) -#define sk_BIO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_shift) -#define sk_BIO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_push) -#define sk_BIO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_pop) -#define sk_BIO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_dup) -#define sk_BIO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_sort) -#define sk_BIO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_is_sorted) -#define sk_BIO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_set_cmp_func) -#define sk_BIO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_deep_copy) #define sk_X509V3_EXT_METHOD_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_free_func) #define sk_X509V3_EXT_METHOD_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_copy_func) #define sk_X509V3_EXT_METHOD_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_cmp_func) 
@@ -3557,52 +3482,6 @@ #define sk_X509V3_EXT_METHOD_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_is_sorted) #define sk_X509V3_EXT_METHOD_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_set_cmp_func) #define sk_X509V3_EXT_METHOD_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_deep_copy) -#define sk_GENERAL_NAME_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_free_func) -#define sk_GENERAL_NAME_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_copy_func) -#define sk_GENERAL_NAME_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_cmp_func) -#define sk_GENERAL_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new) -#define sk_GENERAL_NAME_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new_null) -#define sk_GENERAL_NAME_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_num) -#define sk_GENERAL_NAME_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_zero) -#define sk_GENERAL_NAME_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_value) -#define sk_GENERAL_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set) -#define sk_GENERAL_NAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_free) -#define sk_GENERAL_NAME_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop_free) -#define sk_GENERAL_NAME_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_insert) -#define sk_GENERAL_NAME_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete) -#define sk_GENERAL_NAME_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete_ptr) -#define sk_GENERAL_NAME_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_find) -#define sk_GENERAL_NAME_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_shift) -#define sk_GENERAL_NAME_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_push) 
-#define sk_GENERAL_NAME_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop) -#define sk_GENERAL_NAME_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_dup) -#define sk_GENERAL_NAME_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_sort) -#define sk_GENERAL_NAME_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_is_sorted) -#define sk_GENERAL_NAME_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set_cmp_func) -#define sk_GENERAL_NAME_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_deep_copy) -#define sk_GENERAL_NAMES_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_call_free_func) -#define sk_GENERAL_NAMES_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_call_copy_func) -#define sk_GENERAL_NAMES_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_call_cmp_func) -#define sk_GENERAL_NAMES_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_new) -#define sk_GENERAL_NAMES_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_new_null) -#define sk_GENERAL_NAMES_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_num) -#define sk_GENERAL_NAMES_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_zero) -#define sk_GENERAL_NAMES_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_value) -#define sk_GENERAL_NAMES_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_set) -#define sk_GENERAL_NAMES_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_free) -#define sk_GENERAL_NAMES_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_pop_free) -#define sk_GENERAL_NAMES_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_insert) -#define sk_GENERAL_NAMES_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_delete) -#define sk_GENERAL_NAMES_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_delete_ptr) -#define 
sk_GENERAL_NAMES_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_find) -#define sk_GENERAL_NAMES_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_shift) -#define sk_GENERAL_NAMES_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_push) -#define sk_GENERAL_NAMES_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_pop) -#define sk_GENERAL_NAMES_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_dup) -#define sk_GENERAL_NAMES_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_sort) -#define sk_GENERAL_NAMES_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_is_sorted) -#define sk_GENERAL_NAMES_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_set_cmp_func) -#define sk_GENERAL_NAMES_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_deep_copy) #define sk_ACCESS_DESCRIPTION_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_free_func) #define sk_ACCESS_DESCRIPTION_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_copy_func) #define sk_ACCESS_DESCRIPTION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_cmp_func) 
@@ -3764,6 +3643,121 @@ #define sk_X509_PURPOSE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_is_sorted) #define sk_X509_PURPOSE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_set_cmp_func) #define sk_X509_PURPOSE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_deep_copy) +#define sk_CRYPTO_BUFFER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_free_func) +#define sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_copy_func) +#define sk_CRYPTO_BUFFER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_cmp_func) +#define sk_CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new) +#define sk_CRYPTO_BUFFER_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new_null) +#define sk_CRYPTO_BUFFER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_num) +#define sk_CRYPTO_BUFFER_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_zero) +#define sk_CRYPTO_BUFFER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_value) +#define sk_CRYPTO_BUFFER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set) +#define sk_CRYPTO_BUFFER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_free) +#define sk_CRYPTO_BUFFER_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop_free) +#define sk_CRYPTO_BUFFER_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_insert) +#define sk_CRYPTO_BUFFER_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_delete) +#define sk_CRYPTO_BUFFER_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_delete_ptr) +#define sk_CRYPTO_BUFFER_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_find) +#define sk_CRYPTO_BUFFER_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_shift) +#define sk_CRYPTO_BUFFER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_CRYPTO_BUFFER_push) +#define sk_CRYPTO_BUFFER_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop) +#define sk_CRYPTO_BUFFER_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_dup) +#define sk_CRYPTO_BUFFER_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_sort) +#define sk_CRYPTO_BUFFER_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_is_sorted) +#define sk_CRYPTO_BUFFER_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set_cmp_func) +#define sk_CRYPTO_BUFFER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_deep_copy) +#define sk_ASN1_INTEGER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_free_func) +#define sk_ASN1_INTEGER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_copy_func) +#define sk_ASN1_INTEGER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_cmp_func) +#define sk_ASN1_INTEGER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_new) +#define sk_ASN1_INTEGER_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_new_null) +#define sk_ASN1_INTEGER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_num) +#define sk_ASN1_INTEGER_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_zero) +#define sk_ASN1_INTEGER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_value) +#define sk_ASN1_INTEGER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_set) +#define sk_ASN1_INTEGER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_free) +#define sk_ASN1_INTEGER_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_pop_free) +#define sk_ASN1_INTEGER_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_insert) +#define sk_ASN1_INTEGER_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_delete) +#define sk_ASN1_INTEGER_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_delete_ptr) +#define 
sk_ASN1_INTEGER_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_find) +#define sk_ASN1_INTEGER_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_shift) +#define sk_ASN1_INTEGER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_push) +#define sk_ASN1_INTEGER_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_pop) +#define sk_ASN1_INTEGER_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_dup) +#define sk_ASN1_INTEGER_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_sort) +#define sk_ASN1_INTEGER_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_is_sorted) +#define sk_ASN1_INTEGER_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_set_cmp_func) +#define sk_ASN1_INTEGER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_deep_copy) +#define sk_ASN1_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_free_func) +#define sk_ASN1_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_copy_func) +#define sk_ASN1_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_cmp_func) +#define sk_ASN1_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new) +#define sk_ASN1_OBJECT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new_null) +#define sk_ASN1_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_num) +#define sk_ASN1_OBJECT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_zero) +#define sk_ASN1_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_value) +#define sk_ASN1_OBJECT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set) +#define sk_ASN1_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_free) +#define sk_ASN1_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop_free) +#define sk_ASN1_OBJECT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_insert) +#define 
sk_ASN1_OBJECT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete) +#define sk_ASN1_OBJECT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete_ptr) +#define sk_ASN1_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_find) +#define sk_ASN1_OBJECT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_shift) +#define sk_ASN1_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_push) +#define sk_ASN1_OBJECT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop) +#define sk_ASN1_OBJECT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_dup) +#define sk_ASN1_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_sort) +#define sk_ASN1_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_is_sorted) +#define sk_ASN1_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set_cmp_func) +#define sk_ASN1_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_deep_copy) +#define sk_ASN1_TYPE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_free_func) +#define sk_ASN1_TYPE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_copy_func) +#define sk_ASN1_TYPE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_cmp_func) +#define sk_ASN1_TYPE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_new) +#define sk_ASN1_TYPE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_new_null) +#define sk_ASN1_TYPE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_num) +#define sk_ASN1_TYPE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_zero) +#define sk_ASN1_TYPE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_value) +#define sk_ASN1_TYPE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_set) +#define sk_ASN1_TYPE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_free) +#define sk_ASN1_TYPE_pop_free 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_pop_free) +#define sk_ASN1_TYPE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_insert) +#define sk_ASN1_TYPE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_delete) +#define sk_ASN1_TYPE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_delete_ptr) +#define sk_ASN1_TYPE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_find) +#define sk_ASN1_TYPE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_shift) +#define sk_ASN1_TYPE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_push) +#define sk_ASN1_TYPE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_pop) +#define sk_ASN1_TYPE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_dup) +#define sk_ASN1_TYPE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_sort) +#define sk_ASN1_TYPE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_is_sorted) +#define sk_ASN1_TYPE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_set_cmp_func) +#define sk_ASN1_TYPE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_deep_copy) +#define sk_BIO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_call_free_func) +#define sk_BIO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_call_copy_func) +#define sk_BIO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_call_cmp_func) +#define sk_BIO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_new) +#define sk_BIO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_new_null) +#define sk_BIO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_num) +#define sk_BIO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_zero) +#define sk_BIO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_value) +#define sk_BIO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_set) +#define sk_BIO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_free) +#define sk_BIO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_BIO_pop_free) +#define sk_BIO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_insert) +#define sk_BIO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_delete) +#define sk_BIO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_delete_ptr) +#define sk_BIO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_find) +#define sk_BIO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_shift) +#define sk_BIO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_push) +#define sk_BIO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_pop) +#define sk_BIO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_dup) +#define sk_BIO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_sort) +#define sk_BIO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_is_sorted) +#define sk_BIO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_set_cmp_func) +#define sk_BIO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_deep_copy) #define sk_CONF_VALUE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_free_func) #define sk_CONF_VALUE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_copy_func) #define sk_CONF_VALUE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_cmp_func) 
@@ -3907,6 +3901,20 @@ #define lh_ASN1_OBJECT_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_call_doall_arg) #define lh_ASN1_OBJECT_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_doall) #define lh_ASN1_OBJECT_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_doall_arg) +#define lh_CONF_SECTION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_cmp_func) +#define lh_CONF_SECTION_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_hash_func) +#define lh_CONF_SECTION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_new) +#define lh_CONF_SECTION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_free) +#define lh_CONF_SECTION_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_num_items) +#define lh_CONF_SECTION_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_retrieve) +#define lh_CONF_SECTION_call_cmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_cmp_key) +#define lh_CONF_SECTION_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_retrieve_key) +#define lh_CONF_SECTION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_insert) +#define lh_CONF_SECTION_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_delete) +#define lh_CONF_SECTION_call_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_doall) +#define lh_CONF_SECTION_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_doall_arg) +#define lh_CONF_SECTION_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_doall) +#define lh_CONF_SECTION_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_doall_arg) #define lh_CONF_VALUE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_cmp_func) #define lh_CONF_VALUE_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_hash_func) #define lh_CONF_VALUE_new 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_new) diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols_asm.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols_asm.h index 5c2ee410..356bc9c2 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols_asm.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols_asm.h @@ -147,6 +147,7 @@ #define _ASN1_TIME_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_set) #define _ASN1_TIME_set_posix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_set_posix) #define _ASN1_TIME_set_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_set_string) +#define _ASN1_TIME_set_string_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_set_string_X509) #define _ASN1_TIME_to_generalizedtime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_to_generalizedtime) #define _ASN1_TIME_to_posix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_to_posix) #define _ASN1_TIME_to_time_t BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_to_time_t) @@ -230,6 +231,8 @@ #define _BIO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_free) #define _BIO_free_all BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_free_all) #define _BIO_get_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_data) +#define _BIO_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_ex_data) +#define _BIO_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_ex_new_index) #define _BIO_get_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_fd) #define _BIO_get_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_fp) #define _BIO_get_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_init) 
@@ -287,6 +290,7 @@ #define _BIO_set_conn_int_port BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_conn_int_port) #define _BIO_set_conn_port BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_conn_port) #define _BIO_set_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_data) +#define _BIO_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_ex_data) #define _BIO_set_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_fd) #define _BIO_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_flags) #define _BIO_set_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_fp) @@ -353,6 +357,7 @@ #define _BN_bn2dec BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2dec) #define _BN_bn2hex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2hex) #define _BN_bn2le_padded BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2le_padded) +#define _BN_bn2lebinpad BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2lebinpad) #define _BN_bn2mpi BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2mpi) #define _BN_clear BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_clear) #define _BN_clear_bit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_clear_bit) @@ -392,6 +397,7 @@ #define _BN_is_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_word) #define _BN_is_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_zero) #define _BN_le2bn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_le2bn) +#define _BN_lebin2bn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_lebin2bn) #define _BN_lshift BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_lshift) #define _BN_lshift1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_lshift1) #define _BN_marshal_asn1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_marshal_asn1) 
@@ -457,6 +463,7 @@ #define _BN_value_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_value_one) #define _BN_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_zero) #define _BORINGSSL_keccak BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_keccak) +#define _BORINGSSL_keccak_absorb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_keccak_absorb) #define _BORINGSSL_keccak_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_keccak_init) #define _BORINGSSL_keccak_squeeze BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_keccak_squeeze) #define _BORINGSSL_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_self_test) @@ -481,6 +488,7 @@ #define _CBB_add_asn1_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1_uint64) #define _CBB_add_asn1_uint64_with_tag BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1_uint64_with_tag) #define _CBB_add_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_bytes) +#define _CBB_add_latin1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_latin1) #define _CBB_add_space BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_space) #define _CBB_add_u16 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u16) #define _CBB_add_u16_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u16_length_prefixed) 
@@ -493,6 +501,9 @@ #define _CBB_add_u64le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u64le) #define _CBB_add_u8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u8) #define _CBB_add_u8_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u8_length_prefixed) +#define _CBB_add_ucs2_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_ucs2_be) +#define _CBB_add_utf32_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_utf32_be) +#define _CBB_add_utf8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_utf8) #define _CBB_add_zeros BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_zeros) #define _CBB_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_cleanup) #define _CBB_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_data) @@ -502,6 +513,7 @@ #define _CBB_finish_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_finish_i2d) #define _CBB_flush BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_flush) #define _CBB_flush_asn1_set_of BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_flush_asn1_set_of) +#define _CBB_get_utf8_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_get_utf8_len) #define _CBB_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_init) #define _CBB_init_fixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_init_fixed) #define _CBB_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_len) 
@@ -524,6 +536,7 @@ #define _CBS_get_asn1_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_asn1_uint64) #define _CBS_get_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_bytes) #define _CBS_get_last_u8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_last_u8) +#define _CBS_get_latin1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_latin1) #define _CBS_get_optional_asn1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_optional_asn1) #define _CBS_get_optional_asn1_bool BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_optional_asn1_bool) #define _CBS_get_optional_asn1_octet_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_optional_asn1_octet_string) @@ -540,7 +553,10 @@ #define _CBS_get_u64le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u64le) #define _CBS_get_u8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u8) #define _CBS_get_u8_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u8_length_prefixed) +#define _CBS_get_ucs2_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_ucs2_be) #define _CBS_get_until_first BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_until_first) +#define _CBS_get_utf32_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_utf32_be) +#define _CBS_get_utf8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_utf8) #define _CBS_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_init) #define _CBS_is_unsigned_asn1_integer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_is_unsigned_asn1_integer) #define _CBS_is_valid_asn1_bitstring BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_is_valid_asn1_bitstring) 
@@ -591,10 +607,6 @@ #define _CRYPTO_POLYVAL_finish BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_POLYVAL_finish) #define _CRYPTO_POLYVAL_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_POLYVAL_init) #define _CRYPTO_POLYVAL_update_blocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_POLYVAL_update_blocks) -#define _CRYPTO_STATIC_MUTEX_lock_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_STATIC_MUTEX_lock_read) -#define _CRYPTO_STATIC_MUTEX_lock_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_STATIC_MUTEX_lock_write) -#define _CRYPTO_STATIC_MUTEX_unlock_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_STATIC_MUTEX_unlock_read) -#define _CRYPTO_STATIC_MUTEX_unlock_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_STATIC_MUTEX_unlock_write) #define _CRYPTO_THREADID_current BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_THREADID_current) #define _CRYPTO_THREADID_set_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_THREADID_set_callback) #define _CRYPTO_THREADID_set_numeric BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_THREADID_set_numeric) @@ -608,6 +620,7 @@ #define _CRYPTO_cleanup_all_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cleanup_all_ex_data) #define _CRYPTO_ctr128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt) #define _CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt_ctr32) +#define _CRYPTO_fips_186_2_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_fips_186_2_prf) #define _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_fork_detect_force_madv_wipeonfork_for_testing) #define _CRYPTO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_free) #define _CRYPTO_free_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_free_ex_data) 
@@ -633,9 +646,6 @@ #define _CRYPTO_has_asm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_has_asm) #define _CRYPTO_hchacha20 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_hchacha20) #define _CRYPTO_init_sysrand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_init_sysrand) -#define _CRYPTO_is_ARMv8_AES_capable_at_runtime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_AES_capable_at_runtime) -#define _CRYPTO_is_ARMv8_PMULL_capable_at_runtime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_PMULL_capable_at_runtime) -#define _CRYPTO_is_NEON_capable_at_runtime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_NEON_capable_at_runtime) #define _CRYPTO_is_confidential_build BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_confidential_build) #define _CRYPTO_library_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_library_init) #define _CRYPTO_malloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_malloc) 
@@ -676,15 +686,24 @@ #define _CTR_DRBG_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_init) #define _CTR_DRBG_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_new) #define _CTR_DRBG_reseed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_reseed) -#define _ChaCha20_ctr32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32) +#define _ChaCha20_ctr32_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_avx2) +#define _ChaCha20_ctr32_neon BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_neon) +#define _ChaCha20_ctr32_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_nohw) +#define _ChaCha20_ctr32_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3) +#define _ChaCha20_ctr32_ssse3_4x BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_4x) #define _DES_decrypt3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_decrypt3) #define _DES_ecb3_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb3_encrypt) +#define _DES_ecb3_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb3_encrypt_ex) #define _DES_ecb_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb_encrypt) +#define _DES_ecb_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb_encrypt_ex) #define _DES_ede2_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ede2_cbc_encrypt) #define _DES_ede3_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt) +#define _DES_ede3_cbc_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt_ex) #define _DES_encrypt3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_encrypt3) #define _DES_ncbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ncbc_encrypt) +#define _DES_ncbc_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ncbc_encrypt_ex) #define _DES_set_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_key) +#define 
_DES_set_key_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_key_ex) #define _DES_set_key_unchecked BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_key_unchecked) #define _DES_set_odd_parity BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_odd_parity) #define _DH_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_bits) @@ -870,6 +889,10 @@ #define _EC_curve_nid2nist BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_curve_nid2nist) #define _EC_curve_nist2nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_curve_nist2nid) #define _EC_get_builtin_curves BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_get_builtin_curves) +#define _EC_group_p224 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_group_p224) +#define _EC_group_p256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_group_p256) +#define _EC_group_p384 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_group_p384) +#define _EC_group_p521 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_group_p521) #define _EC_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_hash_to_curve_p256_xmd_sha256_sswu) #define _EC_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_hash_to_curve_p384_xmd_sha384_sswu) #define _ED25519_keypair BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ED25519_keypair) 
@@ -1042,6 +1065,7 @@ #define _EVP_HPKE_KEY_generate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_generate) #define _EVP_HPKE_KEY_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_init) #define _EVP_HPKE_KEY_kem BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_kem) +#define _EVP_HPKE_KEY_move BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_move) #define _EVP_HPKE_KEY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_new) #define _EVP_HPKE_KEY_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_private_key) #define _EVP_HPKE_KEY_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_public_key) @@ -1364,6 +1388,7 @@ #define _OBJ_find_sigid_algs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_find_sigid_algs) #define _OBJ_find_sigid_by_algs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_find_sigid_by_algs) #define _OBJ_get0_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_get0_data) +#define _OBJ_get_undef BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_get_undef) #define _OBJ_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_length) #define _OBJ_ln2nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_ln2nid) #define _OBJ_nid2cbb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_nid2cbb) 
@@ -1378,7 +1403,7 @@ #define _OPENSSL_add_all_algorithms_conf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_add_all_algorithms_conf) #define _OPENSSL_armcap_P BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_armcap_P) #define _OPENSSL_asprintf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_asprintf) -#define _OPENSSL_built_in_curves BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_built_in_curves) +#define _OPENSSL_calloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_calloc) #define _OPENSSL_cleanse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_cleanse) #define _OPENSSL_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_cleanup) #define _OPENSSL_clear_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_clear_free) @@ -1386,7 +1411,9 @@ #define _OPENSSL_cpuid_setup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_cpuid_setup) #define _OPENSSL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_free) #define _OPENSSL_fromxdigit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_fromxdigit) +#define _OPENSSL_get_armcap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_get_armcap) #define _OPENSSL_get_armcap_pointer_for_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_get_armcap_pointer_for_test) +#define _OPENSSL_get_ia32cap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_get_ia32cap) #define _OPENSSL_gmtime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_gmtime) #define _OPENSSL_gmtime_adj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_gmtime_adj) #define _OPENSSL_gmtime_diff BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_gmtime_diff) 
@@ -1415,6 +1442,27 @@ #define _OPENSSL_realloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_realloc) #define _OPENSSL_secure_clear_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_secure_clear_free) #define _OPENSSL_secure_malloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_secure_malloc) +#define _OPENSSL_sk_deep_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_deep_copy) +#define _OPENSSL_sk_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_delete) +#define _OPENSSL_sk_delete_if BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_delete_if) +#define _OPENSSL_sk_delete_ptr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_delete_ptr) +#define _OPENSSL_sk_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_dup) +#define _OPENSSL_sk_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_find) +#define _OPENSSL_sk_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_free) +#define _OPENSSL_sk_insert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_insert) +#define _OPENSSL_sk_is_sorted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_is_sorted) +#define _OPENSSL_sk_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_new) +#define _OPENSSL_sk_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_new_null) +#define _OPENSSL_sk_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_num) +#define _OPENSSL_sk_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_pop) +#define _OPENSSL_sk_pop_free_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_pop_free_ex) +#define _OPENSSL_sk_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_push) +#define _OPENSSL_sk_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_set) +#define _OPENSSL_sk_set_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_set_cmp_func) +#define _OPENSSL_sk_shift 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_shift) +#define _OPENSSL_sk_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_sort) +#define _OPENSSL_sk_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_value) +#define _OPENSSL_sk_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_zero) #define _OPENSSL_strcasecmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strcasecmp) #define _OPENSSL_strdup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strdup) #define _OPENSSL_strhash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strhash) @@ -1428,6 +1476,7 @@ #define _OPENSSL_tolower BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_tolower) #define _OPENSSL_vasprintf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_vasprintf) #define _OPENSSL_vasprintf_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_vasprintf_internal) +#define _OPENSSL_zalloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_zalloc) #define _OTHERNAME_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OTHERNAME_free) #define _OTHERNAME_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OTHERNAME_it) #define _OTHERNAME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OTHERNAME_new) @@ -1581,6 +1630,7 @@ #define _RAND_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_bytes) #define _RAND_bytes_with_additional_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_bytes_with_additional_data) #define _RAND_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_cleanup) +#define _RAND_disable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_disable_fork_unsafe_buffering) #define _RAND_egd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_egd) #define _RAND_enable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_enable_fork_unsafe_buffering) #define _RAND_file_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_file_name) 
@@ -1753,7 +1803,6 @@ #define _X509V3_EXT_nconf_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_nconf_nid) #define _X509V3_EXT_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_print) #define _X509V3_EXT_print_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_print_fp) -#define _X509V3_EXT_val_prn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_val_prn) #define _X509V3_NAME_from_section BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_NAME_from_section) #define _X509V3_add1_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_add1_i2d) #define _X509V3_add_standard_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_add_standard_extensions) @@ -1807,7 +1856,6 @@ #define _X509_CRL_add_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_add_ext) #define _X509_CRL_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_cmp) #define _X509_CRL_delete_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_delete_ext) -#define _X509_CRL_diff BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_diff) #define _X509_CRL_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_digest) #define _X509_CRL_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_dup) #define _X509_CRL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_free) 
@@ -1859,15 +1907,12 @@ #define _X509_EXTENSION_set_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_set_data) #define _X509_EXTENSION_set_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_set_object) #define _X509_INFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_INFO_free) -#define _X509_INFO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_INFO_new) -#define _X509_LOOKUP_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_by_subject) +#define _X509_LOOKUP_add_dir BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_add_dir) #define _X509_LOOKUP_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_ctrl) #define _X509_LOOKUP_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_file) #define _X509_LOOKUP_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_free) #define _X509_LOOKUP_hash_dir BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_hash_dir) -#define _X509_LOOKUP_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_init) -#define _X509_LOOKUP_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_new) -#define _X509_LOOKUP_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_shutdown) +#define _X509_LOOKUP_load_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_load_file) #define _X509_NAME_ENTRIES_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRIES_it) #define _X509_NAME_ENTRY_create_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_NID) #define _X509_NAME_ENTRY_create_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_OBJ) 
@@ -1907,25 +1952,20 @@ #define _X509_NAME_print_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_print_ex) #define _X509_NAME_print_ex_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_print_ex_fp) #define _X509_NAME_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_set) +#define _X509_OBJECT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_free) #define _X509_OBJECT_free_contents BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_free_contents) #define _X509_OBJECT_get0_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_get0_X509) #define _X509_OBJECT_get_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_get_type) -#define _X509_OBJECT_idx_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_idx_by_subject) -#define _X509_OBJECT_retrieve_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_retrieve_by_subject) -#define _X509_OBJECT_retrieve_match BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_retrieve_match) -#define _X509_OBJECT_up_ref_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_up_ref_count) -#define _X509_PKEY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PKEY_free) -#define _X509_PKEY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PKEY_new) +#define _X509_OBJECT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_new) #define _X509_PUBKEY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_free) #define _X509_PUBKEY_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get) +#define _X509_PUBKEY_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get0) #define _X509_PUBKEY_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get0_param) #define _X509_PUBKEY_get0_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get0_public_key) #define _X509_PUBKEY_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_it) 
#define _X509_PUBKEY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_new) #define _X509_PUBKEY_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_set) #define _X509_PUBKEY_set0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_set0_param) -#define _X509_PURPOSE_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_add) -#define _X509_PURPOSE_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_cleanup) #define _X509_PURPOSE_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get0) #define _X509_PURPOSE_get0_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get0_name) #define _X509_PURPOSE_get0_sname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get0_sname) @@ -1950,6 +1990,7 @@ #define _X509_REQ_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_dup) #define _X509_REQ_extension_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_extension_nid) #define _X509_REQ_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_free) +#define _X509_REQ_get0_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get0_pubkey) #define _X509_REQ_get0_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get0_signature) #define _X509_REQ_get1_email BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get1_email) #define _X509_REQ_get_attr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_attr) 
@@ -2002,13 +2043,15 @@ #define _X509_STORE_CTX_get0_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_cert) #define _X509_STORE_CTX_get0_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_chain) #define _X509_STORE_CTX_get0_current_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_crl) -#define _X509_STORE_CTX_get0_current_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_issuer) #define _X509_STORE_CTX_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_param) #define _X509_STORE_CTX_get0_parent_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_parent_ctx) #define _X509_STORE_CTX_get0_store BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_store) #define _X509_STORE_CTX_get0_untrusted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_untrusted) +#define _X509_STORE_CTX_get1_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_certs) #define _X509_STORE_CTX_get1_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_chain) +#define _X509_STORE_CTX_get1_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_crls) #define _X509_STORE_CTX_get1_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_issuer) +#define _X509_STORE_CTX_get_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_by_subject) #define _X509_STORE_CTX_get_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_chain) #define _X509_STORE_CTX_get_current_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_current_cert) #define _X509_STORE_CTX_get_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_error) 
@@ -2017,11 +2060,9 @@ #define _X509_STORE_CTX_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_ex_new_index) #define _X509_STORE_CTX_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_init) #define _X509_STORE_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_new) -#define _X509_STORE_CTX_purpose_inherit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_purpose_inherit) #define _X509_STORE_CTX_set0_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set0_crls) #define _X509_STORE_CTX_set0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set0_param) #define _X509_STORE_CTX_set0_trusted_stack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set0_trusted_stack) -#define _X509_STORE_CTX_set_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_cert) #define _X509_STORE_CTX_set_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_chain) #define _X509_STORE_CTX_set_default BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_default) #define _X509_STORE_CTX_set_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_depth) 
@@ -2034,49 +2075,24 @@ #define _X509_STORE_CTX_set_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_trust) #define _X509_STORE_CTX_set_verify_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_verify_cb) #define _X509_STORE_CTX_trusted_stack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_trusted_stack) -#define _X509_STORE_CTX_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_zero) #define _X509_STORE_add_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_add_cert) #define _X509_STORE_add_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_add_crl) #define _X509_STORE_add_lookup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_add_lookup) #define _X509_STORE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_free) #define _X509_STORE_get0_objects BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get0_objects) #define _X509_STORE_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get0_param) -#define _X509_STORE_get1_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get1_certs) -#define _X509_STORE_get1_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get1_crls) -#define _X509_STORE_get_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_by_subject) -#define _X509_STORE_get_cert_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_cert_crl) -#define _X509_STORE_get_check_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_check_crl) -#define _X509_STORE_get_check_issued BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_check_issued) -#define _X509_STORE_get_check_revocation BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_check_revocation) -#define _X509_STORE_get_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_cleanup) -#define _X509_STORE_get_get_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, 
X509_STORE_get_get_crl) -#define _X509_STORE_get_get_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_get_issuer) -#define _X509_STORE_get_lookup_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_lookup_certs) -#define _X509_STORE_get_lookup_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_lookup_crls) -#define _X509_STORE_get_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_verify) -#define _X509_STORE_get_verify_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_verify_cb) #define _X509_STORE_load_locations BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_load_locations) #define _X509_STORE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_new) #define _X509_STORE_set1_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set1_param) -#define _X509_STORE_set_cert_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_cert_crl) #define _X509_STORE_set_check_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_check_crl) -#define _X509_STORE_set_check_issued BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_check_issued) -#define _X509_STORE_set_check_revocation BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_check_revocation) -#define _X509_STORE_set_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_cleanup) #define _X509_STORE_set_default_paths BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_default_paths) #define _X509_STORE_set_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_depth) #define _X509_STORE_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_flags) #define _X509_STORE_set_get_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_get_crl) -#define _X509_STORE_set_get_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_get_issuer) -#define _X509_STORE_set_lookup_certs 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_lookup_certs) -#define _X509_STORE_set_lookup_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_lookup_crls) #define _X509_STORE_set_purpose BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_purpose) #define _X509_STORE_set_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_trust) -#define _X509_STORE_set_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_verify) #define _X509_STORE_set_verify_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_verify_cb) #define _X509_STORE_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_up_ref) -#define _X509_TRUST_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_add) -#define _X509_TRUST_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_cleanup) #define _X509_TRUST_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get0) #define _X509_TRUST_get0_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get0_name) #define _X509_TRUST_get_by_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get_by_id) 
@@ -2091,8 +2107,6 @@ #define _X509_VERIFY_PARAM_add1_host BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_add1_host) #define _X509_VERIFY_PARAM_clear_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_clear_flags) #define _X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_free) -#define _X509_VERIFY_PARAM_get0_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get0_name) -#define _X509_VERIFY_PARAM_get0_peername BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get0_peername) #define _X509_VERIFY_PARAM_get_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_depth) #define _X509_VERIFY_PARAM_get_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_flags) #define _X509_VERIFY_PARAM_inherit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_inherit) @@ -2103,7 +2117,6 @@ #define _X509_VERIFY_PARAM_set1_host BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_host) #define _X509_VERIFY_PARAM_set1_ip BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip) #define _X509_VERIFY_PARAM_set1_ip_asc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip_asc) -#define _X509_VERIFY_PARAM_set1_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_name) #define _X509_VERIFY_PARAM_set1_policies BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_policies) #define _X509_VERIFY_PARAM_set_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_depth) #define _X509_VERIFY_PARAM_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_flags) 
@@ -2146,6 +2159,7 @@ #define _X509_get0_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_extensions) #define _X509_get0_notAfter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_notAfter) #define _X509_get0_notBefore BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_notBefore) +#define _X509_get0_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_pubkey) #define _X509_get0_pubkey_bitstr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_pubkey_bitstr) #define _X509_get0_serialNumber BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_serialNumber) #define _X509_get0_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_signature) @@ -2236,7 +2250,6 @@ #define _X509v3_get_ext_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext_by_OBJ) #define _X509v3_get_ext_by_critical BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext_by_critical) #define _X509v3_get_ext_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext_count) -#define _a2i_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, a2i_GENERAL_NAME) #define _a2i_IPADDRESS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, a2i_IPADDRESS) #define _a2i_IPADDRESS_NC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, a2i_IPADDRESS_NC) #define _aes128gcmsiv_aes_ks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes128gcmsiv_aes_ks) 
@@ -2291,14 +2304,16 @@ #define _asn1_refcount_set_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_refcount_set_one) #define _asn1_set_choice_selector BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_set_choice_selector) #define _asn1_type_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_type_cleanup) +#define _asn1_type_set0_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_type_set0_string) #define _asn1_type_value_as_pointer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_type_value_as_pointer) #define _asn1_utctime_to_tm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_utctime_to_tm) #define _beeu_mod_inverse_vartime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, beeu_mod_inverse_vartime) #define _bio_clear_socket_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_clear_socket_error) -#define _bio_fd_should_retry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_fd_should_retry) +#define _bio_errno_should_retry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_errno_should_retry) #define _bio_ip_and_port_to_socket_and_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_ip_and_port_to_socket_and_addr) #define _bio_sock_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_sock_error) #define _bio_socket_nbio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_socket_nbio) +#define _bio_socket_should_retry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_socket_should_retry) #define _bn_abs_sub_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_abs_sub_consttime) #define _bn_add_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_add_words) #define _bn_assert_fits_in_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_assert_fits_in_bytes) 
@@ -2321,7 +2336,6 @@ #define _bn_minimal_width BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_minimal_width) #define _bn_mod_add_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_add_consttime) #define _bn_mod_add_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_add_words) -#define _bn_mod_exp_base_2_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_exp_base_2_consttime) #define _bn_mod_exp_mont_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_exp_mont_small) #define _bn_mod_inverse0_prime_mont_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_inverse0_prime_mont_small) #define _bn_mod_inverse_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_inverse_consttime) 
@@ -2333,15 +2347,21 @@ #define _bn_mod_sub_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_sub_consttime) #define _bn_mod_sub_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_sub_words) #define _bn_mod_u16_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_u16_consttime) +#define _bn_mont_ctx_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_ctx_cleanup) +#define _bn_mont_ctx_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_ctx_init) +#define _bn_mont_ctx_set_RR_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_ctx_set_RR_consttime) #define _bn_mont_n0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_n0) +#define _bn_mul4x_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul4x_mont) #define _bn_mul_add_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_add_words) #define _bn_mul_comba4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_comba4) #define _bn_mul_comba8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_comba8) #define _bn_mul_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_consttime) #define _bn_mul_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont) #define _bn_mul_mont_gather5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont_gather5) +#define _bn_mul_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont_nohw) #define _bn_mul_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_small) #define _bn_mul_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_words) +#define _bn_mulx4x_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mulx4x_mont) #define _bn_odd_number_is_obviously_composite BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_odd_number_is_obviously_composite) #define _bn_one_to_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_one_to_montgomery) #define _bn_power5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_power5) 
@@ -2359,6 +2379,7 @@ #define _bn_set_static_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_set_static_words) #define _bn_set_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_set_words) #define _bn_sqr8x_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr8x_internal) +#define _bn_sqr8x_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr8x_mont) #define _bn_sqr_comba4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_comba4) #define _bn_sqr_comba8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_comba8) #define _bn_sqr_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_consttime) 
@@ -2377,15 +2398,6 @@ #define _c2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_BIT_STRING) #define _c2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_INTEGER) #define _c2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_OBJECT) -#define _cbb_add_latin1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, cbb_add_latin1) -#define _cbb_add_ucs2_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, cbb_add_ucs2_be) -#define _cbb_add_utf32_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, cbb_add_utf32_be) -#define _cbb_add_utf8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, cbb_add_utf8) -#define _cbb_get_utf8_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, cbb_get_utf8_len) -#define _cbs_get_latin1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, cbs_get_latin1) -#define _cbs_get_ucs2_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, cbs_get_ucs2_be) -#define _cbs_get_utf32_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, cbs_get_utf32_be) -#define _cbs_get_utf8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, cbs_get_utf8) #define _chacha20_poly1305_open BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_open) #define _chacha20_poly1305_seal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_seal) #define _crypto_gcm_clmul_enabled BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, crypto_gcm_clmul_enabled) 
@@ -2441,7 +2453,6 @@ #define _d2i_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EC_PUBKEY) #define _d2i_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EC_PUBKEY_bio) #define _d2i_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EC_PUBKEY_fp) -#define _d2i_EDIPARTYNAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EDIPARTYNAME) #define _d2i_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EXTENDED_KEY_USAGE) #define _d2i_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_GENERAL_NAME) #define _d2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_GENERAL_NAMES) @@ -2449,7 +2460,6 @@ #define _d2i_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKAC) #define _d2i_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKI) #define _d2i_NOTICEREF BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_NOTICEREF) -#define _d2i_OTHERNAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_OTHERNAME) #define _d2i_PKCS12 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS12) #define _d2i_PKCS12_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS12_bio) #define _d2i_PKCS12_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS12_fp) @@ -2495,7 +2505,6 @@ #define _d2i_X509_EXTENSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_EXTENSION) #define _d2i_X509_EXTENSIONS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_EXTENSIONS) #define _d2i_X509_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_NAME) -#define _d2i_X509_NAME_ENTRY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_NAME_ENTRY) #define _d2i_X509_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_PUBKEY) #define _d2i_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_REQ) #define _d2i_X509_REQ_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_REQ_INFO) 
@@ -2506,6 +2515,7 @@ #define _d2i_X509_VAL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_VAL) #define _d2i_X509_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_bio) #define _d2i_X509_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_fp) +#define _dh_check_params_fast BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_check_params_fast) #define _dh_compute_key_padded_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_compute_key_padded_no_self_test) #define _dsa_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dsa_asn1_meth) #define _dsa_check_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dsa_check_key) @@ -2517,9 +2527,6 @@ #define _ec_GFp_mont_felem_reduce BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_felem_reduce) #define _ec_GFp_mont_felem_sqr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_felem_sqr) #define _ec_GFp_mont_felem_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_felem_to_bytes) -#define _ec_GFp_mont_group_finish BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_group_finish) -#define _ec_GFp_mont_group_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_group_init) -#define _ec_GFp_mont_group_set_curve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_group_set_curve) #define _ec_GFp_mont_init_precomp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_init_precomp) #define _ec_GFp_mont_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_mul) #define _ec_GFp_mont_mul_base BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_mul_base) 
@@ -2530,9 +2537,7 @@ #define _ec_GFp_simple_cmp_x_coordinate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_cmp_x_coordinate) #define _ec_GFp_simple_felem_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_felem_from_bytes) #define _ec_GFp_simple_felem_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_felem_to_bytes) -#define _ec_GFp_simple_group_finish BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_group_finish) #define _ec_GFp_simple_group_get_curve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_group_get_curve) -#define _ec_GFp_simple_group_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_group_init) #define _ec_GFp_simple_group_set_curve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_group_set_curve) #define _ec_GFp_simple_invert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_invert) #define _ec_GFp_simple_is_at_infinity BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_is_at_infinity) 
@@ -2554,13 +2559,13 @@ #define _ec_felem_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_from_bytes) #define _ec_felem_neg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_neg) #define _ec_felem_non_zero_mask BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_non_zero_mask) +#define _ec_felem_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_one) #define _ec_felem_select BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_select) #define _ec_felem_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_sub) #define _ec_felem_to_bignum BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_to_bignum) #define _ec_felem_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_to_bytes) #define _ec_get_x_coordinate_as_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_get_x_coordinate_as_bytes) #define _ec_get_x_coordinate_as_scalar BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_get_x_coordinate_as_scalar) -#define _ec_group_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_group_new) #define _ec_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_hash_to_curve_p256_xmd_sha256_sswu) #define _ec_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_hash_to_curve_p384_xmd_sha384_sswu) #define _ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_hash_to_curve_p384_xmd_sha512_sswu_draft07) 
@@ -2620,6 +2625,10 @@ #define _ecp_nistz256_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sub) #define _ed25519_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ed25519_asn1_meth) #define _ed25519_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ed25519_pkey_meth) +#define _fiat_curve25519_adx_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_curve25519_adx_mul) +#define _fiat_curve25519_adx_square BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_curve25519_adx_square) +#define _fiat_p256_adx_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_p256_adx_mul) +#define _fiat_p256_adx_sqr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_p256_adx_sqr) #define _gcm_ghash_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_avx) #define _gcm_ghash_clmul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_clmul) #define _gcm_ghash_neon BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_neon) @@ -2639,7 +2648,6 @@ #define _gcm_init_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_ssse3) #define _gcm_init_v8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_v8) #define _hkdf_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, hkdf_pkey_meth) -#define _i2a_ACCESS_DESCRIPTION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ACCESS_DESCRIPTION) #define _i2a_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_ENUMERATED) #define _i2a_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_INTEGER) #define _i2a_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_OBJECT) 
@@ -2697,7 +2705,6 @@ #define _i2d_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EC_PUBKEY) #define _i2d_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EC_PUBKEY_bio) #define _i2d_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EC_PUBKEY_fp) -#define _i2d_EDIPARTYNAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EDIPARTYNAME) #define _i2d_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EXTENDED_KEY_USAGE) #define _i2d_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_GENERAL_NAME) #define _i2d_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_GENERAL_NAMES) @@ -2705,7 +2712,6 @@ #define _i2d_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKAC) #define _i2d_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKI) #define _i2d_NOTICEREF BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_NOTICEREF) -#define _i2d_OTHERNAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_OTHERNAME) #define _i2d_PKCS12 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS12) #define _i2d_PKCS12_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS12_bio) #define _i2d_PKCS12_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS12_fp) @@ -2756,7 +2762,6 @@ #define _i2d_X509_EXTENSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_EXTENSION) #define _i2d_X509_EXTENSIONS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_EXTENSIONS) #define _i2d_X509_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_NAME) -#define _i2d_X509_NAME_ENTRY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_NAME_ENTRY) #define _i2d_X509_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_PUBKEY) #define _i2d_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_REQ) #define _i2d_X509_REQ_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_REQ_INFO) 
@@ -2778,6 +2783,7 @@ #define _i2t_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2t_ASN1_OBJECT) #define _i2v_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2v_GENERAL_NAME) #define _i2v_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2v_GENERAL_NAMES) +#define _k25519Precomp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, k25519Precomp) #define _kBoringSSLRSASqrtTwo BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, kBoringSSLRSASqrtTwo) #define _kBoringSSLRSASqrtTwoLen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, kBoringSSLRSASqrtTwoLen) #define _kOpenSSLReasonStringData BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, kOpenSSLReasonStringData) 
@@ -2841,31 +2847,62 @@ #define _rsaz_1024_sqr_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_sqr_avx2) #define _s2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, s2i_ASN1_INTEGER) #define _s2i_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, s2i_ASN1_OCTET_STRING) -#define _sha1_block_data_order BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order) -#define _sha256_block_data_order BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order) -#define _sha512_block_data_order BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order) -#define _sk_deep_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_deep_copy) -#define _sk_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_delete) -#define _sk_delete_if BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_delete_if) -#define _sk_delete_ptr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_delete_ptr) -#define _sk_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_dup) -#define _sk_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_find) +#define _sha1_block_data_order_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_avx) +#define _sha1_block_data_order_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_avx2) +#define _sha1_block_data_order_hw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_hw) +#define _sha1_block_data_order_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_nohw) +#define _sha1_block_data_order_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_ssse3) +#define _sha256_block_data_order_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_avx) +#define _sha256_block_data_order_hw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_hw) +#define _sha256_block_data_order_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, 
sha256_block_data_order_nohw) +#define _sha256_block_data_order_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_ssse3) +#define _sha512_block_data_order_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order_avx) +#define _sha512_block_data_order_hw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order_hw) +#define _sha512_block_data_order_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order_nohw) #define _sk_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_free) -#define _sk_insert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_insert) -#define _sk_is_sorted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_is_sorted) -#define _sk_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_new) #define _sk_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_new_null) #define _sk_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_num) #define _sk_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_pop) #define _sk_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_pop_free) #define _sk_pop_free_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_pop_free_ex) #define _sk_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_push) -#define _sk_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_set) -#define _sk_set_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_set_cmp_func) -#define _sk_shift BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_shift) -#define _sk_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_sort) #define _sk_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_value) -#define _sk_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_zero) +#define _spx_base_b BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_base_b) +#define _spx_copy_keypair_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_copy_keypair_addr) +#define _spx_fors_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, 
spx_fors_pk_from_sig) +#define _spx_fors_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_fors_sign) +#define _spx_fors_sk_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_fors_sk_gen) +#define _spx_fors_treehash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_fors_treehash) +#define _spx_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_generate_key) +#define _spx_generate_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_generate_key_from_seed) +#define _spx_get_tree_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_get_tree_index) +#define _spx_ht_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_ht_sign) +#define _spx_ht_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_ht_verify) +#define _spx_set_chain_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_chain_addr) +#define _spx_set_hash_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_hash_addr) +#define _spx_set_keypair_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_keypair_addr) +#define _spx_set_layer_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_layer_addr) +#define _spx_set_tree_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_tree_addr) +#define _spx_set_tree_height BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_tree_height) +#define _spx_set_tree_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_tree_index) +#define _spx_set_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_type) +#define _spx_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_sign) +#define _spx_thash_f BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_f) +#define _spx_thash_h BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_h) +#define _spx_thash_hmsg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_hmsg) +#define _spx_thash_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_prf) +#define _spx_thash_prfmsg 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_prfmsg) +#define _spx_thash_tk BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_tk) +#define _spx_thash_tl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_tl) +#define _spx_to_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_to_uint64) +#define _spx_treehash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_treehash) +#define _spx_uint64_to_len_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_uint64_to_len_bytes) +#define _spx_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_verify) +#define _spx_wots_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_wots_pk_from_sig) +#define _spx_wots_pk_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_wots_pk_gen) +#define _spx_wots_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_wots_sign) +#define _spx_xmss_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_xmss_pk_from_sig) +#define _spx_xmss_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_xmss_sign) #define _v2i_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v2i_GENERAL_NAME) #define _v2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v2i_GENERAL_NAMES) #define _v2i_GENERAL_NAME_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v2i_GENERAL_NAME_ex) 
@@ -2924,12 +2961,15 @@ #define _x25519_ge_p3_to_cached BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_p3_to_cached) #define _x25519_ge_scalarmult BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_scalarmult) #define _x25519_ge_scalarmult_base BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_scalarmult_base) +#define _x25519_ge_scalarmult_base_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_scalarmult_base_adx) #define _x25519_ge_scalarmult_small_precomp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_scalarmult_small_precomp) #define _x25519_ge_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_sub) #define _x25519_ge_tobytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_tobytes) #define _x25519_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_pkey_meth) #define _x25519_sc_reduce BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_sc_reduce) +#define _x25519_scalar_mult_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_scalar_mult_adx) #define _x509V3_add_value_asn1_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509V3_add_value_asn1_string) +#define _x509_check_issued_with_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_check_issued_with_callback) #define _x509_digest_sign_algorithm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_digest_sign_algorithm) #define _x509_digest_verify_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_digest_verify_init) #define _x509_print_rsa_pss_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_print_rsa_pss_params) diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bytestring.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bytestring.h index 2d337af7..29c2e538 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bytestring.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bytestring.h 
@@ -635,6 +635,28 @@ OPENSSL_EXPORT int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text,
 OPENSSL_EXPORT int CBB_flush_asn1_set_of(CBB *cbb);
+// Unicode utilities.
+
+// The following functions read one Unicode code point from |cbs| with the
+// corresponding encoding and store it in |*out|. They return one on success and
+// zero on error.
+OPENSSL_EXPORT int CBS_get_utf8(CBS *cbs, uint32_t *out);
+OPENSSL_EXPORT int CBS_get_latin1(CBS *cbs, uint32_t *out);
+OPENSSL_EXPORT int CBS_get_ucs2_be(CBS *cbs, uint32_t *out);
+OPENSSL_EXPORT int CBS_get_utf32_be(CBS *cbs, uint32_t *out);
+
+// CBB_get_utf8_len returns the number of bytes needed to represent |u| in
+// UTF-8.
+OPENSSL_EXPORT size_t CBB_get_utf8_len(uint32_t u);
+
+// The following functions encode |u| to |cbb| with the corresponding
+// encoding. They return one on success and zero on error.
+OPENSSL_EXPORT int CBB_add_utf8(CBB *cbb, uint32_t u);
+OPENSSL_EXPORT int CBB_add_latin1(CBB *cbb, uint32_t u);
+OPENSSL_EXPORT int CBB_add_ucs2_be(CBB *cbb, uint32_t u);
+OPENSSL_EXPORT int CBB_add_utf32_be(CBB *cbb, uint32_t u);
+
+
 #if defined(__cplusplus)
 } // extern C
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_chacha.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_chacha.h
index eca3fc0e..eb989a37 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_chacha.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_chacha.h
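Review bot: `CBB_get_utf8_len` is documented only for encodable values; the comment does not say what it returns when |u| is not a valid code point (a surrogate or a value above 0x10FFFF), and the paragraph above the `CBS_get_*` readers does not say which inputs count as errors. These readers will be applied to string contents parsed from untrusted ASN.1, so the header should state the rejection rules rather than leave callers to infer them — for example `// Invalid encodings, including overlong forms and surrogate code points, are rejected.` if that is what the implementation does (not visible in this hunk). Likewise `CBB_get_utf8_len` should state its result for an unencodable |u|, e.g. `// Returns zero if |u| cannot be encoded.`, if that is the behaviour.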
@@ -29,6 +29,12 @@ extern "C" { // CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and // nonce and writes the result to |out|. If |in| and |out| alias, they must be // equal. The initial block counter is specified by |counter|. +// +// This function implements a 32-bit block counter as in RFC 8439. On overflow, +// the counter wraps. Reusing a key, nonce, and block counter combination is not +// secure, so wrapping is usually a bug in the caller. While it is possible to +// wrap without reuse with a large initial block counter, this is not +// recommended and may not be portable to other ChaCha20 implementations. OPENSSL_EXPORT void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len, const uint8_t key[32], const uint8_t nonce[12], uint32_t counter); diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cipher.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cipher.h index 798bed84..276c7613 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cipher.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cipher.h @@ -542,6 +542,7 @@ OPENSSL_EXPORT void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx, #define EVP_CTRL_AEAD_SET_MAC_KEY 0x17 // EVP_CTRL_GCM_SET_IV_INV sets the GCM invocation field, decrypt only #define EVP_CTRL_GCM_SET_IV_INV 0x18 +#define EVP_CTRL_GET_IVLEN 0x19 // The following constants are unused. #define EVP_GCM_TLS_FIXED_IV_LEN 4 diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_conf.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_conf.h index b8d899f5..bdaf8cc7 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_conf.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_conf.h @@ -67,7 +67,9 @@ extern "C" { #endif -// Config files look like: +// Config files. +// +// This library handles OpenSSL's config files, which look like: // // # Comment // 
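Review bot: The new counter paragraph tells callers that wrapping is a bug but not when it occurs, so each caller has to re-derive the bound from RFC 8439's 64-byte block. A closing sentence such as `// With a zero initial |counter|, the counter wraps once |in_len| exceeds 2^32 * 64 bytes.` would make the limit checkable at the call site. The declaration of `CRYPTO_chacha_20` that follows is unchanged by this hunk.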
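Review bot: `EVP_CTRL_GET_IVLEN` is the only constant in this run without a one-line comment; the neighbouring entries such as `EVP_CTRL_GCM_SET_IV_INV` each say what the control does. A comment naming what the control reports and through which argument it is returned (not visible in this hunk) would match the surrounding style, e.g. `// EVP_CTRL_GET_IVLEN reports the cipher's IV length.` adjusted to the real out-parameter.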
@@ -82,6 +84,7 @@ extern "C" {
 // untrusted input as a config file risks string injection and denial of service
 // vulnerabilities.
+
 struct conf_value_st {
 char *section;
 char *name;
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_curve25519.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_curve25519.h
index 4df94fbf..2455d385 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_curve25519.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_curve25519.h
@@ -161,10 +161,10 @@ OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out,
 // |*out_key_len| to the number of bytes written.
 //
 // The resulting keying material is suitable for:
-// a) Using directly in a key-confirmation step: i.e. each side could
+// - Using directly in a key-confirmation step: i.e. each side could
 // transmit a hash of their role, a channel-binding value and the key
 // material to prove to the other side that they know the shared key.
-// b) Using as input keying material to HKDF to generate a variety of subkeys
+// - Using as input keying material to HKDF to generate a variety of subkeys
 // for encryption etc.
 //
 // If |max_out_key_key| is smaller than the amount of key material generated
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_des.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_des.h
index 3b03c688..c05eea1d 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_des.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_des.h
@@ -163,19 +163,6 @@ OPENSSL_EXPORT void DES_ede3_cfb_encrypt(const uint8_t *in, uint8_t *out,
 DES_cblock *ivec, int enc);
-// Private functions.
-//
-// These functions are only exported for use in |decrepit|.
-
-OPENSSL_EXPORT void DES_decrypt3(uint32_t *data, const DES_key_schedule *ks1,
- const DES_key_schedule *ks2,
- const DES_key_schedule *ks3);
-
-OPENSSL_EXPORT void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1,
- const DES_key_schedule *ks2,
- const DES_key_schedule *ks3);
-
-
 #if defined(__cplusplus)
 } // extern C
 #endif
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dh.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dh.h
index dfd43c74..f0166670 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dh.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dh.h
@@ -193,7 +193,9 @@ OPENSSL_EXPORT int DH_generate_parameters_ex(DH *dh, int prime_bits,
 // Diffie-Hellman operations.
 // DH_generate_key generates a new, random, private key and stores it in
-// |dh|. It returns one on success and zero on error.
+// |dh|, if |dh| does not already have a private key. Otherwise, it updates
+// |dh|'s public key to match the private key. It returns one on success and
+// zero on error.
 OPENSSL_EXPORT int DH_generate_key(DH *dh);
 // DH_compute_key_padded calculates the shared key between |dh| and |peers_key|
@@ -351,5 +353,6 @@ BSSL_NAMESPACE_END
 #define DH_R_NO_PRIVATE_VALUE 103
 #define DH_R_DECODE_ERROR 104
 #define DH_R_ENCODE_ERROR 105
+#define DH_R_INVALID_PARAMETERS 106
 #endif // OPENSSL_HEADER_DH_H
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dsa.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dsa.h
index 5c75c2f6..5c3adc08 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dsa.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dsa.h
@@ -62,9 +62,7 @@ #include "CJWTKitBoringSSL_base.h" -#include "CJWTKitBoringSSL_engine.h" #include "CJWTKitBoringSSL_ex_data.h" -#include "CJWTKitBoringSSL_thread.h" #if defined(__cplusplus) extern "C" { @@ -398,25 +396,6 @@ OPENSSL_EXPORT DSA *DSA_generate_parameters(int bits, unsigned char *seed, void *cb_arg); -struct dsa_st { - long version; - BIGNUM *p; - BIGNUM *q; // == 20 - BIGNUM *g; - - BIGNUM *pub_key; // y public key - BIGNUM *priv_key; // x private key - - int flags; - // Normally used to cache montgomery values - CRYPTO_MUTEX method_mont_lock; - BN_MONT_CTX *method_mont_p; - BN_MONT_CTX *method_mont_q; - CRYPTO_refcount_t references; - CRYPTO_EX_DATA ex_data; -}; - - #if defined(__cplusplus) } // extern C diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec.h index 3aa885ed..50f41303 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec.h 
@@ -100,26 +100,49 @@ typedef enum { // Elliptic curve groups. +// +// Elliptic curve groups are represented by |EC_GROUP| objects. Unlike OpenSSL, +// if limited to the APIs in this section, callers may treat |EC_GROUP|s as +// static, immutable objects which do not need to be copied or released. In +// BoringSSL, only custom |EC_GROUP|s created by |EC_GROUP_new_curve_GFp| +// (deprecated) are dynamic. +// +// Callers may cast away |const| and use |EC_GROUP_dup| and |EC_GROUP_free| with +// static groups, for compatibility with OpenSSL or dynamic groups, but it is +// otherwise unnecessary. + +// EC_group_p224 returns an |EC_GROUP| for P-224, also known as secp224r1. +OPENSSL_EXPORT const EC_GROUP *EC_group_p224(void); + +// EC_group_p256 returns an |EC_GROUP| for P-256, also known as secp256r1 or +// prime256v1. +OPENSSL_EXPORT const EC_GROUP *EC_group_p256(void); + +// EC_group_p384 returns an |EC_GROUP| for P-384, also known as secp384r1. +OPENSSL_EXPORT const EC_GROUP *EC_group_p384(void); -// EC_GROUP_new_by_curve_name returns a fresh EC_GROUP object for the elliptic -// curve specified by |nid|, or NULL on unsupported NID or allocation failure. +// EC_group_p521 returns an |EC_GROUP| for P-521, also known as secp521r1. +OPENSSL_EXPORT const EC_GROUP *EC_group_p521(void); + +// EC_GROUP_new_by_curve_name returns the |EC_GROUP| object for the elliptic +// curve specified by |nid|, or NULL on unsupported NID. For OpenSSL +// compatibility, this function returns a non-const pointer which may be passed +// to |EC_GROUP_free|. However, the resulting object is actually static and +// calling |EC_GROUP_free| is optional. 
// // The supported NIDs are: -// NID_secp224r1 (P-224), -// NID_X9_62_prime256v1 (P-256), -// NID_secp384r1 (P-384), -// NID_secp521r1 (P-521) +// - |NID_secp224r1| (P-224) +// - |NID_X9_62_prime256v1| (P-256) +// - |NID_secp384r1| (P-384) +// - |NID_secp521r1| (P-521) +// +// Calling this function causes all four curves to be linked into the binary. +// Prefer calling |EC_group_*| to allow the static linker to drop unused curves. // // If in doubt, use |NID_X9_62_prime256v1|, or see the curve25519.h header for // more modern primitives. OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_by_curve_name(int nid); -// EC_GROUP_free releases a reference to |group|. -OPENSSL_EXPORT void EC_GROUP_free(EC_GROUP *group); - -// EC_GROUP_dup takes a reference to |a| and returns it. -OPENSSL_EXPORT EC_GROUP *EC_GROUP_dup(const EC_GROUP *a); - // EC_GROUP_cmp returns zero if |a| and |b| are the same group and non-zero // otherwise. OPENSSL_EXPORT int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, 
@@ -321,24 +344,22 @@ OPENSSL_EXPORT int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, // Hash-to-curve. // -// The following functions implement primitives from -// draft-irtf-cfrg-hash-to-curve-16. The |dst| parameter in each function is the -// domain separation tag and must be unique for each protocol and between the -// |hash_to_curve| and |hash_to_scalar| variants. See section 3.1 of the spec -// for additional guidance on this parameter. +// The following functions implement primitives from RFC 9380. The |dst| +// parameter in each function is the domain separation tag and must be unique +// for each protocol and between the |hash_to_curve| and |hash_to_scalar| +// variants. See section 3.1 of the spec for additional guidance on this +// parameter. // EC_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int EC_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // EC_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int EC_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); 
@@ -346,9 +367,27 @@ OPENSSL_EXPORT int EC_hash_to_curve_p384_xmd_sha384_sswu( // Deprecated functions. +// EC_GROUP_free releases a reference to |group|, if |group| was created by +// |EC_GROUP_new_curve_GFp|. If |group| is static, it does nothing. +// +// This function exists for OpenSSL compatibilty, and to manage dynamic +// |EC_GROUP|s constructed by |EC_GROUP_new_curve_GFp|. Callers that do not need +// either may ignore this function. +OPENSSL_EXPORT void EC_GROUP_free(EC_GROUP *group); + +// EC_GROUP_dup increments |group|'s reference count and returns it, if |group| +// was created by |EC_GROUP_new_curve_GFp|. If |group| is static, it simply +// returns |group|. +// +// This function exists for OpenSSL compatibilty, and to manage dynamic +// |EC_GROUP|s constructed by |EC_GROUP_new_curve_GFp|. Callers that do not need +// either may ignore this function. +OPENSSL_EXPORT EC_GROUP *EC_GROUP_dup(const EC_GROUP *group); + // EC_GROUP_new_curve_GFp creates a new, arbitrary elliptic curve group based // on the equation y² = x³ + a·x + b. It returns the new group or NULL on -// error. +// error. The lifetime of the resulting object must be managed with +// |EC_GROUP_dup| and |EC_GROUP_free|. // // This new group has no generator. It is an error to use a generator-less group // with any functions except for |EC_GROUP_free|, |EC_POINT_new|, diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec_key.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec_key.h index ab246b70..580928e4 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec_key.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec_key.h 
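Review bot: Both new comment blocks misspell "compatibility": `// This function exists for OpenSSL compatibilty, and to manage dynamic` appears above `EC_GROUP_free` and again above `EC_GROUP_dup`. This is vendored upstream text, so the fix belongs upstream as well, but the header is public and the sentence will be copied into callers' documentation; correct it to `compatibility` in both places.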
@@ -259,8 +259,15 @@ OPENSSL_EXPORT int EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key, unsigned enc_flags); // EC_KEY_parse_curve_name parses a DER-encoded OBJECT IDENTIFIER as a curve -// name from |cbs| and advances |cbs|. It returns a newly-allocated |EC_GROUP| -// or NULL on error. +// name from |cbs| and advances |cbs|. It returns the decoded |EC_GROUP| or NULL +// on error. +// +// This function returns a non-const pointer which may be passed to +// |EC_GROUP_free|. However, the resulting object is actually static and calling +// |EC_GROUP_free| is optional. +// +// TODO(davidben): Make this return a const pointer, if it does not break too +// many callers. OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs); // EC_KEY_marshal_curve_name marshals |group| as a DER-encoded OBJECT IDENTIFIER @@ -269,10 +276,16 @@ OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs); OPENSSL_EXPORT int EC_KEY_marshal_curve_name(CBB *cbb, const EC_GROUP *group); // EC_KEY_parse_parameters parses a DER-encoded ECParameters structure (RFC -// 5480) from |cbs| and advances |cbs|. It returns a newly-allocated |EC_GROUP| -// or NULL on error. It supports the namedCurve and specifiedCurve options, but -// use of specifiedCurve is deprecated. Use |EC_KEY_parse_curve_name| -// instead. +// 5480) from |cbs| and advances |cbs|. It returns the resulting |EC_GROUP| or +// NULL on error. It supports the namedCurve and specifiedCurve options, but use +// of specifiedCurve is deprecated. Use |EC_KEY_parse_curve_name| instead. +// +// This function returns a non-const pointer which may be passed to +// |EC_GROUP_free|. However, the resulting object is actually static and calling +// |EC_GROUP_free| is optional. +// +// TODO(davidben): Make this return a const pointer, if it does not break too +// many callers. OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_parameters(CBS *cbs); 
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_evp.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_evp.h index ca23c4f9..643cf542 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_evp.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_evp.h @@ -59,7 +59,7 @@ #include "CJWTKitBoringSSL_base.h" -#include "CJWTKitBoringSSL_evp_errors.h" +#include "CJWTKitBoringSSL_evp_errors.h" // IWYU pragma: export #include "CJWTKitBoringSSL_thread.h" // OpenSSL included digest and cipher functions in this header so we include @@ -180,11 +180,6 @@ OPENSSL_EXPORT EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey); #define EVP_PKEY_X25519 NID_X25519 #define EVP_PKEY_HKDF NID_hkdf -// EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of -// the given type. It returns one if successful or zero if the |type| argument -// is not one of the |EVP_PKEY_*| values or if |key| is NULL. -OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); - // EVP_PKEY_set_type sets the type of |pkey| to |type|. It returns one if // successful or zero if the |type| argument is not one of the |EVP_PKEY_*| // values. If |pkey| is NULL, it simply reports whether the type is known. @@ -480,7 +475,7 @@ OPENSSL_EXPORT int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, // returns one on success and zero on allocation failure or if iterations is 0. OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, const uint8_t *salt, size_t salt_len, - unsigned iterations, const EVP_MD *digest, + uint32_t iterations, const EVP_MD *digest, size_t key_len, uint8_t *out_key); // PKCS5_PBKDF2_HMAC_SHA1 is the same as PKCS5_PBKDF2_HMAC, but with |digest| 
@@ -488,7 +483,7 @@ OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC_SHA1(const char *password, size_t password_len, const uint8_t *salt, size_t salt_len, - unsigned iterations, size_t key_len, + uint32_t iterations, size_t key_len, uint8_t *out_key); // EVP_PBE_scrypt expands |password| into a secret key of length |key_len| using @@ -1032,6 +1027,15 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, OPENSSL_EXPORT int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits); +// EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of +// the given type. If successful, it returns one. If the |type| argument +// is not one of |EVP_PKEY_RSA|, |EVP_PKEY_DSA|, or |EVP_PKEY_EC| values or if +// |key| is NULL, it returns zero. This function may not be used with other +// |EVP_PKEY_*| types. +// +// Use the |EVP_PKEY_assign_*| functions instead. +OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); + // Preprocessor compatibility section (hidden). // diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ex_data.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ex_data.h index 05e4c9f6..81061df6 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ex_data.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ex_data.h 
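Review bot: The re-added `EVP_PKEY_assign` comment still does not say who owns |key| afterwards, which is the one thing a caller of an "assign" function taking a raw `void *` must know: whether |pkey| takes ownership on success and whether the caller keeps it on failure. If the |EVP_PKEY_assign_*| helpers it points to transfer ownership (not visible in this hunk), add `// On success, |pkey| takes ownership of |key|; on failure, the caller retains it.` so the contract is explicit rather than inherited from OpenSSL convention.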
@@ -163,10 +163,11 @@ OPENSSL_EXPORT void *TYPE_get_ex_data(const TYPE *t, int index); // callback has been passed to |SSL_get_ex_new_index| then it may be called each // time an |SSL*| is destroyed. // -// The callback is passed the new object (i.e. the |SSL*|) in |parent|. The -// arguments |argl| and |argp| contain opaque values that were given to -// |CRYPTO_get_ex_new_index|. The callback should return one on success, but -// the value is ignored. +// The callback is passed the to-be-destroyed object (i.e. the |SSL*|) in +// |parent|. As |parent| will shortly be destroyed, callers must not perform +// operations that would increment its reference count, pass ownership, or +// assume the object outlives the function call. The arguments |argl| and |argp| +// contain opaque values that were given to |CRYPTO_get_ex_new_index|. // // This callback may be called with a NULL value for |ptr| if |parent| has no // value set for this index. However, the callbacks may also be skipped entirely diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hpke.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hpke.h index 6f0c0cf1..683fb24c 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hpke.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hpke.h @@ -140,6 +140,10 @@ OPENSSL_EXPORT void EVP_HPKE_KEY_free(EVP_HPKE_KEY *key); OPENSSL_EXPORT int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src); +// EVP_HPKE_KEY_move sets |out|, which must be initialized or in the zero state, +// to the key in |in|. |in| is mutated and left in the zero state. +OPENSSL_EXPORT void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in); + // EVP_HPKE_KEY_init decodes |priv_key| as a private key for |kem| and // initializes |key| with the result. It returns one on success and zero if // |priv_key| was invalid. On success, the caller must call 
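Review bot: `EVP_HPKE_KEY_move` says |out| "must be initialized or in the zero state" but not what happens to an initialized |out|'s existing key material — whether it is cleansed and released before being overwritten, or simply dropped. Because this moves private key bytes, the comment should say so explicitly, e.g. `// Any key previously held by |out| is cleared.`, if that is the implementation's behaviour (not visible in this hunk).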
@@ -389,8 +393,8 @@ using ScopedEVP_HPKE_CTX = internal::StackAllocated; using ScopedEVP_HPKE_KEY = - internal::StackAllocated; + internal::StackAllocatedMovable; BORINGSSL_MAKE_DELETER(EVP_HPKE_CTX, EVP_HPKE_CTX_free) BORINGSSL_MAKE_DELETER(EVP_HPKE_KEY, EVP_HPKE_KEY_free) diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_kyber.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_kyber.h index 6150696d..02b1b30c 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_kyber.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_kyber.h @@ -23,6 +23,9 @@ extern "C" { // Kyber768. +// +// This implements the round-3 specification of Kyber, defined at +// https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf // KYBER_public_key contains a Kyber768 public key. The contents of this @@ -47,6 +50,12 @@ struct KYBER_private_key { // key. #define KYBER_PUBLIC_KEY_BYTES 1184 +// KYBER_SHARED_SECRET_BYTES is the number of bytes in the Kyber768 shared +// secret. Although the round-3 specification has a variable-length output, the +// final ML-KEM construction is expected to use a fixed 32-byte output. To +// simplify the future transition, we apply the same restriction. +#define KYBER_SHARED_SECRET_BYTES 32 + // KYBER_generate_key generates a random public/private key pair, writes the // encoded public key to |out_encoded_public_key| and sets |out_private_key| to // the private key. 
@@ -65,25 +74,24 @@ OPENSSL_EXPORT void KYBER_public_from_private( // KYBER_CIPHERTEXT_BYTES is number of bytes in the Kyber768 ciphertext. #define KYBER_CIPHERTEXT_BYTES 1088 -// KYBER_encap encrypts a random secret key of length |out_shared_secret_len| to -// |public_key|, writes the ciphertext to |ciphertext|, and writes the random -// key to |out_shared_secret|. The party calling |KYBER_decap| must already know -// the correct value of |out_shared_secret_len|. -OPENSSL_EXPORT void KYBER_encap(uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], - uint8_t *out_shared_secret, - size_t out_shared_secret_len, - const struct KYBER_public_key *public_key); - -// KYBER_decap decrypts a key of length |out_shared_secret_len| from -// |ciphertext| using |private_key| and writes it to |out_shared_secret|. If -// |ciphertext| is invalid, |out_shared_secret| is filled with a key that -// will always be the same for the same |ciphertext| and |private_key|, but -// which appears to be random unless one has access to |private_key|. These -// alternatives occur in constant time. Any subsequent symmetric encryption -// using |out_shared_secret| must use an authenticated encryption scheme in -// order to discover the decapsulation failure. +// KYBER_encap encrypts a random shared secret for |public_key|, writes the +// ciphertext to |out_ciphertext|, and writes the random shared secret to +// |out_shared_secret|. +OPENSSL_EXPORT void KYBER_encap( + uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], + uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], + const struct KYBER_public_key *public_key); + +// KYBER_decap decrypts a shared secret from |ciphertext| using |private_key| +// and writes it to |out_shared_secret|. If |ciphertext| is invalid, +// |out_shared_secret| is filled with a key that will always be the same for the +// same |ciphertext| and |private_key|, but which appears to be random unless +// one has access to |private_key|. These alternatives occur in constant time. 
+// Any subsequent symmetric encryption using |out_shared_secret| must use an +// authenticated encryption scheme in order to discover the decapsulation +// failure. OPENSSL_EXPORT void KYBER_decap( - uint8_t *out_shared_secret, size_t out_shared_secret_len, + uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], const uint8_t ciphertext[KYBER_CIPHERTEXT_BYTES], const struct KYBER_private_key *private_key); diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_mem.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_mem.h index 071cdbd3..9d683de8 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_mem.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_mem.h @@ -81,14 +81,16 @@ extern "C" { // the case of a malloc failure, prior to returning NULL |OPENSSL_malloc| will // push |ERR_R_MALLOC_FAILURE| onto the openssl error stack. OPENSSL_EXPORT void *OPENSSL_malloc(size_t size); -#endif // !_BORINGSSL_PROHIBIT_OPENSSL_MALLOC -// OPENSSL_free does nothing if |ptr| is NULL. Otherwise it zeros out the -// memory allocated at |ptr| and frees it along with the private data. -// It must only be used on on |ptr| values obtained from |OPENSSL_malloc| -OPENSSL_EXPORT void OPENSSL_free(void *ptr); +// OPENSSL_zalloc behaves like |OPENSSL_malloc| except it also initializes the +// resulting memory to zero. +OPENSSL_EXPORT void *OPENSSL_zalloc(size_t size); + +// OPENSSL_calloc is similar to a regular |calloc|, but allocates data with +// |OPENSSL_malloc|. On overflow, it will push |ERR_R_OVERFLOW| onto the error +// queue. +OPENSSL_EXPORT void *OPENSSL_calloc(size_t num, size_t size); -#ifndef _BORINGSSL_PROHIBIT_OPENSSL_MALLOC // OPENSSL_realloc returns a pointer to a buffer of |new_size| bytes that // contains the contents of |ptr|. Unlike |realloc|, a new buffer is always // allocated and the data at |ptr| is always wiped and freed. Memory is 
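Review bot: `KYBER_encap` and `KYBER_decap` lose the `out_shared_secret_len` parameter and now write exactly `KYBER_SHARED_SECRET_BYTES` (32) bytes into an array-typed argument, so any existing caller passing a length no longer compiles, and any buffer that was sized from the old length argument must now be at least 32 bytes. If this package has Kyber call sites, they need to be updated in the same commit. The security semantics on invalid ciphertext — implicit rejection in constant time, with an authenticated encryption scheme required to detect the failure — are preserved in the new `KYBER_decap` text, which is the important property to keep.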
@@ -96,6 +98,11 @@ OPENSSL_EXPORT void OPENSSL_free(void *ptr); OPENSSL_EXPORT void *OPENSSL_realloc(void *ptr, size_t new_size); #endif // !_BORINGSSL_PROHIBIT_OPENSSL_MALLOC +// OPENSSL_free does nothing if |ptr| is NULL. Otherwise it zeros out the +// memory allocated at |ptr| and frees it along with the private data. +// It must only be used on on |ptr| values obtained from |OPENSSL_malloc| +OPENSSL_EXPORT void OPENSSL_free(void *ptr); + // OPENSSL_cleanse zeros out |len| bytes of memory at |ptr|. This is similar to // |memset_s| from C11. OPENSSL_EXPORT void OPENSSL_cleanse(void *ptr, size_t len); diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_obj.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_obj.h index 912be7d2..64f73a59 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_obj.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_obj.h @@ -60,7 +60,7 @@ #include "CJWTKitBoringSSL_base.h" #include "CJWTKitBoringSSL_bytestring.h" -#include "CJWTKitBoringSSL_nid.h" +#include "CJWTKitBoringSSL_nid.h" // IWYU pragma: export #if defined(__cplusplus) extern "C" { @@ -148,6 +148,10 @@ OPENSSL_EXPORT int OBJ_txt2nid(const char *s); // a non-const pointer and manage ownership. OPENSSL_EXPORT ASN1_OBJECT *OBJ_nid2obj(int nid); +// OBJ_get_undef returns the object for |NID_undef|. Prefer this function over +// |OBJ_nid2obj| to avoid pulling in the full OID table. +OPENSSL_EXPORT const ASN1_OBJECT *OBJ_get_undef(void); + // OBJ_nid2sn returns the short name for |nid|, or NULL if |nid| is unknown. OPENSSL_EXPORT const char *OBJ_nid2sn(int nid); diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_opensslconf.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_opensslconf.h index 51657030..feb9246c 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_opensslconf.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_opensslconf.h 
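Review bot: `OPENSSL_calloc` says it pushes `ERR_R_OVERFLOW` on overflow but not what it returns, while the adjacent `OPENSSL_malloc` comment does state the NULL return; `OPENSSL_zalloc` likewise relies on "behaves like" for its failure case. Make the failure return explicit, e.g. `// On overflow, it pushes |ERR_R_OVERFLOW| onto the error queue and returns NULL.`, assuming NULL is indeed returned (the implementation is not visible here). The hunk starts on the previous line with the `OPENSSL_malloc` declaration.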
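Review bot: The relocated `OPENSSL_free` comment carries a doubled word, `// It must only be used on on |ptr| values obtained from |OPENSSL_malloc|`, and ends without a period. With `OPENSSL_zalloc` and `OPENSSL_calloc` now declared above it, the sentence should also name them (and presumably `OPENSSL_realloc`) as valid sources, e.g. `// It must only be used on |ptr| values obtained from |OPENSSL_malloc|, |OPENSSL_zalloc|, |OPENSSL_calloc|, or |OPENSSL_realloc|.`, if those allocators share the same private-data layout (not visible in this hunk).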
@@ -18,6 +18,7 @@ #ifndef OPENSSL_HEADER_OPENSSLCONF_H #define OPENSSL_HEADER_OPENSSLCONF_H +/* Keep in sync with the list in rust/bssl-sys/build.rs */ #define OPENSSL_NO_ASYNC #define OPENSSL_NO_BF diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pem.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pem.h index 97d60727..29892ad0 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pem.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pem.h @@ -347,9 +347,27 @@ OPENSSL_EXPORT int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, unsigned char *kstr, int klen, pem_password_cb *cb, void *u); +// PEM_X509_INFO_read_bio reads PEM blocks from |bp| and decodes any +// certificates, CRLs, and private keys found. It returns a +// |STACK_OF(X509_INFO)| structure containing the results, or NULL on error. +// +// If |sk| is NULL, the result on success will be a newly-allocated +// |STACK_OF(X509_INFO)| structure which should be released with +// |sk_X509_INFO_pop_free| and |X509_INFO_free| when done. +// +// If |sk| is non-NULL, it appends the results to |sk| instead and returns |sk| +// on success. In this case, the caller retains ownership of |sk| in both +// success and failure. OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio( BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u); +// PEM_X509_INFO_read behaves like |PEM_X509_INFO_read_bio| but reads from a +// |FILE|. +OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, + STACK_OF(X509_INFO) *sk, + pem_password_cb *cb, + void *u); + OPENSSL_EXPORT int PEM_read(FILE *fp, char **name, char **header, unsigned char **data, long *len); OPENSSL_EXPORT int PEM_write(FILE *fp, const char *name, const char *hdr, 
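Review bot: The new comment `/* Keep in sync with the list in rust/bssl-sys/build.rs */` points at an upstream BoringSSL path; the vendored tree shown in this diff (`Sources/CJWTKitBoringSSL/...`) does not appear to carry `rust/bssl-sys`, so the instruction cannot be acted on here. Either keep it verbatim as upstream text the vend script copies through, or annotate it as referring to upstream BoringSSL, so a maintainer does not go looking for a file this package does not ship.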
@@ -360,10 +378,6 @@ OPENSSL_EXPORT int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp, void *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *callback, void *u); -OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, - STACK_OF(X509_INFO) *sk, - pem_password_cb *cb, - void *u); // PEM_def_callback treats |userdata| as a string and copies it into |buf|, // assuming its |size| is sufficient. Returns the length of the string, or 0 @@ -454,7 +468,7 @@ OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey(FILE *fp, const EVP_PKEY *x, #ifdef __cplusplus -} +} // extern "C" #endif #define PEM_R_BAD_BASE64_DECODE 100 diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_posix_time.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_posix_time.h new file mode 100644 index 00000000..573fa5b9 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_posix_time.h 
@@ -0,0 +1,51 @@ +/* Copyright (c) 2022, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_POSIX_TIME_H +#define OPENSSL_HEADER_POSIX_TIME_H + +#include "CJWTKitBoringSSL_base.h" + +#include + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Time functions. + + +// OPENSSL_posix_to_tm converts a int64_t POSIX time value in |time|, which must +// be in the range of year 0000 to 9999, to a broken out time value in |tm|. It +// returns one on success and zero on error. +OPENSSL_EXPORT int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm); + +// OPENSSL_tm_to_posix converts a time value between the years 0 and 9999 in +// |tm| to a POSIX time value in |out|. One is returned on success, zero is +// returned on failure. It is a failure if |tm| contains out of range values. +OPENSSL_EXPORT int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out); + +// OPENSSL_timegm converts a time value between the years 0 and 9999 in |tm| to +// a time_t value in |out|. One is returned on success, zero is returned on +// failure. It is a failure if the converted time can not be represented in a +// time_t, or if the tm contains out of range values. 
+OPENSSL_EXPORT int OPENSSL_timegm(const struct tm *tm, time_t *out); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_POSIX_TIME_H diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rand.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rand.h index af8b08f5..5a2ba96c 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rand.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rand.h @@ -29,20 +29,6 @@ extern "C" { // event that sufficient random data can not be obtained, |abort| is called. OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len); -// RAND_get_system_entropy_for_custom_prng writes |len| bytes of random data -// from a system entropy source to |buf|. The maximum length of entropy which -// may be requested is 256 bytes. If more than 256 bytes of data is requested, -// or if sufficient random data can not be obtained, |abort| is called. -// |RAND_bytes| should normally be used instead of this function. This function -// should only be used for seed values or where |malloc| should not be called -// from BoringSSL. This function is not FIPS compliant. -OPENSSL_EXPORT void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, - size_t len); - -// RAND_cleanup frees any resources used by the RNG. This is not safe if other -// threads might still be calling |RAND_bytes|. -OPENSSL_EXPORT void RAND_cleanup(void); - // Obscure functions. @@ -57,6 +43,11 @@ OPENSSL_EXPORT void RAND_cleanup(void); // It has an unusual name because the buffer is unsafe across calls to |fork|. // Hence, this function should never be called by libraries. OPENSSL_EXPORT void RAND_enable_fork_unsafe_buffering(int fd); + +// RAND_disable_fork_unsafe_buffering disables efficient buffered reading of +// /dev/urandom, causing BoringSSL to always draw entropy on every request +// for random bytes. +OPENSSL_EXPORT void RAND_disable_fork_unsafe_buffering(void); #endif #if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) 
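Review bot: The doc comment on OPENSSL_posix_to_tm calls the output parameter |tm| while the declaration names it out_tm, so the prose cannot be matched to the signature; the comment should use the declared name, and "a int64_t" should read "an int64_t". Suggested wording: `// OPENSSL_posix_to_tm converts an int64_t POSIX time value in |time|, which must` / `// be in the range of year 0000 to 9999, to a broken out time value in |out_tm|. It` / `// returns one on success and zero on error.`. This appears to be a vendored upstream header, so the fix probably belongs upstream or in the vendoring step rather than as a local edit.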
@@ -65,6 +56,16 @@ OPENSSL_EXPORT void RAND_enable_fork_unsafe_buffering(int fd); OPENSSL_EXPORT void RAND_reset_for_fuzzing(void); #endif +// RAND_get_system_entropy_for_custom_prng writes |len| bytes of random data +// from a system entropy source to |buf|. The maximum length of entropy which +// may be requested is 256 bytes. If more than 256 bytes of data is requested, +// or if sufficient random data can not be obtained, |abort| is called. +// |RAND_bytes| should normally be used instead of this function. This function +// should only be used for seed values or where |malloc| should not be called +// from BoringSSL. This function is not FIPS compliant. +OPENSSL_EXPORT void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, + size_t len); + // Deprecated functions @@ -93,6 +94,9 @@ OPENSSL_EXPORT int RAND_poll(void); // RAND_status returns one. OPENSSL_EXPORT int RAND_status(void); +// RAND_cleanup does nothing. +OPENSSL_EXPORT void RAND_cleanup(void); + // rand_meth_st is typedefed to |RAND_METHOD| in base.h. It isn't used; it // exists only to be the return type of |RAND_SSLeay|. It's // external so that variables of this type can be initialized. diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rsa.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rsa.h index 538ba9ac..0c2bce31 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rsa.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rsa.h 
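Review bot: The new comment `// RAND_cleanup does nothing.` replaces the earlier contract that the function "frees any resources used by the RNG" without telling callers that it is now a compatibility no-op, so code that calls it expecting RNG state to be released will silently get nothing. Suggested wording: `// RAND_cleanup does nothing. It is retained only so that existing callers continue to compile and link; it neither releases nor reseeds any RNG state.`. The declaration appears to sit under the "Deprecated functions" heading introduced by the preceding hunk, which fits that wording.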
@@ -236,6 +236,13 @@ OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb); // RSA_PKCS1_PADDING denotes PKCS#1 v1.5 padding. When used with encryption, // this is RSAES-PKCS1-v1_5. When used with signing, this is RSASSA-PKCS1-v1_5. +// +// WARNING: The RSAES-PKCS1-v1_5 encryption scheme is vulnerable to a +// chosen-ciphertext attack. Decrypting attacker-supplied ciphertext with +// RSAES-PKCS1-v1_5 may give the attacker control over your private key. This +// does not impact the RSASSA-PKCS1-v1_5 signature scheme. See "Chosen +// Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard +// PKCS #1", Daniel Bleichenbacher, Advances in Cryptology (Crypto '98). #define RSA_PKCS1_PADDING 1 // RSA_NO_PADDING denotes a raw RSA operation. @@ -256,8 +263,7 @@ OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb); // It returns 1 on success or zero on error. // // The |padding| argument must be one of the |RSA_*_PADDING| values. If in -// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but -// |RSA_PKCS1_PADDING| is most common. +// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); 
@@ -271,12 +277,16 @@ OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, // The |padding| argument must be one of the |RSA_*_PADDING| values. If in // doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. // -// Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If -// implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then -// check padding in constant-time combined with a swap to a random session key -// or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based -// on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in -// Cryptology (Crypto '98). +// WARNING: Passing |RSA_PKCS1_PADDING| into this function is deprecated and +// insecure. RSAES-PKCS1-v1_5 is vulnerable to a chosen-ciphertext attack. +// Decrypting attacker-supplied ciphertext with RSAES-PKCS1-v1_5 may give the +// attacker control over your private key. See "Chosen Ciphertext Attacks +// Against Protocols Based on the RSA Encryption Standard PKCS #1", Daniel +// Bleichenbacher, Advances in Cryptology (Crypto '98). +// +// In some limited cases, such as TLS RSA key exchange, it is possible to +// mitigate this flaw with custom, protocol-specific padding logic. This +// should be implemented with |RSA_NO_PADDING|, not |RSA_PKCS1_PADDING|. OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); 
@@ -285,8 +295,7 @@ OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, // |rsa| and writes the encrypted data to |to|. The |to| buffer must have at // least |RSA_size| bytes of space. It returns the number of bytes written, or // -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| -// values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but -// |RSA_PKCS1_PADDING| is most common. +// values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. // // WARNING: this function is dangerous because it breaks the usual return value // convention. Use |RSA_encrypt| instead. 
@@ -818,67 +827,6 @@ struct rsa_meth_st { }; -// Private functions. - -typedef struct bn_blinding_st BN_BLINDING; - -struct rsa_st { - RSA_METHOD *meth; - - // Access to the following fields was historically allowed, but - // deprecated. Use |RSA_get0_*| and |RSA_set0_*| instead. Access to all other - // fields is forbidden and will cause threading errors. - BIGNUM *n; - BIGNUM *e; - BIGNUM *d; - BIGNUM *p; - BIGNUM *q; - BIGNUM *dmp1; - BIGNUM *dmq1; - BIGNUM *iqmp; - - // be careful using this if the RSA structure is shared - CRYPTO_EX_DATA ex_data; - CRYPTO_refcount_t references; - int flags; - - CRYPTO_MUTEX lock; - - // Used to cache montgomery values. The creation of these values is protected - // by |lock|. - BN_MONT_CTX *mont_n; - BN_MONT_CTX *mont_p; - BN_MONT_CTX *mont_q; - - // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively, - // but with the correct widths to prevent side channels. These must use - // separate copies due to threading concerns caused by OpenSSL's API - // mistakes. See https://github.com/openssl/openssl/issues/5158 and - // the |freeze_private_key| implementation. - BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed; - - // inv_small_mod_large_mont is q^-1 mod p in Montgomery form, using |mont_p|, - // if |p| >= |q|. Otherwise, it is p^-1 mod q in Montgomery form, using - // |mont_q|. - BIGNUM *inv_small_mod_large_mont; - - // num_blindings contains the size of the |blindings| and |blindings_inuse| - // arrays. This member and the |blindings_inuse| array are protected by - // |lock|. - size_t num_blindings; - // blindings is an array of BN_BLINDING structures that can be reserved by a - // thread by locking |lock| and changing the corresponding element in - // |blindings_inuse| from 0 to 1. - BN_BLINDING **blindings; - unsigned char *blindings_inuse; - uint64_t blinding_fork_generation; - - // private_key_frozen is one if the key has been used for a private key - // operation and may no longer be mutated. 
- unsigned private_key_frozen:1; -}; - - #if defined(__cplusplus) } // extern C diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_sha.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_sha.h index 9e8465af..b8d4cd95 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_sha.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_sha.h @@ -96,12 +96,29 @@ OPENSSL_EXPORT uint8_t *SHA1(const uint8_t *data, size_t len, OPENSSL_EXPORT void SHA1_Transform(SHA_CTX *sha, const uint8_t block[SHA_CBLOCK]); +// CRYPTO_fips_186_2_prf derives |out_len| bytes from |xkey| using the PRF +// defined in FIPS 186-2, Appendix 3.1, with change notice 1 applied. The b +// parameter is 160 and seed, XKEY, is also 160 bits. The optional XSEED user +// input is all zeros. +// +// The PRF generates a sequence of 320-bit numbers. Each number is encoded as a +// 40-byte string in big-endian and then concatenated to form |out|. If +// |out_len| is not a multiple of 40, the result is truncated. This matches the +// construction used in Section 7 of RFC 4186 and Section 7 of RFC 4187. +// +// This PRF is based on SHA-1, a weak hash function, and should not be used +// in new protocols. It is provided for compatibility with some legacy EAP +// methods. +OPENSSL_EXPORT void CRYPTO_fips_186_2_prf( + uint8_t *out, size_t out_len, const uint8_t xkey[SHA_DIGEST_LENGTH]); + struct sha_state_st { -#if defined(OPENSSL_WINDOWS) +#if defined(__cplusplus) || defined(OPENSSL_WINDOWS) uint32_t h[5]; #else - // wpa_supplicant accesses |h0|..|h4| so we must support those names - // for compatibility with it until it can be updated. + // wpa_supplicant accesses |h0|..|h4| so we must support those names for + // compatibility with it until it can be updated. Anonymous unions are only + // standard in C11, so disable this workaround in C++. union { uint32_t h[5]; struct { 
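Review bot: The new `#if defined(__cplusplus) || defined(OPENSSL_WINDOWS)` gives struct sha_state_st two different definitions depending on the compiler, and the accompanying comment explains why the union is disabled in C++ but not that the two branches must stay layout-identical; the struct continues past the end of the hunk. If a |SHA_CTX| created in a C translation unit is consumed in a C++ one, or vice versa, any future edit that changes size or field order in only one branch would be an ABI break that compiles cleanly. Suggest extending the new comment with `// Both branches must keep the same size and layout, since a |SHA_CTX| may` / `// cross between translation units compiled as C and as C++.`.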
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_span.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_span.h index 31e5e9ff..b4f30553 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_span.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_span.h @@ -26,6 +26,10 @@ extern "C++" { #include #include +#if __cplusplus >= 201703L +#include +#endif + BSSL_NAMESPACE_BEGIN template @@ -40,20 +44,7 @@ class SpanBase { "Span must be derived from SpanBase"); friend bool operator==(Span lhs, Span rhs) { - // MSVC issues warning C4996 because std::equal is unsafe. The pragma to - // suppress the warning mysteriously has no effect, hence this - // implementation. See - // https://msdn.microsoft.com/en-us/library/aa985974.aspx. - if (lhs.size() != rhs.size()) { - return false; - } - for (T *l = lhs.begin(), *r = rhs.begin(); l != lhs.end() && r != rhs.end(); - ++l, ++r) { - if (*l != *r) { - return false; - } - } - return true; + return std::equal(lhs.begin(), lhs.end(), rhs.begin(), rhs.end()); } friend bool operator!=(Span lhs, Span rhs) { return !(lhs == rhs); } @@ -94,8 +85,6 @@ class SpanBase { template class Span : private internal::SpanBase { private: - static const size_t npos = static_cast(-1); - // Heuristically test whether C is a container type that can be converted into // a Span by checking for data() and size() member functions. // @@ -106,6 +95,19 @@ class Span : private internal::SpanBase { std::is_integral().size())>::value>; public: + static const size_t npos = static_cast(-1); + + using element_type = T; + using value_type = std::remove_cv_t; + using size_type = size_t; + using difference_type = ptrdiff_t; + using pointer = T *; + using const_pointer = const T *; + using reference = T &; + using const_reference = const T &; + using iterator = T *; + using const_iterator = const T *; + constexpr Span() : Span(nullptr, 0) {} constexpr Span(T *ptr, size_t len) : data_(ptr), size_(len) {} 
@@ -114,36 +116,37 @@ class Span : private internal::SpanBase { template , typename = std::enable_if_t::value, C>> - Span(const C &container) : data_(container.data()), size_(container.size()) {} + constexpr Span(const C &container) + : data_(container.data()), size_(container.size()) {} template , typename = std::enable_if_t::value, C>> - explicit Span(C &container) + constexpr explicit Span(C &container) : data_(container.data()), size_(container.size()) {} - T *data() const { return data_; } - size_t size() const { return size_; } - bool empty() const { return size_ == 0; } + constexpr T *data() const { return data_; } + constexpr size_t size() const { return size_; } + constexpr bool empty() const { return size_ == 0; } - T *begin() const { return data_; } - const T *cbegin() const { return data_; } - T *end() const { return data_ + size_; } - const T *cend() const { return end(); } + constexpr iterator begin() const { return data_; } + constexpr const_iterator cbegin() const { return data_; } + constexpr iterator end() const { return data_ + size_; } + constexpr const_iterator cend() const { return end(); } - T &front() const { + constexpr T &front() const { if (size_ == 0) { abort(); } return data_[0]; } - T &back() const { + constexpr T &back() const { if (size_ == 0) { abort(); } return data_[size_ - 1]; } - T &operator[](size_t i) const { + constexpr T &operator[](size_t i) const { if (i >= size_) { abort(); } @@ -151,7 +154,7 @@ class Span : private internal::SpanBase { } T &at(size_t i) const { return (*this)[i]; } - Span subspan(size_t pos = 0, size_t len = npos) const { + constexpr Span subspan(size_t pos = 0, size_t len = npos) const { if (pos > size_) { // absl::Span throws an exception here. Note std::span and Chromium // base::span additionally forbid pos + len being out of range, with a 
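Review bot: `T &at(size_t i) const { return (*this)[i]; }` is left non-constexpr in this hunk while `operator[]`, which it forwards to, is made `constexpr` just above it, so `at` cannot be used in the constant-evaluation contexts its underlying accessor now supports. For consistency with the other accessors changed here, use `constexpr T &at(size_t i) const { return (*this)[i]; }`. The enclosing class Span starts and ends outside the hunk, and since this is a vendored header the change is probably best sent upstream.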
@@ -163,14 +166,14 @@ class Span : private internal::SpanBase { return Span(data_ + pos, std::min(size_ - pos, len)); } - Span first(size_t len) { + constexpr Span first(size_t len) const { if (len > size_) { abort(); } return Span(data_, len); } - Span last(size_t len) { + constexpr Span last(size_t len) const { if (len > size_) { abort(); } @@ -186,30 +189,41 @@ template const size_t Span::npos; template -Span MakeSpan(T *ptr, size_t size) { +constexpr Span MakeSpan(T *ptr, size_t size) { return Span(ptr, size); } template -auto MakeSpan(C &c) -> decltype(MakeSpan(c.data(), c.size())) { +constexpr auto MakeSpan(C &c) -> decltype(MakeSpan(c.data(), c.size())) { return MakeSpan(c.data(), c.size()); } template -Span MakeConstSpan(T *ptr, size_t size) { +constexpr Span MakeConstSpan(T *ptr, size_t size) { return Span(ptr, size); } template -auto MakeConstSpan(const C &c) -> decltype(MakeConstSpan(c.data(), c.size())) { +constexpr auto MakeConstSpan(const C &c) + -> decltype(MakeConstSpan(c.data(), c.size())) { return MakeConstSpan(c.data(), c.size()); } template -Span MakeConstSpan(T (&array)[size]) { +constexpr Span MakeConstSpan(T (&array)[size]) { return array; } +#if __cplusplus >= 201703L +inline Span StringAsBytes(std::string_view s) { + return MakeConstSpan(reinterpret_cast(s.data()), s.size()); +} + +inline std::string_view BytesAsStringView(bssl::Span b) { + return std::string_view(reinterpret_cast(b.data()), b.size()); +} +#endif + BSSL_NAMESPACE_END } // extern C++ diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_stack.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_stack.h index 5501c67d..5108b183 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_stack.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_stack.h 
@@ -245,8 +245,11 @@ STACK_OF(SAMPLE) *sk_SAMPLE_deep_copy(const STACK_OF(SAMPLE) *sk, // Private functions. // -// TODO(https://crbug.com/boringssl/499): Rename to |OPENSSL_sk_foo|, after -// external code that calls them is fixed. +// The |sk_*| functions generated above are implemented internally using the +// type-erased functions below. Callers should use the typed wrappers instead. +// When using the type-erased functions, callers are responsible for ensuring +// the underlying types are correct. Casting pointers to the wrong types will +// result in memory errors. // OPENSSL_sk_free_func is a function that frees an element in a stack. Note its // actual type is void (*)(T *) for some T. Low-level |sk_*| functions will be 
@@ -276,69 +279,87 @@ typedef int (*OPENSSL_sk_delete_if_func)(void *obj, void *data); // true types. typedef void (*OPENSSL_sk_call_free_func)(OPENSSL_sk_free_func, void *); typedef void *(*OPENSSL_sk_call_copy_func)(OPENSSL_sk_copy_func, const void *); -typedef int (*OPENSSL_sk_call_cmp_func)(OPENSSL_sk_cmp_func, - const void *const *, - const void *const *); +typedef int (*OPENSSL_sk_call_cmp_func)(OPENSSL_sk_cmp_func, const void *, + const void *); typedef int (*OPENSSL_sk_call_delete_if_func)(OPENSSL_sk_delete_if_func, void *, void *); -// stack_st contains an array of pointers. It is not designed to be used +// An OPENSSL_STACK contains an array of pointers. It is not designed to be used // directly, rather the wrapper macros should be used. -typedef struct stack_st { - // num contains the number of valid pointers in |data|. - size_t num; - void **data; - // sorted is non-zero if the values pointed to by |data| are in ascending - // order, based on |comp|. - int sorted; - // num_alloc contains the number of pointers allocated in the buffer pointed - // to by |data|, which may be larger than |num|. - size_t num_alloc; - // comp is an optional comparison function. - OPENSSL_sk_cmp_func comp; -} _STACK; +typedef struct stack_st OPENSSL_STACK; // The following are raw stack functions. They implement the corresponding typed // |sk_SAMPLE_*| functions generated by |DEFINE_STACK_OF|. Callers shouldn't be // using them. Rather, callers should use the typed functions. 
-OPENSSL_EXPORT _STACK *sk_new(OPENSSL_sk_cmp_func comp); -OPENSSL_EXPORT _STACK *sk_new_null(void); -OPENSSL_EXPORT size_t sk_num(const _STACK *sk); -OPENSSL_EXPORT void sk_zero(_STACK *sk); -OPENSSL_EXPORT void *sk_value(const _STACK *sk, size_t i); -OPENSSL_EXPORT void *sk_set(_STACK *sk, size_t i, void *p); -OPENSSL_EXPORT void sk_free(_STACK *sk); -OPENSSL_EXPORT void sk_pop_free_ex(_STACK *sk, - OPENSSL_sk_call_free_func call_free_func, - OPENSSL_sk_free_func free_func); -OPENSSL_EXPORT size_t sk_insert(_STACK *sk, void *p, size_t where); -OPENSSL_EXPORT void *sk_delete(_STACK *sk, size_t where); -OPENSSL_EXPORT void *sk_delete_ptr(_STACK *sk, const void *p); -OPENSSL_EXPORT void sk_delete_if(_STACK *sk, - OPENSSL_sk_call_delete_if_func call_func, - OPENSSL_sk_delete_if_func func, void *data); -OPENSSL_EXPORT int sk_find(const _STACK *sk, size_t *out_index, const void *p, - OPENSSL_sk_call_cmp_func call_cmp_func); -OPENSSL_EXPORT void *sk_shift(_STACK *sk); -OPENSSL_EXPORT size_t sk_push(_STACK *sk, void *p); -OPENSSL_EXPORT void *sk_pop(_STACK *sk); -OPENSSL_EXPORT _STACK *sk_dup(const _STACK *sk); -OPENSSL_EXPORT void sk_sort(_STACK *sk, OPENSSL_sk_call_cmp_func call_cmp_func); -OPENSSL_EXPORT int sk_is_sorted(const _STACK *sk); -OPENSSL_EXPORT OPENSSL_sk_cmp_func sk_set_cmp_func(_STACK *sk, - OPENSSL_sk_cmp_func comp); -OPENSSL_EXPORT _STACK *sk_deep_copy(const _STACK *sk, - OPENSSL_sk_call_copy_func call_copy_func, - OPENSSL_sk_copy_func copy_func, - OPENSSL_sk_call_free_func call_free_func, - OPENSSL_sk_free_func free_func); - -// sk_pop_free behaves like |sk_pop_free_ex| but performs an invalid function -// pointer cast. It exists because some existing callers called |sk_pop_free| -// directly. 
+OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_cmp_func comp); +OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_new_null(void); +OPENSSL_EXPORT size_t OPENSSL_sk_num(const OPENSSL_STACK *sk); +OPENSSL_EXPORT void OPENSSL_sk_zero(OPENSSL_STACK *sk); +OPENSSL_EXPORT void *OPENSSL_sk_value(const OPENSSL_STACK *sk, size_t i); +OPENSSL_EXPORT void *OPENSSL_sk_set(OPENSSL_STACK *sk, size_t i, void *p); +OPENSSL_EXPORT void OPENSSL_sk_free(OPENSSL_STACK *sk); +OPENSSL_EXPORT void OPENSSL_sk_pop_free_ex( + OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func, + OPENSSL_sk_free_func free_func); +OPENSSL_EXPORT size_t OPENSSL_sk_insert(OPENSSL_STACK *sk, void *p, + size_t where); +OPENSSL_EXPORT void *OPENSSL_sk_delete(OPENSSL_STACK *sk, size_t where); +OPENSSL_EXPORT void *OPENSSL_sk_delete_ptr(OPENSSL_STACK *sk, const void *p); +OPENSSL_EXPORT void OPENSSL_sk_delete_if( + OPENSSL_STACK *sk, OPENSSL_sk_call_delete_if_func call_func, + OPENSSL_sk_delete_if_func func, void *data); +OPENSSL_EXPORT int OPENSSL_sk_find(const OPENSSL_STACK *sk, size_t *out_index, + const void *p, + OPENSSL_sk_call_cmp_func call_cmp_func); +OPENSSL_EXPORT void *OPENSSL_sk_shift(OPENSSL_STACK *sk); +OPENSSL_EXPORT size_t OPENSSL_sk_push(OPENSSL_STACK *sk, void *p); +OPENSSL_EXPORT void *OPENSSL_sk_pop(OPENSSL_STACK *sk); +OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk); +OPENSSL_EXPORT void OPENSSL_sk_sort(OPENSSL_STACK *sk, + OPENSSL_sk_call_cmp_func call_cmp_func); +OPENSSL_EXPORT int OPENSSL_sk_is_sorted(const OPENSSL_STACK *sk); +OPENSSL_EXPORT OPENSSL_sk_cmp_func +OPENSSL_sk_set_cmp_func(OPENSSL_STACK *sk, OPENSSL_sk_cmp_func comp); +OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_deep_copy( + const OPENSSL_STACK *sk, OPENSSL_sk_call_copy_func call_copy_func, + OPENSSL_sk_copy_func copy_func, OPENSSL_sk_call_free_func call_free_func, + OPENSSL_sk_free_func free_func); + + +// Deprecated private functions (hidden). 
+// +// TODO(crbug.com/boringssl/499): Migrate callers to the typed wrappers, or at +// least the new names and remove the old ones. +// +// TODO(b/290792019, b/290785937): Ideally these would at least be inline +// functions, so we do not squat the symbols. + +typedef OPENSSL_STACK _STACK; + +// The following functions call the corresponding |OPENSSL_sk_*| function. +OPENSSL_EXPORT OPENSSL_DEPRECATED OPENSSL_STACK *sk_new_null(void); +OPENSSL_EXPORT OPENSSL_DEPRECATED size_t sk_num(const OPENSSL_STACK *sk); +OPENSSL_EXPORT OPENSSL_DEPRECATED void *sk_value(const OPENSSL_STACK *sk, + size_t i); +OPENSSL_EXPORT OPENSSL_DEPRECATED void sk_free(OPENSSL_STACK *sk); +OPENSSL_EXPORT OPENSSL_DEPRECATED size_t sk_push(OPENSSL_STACK *sk, void *p); +OPENSSL_EXPORT OPENSSL_DEPRECATED void *sk_pop(OPENSSL_STACK *sk); + +// sk_pop_free_ex calls |OPENSSL_sk_pop_free_ex|. +// +// TODO(b/291994116): Remove this. +OPENSSL_EXPORT OPENSSL_DEPRECATED void sk_pop_free_ex( + OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func, + OPENSSL_sk_free_func free_func); + +// sk_pop_free behaves like |OPENSSL_sk_pop_free_ex| but performs an invalid +// function pointer cast. It exists because some existing callers called +// |sk_pop_free| directly. // // TODO(davidben): Migrate callers to bssl::UniquePtr and remove this. -OPENSSL_EXPORT void sk_pop_free(_STACK *sk, OPENSSL_sk_free_func free_func); +OPENSSL_EXPORT OPENSSL_DEPRECATED void sk_pop_free( + OPENSSL_STACK *sk, OPENSSL_sk_free_func free_func); + #if !defined(BORINGSSL_NO_CXX) extern "C++" { 
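Review bot: The deprecated shim block keeps only sk_new_null, sk_num, sk_value, sk_free, sk_push, sk_pop, sk_pop_free_ex and sk_pop_free, while the declarations removed in this hunk also covered sk_new, sk_zero, sk_set, sk_insert, sk_delete, sk_delete_ptr, sk_delete_if, sk_find, sk_shift, sk_dup, sk_sort, sk_is_sorted, sk_set_cmp_func and sk_deep_copy, which now exist only under the OPENSSL_sk_ prefix. Any non-vendored wrapper code in this repository that called one of the unshimmed names will fail to compile rather than receive a deprecation warning, so it is worth grepping the wrapper sources before merging. Separately, `typedef OPENSSL_STACK _STACK;` keeps a reserved identifier (leading underscore plus uppercase) in a public header; the TODO already covers its removal, so the only action is that new code should spell the type OPENSSL_STACK.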
@@ -368,153 +389,151 @@ BSSL_NAMESPACE_END #define BORINGSSL_DEFINE_STACK_TRAITS(name, type, is_const) #endif -#define BORINGSSL_DEFINE_STACK_OF_IMPL(name, ptrtype, constptrtype) \ - /* We disable MSVC C4191 in this macro, which warns when pointers are cast \ - * to the wrong type. While the cast itself is valid, it is often a bug \ - * because calling it through the cast is UB. However, we never actually \ - * call functions as |OPENSSL_sk_cmp_func|. The type is just a type-erased \ - * function pointer. (C does not guarantee function pointers fit in \ - * |void*|, and GCC will warn on this.) Thus we just disable the false \ - * positive warning. */ \ - OPENSSL_MSVC_PRAGMA(warning(push)) \ - OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \ - \ - DECLARE_STACK_OF(name) \ - \ - typedef void (*sk_##name##_free_func)(ptrtype); \ - typedef ptrtype (*sk_##name##_copy_func)(constptrtype); \ - typedef int (*sk_##name##_cmp_func)(constptrtype const *, \ - constptrtype const *); \ - typedef int (*sk_##name##_delete_if_func)(ptrtype, void *); \ - \ - OPENSSL_INLINE void sk_##name##_call_free_func( \ - OPENSSL_sk_free_func free_func, void *ptr) { \ - ((sk_##name##_free_func)free_func)((ptrtype)ptr); \ - } \ - \ - OPENSSL_INLINE void *sk_##name##_call_copy_func( \ - OPENSSL_sk_copy_func copy_func, const void *ptr) { \ - return (void *)((sk_##name##_copy_func)copy_func)((constptrtype)ptr); \ - } \ - \ - OPENSSL_INLINE int sk_##name##_call_cmp_func(OPENSSL_sk_cmp_func cmp_func, \ - const void *const *a, \ - const void *const *b) { \ - /* The data is actually stored as |void*| pointers, so read the pointer \ - * as |void*| and then pass the corrected type into the caller-supplied \ - * function, which expects |constptrtype*|. 
*/ \ - constptrtype a_ptr = (constptrtype)*a; \ - constptrtype b_ptr = (constptrtype)*b; \ - return ((sk_##name##_cmp_func)cmp_func)(&a_ptr, &b_ptr); \ - } \ - \ - OPENSSL_INLINE int sk_##name##_call_delete_if_func( \ - OPENSSL_sk_delete_if_func func, void *obj, void *data) { \ - return ((sk_##name##_delete_if_func)func)((ptrtype)obj, data); \ - } \ - \ - OPENSSL_INLINE STACK_OF(name) *sk_##name##_new(sk_##name##_cmp_func comp) { \ - return (STACK_OF(name) *)sk_new((OPENSSL_sk_cmp_func)comp); \ - } \ - \ - OPENSSL_INLINE STACK_OF(name) *sk_##name##_new_null(void) { \ - return (STACK_OF(name) *)sk_new_null(); \ - } \ - \ - OPENSSL_INLINE size_t sk_##name##_num(const STACK_OF(name) *sk) { \ - return sk_num((const _STACK *)sk); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_zero(STACK_OF(name) *sk) { \ - sk_zero((_STACK *)sk); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_value(const STACK_OF(name) *sk, \ - size_t i) { \ - return (ptrtype)sk_value((const _STACK *)sk, i); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_set(STACK_OF(name) *sk, size_t i, \ - ptrtype p) { \ - return (ptrtype)sk_set((_STACK *)sk, i, (void *)p); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_free(STACK_OF(name) *sk) { \ - sk_free((_STACK *)sk); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_pop_free(STACK_OF(name) *sk, \ - sk_##name##_free_func free_func) { \ - sk_pop_free_ex((_STACK *)sk, sk_##name##_call_free_func, \ - (OPENSSL_sk_free_func)free_func); \ - } \ - \ - OPENSSL_INLINE size_t sk_##name##_insert(STACK_OF(name) *sk, ptrtype p, \ - size_t where) { \ - return sk_insert((_STACK *)sk, (void *)p, where); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_delete(STACK_OF(name) *sk, \ - size_t where) { \ - return (ptrtype)sk_delete((_STACK *)sk, where); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_delete_ptr(STACK_OF(name) *sk, \ - constptrtype p) { \ - return (ptrtype)sk_delete_ptr((_STACK *)sk, (const void *)p); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_delete_if( \ - 
STACK_OF(name) *sk, sk_##name##_delete_if_func func, void *data) { \ - sk_delete_if((_STACK *)sk, sk_##name##_call_delete_if_func, \ - (OPENSSL_sk_delete_if_func)func, data); \ - } \ - \ - OPENSSL_INLINE int sk_##name##_find(const STACK_OF(name) *sk, \ - size_t *out_index, constptrtype p) { \ - return sk_find((const _STACK *)sk, out_index, (const void *)p, \ - sk_##name##_call_cmp_func); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_shift(STACK_OF(name) *sk) { \ - return (ptrtype)sk_shift((_STACK *)sk); \ - } \ - \ - OPENSSL_INLINE size_t sk_##name##_push(STACK_OF(name) *sk, ptrtype p) { \ - return sk_push((_STACK *)sk, (void *)p); \ - } \ - \ - OPENSSL_INLINE ptrtype sk_##name##_pop(STACK_OF(name) *sk) { \ - return (ptrtype)sk_pop((_STACK *)sk); \ - } \ - \ - OPENSSL_INLINE STACK_OF(name) *sk_##name##_dup(const STACK_OF(name) *sk) { \ - return (STACK_OF(name) *)sk_dup((const _STACK *)sk); \ - } \ - \ - OPENSSL_INLINE void sk_##name##_sort(STACK_OF(name) *sk) { \ - sk_sort((_STACK *)sk, sk_##name##_call_cmp_func); \ - } \ - \ - OPENSSL_INLINE int sk_##name##_is_sorted(const STACK_OF(name) *sk) { \ - return sk_is_sorted((const _STACK *)sk); \ - } \ - \ - OPENSSL_INLINE sk_##name##_cmp_func sk_##name##_set_cmp_func( \ - STACK_OF(name) *sk, sk_##name##_cmp_func comp) { \ - return (sk_##name##_cmp_func)sk_set_cmp_func((_STACK *)sk, \ - (OPENSSL_sk_cmp_func)comp); \ - } \ - \ - OPENSSL_INLINE STACK_OF(name) *sk_##name##_deep_copy( \ - const STACK_OF(name) *sk, sk_##name##_copy_func copy_func, \ - sk_##name##_free_func free_func) { \ - return (STACK_OF(name) *)sk_deep_copy( \ - (const _STACK *)sk, sk_##name##_call_copy_func, \ - (OPENSSL_sk_copy_func)copy_func, sk_##name##_call_free_func, \ - (OPENSSL_sk_free_func)free_func); \ - } \ - \ +#define BORINGSSL_DEFINE_STACK_OF_IMPL(name, ptrtype, constptrtype) \ + /* We disable MSVC C4191 in this macro, which warns when pointers are cast \ + * to the wrong type. 
While the cast itself is valid, it is often a bug \ + * because calling it through the cast is UB. However, we never actually \ + * call functions as |OPENSSL_sk_cmp_func|. The type is just a type-erased \ + * function pointer. (C does not guarantee function pointers fit in \ + * |void*|, and GCC will warn on this.) Thus we just disable the false \ + * positive warning. */ \ + OPENSSL_MSVC_PRAGMA(warning(push)) \ + OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \ + \ + DECLARE_STACK_OF(name) \ + \ + typedef void (*sk_##name##_free_func)(ptrtype); \ + typedef ptrtype (*sk_##name##_copy_func)(constptrtype); \ + typedef int (*sk_##name##_cmp_func)(constptrtype const *, \ + constptrtype const *); \ + typedef int (*sk_##name##_delete_if_func)(ptrtype, void *); \ + \ + OPENSSL_INLINE void sk_##name##_call_free_func( \ + OPENSSL_sk_free_func free_func, void *ptr) { \ + ((sk_##name##_free_func)free_func)((ptrtype)ptr); \ + } \ + \ + OPENSSL_INLINE void *sk_##name##_call_copy_func( \ + OPENSSL_sk_copy_func copy_func, const void *ptr) { \ + return (void *)((sk_##name##_copy_func)copy_func)((constptrtype)ptr); \ + } \ + \ + OPENSSL_INLINE int sk_##name##_call_cmp_func(OPENSSL_sk_cmp_func cmp_func, \ + const void *a, const void *b) { \ + constptrtype a_ptr = (constptrtype)a; \ + constptrtype b_ptr = (constptrtype)b; \ + /* |cmp_func| expects an extra layer of pointers to match qsort. 
*/ \
+ return ((sk_##name##_cmp_func)cmp_func)(&a_ptr, &b_ptr); \
+ } \
+ \
+ OPENSSL_INLINE int sk_##name##_call_delete_if_func( \
+ OPENSSL_sk_delete_if_func func, void *obj, void *data) { \
+ return ((sk_##name##_delete_if_func)func)((ptrtype)obj, data); \
+ } \
+ \
+ OPENSSL_INLINE STACK_OF(name) *sk_##name##_new(sk_##name##_cmp_func comp) { \
+ return (STACK_OF(name) *)OPENSSL_sk_new((OPENSSL_sk_cmp_func)comp); \
+ } \
+ \
+ OPENSSL_INLINE STACK_OF(name) *sk_##name##_new_null(void) { \
+ return (STACK_OF(name) *)OPENSSL_sk_new_null(); \
+ } \
+ \
+ OPENSSL_INLINE size_t sk_##name##_num(const STACK_OF(name) *sk) { \
+ return OPENSSL_sk_num((const OPENSSL_STACK *)sk); \
+ } \
+ \
+ OPENSSL_INLINE void sk_##name##_zero(STACK_OF(name) *sk) { \
+ OPENSSL_sk_zero((OPENSSL_STACK *)sk); \
+ } \
+ \
+ OPENSSL_INLINE ptrtype sk_##name##_value(const STACK_OF(name) *sk, \
+ size_t i) { \
+ return (ptrtype)OPENSSL_sk_value((const OPENSSL_STACK *)sk, i); \
+ } \
+ \
+ OPENSSL_INLINE ptrtype sk_##name##_set(STACK_OF(name) *sk, size_t i, \
+ ptrtype p) { \
+ return (ptrtype)OPENSSL_sk_set((OPENSSL_STACK *)sk, i, (void *)p); \
+ } \
+ \
+ OPENSSL_INLINE void sk_##name##_free(STACK_OF(name) *sk) { \
+ OPENSSL_sk_free((OPENSSL_STACK *)sk); \
+ } \
+ \
+ OPENSSL_INLINE void sk_##name##_pop_free(STACK_OF(name) *sk, \
+ sk_##name##_free_func free_func) { \
+ OPENSSL_sk_pop_free_ex((OPENSSL_STACK *)sk, sk_##name##_call_free_func, \
+ (OPENSSL_sk_free_func)free_func); \
+ } \
+ \
+ OPENSSL_INLINE size_t sk_##name##_insert(STACK_OF(name) *sk, ptrtype p, \
+ size_t where) { \
+ return OPENSSL_sk_insert((OPENSSL_STACK *)sk, (void *)p, where); \
+ } \
+ \
+ OPENSSL_INLINE ptrtype sk_##name##_delete(STACK_OF(name) *sk, \
+ size_t where) { \
+ return (ptrtype)OPENSSL_sk_delete((OPENSSL_STACK *)sk, where); \
+ } \
+ \
+ OPENSSL_INLINE ptrtype sk_##name##_delete_ptr(STACK_OF(name) *sk, \
+ constptrtype p) { \
+ return (ptrtype)OPENSSL_sk_delete_ptr((OPENSSL_STACK *)sk, \
+ (const void *)p);
\
+ } \
+ \
+ OPENSSL_INLINE void sk_##name##_delete_if( \
+ STACK_OF(name) *sk, sk_##name##_delete_if_func func, void *data) { \
+ OPENSSL_sk_delete_if((OPENSSL_STACK *)sk, sk_##name##_call_delete_if_func, \
+ (OPENSSL_sk_delete_if_func)func, data); \
+ } \
+ \
+ OPENSSL_INLINE int sk_##name##_find(const STACK_OF(name) *sk, \
+ size_t *out_index, constptrtype p) { \
+ return OPENSSL_sk_find((const OPENSSL_STACK *)sk, out_index, \
+ (const void *)p, sk_##name##_call_cmp_func); \
+ } \
+ \
+ OPENSSL_INLINE ptrtype sk_##name##_shift(STACK_OF(name) *sk) { \
+ return (ptrtype)OPENSSL_sk_shift((OPENSSL_STACK *)sk); \
+ } \
+ \
+ OPENSSL_INLINE size_t sk_##name##_push(STACK_OF(name) *sk, ptrtype p) { \
+ return OPENSSL_sk_push((OPENSSL_STACK *)sk, (void *)p); \
+ } \
+ \
+ OPENSSL_INLINE ptrtype sk_##name##_pop(STACK_OF(name) *sk) { \
+ return (ptrtype)OPENSSL_sk_pop((OPENSSL_STACK *)sk); \
+ } \
+ \
+ OPENSSL_INLINE STACK_OF(name) *sk_##name##_dup(const STACK_OF(name) *sk) { \
+ return (STACK_OF(name) *)OPENSSL_sk_dup((const OPENSSL_STACK *)sk); \
+ } \
+ \
+ OPENSSL_INLINE void sk_##name##_sort(STACK_OF(name) *sk) { \
+ OPENSSL_sk_sort((OPENSSL_STACK *)sk, sk_##name##_call_cmp_func); \
+ } \
+ \
+ OPENSSL_INLINE int sk_##name##_is_sorted(const STACK_OF(name) *sk) { \
+ return OPENSSL_sk_is_sorted((const OPENSSL_STACK *)sk); \
+ } \
+ \
+ OPENSSL_INLINE sk_##name##_cmp_func sk_##name##_set_cmp_func( \
+ STACK_OF(name) *sk, sk_##name##_cmp_func comp) { \
+ return (sk_##name##_cmp_func)OPENSSL_sk_set_cmp_func( \
+ (OPENSSL_STACK *)sk, (OPENSSL_sk_cmp_func)comp); \
+ } \
+ \
+ OPENSSL_INLINE STACK_OF(name) *sk_##name##_deep_copy( \
+ const STACK_OF(name) *sk, sk_##name##_copy_func copy_func, \
+ sk_##name##_free_func free_func) { \
+ return (STACK_OF(name) *)OPENSSL_sk_deep_copy( \
+ (const OPENSSL_STACK *)sk, sk_##name##_call_copy_func, \
+ (OPENSSL_sk_copy_func)copy_func, sk_##name##_call_free_func, \
+ (OPENSSL_sk_free_func)free_func); \
+ } \
+ \
OPENSSL_MSVC_PRAGMA(warning(pop)) @@ -542,7 +561,9 @@ namespace internal { // Stacks defined with |DEFINE_CONST_STACK_OF| are freed with |sk_free|. template struct DeleterImpl::kIsConst>> { - static void Free(Stack *sk) { sk_free(reinterpret_cast<_STACK *>(sk)); } + static void Free(Stack *sk) { + OPENSSL_sk_free(reinterpret_cast(sk)); + } }; // Stacks defined with |DEFINE_STACK_OF| are freed with |sk_pop_free| and the @@ -553,11 +574,12 @@ struct DeleterImpl::kIsConst>> { // sk_FOO_pop_free is defined by macros and bound by name, so we cannot // access it from C++ here. using Type = typename StackTraits::Type; - sk_pop_free_ex(reinterpret_cast<_STACK *>(sk), - [](OPENSSL_sk_free_func /* unused */, void *ptr) { - DeleterImpl::Free(reinterpret_cast(ptr)); - }, - nullptr); + OPENSSL_sk_pop_free_ex( + reinterpret_cast(sk), + [](OPENSSL_sk_free_func /* unused */, void *ptr) { + DeleterImpl::Free(reinterpret_cast(ptr)); + }, + nullptr); } }; @@ -578,7 +600,7 @@ class StackIteratorImpl { Type *operator*() const { return reinterpret_cast( - sk_value(reinterpret_cast(sk_), idx_)); + OPENSSL_sk_value(reinterpret_cast(sk_), idx_)); } StackIteratorImpl &operator++(/* prefix */) { @@ -609,10 +631,10 @@ template inline std::enable_if_t::kIsConst, bool> PushToStack(Stack *sk, UniquePtr::Type> elem) { - if (!sk_push(reinterpret_cast<_STACK *>(sk), elem.get())) { + if (!OPENSSL_sk_push(reinterpret_cast(sk), elem.get())) { return false; } - // sk_push takes ownership on success. + // OPENSSL_sk_push takes ownership on success. elem.release(); return true; } @@ -628,7 +650,7 @@ inline bssl::internal::StackIterator begin(const Stack *sk) { template inline bssl::internal::StackIterator end(const Stack *sk) { return bssl::internal::StackIterator( - sk, sk_num(reinterpret_cast(sk))); + sk, OPENSSL_sk_num(reinterpret_cast(sk))); } } // extern C++ 
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_target.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_target.h
new file mode 100644
index 00000000..29b1dc61
--- /dev/null
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_target.h
@@ -0,0 +1,226 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_TARGET_H
+#define OPENSSL_HEADER_TARGET_H
+
+// Preprocessor symbols that define the target platform.
+//
+// This file may be included in C, C++, and assembler and must be compatible
+// with each environment. It is separated out only to share code between
+// and . Prefer to include those headers
+// instead.
+
+#if defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64)
+#define OPENSSL_64_BIT
+#define OPENSSL_X86_64
+#elif defined(__x86) || defined(__i386) || defined(__i386__) || defined(_M_IX86)
+#define OPENSSL_32_BIT
+#define OPENSSL_X86
+#elif defined(__AARCH64EL__) || defined(_M_ARM64)
+#define OPENSSL_64_BIT
+#define OPENSSL_AARCH64
+#elif defined(__ARMEL__) || defined(_M_ARM)
+#define OPENSSL_32_BIT
+#define OPENSSL_ARM
+#elif defined(__MIPSEL__) && !defined(__LP64__)
+#define OPENSSL_32_BIT
+#define OPENSSL_MIPS
+#elif defined(__MIPSEL__) && defined(__LP64__)
+#define OPENSSL_64_BIT
+#define OPENSSL_MIPS64
+#elif defined(__riscv) && __SIZEOF_POINTER__ == 8
+#define OPENSSL_64_BIT
+#define OPENSSL_RISCV64
+#elif defined(__riscv) && __SIZEOF_POINTER__ == 4
+#define OPENSSL_32_BIT
+#elif defined(__pnacl__)
+#define OPENSSL_32_BIT
+#define OPENSSL_PNACL
+#elif defined(__wasm__)
+#define OPENSSL_32_BIT
+#elif defined(__asmjs__)
+#define OPENSSL_32_BIT
+#elif defined(__myriad2__)
+#define OPENSSL_32_BIT
+#else
+// The list above enumerates the platforms that BoringSSL supports. For these
+// platforms we keep a reasonable bar of not breaking them: automated test
+// coverage, for one, but also we need access to these types for machines for
+// fixing them.
+//
+// However, we know that anything that seems to work will soon be expected
+// to work and, quickly, the implicit expectation is that every machine will
+// always work. So this list serves to mark the boundary of what we guarantee.
+// Of course, you can run the code any many more machines, but then you're
+// taking on the burden of fixing it and, if you're doing that, then you must
+// be able to carry local patches. In which case patching this list is trivial.
+//
+// BoringSSL will only possibly work on standard 32-bit and 64-bit
+// two's-complement, little-endian architectures. Functions will not produce
+// the correct answer on other systems.
Run the crypto_test binary, notably
+// crypto/compiler_test.cc, before trying a new architecture.
+#error "Unknown target CPU"
+#endif
+
+#if defined(__APPLE__)
+#define OPENSSL_APPLE
+#endif
+
+#if defined(_WIN32)
+#define OPENSSL_WINDOWS
+#endif
+
+// Trusty and Android baremetal aren't Linux but currently define __linux__.
+// As a workaround, we exclude them here.
+// We also exclude nanolibc/CrOS EC/Zephyr. nanolibc/CrOS EC/Zephyr
+// sometimes build for a non-Linux target (which should not define __linux__),
+// but also sometimes build for Linux. Although technically running in Linux
+// userspace, this lacks all the libc APIs we'd normally expect on Linux, so we
+// treat it as a non-Linux target.
+//
+// TODO(b/169780122): Remove this workaround once Trusty no longer defines it.
+// TODO(b/291101350): Remove this workaround once Android baremetal no longer
+// defines it.
+#if defined(__linux__) && !defined(__TRUSTY__) && \
+ !defined(ANDROID_BAREMETAL) && !defined(OPENSSL_NANOLIBC) && \
+ !defined(CROS_EC) && !defined(CROS_ZEPHYR)
+#define OPENSSL_LINUX
+#endif
+
+#if defined(__Fuchsia__)
+#define OPENSSL_FUCHSIA
+#endif
+
+// Trusty is Android's TEE target. See
+// https://source.android.com/docs/security/features/trusty
+//
+// Defining this on any other platform is not supported. Other embedded
+// platforms must introduce their own defines.
+#if defined(__TRUSTY__)
+#define OPENSSL_TRUSTY
+#define OPENSSL_NO_FILESYSTEM
+#define OPENSSL_NO_POSIX_IO
+#define OPENSSL_NO_SOCK
+#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
+#endif
+
+// nanolibc is a particular minimal libc implementation. Defining this on any
+// other platform is not supported. Other embedded platforms must introduce
+// their own defines.
+#if defined(OPENSSL_NANOLIBC)
+#define OPENSSL_NO_FILESYSTEM
+#define OPENSSL_NO_POSIX_IO
+#define OPENSSL_NO_SOCK
+#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
+#endif
+
+// Android baremetal is an embedded target that uses a subset of bionic.
+// Defining this on any other platform is not supported. Other embedded
+// platforms must introduce their own defines.
+#if defined(ANDROID_BAREMETAL)
+#define OPENSSL_NO_FILESYSTEM
+#define OPENSSL_NO_POSIX_IO
+#define OPENSSL_NO_SOCK
+#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
+#endif
+
+// CROS_EC is an embedded target for ChromeOS Embedded Controller. Defining
+// this on any other platform is not supported. Other embedded platforms must
+// introduce their own defines.
+//
+// https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/README.md
+#if defined(CROS_EC)
+#define OPENSSL_NO_FILESYSTEM
+#define OPENSSL_NO_POSIX_IO
+#define OPENSSL_NO_SOCK
+#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
+#endif
+
+// CROS_ZEPHYR is an embedded target for ChromeOS Zephyr Embedded Controller.
+// Defining this on any other platform is not supported. Other embedded
+// platforms must introduce their own defines.
+//
+// https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/docs/zephyr/README.md
+#if defined(CROS_ZEPHYR)
+#define OPENSSL_NO_FILESYSTEM
+#define OPENSSL_NO_POSIX_IO
+#define OPENSSL_NO_SOCK
+#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
+#endif
+
+#if defined(__ANDROID_API__)
+#define OPENSSL_ANDROID
+#endif
+
+#if defined(__FreeBSD__)
+#define OPENSSL_FREEBSD
+#endif
+
+#if defined(__OpenBSD__)
+#define OPENSSL_OPENBSD
+#endif
+
+// BoringSSL requires platform's locking APIs to make internal global state
+// thread-safe, including the PRNG. On some single-threaded embedded platforms,
+// locking APIs may not exist, so this dependency may be disabled with the
+// following build flag.
+//
+// IMPORTANT: Doing so means the consumer promises the library will never be
+// used in any multi-threaded context. It causes BoringSSL to be globally
+// thread-unsafe. Setting it inappropriately will subtly and unpredictably
+// corrupt memory and leak secret keys.
+//
+// Do not set this flag on any platform where threads are possible. BoringSSL
+// maintainers will not provide support for any consumers that do so. Changes
+// which break such unsupported configurations will not be reverted.
+#if !defined(OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED)
+#define OPENSSL_THREADS
+#endif
+
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) && \
+ !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+#define BORINGSSL_UNSAFE_DETERMINISTIC_MODE
+#endif
+
+#if defined(__has_feature)
+#if __has_feature(address_sanitizer)
+#define OPENSSL_ASAN
+#endif
+#if __has_feature(thread_sanitizer)
+#define OPENSSL_TSAN
+#endif
+#if __has_feature(memory_sanitizer)
+#define OPENSSL_MSAN
+#define OPENSSL_ASM_INCOMPATIBLE
+#endif
+#if __has_feature(hwaddress_sanitizer)
+#define OPENSSL_HWASAN
+#endif
+#endif
+
+// Disable 32-bit Arm assembly on Apple platforms. The last iOS version that
+// supported 32-bit Arm was iOS 10.
+#if defined(OPENSSL_APPLE) && defined(OPENSSL_ARM)
+#define OPENSSL_ASM_INCOMPATIBLE
+#endif
+
+#if defined(OPENSSL_ASM_INCOMPATIBLE)
+#undef OPENSSL_ASM_INCOMPATIBLE
+#if !defined(OPENSSL_NO_ASM)
+#define OPENSSL_NO_ASM
+#endif
+#endif // OPENSSL_ASM_INCOMPATIBLE
+
+#endif // OPENSSL_HEADER_TARGET_H
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_thread.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_thread.h
index f519e6b7..080b453d 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_thread.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_thread.h
@@ -66,34 +66,6 @@ extern "C" {
 #endif
-#if !defined(OPENSSL_THREADS)
-typedef struct crypto_mutex_st {
- char padding; // Empty structs have different sizes in C and C++.
-} CRYPTO_MUTEX;
-#elif defined(OPENSSL_WINDOWS)
-// CRYPTO_MUTEX can appear in public header files so we really don't want to
-// pull in windows.h. It's statically asserted that this structure is large
-// enough to contain a Windows SRWLOCK by thread_win.c.
-typedef union crypto_mutex_st {
- void *handle;
-} CRYPTO_MUTEX;
-#elif !defined(__GLIBC__)
-#if defined(OPENSSL_OPENBSD)
-// OpenBSD does not guarantee pthread_rwlock_t in sys/types.h yet.
-#include
-#endif
-typedef pthread_rwlock_t CRYPTO_MUTEX;
-#else
-// On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't
-// ensure that we'll be able to get it from a public header. It's statically
-// asserted that this structure is large enough to contain a |pthread_rwlock_t|
-// by thread_pthread.c.
-typedef union crypto_mutex_st {
- double alignment;
- uint8_t padding[3*sizeof(int) + 5*sizeof(unsigned) + 16 + 8];
-} CRYPTO_MUTEX;
-#endif
-
 // CRYPTO_refcount_t is the type of a reference count.
 //
 // Since some platforms use C11 atomics to access this, it should have the
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_time.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_time.h
index 2566fb89..7aaacbba 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_time.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_time.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2022, Google Inc.
+/* Copyright (c) 2024, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -15,27 +15,8 @@
 #ifndef OPENSSL_HEADER_TIME_H
 #define OPENSSL_HEADER_TIME_H
-#include "CJWTKitBoringSSL_base.h"
+// Compatibility header, to be deprecated. use instead.
-#include
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-// OPENSSL_posix_to_tm converts a int64_t POSIX time value in |time|, which must
-// be in the range of year 0000 to 9999, to a broken out time value in |tm|. It
-// returns one on success and zero on error.
-OPENSSL_EXPORT int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm);
-
-// OPENSSL_tm_to_posix converts a time value between the years 0 and 9999 in
-// |tm| to a POSIX time value in |out|. One is returned on success, zero is
-// returned on failure. It is a failure if |tm| contains out of range values.
-OPENSSL_EXPORT int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out);
-
-
-#if defined(__cplusplus)
-} // extern C
-#endif
+#include "CJWTKitBoringSSL_posix_time.h"
 #endif // OPENSSL_HEADER_TIME_H
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509.h
index c5083347..6b8b8702 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509.h
@@ -63,16 +63,21 @@
 #ifndef OPENSSL_HEADER_X509_H
 #define OPENSSL_HEADER_X509_H
-#include "CJWTKitBoringSSL_asn1.h"
 #include "CJWTKitBoringSSL_base.h"
+
+#include
+
+#include "CJWTKitBoringSSL_asn1.h"
 #include "CJWTKitBoringSSL_bio.h"
 #include "CJWTKitBoringSSL_cipher.h"
+#include "CJWTKitBoringSSL_conf.h"
 #include "CJWTKitBoringSSL_dh.h"
 #include "CJWTKitBoringSSL_dsa.h"
 #include "CJWTKitBoringSSL_ec.h"
 #include "CJWTKitBoringSSL_ecdh.h"
 #include "CJWTKitBoringSSL_ecdsa.h"
 #include "CJWTKitBoringSSL_evp.h"
+#include "CJWTKitBoringSSL_lhash.h"
 #include "CJWTKitBoringSSL_obj.h"
 #include "CJWTKitBoringSSL_pkcs7.h"
 #include "CJWTKitBoringSSL_pool.h"
@@ -80,7 +85,7 @@
 #include "CJWTKitBoringSSL_sha.h"
 #include "CJWTKitBoringSSL_stack.h"
 #include "CJWTKitBoringSSL_thread.h"
-#include
+#include "CJWTKitBoringSSL_x509v3_errors.h" // IWYU pragma: export
 #if defined(__cplusplus)
 extern "C" {
@@ -193,11 +198,16 @@ OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509);
 // object.
 OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509);
-// X509_get_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the
-// public key was unsupported or could not be decoded. This function returns a
-// reference to the |EVP_PKEY|. The caller must release the result with
-// |EVP_PKEY_free| when done.
-OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509);
+// X509_get0_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the
+// public key was unsupported or could not be decoded. The |EVP_PKEY| is cached
+// in |x509|, so callers must not mutate the result.
+OPENSSL_EXPORT EVP_PKEY *X509_get0_pubkey(const X509 *x509);
+
+// X509_get_pubkey behaves like |X509_get0_pubkey| but increments the reference
+// count on the |EVP_PKEY|. The caller must release the result with
+// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |x509|, so callers
+// must not mutate the result.
+OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(const X509 *x509);
 // X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public
 // key. Note this does not contain the AlgorithmIdentifier portion.
@@ -207,6 +217,11 @@ OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509);
 // internal invariants in |x509|.
 OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509);
+// X509_check_private_key returns one if |x509|'s public key matches |pkey| and
+// zero otherwise.
+OPENSSL_EXPORT int X509_check_private_key(const X509 *x509,
+ const EVP_PKEY *pkey);
+
 // X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the
 // issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly
 // outputs |x509|'s subjectUID field to |*out_subject_uid|.
@@ -217,6 +232,146 @@ OPENSSL_EXPORT void X509_get0_uids(const X509 *x509,
 const ASN1_BIT_STRING **out_issuer_uid,
 const ASN1_BIT_STRING **out_subject_uid);
+// The following bits are returned from |X509_get_extension_flags|.
+
+// EXFLAG_BCONS indicates the certificate has a basic constraints extension.
+#define EXFLAG_BCONS 0x1
+// EXFLAG_KUSAGE indicates the certifcate has a key usage extension.
+#define EXFLAG_KUSAGE 0x2
+// EXFLAG_XKUSAGE indicates the certifcate has an extended key usage extension.
+#define EXFLAG_XKUSAGE 0x4
+// EXFLAG_CA indicates the certificate has a basic constraints extension with
+// the CA bit set.
+#define EXFLAG_CA 0x10
+// EXFLAG_SI indicates the certificate is self-issued, i.e. its subject and
+// issuer names match.
+#define EXFLAG_SI 0x20
+// EXFLAG_V1 indicates an X.509v1 certificate.
+#define EXFLAG_V1 0x40
+// EXFLAG_INVALID indicates an error processing some extension. The certificate
+// should not be accepted. Note the lack of this bit does not imply all
+// extensions are valid, only those used to compute extension flags.
+#define EXFLAG_INVALID 0x80
+// EXFLAG_SET is an internal bit that indicates extension flags were computed.
+#define EXFLAG_SET 0x100
+// EXFLAG_CRITICAL indicates an unsupported critical extension. The certificate
+// should not be accepted.
+#define EXFLAG_CRITICAL 0x200
+// EXFLAG_SS indicates the certificate is likely self-signed. That is, if it is
+// self-issued, its authority key identifer (if any) matches itself, and its key
+// usage extension (if any) allows certificate signatures. The signature itself
+// is not checked in computing this bit.
+#define EXFLAG_SS 0x2000
+
+// X509_get_extension_flags decodes a set of extensions from |x509| and returns
+// a collection of |EXFLAG_*| bits which reflect |x509|. If there was an error
+// in computing this bitmask, the result will include the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x509);
+
+// X509_get_pathlen returns path length constraint from the basic constraints
+// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
+// constraint is not present, or if some extension in |x509| was invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
+
+// X509v3_KU_* are key usage bits returned from |X509_get_key_usage|.
+#define X509v3_KU_DIGITAL_SIGNATURE 0x0080
+#define X509v3_KU_NON_REPUDIATION 0x0040
+#define X509v3_KU_KEY_ENCIPHERMENT 0x0020
+#define X509v3_KU_DATA_ENCIPHERMENT 0x0010
+#define X509v3_KU_KEY_AGREEMENT 0x0008
+#define X509v3_KU_KEY_CERT_SIGN 0x0004
+#define X509v3_KU_CRL_SIGN 0x0002
+#define X509v3_KU_ENCIPHER_ONLY 0x0001
+#define X509v3_KU_DECIPHER_ONLY 0x8000
+
+// X509_get_key_usage returns a bitmask of key usages (see Section 4.2.1.3 of
+// RFC 5280) which |x509| is valid for. This function only reports the first 16
+// bits, in a little-endian byte order, but big-endian bit order. That is, bits
+// 0 though 7 are reported at 1<<7 through 1<<0, and bits 8 through 15 are
+// reported at 1<<15 through 1<<8.
+//
+// Instead of depending on this bit order, callers should compare against the
+// |X509v3_KU_*| constants.
+//
+// If |x509| has no key usage extension, all key usages are valid and this
+// function returns |UINT32_MAX|. If there was an error processing |x509|'s
+// extensions, or if the first 16 bits in the key usage extension were all zero,
+// this function returns zero.
+OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x509);
+
+// XKU_* are extended key usage bits returned from
+// |X509_get_extended_key_usage|.
+#define XKU_SSL_SERVER 0x1
+#define XKU_SSL_CLIENT 0x2
+#define XKU_SMIME 0x4
+#define XKU_CODE_SIGN 0x8
+#define XKU_SGC 0x10
+#define XKU_OCSP_SIGN 0x20
+#define XKU_TIMESTAMP 0x40
+#define XKU_DVCS 0x80
+#define XKU_ANYEKU 0x100
+
+// X509_get_extended_key_usage returns a bitmask of extended key usages (see
+// Section 4.2.1.12 of RFC 5280) which |x509| is valid for. The result will be
+// a combination of |XKU_*| constants. If checking an extended key usage not
+// defined above, callers should extract the extended key usage extension
+// separately, e.g. via |X509_get_ext_d2i|.
+//
+// If |x509| has no extended key usage extension, all extended key usages are
+// valid and this function returns |UINT32_MAX|. If there was an error
+// processing |x509|'s extensions, or if |x509|'s extended key usage extension
+// contained no recognized usages, this function returns zero.
+OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x509);
+
+// X509_get0_subject_key_id returns |x509|'s subject key identifier, if present.
+// (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not
+// present or if some extension in |x509| was invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509);
+
+// X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key
+// identifier, if the extension and field are present. (See RFC 5280,
+// section 4.2.1.1.) It returns NULL if the extension is not present, if it is
+// present but lacks a keyIdentifier field, or if some extension in |x509| was
+// invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509);
+
+DEFINE_STACK_OF(GENERAL_NAME)
+typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
+
+// X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s
+// authority key identifier, if the extension and field are present. (See
+// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,
+// if it is present but lacks a authorityCertIssuer field, or if some extension
+// in |x509| was invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509);
+
+// X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s
+// authority key identifier, if the extension and field are present. (See
+// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,
+// if it is present but lacks a authorityCertSerialNumber field, or if some
+// extension in |x509| was invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509);
+
 // X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits
 // it.
 OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions(
@@ -244,6 +399,14 @@ OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit,
 // compatibility, but callers should not mutate the result.
 OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
+// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in
+// |x509|'s extension list.
+//
+// WARNING: This function is difficult to use correctly. See the documentation
+// for |X509V3_get_d2i| for details.
+OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid,
+ int *out_critical, int *out_idx);
+
 // X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s
 // TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|.
 //
@@ -283,6 +446,30 @@ OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp);
 // validation.
 OPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey);
+// X509_get1_email returns a newly-allocated list of NUL-terminated strings
+// containing all email addresses in |x509|'s subject and all rfc822name names
+// in |x509|'s subject alternative names. Email addresses which contain embedded
+// NUL bytes are skipped.
+//
+// On error, or if there are no such email addresses, it returns NULL. When
+// done, the caller must release the result with |X509_email_free|.
+OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_email(const X509 *x509);
+
+// X509_get1_ocsp returns a newly-allocated list of NUL-terminated strings
+// containing all OCSP URIs in |x509|. That is, it collects all URI
+// AccessDescriptions with an accessMethod of id-ad-ocsp in |x509|'s authority
+// information access extension. URIs which contain embedded NUL bytes are
+// skipped.
+//
+// On error, or if there are no such URIs, it returns NULL. When done, the
+// caller must release the result with |X509_email_free|.
+OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(const X509 *x509);
+
+// X509_email_free releases memory associated with |sk|, including |sk| itself.
+// Each |OPENSSL_STRING| in |sk| must be a NUL-terminated string allocated with
+// |OPENSSL_malloc|. If |sk| is NULL, no action is taken.
+OPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
+
 // Issuing certificates.
 //
@@ -347,6 +534,15 @@ OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
 // list.
 OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);
+// X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to
+// |x|'s extension list.
+//
+// WARNING: This function may return zero or -1 on error. The caller must also
+// ensure |value|'s type matches |nid|. See the documentation for
+// |X509V3_add1_i2d| for details.
+OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
+ unsigned long flags);
+
 // X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
 // signature fields. It returns the length of the signature on success and zero
 // on error. This function uses digest algorithm |md|, or |pkey|'s default if
@@ -359,6 +555,9 @@ OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);
 // zero on error. The signature algorithm and parameters come from |ctx|, which
 // must have been initialized with |EVP_DigestSignInit|. The caller should
 // configure the corresponding |EVP_PKEY_CTX| before calling this function.
+//
+// On success or failure, this function mutates |ctx| and resets it to the empty
+// state. Caller should not rely on its contents after the function returns.
 OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);
 // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described
@@ -401,7 +600,9 @@ OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig,
 // Unlike similarly-named functions, this function does not output a single
 // ASN.1 element. Directly embedding the output in a larger ASN.1 structure will
 // not behave correctly.
-OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, unsigned char **outp);
+//
+// TODO(crbug.com/boringssl/407): |x509| should be const.
+OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, uint8_t **outp);
 // d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509
 // Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific
@@ -413,19 +614,19 @@ OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, unsigned char **outp);
 // Unlike similarly-named functions, this function does not parse a single
 // ASN.1 element. Trying to parse data directly embedded in a larger ASN.1
 // structure will not behave correctly.
-OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const unsigned char **inp,
+OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const uint8_t **inp,
 long length);
 // X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is
 // NULL, the alias is cleared instead. Aliases are not part of the certificate
 // itself and will not be serialized by |i2d_X509|.
-OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const unsigned char *name,
+OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const uint8_t *name,
 ossl_ssize_t len);
 // X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is
 // NULL, the key ID is cleared instead. Key IDs are not part of the certificate
 // itself and will not be serialized by |i2d_X509|.
-OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const unsigned char *id,
+OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const uint8_t *id,
 ossl_ssize_t len);
 // X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the
@@ -440,7 +641,7 @@ OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const unsigned char *id, // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was // missing. Callers that target both OpenSSL and BoringSSL should set the value // to zero before calling this function. -OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x509, int *out_len); +OPENSSL_EXPORT const uint8_t *X509_alias_get0(const X509 *x509, int *out_len); // X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the // key ID's length and returns a pointer to a buffer containing the contents. If 
@@ -450,29 +651,50 @@ OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x509, int *out_len); // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was // missing. Callers that target both OpenSSL and BoringSSL should set the value // to zero before calling this function. -OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x509, int *out_len); +OPENSSL_EXPORT const uint8_t *X509_keyid_get0(const X509 *x509, int *out_len); + +// X509_add1_trust_object configures |x509| as a valid trust anchor for |obj|. +// It returns one on success and zero on error. |obj| should be a certificate +// usage OID associated with an |X509_TRUST| object. +// +// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated. +OPENSSL_EXPORT int X509_add1_trust_object(X509 *x509, const ASN1_OBJECT *obj); + +// X509_add1_reject_object configures |x509| as distrusted for |obj|. It returns +// one on success and zero on error. |obj| should be a certificate usage OID +// associated with an |X509_TRUST| object. +// +// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated. +OPENSSL_EXPORT int X509_add1_reject_object(X509 *x509, const ASN1_OBJECT *obj); + +// X509_trust_clear clears the list of OIDs for which |x509| is trusted. See +// also |X509_add1_trust_object|. +OPENSSL_EXPORT void X509_trust_clear(X509 *x509); + +// X509_reject_clear clears the list of OIDs for which |x509| is distrusted. See +// also |X509_add1_reject_object|. +OPENSSL_EXPORT void X509_reject_clear(X509 *x509); // Certificate revocation lists. // // An |X509_CRL| object represents an X.509 certificate revocation list (CRL), -// defined in RFC 5280. A CRL is a signed list of certificates which are no -// longer considered valid. +// defined in RFC 5280. A CRL is a signed list of certificates, the +// revokedCertificates field, which are no longer considered valid. 
Each entry +// of this list is represented with an |X509_REVOKED| object, documented in the +// "CRL entries" section below. // -// Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| can give -// incorrect results. Callers typically obtain |X509_CRL|s by parsing some input -// with |d2i_X509_CRL|, etc. Such objects carry information such as the -// serialized TBSCertList and decoded extensions, which will become inconsistent -// when mutated. +// Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| or its +// |X509_REVOKED|s can give incorrect results. Callers typically obtain +// |X509_CRL|s by parsing some input with |d2i_X509_CRL|, etc. Such objects +// carry information such as the serialized TBSCertList and decoded extensions, +// which will become inconsistent when mutated. // // Instead, mutation functions should only be used when issuing new CRLs, as // described in a later section. DEFINE_STACK_OF(X509_CRL) - -// X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC -// 5280) and C type is |X509_CRL*|. -DECLARE_ASN1_ITEM(X509_CRL) +DEFINE_STACK_OF(X509_REVOKED) // X509_CRL_up_ref adds one to the reference count of |crl| and returns one. OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl); 
@@ -522,6 +744,24 @@ OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); // const-correct for legacy reasons. OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); +// X509_CRL_get0_by_serial finds the entry in |crl| whose serial number is +// |serial|. If found, it sets |*out| to the entry and returns one. If not +// found, it returns zero. +// +// On success, |*out| continues to be owned by |crl|. It is an error to free or +// otherwise modify |*out|. +// +// TODO(crbug.com/boringssl/600): Ideally |crl| would be const. It is broadly +// thread-safe, but changes the order of entries in |crl|. It cannot be called +// concurrently with |i2d_X509_CRL|. +OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **out, + const ASN1_INTEGER *serial); + +// X509_CRL_get0_by_cert behaves like |X509_CRL_get0_by_serial|, except it looks +// for the entry that matches |x509|. +OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **out, + X509 *x509); + // X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or // NULL if |crl| omits it. // @@ -531,7 +771,9 @@ OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); // X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl| -// omits it. +// omits it. A CRL can have extensions on individual entries, which is +// |X509_REVOKED_get0_extensions|, or on the overall CRL, which is this +// function. OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions( const X509_CRL *crl); 
@@ -558,6 +800,14 @@ OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, // compatibility, but callers should not mutate the result. OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc); +// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the +// extension in |crl|'s extension list. +// +// WARNING: This function is difficult to use correctly. See the documentation +// for |X509V3_get_d2i| for details. +OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, + int *out_critical, int *out_idx); + // X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and // signature algorithm of |crl|, respectively. Either output pointer may be NULL // to ignore the value. @@ -619,6 +869,15 @@ OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm); // on success and zero on error. OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm); +// X509_CRL_add0_revoked adds |rev| to |crl|. On success, it takes ownership of +// |rev| and returns one. On error, it returns zero. If this function fails, the +// caller retains ownership of |rev| and must release it when done. +OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); + +// X509_CRL_sort sorts the entries in |crl| by serial number. It returns one on +// success and zero on error. +OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl); + // X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns // the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the // caller must release the result with |X509_EXTENSION_free|. 
@@ -634,6 +893,15 @@ OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex, int loc); +// X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension +// to |x|'s extension list. +// +// WARNING: This function may return zero or -1 on error. The caller must also +// ensure |value|'s type matches |nid|. See the documentation for +// |X509V3_add1_i2d| for details. +OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, + int crit, unsigned long flags); + // X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm // and signature fields. It returns the length of the signature on success and // zero on error. This function uses digest algorithm |md|, or |pkey|'s default @@ -647,6 +915,9 @@ OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey, // zero on error. The signature algorithm and parameters come from |ctx|, which // must have been initialized with |EVP_DigestSignInit|. The caller should // configure the corresponding |EVP_PKEY_CTX| before calling this function. +// +// On success or failure, this function mutates |ctx| and resets it to the empty +// state. Caller should not rely on its contents after the function returns. OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx); // i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described 
@@ -677,6 +948,123 @@ OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl, size_t sig_len); +// CRL entries. +// +// Each entry of a CRL is represented as an |X509_REVOKED| object, which +// describes a revoked certificate by serial number. +// +// When an |X509_REVOKED| is obtained from an |X509_CRL| object, it is an error +// to mutate the object. Doing so may break |X509_CRL|'s and cause the library +// to behave incorrectly. + +// X509_REVOKED_new returns a newly-allocated, empty |X509_REVOKED| object, or +// NULL on allocation error. +OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_new(void); + +// X509_REVOKED_free releases memory associated with |rev|. +OPENSSL_EXPORT void X509_REVOKED_free(X509_REVOKED *rev); + +// d2i_X509_REVOKED parses up to |len| bytes from |*inp| as a DER-encoded X.509 +// CRL entry, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT X509_REVOKED *d2i_X509_REVOKED(X509_REVOKED **out, + const uint8_t **inp, long len); + +// i2d_X509_REVOKED marshals |alg| as a DER-encoded X.509 CRL entry, as +// described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_X509_REVOKED(const X509_REVOKED *alg, uint8_t **outp); + +// X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error. +// This function works by serializing the structure, so if |rev| is incomplete, +// it may fail. +OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev); + +// X509_REVOKED_get0_serialNumber returns the serial number of the certificate +// revoked by |revoked|. +OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber( + const X509_REVOKED *revoked); + +// X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It +// returns one on success or zero on error. +OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked, + const ASN1_INTEGER *serial); + +// X509_REVOKED_get0_revocationDate returns the revocation time of the +// certificate revoked by |revoked|. 
+OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate( + const X509_REVOKED *revoked); + +// X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It +// returns one on success or zero on error. +OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked, + const ASN1_TIME *tm); + +// X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r| +// omits it. A CRL can have extensions on individual entries, which is this +// function, or on the overall CRL, which is |X509_CRL_get0_extensions|. +OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions( + const X509_REVOKED *r); + + // X509_REVOKED_get_ext_count returns the number of extensions in |x|. +OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x); + +// X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches +// for extensions in |x|. +OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, + int lastpos); + +// X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches +// for extensions in |x|. +OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, + const ASN1_OBJECT *obj, + int lastpos); + +// X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| +// but searches for extensions in |x|. +OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, + int crit, int lastpos); + +// X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if +// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL +// compatibility, but callers should not mutate the result. +OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, + int loc); + +// X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and +// returns the removed extension, or NULL if |loc| was out of bounds. 
If +// non-NULL, the caller must release the result with |X509_EXTENSION_free|. +OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, + int loc); + +// X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success +// and zero on failure. The caller retains ownership of |ex| and can release it +// independently of |x|. +// +// The new extension is inserted at index |loc|, shifting extensions to the +// right. If |loc| is -1 or out of bounds, the new extension is appended to the +// list. +OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x, + const X509_EXTENSION *ex, int loc); + +// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the +// extension in |revoked|'s extension list. +// +// WARNING: This function is difficult to use correctly. See the documentation +// for |X509V3_get_d2i| for details. +OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked, + int nid, int *out_critical, + int *out_idx); + +// X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the +// extension to |x|'s extension list. +// +// WARNING: This function may return zero or -1 on error. The caller must also +// ensure |value|'s type matches |nid|. See the documentation for +// |X509V3_add1_i2d| for details. +OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, + void *value, int crit, + unsigned long flags); + + // Certificate requests. // // An |X509_REQ| represents a PKCS #10 certificate request (RFC 2986). These are 
@@ -692,10 +1080,6 @@ OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl, // Instead, mutation functions should only be used when issuing new CRLs, as // described in a later section. -// X509_REQ is an |ASN1_ITEM| whose ASN.1 type is CertificateRequest (RFC 2986) -// and C type is |X509_REQ*|. -DECLARE_ASN1_ITEM(X509_REQ) - // X509_REQ_dup returns a newly-allocated copy of |req|, or NULL on error. This // function works by serializing the structure, so if |req| is incomplete, it // may fail. @@ -735,11 +1119,21 @@ OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req); // not const-correct for legacy reasons. OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); -// X509_REQ_get_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if -// the public key was unsupported or could not be decoded. This function returns -// a reference to the |EVP_PKEY|. The caller must release the result with -// |EVP_PKEY_free| when done. -OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); +// X509_REQ_get0_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if +// the public key was unsupported or could not be decoded. The |EVP_PKEY| is +// cached in |req|, so callers must not mutate the result. +OPENSSL_EXPORT EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req); + +// X509_REQ_get_pubkey behaves like |X509_REQ_get0_pubkey| but increments the +// reference count on the |EVP_PKEY|. The caller must release the result with +// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |req|, so callers must +// not mutate the result. +OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(const X509_REQ *req); + +// X509_REQ_check_private_key returns one if |req|'s public key matches |pkey| +// and zero otherwise. +OPENSSL_EXPORT int X509_REQ_check_private_key(const X509_REQ *req, + const EVP_PKEY *pkey); // X509_REQ_get_attr_count returns the number of attributes in |req|. OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req); 
@@ -770,16 +1164,18 @@ OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, // (a Microsoft szOID_CERT_EXTENSIONS variant). OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); -// X509_REQ_get_extensions decodes the list of requested extensions in |req| and -// returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result. -// It returns NULL on error, or if |req| did not request extensions. +// X509_REQ_get_extensions decodes the most preferred list of requested +// extensions in |req| and returns a newly-allocated |STACK_OF(X509_EXTENSION)| +// containing the result. It returns NULL on error, or if |req| did not request +// extensions. // // CSRs do not store extensions directly. Instead there are attribute types // which are defined to hold extensions. See |X509_REQ_extension_nid|. This // function supports both pkcs-9-at-extensionRequest from RFC 2985 and the // Microsoft szOID_CERT_EXTENSIONS variant. If both are present, // pkcs-9-at-extensionRequest is preferred. -OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); +OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions( + const X509_REQ *req); // X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and // signature algorithm of |req|, respectively. Either output pointer may be NULL 
@@ -797,6 +1193,17 @@ OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req); // one if the signature is valid and zero otherwise. OPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey); +// X509_REQ_get1_email returns a newly-allocated list of NUL-terminated strings +// containing all email addresses in |req|'s subject and all rfc822name names +// in |req|'s subject alternative names. The subject alternative names extension +// is extracted from the result of |X509_REQ_get_extensions|. Email addresses +// which contain embedded NUL bytes are skipped. +// +// On error, or if there are no such email addresses, it returns NULL. When +// done, the caller must release the result with |X509_email_free|. +OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email( + const X509_REQ *req); + // Issuing certificate requests. // @@ -886,6 +1293,9 @@ OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey, // zero on error. The signature algorithm and parameters come from |ctx|, which // must have been initialized with |EVP_DigestSignInit|. The caller should // configure the corresponding |EVP_PKEY_CTX| before calling this function. +// +// On success or failure, this function mutates |ctx| and resets it to the empty +// state. Caller should not rely on its contents after the function returns. OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx); // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986) @@ -944,8 +1354,7 @@ DEFINE_STACK_OF(X509_NAME) // type is |X509_NAME*|. DECLARE_ASN1_ITEM(X509_NAME) -// X509_NAME_new returns a new, empty |X509_NAME_new|, or NULL on -// error. +// X509_NAME_new returns a new, empty |X509_NAME|, or NULL on error. OPENSSL_EXPORT X509_NAME *X509_NAME_new(void); // X509_NAME_free releases memory associated with |name|. 
@@ -971,12 +1380,30 @@ OPENSSL_EXPORT int i2d_X509_NAME(X509_NAME *in, uint8_t **outp); // mutated. OPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *name); -// X509_NAME_get0_der sets |*out_der| and |*out_der_len| +// X509_NAME_cmp compares |a| and |b|'s canonicalized forms. It returns zero if +// they are equal, one if |a| sorts after |b|, -1 if |b| sorts after |a|, and -2 +// on error. +// +// TODO(https://crbug.com/boringssl/407): This function is const, but it is not +// always thread-safe, notably if |name| was mutated. +// +// TODO(https://crbug.com/boringssl/355): The -2 return is very inconvenient to +// pass to a sorting function. Can we make this infallible? In the meantime, +// prefer to use this function only for equality checks rather than comparisons. +// Although even the library itself passes this to a sorting function. +OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); + +// X509_NAME_get0_der marshals |name| as a DER-encoded X.509 Name (RFC 5280). On +// success, it returns one and sets |*out_der| and |*out_der_len| to a buffer +// containing the result. Otherwise, it returns zero. |*out_der| is owned by +// |name| and must not be freed by the caller. It is invalidated after |name| is +// mutated or freed. // // Avoid this function and prefer |i2d_X509_NAME|. It is one of the reasons -// these functions are not consistently thread-safe or const-correct. Depending -// on the resolution of https://crbug.com/boringssl/407, this function may be -// removed or cause poor performance. +// |X509_NAME| functions, including this one, are not consistently thread-safe +// or const-correct. Depending on the resolution of +// https://crbug.com/boringssl/407, this function may be removed or cause poor +// performance. OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *name, const uint8_t **out_der, size_t *out_der_len); 
@@ -1063,28 +1490,12 @@ OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name, ossl_ssize_t len, int loc, int set); -// X509_NAME_ENTRY is an |ASN1_ITEM| whose ASN.1 type is AttributeTypeAndValue -// (RFC 5280) and C type is |X509_NAME_ENTRY*|. -DECLARE_ASN1_ITEM(X509_NAME_ENTRY) - -// X509_NAME_ENTRY_new returns a new, empty |X509_NAME_ENTRY_new|, or NULL on -// error. +// X509_NAME_ENTRY_new returns a new, empty |X509_NAME_ENTRY|, or NULL on error. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_new(void); // X509_NAME_ENTRY_free releases memory associated with |entry|. OPENSSL_EXPORT void X509_NAME_ENTRY_free(X509_NAME_ENTRY *entry); -// d2i_X509_NAME_ENTRY parses up to |len| bytes from |*inp| as a DER-encoded -// AttributeTypeAndValue (RFC 5280), as described in |d2i_SAMPLE|. -OPENSSL_EXPORT X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **out, - const uint8_t **inp, - long len); - -// i2d_X509_NAME_ENTRY marshals |in| as a DER-encoded AttributeTypeAndValue (RFC -// 5280), as described in |i2d_SAMPLE|. -OPENSSL_EXPORT int i2d_X509_NAME_ENTRY(const X509_NAME_ENTRY *in, - uint8_t **outp); - // X509_NAME_ENTRY_dup returns a newly-allocated copy of |entry|, or NULL on // error. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup( 
@@ -1160,6 +1571,81 @@ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt( ossl_ssize_t len); +// Public keys. +// +// X.509 encodes public keys as SubjectPublicKeyInfo (RFC 5280), sometimes +// referred to as SPKI. These are represented in this library by |X509_PUBKEY|. + +// X509_PUBKEY_new returns a newly-allocated, empty |X509_PUBKEY| object, or +// NULL on error. +OPENSSL_EXPORT X509_PUBKEY *X509_PUBKEY_new(void); + +// X509_PUBKEY_free releases memory associated with |key|. +OPENSSL_EXPORT void X509_PUBKEY_free(X509_PUBKEY *key); + +// d2i_X509_PUBKEY parses up to |len| bytes from |*inp| as a DER-encoded +// SubjectPublicKeyInfo, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT X509_PUBKEY *d2i_X509_PUBKEY(X509_PUBKEY **out, + const uint8_t **inp, long len); + +// i2d_X509_PUBKEY marshals |key| as a DER-encoded SubjectPublicKeyInfo, as +// described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_X509_PUBKEY(const X509_PUBKEY *key, uint8_t **outp); + +// X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY| +// structure. On success, it frees |*x| if non-NULL, then sets |*x| to the new +// object, and returns one. Otherwise, it returns zero. +OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); + +// X509_PUBKEY_get0 returns |key| as an |EVP_PKEY|, or NULL if |key| either +// could not be parsed or is an unrecognized algorithm. The |EVP_PKEY| is cached +// in |key|, so callers must not mutate the result. +OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key); + +// X509_PUBKEY_get behaves like |X509_PUBKEY_get0| but increments the reference +// count on the |EVP_PKEY|. The caller must release the result with +// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must +// not mutate the result. 
+OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key); + +// X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier +// determined by |obj|, |param_type|, and |param_value|, and an encoded +// public key of |key|. On success, it gives |pub| ownership of all the other +// parameters and returns one. Otherwise, it returns zero. |key| must have been +// allocated by |OPENSSL_malloc|. |obj| and, if applicable, |param_value| must +// not be freed after a successful call, and must have been allocated in a +// manner compatible with |ASN1_OBJECT_free| or |ASN1_STRING_free|. +// +// |obj|, |param_type|, and |param_value| are interpreted as in +// |X509_ALGOR_set0|. See |X509_ALGOR_set0| for details. +OPENSSL_EXPORT int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, + int param_type, void *param_value, + uint8_t *key, int key_len); + +// X509_PUBKEY_get0_param outputs fields of |pub| and returns one. If |out_obj| +// is not NULL, it sets |*out_obj| to AlgorithmIdentifier's OID. If |out_key| +// is not NULL, it sets |*out_key| and |*out_key_len| to the encoded public key. +// If |out_alg| is not NULL, it sets |*out_alg| to the AlgorithmIdentifier. +// +// All pointers outputted by this function are internal to |pub| and must not be +// freed by the caller. Additionally, although some outputs are non-const, +// callers must not mutate the resulting objects. +// +// Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a +// BIT STRING. |*out_key| and |*out_key_len| will silently pad the key with zero +// bits if |pub| did not contain a whole number of bytes. Use +// |X509_PUBKEY_get0_public_key| to preserve this information. +OPENSSL_EXPORT int X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj, + const uint8_t **out_key, + int *out_key_len, + X509_ALGOR **out_alg, + X509_PUBKEY *pub); + +// X509_PUBKEY_get0_public_key returns |pub|'s encoded public key. 
+OPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key( + const X509_PUBKEY *pub); + + // Extensions. // // X.509 certificates and CRLs may contain a list of extensions (RFC 5280). @@ -1250,10 +1736,6 @@ OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex, DEFINE_STACK_OF(X509_EXTENSION) typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; -// X509_EXTENSIONS is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE of Extension -// (RFC 5280) and C type is |STACK_OF(X509_EXTENSION)*|. -DECLARE_ASN1_ITEM(X509_EXTENSIONS) - // d2i_X509_EXTENSIONS parses up to |len| bytes from |*inp| as a DER-encoded // SEQUENCE OF Extension (RFC 5280), as described in |d2i_SAMPLE|. OPENSSL_EXPORT X509_EXTENSIONS *d2i_X509_EXTENSIONS(X509_EXTENSIONS **out, 
@@ -1317,7 +1799,182 @@ OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext( STACK_OF(X509_EXTENSION) **x, const X509_EXTENSION *ex, int loc); -// Algorithm identifiers. +// General names. +// +// A |GENERAL_NAME| represents an X.509 GeneralName structure, defined in RFC +// 5280, Section 4.2.1.6. General names are distinct from names (|X509_NAME|). A +// general name is a CHOICE type which may contain one of several name types, +// most commonly a DNS name or an IP address. General names most commonly appear +// in the subject alternative name (SAN) extension, though they are also used in +// other extensions. +// +// Many extensions contain a SEQUENCE OF GeneralName, or GeneralNames, so +// |STACK_OF(GENERAL_NAME)| is defined and aliased to |GENERAL_NAMES|. + +typedef struct otherName_st { + ASN1_OBJECT *type_id; + ASN1_TYPE *value; +} OTHERNAME; + +typedef struct EDIPartyName_st { + ASN1_STRING *nameAssigner; + ASN1_STRING *partyName; +} EDIPARTYNAME; + +// GEN_* are constants for the |type| field of |GENERAL_NAME|, defined below. +#define GEN_OTHERNAME 0 +#define GEN_EMAIL 1 +#define GEN_DNS 2 +#define GEN_X400 3 +#define GEN_DIRNAME 4 +#define GEN_EDIPARTY 5 +#define GEN_URI 6 +#define GEN_IPADD 7 +#define GEN_RID 8 + +// A GENERAL_NAME_st, aka |GENERAL_NAME|, represents an X.509 GeneralName. The +// |type| field determines which member of |d| is active. A |GENERAL_NAME| may +// also be empty, in which case |type| is -1 and |d| is NULL. Empty +// |GENERAL_NAME|s are invalid and will never be returned from the parser, but +// may be created temporarily, e.g. by |GENERAL_NAME_new|. 
+struct GENERAL_NAME_st { + int type; + union { + char *ptr; + OTHERNAME *otherName; + ASN1_IA5STRING *rfc822Name; + ASN1_IA5STRING *dNSName; + ASN1_STRING *x400Address; + X509_NAME *directoryName; + EDIPARTYNAME *ediPartyName; + ASN1_IA5STRING *uniformResourceIdentifier; + ASN1_OCTET_STRING *iPAddress; + ASN1_OBJECT *registeredID; + + // Old names + ASN1_OCTET_STRING *ip; // iPAddress + X509_NAME *dirn; // dirn + ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier + ASN1_OBJECT *rid; // registeredID + } d; +} /* GENERAL_NAME */; + +// GENERAL_NAME_new returns a new, empty |GENERAL_NAME|, or NULL on error. +OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_new(void); + +// GENERAL_NAME_free releases memory associated with |gen|. +OPENSSL_EXPORT void GENERAL_NAME_free(GENERAL_NAME *gen); + +// d2i_GENERAL_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509 +// GeneralName (RFC 5280), as described in |d2i_SAMPLE|. +OPENSSL_EXPORT GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **out, + const uint8_t **inp, long len); + +// i2d_GENERAL_NAME marshals |in| as a DER-encoded X.509 GeneralName (RFC 5280), +// as described in |i2d_SAMPLE|. +// +// TODO(https://crbug.com/boringssl/407): This function should be const and +// thread-safe but is currently neither in some cases, notably if |in| is an +// directoryName and the |X509_NAME| has been modified. +OPENSSL_EXPORT int i2d_GENERAL_NAME(GENERAL_NAME *in, uint8_t **outp); + +// GENERAL_NAME_dup returns a newly-allocated copy of |gen|, or NULL on error. +// This function works by serializing the structure, so it will fail if |gen| is +// empty. +// +// TODO(https://crbug.com/boringssl/407): This function should be const and +// thread-safe but is currently neither in some cases, notably if |gen| is an +// directoryName and the |X509_NAME| has been modified. +OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *gen); + +// GENERAL_NAMES_new returns a new, empty |GENERAL_NAMES|, or NULL on error. 
+OPENSSL_EXPORT GENERAL_NAMES *GENERAL_NAMES_new(void); + +// GENERAL_NAMES_free releases memory associated with |gens|. +OPENSSL_EXPORT void GENERAL_NAMES_free(GENERAL_NAMES *gens); + +// d2i_GENERAL_NAMES parses up to |len| bytes from |*inp| as a DER-encoded +// SEQUENCE OF GeneralName, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **out, + const uint8_t **inp, long len); + +// i2d_GENERAL_NAMES marshals |in| as a DER-encoded SEQUENCE OF GeneralName, as +// described in |i2d_SAMPLE|. +// +// TODO(https://crbug.com/boringssl/407): This function should be const and +// thread-safe but is currently neither in some cases, notably if some element +// of |in| is an directoryName and the |X509_NAME| has been modified. +OPENSSL_EXPORT int i2d_GENERAL_NAMES(GENERAL_NAMES *in, uint8_t **outp); + +// OTHERNAME_new returns a new, empty |OTHERNAME|, or NULL on error. +OPENSSL_EXPORT OTHERNAME *OTHERNAME_new(void); + +// OTHERNAME_free releases memory associated with |name|. +OPENSSL_EXPORT void OTHERNAME_free(OTHERNAME *name); + +// EDIPARTYNAME_new returns a new, empty |EDIPARTYNAME|, or NULL on error. +// EDIPartyName is rarely used in practice, so callers are unlikely to need this +// function. +OPENSSL_EXPORT EDIPARTYNAME *EDIPARTYNAME_new(void); + +// EDIPARTYNAME_free releases memory associated with |name|. EDIPartyName is +// rarely used in practice, so callers are unlikely to need this function. +OPENSSL_EXPORT void EDIPARTYNAME_free(EDIPARTYNAME *name); + +// GENERAL_NAME_set0_value set |gen|'s type and value to |type| and |value|. +// |type| must be a |GEN_*| constant and |value| must be an object of the +// corresponding type. |gen| takes ownership of |value|, so |value| must have +// been an allocated object. +// +// WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|) +// before calling this function. If |gen| already contained a value, the +// previous contents will be leaked. 
+OPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *gen, int type,
+ void *value);
+
+// GENERAL_NAME_get0_value returns the in-memory representation of |gen|'s
+// contents and, |out_type| is not NULL, sets |*out_type| to the type of |gen|,
+// which will be a |GEN_*| constant. If |gen| is incomplete, the return value
+// will be NULL and the type will be -1.
+//
+// WARNING: Casting the result of this function to the wrong type is a
+// potentially exploitable memory error. Callers must check |gen|'s type, either
+// via |*out_type| or checking |gen->type| directly, before inspecting the
+// result.
+//
+// WARNING: This function is not const-correct. The return value should be
+// const. Callers shoudl not mutate the returned object.
+OPENSSL_EXPORT void *GENERAL_NAME_get0_value(const GENERAL_NAME *gen,
+ int *out_type);
+
+// GENERAL_NAME_set0_othername sets |gen| to be an OtherName with type |oid| and
+// value |value|. On success, it returns one and takes ownership of |oid| and
+// |value|, which must be created in a way compatible with |ASN1_OBJECT_free|
+// and |ASN1_TYPE_free|, respectively. On allocation failure, it returns zero.
+// In the failure case, the caller retains ownership of |oid| and |value| and
+// must release them when done.
+//
+// WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|)
+// before calling this function. If |gen| already contained a value, the
+// previously contents will be leaked.
+OPENSSL_EXPORT int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
+ ASN1_OBJECT *oid,
+ ASN1_TYPE *value);
+
+// GENERAL_NAME_get0_otherName, if |gen| is an OtherName, sets |*out_oid| and
+// |*out_value| to the OtherName's type-id and value, respectively, and returns
+// one. If |gen| is not an OtherName, it returns zero and leaves |*out_oid| and
+// |*out_value| unmodified. Either of |out_oid| or |out_value| may be NULL to
+// ignore the value.
+//
+// WARNING: This function is not const-correct. |out_oid| and |out_value| are
+// not const, but callers should not mutate the resulting objects.
+OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen,
+ ASN1_OBJECT **out_oid,
+ ASN1_TYPE **out_value);
+
+
+// Algorithm identifiers.
 //
 // An |X509_ALGOR| represents an AlgorithmIdentifier structure, used in X.509
 // to represent signature algorithms and public key algorithms.
@@ -1407,10 +2064,6 @@ OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
 DEFINE_STACK_OF(X509_ATTRIBUTE)
-// X509_ATTRIBUTE is an |ASN1_ITEM| whose ASN.1 type is Attribute (RFC 2986) and
-// C type is |X509_ATTRIBUTE*|.
-DECLARE_ASN1_ITEM(X509_ATTRIBUTE)
-
 // X509_ATTRIBUTE_new returns a newly-allocated, empty |X509_ATTRIBUTE| object,
 // or NULL on error. |X509_ATTRIBUTE_set1_*| may be used to finish initializing
 // it.
@@ -1480,21 +2133,21 @@ OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr,
 // X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns
 // one on success or zero on error. The value is determined as follows:
 //
-// If |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 string. The
-// string is determined by decoding |len| bytes from |data| in the encoding
-// specified by |attrtype|, and then re-encoding it in a form appropriate for
-// |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See
-// |ASN1_STRING_set_by_NID| for details.
+// If |attrtype| is zero, this function returns one and does nothing. This form
+// may be used when calling |X509_ATTRIBUTE_create_by_*| to create an attribute
+// with an empty value set. Such attributes are invalid, but OpenSSL supports
+// creating them.
+//
+// Otherwise, if |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1
+// string. The string is determined by decoding |len| bytes from |data| in the
+// encoding specified by |attrtype|, and then re-encoding it in a form
+// appropriate for |attr|'s type. If |len| is -1, |strlen(data)| is used
+// instead. See |ASN1_STRING_set_by_NID| for details.
 //
 // Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an
 // |ASN1_STRING| type value and the |len| bytes from |data| are copied as the
 // type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details.
 //
-// WARNING: If this form is used to construct a negative INTEGER or ENUMERATED,
-// |attrtype| includes the |V_ASN1_NEG| flag for |ASN1_STRING|, but the function
-// forgets to clear the flag for |ASN1_TYPE|. This matches OpenSSL but is
-// probably a bug. For now, do not use this form with negative values.
-//
 // Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and
 // |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value,
 // and |data| is cast to the corresponding pointer type.
@@ -1533,148 +2186,911 @@ OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr,
 int idx);
-// SignedPublicKeyAndChallenge structures.
+// Certificate stores.
 //
-// The SignedPublicKeyAndChallenge (SPKAC) is a legacy structure to request
-certificates, primarily in the legacy HTML tag. An SPKAC structure
-is represented by a |NETSCAPE_SPKI| structure.
+// An |X509_STORE| contains trusted certificates, CRLs, and verification
+// parameters that are shared between multiple certificate verifications.
 //
-// The structure is described in
-// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
-
-// A Netscape_spki_st, or |NETSCAPE_SPKI|, represents a
-// SignedPublicKeyAndChallenge structure. Although this structure contains a
-// |spkac| field of type |NETSCAPE_SPKAC|, these are misnamed. The SPKAC is the
-// entire structure, not the signed portion.
-struct Netscape_spki_st {
- NETSCAPE_SPKAC *spkac;
- X509_ALGOR *sig_algor;
- ASN1_BIT_STRING *signature;
-} /* NETSCAPE_SPKI */;
+// Certificates in an |X509_STORE| are referred to as "trusted certificates",
+// but an individual certificate verification may not necessarily treat every
+// trusted certificate as a trust anchor. See |X509_VERIFY_PARAM_set_trust| for
+// details.
+//
+// WARNING: Although a trusted certificate which fails the
+// |X509_VERIFY_PARAM_set_trust| check is functionally an untrusted
+// intermediate certificate, callers should not rely on this to configure
+// untrusted intermediates in an |X509_STORE|. The trust check is complex, so
+// this risks inadvertently treating it as a trust anchor. Instead, configure
+// untrusted intermediates with the |chain| parameter of |X509_STORE_CTX_init|.
+//
+// Certificates in |X509_STORE| may be specified in several ways:
+// - Added by |X509_STORE_add_cert|.
+// - Returned by an |X509_LOOKUP| added by |X509_STORE_add_lookup|.
+//
+// |X509_STORE|s are reference-counted and may be shared by certificate
+// verifications running concurrently on multiple threads. However, an
+// |X509_STORE|'s verification parameters may not be modified concurrently with
+// certificate verification or other operations. Unless otherwise documented,
+// functions which take const pointer may be used concurrently, while
+// functions which take a non-const pointer may not. Callers that wish to modify
+// verification parameters in a shared |X509_STORE| should instead modify
+// |X509_STORE_CTX|s individually.
+
+// X509_STORE_new returns a newly-allocated |X509_STORE|, or NULL on error.
+OPENSSL_EXPORT X509_STORE *X509_STORE_new(void);
-// NETSCAPE_SPKI is an |ASN1_ITEM| whose ASN.1 type is
-// SignedPublicKeyAndChallenge and C type is |NETSCAPE_SPKI*|.
-DECLARE_ASN1_ITEM(NETSCAPE_SPKI)
+// X509_STORE_up_ref adds one to the reference count of |store| and returns one.
+// Although |store| is not const, this function's use of |store| is thread-safe.
+OPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store);
-// NETSCAPE_SPKI_new returns a newly-allocated, empty |NETSCAPE_SPKI| object, or
-// NULL on error.
-OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
+// X509_STORE_free releases memory associated with |store|.
+OPENSSL_EXPORT void X509_STORE_free(X509_STORE *store);
-// NETSCAPE_SPKI_free releases memory associated with |spki|.
-OPENSSL_EXPORT void NETSCAPE_SPKI_free(NETSCAPE_SPKI *spki);
+// X509_STORE_add_cert adds |x509| to |store| as a trusted certificate. It
+// returns one on success and zero on error. This function internally increments
+// |x509|'s reference count, so the caller retains ownership of |x509|.
+//
+// Certificates configured by this function are still subject to the checks
+// described in |X509_VERIFY_PARAM_set_trust|.
+//
+// Although |store| is not const, this function's use of |store| is thread-safe.
+// However, if this function is called concurrently with |X509_verify_cert|, it
+// is a race condition whether |x509| is available for issuer lookups.
+// Moreover, the result may differ for each issuer lookup performed by a single
+// |X509_verify_cert| call.
+OPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *store, X509 *x509);
+
+// X509_STORE_add_crl adds |crl| to |store|. It returns one on success and zero
+// on error. This function internally increments |crl|'s reference count, so the
+// caller retains ownership of |crl|. CRLs added in this way are candidates for
+// CRL lookup when |X509_V_FLAG_CRL_CHECK| is set.
+//
+// Although |store| is not const, this function's use of |store| is thread-safe.
+// However, if this function is called concurrently with |X509_verify_cert|, it
+// is a race condition whether |crl| is available for CRL checks. Moreover, the
+// result may differ for each CRL check performed by a single
+// |X509_verify_cert| call.
+//
+// Note there are no supported APIs to remove CRLs from |store| once inserted.
+// To vary the set of CRLs over time, callers should either create a new
+// |X509_STORE| or configure CRLs on a per-verification basis with
+// |X509_STORE_CTX_set0_crls|.
+OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *store, X509_CRL *crl);
+
+// X509_STORE_get0_param returns |store|'s verification parameters. This object
+// is mutable and may be modified by the caller. For an individual certificate
+// verification operation, |X509_STORE_CTX_init| initializes the
+// |X509_STORE_CTX|'s parameters with these parameters.
+//
+// WARNING: |X509_STORE_CTX_init| applies some default parameters (as in
+// |X509_VERIFY_PARAM_inherit|) after copying |store|'s parameters. This means
+// it is impossible to leave some parameters unset at |store|. They must be
+// explicitly unset after creating the |X509_STORE_CTX|.
+//
+// As of writing these late defaults are a depth limit (see
+// |X509_VERIFY_PARAM_set_depth|) and the |X509_V_FLAG_TRUSTED_FIRST| flag. This
+// warning does not apply if the parameters were set in |store|.
+//
+// TODO(crbug.com/boringssl/441): This behavior is very surprising. Can we
+// remove this notion of late defaults? The unsettable value at |X509_STORE| is
+// -1, which rejects everything but explicitly-trusted self-signed certificates.
+// |X509_V_FLAG_TRUSTED_FIRST| is mostly a workaround for poor path-building.
+OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store);
+
+// X509_STORE_set1_param copies verification parameters from |param| as in
+// |X509_VERIFY_PARAM_set1|. It returns one on success and zero on error.
+OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *store,
+ const X509_VERIFY_PARAM *param);
+
+// X509_STORE_set_flags enables all values in |flags| in |store|'s verification
+// flags. |flags| should be a combination of |X509_V_FLAG_*| constants.
+//
+// WARNING: These flags will be combined with default flags when copied to an
+// |X509_STORE_CTX|. This means it is impossible to unset those defaults from
+// the |X509_STORE|. See discussion in |X509_STORE_get0_param|.
+OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *store, unsigned long flags);
+
+// X509_STORE_set_depth configures |store| to, by default, limit certificate
+// chains to |depth| intermediate certificates. This count excludes both the
+// target certificate and the trust anchor (root certificate).
+OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth);
-// d2i_NETSCAPE_SPKI parses up to |len| bytes from |*inp| as a DER-encoded
-// SignedPublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.
-OPENSSL_EXPORT NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **out,
- const uint8_t **inp, long len);
+// X509_STORE_set_purpose configures the purpose check for |store|. See
+// |X509_VERIFY_PARAM_set_purpose| for details.
+OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *store, int purpose);
-// i2d_NETSCAPE_SPKI marshals |spki| as a DER-encoded
-// SignedPublicKeyAndChallenge structure, as described in |i2d_SAMPLE|.
-OPENSSL_EXPORT int i2d_NETSCAPE_SPKI(const NETSCAPE_SPKI *spki, uint8_t **outp);
+// X509_STORE_set_trust configures the trust check for |store|. See
+// |X509_VERIFY_PARAM_set_trust| for details.
+OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *store, int trust);
-// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It
-// returns one if the signature is valid and zero otherwise.
-OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey);
-// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded
-// SignedPublicKeyAndChallenge structure. It returns a newly-allocated
-// |NETSCAPE_SPKI| structure with the result, or NULL on error. If |len| is 0 or
-// negative, the length is calculated with |strlen| and |str| must be a
-// NUL-terminated C string.
-OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str,
- ossl_ssize_t len);
+// Certificate verification.
+//
+// An |X509_STORE_CTX| object represents a single certificate verification
+// operation. To verify a certificate chain, callers construct an
+// |X509_STORE_CTX|, initialize it with |X509_STORE_CTX_init|, configure extra
+// parameters with |X509_STORE_CTX_get0_param|, and call |X509_verify_cert|.
-// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded
-// SignedPublicKeyAndChallenge structure. It returns a newly-allocated
-// NUL-terminated C string with the result, or NULL on error. The caller must
-// release the memory with |OPENSSL_free| when done.
-OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki);
+// X509_STORE_CTX_new returns a newly-allocated, empty |X509_STORE_CTX|, or NULL
+// on error.
+OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void);
-// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an
-// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting
-// pointer and must call |EVP_PKEY_free| when done.
-OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki);
+// X509_STORE_CTX_free releases memory associated with |ctx|.
+OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
-// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
-// on success or zero on error. This function does not take ownership of |pkey|,
-// so the caller may continue to manage its lifetime independently of |spki|.
-OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
- EVP_PKEY *pkey);
+// X509_STORE_CTX_init initializes |ctx| to verify |x509|, using trusted
+// certificates and parameters in |store|. It returns one on success and zero on
+// error. |chain| is a list of untrusted intermediate certificates to use in
+// verification.
+//
+// |ctx| stores pointers to |store|, |x509|, and |chain|. Each of these objects
+// must outlive |ctx| and may not be mutated for the duration of the certificate
+// verification.
+OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
+ X509 *x509, STACK_OF(X509) *chain);
-// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
-// algorithm and signature fields. It returns the length of the signature on
-// success and zero on error. This function uses digest algorithm |md|, or
-// |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults.
-OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
- const EVP_MD *md);
+// X509_verify_cert performs certifice verification with |ctx|, which must have
+// been initialized with |X509_STORE_CTX_init|. It returns one on success and
+// zero on error. On success, |X509_STORE_CTX_get0_chain| or
+// |X509_STORE_CTX_get1_chain| may be used to return the verified certificate
+// chain. On error, |X509_STORE_CTX_get_error| may be used to return additional
+// error information.
+OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
-// A Netscape_spkac_st, or |NETSCAPE_SPKAC|, represents a PublicKeyAndChallenge
-// structure. This type is misnamed. The full SPKAC includes the signature,
-// which is represented with the |NETSCAPE_SPKI| type.
-struct Netscape_spkac_st {
- X509_PUBKEY *pubkey;
- ASN1_IA5STRING *challenge;
-} /* NETSCAPE_SPKAC */;
+// X509_STORE_CTX_get0_chain, after a successful |X509_verify_cert| call,
+// returns the verified certificate chain. The chain begins with the leaf and
+// ends with trust anchor.
+//
+// At other points, such as after a failed verification or during the deprecated
+// verification callback, it returns the partial chain built so far. Callers
+// should avoid relying on this as this exposes unstable library implementation
+// details.
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain(
+ const X509_STORE_CTX *ctx);
+
+// X509_STORE_CTX_get1_chain behaves like |X509_STORE_CTX_get0_chain| but
+// returns a newly-allocated |STACK_OF(X509)| containing the completed chain,
+// with each certificate's reference count incremented. Callers must free the
+// result with |sk_X509_pop_free| and |X509_free| when done.
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain(
+ const X509_STORE_CTX *ctx);
+
+// The following values are possible outputs of |X509_STORE_CTX_get_error|.
+#define X509_V_OK 0
+#define X509_V_ERR_UNSPECIFIED 1
+#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
+#define X509_V_ERR_UNABLE_TO_GET_CRL 3
+#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
+#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
+#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
+#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
+#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
+#define X509_V_ERR_CERT_NOT_YET_VALID 9
+#define X509_V_ERR_CERT_HAS_EXPIRED 10
+#define X509_V_ERR_CRL_NOT_YET_VALID 11
+#define X509_V_ERR_CRL_HAS_EXPIRED 12
+#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
+#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
+#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
+#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
+#define X509_V_ERR_OUT_OF_MEM 17
+#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
+#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
+#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
+#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
+#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
+#define X509_V_ERR_CERT_REVOKED 23
+#define X509_V_ERR_INVALID_CA 24
+#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
+#define X509_V_ERR_INVALID_PURPOSE 26
+#define X509_V_ERR_CERT_UNTRUSTED 27
+#define X509_V_ERR_CERT_REJECTED 28
+#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
+#define X509_V_ERR_AKID_SKID_MISMATCH 30
+#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
+#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
+#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
+#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
+#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
+#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
+#define X509_V_ERR_INVALID_NON_CA 37
+#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
+#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
+#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
+#define X509_V_ERR_INVALID_EXTENSION 41
+#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
+#define X509_V_ERR_NO_EXPLICIT_POLICY 43
+#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
+#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
+#define X509_V_ERR_UNNESTED_RESOURCE 46
+#define X509_V_ERR_PERMITTED_VIOLATION 47
+#define X509_V_ERR_EXCLUDED_VIOLATION 48
+#define X509_V_ERR_SUBTREE_MINMAX 49
+#define X509_V_ERR_APPLICATION_VERIFICATION 50
+#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
+#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
+#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
+#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
+#define X509_V_ERR_HOSTNAME_MISMATCH 62
+#define X509_V_ERR_EMAIL_MISMATCH 63
+#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
+#define X509_V_ERR_INVALID_CALL 65
+#define X509_V_ERR_STORE_LOOKUP 66
+#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67
-// NETSCAPE_SPKAC is an |ASN1_ITEM| whose ASN.1 type is PublicKeyAndChallenge
-// and C type is |NETSCAPE_SPKAC*|.
-DECLARE_ASN1_ITEM(NETSCAPE_SPKAC)
+// X509_STORE_CTX_get_error, after |X509_verify_cert| returns, returns
+// |X509_V_OK| if verification succeeded or an |X509_V_ERR_*| describing why
+// verification failed. This will be consistent with |X509_verify_cert|'s return
+// value, unless the caller used the deprecated verification callback (see
+// |X509_STORE_CTX_set_verify_cb|) in a way that breaks |ctx|'s invariants.
+//
+// If called during the deprecated verification callback when |ok| is zero, it
+// returns the current error under consideration.
+OPENSSL_EXPORT int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx);
-// NETSCAPE_SPKAC_new returns a newly-allocated, empty |NETSCAPE_SPKAC| object,
-// or NULL on error.
-OPENSSL_EXPORT NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void);
+// X509_STORE_CTX_set_error sets |ctx|'s error to |err|, which should be
+// |X509_V_OK| or an |X509_V_ERR_*| constant. It is not expected to be called in
+// typical |X509_STORE_CTX| usage, but may be used in callback APIs where
+// applications synthesize |X509_STORE_CTX| error conditions. See also
+// |X509_STORE_CTX_set_verify_cb| and |SSL_CTX_set_cert_verify_callback|.
+OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err);
-// NETSCAPE_SPKAC_free releases memory associated with |spkac|.
-OPENSSL_EXPORT void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *spkac);
+// X509_verify_cert_error_string returns |err| as a human-readable string, where
+// |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns
+// a default description.
+OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err);
-// d2i_NETSCAPE_SPKAC parses up to |len| bytes from |*inp| as a DER-encoded
-// PublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.
-OPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out,
- const uint8_t **inp,
- long len);
+// X509_STORE_CTX_get_error_depth returns the depth at which the error returned
+// by |X509_STORE_CTX_get_error| occured. This is zero-indexed integer into the
+// certificate chain. Zero indicates the target certificate, one its issuer, and
+// so on.
+OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);
-// i2d_NETSCAPE_SPKAC marshals |spkac| as a DER-encoded PublicKeyAndChallenge
-// structure, as described in |i2d_SAMPLE|.
-OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac,
- uint8_t **outp);
+// X509_STORE_CTX_get_current_cert returns the certificate which caused the
+// error returned by |X509_STORE_CTX_get_error|.
+OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
+// X509_STORE_CTX_get0_current_crl returns the CRL which caused the error
+// returned by |X509_STORE_CTX_get_error|.
+OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl(
+ const X509_STORE_CTX *ctx);
-// Printing functions.
-//
-// The following functions output human-readable representations of
-// X.509-related structures. They should only be used for debugging or logging
-// and not parsed programmatically. In many cases, the outputs are ambiguous, so
-// attempting to parse them can lead to string injection vulnerabilities.
+// X509_STORE_CTX_get0_store returns the |X509_STORE| that |ctx| uses.
+OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx);
-// The following flags control |X509_print_ex| and |X509_REQ_print_ex|.
+// X509_STORE_CTX_get0_cert returns the leaf certificate that |ctx| is
+// verifying.
+OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
-// X509_FLAG_COMPAT disables all flags. It additionally causes names to be
-// printed with a 16-byte indent.
-#define X509_FLAG_COMPAT 0
+// X509_STORE_CTX_get0_untrusted returns the stack of untrusted intermediates
+// used by |ctx| for certificate verification.
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(
+ const X509_STORE_CTX *ctx);
-// X509_FLAG_NO_HEADER skips a header identifying the type of object printed.
-#define X509_FLAG_NO_HEADER 1L
+// X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates
+// in |sk|. |sk| must remain valid for the duration of |ctx|. Calling this
+// function causes |ctx| to ignore any certificates configured in the
+// |X509_STORE|. Certificates in |sk| are still subject to the check described
+// in |X509_VERIFY_PARAM_set_trust|.
+//
+// WARNING: This function differs from most |set0| functions in that it does not
+// take ownership of its input. The caller is required to ensure the lifetimes
+// are consistent.
+OPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *sk);
-// X509_FLAG_NO_VERSION skips printing the X.509 version number.
-#define X509_FLAG_NO_VERSION (1L << 1)
+// X509_STORE_CTX_set0_crls configures |ctx| to consider the CRLs in |sk| as
+// candidates for CRL lookup. |sk| must remain valid for the duration of |ctx|.
+// These CRLs are considered in addition to CRLs found in |X509_STORE|.
+//
+// WARNING: This function differs from most |set0| functions in that it does not
+// take ownership of its input. The caller is required to ensure the lifetimes
+// are consistent.
+OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx,
+ STACK_OF(X509_CRL) *sk);
-// X509_FLAG_NO_SERIAL skips printing the serial number. It is ignored in
-// |X509_REQ_print_fp|.
-#define X509_FLAG_NO_SERIAL (1L << 2)
+// X509_STORE_CTX_set_default looks up the set of parameters named |name| and
+// applies those default verification parameters for |ctx|. As in
+// |X509_VERIFY_PARAM_inherit|, only unset parameters are changed. This function
+// returns one on success and zero on error.
+//
+// The supported values of |name| are:
+// - "default" is an internal value which configures some late defaults. See the
+// discussion in |X509_STORE_get0_param|.
+// - "pkcs7" configures default trust and purpose checks for PKCS#7 signatures.
+// - "smime_sign" configures trust and purpose checks for S/MIME signatures.
+// - "ssl_client" configures trust and purpose checks for TLS clients.
+// - "ssl_server" configures trust and purpose checks for TLS servers.
+//
+// TODO(crbug.com/boringssl/441): Make "default" a no-op.
+OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx,
+ const char *name);
-// X509_FLAG_NO_SIGNAME skips printing the signature algorithm in the
-// TBSCertificate. It is ignored in |X509_REQ_print_fp|.
-#define X509_FLAG_NO_SIGNAME (1L << 3)
+// X509_STORE_CTX_get0_param returns |ctx|'s verification parameters. This
+// object is mutable and may be modified by the caller.
+OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
+ X509_STORE_CTX *ctx);
-// X509_FLAG_NO_ISSUER skips printing the issuer.
-#define X509_FLAG_NO_ISSUER (1L << 4)
+// X509_STORE_CTX_set0_param returns |ctx|'s verification parameters to |param|
+// and takes ownership of |param|. After this function returns, the caller
+// should not free |param|.
+//
+// WARNING: This function discards any values which were previously applied in
+// |ctx|, including the "default" parameters applied late in
+// |X509_STORE_CTX_init|. These late defaults are not applied to parameters
+// created standalone by |X509_VERIFY_PARAM_new|.
+//
+// TODO(crbug.com/boringssl/441): This behavior is very surprising. Should we
+// re-apply the late defaults in |param|, or somehow avoid this notion of late
+// defaults altogether?
+OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
+ X509_VERIFY_PARAM *param);
-// X509_FLAG_NO_VALIDITY skips printing the notBefore and notAfter times. It is
-// ignored in |X509_REQ_print_fp|.
-#define X509_FLAG_NO_VALIDITY (1L << 5)
+// X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s
+// verification flags. |flags| should be a combination of |X509_V_FLAG_*|
+// constants.
+OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx,
+ unsigned long flags);
-// X509_FLAG_NO_SUBJECT skips printing the subject.
-#define X509_FLAG_NO_SUBJECT (1L << 6)
+// X509_STORE_CTX_set_time configures certificate verification to use |t|
+// instead of the current time. |flags| is ignored and should be zero.
+OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,
+ unsigned long flags, time_t t);
+
+// X509_STORE_CTX_set_time_posix configures certificate verification to use |t|
+// instead of the current time. |t| is interpreted as a POSIX timestamp in
+// seconds. |flags| is ignored and should be zero.
+OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx,
+ unsigned long flags,
+ int64_t t);
+
+// X509_STORE_CTX_set_depth configures |ctx| to, by default, limit certificate
+// chains to |depth| intermediate certificates. This count excludes both the
+// target certificate and the trust anchor (root certificate).
+OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
+
+// X509_STORE_CTX_set_purpose simultaneously configures |ctx|'s purpose and
+// trust checks, if unset. It returns one on success and zero if |purpose| is
+// not a valid purpose value. |purpose| should be an |X509_PURPOSE_*| constant.
+// If so, it configures |ctx| with a purpose check of |purpose| and a trust
+// check of |purpose|'s corresponding trust value. If either the purpose or
+// trust check had already been specified for |ctx|, that corresponding
+// modification is silently dropped.
+//
+// See |X509_VERIFY_PARAM_set_purpose| and |X509_VERIFY_PARAM_set_trust| for
+// details on the purpose and trust checks, respectively.
+//
+// If |purpose| is |X509_PURPOSE_ANY|, this function returns an error because it
+// has no corresponding |X509_TRUST_*| value. It is not possible to set
+// |X509_PURPOSE_ANY| with this function, only |X509_VERIFY_PARAM_set_purpose|.
+//
+// WARNING: Unlike similarly named functions in this header, this function
+// silently does not behave the same as |X509_VERIFY_PARAM_set_purpose|. Callers
+// may use |X509_VERIFY_PARAM_set_purpose| with |X509_STORE_CTX_get0_param| to
+// avoid this difference.
+OPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
+
+// X509_STORE_CTX_set_trust configures |ctx|'s trust check, if unset. It returns
+// one on success and zero if |trust| is not a valid trust value. |trust| should
+// be an |X509_TRUST_*| constant. If so, it configures |ctx| with a trust check
+// of |trust|. If the trust check had already been specified for |ctx|, it
+// silently does nothing.
+//
+// See |X509_VERIFY_PARAM_set_trust| for details on the purpose and trust check.
+//
+// WARNING: Unlike similarly named functions in this header, this function
+// does not behave the same as |X509_VERIFY_PARAM_set_trust|. Callers may use
+// |X509_VERIFY_PARAM_set_trust| with |X509_STORE_CTX_get0_param| to avoid this
+// difference.
+OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
+
+
+// Verification parameters.
+//
+// An |X509_VERIFY_PARAM| contains a set of parameters for certificate
+// verification.
+
+// X509_VERIFY_PARAM_new returns a newly-allocated |X509_VERIFY_PARAM|, or NULL
+// on error.
+OPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
+
+// X509_VERIFY_PARAM_free releases memory associated with |param|.
+OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
+
+// X509_VERIFY_PARAM_inherit applies |from| as the default values for |to|. That
+// is, for each parameter that is unset in |to|, it copies the value in |from|.
+// This function returns one on success and zero on error.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
+ const X509_VERIFY_PARAM *from);
+
+// X509_VERIFY_PARAM_set1 copies parameters from |from| to |to|. If a parameter
+// is unset in |from|, the existing value in |to| is preserved. This function
+// returns one on success and zero on error.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
+ const X509_VERIFY_PARAM *from);
+
+// X509_VERIFY_PARAM_set_flags enables all values in |flags| in |param|'s
+// verification flags and returns one. |flags| should be a combination of
+// |X509_V_FLAG_*| constants.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,
+ unsigned long flags);
+
+// X509_VERIFY_PARAM_clear_flags disables all values in |flags| in |param|'s
+// verification flags and returns one. |flags| should be a combination of
+// |X509_V_FLAG_*| constants.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
+ unsigned long flags);
+
+// X509_VERIFY_PARAM_get_flags returns |param|'s verification flags.
+OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags(
+ const X509_VERIFY_PARAM *param);
+
+// X509_VERIFY_PARAM_set_depth configures |param| to limit certificate chains to
+// |depth| intermediate certificates. This count excludes both the target
+// certificate and the trust anchor (root certificate).
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param,
+ int depth);
+
+// X509_VERIFY_PARAM_get_depth returns the maximum depth configured in |param|.
+// See |X509_VERIFY_PARAM_set_depth|.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
+
+// X509_VERIFY_PARAM_set_time configures certificate verification to use |t|
+// instead of the current time.
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param,
+ time_t t);
+
+// X509_VERIFY_PARAM_set_time_posix configures certificate verification to use
+// |t| instead of the current time. |t| is interpreted as a POSIX timestamp in
+// seconds.
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param,
+ int64_t t);
+
+// X509_VERIFY_PARAM_add0_policy adds |policy| to the user-initial-policy-set
+// (see Section 6.1.1 of RFC 5280). On success, it takes ownership of
+// |policy| and returns one. Otherwise, it returns zero and the caller retains
+// owneship of |policy|.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
+ ASN1_OBJECT *policy);
+
+// X509_VERIFY_PARAM_set1_policies sets the user-initial-policy-set (see
+// Section 6.1.1 of RFC 5280) to a copy of |policies|. It returns one on success
+// and zero on error.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies(
+ X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies);
+
+// X509_VERIFY_PARAM_set1_host configures |param| to check for the DNS name
+// specified by |name|. It returns one on success and zero on error.
+//
+// By default, both subject alternative names and the subject's common name
+// attribute are checked. The latter has long been deprecated, so callers should
+// call |X509_VERIFY_PARAM_set_hostflags| with
+// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior.
+// https://crbug.com/boringssl/464 tracks fixing the default.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
+ const char *name,
+ size_t name_len);
+
+// X509_VERIFY_PARAM_add1_host adds |name| to the list of names checked by
+// |param|. If any configured DNS name matches the certificate, verification
+// succeeds. It returns one on success and zero on error.
+//
+// By default, both subject alternative names and the subject's common name
+// attribute are checked. The latter has long been deprecated, so callers should
+// call |X509_VERIFY_PARAM_set_hostflags| with
+// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior.
+// https://crbug.com/boringssl/464 tracks fixing the default.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
+ const char *name,
+ size_t name_len);
+
+// X509_CHECK_FLAG_NO_WILDCARDS disables wildcard matching for DNS names.
+#define X509_CHECK_FLAG_NO_WILDCARDS 0x2
+
+// X509_CHECK_FLAG_NEVER_CHECK_SUBJECT disables the subject fallback, normally
+// enabled when subjectAltNames is missing.
+#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
+
+// X509_VERIFY_PARAM_set_hostflags sets the name-checking flags on |param| to
+// |flags|. |flags| should be a combination of |X509_CHECK_FLAG_*| constants.
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned int flags);
+
+// X509_VERIFY_PARAM_set1_email configures |param| to check for the email
+// address specified by |email|. It returns one on success and zero on error.
+//
+// By default, both subject alternative names and the subject's email address
+// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be
+// used to change this behavior.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
+ const char *email,
+ size_t email_len);
+
+// X509_VERIFY_PARAM_set1_ip configures |param| to check for the IP address
+// specified by |ip|. It returns one on success and zero on error. The IP
+// address is specified in its binary representation. |ip_len| must be 4 for an
+// IPv4 address and 16 for an IPv6 address.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
+ const uint8_t *ip, size_t ip_len);
+
+// X509_VERIFY_PARAM_set1_ip_asc decodes |ipasc| as the ASCII representation of
+// an IPv4 or IPv6 address, and configures |param| to check for it. It returns
+// one on success and zero on error.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param,
+ const char *ipasc);
+
+// X509_PURPOSE_SSL_CLIENT validates TLS client certificates. It checks for the
+// id-kp-clientAuth EKU and one of digitalSignature or keyAgreement key usages.
+// The TLS library is expected to check for the key usage specific to the
+// negotiated TLS parameters.
+#define X509_PURPOSE_SSL_CLIENT 1
+// X509_PURPOSE_SSL_SERVER validates TLS server certificates. It checks for the
+// id-kp-clientAuth EKU and one of digitalSignature, keyAgreement, or
+// keyEncipherment key usages. The TLS library is expected to check for the key
+// usage specific to the negotiated TLS parameters.
+#define X509_PURPOSE_SSL_SERVER 2
+// X509_PURPOSE_NS_SSL_SERVER is a legacy mode. It behaves like
+// |X509_PURPOSE_SSL_SERVER|, but only accepts the keyEncipherment key usage,
+// used by SSL 2.0 and RSA key exchange. Do not use this.
+#define X509_PURPOSE_NS_SSL_SERVER 3
+// X509_PURPOSE_SMIME_SIGN validates S/MIME signing certificates. It checks for
+// the id-kp-emailProtection EKU and one of digitalSignature or nonRepudiation
+// key usages.
+#define X509_PURPOSE_SMIME_SIGN 4
+// X509_PURPOSE_SMIME_ENCRYPT validates S/MIME encryption certificates.
It +// checks for the id-kp-emailProtection EKU and keyEncipherment key usage. +#define X509_PURPOSE_SMIME_ENCRYPT 5 +// X509_PURPOSE_CRL_SIGN validates indirect CRL signers. It checks for the +// cRLSign key usage. BoringSSL does not support indirect CRLs and does not use +// this mode. +#define X509_PURPOSE_CRL_SIGN 6 +// X509_PURPOSE_ANY performs no EKU or key usage checks. Such checks are the +// responsibility of the caller. +#define X509_PURPOSE_ANY 7 +// X509_PURPOSE_OCSP_HELPER performs no EKU or key usage checks. It was +// historically used in OpenSSL's OCSP implementation, which left those checks +// to the OCSP implementation itself. +#define X509_PURPOSE_OCSP_HELPER 8 +// X509_PURPOSE_TIMESTAMP_SIGN validates Time Stamping Authority (RFC 3161) +// certificates. It checks for the id-kp-timeStamping EKU and one of +// digitalSignature or nonRepudiation key usages. It additionally checks that +// the EKU extension is critical and that no other EKUs or key usages are +// asserted. +#define X509_PURPOSE_TIMESTAMP_SIGN 9 + +// X509_VERIFY_PARAM_set_purpose configures |param| to validate certificates for +// a specified purpose. It returns one on success and zero if |purpose| is not a +// valid purpose type. |purpose| should be one of the |X509_PURPOSE_*| values. +// +// This option controls checking the extended key usage (EKU) and key usage +// extensions. These extensions specify how a certificate's public key may be +// used and are important to avoid cross-protocol attacks, particularly in PKIs +// that may issue certificates for multiple protocols, or for protocols that use +// keys in multiple ways. If not configured, these security checks are the +// caller's responsibility. +// +// This library applies the EKU checks to all untrusted intermediates. Although +// not defined in RFC 5280, this matches widely-deployed practice. It also does +// not accept anyExtendedKeyUsage. 
+// +// Many purpose values have a corresponding trust value, which is not configured +// by this function. See |X509_VERIFY_PARAM_set_trust| for details. Callers +// that wish to configure both should either call both functions, or use +// |X509_STORE_CTX_set_purpose|. +// +// It is currently not possible to configure custom EKU OIDs or key usage bits. +// Contact the BoringSSL maintainers if your application needs to do so. OpenSSL +// had an |X509_PURPOSE_add| API, but it was not thread-safe and relied on +// global mutable state, so we removed it. +// +// TODO(davidben): This function additionally configures checking the legacy +// Netscape certificate type extension. Remove this. +OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, + int purpose); + +// X509_TRUST_COMPAT evaluates trust using only the self-signed fallback. Trust +// and distrust OIDs are ignored. +#define X509_TRUST_COMPAT 1 +// X509_TRUST_SSL_CLIENT evaluates trust with the |NID_client_auth| OID, for +// validating TLS client certificates. +#define X509_TRUST_SSL_CLIENT 2 +// X509_TRUST_SSL_SERVER evaluates trust with the |NID_server_auth| OID, for +// validating TLS server certificates. +#define X509_TRUST_SSL_SERVER 3 +// X509_TRUST_EMAIL evaluates trust with the |NID_email_protect| OID, for +// validating S/MIME email certificates. +#define X509_TRUST_EMAIL 4 +// X509_TRUST_OBJECT_SIGN evaluates trust with the |NID_code_sign| OID, for +// validating code signing certificates. +#define X509_TRUST_OBJECT_SIGN 5 +// X509_TRUST_TSA evaluates trust with the |NID_time_stamp| OID, for validating +// Time Stamping Authority (RFC 3161) certificates. +#define X509_TRUST_TSA 8 + +// X509_VERIFY_PARAM_set_trust configures which certificates from |X509_STORE| +// are trust anchors. It returns one on success and zero if |trust| is not a +// valid trust value. |trust| should be one of the |X509_TRUST_*| constants. 
+// This function allows applications to vary trust anchors when the same set of +// trusted certificates is used in multiple contexts. +// +// Two properties determine whether a certificate is a trust anchor: +// +// - Whether it is trusted or distrusted for some OID, via auxiliary information +// configured by |X509_add1_trust_object| or |X509_add1_reject_object|. +// +// - Whether it is "self-signed". That is, whether |X509_get_extension_flags| +// includes |EXFLAG_SS|. The signature itself is not checked. +// +// When this function is called, |trust| determines the OID to check in the +// first case. If the certificate is not explicitly trusted or distrusted for +// any OID, it is trusted if self-signed instead. +// +// If unset, the default behavior is to check for the |NID_anyExtendedKeyUsage| +// OID. If the certificate is not explicitly trusted or distrusted for this OID, +// it is trusted if self-signed instead. Note this slightly differs from the +// above. +// +// It is currently not possible to configure custom trust OIDs. Contact the +// BoringSSL maintainers if your application needs to do so. OpenSSL had an +// |X509_TRUST_add| API, but it was not thread-safe and relied on global mutable +// state, so we removed it. +OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, + int trust); + + +// SignedPublicKeyAndChallenge structures. +// +// The SignedPublicKeyAndChallenge (SPKAC) is a legacy structure to request +// certificates, primarily in the legacy HTML tag. An SPKAC structure +// is represented by a |NETSCAPE_SPKI| structure. +// +// The structure is described in +// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen + +// A Netscape_spki_st, or |NETSCAPE_SPKI|, represents a +// SignedPublicKeyAndChallenge structure. Although this structure contains a +// |spkac| field of type |NETSCAPE_SPKAC|, these are misnamed. The SPKAC is the +// entire structure, not the signed portion. 
+struct Netscape_spki_st { + NETSCAPE_SPKAC *spkac; + X509_ALGOR *sig_algor; + ASN1_BIT_STRING *signature; +} /* NETSCAPE_SPKI */; + +// NETSCAPE_SPKI_new returns a newly-allocated, empty |NETSCAPE_SPKI| object, or +// NULL on error. +OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_new(void); + +// NETSCAPE_SPKI_free releases memory associated with |spki|. +OPENSSL_EXPORT void NETSCAPE_SPKI_free(NETSCAPE_SPKI *spki); + +// d2i_NETSCAPE_SPKI parses up to |len| bytes from |*inp| as a DER-encoded +// SignedPublicKeyAndChallenge structure, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **out, + const uint8_t **inp, long len); + +// i2d_NETSCAPE_SPKI marshals |spki| as a DER-encoded +// SignedPublicKeyAndChallenge structure, as described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_NETSCAPE_SPKI(const NETSCAPE_SPKI *spki, uint8_t **outp); + +// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It +// returns one if the signature is valid and zero otherwise. +OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey); + +// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded +// SignedPublicKeyAndChallenge structure. It returns a newly-allocated +// |NETSCAPE_SPKI| structure with the result, or NULL on error. If |len| is 0 or +// negative, the length is calculated with |strlen| and |str| must be a +// NUL-terminated C string. +OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, + ossl_ssize_t len); + +// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded +// SignedPublicKeyAndChallenge structure. It returns a newly-allocated +// NUL-terminated C string with the result, or NULL on error. The caller must +// release the memory with |OPENSSL_free| when done. +OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki); + +// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an +// |EVP_PKEY|, or NULL on error. 
The caller takes ownership of the resulting +// pointer and must call |EVP_PKEY_free| when done. +OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(const NETSCAPE_SPKI *spki); + +// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one +// on success or zero on error. This function does not take ownership of |pkey|, +// so the caller may continue to manage its lifetime independently of |spki|. +OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki, + EVP_PKEY *pkey); + +// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature +// algorithm and signature fields. It returns the length of the signature on +// success and zero on error. This function uses digest algorithm |md|, or +// |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults. +OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey, + const EVP_MD *md); + +// A Netscape_spkac_st, or |NETSCAPE_SPKAC|, represents a PublicKeyAndChallenge +// structure. This type is misnamed. The full SPKAC includes the signature, +// which is represented with the |NETSCAPE_SPKI| type. +struct Netscape_spkac_st { + X509_PUBKEY *pubkey; + ASN1_IA5STRING *challenge; +} /* NETSCAPE_SPKAC */; + +// NETSCAPE_SPKAC_new returns a newly-allocated, empty |NETSCAPE_SPKAC| object, +// or NULL on error. +OPENSSL_EXPORT NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void); + +// NETSCAPE_SPKAC_free releases memory associated with |spkac|. +OPENSSL_EXPORT void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *spkac); + +// d2i_NETSCAPE_SPKAC parses up to |len| bytes from |*inp| as a DER-encoded +// PublicKeyAndChallenge structure, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out, + const uint8_t **inp, + long len); + +// i2d_NETSCAPE_SPKAC marshals |spkac| as a DER-encoded PublicKeyAndChallenge +// structure, as described in |i2d_SAMPLE|. 
+OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac, + uint8_t **outp); + + +// RSASSA-PSS Parameters. +// +// In X.509, RSASSA-PSS signatures and keys use a complex parameter structure, +// defined in RFC 4055. The following functions are provided for compatibility +// with some OpenSSL APIs relating to this. Use of RSASSA-PSS in X.509 is +// discouraged. The parameters structure is very complex, and it takes more +// bytes to merely encode parameters than an entire P-256 ECDSA signature. + +// An rsa_pss_params_st, aka |RSA_PSS_PARAMS|, represents a parsed +// RSASSA-PSS-params structure, as defined in (RFC 4055). +struct rsa_pss_params_st { + X509_ALGOR *hashAlgorithm; + X509_ALGOR *maskGenAlgorithm; + ASN1_INTEGER *saltLength; + ASN1_INTEGER *trailerField; + // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the + // cases apply to BoringSSL, so this is always NULL, but Node expects the + // field to be present. + X509_ALGOR *maskHash; +} /* RSA_PSS_PARAMS */; + +// RSA_PSS_PARAMS is an |ASN1_ITEM| whose ASN.1 type is RSASSA-PSS-params (RFC +// 4055) and C type is |RSA_PSS_PARAMS*|. +DECLARE_ASN1_ITEM(RSA_PSS_PARAMS) + +// RSA_PSS_PARAMS_new returns a new, empty |RSA_PSS_PARAMS|, or NULL on error. +OPENSSL_EXPORT RSA_PSS_PARAMS *RSA_PSS_PARAMS_new(void); + +// RSA_PSS_PARAMS_free releases memory associated with |params|. +OPENSSL_EXPORT void RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *params); + +// d2i_RSA_PSS_PARAMS parses up to |len| bytes from |*inp| as a DER-encoded +// RSASSA-PSS-params (RFC 4055), as described in |d2i_SAMPLE|. +OPENSSL_EXPORT RSA_PSS_PARAMS *d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **out, + const uint8_t **inp, + long len); + +// i2d_RSA_PSS_PARAMS marshals |in| as a DER-encoded RSASSA-PSS-params (RFC +// 4055), as described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_RSA_PSS_PARAMS(const RSA_PSS_PARAMS *in, uint8_t **outp); + + +// PKCS#8 private keys. 
+// +// The |PKCS8_PRIV_KEY_INFO| type represents a PKCS#8 PrivateKeyInfo (RFC 5208) +// structure. This is analogous to SubjectPublicKeyInfo and uses the same +// AlgorithmIdentifiers, but carries private keys and is not part of X.509 +// itself. +// +// TODO(davidben): Do these functions really belong in this header? + +// PKCS8_PRIV_KEY_INFO_new returns a newly-allocated, empty +// |PKCS8_PRIV_KEY_INFO| object, or NULL on error. +OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void); + +// PKCS8_PRIV_KEY_INFO_free releases memory associated with |key|. +OPENSSL_EXPORT void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *key); + +// d2i_PKCS8_PRIV_KEY_INFO parses up to |len| bytes from |*inp| as a DER-encoded +// PrivateKeyInfo, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO( + PKCS8_PRIV_KEY_INFO **out, const uint8_t **inp, long len); + +// i2d_PKCS8_PRIV_KEY_INFO marshals |key| as a DER-encoded PrivateKeyInfo, as +// described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO(const PKCS8_PRIV_KEY_INFO *key, + uint8_t **outp); + +// EVP_PKCS82PKEY returns |p8| as a newly-allocated |EVP_PKEY|, or NULL if the +// key was unsupported or could not be decoded. The caller must release the +// result with |EVP_PKEY_free| when done. +// +// Use |EVP_parse_private_key| instead. +OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8); + +// EVP_PKEY2PKCS8 encodes |pkey| as a PKCS#8 PrivateKeyInfo (RFC 5208), +// represented as a newly-allocated |PKCS8_PRIV_KEY_INFO|, or NULL on error. The +// caller must release the result with |PKCS8_PRIV_KEY_INFO_free| when done. +// +// Use |EVP_marshal_private_key| instead. +OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey); + + +// Algorithm and octet string pairs. +// +// The |X509_SIG| type represents an ASN.1 SEQUENCE type of an +// AlgorithmIdentifier and an OCTET STRING. 
Although named |X509_SIG|, there is +// no type in X.509 which matches this format. The two common types which do are +// DigestInfo (RFC 2315 and RFC 8017), and EncryptedPrivateKeyInfo (RFC 5208). + +// X509_SIG_new returns a newly-allocated, empty |X509_SIG| object, or NULL on +// error. +OPENSSL_EXPORT X509_SIG *X509_SIG_new(void); + +// X509_SIG_free releases memory associated with |key|. +OPENSSL_EXPORT void X509_SIG_free(X509_SIG *key); + +// d2i_X509_SIG parses up to |len| bytes from |*inp| as a DER-encoded algorithm +// and octet string pair, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT X509_SIG *d2i_X509_SIG(X509_SIG **out, const uint8_t **inp, + long len); + +// i2d_X509_SIG marshals |sig| as a DER-encoded algorithm +// and octet string pair, as described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_X509_SIG(const X509_SIG *sig, uint8_t **outp); + +// X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to +// |sig|'s algorithm and digest fields, respectively. Either |out_alg| and +// |out_digest| may be NULL to skip those fields. +OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig, + const X509_ALGOR **out_alg, + const ASN1_OCTET_STRING **out_digest); + +// X509_SIG_getm behaves like |X509_SIG_get0| but returns mutable pointers. +OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, + ASN1_OCTET_STRING **out_digest); + + +// Printing functions. +// +// The following functions output human-readable representations of +// X.509-related structures. They should only be used for debugging or logging +// and not parsed programmatically. In many cases, the outputs are ambiguous, so +// attempting to parse them can lead to string injection vulnerabilities. + +// The following flags control |X509_print_ex| and |X509_REQ_print_ex|. These +// flags co-exist with |X509V3_EXT_*|, so avoid collisions when adding new ones. + +// X509_FLAG_COMPAT disables all flags. It additionally causes names to be +// printed with a 16-byte indent. 
+#define X509_FLAG_COMPAT 0 + +// X509_FLAG_NO_HEADER skips a header identifying the type of object printed. +#define X509_FLAG_NO_HEADER 1L + +// X509_FLAG_NO_VERSION skips printing the X.509 version number. +#define X509_FLAG_NO_VERSION (1L << 1) + +// X509_FLAG_NO_SERIAL skips printing the serial number. It is ignored in +// |X509_REQ_print_fp|. +#define X509_FLAG_NO_SERIAL (1L << 2) + +// X509_FLAG_NO_SIGNAME skips printing the signature algorithm in the +// TBSCertificate. It is ignored in |X509_REQ_print_fp|. +#define X509_FLAG_NO_SIGNAME (1L << 3) + +// X509_FLAG_NO_ISSUER skips printing the issuer. +#define X509_FLAG_NO_ISSUER (1L << 4) + +// X509_FLAG_NO_VALIDITY skips printing the notBefore and notAfter times. It is +// ignored in |X509_REQ_print_fp|. +#define X509_FLAG_NO_VALIDITY (1L << 5) + +// X509_FLAG_NO_SUBJECT skips printing the subject. +#define X509_FLAG_NO_SUBJECT (1L << 6) // X509_FLAG_NO_PUBKEY skips printing the public key. #define X509_FLAG_NO_PUBKEY (1L << 7) 
@@ -1700,10 +3116,34 @@ OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac, // certificate. It is ignored in |X509_REQ_print_fp|. #define X509_FLAG_NO_IDS (1L << 12) +// The following flags control |X509_print_ex|, |X509_REQ_print_ex|, +// |X509V3_EXT_print|, and |X509V3_extensions_print|. These flags coexist with +// |X509_FLAG_*|, so avoid collisions when adding new ones. + +// X509V3_EXT_UNKNOWN_MASK is a mask that determines how unknown extensions are +// processed. +#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) + +// X509V3_EXT_DEFAULT causes unknown extensions or syntax errors to return +// failure. +#define X509V3_EXT_DEFAULT 0 + +// X509V3_EXT_ERROR_UNKNOWN causes unknown extensions or syntax errors to print +// as "" or "", respectively. +#define X509V3_EXT_ERROR_UNKNOWN (1L << 16) + +// X509V3_EXT_PARSE_UNKNOWN is deprecated and behaves like +// |X509V3_EXT_DUMP_UNKNOWN|. +#define X509V3_EXT_PARSE_UNKNOWN (2L << 16) + +// X509V3_EXT_DUMP_UNKNOWN causes unknown extensions to be displayed as a +// hexdump. +#define X509V3_EXT_DUMP_UNKNOWN (3L << 16) + // X509_print_ex writes a human-readable representation of |x| to |bp|. It // returns one on success and zero on error. |nmflags| is the flags parameter // for |X509_NAME_print_ex| when printing the subject and issuer. |cflag| should -// be some combination of the |X509_FLAG_*| constants. +// be some combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants. OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, unsigned long cflag); 
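Review bot: The comment on `X509V3_EXT_ERROR_UNKNOWN` reads `print as "" or "", respectively`, so as rendered here the two marker strings a caller would see are empty; if angle-bracketed text was stripped in transit the header is fine, but if the literals really are empty the sentence gives a maintainer nothing to grep for. Suggest naming them in words rather than relying on the quoted literals, e.g. `// as a literal parse-error marker or a literal not-supported marker, respectively.` Separately, `X509V3_EXT_DEFAULT` is 0 and so shares its value with `X509_FLAG_COMPAT` (defined just above this hunk); that is presumably intentional since both mean "no flags set", but a sentence saying that `X509V3_EXT_DEFAULT` is also what callers get when they pass no `X509V3_EXT_*` bits would make the mask/value relationship explicit.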
@@ -1728,7 +3168,7 @@ OPENSSL_EXPORT int X509_CRL_print_fp(FILE *fp, X509_CRL *x); // X509_REQ_print_ex writes a human-readable representation of |x| to |bp|. It // returns one on success and zero on error. |nmflags| is the flags parameter // for |X509_NAME_print_ex|, when printing the subject. |cflag| should be some -// combination of the |X509_FLAG_*| constants. +// combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants. OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag); 
@@ -1846,6 +3286,40 @@ OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig, OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg, const ASN1_STRING *sig); +// X509V3_EXT_print prints a human-readable representation of |ext| to out. It +// returns one on success and zero on error. The output is indented by |indent| +// spaces. |flag| is one of the |X509V3_EXT_*| constants and controls printing +// of unknown extensions and syntax errors. +// +// WARNING: Although some applications programmatically parse the output of this +// function to process X.509 extensions, this is not safe. In many cases, the +// outputs are ambiguous to attempting to parse them can lead to string +// injection vulnerabilities. These functions should only be used for debugging +// or logging. +OPENSSL_EXPORT int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext, + unsigned long flag, int indent); + +// X509V3_EXT_print_fp behaves like |X509V3_EXT_print| but writes to a |FILE| +// instead of a |BIO|. +OPENSSL_EXPORT int X509V3_EXT_print_fp(FILE *out, const X509_EXTENSION *ext, + int flag, int indent); + +// X509V3_extensions_print prints |title|, followed by a human-readable +// representation of |exts| to |out|. It returns one on success and zero on +// error. The output is indented by |indent| spaces. |flag| is one of the +// |X509V3_EXT_*| constants and controls printing of unknown extensions and +// syntax errors. +OPENSSL_EXPORT int X509V3_extensions_print(BIO *out, const char *title, + const STACK_OF(X509_EXTENSION) *exts, + unsigned long flag, int indent); + +// GENERAL_NAME_print prints a human-readable representation of |gen| to |out|. +// It returns one on success and zero on error. +// +// TODO(davidben): Actually, it just returns one and doesn't check for I/O or +// allocation errors. But it should return zero on error. +OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen); + // Convenience functions. 
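Review bot: The WARNING paragraph on `X509V3_EXT_print` has a typo that inverts its sense: `outputs are ambiguous to attempting to parse them` should read `outputs are ambiguous, so attempting to parse them`, and the first sentence's `to out` should be `to |out|` to match the header's `|param|` convention. The `flag` parameter is `unsigned long` on `X509V3_EXT_print` and `X509V3_extensions_print` but `int` on `X509V3_EXT_print_fp`; the `X509V3_EXT_*` values all fit in an `int`, and this is presumably kept for OpenSSL signature compatibility, but a short comment on the `_fp` variant saying so would stop the next reader from "fixing" it. Also, `X509V3_EXT_print_fp`'s doc says it behaves like the BIO variant but does not restate which `flag` values it accepts, whereas the other two do.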
@@ -1999,7 +3473,7 @@ OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk, // // WARNING: Unlike most comparison functions, this function returns zero on // error, not equality. -OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t); +OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, const time_t *t); // X509_cmp_time_posix compares |s| against |t|. On success, it returns a // negative number if |s| <= |t| and a positive number if |s| > |t|. On error, 
@@ -2015,17 +3489,66 @@ OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); // X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, - time_t *t); + const time_t *t); // X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If // |t| is NULL, it uses the current time instead of |*t|. OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, - long offset_sec, time_t *t); + long offset_sec, const time_t *t); // X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the // current time. OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec); +// X509_issuer_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s +// issuer names. +OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b); + +// X509_subject_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and +// |b|'s subject names. +OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b); + +// X509_CRL_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s +// issuer names. +// +// WARNING: This function is misnamed. It does not compare other parts of the +// CRL, only the issuer fields using |X509_NAME_cmp|. +OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); + +// X509_issuer_name_hash returns the hash of |x509|'s issuer name with +// |X509_NAME_hash|. +// +// This hash is specific to the |X509_LOOKUP_hash_dir| filesystem format and is +// not suitable for general-purpose X.509 name processing. It is very short, so +// there will be hash collisions. It also depends on an OpenSSL-specific +// canonicalization process. +OPENSSL_EXPORT uint32_t X509_issuer_name_hash(X509 *x509); + +// X509_subject_name_hash returns the hash of |x509|'s subject name with +// |X509_NAME_hash|. 
+// +// This hash is specific to the |X509_LOOKUP_hash_dir| filesystem format and is +// not suitable for general-purpose X.509 name processing. It is very short, so +// there will be hash collisions. It also depends on an OpenSSL-specific +// canonicalization process. +OPENSSL_EXPORT uint32_t X509_subject_name_hash(X509 *x509); + +// X509_issuer_name_hash_old returns the hash of |x509|'s issuer name with +// |X509_NAME_hash_old|. +// +// This hash is specific to the |X509_LOOKUP_hash_dir| filesystem format and is +// not suitable for general-purpose X.509 name processing. It is very short, so +// there will be hash collisions. +OPENSSL_EXPORT uint32_t X509_issuer_name_hash_old(X509 *x509); + +// X509_subject_name_hash_old returns the hash of |x509|'s usjbect name with +// |X509_NAME_hash_old|. +// +// This hash is specific to the |X509_LOOKUP_hash_dir| filesystem format and is +// not suitable for general-purpose X.509 name processing. It is very short, so +// there will be hash collisions. +OPENSSL_EXPORT uint32_t X509_subject_name_hash_old(X509 *x509); + // ex_data functions. // 
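Review bot: The comment on `X509_subject_name_hash_old` has a typo, `usjbect`, which should read `subject`: `// X509_subject_name_hash_old returns the hash of |x509|'s subject name with`. The four `*_name_hash*` functions take a non-const `X509 *x509` while the neighbouring `X509_issuer_name_cmp`/`X509_subject_name_cmp` take `const X509 *`; if the hash needs to populate a cached canonical encoding that is a reason worth stating in the comment, otherwise the parameters could be `const` for consistency with the rest of the hunk. The `X509_CRL_cmp` WARNING is useful; it may also be worth saying explicitly that it is therefore not suitable for deciding whether two CRLs are the same object or revision.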
@@ -2047,175 +3570,232 @@ OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx); -// Deprecated functions. - -// X509_get_notBefore returns |x509|'s notBefore time. Note this function is not -// const-correct for legacy reasons. Use |X509_get0_notBefore| or -// |X509_getm_notBefore| instead. -OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509); - -// X509_get_notAfter returns |x509|'s notAfter time. Note this function is not -// const-correct for legacy reasons. Use |X509_get0_notAfter| or -// |X509_getm_notAfter| instead. -OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509); - -// X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore| -// instead. -OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm); - -// X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter| -// instead. -OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm); +// Hashing and signing ASN.1 structures. -// X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s thisUpdate time. -// The OpenSSL API refers to this field as lastUpdate. +// ASN1_digest serializes |data| with |i2d| and then hashes the result with +// |type|. On success, it returns one, writes the digest to |md|, and sets +// |*len| to the digest length if non-NULL. On error, it returns zero. // -// Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead. -OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); - -// X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time, -// or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or -// |X509_CRL_set1_nextUpdate| instead. -OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); - -// X509_extract_key is a legacy alias to |X509_get_pubkey|. Use -// |X509_get_pubkey| instead. 
-#define X509_extract_key(x) X509_get_pubkey(x) - -// X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|. -#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) - -// X509_name_cmp is a legacy alias for |X509_NAME_cmp|. -#define X509_name_cmp(a, b) X509_NAME_cmp((a), (b)) - -// The following symbols are deprecated aliases to |X509_CRL_set1_*|. -#define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate -#define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate - -// X509_get_serialNumber returns a mutable pointer to |x509|'s serial number. -// Prefer |X509_get0_serialNumber|. -OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509); - -// X509_NAME_get_text_by_OBJ finds the first attribute with type |obj| in -// |name|. If found, it ignores the value's ASN.1 type, writes the raw -// |ASN1_STRING| representation to |buf|, followed by a NUL byte, and -// returns the number of bytes in output, excluding the NUL byte. -// -// This function writes at most |len| bytes, including the NUL byte. If |len| is -// not large enough, it silently truncates the output to fit. If |buf| is NULL, -// it instead writes enough and returns the number of bytes in the output, -// excluding the NUL byte. -// -// WARNING: Do not use this function. It does not return enough information for -// the caller to correctly interpret its output. The attribute value may be of -// any type, including one of several ASN.1 string encodings, but this function -// only outputs the raw |ASN1_STRING| representation. See -// https://crbug.com/boringssl/436. -OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name, - const ASN1_OBJECT *obj, char *buf, - int len); - -// X509_NAME_get_text_by_NID behaves like |X509_NAME_get_text_by_OBJ| except it -// finds an attribute of type |nid|, which should be one of the |NID_*| -// constants. -OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, - char *buf, int len); - - -// Private structures. 
- -struct X509_algor_st { - ASN1_OBJECT *algorithm; - ASN1_TYPE *parameter; -} /* X509_ALGOR */; - - -// Functions below this point have not yet been organized into sections. - -#define X509_FILETYPE_PEM 1 -#define X509_FILETYPE_ASN1 2 -#define X509_FILETYPE_DEFAULT 3 - -#define X509v3_KU_DIGITAL_SIGNATURE 0x0080 -#define X509v3_KU_NON_REPUDIATION 0x0040 -#define X509v3_KU_KEY_ENCIPHERMENT 0x0020 -#define X509v3_KU_DATA_ENCIPHERMENT 0x0010 -#define X509v3_KU_KEY_AGREEMENT 0x0008 -#define X509v3_KU_KEY_CERT_SIGN 0x0004 -#define X509v3_KU_CRL_SIGN 0x0002 -#define X509v3_KU_ENCIPHER_ONLY 0x0001 -#define X509v3_KU_DECIPHER_ONLY 0x8000 -#define X509v3_KU_UNDEF 0xffff - -// This stuff is certificate "auxiliary info" -// it contains details which are useful in certificate -// stores and databases. When used this is tagged onto -// the end of the certificate itself - -DECLARE_STACK_OF(DIST_POINT) -DECLARE_STACK_OF(GENERAL_NAME) +// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The +// buffer must have sufficient space for this output. +OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data, + unsigned char *md, unsigned int *len); -// This is used for a table of trust checking functions +// ASN1_item_digest serializes |data| with |it| and then hashes the result with +// |type|. On success, it returns one, writes the digest to |md|, and sets +// |*len| to the digest length if non-NULL. On error, it returns zero. +// +// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The +// buffer must have sufficient space for this output. +// +// WARNING: |data| must be a pointer with the same type as |it|'s corresponding +// C type. Using the wrong type is a potentially exploitable memory error. 
+OPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, + void *data, unsigned char *md, + unsigned int *len); -struct x509_trust_st { - int trust; - int flags; - int (*check_trust)(struct x509_trust_st *, X509 *, int); - char *name; - int arg1; - void *arg2; -} /* X509_TRUST */; +// ASN1_item_verify serializes |data| with |it| and then verifies |signature| is +// a valid signature for the result with |algor1| and |pkey|. It returns one on +// success and zero on error. The signature and algorithm are interpreted as in +// X.509. +// +// WARNING: |data| must be a pointer with the same type as |it|'s corresponding +// C type. Using the wrong type is a potentially exploitable memory error. +OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it, + const X509_ALGOR *algor1, + const ASN1_BIT_STRING *signature, + void *data, EVP_PKEY *pkey); -DEFINE_STACK_OF(X509_TRUST) +// ASN1_item_sign serializes |data| with |it| and then signs the result with +// the private key |pkey|. It returns the length of the signature on success and +// zero on error. On success, it writes the signature to |signature| and the +// signature algorithm to each of |algor1| and |algor2|. Either of |algor1| or +// |algor2| may be NULL to ignore them. This function uses digest algorithm +// |md|, or |pkey|'s default if NULL. Other signing parameters use |pkey|'s +// defaults. To customize them, use |ASN1_item_sign_ctx|. +// +// WARNING: |data| must be a pointer with the same type as |it|'s corresponding +// C type. Using the wrong type is a potentially exploitable memory error. +OPENSSL_EXPORT int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, + X509_ALGOR *algor2, + ASN1_BIT_STRING *signature, void *data, + EVP_PKEY *pkey, const EVP_MD *type); -// standard trust ids +// ASN1_item_sign_ctx behaves like |ASN1_item_sign| except the signature is +// signed with |ctx|, |ctx|, which must have been initialized with +// |EVP_DigestSignInit|. 
The caller should configure the corresponding +// |EVP_PKEY_CTX| with any additional parameters before calling this function. +// +// On success or failure, this function mutates |ctx| and resets it to the empty +// state. Caller should not rely on its contents after the function returns. +// +// WARNING: |data| must be a pointer with the same type as |it|'s corresponding +// C type. Using the wrong type is a potentially exploitable memory error. +OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, + X509_ALGOR *algor2, + ASN1_BIT_STRING *signature, void *asn, + EVP_MD_CTX *ctx); -#define X509_TRUST_DEFAULT (-1) // Only valid in purpose settings -#define X509_TRUST_COMPAT 1 -#define X509_TRUST_SSL_CLIENT 2 -#define X509_TRUST_SSL_SERVER 3 -#define X509_TRUST_EMAIL 4 -#define X509_TRUST_OBJECT_SIGN 5 -#define X509_TRUST_OCSP_SIGN 6 -#define X509_TRUST_OCSP_REQUEST 7 -#define X509_TRUST_TSA 8 +// Verification internals. +// +// The following functions expose portions of certificate validation. They are +// exported for compatibility with existing callers, or to support some obscure +// use cases. Most callers, however, will not need these functions and should +// instead use |X509_STORE_CTX| APIs. -// Keep these up to date! -#define X509_TRUST_MIN 1 -#define X509_TRUST_MAX 8 +// X509_supported_extension returns one if |ex| is a critical X.509 certificate +// extension, supported by |X509_verify_cert|, and zero otherwise. +// +// Note this function only reports certificate extensions (as opposed to CRL or +// CRL extensions), and only extensions that are expected to be marked critical. +// Additionally, |X509_verify_cert| checks for unsupported critical extensions +// internally, so most callers will not need to call this function separately. 
+OPENSSL_EXPORT int X509_supported_extension(const X509_EXTENSION *ex); + +// X509_check_ca returns one if |x509| may be considered a CA certificate, +// according to basic constraints and key usage extensions. Otherwise, it +// returns zero. If |x509| is an X509v1 certificate, and thus has no extensions, +// it is considered eligible. +// +// This function returning one does not indicate that |x509| is trusted, only +// that it is eligible to be a CA. +// +// TODO(crbug.com/boringssl/407): |x509| should be const. +OPENSSL_EXPORT int X509_check_ca(X509 *x509); +// X509_check_issued checks if |issuer| and |subject|'s name, authority key +// identifier, and key usage fields allow |issuer| to have issued |subject|. It +// returns |X509_V_OK| on success and an |X509_V_ERR_*| value otherwise. +// +// This function does not check the signature on |subject|. Rather, it is +// intended to prune the set of possible issuer certificates during +// path-building. +// +// TODO(crbug.com/boringssl/407): Both parameters should be const. +OPENSSL_EXPORT int X509_check_issued(X509 *issuer, X509 *subject); -// trust_flags values -#define X509_TRUST_DYNAMIC 1 -#define X509_TRUST_DYNAMIC_NAME 2 +// NAME_CONSTRAINTS_check checks if |x509| satisfies name constraints in |nc|. +// It returns |X509_V_OK| on success and some |X509_V_ERR_*| constant on error. +// +// TODO(crbug.com/boringssl/407): Both parameters should be const. +OPENSSL_EXPORT int NAME_CONSTRAINTS_check(X509 *x509, NAME_CONSTRAINTS *nc); + +// X509_check_host checks if |x509| matches the DNS name |chk|. It returns one +// on match, zero on mismatch, or a negative number on error. |flags| should be +// some combination of |X509_CHECK_FLAG_*| and modifies the behavior. On match, +// if |out_peername| is non-NULL, it additionally sets |*out_peername| to a +// newly-allocated, NUL-terminated string containing the DNS name or wildcard in +// the certificate which matched. 
The caller must then free |*out_peername| with +// |OPENSSL_free| when done. +// +// By default, both subject alternative names and the subject's common name +// attribute are checked. The latter has long been deprecated, so callers should +// include |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| in |flags| to use the standard +// behavior. https://crbug.com/boringssl/464 tracks fixing the default. +// +// This function does not check if |x509| is a trusted certificate, only if, +// were it trusted, it would match |chk|. +// +// WARNING: This function differs from the usual calling convention and may +// return either 0 or a negative number on error. +// +// TODO(davidben): Make the error case also return zero. +OPENSSL_EXPORT int X509_check_host(const X509 *x509, const char *chk, + size_t chklen, unsigned int flags, + char **out_peername); + +// X509_check_email checks if |x509| matches the email address |chk|. It returns +// one on match, zero on mismatch, or a negative number on error. |flags| should +// be some combination of |X509_CHECK_FLAG_*| and modifies the behavior. +// +// By default, both subject alternative names and the subject's email address +// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be +// used to change this behavior. +// +// This function does not check if |x509| is a trusted certificate, only if, +// were it trusted, it would match |chk|. +// +// WARNING: This function differs from the usual calling convention and may +// return either 0 or a negative number on error. +// +// TODO(davidben): Make the error case also return zero. +OPENSSL_EXPORT int X509_check_email(const X509 *x509, const char *chk, + size_t chklen, unsigned int flags); + +// X509_check_ip checks if |x509| matches the IP address |chk|. The IP address +// is represented in byte form and should be 4 bytes for an IPv4 address and 16 +// bytes for an IPv6 address. It returns one on match, zero on mismatch, or a +// negative number on error. 
|flags| should be some combination of +// |X509_CHECK_FLAG_*| and modifies the behavior. +// +// This function does not check if |x509| is a trusted certificate, only if, +// were it trusted, it would match |chk|. +// +// WARNING: This function differs from the usual calling convention and may +// return either 0 or a negative number on error. +// +// TODO(davidben): Make the error case also return zero. +OPENSSL_EXPORT int X509_check_ip(const X509 *x509, const uint8_t *chk, + size_t chklen, unsigned int flags); -// check_trust return codes +// X509_check_ip_asc behaves like |X509_check_ip| except the IP address is +// specified in textual form in |ipasc|. +// +// WARNING: This function differs from the usual calling convention and may +// return either 0 or a negative number on error. +// +// TODO(davidben): Make the error case also return zero. +OPENSSL_EXPORT int X509_check_ip_asc(const X509 *x509, const char *ipasc, + unsigned int flags); + +// X509_STORE_CTX_get1_issuer looks up a candidate trusted issuer for |x509| out +// of |ctx|'s |X509_STORE|, based on the criteria in |X509_check_issued|. If one +// was found, it returns one and sets |*out_issuer| to the issuer. The caller +// must release |*out_issuer| with |X509_free| when done. If none was found, it +// returns zero and leaves |*out_issuer| unchanged. +// +// This function only searches for trusted issuers. It does not consider +// untrusted intermediates passed in to |X509_STORE_CTX_init|. +// +// TODO(crbug.com/boringssl/407): |x509| should be const. +OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **out_issuer, + X509_STORE_CTX *ctx, X509 *x509); + +// X509_check_purpose performs checks if |x509|'s basic constraints, key usage, +// and extended key usage extensions for the specified purpose. |purpose| should +// be one of |X509_PURPOSE_*| constants. See |X509_VERIFY_PARAM_set_purpose| for +// details. It returns one if |x509|'s extensions are consistent with |purpose| +// and zero otherwise. 
If |ca| is non-zero, |x509| is checked as a CA +// certificate. Otherwise, it is checked as an end-entity certificate. +// +// If |purpose| is -1, this function performs no purpose checks, but it parses +// some extensions in |x509| and may return zero on syntax error. Historically, +// callers primarily used this function to trigger this parsing, but this is no +// longer necessary. Functions acting on |X509| will internally parse as needed. +OPENSSL_EXPORT int X509_check_purpose(X509 *x509, int purpose, int ca); #define X509_TRUST_TRUSTED 1 #define X509_TRUST_REJECTED 2 #define X509_TRUST_UNTRUSTED 3 -DEFINE_STACK_OF(X509_REVOKED) +// X509_check_trust checks if |x509| is a valid trust anchor for trust type +// |id|. See |X509_VERIFY_PARAM_set_trust| for details. It returns +// |X509_TRUST_TRUSTED| if |x509| is a trust anchor, |X509_TRUST_REJECTED| if it +// was distrusted, and |X509_TRUST_UNTRUSTED| otherwise. |id| should be one of +// the |X509_TRUST_*| constants, or zero to indicate the default behavior. +// |flags| should be zero and is ignored. +OPENSSL_EXPORT int X509_check_trust(X509 *x509, int id, int flags); -DECLARE_STACK_OF(GENERAL_NAMES) -struct private_key_st { - int version; - // The PKCS#8 data types - X509_ALGOR *enc_algor; - ASN1_OCTET_STRING *enc_pkey; // encrypted pub key +// X.509 information. +// +// |X509_INFO| is the return type for |PEM_X509_INFO_read_bio|, defined in +// . It is used to store a certificate, CRL, or private key. This +// type is defined in this header for OpenSSL compatibility. - // When decrypted, the following will not be NULL +struct private_key_st { EVP_PKEY *dec_pkey; - - // used to encrypt and decrypt - int key_length; - char *key_data; - int key_free; // true if we should auto free key_data - - // expanded version of 'enc_algor' - EVP_CIPHER_INFO cipher; } /* X509_PKEY */; struct X509_info_st { 
@@ -2226,329 +3806,507 @@ struct X509_info_st { EVP_CIPHER_INFO enc_cipher; int enc_len; char *enc_data; - } /* X509_INFO */; DEFINE_STACK_OF(X509_INFO) -// X509_get_pathlen returns path length constraint from the basic constraints -// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the -// constraint is not present, or if some extension in |x509| was invalid. -// -// Note that decoding an |X509| object will not check for invalid extensions. To -// detect the error case, call |X509_get_extensions_flags| and check the -// |EXFLAG_INVALID| bit. -OPENSSL_EXPORT long X509_get_pathlen(X509 *x509); - -// X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to -// |sig|'s algorithm and digest fields, respectively. Either |out_alg| and -// |out_digest| may be NULL to skip those fields. -OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig, - const X509_ALGOR **out_alg, - const ASN1_OCTET_STRING **out_digest); - -// X509_SIG_getm behaves like |X509_SIG_get0| but returns mutable pointers. -OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, - ASN1_OCTET_STRING **out_digest); - -// X509_verify_cert_error_string returns |err| as a human-readable string, where -// |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns -// a default description. -OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); - -// X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error. -// This function works by serializing the structure, so if |rev| is incomplete, -// it may fail. -OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev); +// X509_INFO_free releases memory associated with |info|. 
+OPENSSL_EXPORT void X509_INFO_free(X509_INFO *info); -OPENSSL_EXPORT const char *X509_get_default_cert_area(void); -OPENSSL_EXPORT const char *X509_get_default_cert_dir(void); -OPENSSL_EXPORT const char *X509_get_default_cert_file(void); -OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void); -OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void); -OPENSSL_EXPORT const char *X509_get_default_private_dir(void); -DECLARE_ASN1_FUNCTIONS_const(X509_PUBKEY) +// Deprecated config-based extension creation. +// +// The following functions allow specifying X.509 extensions using OpenSSL's +// config file syntax, from the OpenSSL command-line tool. They are retained, +// for now, for compatibility with legacy software but may be removed in the +// future. Construct the extensions using the typed C APIs instead. +// +// Callers should especially avoid these functions if passing in non-constant +// values. They use ad-hoc, string-based formats which are prone to injection +// vulnerabilities. For a CA, this means using them risks misissuance. +// +// These functions are not safe to use with untrusted inputs. The string formats +// may implicitly reference context information and, in OpenSSL (though not +// BoringSSL), one even allows reading arbitrary files. Many formats can also +// produce far larger outputs than their inputs, so untrusted inputs may lead to +// denial-of-service attacks. Finally, the parsers see much less testing and +// review than most of the library and may have bugs including memory leaks or +// crashes. + +// v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for +// constructing extensions. Some string formats reference additional values in +// these objects. It must be initialized with |X509V3_set_ctx| or +// |X509V3_set_ctx_test| before use. 
+struct v3_ext_ctx { + int flags; + const X509 *issuer_cert; + const X509 *subject_cert; + const X509_REQ *subject_req; + const X509_CRL *crl; + const CONF *db; +}; + +#define X509V3_CTX_TEST 0x1 + +// X509V3_set_ctx initializes |ctx| with the specified objects. Some string +// formats will reference fields in these objects. Each object may be NULL to +// omit it, in which case those formats cannot be used. |flags| should be zero, +// unless called via |X509V3_set_ctx_test|. +// +// |issuer|, |subject|, |req|, and |crl|, if non-NULL, must outlive |ctx|. +OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, + const X509 *subject, const X509_REQ *req, + const X509_CRL *crl, int flags); + +// X509V3_set_ctx_test calls |X509V3_set_ctx| without any reference objects and +// mocks out some features that use them. The resulting extensions may be +// incomplete and should be discarded. This can be used to partially validate +// syntax. +// +// TODO(davidben): Can we remove this? +#define X509V3_set_ctx_test(ctx) \ + X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST) + +// X509V3_set_nconf sets |ctx| to use |conf| as the config database. |ctx| must +// have previously been initialized by |X509V3_set_ctx| or +// |X509V3_set_ctx_test|. Some string formats will reference sections in |conf|. +// |conf| may be NULL, in which case these formats cannot be used. If non-NULL, +// |conf| must outlive |ctx|. +OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf); + +// X509V3_set_ctx_nodb calls |X509V3_set_nconf| with no config database. +#define X509V3_set_ctx_nodb(ctx) X509V3_set_nconf(ctx, NULL) + +// X509V3_EXT_nconf constructs an extension of type specified by |name|, and +// value specified by |value|. It returns a newly-allocated |X509_EXTENSION| +// object on success, or NULL on error. |conf| and |ctx| specify additional +// information referenced by some formats. 
Either |conf| or |ctx| may be NULL, +// in which case features which use it will be disabled. +// +// If non-NULL, |ctx| must be initialized with |X509V3_set_ctx| or +// |X509V3_set_ctx_test|. +// +// Both |conf| and |ctx| provide a |CONF| object. When |ctx| is non-NULL, most +// features use the |ctx| copy, configured with |X509V3_set_ctx|, but some use +// |conf|. Callers should ensure the two match to avoid surprisingly behavior. +OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, + const X509V3_CTX *ctx, + const char *name, + const char *value); + +// X509V3_EXT_nconf_nid behaves like |X509V3_EXT_nconf|, except the extension +// type is specified as a NID. +OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf, + const X509V3_CTX *ctx, + int ext_nid, + const char *value); + +// X509V3_EXT_conf_nid calls |X509V3_EXT_nconf_nid|. |conf| must be NULL. +// +// TODO(davidben): This is the only exposed instance of an LHASH in our public +// headers. cryptography.io wraps this function so we cannot, yet, replace the +// type with a dummy struct. +OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, + const X509V3_CTX *ctx, + int ext_nid, + const char *value); + +// X509V3_EXT_add_nconf_sk looks up the section named |section| in |conf|. For +// each |CONF_VALUE| in the section, it constructs an extension as in +// |X509V3_EXT_nconf|, taking |name| and |value| from the |CONF_VALUE|. Each new +// extension is appended to |*sk|. If |*sk| is non-NULL, and at least one +// extension is added, it sets |*sk| to a newly-allocated +// |STACK_OF(X509_EXTENSION)|. It returns one on success and zero on error. +OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(const CONF *conf, + const X509V3_CTX *ctx, + const char *section, + STACK_OF(X509_EXTENSION) **sk); + +// X509V3_EXT_add_nconf adds extensions to |cert| as in +// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. 
+OPENSSL_EXPORT int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx, + const char *section, X509 *cert); + +// X509V3_EXT_REQ_add_nconf adds extensions to |req| as in +// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. +OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(const CONF *conf, + const X509V3_CTX *ctx, + const char *section, X509_REQ *req); + +// X509V3_EXT_CRL_add_nconf adds extensions to |crl| as in +// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. +OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(const CONF *conf, + const X509V3_CTX *ctx, + const char *section, X509_CRL *crl); + +// i2s_ASN1_OCTET_STRING returns a human-readable representation of |oct| as a +// newly-allocated, NUL-terminated string, or NULL on error. |method| is +// ignored. The caller must release the result with |OPENSSL_free| when done. +OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method, + const ASN1_OCTET_STRING *oct); + +// s2i_ASN1_OCTET_STRING decodes |str| as a hexdecimal byte string, with +// optional colon separators between bytes. It returns a newly-allocated +// |ASN1_OCTET_STRING| with the result on success, or NULL on error. |method| +// and |ctx| are ignored. +OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING( + const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str); + +// i2s_ASN1_INTEGER returns a human-readable representation of |aint| as a +// newly-allocated, NUL-terminated string, or NULL on error. |method| is +// ignored. The caller must release the result with |OPENSSL_free| when done. +OPENSSL_EXPORT char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *method, + const ASN1_INTEGER *aint); + +// s2i_ASN1_INTEGER decodes |value| as the ASCII representation of an integer, +// and returns a newly-allocated |ASN1_INTEGER| containing the result, or NULL +// on error. |method| is ignored. 
If |value| begins with "0x" or "0X", the input +// is decoded in hexadecimal, otherwise decimal. +OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *method, + const char *value); + +// i2s_ASN1_ENUMERATED returns a human-readable representation of |aint| as a +// newly-allocated, NUL-terminated string, or NULL on error. |method| is +// ignored. The caller must release the result with |OPENSSL_free| when done. +OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *method, + const ASN1_ENUMERATED *aint); + +// X509V3_conf_free releases memory associated with |CONF_VALUE|. +OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val); + +// i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it +// appends the value to |ret| and returns |ret| on success or NULL on error. If +// it returns NULL, the caller is still responsible for freeing |ret|. If |ret| +// is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the +// result. |method| is ignored. When done, the caller should release the result +// with |sk_CONF_VALUE_pop_free| and |X509V3_conf_free|. +// +// Do not use this function. This is an internal implementation detail of the +// human-readable print functions. If extracting a SAN list from a certificate, +// look at |gen| directly. +OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME( + const X509V3_EXT_METHOD *method, const GENERAL_NAME *gen, + STACK_OF(CONF_VALUE) *ret); + +// i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is +// non-NULL, it appends the values to |ret| and returns |ret| on success or NULL +// on error. If it returns NULL, the caller is still responsible for freeing +// |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| +// containing the results. |method| is ignored. +// +// Do not use this function. This is an internal implementation detail of the +// human-readable print functions. 
If extracting a SAN list from a certificate, +// look at |gen| directly. +OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES( + const X509V3_EXT_METHOD *method, const GENERAL_NAMES *gen, + STACK_OF(CONF_VALUE) *extlist); + +// a2i_IPADDRESS decodes |ipasc| as the textual representation of an IPv4 or +// IPv6 address. On success, it returns a newly-allocated |ASN1_OCTET_STRING| +// containing the decoded IP address. IPv4 addresses are represented as 4-byte +// strings and IPv6 addresses as 16-byte strings. On failure, it returns NULL. +OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); + +// a2i_IPADDRESS_NC decodes |ipasc| as the textual representation of an IPv4 or +// IPv6 address range. On success, it returns a newly-allocated +// |ASN1_OCTET_STRING| containing the decoded IP address, followed by the +// decoded mask. IPv4 ranges are represented as 8-byte strings and IPv6 ranges +// as 32-byte strings. On failure, it returns NULL. +// +// The text format decoded by this function is not the standard CIDR notiation. +// Instead, the mask after the "/" is represented as another IP address. For +// example, "192.168.0.0/16" would be written "192.168.0.0/255.255.0.0". +OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); -// X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY| -// structure. On success, it frees |*x|, sets |*x| to the new object, and -// returns one. Otherwise, it returns zero. -OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); -// X509_PUBKEY_get decodes the public key in |key| and returns an |EVP_PKEY| on -// success, or NULL on error. The caller must release the result with -// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must -// not mutate the result. -OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key); +// Deprecated functions. -DECLARE_ASN1_FUNCTIONS_const(X509_SIG) +// X509_get_notBefore returns |x509|'s notBefore time. 
Note this function is not +// const-correct for legacy reasons. Use |X509_get0_notBefore| or +// |X509_getm_notBefore| instead. +OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509); -OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); -OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); -OPENSSL_EXPORT void X509_trust_clear(X509 *x); -OPENSSL_EXPORT void X509_reject_clear(X509 *x); +// X509_get_notAfter returns |x509|'s notAfter time. Note this function is not +// const-correct for legacy reasons. Use |X509_get0_notAfter| or +// |X509_getm_notAfter| instead. +OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509); +// X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore| +// instead. +OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm); -OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust); +// X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter| +// instead. +OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm); -DECLARE_ASN1_FUNCTIONS_const(X509_REVOKED) +// X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s thisUpdate time. +// The OpenSSL API refers to this field as lastUpdate. +// +// Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead. +OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); -OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); -OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, - ASN1_INTEGER *serial); -OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, - X509 *x); +// X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time, +// or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or +// |X509_CRL_set1_nextUpdate| instead. 
+OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
-OPENSSL_EXPORT X509_PKEY *X509_PKEY_new(void);
-OPENSSL_EXPORT void X509_PKEY_free(X509_PKEY *a);
+// X509_extract_key is a legacy alias to |X509_get_pubkey|. Use
+// |X509_get_pubkey| instead.
+#define X509_extract_key(x) X509_get_pubkey(x)
-OPENSSL_EXPORT X509_INFO *X509_INFO_new(void);
-OPENSSL_EXPORT void X509_INFO_free(X509_INFO *a);
+// X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|.
+#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
-OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
- unsigned char *md, unsigned int *len);
+// X509_name_cmp is a legacy alias for |X509_NAME_cmp|.
+#define X509_name_cmp(a, b) X509_NAME_cmp((a), (b))
-OPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type,
- void *data, unsigned char *md,
- unsigned int *len);
+// The following symbols are deprecated aliases to |X509_CRL_set1_*|.
+#define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
+#define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
-OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it,
- const X509_ALGOR *algor1,
- const ASN1_BIT_STRING *signature,
- void *data, EVP_PKEY *pkey);
+// X509_get_serialNumber returns a mutable pointer to |x509|'s serial number.
+// Prefer |X509_get0_serialNumber|.
+OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509);
-OPENSSL_EXPORT int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1,
- X509_ALGOR *algor2,
- ASN1_BIT_STRING *signature, void *data,
- EVP_PKEY *pkey, const EVP_MD *type);
-OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
- X509_ALGOR *algor2,
- ASN1_BIT_STRING *signature, void *asn,
- EVP_MD_CTX *ctx);
+// X509_NAME_get_text_by_OBJ finds the first attribute with type |obj| in
+// |name|. If found, it writes the value's UTF-8 representation to |buf|.
+// followed by a NUL byte, and returns the number of bytes in the output,
+// excluding the NUL byte. This is unlike OpenSSL which returns the raw
+// ASN1_STRING data. The UTF-8 encoding of the |ASN1_STRING| may not contain a 0
+// codepoint.
+//
+// This function writes at most |len| bytes, including the NUL byte. If |buf|
+// is NULL, it writes nothing and returns the number of bytes in the
+// output, excluding the NUL byte that would be required for the full UTF-8
+// output.
+//
+// This function may return -1 if an error occurs for any reason, including the
+// value not being a recognized string type, |len| being of insufficient size to
+// hold the full UTF-8 encoding and NUL byte, memory allocation failures, an
+// object with type |obj| not existing in |name|, or if the UTF-8 encoding of
+// the string contains a zero byte.
+OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name,
+ const ASN1_OBJECT *obj, char *buf,
+ int len);
-OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);
+// X509_NAME_get_text_by_NID behaves like |X509_NAME_get_text_by_OBJ| except it
+// finds an attribute of type |nid|, which should be one of the |NID_*|
+// constants.
+OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
+ char *buf, int len);
-// X509_REVOKED_get0_serialNumber returns the serial number of the certificate
-// revoked by |revoked|.
-OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(
- const X509_REVOKED *revoked);
+// X509_STORE_CTX_get0_parent_ctx returns NULL.
+OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(
+ const X509_STORE_CTX *ctx);
-// X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It
-// returns one on success or zero on error.
-OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked,
- const ASN1_INTEGER *serial);
+// X509_OBJECT_free_contents sets |obj| to the empty object, freeing any values
+// that were previously there.
+//
+// TODO(davidben): Unexport this function after rust-openssl is fixed to no
+// longer call it.
+OPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *obj);
-// X509_REVOKED_get0_revocationDate returns the revocation time of the
-// certificate revoked by |revoked|.
-OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate(
- const X509_REVOKED *revoked);
+// X509_LOOKUP_free releases memory associated with |ctx|. This function should
+// never be used outside the library. No function in the public API hands
+// ownership of an |X509_LOOKUP| to the caller.
+//
+// TODO(davidben): Unexport this function after rust-openssl is fixed to no
+// longer call it.
+OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx);
-// X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It
-// returns one on success or zero on error.
-OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked,
- const ASN1_TIME *tm);
+// X509_STORE_CTX_cleanup resets |ctx| to the empty state.
+//
+// This function is a remnant of when |X509_STORE_CTX| was stack-allocated and
+// should not be used. If releasing |ctx|, call |X509_STORE_CTX_free|. If
+// reusing |ctx| for a new verification, release the old one and create a new
+// one.
+OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
-// X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r|
-// omits it.
-OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(
- const X509_REVOKED *r);
+// X509V3_add_standard_extensions returns one.
+OPENSSL_EXPORT int X509V3_add_standard_extensions(void);
-OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
- EVP_PKEY *skey, const EVP_MD *md,
- unsigned int flags);
+// The following symbols are legacy aliases for |X509_STORE_CTX| functions.
+#define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject
+#define X509_STORE_get1_certs X509_STORE_CTX_get1_certs
+#define X509_STORE_get1_crls X509_STORE_CTX_get1_crls
-OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
+// X509_STORE_CTX_get_chain is a legacy alias for |X509_STORE_CTX_get0_chain|.
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain(
+ const X509_STORE_CTX *ctx);
-OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey);
+// X509_STORE_CTX_trusted_stack is a deprecated alias for
+// |X509_STORE_CTX_set0_trusted_stack|.
+OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *sk);
-OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b);
-OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a);
+typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
-OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b);
-OPENSSL_EXPORT unsigned long X509_subject_name_hash(X509 *x);
+// X509_STORE_CTX_set_verify_cb configures a callback function for |ctx| that is
+// called multiple times during |X509_verify_cert|. The callback returns zero to
+// fail verification and one to proceed. Typically, it will return |ok|, which
+// preserves the default behavior. Returning one when |ok| is zero will proceed
+// past some error. The callback may inspect |ctx| and the error queue to
+// attempt to determine the current stage of certificate verification, but this
+// is often unreliable. When synthesizing an error, callbacks should use
+// |X509_STORE_CTX_set_error| to set a corresponding error.
+//
+// WARNING: Do not use this function. It is extremely fragile and unpredictable.
+// This callback exposes implementation details of certificate verification,
+// which change as the library evolves. Attempting to use it for security checks
+// can introduce vulnerabilities if making incorrect assumptions about when the
+// callback is called.
Some errors, when suppressed, may implicitly suppress
+// other errors due to internal implementation details. Additionally, overriding
+// |ok| may leave |ctx| in an inconsistent state and break invariants.
+//
+// Instead, customize certificate verification by configuring options on the
+// |X509_STORE_CTX| before verification, or applying additional checks after
+// |X509_verify_cert| completes successfully.
+OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
+ X509_STORE_CTX *ctx, int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
-OPENSSL_EXPORT unsigned long X509_issuer_name_hash_old(X509 *a);
-OPENSSL_EXPORT unsigned long X509_subject_name_hash_old(X509 *x);
+// X509_STORE_set_verify_cb acts like |X509_STORE_CTX_set_verify_cb| but sets
+// the verify callback for any |X509_STORE_CTX| created from this |X509_STORE|
+//
+// Do not use this function. See |X509_STORE_CTX_set_verify_cb| for details.
+OPENSSL_EXPORT void X509_STORE_set_verify_cb(
+ X509_STORE *store, X509_STORE_CTX_verify_cb verify_cb);
-OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b);
-OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
-OPENSSL_EXPORT unsigned long X509_NAME_hash(X509_NAME *x);
-OPENSSL_EXPORT unsigned long X509_NAME_hash_old(X509_NAME *x);
+// X509_STORE_set_verify_cb_func is a deprecated alias for
+// |X509_STORE_set_verify_cb|.
+#define X509_STORE_set_verify_cb_func(store, func) \
+ X509_STORE_set_verify_cb((store), (func))
-OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
-OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
+typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx, X509_CRL **crl,
+ X509 *x);
+typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl);
-// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in
-// |x509|'s extension list.
+// X509_STORE_set_get_crl override's |store|'s logic for looking up CRLs.
//
-// WARNING: This function is difficult to use correctly. See the documentation
-// for |X509V3_get_d2i| for details.
-OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid,
- int *out_critical, int *out_idx);
+// Do not use this function. It is temporarily retained to support one caller
+// and will be removed after that caller is fixed. It is not possible for
+// external callers to correctly implement this callback. The real
+// implementation sets some inaccessible internal state on |X509_STORE_CTX|.
+OPENSSL_EXPORT void X509_STORE_set_get_crl(X509_STORE *store,
+ X509_STORE_CTX_get_crl_fn get_crl);
-// X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to
-// |x|'s extension list.
+// X509_STORE_set_check_crl override's |store|'s logic for checking CRL
+// validity.
 //
-// WARNING: This function may return zero or -1 on error. The caller must also
-// ensure |value|'s type matches |nid|. See the documentation for
-// |X509V3_add1_i2d| for details.
-OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
- unsigned long flags);
+// Do not use this function. It is temporarily retained to support one caller
+// and will be removed after that caller is fixed. It is not possible for
+// external callers to correctly implement this callback. The real
+// implementation relies some inaccessible internal state on |X509_STORE_CTX|.
+OPENSSL_EXPORT void X509_STORE_set_check_crl(
+ X509_STORE *store, X509_STORE_CTX_check_crl_fn check_crl);
-// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
-// extension in |crl|'s extension list.
+// X509_STORE_CTX_set_chain configures |ctx| to use |sk| for untrusted
+// intermediate certificates to use in verification. This function is redundant
+// with the |chain| parameter of |X509_STORE_CTX_init|. Use the parameter
+// instead.
 //
-// WARNING: This function is difficult to use correctly. See the documentation
-// for |X509V3_get_d2i| for details.
-OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid,
- int *out_critical, int *out_idx);
-
-// X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension
-// to |x|'s extension list.
+// WARNING: Despite the similar name, this function is unrelated to
+// |X509_STORE_CTX_get0_chain|.
 //
-// WARNING: This function may return zero or -1 on error. The caller must also
-// ensure |value|'s type matches |nid|. See the documentation for
-// |X509V3_add1_i2d| for details.
-OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value,
- int crit, unsigned long flags);
+// WARNING: This function saves a pointer to |sk| without copying or
+// incrementing reference counts. |sk| must outlive |ctx| and may not be mutated
+// for the duration of the certificate verification.
+OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *sk);
-// X509_REVOKED_get_ext_count returns the number of extensions in |x|.
-OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x);
+// The following flags do nothing. The corresponding non-standard options have
+// been removed.
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0
+#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0
+#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
-// X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches
-// for extensions in |x|.
-OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid,
- int lastpos);
+// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in
+// OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is
+// always enabled.
+#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
-// X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches
-// for extensions in |x|.
-OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x,
- const ASN1_OBJECT *obj,
- int lastpos);
-// X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical|
-// but searches for extensions in |x|.
-OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x,
- int crit, int lastpos);
+// Private structures.
-// X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if
-// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL
-// compatibility, but callers should not mutate the result.
-OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x,
- int loc);
+struct X509_algor_st {
+ ASN1_OBJECT *algorithm;
+ ASN1_TYPE *parameter;
+} /* X509_ALGOR */;
-// X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and
-// returns the removed extension, or NULL if |loc| was out of bounds. If
-// non-NULL, the caller must release the result with |X509_EXTENSION_free|.
-OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x,
- int loc);
-// X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success
-// and zero on failure. The caller retains ownership of |ex| and can release it
-// independently of |x|.
-//
-// The new extension is inserted at index |loc|, shifting extensions to the
-// right. If |loc| is -1 or out of bounds, the new extension is appended to the
-// list.
-OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x,
- const X509_EXTENSION *ex, int loc);
+// Functions below this point have not yet been organized into sections.
-// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
-// extension in |revoked|'s extension list.
-//
-// WARNING: This function is difficult to use correctly. See the documentation
-// for |X509V3_get_d2i| for details.
-OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked,
- int nid, int *out_critical,
- int *out_idx);
+// This stuff is certificate "auxiliary info"
+// it contains details which are useful in certificate
+// stores and databases. When used this is tagged onto
+// the end of the certificate itself
-// X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the
-// extension to |x|'s extension list.
-//
-// WARNING: This function may return zero or -1 on error. The caller must also
-// ensure |value|'s type matches |nid|. See the documentation for
-// |X509V3_add1_i2d| for details.
-OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid,
- void *value, int crit,
- unsigned long flags);
+DECLARE_STACK_OF(DIST_POINT)
+
+// This is used for a table of trust checking functions
+
+struct x509_trust_st {
+ int trust;
+ int flags;
+ int (*check_trust)(const X509_TRUST *, X509 *, int);
+ char *name;
+ int arg1;
+ void *arg2;
+} /* X509_TRUST */;
+
+DEFINE_STACK_OF(X509_TRUST)
+
+// standard trust ids
+
+#define X509_TRUST_DEFAULT (-1) // Only valid in purpose settings
+
+OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
+OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
+OPENSSL_EXPORT const char *X509_get_default_cert_file(void);
+OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void);
+OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void);
+OPENSSL_EXPORT const char *X509_get_default_private_dir(void);
-OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
-// PKCS#8 utilities
+OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust);
-DECLARE_ASN1_FUNCTIONS_const(PKCS8_PRIV_KEY_INFO)
+OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b);
-// EVP_PKCS82PKEY returns |p8| as a newly-allocated |EVP_PKEY|, or NULL if the
-// key was unsupported or could not be decoded. If non-NULL, the caller must
-// release the result with |EVP_PKEY_free| when done.
+// X509_NAME_hash returns a hash of |name|, or zero on error. This is the new
+// hash used by |X509_LOOKUP_hash_dir|.
 //
-// Use |EVP_parse_private_key| instead.
-OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8);
-
-// EVP_PKEY2PKCS8 encodes |pkey| as a PKCS#8 PrivateKeyInfo (RFC 5208),
-// represented as a newly-allocated |PKCS8_PRIV_KEY_INFO|, or NULL on error. The
-// caller must release the result with |PKCS8_PRIV_KEY_INFO_free| when done.
+// This hash is specific to the |X509_LOOKUP_hash_dir| filesystem format and is
+// not suitable for general-purpose X.509 name processing. It is very short, so
+// there will be hash collisions. It also depends on an OpenSSL-specific
+// canonicalization process.
 //
-// Use |EVP_marshal_private_key| instead.
-OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey);
-
-// X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier
-// determined by |obj|, |param_type|, and |param_value|, and an encoded
-// public key of |key|. On success, it takes ownership of all its parameters and
-// returns one. Otherwise, it returns zero. |key| must have been allocated by
-// |OPENSSL_malloc|.
+// TODO(https://crbug.com/boringssl/407): This should be const and thread-safe
+// but currently is neither, notably if |name| was modified from its parsed
+// value.
+OPENSSL_EXPORT uint32_t X509_NAME_hash(X509_NAME *name);
+
+// X509_NAME_hash_old returns a hash of |name|, or zero on error. This is the
+// legacy hash used by |X509_LOOKUP_hash_dir|, which is still supported for
+// compatibility.
 //
-// |obj|, |param_type|, and |param_value| are interpreted as in
-// |X509_ALGOR_set0|. See |X509_ALGOR_set0| for details.
-OPENSSL_EXPORT int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj,
- int param_type, void *param_value,
- uint8_t *key, int key_len);
-
-// X509_PUBKEY_get0_param outputs fields of |pub| and returns one.
If |out_obj|
-// is not NULL, it sets |*out_obj| to AlgorithmIdentifier's OID. If |out_key|
-// is not NULL, it sets |*out_key| and |*out_key_len| to the encoded public key.
-// If |out_alg| is not NULL, it sets |*out_alg| to the AlgorithmIdentifier.
+// This hash is specific to the |X509_LOOKUP_hash_dir| filesystem format and is
+// not suitable for general-purpose X.509 name processing. It is very short, so
+// there will be hash collisions.
 //
-// Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a
-// BIT STRING. |*out_key| and |*out_key_len| will silently pad the key with zero
-// bits if |pub| did not contain a whole number of bytes. Use
-// |X509_PUBKEY_get0_public_key| to preserve this information.
-OPENSSL_EXPORT int X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj,
- const uint8_t **out_key,
- int *out_key_len,
- X509_ALGOR **out_alg,
- X509_PUBKEY *pub);
+// TODO(https://crbug.com/boringssl/407): This should be const and thread-safe
+// but currently is neither, notably if |name| was modified from its parsed
+// value.
+OPENSSL_EXPORT uint32_t X509_NAME_hash_old(X509_NAME *name);
-// X509_PUBKEY_get0_public_key returns |pub|'s encoded public key.
-OPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key(
- const X509_PUBKEY *pub);
+OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
-OPENSSL_EXPORT int X509_check_trust(X509 *x, int id, int flags);
 OPENSSL_EXPORT int X509_TRUST_get_count(void);
-OPENSSL_EXPORT X509_TRUST *X509_TRUST_get0(int idx);
+OPENSSL_EXPORT const X509_TRUST *X509_TRUST_get0(int idx);
 OPENSSL_EXPORT int X509_TRUST_get_by_id(int id);
-OPENSSL_EXPORT int X509_TRUST_add(int id, int flags,
- int (*ck)(X509_TRUST *, X509 *, int),
- char *name, int arg1, void *arg2);
-OPENSSL_EXPORT void X509_TRUST_cleanup(void);
 OPENSSL_EXPORT int X509_TRUST_get_flags(const X509_TRUST *xp);
 OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp);
 OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp);
-struct rsa_pss_params_st {
- X509_ALGOR *hashAlgorithm;
- X509_ALGOR *maskGenAlgorithm;
- ASN1_INTEGER *saltLength;
- ASN1_INTEGER *trailerField;
- // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the
- // cases apply to BoringSSL, so this is always NULL, but Node expects the
- // field to be present.
- X509_ALGOR *maskHash;
-} /* RSA_PSS_PARAMS */;
-
-DECLARE_ASN1_FUNCTIONS_const(RSA_PSS_PARAMS)
-
 /* SSL_CTX -> X509_STORE -> X509_LOOKUP
@@ -2566,36 +4324,12 @@ The X509_STORE then calls a function to actually verify the certificate chain.
 */
+#define X509_LU_NONE 0
 #define X509_LU_X509 1
 #define X509_LU_CRL 2
 #define X509_LU_PKEY 3
-DEFINE_STACK_OF(X509_LOOKUP)
 DEFINE_STACK_OF(X509_OBJECT)
-DEFINE_STACK_OF(X509_VERIFY_PARAM)
-
-typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
-typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
-typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer, X509_STORE_CTX *ctx,
- X509 *x);
-typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *x,
- X509 *issuer);
-typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
-typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx, X509_CRL **crl,
- X509 *x);
-typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl);
-typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl,
- X509 *x);
-typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
-typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
- X509_NAME *nm);
-typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(
- X509_STORE_CTX *ctx, X509_NAME *nm);
-typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
-
-OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth);
-
-OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_STORE_CTX_set_app_data(ctx, data) \
 X509_STORE_CTX_set_ex_data(ctx, 0, data)
@@ -2604,85 +4338,27 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_L_FILE_LOAD 1
 #define X509_L_ADD_DIR 2
-#define X509_LOOKUP_load_file(x, name, type) \
- X509_LOOKUP_ctrl((x), X509_L_FILE_LOAD, (name), (long)(type), NULL)
-
-#define X509_LOOKUP_add_dir(x, name, type) \
- X509_LOOKUP_ctrl((x), X509_L_ADD_DIR, (name), (long)(type), NULL)
-
-#define X509_V_OK 0
-#define X509_V_ERR_UNSPECIFIED 1
-
-#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
-#define X509_V_ERR_UNABLE_TO_GET_CRL 3
-#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
-#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
-#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
-#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
-#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
-#define X509_V_ERR_CERT_NOT_YET_VALID 9
-#define X509_V_ERR_CERT_HAS_EXPIRED 10
-#define X509_V_ERR_CRL_NOT_YET_VALID 11
-#define X509_V_ERR_CRL_HAS_EXPIRED 12
-#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
-#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
-#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
-#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
-#define X509_V_ERR_OUT_OF_MEM 17
-#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
-#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
-#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
-#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
-#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
-#define X509_V_ERR_CERT_REVOKED 23
-#define X509_V_ERR_INVALID_CA 24
-#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
-#define X509_V_ERR_INVALID_PURPOSE 26
-#define X509_V_ERR_CERT_UNTRUSTED 27
-#define X509_V_ERR_CERT_REJECTED 28
-// These are 'informational' when looking for issuer cert
-#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
-#define X509_V_ERR_AKID_SKID_MISMATCH 30
-#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
-#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
-
-#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
-#define 
X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
-#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
-#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
-#define X509_V_ERR_INVALID_NON_CA 37
-#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
-#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
-#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
-
-#define X509_V_ERR_INVALID_EXTENSION 41
-#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
-#define X509_V_ERR_NO_EXPLICIT_POLICY 43
-#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
-#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
-
-#define X509_V_ERR_UNNESTED_RESOURCE 46
-
-#define X509_V_ERR_PERMITTED_VIOLATION 47
-#define X509_V_ERR_EXCLUDED_VIOLATION 48
-#define X509_V_ERR_SUBTREE_MINMAX 49
-#define X509_V_ERR_APPLICATION_VERIFICATION 50
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
-#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
-#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
-
-// Host, email and IP check errors
-#define X509_V_ERR_HOSTNAME_MISMATCH 62
-#define X509_V_ERR_EMAIL_MISMATCH 63
-#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
-
-// Caller error
-#define X509_V_ERR_INVALID_CALL 65
-// Issuer lookup error
-#define X509_V_ERR_STORE_LOOKUP 66
+// The following constants are used to specify the format of files in an
+// |X509_LOOKUP|.
+#define X509_FILETYPE_PEM 1
+#define X509_FILETYPE_ASN1 2
+#define X509_FILETYPE_DEFAULT 3
-#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67
+// X509_LOOKUP_load_file configures |lookup| to load information from the file
+// at |path|. It returns one on success and zero on error. |type| should be one
+// of the |X509_FILETYPE_*| constants to determine if the contents are PEM or
+// DER. If |type| is |X509_FILETYPE_DEFAULT|, |path| is ignored and instead some
+// default system path is used.
+OPENSSL_EXPORT int X509_LOOKUP_load_file(X509_LOOKUP *lookup, const char *path,
+ int type);
+
+// X509_LOOKUP_add_dir configures |lookup| to load information from the
+// directory at |path|. It returns one on success and zero on error. |type|
+// should be one of the |X509_FILETYPE_*| constants to determine if the contents
+// are PEM or DER. If |type| is |X509_FILETYPE_DEFAULT|, |path| is ignored and
+// instead some default system path is used.
+OPENSSL_EXPORT int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *path,
+ int type);
 // Certificate verify flags
@@ -2708,11 +4384,11 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_INHIBIT_ANY 0x200
 // Policy variable inhibit-policy-mapping
 #define X509_V_FLAG_INHIBIT_MAP 0x400
-// Notify callback that policy is OK
+// Does nothing
 #define X509_V_FLAG_NOTIFY_POLICY 0x800
-// Extended CRL features such as indirect CRLs, alternate CRL signing keys
+// Causes all verifications to fail. Extended CRL features have been removed.
 #define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
-// Delta CRL support
+// Causes all verifications to fail. Delta CRL support has been removed.
 #define X509_V_FLAG_USE_DELTAS 0x2000
 // Check selfsigned CA signature
 #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
@@ -2731,274 +4407,449 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
// verification.
#define X509_V_FLAG_NO_CHECK_TIME 0x200000
-#define X509_VP_FLAG_DEFAULT 0x1
-#define X509_VP_FLAG_OVERWRITE 0x2
-#define X509_VP_FLAG_RESET_FLAGS 0x4
-#define X509_VP_FLAG_LOCKED 0x8
-#define X509_VP_FLAG_ONCE 0x10
-
-OPENSSL_EXPORT int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h,
- int type, X509_NAME *name);
-OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_by_subject(
- STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name);
-OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
- X509_OBJECT *x);
-OPENSSL_EXPORT int X509_OBJECT_up_ref_count(X509_OBJECT *a);
-OPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *a);
-OPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *a);
-OPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);
-OPENSSL_EXPORT X509_STORE *X509_STORE_new(void);
-OPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store);
-OPENSSL_EXPORT void X509_STORE_free(X509_STORE *v);
-
-OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st);
-OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *st,
- X509_NAME *nm);
-OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *st,
- X509_NAME *nm);
-OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
-OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
-OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *ctx, int trust);
-OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *ctx,
- X509_VERIFY_PARAM *pm);
-OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx);
-
-OPENSSL_EXPORT void X509_STORE_set_verify(X509_STORE *ctx,
- X509_STORE_CTX_verify_fn verify);
-#define X509_STORE_set_verify_func(ctx, func) \
- X509_STORE_set_verify((ctx), (func))
-OPENSSL_EXPORT void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
- X509_STORE_CTX_verify_fn verify);
-OPENSSL_EXPORT X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx);
-
-// X509_STORE_set_verify_cb acts like |X509_STORE_CTX_set_verify_cb| but sets
-// the verify callback for any |X509_STORE_CTX| created from this |X509_STORE|
-//
-// Do not use this funciton. see |X509_STORE_CTX_set_verify_cb|.
-OPENSSL_EXPORT void X509_STORE_set_verify_cb(
- X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb);
-#define X509_STORE_set_verify_cb_func(ctx, func) \
- X509_STORE_set_verify_cb((ctx), (func))
-OPENSSL_EXPORT X509_STORE_CTX_verify_cb
-X509_STORE_get_verify_cb(X509_STORE *ctx);
-OPENSSL_EXPORT void X509_STORE_set_get_issuer(
- X509_STORE *ctx, X509_STORE_CTX_get_issuer_fn get_issuer);
-OPENSSL_EXPORT X509_STORE_CTX_get_issuer_fn
-X509_STORE_get_get_issuer(X509_STORE *ctx);
-OPENSSL_EXPORT void X509_STORE_set_check_issued(
- X509_STORE *ctx, X509_STORE_CTX_check_issued_fn check_issued);
-OPENSSL_EXPORT X509_STORE_CTX_check_issued_fn
-X509_STORE_get_check_issued(X509_STORE *ctx);
-OPENSSL_EXPORT void X509_STORE_set_check_revocation(
- X509_STORE *ctx, X509_STORE_CTX_check_revocation_fn check_revocation);
-OPENSSL_EXPORT X509_STORE_CTX_check_revocation_fn
-X509_STORE_get_check_revocation(X509_STORE *ctx);
-OPENSSL_EXPORT void X509_STORE_set_get_crl(X509_STORE *ctx,
- X509_STORE_CTX_get_crl_fn get_crl);
-OPENSSL_EXPORT X509_STORE_CTX_get_crl_fn
-X509_STORE_get_get_crl(X509_STORE *ctx);
-OPENSSL_EXPORT void X509_STORE_set_check_crl(
- X509_STORE *ctx, X509_STORE_CTX_check_crl_fn check_crl);
-OPENSSL_EXPORT X509_STORE_CTX_check_crl_fn
-X509_STORE_get_check_crl(X509_STORE *ctx);
-OPENSSL_EXPORT void X509_STORE_set_cert_crl(
- X509_STORE *ctx, X509_STORE_CTX_cert_crl_fn cert_crl);
-OPENSSL_EXPORT X509_STORE_CTX_cert_crl_fn
-X509_STORE_get_cert_crl(X509_STORE *ctx);
-OPENSSL_EXPORT void X509_STORE_set_lookup_certs(
- X509_STORE *ctx, X509_STORE_CTX_lookup_certs_fn lookup_certs);
-OPENSSL_EXPORT X509_STORE_CTX_lookup_certs_fn
-X509_STORE_get_lookup_certs(X509_STORE *ctx);
-OPENSSL_EXPORT void X509_STORE_set_lookup_crls(
- X509_STORE *ctx, X509_STORE_CTX_lookup_crls_fn lookup_crls);
-#define X509_STORE_set_lookup_crls_cb(ctx, func) \
- X509_STORE_set_lookup_crls((ctx), (func))
-OPENSSL_EXPORT X509_STORE_CTX_lookup_crls_fn
-X509_STORE_get_lookup_crls(X509_STORE *ctx);
-OPENSSL_EXPORT void X509_STORE_set_cleanup(X509_STORE *ctx,
- X509_STORE_CTX_cleanup_fn cleanup);
-OPENSSL_EXPORT X509_STORE_CTX_cleanup_fn
-X509_STORE_get_cleanup(X509_STORE *ctx);
-
-OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void);
-
-OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **issuer,
- X509_STORE_CTX *ctx, X509 *x);
-
-OPENSSL_EXPORT void X509_STORE_CTX_zero(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
- X509 *x509, STACK_OF(X509) *chain);
+// X509_OBJECT_new returns a newly-allocated, empty |X509_OBJECT| or NULL on
+// error.
+OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_new(void);
-// X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates
-// in |sk|. |sk| must remain valid for the duration of |ctx|.
-//
-// WARNING: This function differs from most |set0| functions in that it does not
-// take ownership of its input. The caller is required to ensure the lifetimes
-// are consistent.
-OPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
- STACK_OF(X509) *sk);
+// X509_OBJECT_free releases memory associated with |obj|.
+OPENSSL_EXPORT void X509_OBJECT_free(X509_OBJECT *obj);
-// X509_STORE_CTX_trusted_stack is a deprecated alias for
-// |X509_STORE_CTX_set0_trusted_stack|.
-OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx,
- STACK_OF(X509) *sk);
+// X509_OBJECT_get_type returns the type of |obj|, which will be one of the
+// |X509_LU_*| constants.
+OPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *obj);
-OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
+// X509_OBJECT_get0_X509 returns |obj| as a certificate, or NULL if |obj| is not
+// a certificate.
+OPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *obj);
-OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st);
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *st,
+ X509_NAME *nm);
+OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *st,
+ X509_NAME *nm);
OPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v,
- X509_LOOKUP_METHOD *m);
+ const X509_LOOKUP_METHOD *m);
-OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
-OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
+OPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
+OPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
-OPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
-OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
-
-OPENSSL_EXPORT int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type,
- X509_NAME *name, X509_OBJECT *ret);
+OPENSSL_EXPORT int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, int type,
+ X509_NAME *name,
+ X509_OBJECT *ret);
OPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret);
-#ifndef OPENSSL_NO_STDIO
OPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
OPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
OPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
-#endif
-
-OPENSSL_EXPORT X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
-OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx);
-OPENSSL_EXPORT int X509_LOOKUP_init(X509_LOOKUP *ctx);
-OPENSSL_EXPORT int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type,
- X509_NAME *name, X509_OBJECT *ret);
-OPENSSL_EXPORT int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
-#ifndef OPENSSL_NO_STDIO
OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *ctx, const char *file, const char *dir);
OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *ctx);
-#endif
-OPENSSL_EXPORT int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
-OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(
- X509_STORE_CTX *ctx);
-OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
-OPENSSL_EXPORT void X509_STORE_CTX_set_cert(X509_STORE_CTX *c, X509 *x);
-OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,
- STACK_OF(X509) *sk);
-OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(
- X509_STORE_CTX *ctx);
-OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,
- STACK_OF(X509_CRL) *sk);
-OPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
-OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
-OPENSSL_EXPORT int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx,
- int def_purpose, int purpose,
- int trust);
-OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx,
- unsigned long flags);
-OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,
- unsigned long flags, time_t t);
-OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx,
- unsigned long flags,
- int64_t t);
-// X509_STORE_CTX_set_verify_cb configures a callback function for |ctx| that is
-// called multiple times during |X509_verify_cert|. The callback returns zero to
-// fail verification and non-zero to proceed. Typically, it will return |ok|,
-// which preserves the default behavior. Returning one when |ok| is zero will
-// proceed past some error. The callback may inspect |ctx| and the error queue
-// to attempt to determine the current stage of certificate verification, but
-// this is often unreliable.
+typedef void *(*X509V3_EXT_NEW)(void);
+typedef void (*X509V3_EXT_FREE)(void *);
+typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
+typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
+typedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V)(const X509V3_EXT_METHOD *method,
+ void *ext,
+ STACK_OF(CONF_VALUE) *extlist);
+typedef void *(*X509V3_EXT_V2I)(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *values);
+typedef char *(*X509V3_EXT_I2S)(const X509V3_EXT_METHOD *method, void *ext);
+typedef void *(*X509V3_EXT_S2I)(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx, const char *str);
+typedef int (*X509V3_EXT_I2R)(const X509V3_EXT_METHOD *method, void *ext,
+ BIO *out, int indent);
+typedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx, const char *str);
+
+// V3 extension structure
+
+struct v3_ext_method {
+ int ext_nid;
+ int ext_flags;
+
+ // it determines how values of this extension are allocated, released, parsed,
+ // and marshalled. This must be non-NULL.
+ ASN1_ITEM_EXP *it;
+
+ // The following functions are ignored in favor of |it|. They are retained in
+ // the struct only for source compatibility with existing struct definitions.
+ X509V3_EXT_NEW ext_new;
+ X509V3_EXT_FREE ext_free;
+ X509V3_EXT_D2I d2i;
+ X509V3_EXT_I2D i2d;
+
+ // The following pair is used for string extensions
+ X509V3_EXT_I2S i2s;
+ X509V3_EXT_S2I s2i;
+
+ // The following pair is used for multi-valued extensions
+ X509V3_EXT_I2V i2v;
+ X509V3_EXT_V2I v2i;
+
+ // The following are used for raw extensions
+ X509V3_EXT_I2R i2r;
+ X509V3_EXT_R2I r2i;
+
+ void *usr_data; // Any extension specific data
+};
+
+DEFINE_STACK_OF(X509V3_EXT_METHOD)
+
+// ext_flags values
+#define X509V3_EXT_CTX_DEP 0x2
+#define X509V3_EXT_MULTILINE 0x4
+
+struct BASIC_CONSTRAINTS_st {
+ int ca;
+ ASN1_INTEGER *pathlen;
+};
+
+typedef struct ACCESS_DESCRIPTION_st {
+ ASN1_OBJECT *method;
+ GENERAL_NAME *location;
+} ACCESS_DESCRIPTION;
+
+DEFINE_STACK_OF(ACCESS_DESCRIPTION)
+
+typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
+
+typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
+
+typedef struct DIST_POINT_NAME_st {
+ int type;
+ union {
+ GENERAL_NAMES *fullname;
+ STACK_OF(X509_NAME_ENTRY) *relativename;
+ } name;
+ // If relativename then this contains the full distribution point name
+ X509_NAME *dpname;
+} DIST_POINT_NAME;
+// All existing reasons
+#define CRLDP_ALL_REASONS 0x807f
+
+struct DIST_POINT_st {
+ DIST_POINT_NAME *distpoint;
+ ASN1_BIT_STRING *reasons;
+ GENERAL_NAMES *CRLissuer;
+};
+
+typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
+
+DEFINE_STACK_OF(DIST_POINT)
+
+struct AUTHORITY_KEYID_st {
+ ASN1_OCTET_STRING *keyid;
+ GENERAL_NAMES *issuer;
+ ASN1_INTEGER *serial;
+};
+
+typedef struct NOTICEREF_st {
+ ASN1_STRING *organization;
+ STACK_OF(ASN1_INTEGER) *noticenos;
+} NOTICEREF;
+
+typedef struct USERNOTICE_st {
+ NOTICEREF *noticeref;
+ ASN1_STRING *exptext;
+} USERNOTICE;
+
+typedef struct POLICYQUALINFO_st {
+ ASN1_OBJECT *pqualid;
+ union {
+ ASN1_IA5STRING *cpsuri;
+ USERNOTICE *usernotice;
+ ASN1_TYPE *other;
+ } d;
+} POLICYQUALINFO;
+
+DEFINE_STACK_OF(POLICYQUALINFO)
+
+typedef struct POLICYINFO_st {
+ ASN1_OBJECT *policyid;
+ STACK_OF(POLICYQUALINFO) *qualifiers;
+} POLICYINFO;
+
+typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
+
+DEFINE_STACK_OF(POLICYINFO)
+
+typedef struct POLICY_MAPPING_st {
+ ASN1_OBJECT *issuerDomainPolicy;
+ ASN1_OBJECT *subjectDomainPolicy;
+} POLICY_MAPPING;
+
+DEFINE_STACK_OF(POLICY_MAPPING)
+
+typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
+
+typedef struct GENERAL_SUBTREE_st {
+ GENERAL_NAME *base;
+ ASN1_INTEGER *minimum;
+ ASN1_INTEGER *maximum;
+} GENERAL_SUBTREE;
+
+DEFINE_STACK_OF(GENERAL_SUBTREE)
+
+struct NAME_CONSTRAINTS_st {
+ STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
+ STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
+};
+
+typedef struct POLICY_CONSTRAINTS_st {
+ ASN1_INTEGER *requireExplicitPolicy;
+ ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
+struct ISSUING_DIST_POINT_st {
+ DIST_POINT_NAME *distpoint;
+ ASN1_BOOLEAN onlyuser;
+ ASN1_BOOLEAN onlyCA;
+ ASN1_BIT_STRING *onlysomereasons;
+ ASN1_BOOLEAN indirectCRL;
+ ASN1_BOOLEAN onlyattr;
+};
+
+// X509_PURPOSE stuff
+
+#define NS_SSL_CLIENT 0x80
+#define NS_SSL_SERVER 0x40
+#define NS_SMIME 0x20
+#define NS_OBJSIGN 0x10
+#define NS_SSL_CA 0x04
+#define NS_SMIME_CA 0x02
+#define NS_OBJSIGN_CA 0x01
+#define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA)
+
+typedef struct x509_purpose_st {
+ int purpose;
+ int trust; // Default trust ID
+ int flags;
+ int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int);
+ char *name;
+ char *sname;
+ void *usr_data;
+} X509_PURPOSE;
+
+DEFINE_STACK_OF(X509_PURPOSE)
+
+DECLARE_ASN1_FUNCTIONS_const(BASIC_CONSTRAINTS)
+
+// TODO(https://crbug.com/boringssl/407): This is not const because it contains
+// an |X509_NAME|.
+DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
+
+DECLARE_ASN1_FUNCTIONS_const(EXTENDED_KEY_USAGE)
+
+DECLARE_ASN1_FUNCTIONS_const(CERTIFICATEPOLICIES)
+DECLARE_ASN1_FUNCTIONS_const(POLICYINFO)
+DECLARE_ASN1_FUNCTIONS_const(POLICYQUALINFO)
+DECLARE_ASN1_FUNCTIONS_const(USERNOTICE)
+DECLARE_ASN1_FUNCTIONS_const(NOTICEREF)
+
+// TODO(https://crbug.com/boringssl/407): This is not const because it contains
+// an |X509_NAME|.
+DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
+// TODO(https://crbug.com/boringssl/407): This is not const because it contains
+// an |X509_NAME|.
+DECLARE_ASN1_FUNCTIONS(DIST_POINT)
+// TODO(https://crbug.com/boringssl/407): This is not const because it contains
+// an |X509_NAME|.
+DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
+// TODO(https://crbug.com/boringssl/407): This is not const because it contains
+// an |X509_NAME|.
+DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
+
+OPENSSL_EXPORT int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn,
+ X509_NAME *iname);
+
+// TODO(https://crbug.com/boringssl/407): This is not const because it contains
+// an |X509_NAME|.
+DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
+// TODO(https://crbug.com/boringssl/407): This is not const because it contains
+// an |X509_NAME|.
+DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
+
+DECLARE_ASN1_ITEM(POLICY_MAPPING)
+DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
+DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
+
+DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
+DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
+
+DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
+DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
+
+DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
+DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
+
+// X509V3_EXT_add registers |ext| as a custom extension for the extension type
+// |ext->ext_nid|. |ext| must be valid for the remainder of the address space's
+// lifetime. It returns one on success and zero on error.
//
-// WARNING: Do not use this function. It is extremely fragile and unpredictable.
-// This callback exposes implementation details of certificate verification,
-// which change as the library evolves. Attempting to use it for security checks
-// can introduce vulnerabilities if making incorrect assumptions about when the
-// callback is called. Additionally, overriding |ok| may leave |ctx| in an
-// inconsistent state and break invariants.
+// WARNING: This function modifies global state. If other code in the same
+// address space also registers an extension with type |ext->ext_nid|, the two
+// registrations will conflict. Which registration takes effect is undefined. If
+// the two registrations use incompatible in-memory representations, code
+// expecting the other registration will then cast a type to the wrong type,
+// resulting in a potentially exploitable memory error. This conflict can also
+// occur if BoringSSL later adds support for |ext->ext_nid|, with a different
+// in-memory representation than the one expected by |ext|.
//
-// Instead, customize certificate verification by configuring options on the
-// |X509_STORE_CTX| before verification, or applying additional checks after
-// |X509_verify_cert| completes successfully.
-OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
- X509_STORE_CTX *ctx, int (*verify_cb)(int ok, X509_STORE_CTX *ctx));
-
-OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
- X509_STORE_CTX *ctx);
-OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
- X509_VERIFY_PARAM *param);
-OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx,
- const char *name);
-
-// X509_VERIFY_PARAM functions
-
-OPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
-OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
- const X509_VERIFY_PARAM *from);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
- const X509_VERIFY_PARAM *from);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param,
- const char *name);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,
- unsigned long flags);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
- unsigned long flags);
-OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags(
- X509_VERIFY_PARAM *param);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param,
- int purpose);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param,
- int trust);
-OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param,
- int depth);
-OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param,
- time_t t);
-OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param,
- int64_t t);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
- ASN1_OBJECT *policy);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies(
- X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies);
+// This function, additionally, is not thread-safe and cannot be called
+// concurrently with any other BoringSSL function.
+//
+// As a result, it is impossible to safely use this function. Registering a
+// custom extension has no impact on certificate verification so, instead,
+// callers should simply handle the custom extension with the byte-based
+// |X509_EXTENSION| APIs directly. Registering |ext| with the library has little
+// practical value.
+OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
+
+// X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The
+// corresponding ASN.1 type is copied from |nid_from|. It returns one on success
+// and zero on error.
+//
+// WARNING: Do not use this function. See |X509V3_EXT_add|.
+OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to,
+ int nid_from);
+
+OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get(
+ const X509_EXTENSION *ext);
+OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
+
+// X509V3_EXT_d2i decodes |ext| and returns a pointer to a newly-allocated
+// structure, with type dependent on the type of the extension. It returns NULL
+// if |ext| is an unsupported extension or if there was a syntax error in the
+// extension. The caller should cast the return value to the expected type and
+// free the structure when done.
+//
+// WARNING: Casting the return value to the wrong type is a potentially
+// exploitable memory error, so callers must not use this function before
+// checking |ext| is of a known type.
+OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext);
+
+// X509V3_get_d2i finds and decodes the extension in |extensions| of type |nid|.
+// If found, it decodes it and returns a newly-allocated structure, with type
+// dependent on |nid|. If the extension is not found or on error, it returns
+// NULL. The caller may distinguish these cases using the |out_critical| value.
+//
+// If |out_critical| is not NULL, this function sets |*out_critical| to one if
+// the extension is found and critical, zero if it is found and not critical, -1
+// if it is not found, and -2 if there is an invalid duplicate extension. Note
+// this function may set |*out_critical| to one or zero and still return NULL if
+// the extension is found but has a syntax error.
+//
+// If |out_idx| is not NULL, this function looks for the first occurrence of the
+// extension after |*out_idx|. It then sets |*out_idx| to the index of the
+// extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions
+// are not treated as an error. Callers, however, should not rely on this
+// behavior as it may be removed in the future. Duplicate extensions are
+// forbidden in RFC 5280.
+//
+// WARNING: This function is difficult to use correctly. Callers should pass a
+// non-NULL |out_critical| and check both the return value and |*out_critical|
+// to handle errors. If the return value is NULL and |*out_critical| is not -1,
+// there was an error. Otherwise, the function succeeded and but may return NULL
+// for a missing extension. Callers should pass NULL to |out_idx| so that
+// duplicate extensions are handled correctly.
+//
+// Additionally, casting the return value to the wrong type is a potentially
+// exploitable memory error, so callers must ensure the cast and |nid| match.
+OPENSSL_EXPORT void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions,
+ int nid, int *out_critical, int *out_idx);
+
+// X509V3_EXT_free casts |ext_data| into the type that corresponds to |nid| and
+// releases memory associated with it. It returns one on success and zero if
+// |nid| is not a known extension.
+//
+// WARNING: Casting |ext_data| to the wrong type is a potentially exploitable
+// memory error, so callers must ensure |ext_data|'s type matches |nid|.
+//
+// TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it?
+OPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
- const char *name,
- size_t namelen);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
- const char *name,
- size_t namelen);
-OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
- unsigned int flags);
-OPENSSL_EXPORT char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
- const char *email,
- size_t emaillen);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
- const unsigned char *ip,
- size_t iplen);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param,
- const char *ipasc);
+// X509V3_EXT_i2d casts |ext_struc| into the type that corresponds to
+// |ext_nid|, serializes it, and returns a newly-allocated |X509_EXTENSION|
+// object containing the serialization, or NULL on error. The |X509_EXTENSION|
+// has OID |ext_nid| and is critical if |crit| is one.
+//
+// WARNING: Casting |ext_struc| to the wrong type is a potentially exploitable
+// memory error, so callers must ensure |ext_struct|'s type matches |ext_nid|.
+OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit,
+ void *ext_struc);
+
+// The following constants control the behavior of |X509V3_add1_i2d| and related
+// functions.
+
+// X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate
+// extensions are processed.
+#define X509V3_ADD_OP_MASK 0xfL
+
+// X509V3_ADD_DEFAULT causes the function to fail if the extension was already
+// present.
+#define X509V3_ADD_DEFAULT 0L
+
+// X509V3_ADD_APPEND causes the function to unconditionally appended the new
+// extension to to the extensions list, even if there is a duplicate.
+#define X509V3_ADD_APPEND 1L
+
+// X509V3_ADD_REPLACE causes the function to replace the existing extension, or
+// append if it is not present.
+#define X509V3_ADD_REPLACE 2L
+
+// X509V3_ADD_REPLACE causes the function to replace the existing extension and
+// fail if it is not present.
+#define X509V3_ADD_REPLACE_EXISTING 3L
+
+// X509V3_ADD_KEEP_EXISTING causes the function to succeed without replacing the
+// extension if already present.
+#define X509V3_ADD_KEEP_EXISTING 4L
+
+// X509V3_ADD_DELETE causes the function to remove the matching extension. No
+// new extension is added. If there is no matching extension, the function
+// fails. The |value| parameter is ignored in this mode.
+#define X509V3_ADD_DELETE 5L
+
+// X509V3_ADD_SILENT may be ORed into one of the values above to indicate the
+// function should not add to the error queue on duplicate or missing extension.
+// The function will continue to return zero in those cases, and it will
+// continue to return -1 and add to the error queue on other errors.
+#define X509V3_ADD_SILENT 0x10
+
+// X509V3_add1_i2d casts |value| to the type that corresponds to |nid|,
+// serializes it, and appends it to the extension list in |*x|. If |*x| is NULL,
+// it will set |*x| to a newly-allocated |STACK_OF(X509_EXTENSION)| as needed.
+// The |crit| parameter determines whether the new extension is critical.
+// |flags| may be some combination of the |X509V3_ADD_*| constants to control
+// the function's behavior on duplicate extension.
+//
+// This function returns one on success, zero if the operation failed due to a
+// missing or duplicate extension, and -1 on other errors.
+//
+// WARNING: Casting |value| to the wrong type is a potentially exploitable
+// memory error, so callers must ensure |value|'s type matches |nid|.
+OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid,
+ void *value, int crit, unsigned long flags);
-OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
-OPENSSL_EXPORT const char *X509_VERIFY_PARAM_get0_name(
- const X509_VERIFY_PARAM *param);
+OPENSSL_EXPORT int X509_PURPOSE_set(int *p, int purpose);
-OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(
- const char *name);
+OPENSSL_EXPORT int X509_PURPOSE_get_count(void);
+OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int idx);
+OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname);
+OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id);
+OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
+OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
+OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
+OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *);
#if defined(__cplusplus)
@@ -3010,7 +4861,18 @@ extern "C++" {
BSSL_NAMESPACE_BEGIN
+BORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free)
+BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free)
+BORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free)
+// TODO(davidben): Move this to conf.h and rename to CONF_VALUE_free.
+BORINGSSL_MAKE_DELETER(CONF_VALUE, X509V3_conf_free)
+BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free)
+BORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free)
+BORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free)
+BORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free)
BORINGSSL_MAKE_DELETER(NETSCAPE_SPKI, NETSCAPE_SPKI_free)
+BORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free)
+BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free)
BORINGSSL_MAKE_DELETER(RSA_PSS_PARAMS, RSA_PSS_PARAMS_free)
BORINGSSL_MAKE_DELETER(X509, X509_free)
BORINGSSL_MAKE_UP_REF(X509, X509_up_ref)
@@ -3023,7 +4885,6 @@ BORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free)
BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free)
BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free)
BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free)
-BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free)
BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free)
BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free)
BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free)
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3.h
index 13bf5746..c616ec01 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3.h
@@ -1,219 +1,36 @@
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999. */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
+/* Copyright (c) 2023, Google Inc.
  *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com). */
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
 #ifndef OPENSSL_HEADER_X509V3_H
 #define OPENSSL_HEADER_X509V3_H
-#include "CJWTKitBoringSSL_bio.h"
-#include "CJWTKitBoringSSL_conf.h"
-#include "CJWTKitBoringSSL_lhash.h"
+// This header primarily exists in order to make compiling against code that
+// expects OpenSSL easier. We have merged this header into .
+// However, due to conflicts, some deprecated symbols are defined here.
 #include "CJWTKitBoringSSL_x509.h"
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-
-// Legacy X.509 library.
-//
-// This header is part of OpenSSL's X.509 implementation. It is retained for
-// compatibility but otherwise underdocumented and not actively maintained. In
-// the future, a replacement library will be available. Meanwhile, minimize
-// dependencies on this header where possible.
-
-
-// Forward reference
-struct v3_ext_method;
-struct v3_ext_ctx;
-
-// Useful typedefs
-
-typedef struct v3_ext_method X509V3_EXT_METHOD;
-
-typedef void *(*X509V3_EXT_NEW)(void);
-typedef void (*X509V3_EXT_FREE)(void *);
-typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
-typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
-typedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V)(const X509V3_EXT_METHOD *method,
- void *ext,
- STACK_OF(CONF_VALUE) *extlist);
-typedef void *(*X509V3_EXT_V2I)(const X509V3_EXT_METHOD *method,
- const X509V3_CTX *ctx,
- const STACK_OF(CONF_VALUE) *values);
-typedef char *(*X509V3_EXT_I2S)(const X509V3_EXT_METHOD *method, void *ext);
-typedef void *(*X509V3_EXT_S2I)(const X509V3_EXT_METHOD *method,
- const X509V3_CTX *ctx, const char *str);
-typedef int (*X509V3_EXT_I2R)(const X509V3_EXT_METHOD *method, void *ext,
- BIO *out, int indent);
-typedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method,
- const X509V3_CTX *ctx, const char *str);
-
-// V3 extension structure
-
-struct v3_ext_method {
- int ext_nid;
- int ext_flags;
-
- // it determines how values of this extension are allocated, released, parsed,
- // and marshalled. This must be non-NULL.
- ASN1_ITEM_EXP *it;
-
- // The following functions are ignored in favor of |it|. They are retained in
- // the struct only for source compatibility with existing struct definitions.
- X509V3_EXT_NEW ext_new;
- X509V3_EXT_FREE ext_free;
- X509V3_EXT_D2I d2i;
- X509V3_EXT_I2D i2d;
-
- // The following pair is used for string extensions
- X509V3_EXT_I2S i2s;
- X509V3_EXT_S2I s2i;
-
- // The following pair is used for multi-valued extensions
- X509V3_EXT_I2V i2v;
- X509V3_EXT_V2I v2i;
-
- // The following are used for raw extensions
- X509V3_EXT_I2R i2r;
- X509V3_EXT_R2I r2i;
-
- void *usr_data; // Any extension specific data
-};
-
-DEFINE_STACK_OF(X509V3_EXT_METHOD)
-
-// ext_flags values
-#define X509V3_EXT_CTX_DEP 0x2
-#define X509V3_EXT_MULTILINE 0x4
-
-struct BASIC_CONSTRAINTS_st {
- int ca;
- ASN1_INTEGER *pathlen;
-};
-
-
-typedef struct otherName_st {
- ASN1_OBJECT *type_id;
- ASN1_TYPE *value;
-} OTHERNAME;
-
-typedef struct EDIPartyName_st {
- ASN1_STRING *nameAssigner;
- ASN1_STRING *partyName;
-} EDIPARTYNAME;
-
-typedef struct GENERAL_NAME_st {
-#define GEN_OTHERNAME 0
-#define GEN_EMAIL 1
-#define GEN_DNS 2
-#define GEN_X400 3
-#define GEN_DIRNAME 4
-#define GEN_EDIPARTY 5
-#define GEN_URI 6
-#define GEN_IPADD 7
-#define GEN_RID 8
-
- int type;
- union {
- char *ptr;
- OTHERNAME *otherName; // otherName
- ASN1_IA5STRING *rfc822Name;
- ASN1_IA5STRING *dNSName;
- ASN1_STRING *x400Address;
- X509_NAME *directoryName;
- EDIPARTYNAME *ediPartyName;
- ASN1_IA5STRING *uniformResourceIdentifier;
- ASN1_OCTET_STRING *iPAddress;
- ASN1_OBJECT *registeredID;
-
- // Old names
- ASN1_OCTET_STRING *ip; // iPAddress
- X509_NAME *dirn; // dirn
- ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier
- ASN1_OBJECT *rid; // registeredID
- } d;
-} GENERAL_NAME;
-
-DEFINE_STACK_OF(GENERAL_NAME)
-
-typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
-
-DEFINE_STACK_OF(GENERAL_NAMES)
-
-typedef struct ACCESS_DESCRIPTION_st {
- ASN1_OBJECT *method;
- GENERAL_NAME *location;
-} ACCESS_DESCRIPTION;
-
-DEFINE_STACK_OF(ACCESS_DESCRIPTION)
-
-typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
-
-typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
-typedef struct DIST_POINT_NAME_st {
- int type;
- union {
- GENERAL_NAMES *fullname;
- STACK_OF(X509_NAME_ENTRY) *relativename;
- } name;
- // If relativename then this contains the full distribution point name
- X509_NAME *dpname;
-} DIST_POINT_NAME;
-// All existing reasons
-#define CRLDP_ALL_REASONS 0x807f
+// CRL reason constants.
+// TODO(davidben): These constants live here because strongswan defines
+// conflicting symbols and has been relying on them only being defined in
+// . Defining the constants in would break
+// strongswan, but we would also like for new code to only need
+// . Introduce properly namespaced versions of these constants
+// and, separately, see if we can fix strongswan to similarly avoid the
+// conflict. Between OpenSSL, strongswan, and wincrypt.h all defining these
+// constants, it seems best for everyone to just avoid them going forward.
 #define CRL_REASON_NONE (-1)
 #define CRL_REASON_UNSPECIFIED 0
 #define CRL_REASON_KEY_COMPROMISE 1
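Review bot: The new header comment at `+// expects OpenSSL easier. We have merged this header into .` names no target, and the three references in the strongswan TODO beneath it are likewise blank, so both sentences read as incomplete; the bracketed include names were most likely lost when the file was vendored or rendered. Because this vendored copy includes `"CJWTKitBoringSSL_x509.h"` on the very next line, the comment should name that header explicitly, e.g. `// We have merged this header into CJWTKitBoringSSL_x509.h (upstream <openssl/x509.h>).`, and the TODO should spell out which of the two headers each blank refers to. Note also that the old `bio.h`, `conf.h` and `lhash.h` includes are dropped here, so any package code that reached those declarations only through this header must now include them directly; a one-line comment saying so would save downstream readers a build break.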
@@ -226,824 +43,21 @@ typedef struct DIST_POINT_NAME_st { #define CRL_REASON_PRIVILEGE_WITHDRAWN 9 #define CRL_REASON_AA_COMPROMISE 10 -struct DIST_POINT_st { - DIST_POINT_NAME *distpoint; - ASN1_BIT_STRING *reasons; - GENERAL_NAMES *CRLissuer; - int dp_reasons; -}; - -typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; - -DEFINE_STACK_OF(DIST_POINT) - -struct AUTHORITY_KEYID_st { - ASN1_OCTET_STRING *keyid; - GENERAL_NAMES *issuer; - ASN1_INTEGER *serial; -}; - -typedef struct NOTICEREF_st { - ASN1_STRING *organization; - STACK_OF(ASN1_INTEGER) *noticenos; -} NOTICEREF; - -typedef struct USERNOTICE_st { - NOTICEREF *noticeref; - ASN1_STRING *exptext; -} USERNOTICE; - -typedef struct POLICYQUALINFO_st { - ASN1_OBJECT *pqualid; - union { - ASN1_IA5STRING *cpsuri; - USERNOTICE *usernotice; - ASN1_TYPE *other; - } d; -} POLICYQUALINFO; - -DEFINE_STACK_OF(POLICYQUALINFO) - -typedef struct POLICYINFO_st { - ASN1_OBJECT *policyid; - STACK_OF(POLICYQUALINFO) *qualifiers; -} POLICYINFO; - -typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; - -DEFINE_STACK_OF(POLICYINFO) - -typedef struct POLICY_MAPPING_st { - ASN1_OBJECT *issuerDomainPolicy; - ASN1_OBJECT *subjectDomainPolicy; -} POLICY_MAPPING; - -DEFINE_STACK_OF(POLICY_MAPPING) - -typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS; - -typedef struct GENERAL_SUBTREE_st { - GENERAL_NAME *base; - ASN1_INTEGER *minimum; - ASN1_INTEGER *maximum; -} GENERAL_SUBTREE; - -DEFINE_STACK_OF(GENERAL_SUBTREE) - -struct NAME_CONSTRAINTS_st { - STACK_OF(GENERAL_SUBTREE) *permittedSubtrees; - STACK_OF(GENERAL_SUBTREE) *excludedSubtrees; -}; - -typedef struct POLICY_CONSTRAINTS_st { - ASN1_INTEGER *requireExplicitPolicy; - ASN1_INTEGER *inhibitPolicyMapping; -} POLICY_CONSTRAINTS; - -struct ISSUING_DIST_POINT_st { - DIST_POINT_NAME *distpoint; - int onlyuser; - int onlyCA; - ASN1_BIT_STRING *onlysomereasons; - int indirectCRL; - int onlyattr; -}; - -// Values in idp_flags field -// IDP present -#define IDP_PRESENT 0x1 -// IDP values inconsistent 
-#define IDP_INVALID 0x2 -// onlyuser true -#define IDP_ONLYUSER 0x4 -// onlyCA true -#define IDP_ONLYCA 0x8 -// onlyattr true -#define IDP_ONLYATTR 0x10 -// indirectCRL true -#define IDP_INDIRECT 0x20 -// onlysomereasons present -#define IDP_REASONS 0x40 - - - -// X509_PURPOSE stuff - -#define EXFLAG_BCONS 0x1 -#define EXFLAG_KUSAGE 0x2 -#define EXFLAG_XKUSAGE 0x4 -#define EXFLAG_NSCERT 0x8 - -#define EXFLAG_CA 0x10 -// Really self issued not necessarily self signed -#define EXFLAG_SI 0x20 -#define EXFLAG_V1 0x40 -#define EXFLAG_INVALID 0x80 -#define EXFLAG_SET 0x100 -#define EXFLAG_CRITICAL 0x200 - -#define EXFLAG_FRESHEST 0x1000 -// Self signed -#define EXFLAG_SS 0x2000 - -#define KU_DIGITAL_SIGNATURE 0x0080 -#define KU_NON_REPUDIATION 0x0040 -#define KU_KEY_ENCIPHERMENT 0x0020 -#define KU_DATA_ENCIPHERMENT 0x0010 -#define KU_KEY_AGREEMENT 0x0008 -#define KU_KEY_CERT_SIGN 0x0004 -#define KU_CRL_SIGN 0x0002 -#define KU_ENCIPHER_ONLY 0x0001 -#define KU_DECIPHER_ONLY 0x8000 - -#define NS_SSL_CLIENT 0x80 -#define NS_SSL_SERVER 0x40 -#define NS_SMIME 0x20 -#define NS_OBJSIGN 0x10 -#define NS_SSL_CA 0x04 -#define NS_SMIME_CA 0x02 -#define NS_OBJSIGN_CA 0x01 -#define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA) - -#define XKU_SSL_SERVER 0x1 -#define XKU_SSL_CLIENT 0x2 -#define XKU_SMIME 0x4 -#define XKU_CODE_SIGN 0x8 -#define XKU_SGC 0x10 -#define XKU_OCSP_SIGN 0x20 -#define XKU_TIMESTAMP 0x40 -#define XKU_DVCS 0x80 -#define XKU_ANYEKU 0x100 - -#define X509_PURPOSE_DYNAMIC 0x1 -#define X509_PURPOSE_DYNAMIC_NAME 0x2 - -typedef struct x509_purpose_st { - int purpose; - int trust; // Default trust ID - int flags; - int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int); - char *name; - char *sname; - void *usr_data; -} X509_PURPOSE; - -#define X509_PURPOSE_SSL_CLIENT 1 -#define X509_PURPOSE_SSL_SERVER 2 -#define X509_PURPOSE_NS_SSL_SERVER 3 -#define X509_PURPOSE_SMIME_SIGN 4 -#define X509_PURPOSE_SMIME_ENCRYPT 5 -#define X509_PURPOSE_CRL_SIGN 6 
-#define X509_PURPOSE_ANY 7 -#define X509_PURPOSE_OCSP_HELPER 8 -#define X509_PURPOSE_TIMESTAMP_SIGN 9 - -#define X509_PURPOSE_MIN 1 -#define X509_PURPOSE_MAX 9 - -DEFINE_STACK_OF(X509_PURPOSE) - -DECLARE_ASN1_FUNCTIONS_const(BASIC_CONSTRAINTS) - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID) - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(GENERAL_NAME) -OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a); - -// i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it -// appends the value to |ret| and returns |ret| on success or NULL on error. If -// it returns NULL, the caller is still responsible for freeing |ret|. If |ret| -// is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the -// result. |method| is ignored. -// -// Do not use this function. This is an internal implementation detail of the -// human-readable print functions. If extracting a SAN list from a certificate, -// look at |gen| directly. -OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME( - const X509V3_EXT_METHOD *method, const GENERAL_NAME *gen, - STACK_OF(CONF_VALUE) *ret); - -// GENERAL_NAME_print prints a human-readable representation of |gen| to |out|. -// It returns one on success and zero on error. -// -// TODO(davidben): Actually, it just returns one and doesn't check for I/O or -// allocation errors. But it should return zero on error. -OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen); - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES) - -// i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is -// non-NULL, it appends the values to |ret| and returns |ret| on success or NULL -// on error. 
If it returns NULL, the caller is still responsible for freeing -// |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| -// containing the results. |method| is ignored. -// -// Do not use this function. This is an internal implementation detail of the -// human-readable print functions. If extracting a SAN list from a certificate, -// look at |gen| directly. -OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES( - const X509V3_EXT_METHOD *method, const GENERAL_NAMES *gen, - STACK_OF(CONF_VALUE) *extlist); -OPENSSL_EXPORT GENERAL_NAMES *v2i_GENERAL_NAMES( - const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, - const STACK_OF(CONF_VALUE) *nval); - -DECLARE_ASN1_FUNCTIONS_const(OTHERNAME) -DECLARE_ASN1_FUNCTIONS_const(EDIPARTYNAME) -OPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, - void *value); -OPENSSL_EXPORT void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype); -OPENSSL_EXPORT int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, - ASN1_OBJECT *oid, - ASN1_TYPE *value); -OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, - ASN1_OBJECT **poid, - ASN1_TYPE **pvalue); - -// i2s_ASN1_OCTET_STRING returns a human-readable representation of |oct| as a -// newly-allocated, NUL-terminated string, or NULL on error. |method| is -// ignored. The caller must release the result with |OPENSSL_free| when done. 
-OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method, - const ASN1_OCTET_STRING *oct); - -OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING( - const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str); - -DECLARE_ASN1_FUNCTIONS_const(EXTENDED_KEY_USAGE) -OPENSSL_EXPORT int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a); - -DECLARE_ASN1_FUNCTIONS_const(CERTIFICATEPOLICIES) -DECLARE_ASN1_FUNCTIONS_const(POLICYINFO) -DECLARE_ASN1_FUNCTIONS_const(POLICYQUALINFO) -DECLARE_ASN1_FUNCTIONS_const(USERNOTICE) -DECLARE_ASN1_FUNCTIONS_const(NOTICEREF) - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS) -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(DIST_POINT) -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME) -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT) - -OPENSSL_EXPORT int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, - X509_NAME *iname); - -OPENSSL_EXPORT int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc); - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. 
-DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS) - -DECLARE_ASN1_ITEM(POLICY_MAPPING) -DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING) -DECLARE_ASN1_ITEM(POLICY_MAPPINGS) - -DECLARE_ASN1_ITEM(GENERAL_SUBTREE) -DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) - -DECLARE_ASN1_ITEM(NAME_CONSTRAINTS) -DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) - -DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) -DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS) - -OPENSSL_EXPORT GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, - const X509V3_CTX *ctx, int gen_type, - const char *value, int is_nc); - -OPENSSL_EXPORT GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, - const X509V3_CTX *ctx, - const CONF_VALUE *cnf); -OPENSSL_EXPORT GENERAL_NAME *v2i_GENERAL_NAME_ex( - GENERAL_NAME *out, const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, - const CONF_VALUE *cnf, int is_nc); -OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val); - - -// Deprecated config-based extension creation. -// -// The following functions allow specifying X.509 extensions using OpenSSL's -// config file syntax, from the OpenSSL command-line tool. They are retained, -// for now, for compatibility with legacy software but may be removed in the -// future. Construct the extensions using the typed C APIs instead. -// -// Callers should especially avoid these functions if passing in non-constant -// values. They use ad-hoc, string-based formats which are prone to injection -// vulnerabilities. For a CA, this means using them risks misissuance. -// -// These functions are not safe to use with untrusted inputs. The string formats -// may implicitly reference context information and, in OpenSSL (though not -// BoringSSL), one even allows reading arbitrary files. Many formats can also -// produce far larger outputs than their inputs, so untrusted inputs may lead to -// denial-of-service attacks. 
Finally, the parsers see much less testing and -// review than most of the library and may have bugs including memory leaks or -// crashes. - -// v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for -// constructing extensions. Some string formats reference additional values in -// these objects. It must be initialized with |X509V3_set_ctx| or -// |X509V3_set_ctx_test| before use. -struct v3_ext_ctx { - int flags; - const X509 *issuer_cert; - const X509 *subject_cert; - const X509_REQ *subject_req; - const X509_CRL *crl; - const CONF *db; -}; - -#define X509V3_CTX_TEST 0x1 - -// X509V3_set_ctx initializes |ctx| with the specified objects. Some string -// formats will reference fields in these objects. Each object may be NULL to -// omit it, in which case those formats cannot be used. |flags| should be zero, -// unless called via |X509V3_set_ctx_test|. -// -// |issuer|, |subject|, |req|, and |crl|, if non-NULL, must outlive |ctx|. -OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, - const X509 *subject, const X509_REQ *req, - const X509_CRL *crl, int flags); - -// X509V3_set_ctx_test calls |X509V3_set_ctx| without any reference objects and -// mocks out some features that use them. The resulting extensions may be -// incomplete and should be discarded. This can be used to partially validate -// syntax. -// -// TODO(davidben): Can we remove this? -#define X509V3_set_ctx_test(ctx) \ - X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST) - -// X509V3_set_nconf sets |ctx| to use |conf| as the config database. |ctx| must -// have previously been initialized by |X509V3_set_ctx| or -// |X509V3_set_ctx_test|. Some string formats will reference sections in |conf|. -// |conf| may be NULL, in which case these formats cannot be used. If non-NULL, -// |conf| must outlive |ctx|. -OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf); - -// X509V3_set_ctx_nodb calls |X509V3_set_nconf| with no config database. 
-#define X509V3_set_ctx_nodb(ctx) X509V3_set_nconf(ctx, NULL) - -// X509V3_EXT_nconf constructs an extension of type specified by |name|, and -// value specified by |value|. It returns a newly-allocated |X509_EXTENSION| -// object on success, or NULL on error. |conf| and |ctx| specify additional -// information referenced by some formats. Either |conf| or |ctx| may be NULL, -// in which case features which use it will be disabled. -// -// If non-NULL, |ctx| must be initialized with |X509V3_set_ctx| or -// |X509V3_set_ctx_test|. -// -// Both |conf| and |ctx| provide a |CONF| object. When |ctx| is non-NULL, most -// features use the |ctx| copy, configured with |X509V3_set_ctx|, but some use -// |conf|. Callers should ensure the two match to avoid surprisingly behavior. -OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, - const X509V3_CTX *ctx, - const char *name, - const char *value); - -// X509V3_EXT_nconf_nid behaves like |X509V3_EXT_nconf|, except the extension -// type is specified as a NID. -OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf, - const X509V3_CTX *ctx, - int ext_nid, - const char *value); - -// X509V3_EXT_conf_nid calls |X509V3_EXT_nconf_nid|. |conf| must be NULL. -// -// TODO(davidben): This is the only exposed instance of an LHASH in our public -// headers. cryptography.io wraps this function so we cannot, yet, replace the -// type with a dummy struct. -OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, - const X509V3_CTX *ctx, - int ext_nid, - const char *value); - -// X509V3_EXT_add_nconf_sk looks up the section named |section| in |conf|. For -// each |CONF_VALUE| in the section, it constructs an extension as in -// |X509V3_EXT_nconf|, taking |name| and |value| from the |CONF_VALUE|. Each new -// extension is appended to |*sk|. If |*sk| is non-NULL, and at least one -// extension is added, it sets |*sk| to a newly-allocated -// |STACK_OF(X509_EXTENSION)|. 
It returns one on success and zero on error. -OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(const CONF *conf, - const X509V3_CTX *ctx, - const char *section, - STACK_OF(X509_EXTENSION) **sk); - -// X509V3_EXT_add_nconf adds extensions to |cert| as in -// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. -OPENSSL_EXPORT int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx, - const char *section, X509 *cert); - -// X509V3_EXT_REQ_add_nconf adds extensions to |req| as in -// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. -OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(const CONF *conf, - const X509V3_CTX *ctx, - const char *section, X509_REQ *req); - -// X509V3_EXT_CRL_add_nconf adds extensions to |crl| as in -// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. -OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(const CONF *conf, - const X509V3_CTX *ctx, - const char *section, X509_CRL *crl); - - -OPENSSL_EXPORT char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *meth, - const ASN1_INTEGER *aint); -OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *meth, - const char *value); -OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *meth, - const ASN1_ENUMERATED *aint); - -// X509V3_EXT_add registers |ext| as a custom extension for the extension type -// |ext->ext_nid|. |ext| must be valid for the remainder of the address space's -// lifetime. It returns one on success and zero on error. -// -// WARNING: This function modifies global state. If other code in the same -// address space also registers an extension with type |ext->ext_nid|, the two -// registrations will conflict. Which registration takes effect is undefined. If -// the two registrations use incompatible in-memory representations, code -// expecting the other registration will then cast a type to the wrong type, -// resulting in a potentially exploitable memory error. 
This conflict can also -// occur if BoringSSL later adds support for |ext->ext_nid|, with a different -// in-memory representation than the one expected by |ext|. -// -// This function, additionally, is not thread-safe and cannot be called -// concurrently with any other BoringSSL function. -// -// As a result, it is impossible to safely use this function. Registering a -// custom extension has no impact on certificate verification so, instead, -// callers should simply handle the custom extension with the byte-based -// |X509_EXTENSION| APIs directly. Registering |ext| with the library has little -// practical value. -OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext); - -// X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The -// corresponding ASN.1 type is copied from |nid_from|. It returns one on success -// and zero on error. -// -// WARNING: Do not use this function. See |X509V3_EXT_add|. -OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to, - int nid_from); - -OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get( - const X509_EXTENSION *ext); -OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); -OPENSSL_EXPORT int X509V3_add_standard_extensions(void); - -// X509V3_EXT_d2i decodes |ext| and returns a pointer to a newly-allocated -// structure, with type dependent on the type of the extension. It returns NULL -// if |ext| is an unsupported extension or if there was a syntax error in the -// extension. The caller should cast the return value to the expected type and -// free the structure when done. -// -// WARNING: Casting the return value to the wrong type is a potentially -// exploitable memory error, so callers must not use this function before -// checking |ext| is of a known type. -OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext); - -// X509V3_get_d2i finds and decodes the extension in |extensions| of type |nid|. 
-// If found, it decodes it and returns a newly-allocated structure, with type -// dependent on |nid|. If the extension is not found or on error, it returns -// NULL. The caller may distinguish these cases using the |out_critical| value. -// -// If |out_critical| is not NULL, this function sets |*out_critical| to one if -// the extension is found and critical, zero if it is found and not critical, -1 -// if it is not found, and -2 if there is an invalid duplicate extension. Note -// this function may set |*out_critical| to one or zero and still return NULL if -// the extension is found but has a syntax error. -// -// If |out_idx| is not NULL, this function looks for the first occurrence of the -// extension after |*out_idx|. It then sets |*out_idx| to the index of the -// extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions -// are not treated as an error. Callers, however, should not rely on this -// behavior as it may be removed in the future. Duplicate extensions are -// forbidden in RFC 5280. -// -// WARNING: This function is difficult to use correctly. Callers should pass a -// non-NULL |out_critical| and check both the return value and |*out_critical| -// to handle errors. If the return value is NULL and |*out_critical| is not -1, -// there was an error. Otherwise, the function succeeded and but may return NULL -// for a missing extension. Callers should pass NULL to |out_idx| so that -// duplicate extensions are handled correctly. -// -// Additionally, casting the return value to the wrong type is a potentially -// exploitable memory error, so callers must ensure the cast and |nid| match. -OPENSSL_EXPORT void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions, - int nid, int *out_critical, int *out_idx); - -// X509V3_EXT_free casts |ext_data| into the type that corresponds to |nid| and -// releases memory associated with it. It returns one on success and zero if -// |nid| is not a known extension. 
-//
-// WARNING: Casting |ext_data| to the wrong type is a potentially exploitable
-// memory error, so callers must ensure |ext_data|'s type matches |nid|.
-//
-// TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it?
-OPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data);
-
-// X509V3_EXT_i2d casts |ext_struc| into the type that corresponds to
-// |ext_nid|, serializes it, and returns a newly-allocated |X509_EXTENSION|
-// object containing the serialization, or NULL on error. The |X509_EXTENSION|
-// has OID |ext_nid| and is critical if |crit| is one.
-//
-// WARNING: Casting |ext_struc| to the wrong type is a potentially exploitable
-// memory error, so callers must ensure |ext_struct|'s type matches |ext_nid|.
-OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit,
- void *ext_struc);
-
-// The following constants control the behavior of |X509V3_add1_i2d| and related
-// functions.
-
-// X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate
-// extensions are processed.
-#define X509V3_ADD_OP_MASK 0xfL
-
-// X509V3_ADD_DEFAULT causes the function to fail if the extension was already
-// present.
-#define X509V3_ADD_DEFAULT 0L
-
-// X509V3_ADD_APPEND causes the function to unconditionally appended the new
-// extension to to the extensions list, even if there is a duplicate.
-#define X509V3_ADD_APPEND 1L
-
-// X509V3_ADD_REPLACE causes the function to replace the existing extension, or
-// append if it is not present.
-#define X509V3_ADD_REPLACE 2L
-
-// X509V3_ADD_REPLACE causes the function to replace the existing extension and
-// fail if it is not present.
-#define X509V3_ADD_REPLACE_EXISTING 3L
-
-// X509V3_ADD_KEEP_EXISTING causes the function to succeed without replacing the
-// extension if already present.
-#define X509V3_ADD_KEEP_EXISTING 4L
-
-// X509V3_ADD_DELETE causes the function to remove the matching extension. No
-// new extension is added. If there is no matching extension, the function
-// fails. The |value| parameter is ignored in this mode.
-#define X509V3_ADD_DELETE 5L
-
-// X509V3_ADD_SILENT may be ORed into one of the values above to indicate the
-// function should not add to the error queue on duplicate or missing extension.
-// The function will continue to return zero in those cases, and it will
-// continue to return -1 and add to the error queue on other errors.
-#define X509V3_ADD_SILENT 0x10
-
-// X509V3_add1_i2d casts |value| to the type that corresponds to |nid|,
-// serializes it, and appends it to the extension list in |*x|. If |*x| is NULL,
-// it will set |*x| to a newly-allocated |STACK_OF(X509_EXTENSION)| as needed.
-// The |crit| parameter determines whether the new extension is critical.
-// |flags| may be some combination of the |X509V3_ADD_*| constants to control
-// the function's behavior on duplicate extension.
-//
-// This function returns one on success, zero if the operation failed due to a
-// missing or duplicate extension, and -1 on other errors.
-//
-// WARNING: Casting |value| to the wrong type is a potentially exploitable
-// memory error, so callers must ensure |value|'s type matches |nid|.
-OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid,
- void *value, int crit, unsigned long flags);
-
-#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
-
-// X509V3_EXT_DEFAULT causes unknown extensions or syntax errors to return
-// failure.
-#define X509V3_EXT_DEFAULT 0
-// X509V3_EXT_ERROR_UNKNOWN causes unknown extensions or syntax errors to print
-// as "" or "", respectively.
-#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
-// X509V3_EXT_PARSE_UNKNOWN is deprecated and behaves like
-// |X509V3_EXT_DUMP_UNKNOWN|.
-#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
-// X509V3_EXT_DUMP_UNKNOWN causes unknown extensions to be displayed as a
-// hexdump.
-#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
-
-OPENSSL_EXPORT void X509V3_EXT_val_prn(BIO *out,
- const STACK_OF(CONF_VALUE) *val,
- int indent, int ml);
-OPENSSL_EXPORT int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext,
- unsigned long flag, int indent);
-OPENSSL_EXPORT int X509V3_EXT_print_fp(FILE *out, const X509_EXTENSION *ext,
- int flag, int indent);
-
-// X509V3_extensions_print prints |title|, followed by a human-readable
-// representation of |exts| to |out|. It returns one on success and zero on
-// error. The output is indented by |indent| spaces. |flag| is one of the
-// |X509V3_EXT_*| constants and controls printing of unknown extensions and
-// syntax errors.
-OPENSSL_EXPORT int X509V3_extensions_print(BIO *out, const char *title,
- const STACK_OF(X509_EXTENSION) *exts,
- unsigned long flag, int indent);
-
-OPENSSL_EXPORT int X509_check_ca(X509 *x);
-OPENSSL_EXPORT int X509_check_purpose(X509 *x, int id, int ca);
-OPENSSL_EXPORT int X509_supported_extension(const X509_EXTENSION *ex);
-OPENSSL_EXPORT int X509_PURPOSE_set(int *p, int purpose);
-OPENSSL_EXPORT int X509_check_issued(X509 *issuer, X509 *subject);
-OPENSSL_EXPORT int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
-
-OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x);
-OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x);
-OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x);
-
-// X509_get0_subject_key_id returns |x509|'s subject key identifier, if present.
-// (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not
-// present or if some extension in |x509| was invalid.
-//
-// Note that decoding an |X509| object will not check for invalid extensions. To
-// detect the error case, call |X509_get_extensions_flags| and check the
-// |EXFLAG_INVALID| bit.
-OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509);
-
-// X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key
-// identifier, if the extension and field are present. (See RFC 5280,
-// section 4.2.1.1.) It returns NULL if the extension is not present, if it is
-// present but lacks a keyIdentifier field, or if some extension in |x509| was
-// invalid.
-//
-// Note that decoding an |X509| object will not check for invalid extensions. To
-// detect the error case, call |X509_get_extensions_flags| and check the
-// |EXFLAG_INVALID| bit.
-OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509);
-
-// X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s
-// authority key identifier, if the extension and field are present. (See
-// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,
-// if it is present but lacks a authorityCertIssuer field, or if some extension
-// in |x509| was invalid.
-//
-// Note that decoding an |X509| object will not check for invalid extensions. To
-// detect the error case, call |X509_get_extensions_flags| and check the
-// |EXFLAG_INVALID| bit.
-OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509);
-
-// X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s
-// authority key identifier, if the extension and field are present. (See
-// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,
-// if it is present but lacks a authorityCertSerialNumber field, or if some
-// extension in |x509| was invalid.
-//
-// Note that decoding an |X509| object will not check for invalid extensions. To
-// detect the error case, call |X509_get_extensions_flags| and check the
-// |EXFLAG_INVALID| bit.
-OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509);
-
-OPENSSL_EXPORT int X509_PURPOSE_get_count(void);
-OPENSSL_EXPORT X509_PURPOSE *X509_PURPOSE_get0(int idx);
-OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(char *sname);
-OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id);
-OPENSSL_EXPORT int X509_PURPOSE_add(int id, int trust, int flags,
- int (*ck)(const X509_PURPOSE *,
- const X509 *, int),
- char *name, char *sname, void *arg);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
-OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
-OPENSSL_EXPORT void X509_PURPOSE_cleanup(void);
-OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *);
-
-OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
-OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
-OPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
-OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
-// Flags for X509_check_* functions
-
-// Deprecated: this flag does nothing
-#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0
-// Disable wildcard matching for dnsName fields and common name.
-#define X509_CHECK_FLAG_NO_WILDCARDS 0x2
-// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in
-// OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is
-// always enabled.
-#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
-// Deprecated: this flag does nothing
-#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0
-// Deprecated: this flag does nothing
-#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
-// Skip the subject common name fallback if subjectAltNames is missing.
-#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
-
-OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen,
- unsigned int flags, char **peername);
-OPENSSL_EXPORT int X509_check_email(X509 *x, const char *chk, size_t chklen,
- unsigned int flags);
-OPENSSL_EXPORT int X509_check_ip(X509 *x, const unsigned char *chk,
- size_t chklen, unsigned int flags);
-OPENSSL_EXPORT int X509_check_ip_asc(X509 *x, const char *ipasc,
- unsigned int flags);
-
-OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
-OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
-
-// BEGIN ERROR CODES
-// The following lines are auto generated by the script mkerr.pl. Any changes
-// made after this point may be overwritten when the script is next run.
-
-
-#if defined(__cplusplus)
-} // extern C
-
-extern "C++" {
-
-BSSL_NAMESPACE_BEGIN
-
-BORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free)
-BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free)
-BORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free)
-// TODO(davidben): Move this to conf.h and rename to CONF_VALUE_free.
-BORINGSSL_MAKE_DELETER(CONF_VALUE, X509V3_conf_free)
-BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free)
-BORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free)
-BORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free)
-BORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free)
-BORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free)
-BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free)
-
-BSSL_NAMESPACE_END
-
-} // extern C++
-#endif
-#define X509V3_R_BAD_IP_ADDRESS 100
-#define X509V3_R_BAD_OBJECT 101
-#define X509V3_R_BN_DEC2BN_ERROR 102
-#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 103
-#define X509V3_R_CANNOT_FIND_FREE_FUNCTION 104
-#define X509V3_R_DIRNAME_ERROR 105
-#define X509V3_R_DISTPOINT_ALREADY_SET 106
-#define X509V3_R_DUPLICATE_ZONE_ID 107
-#define X509V3_R_ERROR_CONVERTING_ZONE 108
-#define X509V3_R_ERROR_CREATING_EXTENSION 109
-#define X509V3_R_ERROR_IN_EXTENSION 110
-#define X509V3_R_EXPECTED_A_SECTION_NAME 111
-#define X509V3_R_EXTENSION_EXISTS 112
-#define X509V3_R_EXTENSION_NAME_ERROR 113
-#define X509V3_R_EXTENSION_NOT_FOUND 114
-#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 115
-#define X509V3_R_EXTENSION_VALUE_ERROR 116
-#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 117
-#define X509V3_R_ILLEGAL_HEX_DIGIT 118
-#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 119
-#define X509V3_R_INVALID_BOOLEAN_STRING 120
-#define X509V3_R_INVALID_EXTENSION_STRING 121
-#define X509V3_R_INVALID_MULTIPLE_RDNS 122
-#define X509V3_R_INVALID_NAME 123
-#define X509V3_R_INVALID_NULL_ARGUMENT 124
-#define X509V3_R_INVALID_NULL_NAME 125
-#define X509V3_R_INVALID_NULL_VALUE 126
-#define X509V3_R_INVALID_NUMBER 127
-#define X509V3_R_INVALID_NUMBERS 128
-#define X509V3_R_INVALID_OBJECT_IDENTIFIER 129
-#define X509V3_R_INVALID_OPTION 130
-#define X509V3_R_INVALID_POLICY_IDENTIFIER 131
-#define X509V3_R_INVALID_PROXY_POLICY_SETTING 132
-#define X509V3_R_INVALID_PURPOSE 133
-#define X509V3_R_INVALID_SECTION 134
-#define X509V3_R_INVALID_SYNTAX 135
-#define X509V3_R_ISSUER_DECODE_ERROR 136
-#define X509V3_R_MISSING_VALUE 137
-#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 138
-#define X509V3_R_NO_CONFIG_DATABASE 139
-#define X509V3_R_NO_ISSUER_CERTIFICATE 140
-#define X509V3_R_NO_ISSUER_DETAILS 141
-#define X509V3_R_NO_POLICY_IDENTIFIER 142
-#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 143
-#define X509V3_R_NO_PUBLIC_KEY 144
-#define X509V3_R_NO_SUBJECT_DETAILS 145
-#define X509V3_R_ODD_NUMBER_OF_DIGITS 146
-#define X509V3_R_OPERATION_NOT_DEFINED 147
-#define X509V3_R_OTHERNAME_ERROR 148
-#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 149
-#define X509V3_R_POLICY_PATH_LENGTH 150
-#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 151
-#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 152
-#define X509V3_R_SECTION_NOT_FOUND 153
-#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 154
-#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 155
-#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 156
-#define X509V3_R_UNKNOWN_EXTENSION 157
-#define X509V3_R_UNKNOWN_EXTENSION_NAME 158
-#define X509V3_R_UNKNOWN_OPTION 159
-#define X509V3_R_UNSUPPORTED_OPTION 160
-#define X509V3_R_UNSUPPORTED_TYPE 161
-#define X509V3_R_USER_TOO_LONG 162
-#define X509V3_R_INVALID_VALUE 163
-#define X509V3_R_TRAILING_DATA_IN_EXTENSION 164
+// Deprecated constants.
+
+// The following constants are legacy aliases for |X509v3_KU_*|. They are
+// defined here instead of in because NSS's public headers use
+// the same symbols. Some callers have inadvertently relied on the conflicts
+// only being defined in this header.
+#define KU_DIGITAL_SIGNATURE X509v3_KU_DIGITAL_SIGNATURE
+#define KU_NON_REPUDIATION X509v3_KU_NON_REPUDIATION
+#define KU_KEY_ENCIPHERMENT X509v3_KU_KEY_ENCIPHERMENT
+#define KU_DATA_ENCIPHERMENT X509v3_KU_DATA_ENCIPHERMENT
+#define KU_KEY_AGREEMENT X509v3_KU_KEY_AGREEMENT
+#define KU_KEY_CERT_SIGN X509v3_KU_KEY_CERT_SIGN
+#define KU_CRL_SIGN X509v3_KU_CRL_SIGN
+#define KU_ENCIPHER_ONLY X509v3_KU_ENCIPHER_ONLY
+#define KU_DECIPHER_ONLY X509v3_KU_DECIPHER_ONLY
 #endif // OPENSSL_HEADER_X509V3_H
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3_errors.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3_errors.h
new file mode 100644
index 00000000..293d268d
--- /dev/null
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3_errors.h
@@ -0,0 +1,124 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999. */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#ifndef OPENSSL_HEADER_X509V3_ERRORS_H
+#define OPENSSL_HEADER_X509V3_ERRORS_H
+
+#define X509V3_R_BAD_IP_ADDRESS 100
+#define X509V3_R_BAD_OBJECT 101
+#define X509V3_R_BN_DEC2BN_ERROR 102
+#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 103
+#define X509V3_R_CANNOT_FIND_FREE_FUNCTION 104
+#define X509V3_R_DIRNAME_ERROR 105
+#define X509V3_R_DISTPOINT_ALREADY_SET 106
+#define X509V3_R_DUPLICATE_ZONE_ID 107
+#define X509V3_R_ERROR_CONVERTING_ZONE 108
+#define X509V3_R_ERROR_CREATING_EXTENSION 109
+#define X509V3_R_ERROR_IN_EXTENSION 110
+#define X509V3_R_EXPECTED_A_SECTION_NAME 111
+#define X509V3_R_EXTENSION_EXISTS 112
+#define X509V3_R_EXTENSION_NAME_ERROR 113
+#define X509V3_R_EXTENSION_NOT_FOUND 114
+#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 115
+#define X509V3_R_EXTENSION_VALUE_ERROR 116
+#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 117
+#define X509V3_R_ILLEGAL_HEX_DIGIT 118
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 119
+#define X509V3_R_INVALID_BOOLEAN_STRING 120
+#define X509V3_R_INVALID_EXTENSION_STRING 121
+#define X509V3_R_INVALID_MULTIPLE_RDNS 122
+#define X509V3_R_INVALID_NAME 123
+#define X509V3_R_INVALID_NULL_ARGUMENT 124
+#define X509V3_R_INVALID_NULL_NAME 125
+#define X509V3_R_INVALID_NULL_VALUE 126
+#define X509V3_R_INVALID_NUMBER 127
+#define X509V3_R_INVALID_NUMBERS 128
+#define X509V3_R_INVALID_OBJECT_IDENTIFIER 129
+#define X509V3_R_INVALID_OPTION 130
+#define X509V3_R_INVALID_POLICY_IDENTIFIER 131
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING 132
+#define X509V3_R_INVALID_PURPOSE 133
+#define X509V3_R_INVALID_SECTION 134
+#define X509V3_R_INVALID_SYNTAX 135
+#define X509V3_R_ISSUER_DECODE_ERROR 136
+#define X509V3_R_MISSING_VALUE 137
+#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 138
+#define X509V3_R_NO_CONFIG_DATABASE 139
+#define X509V3_R_NO_ISSUER_CERTIFICATE 140
+#define X509V3_R_NO_ISSUER_DETAILS 141
+#define X509V3_R_NO_POLICY_IDENTIFIER 142
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 143
+#define X509V3_R_NO_PUBLIC_KEY 144
+#define X509V3_R_NO_SUBJECT_DETAILS 145
+#define X509V3_R_ODD_NUMBER_OF_DIGITS 146
+#define X509V3_R_OPERATION_NOT_DEFINED 147
+#define X509V3_R_OTHERNAME_ERROR 148
+#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 149
+#define X509V3_R_POLICY_PATH_LENGTH 150
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 151
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 152
+#define X509V3_R_SECTION_NOT_FOUND 153
+#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 154
+#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 155
+#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 156
+#define X509V3_R_UNKNOWN_EXTENSION 157
+#define X509V3_R_UNKNOWN_EXTENSION_NAME 158
+#define X509V3_R_UNKNOWN_OPTION 159
+#define X509V3_R_UNSUPPORTED_OPTION 160
+#define X509V3_R_UNSUPPORTED_TYPE 161
+#define X509V3_R_USER_TOO_LONG 162
+#define X509V3_R_INVALID_VALUE 163
+#define X509V3_R_TRAILING_DATA_IN_EXTENSION 164
+
+#endif // OPENSSL_HEADER_X509V3_ERRORS_H
diff --git a/Sources/CJWTKitBoringSSL/include/boringssl_prefix_symbols_nasm.inc b/Sources/CJWTKitBoringSSL/include/boringssl_prefix_symbols_nasm.inc
index 5b76f419..6c6008e2 100644
--- a/Sources/CJWTKitBoringSSL/include/boringssl_prefix_symbols_nasm.inc +++ b/Sources/CJWTKitBoringSSL/include/boringssl_prefix_symbols_nasm.inc @@ -139,6 +139,7 @@ %xdefine _ASN1_TIME_set _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_set %xdefine _ASN1_TIME_set_posix _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_set_posix %xdefine _ASN1_TIME_set_string _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_set_string +%xdefine _ASN1_TIME_set_string_X509 _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_set_string_X509 %xdefine _ASN1_TIME_to_generalizedtime _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_to_generalizedtime %xdefine _ASN1_TIME_to_posix _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_to_posix %xdefine _ASN1_TIME_to_time_t _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_to_time_t @@ -222,6 +223,8 @@ %xdefine _BIO_free _ %+ BORINGSSL_PREFIX %+ _BIO_free %xdefine _BIO_free_all _ %+ BORINGSSL_PREFIX %+ _BIO_free_all %xdefine _BIO_get_data _ %+ BORINGSSL_PREFIX %+ _BIO_get_data +%xdefine _BIO_get_ex_data _ %+ BORINGSSL_PREFIX %+ _BIO_get_ex_data +%xdefine _BIO_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _BIO_get_ex_new_index %xdefine _BIO_get_fd _ %+ BORINGSSL_PREFIX %+ _BIO_get_fd %xdefine _BIO_get_fp _ %+ BORINGSSL_PREFIX %+ _BIO_get_fp %xdefine _BIO_get_init _ %+ BORINGSSL_PREFIX %+ _BIO_get_init @@ -279,6 +282,7 @@ %xdefine _BIO_set_conn_int_port _ %+ BORINGSSL_PREFIX %+ _BIO_set_conn_int_port %xdefine _BIO_set_conn_port _ %+ BORINGSSL_PREFIX %+ _BIO_set_conn_port %xdefine _BIO_set_data _ %+ BORINGSSL_PREFIX %+ _BIO_set_data +%xdefine _BIO_set_ex_data _ %+ BORINGSSL_PREFIX %+ _BIO_set_ex_data %xdefine _BIO_set_fd _ %+ BORINGSSL_PREFIX %+ _BIO_set_fd %xdefine _BIO_set_flags _ %+ BORINGSSL_PREFIX %+ _BIO_set_flags %xdefine _BIO_set_fp _ %+ BORINGSSL_PREFIX %+ _BIO_set_fp 
@@ -345,6 +349,7 @@ %xdefine _BN_bn2dec _ %+ BORINGSSL_PREFIX %+ _BN_bn2dec %xdefine _BN_bn2hex _ %+ BORINGSSL_PREFIX %+ _BN_bn2hex %xdefine _BN_bn2le_padded _ %+ BORINGSSL_PREFIX %+ _BN_bn2le_padded +%xdefine _BN_bn2lebinpad _ %+ BORINGSSL_PREFIX %+ _BN_bn2lebinpad %xdefine _BN_bn2mpi _ %+ BORINGSSL_PREFIX %+ _BN_bn2mpi %xdefine _BN_clear _ %+ BORINGSSL_PREFIX %+ _BN_clear %xdefine _BN_clear_bit _ %+ BORINGSSL_PREFIX %+ _BN_clear_bit @@ -384,6 +389,7 @@ %xdefine _BN_is_word _ %+ BORINGSSL_PREFIX %+ _BN_is_word %xdefine _BN_is_zero _ %+ BORINGSSL_PREFIX %+ _BN_is_zero %xdefine _BN_le2bn _ %+ BORINGSSL_PREFIX %+ _BN_le2bn +%xdefine _BN_lebin2bn _ %+ BORINGSSL_PREFIX %+ _BN_lebin2bn %xdefine _BN_lshift _ %+ BORINGSSL_PREFIX %+ _BN_lshift %xdefine _BN_lshift1 _ %+ BORINGSSL_PREFIX %+ _BN_lshift1 %xdefine _BN_marshal_asn1 _ %+ BORINGSSL_PREFIX %+ _BN_marshal_asn1 @@ -449,6 +455,7 @@ %xdefine _BN_value_one _ %+ BORINGSSL_PREFIX %+ _BN_value_one %xdefine _BN_zero _ %+ BORINGSSL_PREFIX %+ _BN_zero %xdefine _BORINGSSL_keccak _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_keccak +%xdefine _BORINGSSL_keccak_absorb _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_keccak_absorb %xdefine _BORINGSSL_keccak_init _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_keccak_init %xdefine _BORINGSSL_keccak_squeeze _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_keccak_squeeze %xdefine _BORINGSSL_self_test _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_self_test @@ -473,6 +480,7 @@ %xdefine _CBB_add_asn1_uint64 _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1_uint64 %xdefine _CBB_add_asn1_uint64_with_tag _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1_uint64_with_tag %xdefine _CBB_add_bytes _ %+ BORINGSSL_PREFIX %+ _CBB_add_bytes +%xdefine _CBB_add_latin1 _ %+ BORINGSSL_PREFIX %+ _CBB_add_latin1 %xdefine _CBB_add_space _ %+ BORINGSSL_PREFIX %+ _CBB_add_space %xdefine _CBB_add_u16 _ %+ BORINGSSL_PREFIX %+ _CBB_add_u16 %xdefine _CBB_add_u16_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBB_add_u16_length_prefixed 
@@ -485,6 +493,9 @@ %xdefine _CBB_add_u64le _ %+ BORINGSSL_PREFIX %+ _CBB_add_u64le %xdefine _CBB_add_u8 _ %+ BORINGSSL_PREFIX %+ _CBB_add_u8 %xdefine _CBB_add_u8_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBB_add_u8_length_prefixed +%xdefine _CBB_add_ucs2_be _ %+ BORINGSSL_PREFIX %+ _CBB_add_ucs2_be +%xdefine _CBB_add_utf32_be _ %+ BORINGSSL_PREFIX %+ _CBB_add_utf32_be +%xdefine _CBB_add_utf8 _ %+ BORINGSSL_PREFIX %+ _CBB_add_utf8 %xdefine _CBB_add_zeros _ %+ BORINGSSL_PREFIX %+ _CBB_add_zeros %xdefine _CBB_cleanup _ %+ BORINGSSL_PREFIX %+ _CBB_cleanup %xdefine _CBB_data _ %+ BORINGSSL_PREFIX %+ _CBB_data @@ -494,6 +505,7 @@ %xdefine _CBB_finish_i2d _ %+ BORINGSSL_PREFIX %+ _CBB_finish_i2d %xdefine _CBB_flush _ %+ BORINGSSL_PREFIX %+ _CBB_flush %xdefine _CBB_flush_asn1_set_of _ %+ BORINGSSL_PREFIX %+ _CBB_flush_asn1_set_of +%xdefine _CBB_get_utf8_len _ %+ BORINGSSL_PREFIX %+ _CBB_get_utf8_len %xdefine _CBB_init _ %+ BORINGSSL_PREFIX %+ _CBB_init %xdefine _CBB_init_fixed _ %+ BORINGSSL_PREFIX %+ _CBB_init_fixed %xdefine _CBB_len _ %+ BORINGSSL_PREFIX %+ _CBB_len @@ -516,6 +528,7 @@ %xdefine _CBS_get_asn1_uint64 _ %+ BORINGSSL_PREFIX %+ _CBS_get_asn1_uint64 %xdefine _CBS_get_bytes _ %+ BORINGSSL_PREFIX %+ _CBS_get_bytes %xdefine _CBS_get_last_u8 _ %+ BORINGSSL_PREFIX %+ _CBS_get_last_u8 +%xdefine _CBS_get_latin1 _ %+ BORINGSSL_PREFIX %+ _CBS_get_latin1 %xdefine _CBS_get_optional_asn1 _ %+ BORINGSSL_PREFIX %+ _CBS_get_optional_asn1 %xdefine _CBS_get_optional_asn1_bool _ %+ BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_bool %xdefine _CBS_get_optional_asn1_octet_string _ %+ BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_octet_string 
@@ -532,7 +545,10 @@ %xdefine _CBS_get_u64le _ %+ BORINGSSL_PREFIX %+ _CBS_get_u64le %xdefine _CBS_get_u8 _ %+ BORINGSSL_PREFIX %+ _CBS_get_u8 %xdefine _CBS_get_u8_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBS_get_u8_length_prefixed +%xdefine _CBS_get_ucs2_be _ %+ BORINGSSL_PREFIX %+ _CBS_get_ucs2_be %xdefine _CBS_get_until_first _ %+ BORINGSSL_PREFIX %+ _CBS_get_until_first +%xdefine _CBS_get_utf32_be _ %+ BORINGSSL_PREFIX %+ _CBS_get_utf32_be +%xdefine _CBS_get_utf8 _ %+ BORINGSSL_PREFIX %+ _CBS_get_utf8 %xdefine _CBS_init _ %+ BORINGSSL_PREFIX %+ _CBS_init %xdefine _CBS_is_unsigned_asn1_integer _ %+ BORINGSSL_PREFIX %+ _CBS_is_unsigned_asn1_integer %xdefine _CBS_is_valid_asn1_bitstring _ %+ BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_bitstring @@ -583,10 +599,6 @@ %xdefine _CRYPTO_POLYVAL_finish _ %+ BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_finish %xdefine _CRYPTO_POLYVAL_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_init %xdefine _CRYPTO_POLYVAL_update_blocks _ %+ BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_update_blocks -%xdefine _CRYPTO_STATIC_MUTEX_lock_read _ %+ BORINGSSL_PREFIX %+ _CRYPTO_STATIC_MUTEX_lock_read -%xdefine _CRYPTO_STATIC_MUTEX_lock_write _ %+ BORINGSSL_PREFIX %+ _CRYPTO_STATIC_MUTEX_lock_write -%xdefine _CRYPTO_STATIC_MUTEX_unlock_read _ %+ BORINGSSL_PREFIX %+ _CRYPTO_STATIC_MUTEX_unlock_read -%xdefine _CRYPTO_STATIC_MUTEX_unlock_write _ %+ BORINGSSL_PREFIX %+ _CRYPTO_STATIC_MUTEX_unlock_write %xdefine _CRYPTO_THREADID_current _ %+ BORINGSSL_PREFIX %+ _CRYPTO_THREADID_current %xdefine _CRYPTO_THREADID_set_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_callback %xdefine _CRYPTO_THREADID_set_numeric _ %+ BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_numeric 
@@ -600,6 +612,7 @@ %xdefine _CRYPTO_cleanup_all_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cleanup_all_ex_data %xdefine _CRYPTO_ctr128_encrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt %xdefine _CRYPTO_ctr128_encrypt_ctr32 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt_ctr32 +%xdefine _CRYPTO_fips_186_2_prf _ %+ BORINGSSL_PREFIX %+ _CRYPTO_fips_186_2_prf %xdefine _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing _ %+ BORINGSSL_PREFIX %+ _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing %xdefine _CRYPTO_free _ %+ BORINGSSL_PREFIX %+ _CRYPTO_free %xdefine _CRYPTO_free_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_free_ex_data @@ -625,9 +638,6 @@ %xdefine _CRYPTO_has_asm _ %+ BORINGSSL_PREFIX %+ _CRYPTO_has_asm %xdefine _CRYPTO_hchacha20 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_hchacha20 %xdefine _CRYPTO_init_sysrand _ %+ BORINGSSL_PREFIX %+ _CRYPTO_init_sysrand -%xdefine _CRYPTO_is_ARMv8_AES_capable_at_runtime _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_AES_capable_at_runtime -%xdefine _CRYPTO_is_ARMv8_PMULL_capable_at_runtime _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_PMULL_capable_at_runtime -%xdefine _CRYPTO_is_NEON_capable_at_runtime _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_NEON_capable_at_runtime %xdefine _CRYPTO_is_confidential_build _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_confidential_build %xdefine _CRYPTO_library_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_library_init %xdefine _CRYPTO_malloc _ %+ BORINGSSL_PREFIX %+ _CRYPTO_malloc 
@@ -668,15 +678,24 @@ %xdefine _CTR_DRBG_init _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_init %xdefine _CTR_DRBG_new _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_new %xdefine _CTR_DRBG_reseed _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_reseed -%xdefine _ChaCha20_ctr32 _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32 +%xdefine _ChaCha20_ctr32_avx2 _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_avx2 +%xdefine _ChaCha20_ctr32_neon _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_neon +%xdefine _ChaCha20_ctr32_nohw _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_nohw +%xdefine _ChaCha20_ctr32_ssse3 _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3 +%xdefine _ChaCha20_ctr32_ssse3_4x _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_4x %xdefine _DES_decrypt3 _ %+ BORINGSSL_PREFIX %+ _DES_decrypt3 %xdefine _DES_ecb3_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ecb3_encrypt +%xdefine _DES_ecb3_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ecb3_encrypt_ex %xdefine _DES_ecb_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ecb_encrypt +%xdefine _DES_ecb_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ecb_encrypt_ex %xdefine _DES_ede2_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ede2_cbc_encrypt %xdefine _DES_ede3_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt +%xdefine _DES_ede3_cbc_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt_ex %xdefine _DES_encrypt3 _ %+ BORINGSSL_PREFIX %+ _DES_encrypt3 %xdefine _DES_ncbc_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ncbc_encrypt +%xdefine _DES_ncbc_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ncbc_encrypt_ex %xdefine _DES_set_key _ %+ BORINGSSL_PREFIX %+ _DES_set_key +%xdefine _DES_set_key_ex _ %+ BORINGSSL_PREFIX %+ _DES_set_key_ex %xdefine _DES_set_key_unchecked _ %+ BORINGSSL_PREFIX %+ _DES_set_key_unchecked %xdefine _DES_set_odd_parity _ %+ BORINGSSL_PREFIX %+ _DES_set_odd_parity %xdefine _DH_bits _ %+ BORINGSSL_PREFIX %+ _DH_bits 
@@ -862,6 +881,10 @@ %xdefine _EC_curve_nid2nist _ %+ BORINGSSL_PREFIX %+ _EC_curve_nid2nist %xdefine _EC_curve_nist2nid _ %+ BORINGSSL_PREFIX %+ _EC_curve_nist2nid %xdefine _EC_get_builtin_curves _ %+ BORINGSSL_PREFIX %+ _EC_get_builtin_curves +%xdefine _EC_group_p224 _ %+ BORINGSSL_PREFIX %+ _EC_group_p224 +%xdefine _EC_group_p256 _ %+ BORINGSSL_PREFIX %+ _EC_group_p256 +%xdefine _EC_group_p384 _ %+ BORINGSSL_PREFIX %+ _EC_group_p384 +%xdefine _EC_group_p521 _ %+ BORINGSSL_PREFIX %+ _EC_group_p521 %xdefine _EC_hash_to_curve_p256_xmd_sha256_sswu _ %+ BORINGSSL_PREFIX %+ _EC_hash_to_curve_p256_xmd_sha256_sswu %xdefine _EC_hash_to_curve_p384_xmd_sha384_sswu _ %+ BORINGSSL_PREFIX %+ _EC_hash_to_curve_p384_xmd_sha384_sswu %xdefine _ED25519_keypair _ %+ BORINGSSL_PREFIX %+ _ED25519_keypair @@ -1034,6 +1057,7 @@ %xdefine _EVP_HPKE_KEY_generate _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_generate %xdefine _EVP_HPKE_KEY_init _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_init %xdefine _EVP_HPKE_KEY_kem _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_kem +%xdefine _EVP_HPKE_KEY_move _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_move %xdefine _EVP_HPKE_KEY_new _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_new %xdefine _EVP_HPKE_KEY_private_key _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_private_key %xdefine _EVP_HPKE_KEY_public_key _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_public_key @@ -1356,6 +1380,7 @@ %xdefine _OBJ_find_sigid_algs _ %+ BORINGSSL_PREFIX %+ _OBJ_find_sigid_algs %xdefine _OBJ_find_sigid_by_algs _ %+ BORINGSSL_PREFIX %+ _OBJ_find_sigid_by_algs %xdefine _OBJ_get0_data _ %+ BORINGSSL_PREFIX %+ _OBJ_get0_data +%xdefine _OBJ_get_undef _ %+ BORINGSSL_PREFIX %+ _OBJ_get_undef %xdefine _OBJ_length _ %+ BORINGSSL_PREFIX %+ _OBJ_length %xdefine _OBJ_ln2nid _ %+ BORINGSSL_PREFIX %+ _OBJ_ln2nid %xdefine _OBJ_nid2cbb _ %+ BORINGSSL_PREFIX %+ _OBJ_nid2cbb 
@@ -1370,7 +1395,7 @@ %xdefine _OPENSSL_add_all_algorithms_conf _ %+ BORINGSSL_PREFIX %+ _OPENSSL_add_all_algorithms_conf %xdefine _OPENSSL_armcap_P _ %+ BORINGSSL_PREFIX %+ _OPENSSL_armcap_P %xdefine _OPENSSL_asprintf _ %+ BORINGSSL_PREFIX %+ _OPENSSL_asprintf -%xdefine _OPENSSL_built_in_curves _ %+ BORINGSSL_PREFIX %+ _OPENSSL_built_in_curves +%xdefine _OPENSSL_calloc _ %+ BORINGSSL_PREFIX %+ _OPENSSL_calloc %xdefine _OPENSSL_cleanse _ %+ BORINGSSL_PREFIX %+ _OPENSSL_cleanse %xdefine _OPENSSL_cleanup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_cleanup %xdefine _OPENSSL_clear_free _ %+ BORINGSSL_PREFIX %+ _OPENSSL_clear_free @@ -1378,7 +1403,9 @@ %xdefine _OPENSSL_cpuid_setup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_cpuid_setup %xdefine _OPENSSL_free _ %+ BORINGSSL_PREFIX %+ _OPENSSL_free %xdefine _OPENSSL_fromxdigit _ %+ BORINGSSL_PREFIX %+ _OPENSSL_fromxdigit +%xdefine _OPENSSL_get_armcap _ %+ BORINGSSL_PREFIX %+ _OPENSSL_get_armcap %xdefine _OPENSSL_get_armcap_pointer_for_test _ %+ BORINGSSL_PREFIX %+ _OPENSSL_get_armcap_pointer_for_test +%xdefine _OPENSSL_get_ia32cap _ %+ BORINGSSL_PREFIX %+ _OPENSSL_get_ia32cap %xdefine _OPENSSL_gmtime _ %+ BORINGSSL_PREFIX %+ _OPENSSL_gmtime %xdefine _OPENSSL_gmtime_adj _ %+ BORINGSSL_PREFIX %+ _OPENSSL_gmtime_adj %xdefine _OPENSSL_gmtime_diff _ %+ BORINGSSL_PREFIX %+ _OPENSSL_gmtime_diff 
@@ -1407,6 +1434,27 @@ %xdefine _OPENSSL_realloc _ %+ BORINGSSL_PREFIX %+ _OPENSSL_realloc %xdefine _OPENSSL_secure_clear_free _ %+ BORINGSSL_PREFIX %+ _OPENSSL_secure_clear_free %xdefine _OPENSSL_secure_malloc _ %+ BORINGSSL_PREFIX %+ _OPENSSL_secure_malloc +%xdefine _OPENSSL_sk_deep_copy _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_deep_copy +%xdefine _OPENSSL_sk_delete _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_delete +%xdefine _OPENSSL_sk_delete_if _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_delete_if +%xdefine _OPENSSL_sk_delete_ptr _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_delete_ptr +%xdefine _OPENSSL_sk_dup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_dup +%xdefine _OPENSSL_sk_find _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_find +%xdefine _OPENSSL_sk_free _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_free +%xdefine _OPENSSL_sk_insert _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_insert +%xdefine _OPENSSL_sk_is_sorted _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_is_sorted +%xdefine _OPENSSL_sk_new _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_new +%xdefine _OPENSSL_sk_new_null _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_new_null +%xdefine _OPENSSL_sk_num _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_num +%xdefine _OPENSSL_sk_pop _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_pop +%xdefine _OPENSSL_sk_pop_free_ex _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_pop_free_ex +%xdefine _OPENSSL_sk_push _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_push +%xdefine _OPENSSL_sk_set _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_set +%xdefine _OPENSSL_sk_set_cmp_func _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_set_cmp_func +%xdefine _OPENSSL_sk_shift _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_shift +%xdefine _OPENSSL_sk_sort _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_sort +%xdefine _OPENSSL_sk_value _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_value +%xdefine _OPENSSL_sk_zero _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_zero %xdefine _OPENSSL_strcasecmp _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strcasecmp %xdefine _OPENSSL_strdup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strdup %xdefine _OPENSSL_strhash _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strhash 
@@ -1420,6 +1468,7 @@ %xdefine _OPENSSL_tolower _ %+ BORINGSSL_PREFIX %+ _OPENSSL_tolower %xdefine _OPENSSL_vasprintf _ %+ BORINGSSL_PREFIX %+ _OPENSSL_vasprintf %xdefine _OPENSSL_vasprintf_internal _ %+ BORINGSSL_PREFIX %+ _OPENSSL_vasprintf_internal +%xdefine _OPENSSL_zalloc _ %+ BORINGSSL_PREFIX %+ _OPENSSL_zalloc %xdefine _OTHERNAME_free _ %+ BORINGSSL_PREFIX %+ _OTHERNAME_free %xdefine _OTHERNAME_it _ %+ BORINGSSL_PREFIX %+ _OTHERNAME_it %xdefine _OTHERNAME_new _ %+ BORINGSSL_PREFIX %+ _OTHERNAME_new @@ -1573,6 +1622,7 @@ %xdefine _RAND_bytes _ %+ BORINGSSL_PREFIX %+ _RAND_bytes %xdefine _RAND_bytes_with_additional_data _ %+ BORINGSSL_PREFIX %+ _RAND_bytes_with_additional_data %xdefine _RAND_cleanup _ %+ BORINGSSL_PREFIX %+ _RAND_cleanup +%xdefine _RAND_disable_fork_unsafe_buffering _ %+ BORINGSSL_PREFIX %+ _RAND_disable_fork_unsafe_buffering %xdefine _RAND_egd _ %+ BORINGSSL_PREFIX %+ _RAND_egd %xdefine _RAND_enable_fork_unsafe_buffering _ %+ BORINGSSL_PREFIX %+ _RAND_enable_fork_unsafe_buffering %xdefine _RAND_file_name _ %+ BORINGSSL_PREFIX %+ _RAND_file_name @@ -1745,7 +1795,6 @@ %xdefine _X509V3_EXT_nconf_nid _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_nconf_nid %xdefine _X509V3_EXT_print _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_print %xdefine _X509V3_EXT_print_fp _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_print_fp -%xdefine _X509V3_EXT_val_prn _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_val_prn %xdefine _X509V3_NAME_from_section _ %+ BORINGSSL_PREFIX %+ _X509V3_NAME_from_section %xdefine _X509V3_add1_i2d _ %+ BORINGSSL_PREFIX %+ _X509V3_add1_i2d %xdefine _X509V3_add_standard_extensions _ %+ BORINGSSL_PREFIX %+ _X509V3_add_standard_extensions 
@@ -1799,7 +1848,6 @@ %xdefine _X509_CRL_add_ext _ %+ BORINGSSL_PREFIX %+ _X509_CRL_add_ext %xdefine _X509_CRL_cmp _ %+ BORINGSSL_PREFIX %+ _X509_CRL_cmp %xdefine _X509_CRL_delete_ext _ %+ BORINGSSL_PREFIX %+ _X509_CRL_delete_ext -%xdefine _X509_CRL_diff _ %+ BORINGSSL_PREFIX %+ _X509_CRL_diff %xdefine _X509_CRL_digest _ %+ BORINGSSL_PREFIX %+ _X509_CRL_digest %xdefine _X509_CRL_dup _ %+ BORINGSSL_PREFIX %+ _X509_CRL_dup %xdefine _X509_CRL_free _ %+ BORINGSSL_PREFIX %+ _X509_CRL_free @@ -1851,15 +1899,12 @@ %xdefine _X509_EXTENSION_set_data _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_set_data %xdefine _X509_EXTENSION_set_object _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_set_object %xdefine _X509_INFO_free _ %+ BORINGSSL_PREFIX %+ _X509_INFO_free -%xdefine _X509_INFO_new _ %+ BORINGSSL_PREFIX %+ _X509_INFO_new -%xdefine _X509_LOOKUP_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_by_subject +%xdefine _X509_LOOKUP_add_dir _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_add_dir %xdefine _X509_LOOKUP_ctrl _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_ctrl %xdefine _X509_LOOKUP_file _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_file %xdefine _X509_LOOKUP_free _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_free %xdefine _X509_LOOKUP_hash_dir _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_hash_dir -%xdefine _X509_LOOKUP_init _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_init -%xdefine _X509_LOOKUP_new _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_new -%xdefine _X509_LOOKUP_shutdown _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_shutdown +%xdefine _X509_LOOKUP_load_file _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_load_file %xdefine _X509_NAME_ENTRIES_it _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRIES_it %xdefine _X509_NAME_ENTRY_create_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_NID %xdefine _X509_NAME_ENTRY_create_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_OBJ 
@@ -1899,25 +1944,20 @@ %xdefine _X509_NAME_print_ex _ %+ BORINGSSL_PREFIX %+ _X509_NAME_print_ex %xdefine _X509_NAME_print_ex_fp _ %+ BORINGSSL_PREFIX %+ _X509_NAME_print_ex_fp %xdefine _X509_NAME_set _ %+ BORINGSSL_PREFIX %+ _X509_NAME_set +%xdefine _X509_OBJECT_free _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_free %xdefine _X509_OBJECT_free_contents _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_free_contents %xdefine _X509_OBJECT_get0_X509 _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_get0_X509 %xdefine _X509_OBJECT_get_type _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_get_type -%xdefine _X509_OBJECT_idx_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_idx_by_subject -%xdefine _X509_OBJECT_retrieve_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_retrieve_by_subject -%xdefine _X509_OBJECT_retrieve_match _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_retrieve_match -%xdefine _X509_OBJECT_up_ref_count _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_up_ref_count -%xdefine _X509_PKEY_free _ %+ BORINGSSL_PREFIX %+ _X509_PKEY_free -%xdefine _X509_PKEY_new _ %+ BORINGSSL_PREFIX %+ _X509_PKEY_new +%xdefine _X509_OBJECT_new _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_new %xdefine _X509_PUBKEY_free _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_free %xdefine _X509_PUBKEY_get _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get +%xdefine _X509_PUBKEY_get0 _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get0 %xdefine _X509_PUBKEY_get0_param _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_param %xdefine _X509_PUBKEY_get0_public_key _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_public_key %xdefine _X509_PUBKEY_it _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_it %xdefine _X509_PUBKEY_new _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_new %xdefine _X509_PUBKEY_set _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_set %xdefine _X509_PUBKEY_set0_param _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_set0_param -%xdefine _X509_PURPOSE_add _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_add -%xdefine _X509_PURPOSE_cleanup _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_cleanup %xdefine _X509_PURPOSE_get0 _ %+ BORINGSSL_PREFIX %+ 
_X509_PURPOSE_get0 %xdefine _X509_PURPOSE_get0_name _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get0_name %xdefine _X509_PURPOSE_get0_sname _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get0_sname @@ -1942,6 +1982,7 @@ %xdefine _X509_REQ_dup _ %+ BORINGSSL_PREFIX %+ _X509_REQ_dup %xdefine _X509_REQ_extension_nid _ %+ BORINGSSL_PREFIX %+ _X509_REQ_extension_nid %xdefine _X509_REQ_free _ %+ BORINGSSL_PREFIX %+ _X509_REQ_free +%xdefine _X509_REQ_get0_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get0_pubkey %xdefine _X509_REQ_get0_signature _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get0_signature %xdefine _X509_REQ_get1_email _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get1_email %xdefine _X509_REQ_get_attr _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_attr 
@@ -1994,13 +2035,15 @@ %xdefine _X509_STORE_CTX_get0_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_cert %xdefine _X509_STORE_CTX_get0_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_chain %xdefine _X509_STORE_CTX_get0_current_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_crl -%xdefine _X509_STORE_CTX_get0_current_issuer _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_issuer %xdefine _X509_STORE_CTX_get0_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_param %xdefine _X509_STORE_CTX_get0_parent_ctx _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_parent_ctx %xdefine _X509_STORE_CTX_get0_store _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_store %xdefine _X509_STORE_CTX_get0_untrusted _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_untrusted +%xdefine _X509_STORE_CTX_get1_certs _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_certs %xdefine _X509_STORE_CTX_get1_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_chain +%xdefine _X509_STORE_CTX_get1_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_crls %xdefine _X509_STORE_CTX_get1_issuer _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_issuer +%xdefine _X509_STORE_CTX_get_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_by_subject %xdefine _X509_STORE_CTX_get_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_chain %xdefine _X509_STORE_CTX_get_current_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_current_cert %xdefine _X509_STORE_CTX_get_error _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_error 
@@ -2009,11 +2052,9 @@ %xdefine _X509_STORE_CTX_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_ex_new_index %xdefine _X509_STORE_CTX_init _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_init %xdefine _X509_STORE_CTX_new _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_new -%xdefine _X509_STORE_CTX_purpose_inherit _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_purpose_inherit %xdefine _X509_STORE_CTX_set0_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_crls %xdefine _X509_STORE_CTX_set0_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_param %xdefine _X509_STORE_CTX_set0_trusted_stack _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_trusted_stack -%xdefine _X509_STORE_CTX_set_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_cert %xdefine _X509_STORE_CTX_set_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_chain %xdefine _X509_STORE_CTX_set_default _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_default %xdefine _X509_STORE_CTX_set_depth _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_depth 
@@ -2026,49 +2067,24 @@ %xdefine _X509_STORE_CTX_set_trust _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_trust %xdefine _X509_STORE_CTX_set_verify_cb _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_verify_cb %xdefine _X509_STORE_CTX_trusted_stack _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_trusted_stack -%xdefine _X509_STORE_CTX_zero _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_zero %xdefine _X509_STORE_add_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_add_cert %xdefine _X509_STORE_add_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_add_crl %xdefine _X509_STORE_add_lookup _ %+ BORINGSSL_PREFIX %+ _X509_STORE_add_lookup %xdefine _X509_STORE_free _ %+ BORINGSSL_PREFIX %+ _X509_STORE_free %xdefine _X509_STORE_get0_objects _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get0_objects %xdefine _X509_STORE_get0_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get0_param -%xdefine _X509_STORE_get1_certs _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get1_certs -%xdefine _X509_STORE_get1_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get1_crls -%xdefine _X509_STORE_get_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_by_subject -%xdefine _X509_STORE_get_cert_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_cert_crl -%xdefine _X509_STORE_get_check_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_check_crl -%xdefine _X509_STORE_get_check_issued _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_check_issued -%xdefine _X509_STORE_get_check_revocation _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_check_revocation -%xdefine _X509_STORE_get_cleanup _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_cleanup -%xdefine _X509_STORE_get_get_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_get_crl -%xdefine _X509_STORE_get_get_issuer _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_get_issuer -%xdefine _X509_STORE_get_lookup_certs _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_lookup_certs -%xdefine _X509_STORE_get_lookup_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_lookup_crls -%xdefine _X509_STORE_get_verify _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_verify -%xdefine 
_X509_STORE_get_verify_cb _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_verify_cb %xdefine _X509_STORE_load_locations _ %+ BORINGSSL_PREFIX %+ _X509_STORE_load_locations %xdefine _X509_STORE_new _ %+ BORINGSSL_PREFIX %+ _X509_STORE_new %xdefine _X509_STORE_set1_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set1_param -%xdefine _X509_STORE_set_cert_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_cert_crl %xdefine _X509_STORE_set_check_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_check_crl -%xdefine _X509_STORE_set_check_issued _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_check_issued -%xdefine _X509_STORE_set_check_revocation _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_check_revocation -%xdefine _X509_STORE_set_cleanup _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_cleanup %xdefine _X509_STORE_set_default_paths _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_default_paths %xdefine _X509_STORE_set_depth _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_depth %xdefine _X509_STORE_set_flags _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_flags %xdefine _X509_STORE_set_get_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_get_crl -%xdefine _X509_STORE_set_get_issuer _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_get_issuer -%xdefine _X509_STORE_set_lookup_certs _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_lookup_certs -%xdefine _X509_STORE_set_lookup_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_lookup_crls %xdefine _X509_STORE_set_purpose _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_purpose %xdefine _X509_STORE_set_trust _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_trust -%xdefine _X509_STORE_set_verify _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_verify %xdefine _X509_STORE_set_verify_cb _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_verify_cb %xdefine _X509_STORE_up_ref _ %+ BORINGSSL_PREFIX %+ _X509_STORE_up_ref -%xdefine _X509_TRUST_add _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_add -%xdefine _X509_TRUST_cleanup _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_cleanup %xdefine _X509_TRUST_get0 _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get0 %xdefine 
_X509_TRUST_get0_name _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get0_name %xdefine _X509_TRUST_get_by_id _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get_by_id @@ -2083,8 +2099,6 @@ %xdefine _X509_VERIFY_PARAM_add1_host _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_add1_host %xdefine _X509_VERIFY_PARAM_clear_flags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_clear_flags %xdefine _X509_VERIFY_PARAM_free _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_free -%xdefine _X509_VERIFY_PARAM_get0_name _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get0_name -%xdefine _X509_VERIFY_PARAM_get0_peername _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get0_peername %xdefine _X509_VERIFY_PARAM_get_depth _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_depth %xdefine _X509_VERIFY_PARAM_get_flags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_flags %xdefine _X509_VERIFY_PARAM_inherit _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_inherit @@ -2095,7 +2109,6 @@ %xdefine _X509_VERIFY_PARAM_set1_host _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_host %xdefine _X509_VERIFY_PARAM_set1_ip _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip %xdefine _X509_VERIFY_PARAM_set1_ip_asc _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip_asc -%xdefine _X509_VERIFY_PARAM_set1_name _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_name %xdefine _X509_VERIFY_PARAM_set1_policies _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_policies %xdefine _X509_VERIFY_PARAM_set_depth _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_depth %xdefine _X509_VERIFY_PARAM_set_flags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_flags 
@@ -2138,6 +2151,7 @@ %xdefine _X509_get0_extensions _ %+ BORINGSSL_PREFIX %+ _X509_get0_extensions %xdefine _X509_get0_notAfter _ %+ BORINGSSL_PREFIX %+ _X509_get0_notAfter %xdefine _X509_get0_notBefore _ %+ BORINGSSL_PREFIX %+ _X509_get0_notBefore +%xdefine _X509_get0_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_get0_pubkey %xdefine _X509_get0_pubkey_bitstr _ %+ BORINGSSL_PREFIX %+ _X509_get0_pubkey_bitstr %xdefine _X509_get0_serialNumber _ %+ BORINGSSL_PREFIX %+ _X509_get0_serialNumber %xdefine _X509_get0_signature _ %+ BORINGSSL_PREFIX %+ _X509_get0_signature @@ -2228,7 +2242,6 @@ %xdefine _X509v3_get_ext_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext_by_OBJ %xdefine _X509v3_get_ext_by_critical _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext_by_critical %xdefine _X509v3_get_ext_count _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext_count -%xdefine _a2i_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _a2i_GENERAL_NAME %xdefine _a2i_IPADDRESS _ %+ BORINGSSL_PREFIX %+ _a2i_IPADDRESS %xdefine _a2i_IPADDRESS_NC _ %+ BORINGSSL_PREFIX %+ _a2i_IPADDRESS_NC %xdefine _aes128gcmsiv_aes_ks _ %+ BORINGSSL_PREFIX %+ _aes128gcmsiv_aes_ks 
@@ -2283,14 +2296,16 @@ %xdefine _asn1_refcount_set_one _ %+ BORINGSSL_PREFIX %+ _asn1_refcount_set_one %xdefine _asn1_set_choice_selector _ %+ BORINGSSL_PREFIX %+ _asn1_set_choice_selector %xdefine _asn1_type_cleanup _ %+ BORINGSSL_PREFIX %+ _asn1_type_cleanup +%xdefine _asn1_type_set0_string _ %+ BORINGSSL_PREFIX %+ _asn1_type_set0_string %xdefine _asn1_type_value_as_pointer _ %+ BORINGSSL_PREFIX %+ _asn1_type_value_as_pointer %xdefine _asn1_utctime_to_tm _ %+ BORINGSSL_PREFIX %+ _asn1_utctime_to_tm %xdefine _beeu_mod_inverse_vartime _ %+ BORINGSSL_PREFIX %+ _beeu_mod_inverse_vartime %xdefine _bio_clear_socket_error _ %+ BORINGSSL_PREFIX %+ _bio_clear_socket_error -%xdefine _bio_fd_should_retry _ %+ BORINGSSL_PREFIX %+ _bio_fd_should_retry +%xdefine _bio_errno_should_retry _ %+ BORINGSSL_PREFIX %+ _bio_errno_should_retry %xdefine _bio_ip_and_port_to_socket_and_addr _ %+ BORINGSSL_PREFIX %+ _bio_ip_and_port_to_socket_and_addr %xdefine _bio_sock_error _ %+ BORINGSSL_PREFIX %+ _bio_sock_error %xdefine _bio_socket_nbio _ %+ BORINGSSL_PREFIX %+ _bio_socket_nbio +%xdefine _bio_socket_should_retry _ %+ BORINGSSL_PREFIX %+ _bio_socket_should_retry %xdefine _bn_abs_sub_consttime _ %+ BORINGSSL_PREFIX %+ _bn_abs_sub_consttime %xdefine _bn_add_words _ %+ BORINGSSL_PREFIX %+ _bn_add_words %xdefine _bn_assert_fits_in_bytes _ %+ BORINGSSL_PREFIX %+ _bn_assert_fits_in_bytes @@ -2313,7 +2328,6 @@ %xdefine _bn_minimal_width _ %+ BORINGSSL_PREFIX %+ _bn_minimal_width %xdefine _bn_mod_add_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_add_consttime %xdefine _bn_mod_add_words _ %+ BORINGSSL_PREFIX %+ _bn_mod_add_words -%xdefine _bn_mod_exp_base_2_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_exp_base_2_consttime %xdefine _bn_mod_exp_mont_small _ %+ BORINGSSL_PREFIX %+ _bn_mod_exp_mont_small %xdefine _bn_mod_inverse0_prime_mont_small _ %+ BORINGSSL_PREFIX %+ _bn_mod_inverse0_prime_mont_small %xdefine _bn_mod_inverse_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_inverse_consttime 
@@ -2325,15 +2339,21 @@ %xdefine _bn_mod_sub_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_sub_consttime %xdefine _bn_mod_sub_words _ %+ BORINGSSL_PREFIX %+ _bn_mod_sub_words %xdefine _bn_mod_u16_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_u16_consttime +%xdefine _bn_mont_ctx_cleanup _ %+ BORINGSSL_PREFIX %+ _bn_mont_ctx_cleanup +%xdefine _bn_mont_ctx_init _ %+ BORINGSSL_PREFIX %+ _bn_mont_ctx_init +%xdefine _bn_mont_ctx_set_RR_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mont_ctx_set_RR_consttime %xdefine _bn_mont_n0 _ %+ BORINGSSL_PREFIX %+ _bn_mont_n0 +%xdefine _bn_mul4x_mont _ %+ BORINGSSL_PREFIX %+ _bn_mul4x_mont %xdefine _bn_mul_add_words _ %+ BORINGSSL_PREFIX %+ _bn_mul_add_words %xdefine _bn_mul_comba4 _ %+ BORINGSSL_PREFIX %+ _bn_mul_comba4 %xdefine _bn_mul_comba8 _ %+ BORINGSSL_PREFIX %+ _bn_mul_comba8 %xdefine _bn_mul_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mul_consttime %xdefine _bn_mul_mont _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont %xdefine _bn_mul_mont_gather5 _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont_gather5 +%xdefine _bn_mul_mont_nohw _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont_nohw %xdefine _bn_mul_small _ %+ BORINGSSL_PREFIX %+ _bn_mul_small %xdefine _bn_mul_words _ %+ BORINGSSL_PREFIX %+ _bn_mul_words +%xdefine _bn_mulx4x_mont _ %+ BORINGSSL_PREFIX %+ _bn_mulx4x_mont %xdefine _bn_odd_number_is_obviously_composite _ %+ BORINGSSL_PREFIX %+ _bn_odd_number_is_obviously_composite %xdefine _bn_one_to_montgomery _ %+ BORINGSSL_PREFIX %+ _bn_one_to_montgomery %xdefine _bn_power5 _ %+ BORINGSSL_PREFIX %+ _bn_power5 
@@ -2351,6 +2371,7 @@ %xdefine _bn_set_static_words _ %+ BORINGSSL_PREFIX %+ _bn_set_static_words %xdefine _bn_set_words _ %+ BORINGSSL_PREFIX %+ _bn_set_words %xdefine _bn_sqr8x_internal _ %+ BORINGSSL_PREFIX %+ _bn_sqr8x_internal +%xdefine _bn_sqr8x_mont _ %+ BORINGSSL_PREFIX %+ _bn_sqr8x_mont %xdefine _bn_sqr_comba4 _ %+ BORINGSSL_PREFIX %+ _bn_sqr_comba4 %xdefine _bn_sqr_comba8 _ %+ BORINGSSL_PREFIX %+ _bn_sqr_comba8 %xdefine _bn_sqr_consttime _ %+ BORINGSSL_PREFIX %+ _bn_sqr_consttime @@ -2369,15 +2390,6 @@ %xdefine _c2i_ASN1_BIT_STRING _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_BIT_STRING %xdefine _c2i_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_INTEGER %xdefine _c2i_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_OBJECT -%xdefine _cbb_add_latin1 _ %+ BORINGSSL_PREFIX %+ _cbb_add_latin1 -%xdefine _cbb_add_ucs2_be _ %+ BORINGSSL_PREFIX %+ _cbb_add_ucs2_be -%xdefine _cbb_add_utf32_be _ %+ BORINGSSL_PREFIX %+ _cbb_add_utf32_be -%xdefine _cbb_add_utf8 _ %+ BORINGSSL_PREFIX %+ _cbb_add_utf8 -%xdefine _cbb_get_utf8_len _ %+ BORINGSSL_PREFIX %+ _cbb_get_utf8_len -%xdefine _cbs_get_latin1 _ %+ BORINGSSL_PREFIX %+ _cbs_get_latin1 -%xdefine _cbs_get_ucs2_be _ %+ BORINGSSL_PREFIX %+ _cbs_get_ucs2_be -%xdefine _cbs_get_utf32_be _ %+ BORINGSSL_PREFIX %+ _cbs_get_utf32_be -%xdefine _cbs_get_utf8 _ %+ BORINGSSL_PREFIX %+ _cbs_get_utf8 %xdefine _chacha20_poly1305_open _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_open %xdefine _chacha20_poly1305_seal _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal %xdefine _crypto_gcm_clmul_enabled _ %+ BORINGSSL_PREFIX %+ _crypto_gcm_clmul_enabled 
@@ -2433,7 +2445,6 @@ %xdefine _d2i_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY %xdefine _d2i_EC_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_bio %xdefine _d2i_EC_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_fp -%xdefine _d2i_EDIPARTYNAME _ %+ BORINGSSL_PREFIX %+ _d2i_EDIPARTYNAME %xdefine _d2i_EXTENDED_KEY_USAGE _ %+ BORINGSSL_PREFIX %+ _d2i_EXTENDED_KEY_USAGE %xdefine _d2i_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _d2i_GENERAL_NAME %xdefine _d2i_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _d2i_GENERAL_NAMES @@ -2441,7 +2452,6 @@ %xdefine _d2i_NETSCAPE_SPKAC _ %+ BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKAC %xdefine _d2i_NETSCAPE_SPKI _ %+ BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKI %xdefine _d2i_NOTICEREF _ %+ BORINGSSL_PREFIX %+ _d2i_NOTICEREF -%xdefine _d2i_OTHERNAME _ %+ BORINGSSL_PREFIX %+ _d2i_OTHERNAME %xdefine _d2i_PKCS12 _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS12 %xdefine _d2i_PKCS12_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS12_bio %xdefine _d2i_PKCS12_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS12_fp @@ -2487,7 +2497,6 @@ %xdefine _d2i_X509_EXTENSION _ %+ BORINGSSL_PREFIX %+ _d2i_X509_EXTENSION %xdefine _d2i_X509_EXTENSIONS _ %+ BORINGSSL_PREFIX %+ _d2i_X509_EXTENSIONS %xdefine _d2i_X509_NAME _ %+ BORINGSSL_PREFIX %+ _d2i_X509_NAME -%xdefine _d2i_X509_NAME_ENTRY _ %+ BORINGSSL_PREFIX %+ _d2i_X509_NAME_ENTRY %xdefine _d2i_X509_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_X509_PUBKEY %xdefine _d2i_X509_REQ _ %+ BORINGSSL_PREFIX %+ _d2i_X509_REQ %xdefine _d2i_X509_REQ_INFO _ %+ BORINGSSL_PREFIX %+ _d2i_X509_REQ_INFO 
@@ -2498,6 +2507,7 @@ %xdefine _d2i_X509_VAL _ %+ BORINGSSL_PREFIX %+ _d2i_X509_VAL %xdefine _d2i_X509_bio _ %+ BORINGSSL_PREFIX %+ _d2i_X509_bio %xdefine _d2i_X509_fp _ %+ BORINGSSL_PREFIX %+ _d2i_X509_fp +%xdefine _dh_check_params_fast _ %+ BORINGSSL_PREFIX %+ _dh_check_params_fast %xdefine _dh_compute_key_padded_no_self_test _ %+ BORINGSSL_PREFIX %+ _dh_compute_key_padded_no_self_test %xdefine _dsa_asn1_meth _ %+ BORINGSSL_PREFIX %+ _dsa_asn1_meth %xdefine _dsa_check_key _ %+ BORINGSSL_PREFIX %+ _dsa_check_key @@ -2509,9 +2519,6 @@ %xdefine _ec_GFp_mont_felem_reduce _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_reduce %xdefine _ec_GFp_mont_felem_sqr _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_sqr %xdefine _ec_GFp_mont_felem_to_bytes _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_to_bytes -%xdefine _ec_GFp_mont_group_finish _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_group_finish -%xdefine _ec_GFp_mont_group_init _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_group_init -%xdefine _ec_GFp_mont_group_set_curve _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_group_set_curve %xdefine _ec_GFp_mont_init_precomp _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_init_precomp %xdefine _ec_GFp_mont_mul _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_mul %xdefine _ec_GFp_mont_mul_base _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_base 
@@ -2522,9 +2529,7 @@ %xdefine _ec_GFp_simple_cmp_x_coordinate _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_cmp_x_coordinate %xdefine _ec_GFp_simple_felem_from_bytes _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_felem_from_bytes %xdefine _ec_GFp_simple_felem_to_bytes _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_felem_to_bytes -%xdefine _ec_GFp_simple_group_finish _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_group_finish %xdefine _ec_GFp_simple_group_get_curve _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_group_get_curve -%xdefine _ec_GFp_simple_group_init _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_group_init %xdefine _ec_GFp_simple_group_set_curve _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_group_set_curve %xdefine _ec_GFp_simple_invert _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_invert %xdefine _ec_GFp_simple_is_at_infinity _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_is_at_infinity 
@@ -2546,13 +2551,13 @@ %xdefine _ec_felem_from_bytes _ %+ BORINGSSL_PREFIX %+ _ec_felem_from_bytes %xdefine _ec_felem_neg _ %+ BORINGSSL_PREFIX %+ _ec_felem_neg %xdefine _ec_felem_non_zero_mask _ %+ BORINGSSL_PREFIX %+ _ec_felem_non_zero_mask +%xdefine _ec_felem_one _ %+ BORINGSSL_PREFIX %+ _ec_felem_one %xdefine _ec_felem_select _ %+ BORINGSSL_PREFIX %+ _ec_felem_select %xdefine _ec_felem_sub _ %+ BORINGSSL_PREFIX %+ _ec_felem_sub %xdefine _ec_felem_to_bignum _ %+ BORINGSSL_PREFIX %+ _ec_felem_to_bignum %xdefine _ec_felem_to_bytes _ %+ BORINGSSL_PREFIX %+ _ec_felem_to_bytes %xdefine _ec_get_x_coordinate_as_bytes _ %+ BORINGSSL_PREFIX %+ _ec_get_x_coordinate_as_bytes %xdefine _ec_get_x_coordinate_as_scalar _ %+ BORINGSSL_PREFIX %+ _ec_get_x_coordinate_as_scalar -%xdefine _ec_group_new _ %+ BORINGSSL_PREFIX %+ _ec_group_new %xdefine _ec_hash_to_curve_p256_xmd_sha256_sswu _ %+ BORINGSSL_PREFIX %+ _ec_hash_to_curve_p256_xmd_sha256_sswu %xdefine _ec_hash_to_curve_p384_xmd_sha384_sswu _ %+ BORINGSSL_PREFIX %+ _ec_hash_to_curve_p384_xmd_sha384_sswu %xdefine _ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 _ %+ BORINGSSL_PREFIX %+ _ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 @@ -2612,6 +2617,10 @@ %xdefine _ecp_nistz256_sub _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sub %xdefine _ed25519_asn1_meth _ %+ BORINGSSL_PREFIX %+ _ed25519_asn1_meth %xdefine _ed25519_pkey_meth _ %+ BORINGSSL_PREFIX %+ _ed25519_pkey_meth +%xdefine _fiat_curve25519_adx_mul _ %+ BORINGSSL_PREFIX %+ _fiat_curve25519_adx_mul +%xdefine _fiat_curve25519_adx_square _ %+ BORINGSSL_PREFIX %+ _fiat_curve25519_adx_square +%xdefine _fiat_p256_adx_mul _ %+ BORINGSSL_PREFIX %+ _fiat_p256_adx_mul +%xdefine _fiat_p256_adx_sqr _ %+ BORINGSSL_PREFIX %+ _fiat_p256_adx_sqr %xdefine _gcm_ghash_avx _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_avx %xdefine _gcm_ghash_clmul _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_clmul %xdefine _gcm_ghash_neon _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_neon 
@@ -2631,7 +2640,6 @@ %xdefine _gcm_init_ssse3 _ %+ BORINGSSL_PREFIX %+ _gcm_init_ssse3 %xdefine _gcm_init_v8 _ %+ BORINGSSL_PREFIX %+ _gcm_init_v8 %xdefine _hkdf_pkey_meth _ %+ BORINGSSL_PREFIX %+ _hkdf_pkey_meth -%xdefine _i2a_ACCESS_DESCRIPTION _ %+ BORINGSSL_PREFIX %+ _i2a_ACCESS_DESCRIPTION %xdefine _i2a_ASN1_ENUMERATED _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_ENUMERATED %xdefine _i2a_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_INTEGER %xdefine _i2a_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_OBJECT @@ -2689,7 +2697,6 @@ %xdefine _i2d_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY %xdefine _i2d_EC_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_bio %xdefine _i2d_EC_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_fp -%xdefine _i2d_EDIPARTYNAME _ %+ BORINGSSL_PREFIX %+ _i2d_EDIPARTYNAME %xdefine _i2d_EXTENDED_KEY_USAGE _ %+ BORINGSSL_PREFIX %+ _i2d_EXTENDED_KEY_USAGE %xdefine _i2d_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _i2d_GENERAL_NAME %xdefine _i2d_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _i2d_GENERAL_NAMES @@ -2697,7 +2704,6 @@ %xdefine _i2d_NETSCAPE_SPKAC _ %+ BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKAC %xdefine _i2d_NETSCAPE_SPKI _ %+ BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKI %xdefine _i2d_NOTICEREF _ %+ BORINGSSL_PREFIX %+ _i2d_NOTICEREF -%xdefine _i2d_OTHERNAME _ %+ BORINGSSL_PREFIX %+ _i2d_OTHERNAME %xdefine _i2d_PKCS12 _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS12 %xdefine _i2d_PKCS12_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS12_bio %xdefine _i2d_PKCS12_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS12_fp 
@@ -2748,7 +2754,6 @@ %xdefine _i2d_X509_EXTENSION _ %+ BORINGSSL_PREFIX %+ _i2d_X509_EXTENSION %xdefine _i2d_X509_EXTENSIONS _ %+ BORINGSSL_PREFIX %+ _i2d_X509_EXTENSIONS %xdefine _i2d_X509_NAME _ %+ BORINGSSL_PREFIX %+ _i2d_X509_NAME -%xdefine _i2d_X509_NAME_ENTRY _ %+ BORINGSSL_PREFIX %+ _i2d_X509_NAME_ENTRY %xdefine _i2d_X509_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_X509_PUBKEY %xdefine _i2d_X509_REQ _ %+ BORINGSSL_PREFIX %+ _i2d_X509_REQ %xdefine _i2d_X509_REQ_INFO _ %+ BORINGSSL_PREFIX %+ _i2d_X509_REQ_INFO @@ -2770,6 +2775,7 @@ %xdefine _i2t_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _i2t_ASN1_OBJECT %xdefine _i2v_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _i2v_GENERAL_NAME %xdefine _i2v_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _i2v_GENERAL_NAMES +%xdefine _k25519Precomp _ %+ BORINGSSL_PREFIX %+ _k25519Precomp %xdefine _kBoringSSLRSASqrtTwo _ %+ BORINGSSL_PREFIX %+ _kBoringSSLRSASqrtTwo %xdefine _kBoringSSLRSASqrtTwoLen _ %+ BORINGSSL_PREFIX %+ _kBoringSSLRSASqrtTwoLen %xdefine _kOpenSSLReasonStringData _ %+ BORINGSSL_PREFIX %+ _kOpenSSLReasonStringData 
@@ -2833,31 +2839,62 @@ %xdefine _rsaz_1024_sqr_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_sqr_avx2 %xdefine _s2i_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _s2i_ASN1_INTEGER %xdefine _s2i_ASN1_OCTET_STRING _ %+ BORINGSSL_PREFIX %+ _s2i_ASN1_OCTET_STRING -%xdefine _sha1_block_data_order _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order -%xdefine _sha256_block_data_order _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order -%xdefine _sha512_block_data_order _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order -%xdefine _sk_deep_copy _ %+ BORINGSSL_PREFIX %+ _sk_deep_copy -%xdefine _sk_delete _ %+ BORINGSSL_PREFIX %+ _sk_delete -%xdefine _sk_delete_if _ %+ BORINGSSL_PREFIX %+ _sk_delete_if -%xdefine _sk_delete_ptr _ %+ BORINGSSL_PREFIX %+ _sk_delete_ptr -%xdefine _sk_dup _ %+ BORINGSSL_PREFIX %+ _sk_dup -%xdefine _sk_find _ %+ BORINGSSL_PREFIX %+ _sk_find +%xdefine _sha1_block_data_order_avx _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_avx +%xdefine _sha1_block_data_order_avx2 _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_avx2 +%xdefine _sha1_block_data_order_hw _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_hw +%xdefine _sha1_block_data_order_nohw _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_nohw +%xdefine _sha1_block_data_order_ssse3 _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_ssse3 +%xdefine _sha256_block_data_order_avx _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_avx +%xdefine _sha256_block_data_order_hw _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_hw +%xdefine _sha256_block_data_order_nohw _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_nohw +%xdefine _sha256_block_data_order_ssse3 _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_ssse3 +%xdefine _sha512_block_data_order_avx _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order_avx +%xdefine _sha512_block_data_order_hw _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order_hw +%xdefine _sha512_block_data_order_nohw _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order_nohw %xdefine _sk_free _ %+ BORINGSSL_PREFIX %+ 
_sk_free -%xdefine _sk_insert _ %+ BORINGSSL_PREFIX %+ _sk_insert -%xdefine _sk_is_sorted _ %+ BORINGSSL_PREFIX %+ _sk_is_sorted -%xdefine _sk_new _ %+ BORINGSSL_PREFIX %+ _sk_new %xdefine _sk_new_null _ %+ BORINGSSL_PREFIX %+ _sk_new_null %xdefine _sk_num _ %+ BORINGSSL_PREFIX %+ _sk_num %xdefine _sk_pop _ %+ BORINGSSL_PREFIX %+ _sk_pop %xdefine _sk_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_pop_free %xdefine _sk_pop_free_ex _ %+ BORINGSSL_PREFIX %+ _sk_pop_free_ex %xdefine _sk_push _ %+ BORINGSSL_PREFIX %+ _sk_push -%xdefine _sk_set _ %+ BORINGSSL_PREFIX %+ _sk_set -%xdefine _sk_set_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_set_cmp_func -%xdefine _sk_shift _ %+ BORINGSSL_PREFIX %+ _sk_shift -%xdefine _sk_sort _ %+ BORINGSSL_PREFIX %+ _sk_sort %xdefine _sk_value _ %+ BORINGSSL_PREFIX %+ _sk_value -%xdefine _sk_zero _ %+ BORINGSSL_PREFIX %+ _sk_zero +%xdefine _spx_base_b _ %+ BORINGSSL_PREFIX %+ _spx_base_b +%xdefine _spx_copy_keypair_addr _ %+ BORINGSSL_PREFIX %+ _spx_copy_keypair_addr +%xdefine _spx_fors_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _spx_fors_pk_from_sig +%xdefine _spx_fors_sign _ %+ BORINGSSL_PREFIX %+ _spx_fors_sign +%xdefine _spx_fors_sk_gen _ %+ BORINGSSL_PREFIX %+ _spx_fors_sk_gen +%xdefine _spx_fors_treehash _ %+ BORINGSSL_PREFIX %+ _spx_fors_treehash +%xdefine _spx_generate_key _ %+ BORINGSSL_PREFIX %+ _spx_generate_key +%xdefine _spx_generate_key_from_seed _ %+ BORINGSSL_PREFIX %+ _spx_generate_key_from_seed +%xdefine _spx_get_tree_index _ %+ BORINGSSL_PREFIX %+ _spx_get_tree_index +%xdefine _spx_ht_sign _ %+ BORINGSSL_PREFIX %+ _spx_ht_sign +%xdefine _spx_ht_verify _ %+ BORINGSSL_PREFIX %+ _spx_ht_verify +%xdefine _spx_set_chain_addr _ %+ BORINGSSL_PREFIX %+ _spx_set_chain_addr +%xdefine _spx_set_hash_addr _ %+ BORINGSSL_PREFIX %+ _spx_set_hash_addr +%xdefine _spx_set_keypair_addr _ %+ BORINGSSL_PREFIX %+ _spx_set_keypair_addr +%xdefine _spx_set_layer_addr _ %+ BORINGSSL_PREFIX %+ _spx_set_layer_addr +%xdefine _spx_set_tree_addr _ %+ BORINGSSL_PREFIX %+ 
_spx_set_tree_addr +%xdefine _spx_set_tree_height _ %+ BORINGSSL_PREFIX %+ _spx_set_tree_height +%xdefine _spx_set_tree_index _ %+ BORINGSSL_PREFIX %+ _spx_set_tree_index +%xdefine _spx_set_type _ %+ BORINGSSL_PREFIX %+ _spx_set_type +%xdefine _spx_sign _ %+ BORINGSSL_PREFIX %+ _spx_sign +%xdefine _spx_thash_f _ %+ BORINGSSL_PREFIX %+ _spx_thash_f +%xdefine _spx_thash_h _ %+ BORINGSSL_PREFIX %+ _spx_thash_h +%xdefine _spx_thash_hmsg _ %+ BORINGSSL_PREFIX %+ _spx_thash_hmsg +%xdefine _spx_thash_prf _ %+ BORINGSSL_PREFIX %+ _spx_thash_prf +%xdefine _spx_thash_prfmsg _ %+ BORINGSSL_PREFIX %+ _spx_thash_prfmsg +%xdefine _spx_thash_tk _ %+ BORINGSSL_PREFIX %+ _spx_thash_tk +%xdefine _spx_thash_tl _ %+ BORINGSSL_PREFIX %+ _spx_thash_tl +%xdefine _spx_to_uint64 _ %+ BORINGSSL_PREFIX %+ _spx_to_uint64 +%xdefine _spx_treehash _ %+ BORINGSSL_PREFIX %+ _spx_treehash +%xdefine _spx_uint64_to_len_bytes _ %+ BORINGSSL_PREFIX %+ _spx_uint64_to_len_bytes +%xdefine _spx_verify _ %+ BORINGSSL_PREFIX %+ _spx_verify +%xdefine _spx_wots_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _spx_wots_pk_from_sig +%xdefine _spx_wots_pk_gen _ %+ BORINGSSL_PREFIX %+ _spx_wots_pk_gen +%xdefine _spx_wots_sign _ %+ BORINGSSL_PREFIX %+ _spx_wots_sign +%xdefine _spx_xmss_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _spx_xmss_pk_from_sig +%xdefine _spx_xmss_sign _ %+ BORINGSSL_PREFIX %+ _spx_xmss_sign %xdefine _v2i_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME %xdefine _v2i_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _v2i_GENERAL_NAMES %xdefine _v2i_GENERAL_NAME_ex _ %+ BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME_ex 
@@ -2916,12 +2953,15 @@ %xdefine _x25519_ge_p3_to_cached _ %+ BORINGSSL_PREFIX %+ _x25519_ge_p3_to_cached %xdefine _x25519_ge_scalarmult _ %+ BORINGSSL_PREFIX %+ _x25519_ge_scalarmult %xdefine _x25519_ge_scalarmult_base _ %+ BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_base +%xdefine _x25519_ge_scalarmult_base_adx _ %+ BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_base_adx %xdefine _x25519_ge_scalarmult_small_precomp _ %+ BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_small_precomp %xdefine _x25519_ge_sub _ %+ BORINGSSL_PREFIX %+ _x25519_ge_sub %xdefine _x25519_ge_tobytes _ %+ BORINGSSL_PREFIX %+ _x25519_ge_tobytes %xdefine _x25519_pkey_meth _ %+ BORINGSSL_PREFIX %+ _x25519_pkey_meth %xdefine _x25519_sc_reduce _ %+ BORINGSSL_PREFIX %+ _x25519_sc_reduce +%xdefine _x25519_scalar_mult_adx _ %+ BORINGSSL_PREFIX %+ _x25519_scalar_mult_adx %xdefine _x509V3_add_value_asn1_string _ %+ BORINGSSL_PREFIX %+ _x509V3_add_value_asn1_string +%xdefine _x509_check_issued_with_callback _ %+ BORINGSSL_PREFIX %+ _x509_check_issued_with_callback %xdefine _x509_digest_sign_algorithm _ %+ BORINGSSL_PREFIX %+ _x509_digest_sign_algorithm %xdefine _x509_digest_verify_init _ %+ BORINGSSL_PREFIX %+ _x509_digest_verify_init %xdefine _x509_print_rsa_pss_params _ %+ BORINGSSL_PREFIX %+ _x509_print_rsa_pss_params @@ -3059,6 +3099,7 @@ %xdefine ASN1_TIME_set BORINGSSL_PREFIX %+ _ASN1_TIME_set %xdefine ASN1_TIME_set_posix BORINGSSL_PREFIX %+ _ASN1_TIME_set_posix %xdefine ASN1_TIME_set_string BORINGSSL_PREFIX %+ _ASN1_TIME_set_string +%xdefine ASN1_TIME_set_string_X509 BORINGSSL_PREFIX %+ _ASN1_TIME_set_string_X509 %xdefine ASN1_TIME_to_generalizedtime BORINGSSL_PREFIX %+ _ASN1_TIME_to_generalizedtime %xdefine ASN1_TIME_to_posix BORINGSSL_PREFIX %+ _ASN1_TIME_to_posix %xdefine ASN1_TIME_to_time_t BORINGSSL_PREFIX %+ _ASN1_TIME_to_time_t 
@@ -3142,6 +3183,8 @@ %xdefine BIO_free BORINGSSL_PREFIX %+ _BIO_free %xdefine BIO_free_all BORINGSSL_PREFIX %+ _BIO_free_all %xdefine BIO_get_data BORINGSSL_PREFIX %+ _BIO_get_data +%xdefine BIO_get_ex_data BORINGSSL_PREFIX %+ _BIO_get_ex_data +%xdefine BIO_get_ex_new_index BORINGSSL_PREFIX %+ _BIO_get_ex_new_index %xdefine BIO_get_fd BORINGSSL_PREFIX %+ _BIO_get_fd %xdefine BIO_get_fp BORINGSSL_PREFIX %+ _BIO_get_fp %xdefine BIO_get_init BORINGSSL_PREFIX %+ _BIO_get_init @@ -3199,6 +3242,7 @@ %xdefine BIO_set_conn_int_port BORINGSSL_PREFIX %+ _BIO_set_conn_int_port %xdefine BIO_set_conn_port BORINGSSL_PREFIX %+ _BIO_set_conn_port %xdefine BIO_set_data BORINGSSL_PREFIX %+ _BIO_set_data +%xdefine BIO_set_ex_data BORINGSSL_PREFIX %+ _BIO_set_ex_data %xdefine BIO_set_fd BORINGSSL_PREFIX %+ _BIO_set_fd %xdefine BIO_set_flags BORINGSSL_PREFIX %+ _BIO_set_flags %xdefine BIO_set_fp BORINGSSL_PREFIX %+ _BIO_set_fp @@ -3265,6 +3309,7 @@ %xdefine BN_bn2dec BORINGSSL_PREFIX %+ _BN_bn2dec %xdefine BN_bn2hex BORINGSSL_PREFIX %+ _BN_bn2hex %xdefine BN_bn2le_padded BORINGSSL_PREFIX %+ _BN_bn2le_padded +%xdefine BN_bn2lebinpad BORINGSSL_PREFIX %+ _BN_bn2lebinpad %xdefine BN_bn2mpi BORINGSSL_PREFIX %+ _BN_bn2mpi %xdefine BN_clear BORINGSSL_PREFIX %+ _BN_clear %xdefine BN_clear_bit BORINGSSL_PREFIX %+ _BN_clear_bit @@ -3304,6 +3349,7 @@ %xdefine BN_is_word BORINGSSL_PREFIX %+ _BN_is_word %xdefine BN_is_zero BORINGSSL_PREFIX %+ _BN_is_zero %xdefine BN_le2bn BORINGSSL_PREFIX %+ _BN_le2bn +%xdefine BN_lebin2bn BORINGSSL_PREFIX %+ _BN_lebin2bn %xdefine BN_lshift BORINGSSL_PREFIX %+ _BN_lshift %xdefine BN_lshift1 BORINGSSL_PREFIX %+ _BN_lshift1 %xdefine BN_marshal_asn1 BORINGSSL_PREFIX %+ _BN_marshal_asn1 
@@ -3369,6 +3415,7 @@ %xdefine BN_value_one BORINGSSL_PREFIX %+ _BN_value_one %xdefine BN_zero BORINGSSL_PREFIX %+ _BN_zero %xdefine BORINGSSL_keccak BORINGSSL_PREFIX %+ _BORINGSSL_keccak +%xdefine BORINGSSL_keccak_absorb BORINGSSL_PREFIX %+ _BORINGSSL_keccak_absorb %xdefine BORINGSSL_keccak_init BORINGSSL_PREFIX %+ _BORINGSSL_keccak_init %xdefine BORINGSSL_keccak_squeeze BORINGSSL_PREFIX %+ _BORINGSSL_keccak_squeeze %xdefine BORINGSSL_self_test BORINGSSL_PREFIX %+ _BORINGSSL_self_test @@ -3393,6 +3440,7 @@ %xdefine CBB_add_asn1_uint64 BORINGSSL_PREFIX %+ _CBB_add_asn1_uint64 %xdefine CBB_add_asn1_uint64_with_tag BORINGSSL_PREFIX %+ _CBB_add_asn1_uint64_with_tag %xdefine CBB_add_bytes BORINGSSL_PREFIX %+ _CBB_add_bytes +%xdefine CBB_add_latin1 BORINGSSL_PREFIX %+ _CBB_add_latin1 %xdefine CBB_add_space BORINGSSL_PREFIX %+ _CBB_add_space %xdefine CBB_add_u16 BORINGSSL_PREFIX %+ _CBB_add_u16 %xdefine CBB_add_u16_length_prefixed BORINGSSL_PREFIX %+ _CBB_add_u16_length_prefixed @@ -3405,6 +3453,9 @@ %xdefine CBB_add_u64le BORINGSSL_PREFIX %+ _CBB_add_u64le %xdefine CBB_add_u8 BORINGSSL_PREFIX %+ _CBB_add_u8 %xdefine CBB_add_u8_length_prefixed BORINGSSL_PREFIX %+ _CBB_add_u8_length_prefixed +%xdefine CBB_add_ucs2_be BORINGSSL_PREFIX %+ _CBB_add_ucs2_be +%xdefine CBB_add_utf32_be BORINGSSL_PREFIX %+ _CBB_add_utf32_be +%xdefine CBB_add_utf8 BORINGSSL_PREFIX %+ _CBB_add_utf8 %xdefine CBB_add_zeros BORINGSSL_PREFIX %+ _CBB_add_zeros %xdefine CBB_cleanup BORINGSSL_PREFIX %+ _CBB_cleanup %xdefine CBB_data BORINGSSL_PREFIX %+ _CBB_data @@ -3414,6 +3465,7 @@ %xdefine CBB_finish_i2d BORINGSSL_PREFIX %+ _CBB_finish_i2d %xdefine CBB_flush BORINGSSL_PREFIX %+ _CBB_flush %xdefine CBB_flush_asn1_set_of BORINGSSL_PREFIX %+ _CBB_flush_asn1_set_of +%xdefine CBB_get_utf8_len BORINGSSL_PREFIX %+ _CBB_get_utf8_len %xdefine CBB_init BORINGSSL_PREFIX %+ _CBB_init %xdefine CBB_init_fixed BORINGSSL_PREFIX %+ _CBB_init_fixed %xdefine CBB_len BORINGSSL_PREFIX %+ _CBB_len 
@@ -3436,6 +3488,7 @@ %xdefine CBS_get_asn1_uint64 BORINGSSL_PREFIX %+ _CBS_get_asn1_uint64 %xdefine CBS_get_bytes BORINGSSL_PREFIX %+ _CBS_get_bytes %xdefine CBS_get_last_u8 BORINGSSL_PREFIX %+ _CBS_get_last_u8 +%xdefine CBS_get_latin1 BORINGSSL_PREFIX %+ _CBS_get_latin1 %xdefine CBS_get_optional_asn1 BORINGSSL_PREFIX %+ _CBS_get_optional_asn1 %xdefine CBS_get_optional_asn1_bool BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_bool %xdefine CBS_get_optional_asn1_octet_string BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_octet_string @@ -3452,7 +3505,10 @@ %xdefine CBS_get_u64le BORINGSSL_PREFIX %+ _CBS_get_u64le %xdefine CBS_get_u8 BORINGSSL_PREFIX %+ _CBS_get_u8 %xdefine CBS_get_u8_length_prefixed BORINGSSL_PREFIX %+ _CBS_get_u8_length_prefixed +%xdefine CBS_get_ucs2_be BORINGSSL_PREFIX %+ _CBS_get_ucs2_be %xdefine CBS_get_until_first BORINGSSL_PREFIX %+ _CBS_get_until_first +%xdefine CBS_get_utf32_be BORINGSSL_PREFIX %+ _CBS_get_utf32_be +%xdefine CBS_get_utf8 BORINGSSL_PREFIX %+ _CBS_get_utf8 %xdefine CBS_init BORINGSSL_PREFIX %+ _CBS_init %xdefine CBS_is_unsigned_asn1_integer BORINGSSL_PREFIX %+ _CBS_is_unsigned_asn1_integer %xdefine CBS_is_valid_asn1_bitstring BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_bitstring 
@@ -3503,10 +3559,6 @@ %xdefine CRYPTO_POLYVAL_finish BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_finish %xdefine CRYPTO_POLYVAL_init BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_init %xdefine CRYPTO_POLYVAL_update_blocks BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_update_blocks -%xdefine CRYPTO_STATIC_MUTEX_lock_read BORINGSSL_PREFIX %+ _CRYPTO_STATIC_MUTEX_lock_read -%xdefine CRYPTO_STATIC_MUTEX_lock_write BORINGSSL_PREFIX %+ _CRYPTO_STATIC_MUTEX_lock_write -%xdefine CRYPTO_STATIC_MUTEX_unlock_read BORINGSSL_PREFIX %+ _CRYPTO_STATIC_MUTEX_unlock_read -%xdefine CRYPTO_STATIC_MUTEX_unlock_write BORINGSSL_PREFIX %+ _CRYPTO_STATIC_MUTEX_unlock_write %xdefine CRYPTO_THREADID_current BORINGSSL_PREFIX %+ _CRYPTO_THREADID_current %xdefine CRYPTO_THREADID_set_callback BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_callback %xdefine CRYPTO_THREADID_set_numeric BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_numeric @@ -3520,6 +3572,7 @@ %xdefine CRYPTO_cleanup_all_ex_data BORINGSSL_PREFIX %+ _CRYPTO_cleanup_all_ex_data %xdefine CRYPTO_ctr128_encrypt BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt %xdefine CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt_ctr32 +%xdefine CRYPTO_fips_186_2_prf BORINGSSL_PREFIX %+ _CRYPTO_fips_186_2_prf %xdefine CRYPTO_fork_detect_force_madv_wipeonfork_for_testing BORINGSSL_PREFIX %+ _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing %xdefine CRYPTO_free BORINGSSL_PREFIX %+ _CRYPTO_free %xdefine CRYPTO_free_ex_data BORINGSSL_PREFIX %+ _CRYPTO_free_ex_data 
@@ -3545,9 +3598,6 @@ %xdefine CRYPTO_has_asm BORINGSSL_PREFIX %+ _CRYPTO_has_asm %xdefine CRYPTO_hchacha20 BORINGSSL_PREFIX %+ _CRYPTO_hchacha20 %xdefine CRYPTO_init_sysrand BORINGSSL_PREFIX %+ _CRYPTO_init_sysrand -%xdefine CRYPTO_is_ARMv8_AES_capable_at_runtime BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_AES_capable_at_runtime -%xdefine CRYPTO_is_ARMv8_PMULL_capable_at_runtime BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_PMULL_capable_at_runtime -%xdefine CRYPTO_is_NEON_capable_at_runtime BORINGSSL_PREFIX %+ _CRYPTO_is_NEON_capable_at_runtime %xdefine CRYPTO_is_confidential_build BORINGSSL_PREFIX %+ _CRYPTO_is_confidential_build %xdefine CRYPTO_library_init BORINGSSL_PREFIX %+ _CRYPTO_library_init %xdefine CRYPTO_malloc BORINGSSL_PREFIX %+ _CRYPTO_malloc 
@@ -3588,15 +3638,24 @@ %xdefine CTR_DRBG_init BORINGSSL_PREFIX %+ _CTR_DRBG_init %xdefine CTR_DRBG_new BORINGSSL_PREFIX %+ _CTR_DRBG_new %xdefine CTR_DRBG_reseed BORINGSSL_PREFIX %+ _CTR_DRBG_reseed -%xdefine ChaCha20_ctr32 BORINGSSL_PREFIX %+ _ChaCha20_ctr32 +%xdefine ChaCha20_ctr32_avx2 BORINGSSL_PREFIX %+ _ChaCha20_ctr32_avx2 +%xdefine ChaCha20_ctr32_neon BORINGSSL_PREFIX %+ _ChaCha20_ctr32_neon +%xdefine ChaCha20_ctr32_nohw BORINGSSL_PREFIX %+ _ChaCha20_ctr32_nohw +%xdefine ChaCha20_ctr32_ssse3 BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3 +%xdefine ChaCha20_ctr32_ssse3_4x BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_4x %xdefine DES_decrypt3 BORINGSSL_PREFIX %+ _DES_decrypt3 %xdefine DES_ecb3_encrypt BORINGSSL_PREFIX %+ _DES_ecb3_encrypt +%xdefine DES_ecb3_encrypt_ex BORINGSSL_PREFIX %+ _DES_ecb3_encrypt_ex %xdefine DES_ecb_encrypt BORINGSSL_PREFIX %+ _DES_ecb_encrypt +%xdefine DES_ecb_encrypt_ex BORINGSSL_PREFIX %+ _DES_ecb_encrypt_ex %xdefine DES_ede2_cbc_encrypt BORINGSSL_PREFIX %+ _DES_ede2_cbc_encrypt %xdefine DES_ede3_cbc_encrypt BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt +%xdefine DES_ede3_cbc_encrypt_ex BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt_ex %xdefine DES_encrypt3 BORINGSSL_PREFIX %+ _DES_encrypt3 %xdefine DES_ncbc_encrypt BORINGSSL_PREFIX %+ _DES_ncbc_encrypt +%xdefine DES_ncbc_encrypt_ex BORINGSSL_PREFIX %+ _DES_ncbc_encrypt_ex %xdefine DES_set_key BORINGSSL_PREFIX %+ _DES_set_key +%xdefine DES_set_key_ex BORINGSSL_PREFIX %+ _DES_set_key_ex %xdefine DES_set_key_unchecked BORINGSSL_PREFIX %+ _DES_set_key_unchecked %xdefine DES_set_odd_parity BORINGSSL_PREFIX %+ _DES_set_odd_parity %xdefine DH_bits BORINGSSL_PREFIX %+ _DH_bits 
@@ -3782,6 +3841,10 @@ %xdefine EC_curve_nid2nist BORINGSSL_PREFIX %+ _EC_curve_nid2nist %xdefine EC_curve_nist2nid BORINGSSL_PREFIX %+ _EC_curve_nist2nid %xdefine EC_get_builtin_curves BORINGSSL_PREFIX %+ _EC_get_builtin_curves +%xdefine EC_group_p224 BORINGSSL_PREFIX %+ _EC_group_p224 +%xdefine EC_group_p256 BORINGSSL_PREFIX %+ _EC_group_p256 +%xdefine EC_group_p384 BORINGSSL_PREFIX %+ _EC_group_p384 +%xdefine EC_group_p521 BORINGSSL_PREFIX %+ _EC_group_p521 %xdefine EC_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_PREFIX %+ _EC_hash_to_curve_p256_xmd_sha256_sswu %xdefine EC_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_PREFIX %+ _EC_hash_to_curve_p384_xmd_sha384_sswu %xdefine ED25519_keypair BORINGSSL_PREFIX %+ _ED25519_keypair @@ -3954,6 +4017,7 @@ %xdefine EVP_HPKE_KEY_generate BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_generate %xdefine EVP_HPKE_KEY_init BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_init %xdefine EVP_HPKE_KEY_kem BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_kem +%xdefine EVP_HPKE_KEY_move BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_move %xdefine EVP_HPKE_KEY_new BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_new %xdefine EVP_HPKE_KEY_private_key BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_private_key %xdefine EVP_HPKE_KEY_public_key BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_public_key @@ -4276,6 +4340,7 @@ %xdefine OBJ_find_sigid_algs BORINGSSL_PREFIX %+ _OBJ_find_sigid_algs %xdefine OBJ_find_sigid_by_algs BORINGSSL_PREFIX %+ _OBJ_find_sigid_by_algs %xdefine OBJ_get0_data BORINGSSL_PREFIX %+ _OBJ_get0_data +%xdefine OBJ_get_undef BORINGSSL_PREFIX %+ _OBJ_get_undef %xdefine OBJ_length BORINGSSL_PREFIX %+ _OBJ_length %xdefine OBJ_ln2nid BORINGSSL_PREFIX %+ _OBJ_ln2nid %xdefine OBJ_nid2cbb BORINGSSL_PREFIX %+ _OBJ_nid2cbb 
@@ -4290,7 +4355,7 @@ %xdefine OPENSSL_add_all_algorithms_conf BORINGSSL_PREFIX %+ _OPENSSL_add_all_algorithms_conf %xdefine OPENSSL_armcap_P BORINGSSL_PREFIX %+ _OPENSSL_armcap_P %xdefine OPENSSL_asprintf BORINGSSL_PREFIX %+ _OPENSSL_asprintf -%xdefine OPENSSL_built_in_curves BORINGSSL_PREFIX %+ _OPENSSL_built_in_curves +%xdefine OPENSSL_calloc BORINGSSL_PREFIX %+ _OPENSSL_calloc %xdefine OPENSSL_cleanse BORINGSSL_PREFIX %+ _OPENSSL_cleanse %xdefine OPENSSL_cleanup BORINGSSL_PREFIX %+ _OPENSSL_cleanup %xdefine OPENSSL_clear_free BORINGSSL_PREFIX %+ _OPENSSL_clear_free @@ -4298,7 +4363,9 @@ %xdefine OPENSSL_cpuid_setup BORINGSSL_PREFIX %+ _OPENSSL_cpuid_setup %xdefine OPENSSL_free BORINGSSL_PREFIX %+ _OPENSSL_free %xdefine OPENSSL_fromxdigit BORINGSSL_PREFIX %+ _OPENSSL_fromxdigit +%xdefine OPENSSL_get_armcap BORINGSSL_PREFIX %+ _OPENSSL_get_armcap %xdefine OPENSSL_get_armcap_pointer_for_test BORINGSSL_PREFIX %+ _OPENSSL_get_armcap_pointer_for_test +%xdefine OPENSSL_get_ia32cap BORINGSSL_PREFIX %+ _OPENSSL_get_ia32cap %xdefine OPENSSL_gmtime BORINGSSL_PREFIX %+ _OPENSSL_gmtime %xdefine OPENSSL_gmtime_adj BORINGSSL_PREFIX %+ _OPENSSL_gmtime_adj %xdefine OPENSSL_gmtime_diff BORINGSSL_PREFIX %+ _OPENSSL_gmtime_diff 
@@ -4327,6 +4394,27 @@ %xdefine OPENSSL_realloc BORINGSSL_PREFIX %+ _OPENSSL_realloc %xdefine OPENSSL_secure_clear_free BORINGSSL_PREFIX %+ _OPENSSL_secure_clear_free %xdefine OPENSSL_secure_malloc BORINGSSL_PREFIX %+ _OPENSSL_secure_malloc +%xdefine OPENSSL_sk_deep_copy BORINGSSL_PREFIX %+ _OPENSSL_sk_deep_copy +%xdefine OPENSSL_sk_delete BORINGSSL_PREFIX %+ _OPENSSL_sk_delete +%xdefine OPENSSL_sk_delete_if BORINGSSL_PREFIX %+ _OPENSSL_sk_delete_if +%xdefine OPENSSL_sk_delete_ptr BORINGSSL_PREFIX %+ _OPENSSL_sk_delete_ptr +%xdefine OPENSSL_sk_dup BORINGSSL_PREFIX %+ _OPENSSL_sk_dup +%xdefine OPENSSL_sk_find BORINGSSL_PREFIX %+ _OPENSSL_sk_find +%xdefine OPENSSL_sk_free BORINGSSL_PREFIX %+ _OPENSSL_sk_free +%xdefine OPENSSL_sk_insert BORINGSSL_PREFIX %+ _OPENSSL_sk_insert +%xdefine OPENSSL_sk_is_sorted BORINGSSL_PREFIX %+ _OPENSSL_sk_is_sorted +%xdefine OPENSSL_sk_new BORINGSSL_PREFIX %+ _OPENSSL_sk_new +%xdefine OPENSSL_sk_new_null BORINGSSL_PREFIX %+ _OPENSSL_sk_new_null +%xdefine OPENSSL_sk_num BORINGSSL_PREFIX %+ _OPENSSL_sk_num +%xdefine OPENSSL_sk_pop BORINGSSL_PREFIX %+ _OPENSSL_sk_pop +%xdefine OPENSSL_sk_pop_free_ex BORINGSSL_PREFIX %+ _OPENSSL_sk_pop_free_ex +%xdefine OPENSSL_sk_push BORINGSSL_PREFIX %+ _OPENSSL_sk_push +%xdefine OPENSSL_sk_set BORINGSSL_PREFIX %+ _OPENSSL_sk_set +%xdefine OPENSSL_sk_set_cmp_func BORINGSSL_PREFIX %+ _OPENSSL_sk_set_cmp_func +%xdefine OPENSSL_sk_shift BORINGSSL_PREFIX %+ _OPENSSL_sk_shift +%xdefine OPENSSL_sk_sort BORINGSSL_PREFIX %+ _OPENSSL_sk_sort +%xdefine OPENSSL_sk_value BORINGSSL_PREFIX %+ _OPENSSL_sk_value +%xdefine OPENSSL_sk_zero BORINGSSL_PREFIX %+ _OPENSSL_sk_zero %xdefine OPENSSL_strcasecmp BORINGSSL_PREFIX %+ _OPENSSL_strcasecmp %xdefine OPENSSL_strdup BORINGSSL_PREFIX %+ _OPENSSL_strdup %xdefine OPENSSL_strhash BORINGSSL_PREFIX %+ _OPENSSL_strhash 
@@ -4340,6 +4428,7 @@ %xdefine OPENSSL_tolower BORINGSSL_PREFIX %+ _OPENSSL_tolower %xdefine OPENSSL_vasprintf BORINGSSL_PREFIX %+ _OPENSSL_vasprintf %xdefine OPENSSL_vasprintf_internal BORINGSSL_PREFIX %+ _OPENSSL_vasprintf_internal +%xdefine OPENSSL_zalloc BORINGSSL_PREFIX %+ _OPENSSL_zalloc %xdefine OTHERNAME_free BORINGSSL_PREFIX %+ _OTHERNAME_free %xdefine OTHERNAME_it BORINGSSL_PREFIX %+ _OTHERNAME_it %xdefine OTHERNAME_new BORINGSSL_PREFIX %+ _OTHERNAME_new @@ -4493,6 +4582,7 @@ %xdefine RAND_bytes BORINGSSL_PREFIX %+ _RAND_bytes %xdefine RAND_bytes_with_additional_data BORINGSSL_PREFIX %+ _RAND_bytes_with_additional_data %xdefine RAND_cleanup BORINGSSL_PREFIX %+ _RAND_cleanup +%xdefine RAND_disable_fork_unsafe_buffering BORINGSSL_PREFIX %+ _RAND_disable_fork_unsafe_buffering %xdefine RAND_egd BORINGSSL_PREFIX %+ _RAND_egd %xdefine RAND_enable_fork_unsafe_buffering BORINGSSL_PREFIX %+ _RAND_enable_fork_unsafe_buffering %xdefine RAND_file_name BORINGSSL_PREFIX %+ _RAND_file_name @@ -4665,7 +4755,6 @@ %xdefine X509V3_EXT_nconf_nid BORINGSSL_PREFIX %+ _X509V3_EXT_nconf_nid %xdefine X509V3_EXT_print BORINGSSL_PREFIX %+ _X509V3_EXT_print %xdefine X509V3_EXT_print_fp BORINGSSL_PREFIX %+ _X509V3_EXT_print_fp -%xdefine X509V3_EXT_val_prn BORINGSSL_PREFIX %+ _X509V3_EXT_val_prn %xdefine X509V3_NAME_from_section BORINGSSL_PREFIX %+ _X509V3_NAME_from_section %xdefine X509V3_add1_i2d BORINGSSL_PREFIX %+ _X509V3_add1_i2d %xdefine X509V3_add_standard_extensions BORINGSSL_PREFIX %+ _X509V3_add_standard_extensions @@ -4719,7 +4808,6 @@ %xdefine X509_CRL_add_ext BORINGSSL_PREFIX %+ _X509_CRL_add_ext %xdefine X509_CRL_cmp BORINGSSL_PREFIX %+ _X509_CRL_cmp %xdefine X509_CRL_delete_ext BORINGSSL_PREFIX %+ _X509_CRL_delete_ext -%xdefine X509_CRL_diff BORINGSSL_PREFIX %+ _X509_CRL_diff %xdefine X509_CRL_digest BORINGSSL_PREFIX %+ _X509_CRL_digest %xdefine X509_CRL_dup BORINGSSL_PREFIX %+ _X509_CRL_dup %xdefine X509_CRL_free BORINGSSL_PREFIX %+ _X509_CRL_free 
@@ -4771,15 +4859,12 @@ %xdefine X509_EXTENSION_set_data BORINGSSL_PREFIX %+ _X509_EXTENSION_set_data %xdefine X509_EXTENSION_set_object BORINGSSL_PREFIX %+ _X509_EXTENSION_set_object %xdefine X509_INFO_free BORINGSSL_PREFIX %+ _X509_INFO_free -%xdefine X509_INFO_new BORINGSSL_PREFIX %+ _X509_INFO_new -%xdefine X509_LOOKUP_by_subject BORINGSSL_PREFIX %+ _X509_LOOKUP_by_subject +%xdefine X509_LOOKUP_add_dir BORINGSSL_PREFIX %+ _X509_LOOKUP_add_dir %xdefine X509_LOOKUP_ctrl BORINGSSL_PREFIX %+ _X509_LOOKUP_ctrl %xdefine X509_LOOKUP_file BORINGSSL_PREFIX %+ _X509_LOOKUP_file %xdefine X509_LOOKUP_free BORINGSSL_PREFIX %+ _X509_LOOKUP_free %xdefine X509_LOOKUP_hash_dir BORINGSSL_PREFIX %+ _X509_LOOKUP_hash_dir -%xdefine X509_LOOKUP_init BORINGSSL_PREFIX %+ _X509_LOOKUP_init -%xdefine X509_LOOKUP_new BORINGSSL_PREFIX %+ _X509_LOOKUP_new -%xdefine X509_LOOKUP_shutdown BORINGSSL_PREFIX %+ _X509_LOOKUP_shutdown +%xdefine X509_LOOKUP_load_file BORINGSSL_PREFIX %+ _X509_LOOKUP_load_file %xdefine X509_NAME_ENTRIES_it BORINGSSL_PREFIX %+ _X509_NAME_ENTRIES_it %xdefine X509_NAME_ENTRY_create_by_NID BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_NID %xdefine X509_NAME_ENTRY_create_by_OBJ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_OBJ 
@@ -4819,25 +4904,20 @@ %xdefine X509_NAME_print_ex BORINGSSL_PREFIX %+ _X509_NAME_print_ex %xdefine X509_NAME_print_ex_fp BORINGSSL_PREFIX %+ _X509_NAME_print_ex_fp %xdefine X509_NAME_set BORINGSSL_PREFIX %+ _X509_NAME_set +%xdefine X509_OBJECT_free BORINGSSL_PREFIX %+ _X509_OBJECT_free %xdefine X509_OBJECT_free_contents BORINGSSL_PREFIX %+ _X509_OBJECT_free_contents %xdefine X509_OBJECT_get0_X509 BORINGSSL_PREFIX %+ _X509_OBJECT_get0_X509 %xdefine X509_OBJECT_get_type BORINGSSL_PREFIX %+ _X509_OBJECT_get_type -%xdefine X509_OBJECT_idx_by_subject BORINGSSL_PREFIX %+ _X509_OBJECT_idx_by_subject -%xdefine X509_OBJECT_retrieve_by_subject BORINGSSL_PREFIX %+ _X509_OBJECT_retrieve_by_subject -%xdefine X509_OBJECT_retrieve_match BORINGSSL_PREFIX %+ _X509_OBJECT_retrieve_match -%xdefine X509_OBJECT_up_ref_count BORINGSSL_PREFIX %+ _X509_OBJECT_up_ref_count -%xdefine X509_PKEY_free BORINGSSL_PREFIX %+ _X509_PKEY_free -%xdefine X509_PKEY_new BORINGSSL_PREFIX %+ _X509_PKEY_new +%xdefine X509_OBJECT_new BORINGSSL_PREFIX %+ _X509_OBJECT_new %xdefine X509_PUBKEY_free BORINGSSL_PREFIX %+ _X509_PUBKEY_free %xdefine X509_PUBKEY_get BORINGSSL_PREFIX %+ _X509_PUBKEY_get +%xdefine X509_PUBKEY_get0 BORINGSSL_PREFIX %+ _X509_PUBKEY_get0 %xdefine X509_PUBKEY_get0_param BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_param %xdefine X509_PUBKEY_get0_public_key BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_public_key %xdefine X509_PUBKEY_it BORINGSSL_PREFIX %+ _X509_PUBKEY_it %xdefine X509_PUBKEY_new BORINGSSL_PREFIX %+ _X509_PUBKEY_new %xdefine X509_PUBKEY_set BORINGSSL_PREFIX %+ _X509_PUBKEY_set %xdefine X509_PUBKEY_set0_param BORINGSSL_PREFIX %+ _X509_PUBKEY_set0_param -%xdefine X509_PURPOSE_add BORINGSSL_PREFIX %+ _X509_PURPOSE_add -%xdefine X509_PURPOSE_cleanup BORINGSSL_PREFIX %+ _X509_PURPOSE_cleanup %xdefine X509_PURPOSE_get0 BORINGSSL_PREFIX %+ _X509_PURPOSE_get0 %xdefine X509_PURPOSE_get0_name BORINGSSL_PREFIX %+ _X509_PURPOSE_get0_name %xdefine X509_PURPOSE_get0_sname BORINGSSL_PREFIX %+ 
_X509_PURPOSE_get0_sname @@ -4862,6 +4942,7 @@ %xdefine X509_REQ_dup BORINGSSL_PREFIX %+ _X509_REQ_dup %xdefine X509_REQ_extension_nid BORINGSSL_PREFIX %+ _X509_REQ_extension_nid %xdefine X509_REQ_free BORINGSSL_PREFIX %+ _X509_REQ_free +%xdefine X509_REQ_get0_pubkey BORINGSSL_PREFIX %+ _X509_REQ_get0_pubkey %xdefine X509_REQ_get0_signature BORINGSSL_PREFIX %+ _X509_REQ_get0_signature %xdefine X509_REQ_get1_email BORINGSSL_PREFIX %+ _X509_REQ_get1_email %xdefine X509_REQ_get_attr BORINGSSL_PREFIX %+ _X509_REQ_get_attr @@ -4914,13 +4995,15 @@ %xdefine X509_STORE_CTX_get0_cert BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_cert %xdefine X509_STORE_CTX_get0_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_chain %xdefine X509_STORE_CTX_get0_current_crl BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_crl -%xdefine X509_STORE_CTX_get0_current_issuer BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_issuer %xdefine X509_STORE_CTX_get0_param BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_param %xdefine X509_STORE_CTX_get0_parent_ctx BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_parent_ctx %xdefine X509_STORE_CTX_get0_store BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_store %xdefine X509_STORE_CTX_get0_untrusted BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_untrusted +%xdefine X509_STORE_CTX_get1_certs BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_certs %xdefine X509_STORE_CTX_get1_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_chain +%xdefine X509_STORE_CTX_get1_crls BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_crls %xdefine X509_STORE_CTX_get1_issuer BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_issuer +%xdefine X509_STORE_CTX_get_by_subject BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_by_subject %xdefine X509_STORE_CTX_get_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_chain %xdefine X509_STORE_CTX_get_current_cert BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_current_cert %xdefine X509_STORE_CTX_get_error BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_error 
@@ -4929,11 +5012,9 @@ %xdefine X509_STORE_CTX_get_ex_new_index BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_ex_new_index %xdefine X509_STORE_CTX_init BORINGSSL_PREFIX %+ _X509_STORE_CTX_init %xdefine X509_STORE_CTX_new BORINGSSL_PREFIX %+ _X509_STORE_CTX_new -%xdefine X509_STORE_CTX_purpose_inherit BORINGSSL_PREFIX %+ _X509_STORE_CTX_purpose_inherit %xdefine X509_STORE_CTX_set0_crls BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_crls %xdefine X509_STORE_CTX_set0_param BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_param %xdefine X509_STORE_CTX_set0_trusted_stack BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_trusted_stack -%xdefine X509_STORE_CTX_set_cert BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_cert %xdefine X509_STORE_CTX_set_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_chain %xdefine X509_STORE_CTX_set_default BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_default %xdefine X509_STORE_CTX_set_depth BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_depth 
@@ -4946,49 +5027,24 @@ %xdefine X509_STORE_CTX_set_trust BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_trust %xdefine X509_STORE_CTX_set_verify_cb BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_verify_cb %xdefine X509_STORE_CTX_trusted_stack BORINGSSL_PREFIX %+ _X509_STORE_CTX_trusted_stack -%xdefine X509_STORE_CTX_zero BORINGSSL_PREFIX %+ _X509_STORE_CTX_zero %xdefine X509_STORE_add_cert BORINGSSL_PREFIX %+ _X509_STORE_add_cert %xdefine X509_STORE_add_crl BORINGSSL_PREFIX %+ _X509_STORE_add_crl %xdefine X509_STORE_add_lookup BORINGSSL_PREFIX %+ _X509_STORE_add_lookup %xdefine X509_STORE_free BORINGSSL_PREFIX %+ _X509_STORE_free %xdefine X509_STORE_get0_objects BORINGSSL_PREFIX %+ _X509_STORE_get0_objects %xdefine X509_STORE_get0_param BORINGSSL_PREFIX %+ _X509_STORE_get0_param -%xdefine X509_STORE_get1_certs BORINGSSL_PREFIX %+ _X509_STORE_get1_certs -%xdefine X509_STORE_get1_crls BORINGSSL_PREFIX %+ _X509_STORE_get1_crls -%xdefine X509_STORE_get_by_subject BORINGSSL_PREFIX %+ _X509_STORE_get_by_subject -%xdefine X509_STORE_get_cert_crl BORINGSSL_PREFIX %+ _X509_STORE_get_cert_crl -%xdefine X509_STORE_get_check_crl BORINGSSL_PREFIX %+ _X509_STORE_get_check_crl -%xdefine X509_STORE_get_check_issued BORINGSSL_PREFIX %+ _X509_STORE_get_check_issued -%xdefine X509_STORE_get_check_revocation BORINGSSL_PREFIX %+ _X509_STORE_get_check_revocation -%xdefine X509_STORE_get_cleanup BORINGSSL_PREFIX %+ _X509_STORE_get_cleanup -%xdefine X509_STORE_get_get_crl BORINGSSL_PREFIX %+ _X509_STORE_get_get_crl -%xdefine X509_STORE_get_get_issuer BORINGSSL_PREFIX %+ _X509_STORE_get_get_issuer -%xdefine X509_STORE_get_lookup_certs BORINGSSL_PREFIX %+ _X509_STORE_get_lookup_certs -%xdefine X509_STORE_get_lookup_crls BORINGSSL_PREFIX %+ _X509_STORE_get_lookup_crls -%xdefine X509_STORE_get_verify BORINGSSL_PREFIX %+ _X509_STORE_get_verify -%xdefine X509_STORE_get_verify_cb BORINGSSL_PREFIX %+ _X509_STORE_get_verify_cb %xdefine X509_STORE_load_locations BORINGSSL_PREFIX %+ _X509_STORE_load_locations 
%xdefine X509_STORE_new BORINGSSL_PREFIX %+ _X509_STORE_new %xdefine X509_STORE_set1_param BORINGSSL_PREFIX %+ _X509_STORE_set1_param -%xdefine X509_STORE_set_cert_crl BORINGSSL_PREFIX %+ _X509_STORE_set_cert_crl %xdefine X509_STORE_set_check_crl BORINGSSL_PREFIX %+ _X509_STORE_set_check_crl -%xdefine X509_STORE_set_check_issued BORINGSSL_PREFIX %+ _X509_STORE_set_check_issued -%xdefine X509_STORE_set_check_revocation BORINGSSL_PREFIX %+ _X509_STORE_set_check_revocation -%xdefine X509_STORE_set_cleanup BORINGSSL_PREFIX %+ _X509_STORE_set_cleanup %xdefine X509_STORE_set_default_paths BORINGSSL_PREFIX %+ _X509_STORE_set_default_paths %xdefine X509_STORE_set_depth BORINGSSL_PREFIX %+ _X509_STORE_set_depth %xdefine X509_STORE_set_flags BORINGSSL_PREFIX %+ _X509_STORE_set_flags %xdefine X509_STORE_set_get_crl BORINGSSL_PREFIX %+ _X509_STORE_set_get_crl -%xdefine X509_STORE_set_get_issuer BORINGSSL_PREFIX %+ _X509_STORE_set_get_issuer -%xdefine X509_STORE_set_lookup_certs BORINGSSL_PREFIX %+ _X509_STORE_set_lookup_certs -%xdefine X509_STORE_set_lookup_crls BORINGSSL_PREFIX %+ _X509_STORE_set_lookup_crls %xdefine X509_STORE_set_purpose BORINGSSL_PREFIX %+ _X509_STORE_set_purpose %xdefine X509_STORE_set_trust BORINGSSL_PREFIX %+ _X509_STORE_set_trust -%xdefine X509_STORE_set_verify BORINGSSL_PREFIX %+ _X509_STORE_set_verify %xdefine X509_STORE_set_verify_cb BORINGSSL_PREFIX %+ _X509_STORE_set_verify_cb %xdefine X509_STORE_up_ref BORINGSSL_PREFIX %+ _X509_STORE_up_ref -%xdefine X509_TRUST_add BORINGSSL_PREFIX %+ _X509_TRUST_add -%xdefine X509_TRUST_cleanup BORINGSSL_PREFIX %+ _X509_TRUST_cleanup %xdefine X509_TRUST_get0 BORINGSSL_PREFIX %+ _X509_TRUST_get0 %xdefine X509_TRUST_get0_name BORINGSSL_PREFIX %+ _X509_TRUST_get0_name %xdefine X509_TRUST_get_by_id BORINGSSL_PREFIX %+ _X509_TRUST_get_by_id 
@@ -5003,8 +5059,6 @@ %xdefine X509_VERIFY_PARAM_add1_host BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_add1_host %xdefine X509_VERIFY_PARAM_clear_flags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_clear_flags %xdefine X509_VERIFY_PARAM_free BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_free -%xdefine X509_VERIFY_PARAM_get0_name BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get0_name -%xdefine X509_VERIFY_PARAM_get0_peername BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get0_peername %xdefine X509_VERIFY_PARAM_get_depth BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_depth %xdefine X509_VERIFY_PARAM_get_flags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_flags %xdefine X509_VERIFY_PARAM_inherit BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_inherit @@ -5015,7 +5069,6 @@ %xdefine X509_VERIFY_PARAM_set1_host BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_host %xdefine X509_VERIFY_PARAM_set1_ip BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip %xdefine X509_VERIFY_PARAM_set1_ip_asc BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip_asc -%xdefine X509_VERIFY_PARAM_set1_name BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_name %xdefine X509_VERIFY_PARAM_set1_policies BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_policies %xdefine X509_VERIFY_PARAM_set_depth BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_depth %xdefine X509_VERIFY_PARAM_set_flags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_flags @@ -5058,6 +5111,7 @@ %xdefine X509_get0_extensions BORINGSSL_PREFIX %+ _X509_get0_extensions %xdefine X509_get0_notAfter BORINGSSL_PREFIX %+ _X509_get0_notAfter %xdefine X509_get0_notBefore BORINGSSL_PREFIX %+ _X509_get0_notBefore +%xdefine X509_get0_pubkey BORINGSSL_PREFIX %+ _X509_get0_pubkey %xdefine X509_get0_pubkey_bitstr BORINGSSL_PREFIX %+ _X509_get0_pubkey_bitstr %xdefine X509_get0_serialNumber BORINGSSL_PREFIX %+ _X509_get0_serialNumber %xdefine X509_get0_signature BORINGSSL_PREFIX %+ _X509_get0_signature 
@@ -5148,7 +5202,6 @@ %xdefine X509v3_get_ext_by_OBJ BORINGSSL_PREFIX %+ _X509v3_get_ext_by_OBJ %xdefine X509v3_get_ext_by_critical BORINGSSL_PREFIX %+ _X509v3_get_ext_by_critical %xdefine X509v3_get_ext_count BORINGSSL_PREFIX %+ _X509v3_get_ext_count -%xdefine a2i_GENERAL_NAME BORINGSSL_PREFIX %+ _a2i_GENERAL_NAME %xdefine a2i_IPADDRESS BORINGSSL_PREFIX %+ _a2i_IPADDRESS %xdefine a2i_IPADDRESS_NC BORINGSSL_PREFIX %+ _a2i_IPADDRESS_NC %xdefine aes128gcmsiv_aes_ks BORINGSSL_PREFIX %+ _aes128gcmsiv_aes_ks @@ -5203,14 +5256,16 @@ %xdefine asn1_refcount_set_one BORINGSSL_PREFIX %+ _asn1_refcount_set_one %xdefine asn1_set_choice_selector BORINGSSL_PREFIX %+ _asn1_set_choice_selector %xdefine asn1_type_cleanup BORINGSSL_PREFIX %+ _asn1_type_cleanup +%xdefine asn1_type_set0_string BORINGSSL_PREFIX %+ _asn1_type_set0_string %xdefine asn1_type_value_as_pointer BORINGSSL_PREFIX %+ _asn1_type_value_as_pointer %xdefine asn1_utctime_to_tm BORINGSSL_PREFIX %+ _asn1_utctime_to_tm %xdefine beeu_mod_inverse_vartime BORINGSSL_PREFIX %+ _beeu_mod_inverse_vartime %xdefine bio_clear_socket_error BORINGSSL_PREFIX %+ _bio_clear_socket_error -%xdefine bio_fd_should_retry BORINGSSL_PREFIX %+ _bio_fd_should_retry +%xdefine bio_errno_should_retry BORINGSSL_PREFIX %+ _bio_errno_should_retry %xdefine bio_ip_and_port_to_socket_and_addr BORINGSSL_PREFIX %+ _bio_ip_and_port_to_socket_and_addr %xdefine bio_sock_error BORINGSSL_PREFIX %+ _bio_sock_error %xdefine bio_socket_nbio BORINGSSL_PREFIX %+ _bio_socket_nbio +%xdefine bio_socket_should_retry BORINGSSL_PREFIX %+ _bio_socket_should_retry %xdefine bn_abs_sub_consttime BORINGSSL_PREFIX %+ _bn_abs_sub_consttime %xdefine bn_add_words BORINGSSL_PREFIX %+ _bn_add_words %xdefine bn_assert_fits_in_bytes BORINGSSL_PREFIX %+ _bn_assert_fits_in_bytes 
@@ -5233,7 +5288,6 @@ %xdefine bn_minimal_width BORINGSSL_PREFIX %+ _bn_minimal_width %xdefine bn_mod_add_consttime BORINGSSL_PREFIX %+ _bn_mod_add_consttime %xdefine bn_mod_add_words BORINGSSL_PREFIX %+ _bn_mod_add_words -%xdefine bn_mod_exp_base_2_consttime BORINGSSL_PREFIX %+ _bn_mod_exp_base_2_consttime %xdefine bn_mod_exp_mont_small BORINGSSL_PREFIX %+ _bn_mod_exp_mont_small %xdefine bn_mod_inverse0_prime_mont_small BORINGSSL_PREFIX %+ _bn_mod_inverse0_prime_mont_small %xdefine bn_mod_inverse_consttime BORINGSSL_PREFIX %+ _bn_mod_inverse_consttime @@ -5245,15 +5299,21 @@ %xdefine bn_mod_sub_consttime BORINGSSL_PREFIX %+ _bn_mod_sub_consttime %xdefine bn_mod_sub_words BORINGSSL_PREFIX %+ _bn_mod_sub_words %xdefine bn_mod_u16_consttime BORINGSSL_PREFIX %+ _bn_mod_u16_consttime +%xdefine bn_mont_ctx_cleanup BORINGSSL_PREFIX %+ _bn_mont_ctx_cleanup +%xdefine bn_mont_ctx_init BORINGSSL_PREFIX %+ _bn_mont_ctx_init +%xdefine bn_mont_ctx_set_RR_consttime BORINGSSL_PREFIX %+ _bn_mont_ctx_set_RR_consttime %xdefine bn_mont_n0 BORINGSSL_PREFIX %+ _bn_mont_n0 +%xdefine bn_mul4x_mont BORINGSSL_PREFIX %+ _bn_mul4x_mont %xdefine bn_mul_add_words BORINGSSL_PREFIX %+ _bn_mul_add_words %xdefine bn_mul_comba4 BORINGSSL_PREFIX %+ _bn_mul_comba4 %xdefine bn_mul_comba8 BORINGSSL_PREFIX %+ _bn_mul_comba8 %xdefine bn_mul_consttime BORINGSSL_PREFIX %+ _bn_mul_consttime %xdefine bn_mul_mont BORINGSSL_PREFIX %+ _bn_mul_mont %xdefine bn_mul_mont_gather5 BORINGSSL_PREFIX %+ _bn_mul_mont_gather5 +%xdefine bn_mul_mont_nohw BORINGSSL_PREFIX %+ _bn_mul_mont_nohw %xdefine bn_mul_small BORINGSSL_PREFIX %+ _bn_mul_small %xdefine bn_mul_words BORINGSSL_PREFIX %+ _bn_mul_words +%xdefine bn_mulx4x_mont BORINGSSL_PREFIX %+ _bn_mulx4x_mont %xdefine bn_odd_number_is_obviously_composite BORINGSSL_PREFIX %+ _bn_odd_number_is_obviously_composite %xdefine bn_one_to_montgomery BORINGSSL_PREFIX %+ _bn_one_to_montgomery %xdefine bn_power5 BORINGSSL_PREFIX %+ _bn_power5 
@@ -5271,6 +5331,7 @@ %xdefine bn_set_static_words BORINGSSL_PREFIX %+ _bn_set_static_words %xdefine bn_set_words BORINGSSL_PREFIX %+ _bn_set_words %xdefine bn_sqr8x_internal BORINGSSL_PREFIX %+ _bn_sqr8x_internal +%xdefine bn_sqr8x_mont BORINGSSL_PREFIX %+ _bn_sqr8x_mont %xdefine bn_sqr_comba4 BORINGSSL_PREFIX %+ _bn_sqr_comba4 %xdefine bn_sqr_comba8 BORINGSSL_PREFIX %+ _bn_sqr_comba8 %xdefine bn_sqr_consttime BORINGSSL_PREFIX %+ _bn_sqr_consttime @@ -5289,15 +5350,6 @@ %xdefine c2i_ASN1_BIT_STRING BORINGSSL_PREFIX %+ _c2i_ASN1_BIT_STRING %xdefine c2i_ASN1_INTEGER BORINGSSL_PREFIX %+ _c2i_ASN1_INTEGER %xdefine c2i_ASN1_OBJECT BORINGSSL_PREFIX %+ _c2i_ASN1_OBJECT -%xdefine cbb_add_latin1 BORINGSSL_PREFIX %+ _cbb_add_latin1 -%xdefine cbb_add_ucs2_be BORINGSSL_PREFIX %+ _cbb_add_ucs2_be -%xdefine cbb_add_utf32_be BORINGSSL_PREFIX %+ _cbb_add_utf32_be -%xdefine cbb_add_utf8 BORINGSSL_PREFIX %+ _cbb_add_utf8 -%xdefine cbb_get_utf8_len BORINGSSL_PREFIX %+ _cbb_get_utf8_len -%xdefine cbs_get_latin1 BORINGSSL_PREFIX %+ _cbs_get_latin1 -%xdefine cbs_get_ucs2_be BORINGSSL_PREFIX %+ _cbs_get_ucs2_be -%xdefine cbs_get_utf32_be BORINGSSL_PREFIX %+ _cbs_get_utf32_be -%xdefine cbs_get_utf8 BORINGSSL_PREFIX %+ _cbs_get_utf8 %xdefine chacha20_poly1305_open BORINGSSL_PREFIX %+ _chacha20_poly1305_open %xdefine chacha20_poly1305_seal BORINGSSL_PREFIX %+ _chacha20_poly1305_seal %xdefine crypto_gcm_clmul_enabled BORINGSSL_PREFIX %+ _crypto_gcm_clmul_enabled @@ -5353,7 +5405,6 @@ %xdefine d2i_EC_PUBKEY BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY %xdefine d2i_EC_PUBKEY_bio BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_bio %xdefine d2i_EC_PUBKEY_fp BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_fp -%xdefine d2i_EDIPARTYNAME BORINGSSL_PREFIX %+ _d2i_EDIPARTYNAME %xdefine d2i_EXTENDED_KEY_USAGE BORINGSSL_PREFIX %+ _d2i_EXTENDED_KEY_USAGE %xdefine d2i_GENERAL_NAME BORINGSSL_PREFIX %+ _d2i_GENERAL_NAME %xdefine d2i_GENERAL_NAMES BORINGSSL_PREFIX %+ _d2i_GENERAL_NAMES 
@@ -5361,7 +5412,6 @@ %xdefine d2i_NETSCAPE_SPKAC BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKAC %xdefine d2i_NETSCAPE_SPKI BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKI %xdefine d2i_NOTICEREF BORINGSSL_PREFIX %+ _d2i_NOTICEREF -%xdefine d2i_OTHERNAME BORINGSSL_PREFIX %+ _d2i_OTHERNAME %xdefine d2i_PKCS12 BORINGSSL_PREFIX %+ _d2i_PKCS12 %xdefine d2i_PKCS12_bio BORINGSSL_PREFIX %+ _d2i_PKCS12_bio %xdefine d2i_PKCS12_fp BORINGSSL_PREFIX %+ _d2i_PKCS12_fp @@ -5407,7 +5457,6 @@ %xdefine d2i_X509_EXTENSION BORINGSSL_PREFIX %+ _d2i_X509_EXTENSION %xdefine d2i_X509_EXTENSIONS BORINGSSL_PREFIX %+ _d2i_X509_EXTENSIONS %xdefine d2i_X509_NAME BORINGSSL_PREFIX %+ _d2i_X509_NAME -%xdefine d2i_X509_NAME_ENTRY BORINGSSL_PREFIX %+ _d2i_X509_NAME_ENTRY %xdefine d2i_X509_PUBKEY BORINGSSL_PREFIX %+ _d2i_X509_PUBKEY %xdefine d2i_X509_REQ BORINGSSL_PREFIX %+ _d2i_X509_REQ %xdefine d2i_X509_REQ_INFO BORINGSSL_PREFIX %+ _d2i_X509_REQ_INFO @@ -5418,6 +5467,7 @@ %xdefine d2i_X509_VAL BORINGSSL_PREFIX %+ _d2i_X509_VAL %xdefine d2i_X509_bio BORINGSSL_PREFIX %+ _d2i_X509_bio %xdefine d2i_X509_fp BORINGSSL_PREFIX %+ _d2i_X509_fp +%xdefine dh_check_params_fast BORINGSSL_PREFIX %+ _dh_check_params_fast %xdefine dh_compute_key_padded_no_self_test BORINGSSL_PREFIX %+ _dh_compute_key_padded_no_self_test %xdefine dsa_asn1_meth BORINGSSL_PREFIX %+ _dsa_asn1_meth %xdefine dsa_check_key BORINGSSL_PREFIX %+ _dsa_check_key 
@@ -5429,9 +5479,6 @@ %xdefine ec_GFp_mont_felem_reduce BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_reduce %xdefine ec_GFp_mont_felem_sqr BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_sqr %xdefine ec_GFp_mont_felem_to_bytes BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_to_bytes -%xdefine ec_GFp_mont_group_finish BORINGSSL_PREFIX %+ _ec_GFp_mont_group_finish -%xdefine ec_GFp_mont_group_init BORINGSSL_PREFIX %+ _ec_GFp_mont_group_init -%xdefine ec_GFp_mont_group_set_curve BORINGSSL_PREFIX %+ _ec_GFp_mont_group_set_curve %xdefine ec_GFp_mont_init_precomp BORINGSSL_PREFIX %+ _ec_GFp_mont_init_precomp %xdefine ec_GFp_mont_mul BORINGSSL_PREFIX %+ _ec_GFp_mont_mul %xdefine ec_GFp_mont_mul_base BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_base @@ -5442,9 +5489,7 @@ %xdefine ec_GFp_simple_cmp_x_coordinate BORINGSSL_PREFIX %+ _ec_GFp_simple_cmp_x_coordinate %xdefine ec_GFp_simple_felem_from_bytes BORINGSSL_PREFIX %+ _ec_GFp_simple_felem_from_bytes %xdefine ec_GFp_simple_felem_to_bytes BORINGSSL_PREFIX %+ _ec_GFp_simple_felem_to_bytes -%xdefine ec_GFp_simple_group_finish BORINGSSL_PREFIX %+ _ec_GFp_simple_group_finish %xdefine ec_GFp_simple_group_get_curve BORINGSSL_PREFIX %+ _ec_GFp_simple_group_get_curve -%xdefine ec_GFp_simple_group_init BORINGSSL_PREFIX %+ _ec_GFp_simple_group_init %xdefine ec_GFp_simple_group_set_curve BORINGSSL_PREFIX %+ _ec_GFp_simple_group_set_curve %xdefine ec_GFp_simple_invert BORINGSSL_PREFIX %+ _ec_GFp_simple_invert %xdefine ec_GFp_simple_is_at_infinity BORINGSSL_PREFIX %+ _ec_GFp_simple_is_at_infinity 
@@ -5466,13 +5511,13 @@ %xdefine ec_felem_from_bytes BORINGSSL_PREFIX %+ _ec_felem_from_bytes %xdefine ec_felem_neg BORINGSSL_PREFIX %+ _ec_felem_neg %xdefine ec_felem_non_zero_mask BORINGSSL_PREFIX %+ _ec_felem_non_zero_mask +%xdefine ec_felem_one BORINGSSL_PREFIX %+ _ec_felem_one %xdefine ec_felem_select BORINGSSL_PREFIX %+ _ec_felem_select %xdefine ec_felem_sub BORINGSSL_PREFIX %+ _ec_felem_sub %xdefine ec_felem_to_bignum BORINGSSL_PREFIX %+ _ec_felem_to_bignum %xdefine ec_felem_to_bytes BORINGSSL_PREFIX %+ _ec_felem_to_bytes %xdefine ec_get_x_coordinate_as_bytes BORINGSSL_PREFIX %+ _ec_get_x_coordinate_as_bytes %xdefine ec_get_x_coordinate_as_scalar BORINGSSL_PREFIX %+ _ec_get_x_coordinate_as_scalar -%xdefine ec_group_new BORINGSSL_PREFIX %+ _ec_group_new %xdefine ec_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_PREFIX %+ _ec_hash_to_curve_p256_xmd_sha256_sswu %xdefine ec_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_PREFIX %+ _ec_hash_to_curve_p384_xmd_sha384_sswu %xdefine ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 BORINGSSL_PREFIX %+ _ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 @@ -5532,6 +5577,10 @@ %xdefine ecp_nistz256_sub BORINGSSL_PREFIX %+ _ecp_nistz256_sub %xdefine ed25519_asn1_meth BORINGSSL_PREFIX %+ _ed25519_asn1_meth %xdefine ed25519_pkey_meth BORINGSSL_PREFIX %+ _ed25519_pkey_meth +%xdefine fiat_curve25519_adx_mul BORINGSSL_PREFIX %+ _fiat_curve25519_adx_mul +%xdefine fiat_curve25519_adx_square BORINGSSL_PREFIX %+ _fiat_curve25519_adx_square +%xdefine fiat_p256_adx_mul BORINGSSL_PREFIX %+ _fiat_p256_adx_mul +%xdefine fiat_p256_adx_sqr BORINGSSL_PREFIX %+ _fiat_p256_adx_sqr %xdefine gcm_ghash_avx BORINGSSL_PREFIX %+ _gcm_ghash_avx %xdefine gcm_ghash_clmul BORINGSSL_PREFIX %+ _gcm_ghash_clmul %xdefine gcm_ghash_neon BORINGSSL_PREFIX %+ _gcm_ghash_neon 
@@ -5551,7 +5600,6 @@ %xdefine gcm_init_ssse3 BORINGSSL_PREFIX %+ _gcm_init_ssse3 %xdefine gcm_init_v8 BORINGSSL_PREFIX %+ _gcm_init_v8 %xdefine hkdf_pkey_meth BORINGSSL_PREFIX %+ _hkdf_pkey_meth -%xdefine i2a_ACCESS_DESCRIPTION BORINGSSL_PREFIX %+ _i2a_ACCESS_DESCRIPTION %xdefine i2a_ASN1_ENUMERATED BORINGSSL_PREFIX %+ _i2a_ASN1_ENUMERATED %xdefine i2a_ASN1_INTEGER BORINGSSL_PREFIX %+ _i2a_ASN1_INTEGER %xdefine i2a_ASN1_OBJECT BORINGSSL_PREFIX %+ _i2a_ASN1_OBJECT @@ -5609,7 +5657,6 @@ %xdefine i2d_EC_PUBKEY BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY %xdefine i2d_EC_PUBKEY_bio BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_bio %xdefine i2d_EC_PUBKEY_fp BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_fp -%xdefine i2d_EDIPARTYNAME BORINGSSL_PREFIX %+ _i2d_EDIPARTYNAME %xdefine i2d_EXTENDED_KEY_USAGE BORINGSSL_PREFIX %+ _i2d_EXTENDED_KEY_USAGE %xdefine i2d_GENERAL_NAME BORINGSSL_PREFIX %+ _i2d_GENERAL_NAME %xdefine i2d_GENERAL_NAMES BORINGSSL_PREFIX %+ _i2d_GENERAL_NAMES @@ -5617,7 +5664,6 @@ %xdefine i2d_NETSCAPE_SPKAC BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKAC %xdefine i2d_NETSCAPE_SPKI BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKI %xdefine i2d_NOTICEREF BORINGSSL_PREFIX %+ _i2d_NOTICEREF -%xdefine i2d_OTHERNAME BORINGSSL_PREFIX %+ _i2d_OTHERNAME %xdefine i2d_PKCS12 BORINGSSL_PREFIX %+ _i2d_PKCS12 %xdefine i2d_PKCS12_bio BORINGSSL_PREFIX %+ _i2d_PKCS12_bio %xdefine i2d_PKCS12_fp BORINGSSL_PREFIX %+ _i2d_PKCS12_fp @@ -5668,7 +5714,6 @@ %xdefine i2d_X509_EXTENSION BORINGSSL_PREFIX %+ _i2d_X509_EXTENSION %xdefine i2d_X509_EXTENSIONS BORINGSSL_PREFIX %+ _i2d_X509_EXTENSIONS %xdefine i2d_X509_NAME BORINGSSL_PREFIX %+ _i2d_X509_NAME -%xdefine i2d_X509_NAME_ENTRY BORINGSSL_PREFIX %+ _i2d_X509_NAME_ENTRY %xdefine i2d_X509_PUBKEY BORINGSSL_PREFIX %+ _i2d_X509_PUBKEY %xdefine i2d_X509_REQ BORINGSSL_PREFIX %+ _i2d_X509_REQ %xdefine i2d_X509_REQ_INFO BORINGSSL_PREFIX %+ _i2d_X509_REQ_INFO 
@@ -5690,6 +5735,7 @@ %xdefine i2t_ASN1_OBJECT BORINGSSL_PREFIX %+ _i2t_ASN1_OBJECT %xdefine i2v_GENERAL_NAME BORINGSSL_PREFIX %+ _i2v_GENERAL_NAME %xdefine i2v_GENERAL_NAMES BORINGSSL_PREFIX %+ _i2v_GENERAL_NAMES +%xdefine k25519Precomp BORINGSSL_PREFIX %+ _k25519Precomp %xdefine kBoringSSLRSASqrtTwo BORINGSSL_PREFIX %+ _kBoringSSLRSASqrtTwo %xdefine kBoringSSLRSASqrtTwoLen BORINGSSL_PREFIX %+ _kBoringSSLRSASqrtTwoLen %xdefine kOpenSSLReasonStringData BORINGSSL_PREFIX %+ _kOpenSSLReasonStringData 
@@ -5753,31 +5799,62 @@ %xdefine rsaz_1024_sqr_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_sqr_avx2 %xdefine s2i_ASN1_INTEGER BORINGSSL_PREFIX %+ _s2i_ASN1_INTEGER %xdefine s2i_ASN1_OCTET_STRING BORINGSSL_PREFIX %+ _s2i_ASN1_OCTET_STRING -%xdefine sha1_block_data_order BORINGSSL_PREFIX %+ _sha1_block_data_order -%xdefine sha256_block_data_order BORINGSSL_PREFIX %+ _sha256_block_data_order -%xdefine sha512_block_data_order BORINGSSL_PREFIX %+ _sha512_block_data_order -%xdefine sk_deep_copy BORINGSSL_PREFIX %+ _sk_deep_copy -%xdefine sk_delete BORINGSSL_PREFIX %+ _sk_delete -%xdefine sk_delete_if BORINGSSL_PREFIX %+ _sk_delete_if -%xdefine sk_delete_ptr BORINGSSL_PREFIX %+ _sk_delete_ptr -%xdefine sk_dup BORINGSSL_PREFIX %+ _sk_dup -%xdefine sk_find BORINGSSL_PREFIX %+ _sk_find +%xdefine sha1_block_data_order_avx BORINGSSL_PREFIX %+ _sha1_block_data_order_avx +%xdefine sha1_block_data_order_avx2 BORINGSSL_PREFIX %+ _sha1_block_data_order_avx2 +%xdefine sha1_block_data_order_hw BORINGSSL_PREFIX %+ _sha1_block_data_order_hw +%xdefine sha1_block_data_order_nohw BORINGSSL_PREFIX %+ _sha1_block_data_order_nohw +%xdefine sha1_block_data_order_ssse3 BORINGSSL_PREFIX %+ _sha1_block_data_order_ssse3 +%xdefine sha256_block_data_order_avx BORINGSSL_PREFIX %+ _sha256_block_data_order_avx +%xdefine sha256_block_data_order_hw BORINGSSL_PREFIX %+ _sha256_block_data_order_hw +%xdefine sha256_block_data_order_nohw BORINGSSL_PREFIX %+ _sha256_block_data_order_nohw +%xdefine sha256_block_data_order_ssse3 BORINGSSL_PREFIX %+ _sha256_block_data_order_ssse3 +%xdefine sha512_block_data_order_avx BORINGSSL_PREFIX %+ _sha512_block_data_order_avx +%xdefine sha512_block_data_order_hw BORINGSSL_PREFIX %+ _sha512_block_data_order_hw +%xdefine sha512_block_data_order_nohw BORINGSSL_PREFIX %+ _sha512_block_data_order_nohw %xdefine sk_free BORINGSSL_PREFIX %+ _sk_free -%xdefine sk_insert BORINGSSL_PREFIX %+ _sk_insert -%xdefine sk_is_sorted BORINGSSL_PREFIX %+ _sk_is_sorted -%xdefine sk_new 
BORINGSSL_PREFIX %+ _sk_new %xdefine sk_new_null BORINGSSL_PREFIX %+ _sk_new_null %xdefine sk_num BORINGSSL_PREFIX %+ _sk_num %xdefine sk_pop BORINGSSL_PREFIX %+ _sk_pop %xdefine sk_pop_free BORINGSSL_PREFIX %+ _sk_pop_free %xdefine sk_pop_free_ex BORINGSSL_PREFIX %+ _sk_pop_free_ex %xdefine sk_push BORINGSSL_PREFIX %+ _sk_push -%xdefine sk_set BORINGSSL_PREFIX %+ _sk_set -%xdefine sk_set_cmp_func BORINGSSL_PREFIX %+ _sk_set_cmp_func -%xdefine sk_shift BORINGSSL_PREFIX %+ _sk_shift -%xdefine sk_sort BORINGSSL_PREFIX %+ _sk_sort %xdefine sk_value BORINGSSL_PREFIX %+ _sk_value -%xdefine sk_zero BORINGSSL_PREFIX %+ _sk_zero +%xdefine spx_base_b BORINGSSL_PREFIX %+ _spx_base_b +%xdefine spx_copy_keypair_addr BORINGSSL_PREFIX %+ _spx_copy_keypair_addr +%xdefine spx_fors_pk_from_sig BORINGSSL_PREFIX %+ _spx_fors_pk_from_sig +%xdefine spx_fors_sign BORINGSSL_PREFIX %+ _spx_fors_sign +%xdefine spx_fors_sk_gen BORINGSSL_PREFIX %+ _spx_fors_sk_gen +%xdefine spx_fors_treehash BORINGSSL_PREFIX %+ _spx_fors_treehash +%xdefine spx_generate_key BORINGSSL_PREFIX %+ _spx_generate_key +%xdefine spx_generate_key_from_seed BORINGSSL_PREFIX %+ _spx_generate_key_from_seed +%xdefine spx_get_tree_index BORINGSSL_PREFIX %+ _spx_get_tree_index +%xdefine spx_ht_sign BORINGSSL_PREFIX %+ _spx_ht_sign +%xdefine spx_ht_verify BORINGSSL_PREFIX %+ _spx_ht_verify +%xdefine spx_set_chain_addr BORINGSSL_PREFIX %+ _spx_set_chain_addr +%xdefine spx_set_hash_addr BORINGSSL_PREFIX %+ _spx_set_hash_addr +%xdefine spx_set_keypair_addr BORINGSSL_PREFIX %+ _spx_set_keypair_addr +%xdefine spx_set_layer_addr BORINGSSL_PREFIX %+ _spx_set_layer_addr +%xdefine spx_set_tree_addr BORINGSSL_PREFIX %+ _spx_set_tree_addr +%xdefine spx_set_tree_height BORINGSSL_PREFIX %+ _spx_set_tree_height +%xdefine spx_set_tree_index BORINGSSL_PREFIX %+ _spx_set_tree_index +%xdefine spx_set_type BORINGSSL_PREFIX %+ _spx_set_type +%xdefine spx_sign BORINGSSL_PREFIX %+ _spx_sign +%xdefine spx_thash_f BORINGSSL_PREFIX %+ _spx_thash_f 
+%xdefine spx_thash_h BORINGSSL_PREFIX %+ _spx_thash_h +%xdefine spx_thash_hmsg BORINGSSL_PREFIX %+ _spx_thash_hmsg +%xdefine spx_thash_prf BORINGSSL_PREFIX %+ _spx_thash_prf +%xdefine spx_thash_prfmsg BORINGSSL_PREFIX %+ _spx_thash_prfmsg +%xdefine spx_thash_tk BORINGSSL_PREFIX %+ _spx_thash_tk +%xdefine spx_thash_tl BORINGSSL_PREFIX %+ _spx_thash_tl +%xdefine spx_to_uint64 BORINGSSL_PREFIX %+ _spx_to_uint64 +%xdefine spx_treehash BORINGSSL_PREFIX %+ _spx_treehash +%xdefine spx_uint64_to_len_bytes BORINGSSL_PREFIX %+ _spx_uint64_to_len_bytes +%xdefine spx_verify BORINGSSL_PREFIX %+ _spx_verify +%xdefine spx_wots_pk_from_sig BORINGSSL_PREFIX %+ _spx_wots_pk_from_sig +%xdefine spx_wots_pk_gen BORINGSSL_PREFIX %+ _spx_wots_pk_gen +%xdefine spx_wots_sign BORINGSSL_PREFIX %+ _spx_wots_sign +%xdefine spx_xmss_pk_from_sig BORINGSSL_PREFIX %+ _spx_xmss_pk_from_sig +%xdefine spx_xmss_sign BORINGSSL_PREFIX %+ _spx_xmss_sign %xdefine v2i_GENERAL_NAME BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME %xdefine v2i_GENERAL_NAMES BORINGSSL_PREFIX %+ _v2i_GENERAL_NAMES %xdefine v2i_GENERAL_NAME_ex BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME_ex 
@@ -5836,12 +5913,15 @@ %xdefine x25519_ge_p3_to_cached BORINGSSL_PREFIX %+ _x25519_ge_p3_to_cached %xdefine x25519_ge_scalarmult BORINGSSL_PREFIX %+ _x25519_ge_scalarmult %xdefine x25519_ge_scalarmult_base BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_base +%xdefine x25519_ge_scalarmult_base_adx BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_base_adx %xdefine x25519_ge_scalarmult_small_precomp BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_small_precomp %xdefine x25519_ge_sub BORINGSSL_PREFIX %+ _x25519_ge_sub %xdefine x25519_ge_tobytes BORINGSSL_PREFIX %+ _x25519_ge_tobytes %xdefine x25519_pkey_meth BORINGSSL_PREFIX %+ _x25519_pkey_meth %xdefine x25519_sc_reduce BORINGSSL_PREFIX %+ _x25519_sc_reduce +%xdefine x25519_scalar_mult_adx BORINGSSL_PREFIX %+ _x25519_scalar_mult_adx %xdefine x509V3_add_value_asn1_string BORINGSSL_PREFIX %+ _x509V3_add_value_asn1_string +%xdefine x509_check_issued_with_callback BORINGSSL_PREFIX %+ _x509_check_issued_with_callback %xdefine x509_digest_sign_algorithm BORINGSSL_PREFIX %+ _x509_digest_sign_algorithm %xdefine x509_digest_verify_init BORINGSSL_PREFIX %+ _x509_digest_verify_init %xdefine x509_print_rsa_pss_params BORINGSSL_PREFIX %+ _x509_print_rsa_pss_params diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_mul.S b/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_mul.S new file mode 100644 index 00000000..436b68c1 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_mul.S 
@@ -0,0 +1,183 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ + (defined(__APPLE__) || defined(__ELF__)) + +.intel_syntax noprefix +.text +#if defined(__APPLE__) +.private_extern _fiat_curve25519_adx_mul +.global _fiat_curve25519_adx_mul +_fiat_curve25519_adx_mul: +#else +.type fiat_curve25519_adx_mul, @function +.hidden fiat_curve25519_adx_mul +.global fiat_curve25519_adx_mul +fiat_curve25519_adx_mul: +#endif + +.cfi_startproc +_CET_ENDBR +push rbp +.cfi_adjust_cfa_offset 8 +.cfi_offset rbp, -16 +mov rbp, rsp + +mov rax, rdx +mov rdx, [ rsi + 0x18 ] +mulx r11, r10, [ rax + 0x8 ] +mov rdx, [ rax + 0x0 ] +mov [ rsp - 0x58 ], r15 +.cfi_offset r15, -16-0x58 +mulx r8, rcx, [ rsi + 0x18 ] +mov rdx, [ rsi + 0x8 ] +mov [ rsp - 0x80 ], rbx +.cfi_offset rbx, -16-0x80 +mulx rbx, r9, [ rax + 0x18 ] +mov rdx, [ rsi + 0x8 ] +mov [ rsp - 0x70 ], r12 +.cfi_offset r12, -16-0x70 +mulx r15, r12, [ rax + 0x8 ] +mov rdx, [ rsi + 0x0 ] +mov [ rsp - 0x68 ], r13 +.cfi_offset r13, -16-0x68 +mov [ rsp - 0x60 ], r14 +.cfi_offset r14, -16-0x60 +mulx r14, r13, [ rax + 0x0 ] +mov rdx, [ rax + 0x10 ] +mov [ rsp - 0x18 ], r15 +mov [ rsp - 0x50 ], rdi +mulx rdi, r15, [ rsi + 0x0 ] +mov rdx, [ rax + 0x18 ] +mov [ rsp - 0x48 ], r13 +mov [ rsp - 0x40 ], r9 +mulx r9, r13, [ rsi + 0x0 ] +test al, al +adox rcx, rdi +mov rdx, [ rsi + 0x10 ] +mov [ rsp - 0x38 ], r13 +mulx r13, rdi, [ rax + 0x8 ] +adox r10, r9 +mov rdx, 0x0 +adox rbx, rdx +adcx rdi, rcx +adcx r8, r10 +mov r9, rdx +adcx r9, rbx +mov rdx, [ rsi + 0x10 ] +mulx r10, rcx, [ rax + 0x0 ] +mov rdx, [ rsi + 0x0 ] +mov [ rsp - 0x30 ], r15 +mulx r15, rbx, [ rax + 0x8 ] +mov rdx, -0x2 +inc rdx +adox rcx, r15 +setc r15b +clc +adcx rcx, r12 +adox r10, rdi +mov rdx, [ rax + 0x10 ] +mov [ rsp - 0x78 ], rcx +mulx rcx, rdi, [ rsi + 0x10 ] +adox rdi, r8 +mov rdx, [ rax + 0x18 ] +mov [ rsp - 0x28 ], rcx +mulx rcx, r8, [ rsi + 0x10 ] +mov rdx, [ rax + 0x10 ] +mov [ rsp - 0x20 ], r8 +mulx 
r12, r8, [ rsi + 0x18 ] +adox r8, r9 +mov rdx, [ rsi + 0x8 ] +mov [ rsp - 0x10 ], r12 +mulx r12, r9, [ rax + 0x10 ] +movzx rdx, r15b +lea rdx, [ rdx + rcx ] +adcx r9, r10 +adcx r13, rdi +mov r15, 0x0 +mov r10, r15 +adox r10, rdx +mov rdx, [ rax + 0x18 ] +mulx rcx, rdi, [ rsi + 0x18 ] +adox rcx, r15 +adcx r11, r8 +mov rdx, r15 +adcx rdx, r10 +adcx rcx, r15 +mov r8, rdx +mov rdx, [ rax + 0x0 ] +mulx r15, r10, [ rsi + 0x8 ] +test al, al +adox r10, r14 +adcx rbx, r10 +adox r15, [ rsp - 0x78 ] +adcx r15, [ rsp - 0x30 ] +adox r9, [ rsp - 0x18 ] +adcx r9, [ rsp - 0x38 ] +adox r13, [ rsp - 0x40 ] +adcx r12, r13 +adox r11, [ rsp - 0x20 ] +adcx r11, [ rsp - 0x28 ] +mov rdx, 0x26 +mulx rsi, r14, r12 +adox rdi, r8 +adcx rdi, [ rsp - 0x10 ] +mulx r10, r8, r11 +mov r13, 0x0 +adox rcx, r13 +adcx rcx, r13 +mulx r11, r12, rdi +xor rdi, rdi +adox r8, rbx +adox r12, r15 +mulx rbx, r13, rcx +adcx r14, [ rsp - 0x48 ] +adox r13, r9 +adox rbx, rdi +adcx rsi, r8 +adcx r10, r12 +adcx r11, r13 +adc rbx, 0x0 +mulx r9, r15, rbx +xor r9, r9 +adox r15, r14 +mov rdi, r9 +adox rdi, rsi +mov rcx, r9 +adox rcx, r10 +mov r8, [ rsp - 0x50 ] +mov [ r8 + 0x8 ], rdi +mov r12, r9 +adox r12, r11 +mov r14, r9 +cmovo r14, rdx +mov [ r8 + 0x18 ], r12 +adcx r15, r14 +mov [ r8 + 0x0 ], r15 +mov [ r8 + 0x10 ], rcx +mov rbx, [ rsp - 0x80 ] +.cfi_restore rbx +mov r12, [ rsp - 0x70 ] +.cfi_restore r12 +mov r13, [ rsp - 0x68 ] +.cfi_restore r13 +mov r14, [ rsp - 0x60 ] +.cfi_restore r14 +mov r15, [ rsp - 0x58 ] +.cfi_restore r15 + +pop rbp +.cfi_restore rbp +.cfi_adjust_cfa_offset -8 +ret +.cfi_endproc +#if defined(__ELF__) +.size fiat_curve25519_adx_mul, .-fiat_curve25519_adx_mul +#endif + +#endif +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_square.S b/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_square.S new file mode 100644 index 00000000..dd1d0bb0 --- /dev/null 
+++ b/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_square.S 
@@ -0,0 +1,151 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ + (defined(__APPLE__) || defined(__ELF__)) + +.intel_syntax noprefix +.text +#if defined(__APPLE__) +.private_extern _fiat_curve25519_adx_square +.global _fiat_curve25519_adx_square +_fiat_curve25519_adx_square: +#else +.type fiat_curve25519_adx_square, @function +.hidden fiat_curve25519_adx_square +.global fiat_curve25519_adx_square +fiat_curve25519_adx_square: +#endif + +.cfi_startproc +_CET_ENDBR +push rbp +.cfi_adjust_cfa_offset 8 +.cfi_offset rbp, -16 +mov rbp, rsp + +mov rdx, [ rsi + 0x0 ] +mulx r10, rax, [ rsi + 0x8 ] +mov rdx, [ rsi + 0x0 ] +mulx rcx, r11, [ rsi + 0x10 ] +xor rdx, rdx +adox r11, r10 +mov rdx, [ rsi + 0x0 ] +mulx r9, r8, [ rsi + 0x18 ] +mov rdx, [ rsi + 0x8 ] +mov [ rsp - 0x80 ], rbx +.cfi_offset rbx, -16-0x80 +mulx rbx, r10, [ rsi + 0x18 ] +adox r8, rcx +mov [rsp - 0x48 ], rdi +adox r10, r9 +adcx rax, rax +mov rdx, [ rsi + 0x10 ] +mulx r9, rcx, [ rsi + 0x18 ] +adox rcx, rbx +mov rdx, [ rsi + 0x10 ] +mulx rdi, rbx, [ rsi + 0x8 ] +mov rdx, 0x0 +adox r9, rdx +mov [ rsp - 0x70 ], r12 +.cfi_offset r12, -16-0x70 +mov r12, -0x3 +inc r12 +adox rbx, r8 +adox rdi, r10 +adcx r11, r11 +mov r8, rdx +adox r8, rcx +mov r10, rdx +adox r10, r9 +adcx rbx, rbx +mov rdx, [ rsi + 0x0 ] +mulx r9, rcx, rdx +mov rdx, [ rsi + 0x8 ] +mov [ rsp - 0x68 ], r13 +.cfi_offset r13, -16-0x68 +mov [ rsp - 0x60 ], r14 +.cfi_offset r14, -16-0x60 +mulx r14, r13, rdx +seto dl +inc r12 +adox r9, rax +adox r13, r11 +adox r14, rbx +adcx rdi, rdi +mov al, dl +mov rdx, [ rsi + 0x10 ] +mulx rbx, r11, rdx +adox r11, rdi +adcx r8, r8 +adox rbx, r8 +adcx r10, r10 +movzx rdx, al +mov rdi, 0x0 +adcx rdx, rdi +movzx r8, al +lea r8, [ r8 + rdx ] +mov rdx, [ rsi + 0x18 ] +mulx rdi, rax, rdx +adox rax, r10 +mov rdx, 0x26 +mov [ rsp - 0x58 ], r15 +.cfi_offset r15, -16-0x58 +mulx r15, r10, r11 +clc +adcx r10, rcx +mulx r11, rcx, rbx +adox r8, rdi +mulx rdi, rbx, 
r8 +inc r12 +adox rcx, r9 +mulx r8, r9, rax +adcx r15, rcx +adox r9, r13 +adcx r11, r9 +adox rbx, r14 +adox rdi, r12 +adcx r8, rbx +adc rdi, 0x0 +mulx r14, r13, rdi +test al, al +mov rdi, [ rsp - 0x48 ] +adox r13, r10 +mov r14, r12 +adox r14, r15 +mov [ rdi + 0x8 ], r14 +mov rax, r12 +adox rax, r11 +mov r10, r12 +adox r10, r8 +mov [ rdi + 0x10 ], rax +mov rcx, r12 +cmovo rcx, rdx +adcx r13, rcx +mov [ rdi + 0x0 ], r13 +mov [ rdi + 0x18 ], r10 +mov rbx, [ rsp - 0x80 ] +.cfi_restore rbx +mov r12, [ rsp - 0x70 ] +.cfi_restore r12 +mov r13, [ rsp - 0x68 ] +.cfi_restore r13 +mov r14, [ rsp - 0x60 ] +.cfi_restore r14 +mov r15, [ rsp - 0x58 ] +.cfi_restore r15 + +pop rbp +.cfi_restore rbp +.cfi_adjust_cfa_offset -8 +ret +.cfi_endproc +#if defined(__ELF__) +.size fiat_curve25519_adx_square, .-fiat_curve25519_adx_square +#endif + +#endif +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_p256_adx_mul.S b/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_p256_adx_mul.S new file mode 100644 index 00000000..90060f5b --- /dev/null +++ b/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_p256_adx_mul.S 
@@ -0,0 +1,183 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ + (defined(__APPLE__) || defined(__ELF__)) + +.intel_syntax noprefix +.text +#if defined(__APPLE__) +.private_extern _fiat_p256_adx_mul +.global _fiat_p256_adx_mul +_fiat_p256_adx_mul: +#else +.type fiat_p256_adx_mul, @function +.hidden fiat_p256_adx_mul +.global fiat_p256_adx_mul +fiat_p256_adx_mul: +#endif + +.cfi_startproc +_CET_ENDBR +push rbp +.cfi_adjust_cfa_offset 8 +.cfi_offset rbp, -16 +mov rbp, rsp +mov rax, rdx +mov rdx, [ rsi + 0x0 ] +test al, al +mulx r8, rcx, [ rax + 0x0 ] +mov [ rsp - 0x80 ], rbx +.cfi_offset rbx, -16-0x80 +mulx rbx, r9, [ rax + 0x8 ] +mov [ rsp - 0x68 ], r14 +.cfi_offset r14, -16-0x68 +adc r9, r8 +mov [ rsp - 0x60 ], r15 +.cfi_offset r15, -16-0x60 +mulx r15, r14, [ rax + 0x10 ] +mov [ rsp - 0x78 ], r12 +.cfi_offset r12, -16-0x78 +adc r14, rbx +mulx r11, r10, [ rax + 0x18 ] +mov [ rsp - 0x70 ], r13 +.cfi_offset r13, -16-0x70 +adc r10, r15 +mov rdx, [ rsi + 0x8 ] +mulx rbx, r8, [ rax + 0x0 ] +adc r11, 0x0 +xor r15, r15 +adcx r8, r9 +adox rbx, r14 +mov [ rsp - 0x58 ], rdi +mulx rdi, r9, [ rax + 0x8 ] +adcx r9, rbx +adox rdi, r10 +mulx rbx, r14, [ rax + 0x10 ] +adcx r14, rdi +adox rbx, r11 +mulx r13, r12, [ rax + 0x18 ] +adcx r12, rbx +mov rdx, 0x100000000 +mulx r11, r10, rcx +adox r13, r15 +adcx r13, r15 +xor rdi, rdi +adox r10, r8 +mulx r8, rbx, r10 +adox r11, r9 +adcx rbx, r11 +adox r8, r14 +mov rdx, 0xffffffff00000001 +mulx r9, r15, rcx +adcx r15, r8 +adox r9, r12 +mulx r14, rcx, r10 +mov rdx, [ rsi + 0x10 ] +mulx r10, r12, [ rax + 0x8 ] +adcx rcx, r9 +adox r14, r13 +mulx r11, r13, [ rax + 0x0 ] +mov r9, rdi +adcx r14, r9 +adox rdi, rdi +adc rdi, 0x0 +xor r9, r9 +adcx r13, rbx +adox r11, r15 +mov rdx, [ rsi + 0x10 ] +mulx r15, r8, [ rax + 0x10 ] +adox r10, rcx +mulx rcx, rbx, [ rax + 0x18 ] +mov rdx, [ rsi + 0x18 ] +adcx r12, r11 +mulx rsi, r11, [ rax + 0x8 ] +adcx r8, r10 +adox r15, r14 +adcx rbx, 
r15 +adox rcx, r9 +adcx rcx, r9 +mulx r15, r10, [ rax + 0x0 ] +add rcx, rdi +mov r14, r9 +adc r14, 0 +xor r9, r9 +adcx r10, r12 +adox r15, r8 +adcx r11, r15 +adox rsi, rbx +mulx r8, r12, [ rax + 0x10 ] +adox r8, rcx +mulx rcx, rbx, [ rax + 0x18 ] +adcx r12, rsi +adox rcx, r9 +mov rdx, 0x100000000 +adcx rbx, r8 +adc rcx, 0 +mulx rdi, r15, r13 +xor rax, rax +adcx rcx, r14 +adc rax, 0 +xor r9, r9 +adox r15, r10 +mulx r14, r10, r15 +adox rdi, r11 +mov rdx, 0xffffffff00000001 +adox r14, r12 +adcx r10, rdi +mulx r12, r11, r13 +adcx r11, r14 +adox r12, rbx +mulx rbx, r13, r15 +adcx r13, r12 +adox rbx, rcx +mov r8, r9 +adox rax, r9 +adcx r8, rbx +adc rax, 0x0 +mov rcx, rax +mov r15, 0xffffffffffffffff +mov rdi, r10 +sub rdi, r15 +mov r14, 0xffffffff +mov r12, r11 +sbb r12, r14 +mov rbx, r13 +sbb rbx, r9 +mov rax, rax +mov rax, r8 +sbb rax, rdx +sbb rcx, r9 +cmovc rdi, r10 +mov r10, [ rsp - 0x58 ] +cmovc rbx, r13 +mov r13, [ rsp - 0x70 ] +.cfi_restore r13 +cmovc r12, r11 +cmovc rax, r8 +mov [ r10 + 0x10 ], rbx +mov rbx, [ rsp - 0x80 ] +.cfi_restore rbx +mov [ r10 + 0x0 ], rdi +mov [ r10 + 0x8 ], r12 +mov [ r10 + 0x18 ], rax +mov r12, [ rsp - 0x78 ] +.cfi_restore r12 +mov r14, [ rsp - 0x68 ] +.cfi_restore r14 +mov r15, [ rsp - 0x60 ] +.cfi_restore r15 +pop rbp +.cfi_restore rbp +.cfi_adjust_cfa_offset -8 +ret +.cfi_endproc +#if defined(__ELF__) +.size fiat_p256_adx_mul, .-fiat_p256_adx_mul +#endif + +#endif +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_p256_adx_sqr.S b/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_p256_adx_sqr.S new file mode 100644 index 00000000..b74359ef --- /dev/null +++ b/Sources/CJWTKitBoringSSL/third_party/fiat/asm/fiat_p256_adx_sqr.S 
@@ -0,0 +1,172 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ + (defined(__APPLE__) || defined(__ELF__)) + +.intel_syntax noprefix +.text +#if defined(__APPLE__) +.private_extern _fiat_p256_adx_sqr +.global _fiat_p256_adx_sqr +_fiat_p256_adx_sqr: +#else +.type fiat_p256_adx_sqr, @function +.hidden fiat_p256_adx_sqr +.global fiat_p256_adx_sqr +fiat_p256_adx_sqr: +#endif + +.cfi_startproc +_CET_ENDBR +push rbp +.cfi_adjust_cfa_offset 8 +.cfi_offset rbp, -16 +mov rbp, rsp +mov rdx, [ rsi + 0x0 ] +mulx r10, rax, [ rsi + 0x18 ] +mulx rcx, r11, rdx +mulx r9, r8, [ rsi + 0x8 ] +mov [ rsp - 0x80 ], rbx +.cfi_offset rbx, -16-0x80 +xor rbx, rbx +adox r8, r8 +mov [ rsp - 0x78 ], r12 +.cfi_offset r12, -16-0x78 +mulx r12, rbx, [ rsi + 0x10 ] +mov rdx, [ rsi + 0x8 ] +mov [ rsp - 0x70 ], r13 +.cfi_offset r13, -16-0x70 +mov [ rsp - 0x68 ], r14 +.cfi_offset r14, -16-0x68 +mulx r14, r13, rdx +mov [ rsp - 0x60 ], r15 +.cfi_offset r15, -16-0x60 +mov [ rsp - 0x58 ], rdi +mulx rdi, r15, [ rsi + 0x10 ] +adcx r12, r15 +mov [ rsp - 0x50 ], r11 +mulx r11, r15, [ rsi + 0x18 ] +adcx r10, rdi +mov rdi, 0x0 +adcx r11, rdi +clc +adcx rbx, r9 +adox rbx, rbx +adcx rax, r12 +adox rax, rax +adcx r15, r10 +adox r15, r15 +mov rdx, [ rsi + 0x10 ] +mulx r12, r9, [ rsi + 0x18 ] +adcx r9, r11 +adcx r12, rdi +mulx r11, r10, rdx +clc +adcx rcx, r8 +adcx r13, rbx +adcx r14, rax +adox r9, r9 +adcx r10, r15 +mov rdx, [ rsi + 0x18 ] +mulx rbx, r8, rdx +adox r12, r12 +adcx r11, r9 +mov rsi, [ rsp - 0x50 ] +adcx r8, r12 +mov rax, 0x100000000 +mov rdx, rax +mulx r15, rax, rsi +adcx rbx, rdi +adox rbx, rdi +xor r9, r9 +adox rax, rcx +adox r15, r13 +mulx rcx, rdi, rax +adcx rdi, r15 +adox rcx, r14 +mov rdx, 0xffffffff00000001 +mulx r14, r13, rsi +adox r14, r10 +adcx r13, rcx +mulx r12, r10, rax +adox r12, r11 +mov r11, r9 +adox r11, r8 +adcx r10, r14 +mov r8, r9 +adcx r8, r12 +mov rax, r9 +adcx rax, r11 +mov r15, r9 +adox r15, rbx +mov rdx, 
0x100000000 +mulx rcx, rbx, rdi +mov r14, r9 +adcx r14, r15 +mov r12, r9 +adox r12, r12 +adcx r12, r9 +adox rbx, r13 +mulx r11, r13, rbx +mov r15, 0xffffffff00000001 +mov rdx, r15 +mulx rsi, r15, rbx +adox rcx, r10 +adox r11, r8 +mulx r8, r10, rdi +adcx r13, rcx +adox r8, rax +adcx r10, r11 +adox rsi, r14 +mov rdi, r12 +mov rax, r9 +adox rdi, rax +adcx r15, r8 +mov r14, rax +adcx r14, rsi +adcx rdi, r9 +dec r9 +mov rbx, r13 +sub rbx, r9 +mov rcx, 0xffffffff +mov r11, r10 +sbb r11, rcx +mov r8, r15 +sbb r8, rax +mov rsi, r14 +sbb rsi, rdx +sbb rdi, rax +cmovc rbx, r13 +cmovc r8, r15 +cmovc r11, r10 +cmovc rsi, r14 +mov rdi, [ rsp - 0x58 ] +mov [ rdi + 0x18 ], rsi +mov [ rdi + 0x0 ], rbx +mov [ rdi + 0x8 ], r11 +mov [ rdi + 0x10 ], r8 +mov rbx, [ rsp - 0x80 ] +.cfi_restore rbx +mov r12, [ rsp - 0x78 ] +.cfi_restore r12 +mov r13, [ rsp - 0x70 ] +.cfi_restore r13 +mov r14, [ rsp - 0x68 ] +.cfi_restore r14 +mov r15, [ rsp - 0x60 ] +.cfi_restore r15 +pop rbp +.cfi_restore rbp +.cfi_adjust_cfa_offset -8 +ret +.cfi_endproc +#if defined(__ELF__) +.size fiat_p256_adx_sqr, .-fiat_p256_adx_sqr +#endif + +#endif +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_64_adx.h b/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_64_adx.h new file mode 100644 index 00000000..4a665bd1 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_64_adx.h 
@@ -0,0 +1,693 @@ +#include +#include "../../crypto/internal.h" + +#include +#include +#include + +typedef uint64_t fe4[4]; +typedef uint8_t fiat_uint1; +typedef int8_t fiat_int1; + +static __inline__ uint64_t fiat_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} + +__attribute__((target("adx,bmi2"))) +static inline void fe4_mul(fe4 out, const fe4 x, const fe4 y) { fiat_curve25519_adx_mul(out, x, y); } + +__attribute__((target("adx,bmi2"))) +static inline void fe4_sq(fe4 out, const fe4 x) { fiat_curve25519_adx_square(out, x); } + +/* + * The function fiat_mulx_u64 is a multiplication, returning the full double-width result. + * + * Postconditions: + * out1 = (arg1 * arg2) mod 2^64 + * out2 = ⌊arg1 * arg2 / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0xffffffffffffffff] + * arg2: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0xffffffffffffffff] + */ +__attribute__((target("adx,bmi2"))) +static inline void fiat_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { +// NOTE: edited after generation +#if defined(_M_X64) + unsigned long long t; + *out1 = _umul128(arg1, arg2, &t); + *out2 = t; +#elif defined(_M_ARM64) + *out1 = arg1 * arg2; + *out2 = __umulh(arg1, arg2); +#else + unsigned __int128 t = (unsigned __int128)arg1 * arg2; + *out1 = t; + *out2 = (t >> 64); +#endif +} + +/* + * The function fiat_addcarryx_u64 is an addition with carry. 
+ * + * Postconditions: + * out1 = (arg1 + arg2 + arg3) mod 2^64 + * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0x1] + */ +__attribute__((target("adx,bmi2"))) +static inline void fiat_addcarryx_u64(uint64_t* out1, fiat_uint1* out2, fiat_uint1 arg1, uint64_t arg2, uint64_t arg3) { +// NOTE: edited after generation +#if defined(__has_builtin) +# if __has_builtin(__builtin_ia32_addcarryx_u64) +# define addcarry64 __builtin_ia32_addcarryx_u64 +# endif +#endif +#if defined(addcarry64) + long long unsigned int t; + *out2 = addcarry64(arg1, arg2, arg3, &t); + *out1 = t; +#elif defined(_M_X64) + long long unsigned int t; + *out2 = _addcarry_u64(arg1, arg2, arg3, out1); + *out1 = t; +#else + arg2 += arg1; + arg1 = arg2 < arg1; + uint64_t ret = arg2 + arg3; + arg1 += ret < arg2; + *out1 = ret; + *out2 = arg1; +#endif +#undef addcarry64 +} + +/* + * The function fiat_subborrowx_u64 is a subtraction with borrow. 
+ * + * Postconditions: + * out1 = (-arg1 + arg2 + -arg3) mod 2^64 + * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [0x0 ~> 0x1] + */ +__attribute__((target("adx,bmi2"))) +static inline void fiat_subborrowx_u64(uint64_t* out1, fiat_uint1* out2, fiat_uint1 arg1, uint64_t arg2, uint64_t arg3) { +#if defined(__has_builtin) +# if __has_builtin(__builtin_ia32_subborrow_u64) +# define subborrow64 __builtin_ia32_subborrow_u64 +# endif +#endif +#if defined(subborrow64) + long long unsigned int t; + *out2 = subborrow64(arg1, arg2, arg3, &t); + *out1 = t; +#elif defined(_M_X64) + long long unsigned int t; + *out2 = _subborrow_u64(arg1, arg2, arg3, &t); // NOTE: edited after generation + *out1 = t; +#else + *out1 = arg2 - arg3 - arg1; + *out2 = (arg2 < arg3) | ((arg2 == arg3) & arg1); +#endif +#undef subborrow64 +} + +/* + * The function fiat_cmovznz_u64 is a single-word conditional move. 
+ * + * Postconditions: + * out1 = (if arg1 = 0 then arg2 else arg3) + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [0x0 ~> 0xffffffffffffffff] + * arg3: [0x0 ~> 0xffffffffffffffff] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + */ +__attribute__((target("adx,bmi2"))) +static inline void fiat_cmovznz_u64(uint64_t* out1, fiat_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_uint1 x1; + uint64_t x2; + uint64_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); + x3 = ((fiat_value_barrier_u64(x2) & arg3) | (fiat_value_barrier_u64((~x2)) & arg2)); + *out1 = x3; +} + +/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +__attribute__((target("adx,bmi2"))) +static void fe4_add(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { + uint64_t x1; + fiat_uint1 x2; + uint64_t x3; + fiat_uint1 x4; + uint64_t x5; + fiat_uint1 x6; + uint64_t x7; + fiat_uint1 x8; + uint64_t x9; + uint64_t x10; + fiat_uint1 x11; + uint64_t x12; + fiat_uint1 x13; + uint64_t x14; + fiat_uint1 x15; + uint64_t x16; + fiat_uint1 x17; + uint64_t x18; + uint64_t x19; + fiat_uint1 x20; + fiat_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_cmovznz_u64(&x9, x8, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and + fiat_addcarryx_u64(&x10, &x11, 0x0, x1, x9); + fiat_addcarryx_u64(&x12, &x13, x11, x3, 0x0); + fiat_addcarryx_u64(&x14, &x15, x13, x5, 0x0); + 
fiat_addcarryx_u64(&x16, &x17, x15, x7, 0x0); + fiat_cmovznz_u64(&x18, x17, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and + fiat_addcarryx_u64(&x19, &x20, 0x0, x10, x18); + out1[0] = x19; + out1[1] = x12; + out1[2] = x14; + out1[3] = x16; +} + +/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +__attribute__((target("adx,bmi2"))) +static void fe4_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { + uint64_t x1; + uint64_t x2; + fiat_uint1 x3; + uint64_t x4; + uint64_t x5; + fiat_uint1 x6; + uint64_t x7; + uint64_t x8; + fiat_uint1 x9; + uint64_t x10; + uint64_t x11; + fiat_uint1 x12; + uint64_t x13; + uint64_t x14; + fiat_uint1 x15; + uint64_t x16; + fiat_uint1 x17; + uint64_t x18; + fiat_uint1 x19; + uint64_t x20; + fiat_uint1 x21; + uint64_t x22; + uint64_t x23; + fiat_uint1 x24; + x1 = (arg2[0]); + fiat_subborrowx_u64(&x2, &x3, 0x0, (arg1[0]), x1); + x4 = (arg2[1]); + fiat_subborrowx_u64(&x5, &x6, x3, (arg1[1]), x4); + x7 = (arg2[2]); + fiat_subborrowx_u64(&x8, &x9, x6, (arg1[2]), x7); + x10 = (arg2[3]); + fiat_subborrowx_u64(&x11, &x12, x9, (arg1[3]), x10); + fiat_cmovznz_u64(&x13, x12, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and + fiat_subborrowx_u64(&x14, &x15, 0x0, x2, x13); + fiat_subborrowx_u64(&x16, &x17, x15, x5, 0x0); + fiat_subborrowx_u64(&x18, &x19, x17, x8, 0x0); + fiat_subborrowx_u64(&x20, &x21, x19, x11, 0x0); + fiat_cmovznz_u64(&x22, x21, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and + fiat_subborrowx_u64(&x23, &x24, 0x0, x14, x22); + out1[0] = x23; + out1[1] = x16; + out1[2] = x18; + out1[3] = x20; +} + 
+/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg2: [0x0 ~> 0x3ffffffffffffff] // NOTE: this is not any uint64! + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +__attribute__((target("adx,bmi2"))) +static void fe4_scmul(uint64_t out1[4], const uint64_t arg1[4], uint64_t arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + fiat_uint1 x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + fiat_uint1 x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiat_uint1 x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + fiat_uint1 x18; + uint64_t x19; + fiat_uint1 x20; + uint64_t x21; + fiat_uint1 x22; + uint64_t x23; + fiat_uint1 x24; + uint64_t x25; + uint64_t x26; + fiat_uint1 x27; + fiat_mulx_u64(&x1, &x2, (arg1[0]), arg2); + fiat_mulx_u64(&x3, &x4, (arg1[1]), arg2); + fiat_addcarryx_u64(&x5, &x6, 0x0, x2, x3); + fiat_mulx_u64(&x7, &x8, (arg1[2]), arg2); + fiat_addcarryx_u64(&x9, &x10, x6, x4, x7); + fiat_mulx_u64(&x11, &x12, (arg1[3]), arg2); + fiat_addcarryx_u64(&x13, &x14, x10, x8, x11); + fiat_mulx_u64(&x15, &x16, (x12 + (uint64_t)x14), UINT8_C(0x26)); + fiat_addcarryx_u64(&x17, &x18, 0x0, x1, x15); + fiat_addcarryx_u64(&x19, &x20, x18, x5, 0x0); + fiat_addcarryx_u64(&x21, &x22, x20, x9, 0x0); + fiat_addcarryx_u64(&x23, &x24, x22, x13, 0x0); + fiat_cmovznz_u64(&x25, x24, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and + fiat_addcarryx_u64(&x26, &x27, 0x0, x17, x25); + out1[0] = x26; + out1[1] = x19; + out1[2] = x21; + out1[3] = x23; +} + +/* + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff]] + */ +__attribute__((target("adx,bmi2"))) +static void fe4_canon(uint64_t out1[4], const uint64_t arg1[4]) { + uint64_t x1; + fiat_uint1 x2; + uint64_t x3; + fiat_uint1 x4; + uint64_t x5; + fiat_uint1 x6; + uint64_t x7; + fiat_uint1 x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiat_uint1 x14; + uint64_t x15; + fiat_uint1 x16; + uint64_t x17; + fiat_uint1 x18; + uint64_t x19; + fiat_uint1 x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + fiat_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0xffffffffffffffed)); + fiat_subborrowx_u64(&x3, &x4, x2, (arg1[1]), UINT64_C(0xffffffffffffffff)); + fiat_subborrowx_u64(&x5, &x6, x4, (arg1[2]), UINT64_C(0xffffffffffffffff)); + fiat_subborrowx_u64(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7fffffffffffffff)); + fiat_cmovznz_u64(&x9, x8, x1, (arg1[0])); + fiat_cmovznz_u64(&x10, x8, x3, (arg1[1])); + fiat_cmovznz_u64(&x11, x8, x5, (arg1[2])); + fiat_cmovznz_u64(&x12, x8, x7, (arg1[3])); + fiat_subborrowx_u64(&x13, &x14, 0x0, x9, UINT64_C(0xffffffffffffffed)); + fiat_subborrowx_u64(&x15, &x16, x14, x10, UINT64_C(0xffffffffffffffff)); + fiat_subborrowx_u64(&x17, &x18, x16, x11, UINT64_C(0xffffffffffffffff)); + fiat_subborrowx_u64(&x19, &x20, x18, x12, UINT64_C(0x7fffffffffffffff)); + fiat_cmovznz_u64(&x21, x20, x13, x9); + fiat_cmovznz_u64(&x22, x20, x15, x10); + fiat_cmovznz_u64(&x23, x20, x17, x11); + fiat_cmovznz_u64(&x24, x20, x19, x12); + out1[0] = x21; + out1[1] = x22; + out1[2] = x23; + out1[3] = x24; +} + +/* + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * 
out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +__attribute__((target("adx,bmi2"))) +static void fe4_cswap(uint64_t out1[4], uint64_t out2[4], fiat_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + // NOTE: clang 14 for Zen 2 uses YMM registers + fiat_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); + fiat_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); + fiat_cmovznz_u64(&x5, arg1, (arg3[0]), (arg2[0])); + fiat_cmovznz_u64(&x6, arg1, (arg3[1]), (arg2[1])); + fiat_cmovznz_u64(&x7, arg1, (arg3[2]), (arg2[2])); + fiat_cmovznz_u64(&x8, arg1, (arg3[3]), (arg2[3])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out2[0] = x5; + out2[1] = x6; + out2[2] = x7; + out2[3] = x8; +} + +// The following functions are adaped from crypto/curve25519/curve25519.c +// It would be desirable to share the code, but with the current field +// implementations both 4-limb and 5-limb versions of the curve-level code need +// to be included in builds targetting an unknown variant of x86_64. 
+ +__attribute__((target("adx,bmi2"))) +static void fe4_invert(fe4 out, const fe4 z) { + fe4 t0; + fe4 t1; + fe4 t2; + fe4 t3; + int i; + + fe4_sq(t0, z); + fe4_sq(t1, t0); + for (i = 1; i < 2; ++i) { + fe4_sq(t1, t1); + } + fe4_mul(t1, z, t1); + fe4_mul(t0, t0, t1); + fe4_sq(t2, t0); + fe4_mul(t1, t1, t2); + fe4_sq(t2, t1); + for (i = 1; i < 5; ++i) { + fe4_sq(t2, t2); + } + fe4_mul(t1, t2, t1); + fe4_sq(t2, t1); + for (i = 1; i < 10; ++i) { + fe4_sq(t2, t2); + } + fe4_mul(t2, t2, t1); + fe4_sq(t3, t2); + for (i = 1; i < 20; ++i) { + fe4_sq(t3, t3); + } + fe4_mul(t2, t3, t2); + fe4_sq(t2, t2); + for (i = 1; i < 10; ++i) { + fe4_sq(t2, t2); + } + fe4_mul(t1, t2, t1); + fe4_sq(t2, t1); + for (i = 1; i < 50; ++i) { + fe4_sq(t2, t2); + } + fe4_mul(t2, t2, t1); + fe4_sq(t3, t2); + for (i = 1; i < 100; ++i) { + fe4_sq(t3, t3); + } + fe4_mul(t2, t3, t2); + fe4_sq(t2, t2); + for (i = 1; i < 50; ++i) { + fe4_sq(t2, t2); + } + fe4_mul(t1, t2, t1); + fe4_sq(t1, t1); + for (i = 1; i < 5; ++i) { + fe4_sq(t1, t1); + } + fe4_mul(out, t1, t0); +} + +__attribute__((target("adx,bmi2"))) +void x25519_scalar_mult_adx(uint8_t out[32], const uint8_t scalar[32], + const uint8_t point[32]) { + uint8_t e[32]; + OPENSSL_memcpy(e, scalar, 32); + e[0] &= 248; + e[31] &= 127; + e[31] |= 64; + + // The following implementation was transcribed to Coq and proven to + // correspond to unary scalar multiplication in affine coordinates given that + // x1 != 0 is the x coordinate of some point on the curve. It was also checked + // in Coq that doing a ladderstep with x1 = x3 = 0 gives z2' = z3' = 0, and z2 + // = z3 = 0 gives z2' = z3' = 0. The statement was quantified over the + // underlying field, so it applies to Curve25519 itself and the quadratic + // twist of Curve25519. It was not proven in Coq that prime-field arithmetic + // correctly simulates extension-field arithmetic on prime-field values. + // The decoding of the byte array representation of e was not considered. 
+ // Specification of Montgomery curves in affine coordinates: + // + // Proof that these form a group that is isomorphic to a Weierstrass curve: + // + // Coq transcription and correctness proof of the loop (where scalarbits=255): + // + // + // preconditions: 0 <= e < 2^255 (not necessarily e < order), fe_invert(0) = 0 + fe4 x1, x2 = {1}, z2 = {0}, x3, z3 = {1}, tmp0, tmp1; + OPENSSL_memcpy(x1, point, sizeof(fe4)); + x1[3] &= (uint64_t)(-1)>>1; + OPENSSL_memcpy(x3, x1, sizeof(fe4)); + + unsigned swap = 0; + int pos; + for (pos = 254; pos >= 0; --pos) { + // loop invariant as of right before the test, for the case where x1 != 0: + // pos >= -1; if z2 = 0 then x2 is nonzero; if z3 = 0 then x3 is nonzero + // let r := e >> (pos+1) in the following equalities of projective points: + // to_xz (r*P) === if swap then (x3, z3) else (x2, z2) + // to_xz ((r+1)*P) === if swap then (x2, z2) else (x3, z3) + // x1 is the nonzero x coordinate of the nonzero point (r*P-(r+1)*P) + unsigned b = 1 & (e[pos / 8] >> (pos & 7)); + swap ^= b; + fe4_cswap(x2, x3, swap, x2, x3); + fe4_cswap(z2, z3, swap, z2, z3); + swap = b; + // Coq transcription of ladderstep formula (called from transcribed loop): + // + // + // x1 != 0 + // x1 = 0 + fe4_sub(tmp0, x3, z3); + fe4_sub(tmp1, x2, z2); + fe4_add(x2, x2, z2); + fe4_add(z2, x3, z3); + fe4_mul(z3, tmp0, x2); + fe4_mul(z2, z2, tmp1); + fe4_sq(tmp0, tmp1); + fe4_sq(tmp1, x2); + fe4_add(x3, z3, z2); + fe4_sub(z2, z3, z2); + fe4_mul(x2, tmp1, tmp0); + fe4_sub(tmp1, tmp1, tmp0); + fe4_sq(z2, z2); + fe4_scmul(z3, tmp1, 121666); + fe4_sq(x3, x3); + fe4_add(tmp0, tmp0, z3); + fe4_mul(z3, x1, z2); + fe4_mul(z2, tmp1, tmp0); + } + // here pos=-1, so r=e, so to_xz (e*P) === if swap then (x3, z3) else (x2, z2) + fe4_cswap(x2, x3, swap, x2, x3); + fe4_cswap(z2, z3, swap, z2, z3); + + fe4_invert(z2, z2); + fe4_mul(x2, x2, z2); + fe4_canon(x2, x2); + OPENSSL_memcpy(out, x2, sizeof(fe4)); +} + +typedef struct { + fe4 X; + fe4 Y; + fe4 Z; + fe4 T; +} ge_p3_4; 
+ +typedef struct { + fe4 yplusx; + fe4 yminusx; + fe4 xy2d; +} ge_precomp_4; + +__attribute__((target("adx,bmi2"))) +static void inline_x25519_ge_dbl_4(ge_p3_4 *r, const ge_p3_4 *p, bool skip_t) { + // Transcribed from a Coq function proven against affine coordinates. + // https://github.com/mit-plv/fiat-crypto/blob/9943ba9e7d8f3e1c0054b2c94a5edca46ea73ef8/src/Curves/Edwards/XYZT/Basic.v#L136-L165 + fe4 trX, trZ, trT, t0, cX, cY, cZ, cT; + fe4_sq(trX, p->X); + fe4_sq(trZ, p->Y); + fe4_sq(trT, p->Z); + fe4_add(trT, trT, trT); + fe4_add(cY, p->X, p->Y); + fe4_sq(t0, cY); + fe4_add(cY, trZ, trX); + fe4_sub(cZ, trZ, trX); + fe4_sub(cX, t0, cY); + fe4_sub(cT, trT, cZ); + fe4_mul(r->X, cX, cT); + fe4_mul(r->Y, cY, cZ); + fe4_mul(r->Z, cZ, cT); + if (!skip_t) { + fe4_mul(r->T, cX, cY); + } +} + +__attribute__((target("adx,bmi2"))) +__attribute__((always_inline)) // 4% speedup with clang14 and zen2 +static inline void +ge_p3_add_p3_precomp_4(ge_p3_4 *r, const ge_p3_4 *p, const ge_precomp_4 *q) { + fe4 A, B, C, YplusX, YminusX, D, X3, Y3, Z3, T3; + // Transcribed from a Coq function proven against affine coordinates. 
+ // https://github.com/mit-plv/fiat-crypto/blob/a36568d1d73aff5d7accc79fd28be672882f9c17/src/Curves/Edwards/XYZT/Precomputed.v#L38-L56 + fe4_add(YplusX, p->Y, p->X); + fe4_sub(YminusX, p->Y, p->X); + fe4_mul(A, YplusX, q->yplusx); + fe4_mul(B, YminusX, q->yminusx); + fe4_mul(C, q->xy2d, p->T); + fe4_add(D, p->Z, p->Z); + fe4_sub(X3, A, B); + fe4_add(Y3, A, B); + fe4_add(Z3, D, C); + fe4_sub(T3, D, C); + fe4_mul(r->X, X3, T3); + fe4_mul(r->Y, Y3, Z3); + fe4_mul(r->Z, Z3, T3); + fe4_mul(r->T, X3, Y3); +} + +__attribute__((always_inline)) // 25% speedup with clang14 and zen2 +static inline void table_select_4(ge_precomp_4 *t, const int pos, + const signed char b) { + uint8_t bnegative = constant_time_msb_w(b); + uint8_t babs = b - ((bnegative & b) << 1); + + uint8_t t_bytes[3][32] = { + {constant_time_is_zero_w(b) & 1}, {constant_time_is_zero_w(b) & 1}, {0}}; +#if defined(__clang__) + __asm__("" : "+m" (t_bytes) : /*no inputs*/); +#endif + static_assert(sizeof(t_bytes) == sizeof(k25519Precomp[pos][0]), ""); + for (int i = 0; i < 8; i++) { + constant_time_conditional_memxor(t_bytes, k25519Precomp[pos][i], + sizeof(t_bytes), + constant_time_eq_w(babs, 1 + i)); + } + + static_assert(sizeof(t_bytes) == sizeof(ge_precomp_4), ""); + + // fe4 uses saturated 64-bit limbs, so converting from bytes is just a copy. + OPENSSL_memcpy(t, t_bytes, sizeof(ge_precomp_4)); + + fe4 xy2d_neg = {0}; + fe4_sub(xy2d_neg, xy2d_neg, t->xy2d); + constant_time_conditional_memcpy(t->yplusx, t_bytes[1], sizeof(fe4), + bnegative); + constant_time_conditional_memcpy(t->yminusx, t_bytes[0], sizeof(fe4), + bnegative); + constant_time_conditional_memcpy(t->xy2d, xy2d_neg, sizeof(fe4), bnegative); +} + +// h = a * B +// where a = a[0]+256*a[1]+...+256^31 a[31] +// B is the Ed25519 base point (x,4/5) with x positive. 
+// +// Preconditions: +// a[31] <= 127 +__attribute__((target("adx,bmi2"))) +void x25519_ge_scalarmult_base_adx(uint8_t h[4][32], const uint8_t a[32]) { + signed char e[64]; + signed char carry; + + for (unsigned i = 0; i < 32; ++i) { + e[2 * i + 0] = (a[i] >> 0) & 15; + e[2 * i + 1] = (a[i] >> 4) & 15; + } + // each e[i] is between 0 and 15 + // e[63] is between 0 and 7 + + carry = 0; + for (unsigned i = 0; i < 63; ++i) { + e[i] += carry; + carry = e[i] + 8; + carry >>= 4; + e[i] -= carry << 4; + } + e[63] += carry; + // each e[i] is between -8 and 8 + + ge_p3_4 r = {{0}, {1}, {1}, {0}}; + for (unsigned i = 1; i < 64; i += 2) { + ge_precomp_4 t; + table_select_4(&t, i / 2, e[i]); + ge_p3_add_p3_precomp_4(&r, &r, &t); + } + + inline_x25519_ge_dbl_4(&r, &r, /*skip_t=*/true); + inline_x25519_ge_dbl_4(&r, &r, /*skip_t=*/true); + inline_x25519_ge_dbl_4(&r, &r, /*skip_t=*/true); + inline_x25519_ge_dbl_4(&r, &r, /*skip_t=*/false); + + for (unsigned i = 0; i < 64; i += 2) { + ge_precomp_4 t; + table_select_4(&t, i / 2, e[i]); + ge_p3_add_p3_precomp_4(&r, &r, &t); + } + + // fe4 uses saturated 64-bit limbs, so converting to bytes is just a copy. + // Satisfy stated precondition of fiat_25519_from_bytes; tests pass either way + fe4_canon(r.X, r.X); + fe4_canon(r.Y, r.Y); + fe4_canon(r.Z, r.Z); + fe4_canon(r.T, r.T); + static_assert(sizeof(ge_p3_4) == sizeof(uint8_t[4][32]), ""); + OPENSSL_memcpy(h, &r, sizeof(ge_p3_4)); +} diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/p256_64.h b/Sources/CJWTKitBoringSSL/third_party/fiat/p256_64.h index c7726384..b0e06fc0 100644 --- a/Sources/CJWTKitBoringSSL/third_party/fiat/p256_64.h +++ b/Sources/CJWTKitBoringSSL/third_party/fiat/p256_64.h 
@@ -1,3 +1,10 @@ +#include +#include "../../crypto/internal.h" +#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__) +void fiat_p256_adx_mul(uint64_t*, const uint64_t*, const uint64_t*); +void fiat_p256_adx_sqr(uint64_t*, const uint64_t*); +#endif + /* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */ /* curve description: p256 */ /* machine_wordsize = 64 (from "64") */ @@ -165,6 +172,13 @@ static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p25 * */ static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { +#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__) + if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() && + CRYPTO_is_ADX_capable()) { + fiat_p256_adx_mul(out1, arg1, arg2); + return; + } +#endif uint64_t x1; uint64_t x2; uint64_t x3; @@ -472,6 +486,13 @@ static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_fiel * */ static FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { +#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__) + if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() && + CRYPTO_is_ADX_capable()) { + fiat_p256_adx_sqr(out1, arg1); + return; + } +#endif uint64_t x1; uint64_t x2; uint64_t x3; diff --git a/Sources/JWTKit/RSA/RSAKey.swift b/Sources/JWTKit/RSA/RSAKey.swift index ed6885f7..f17ec517 100644 --- a/Sources/JWTKit/RSA/RSAKey.swift +++ b/Sources/JWTKit/RSA/RSAKey.swift 
@@ -172,18 +172,20 @@ public final class RSAKey: OpenSSLKey { } let type: KeyType - - internal var c: UnsafeMutablePointer { - return self.cRaw.assumingMemoryBound(to: RSA.self) + + internal var c: OpaquePointer { + return CJWTKitBoringSSL_EVP_PKEY_get1_RSA(self.cRaw) } - internal let cRaw: UnsafeMutableRawPointer//RSA + + let cRaw: OpaquePointer - init(_ c: UnsafeMutablePointer, _ type: KeyType) { + init(_ c: OpaquePointer, _ type: KeyType) { self.type = type - self.cRaw = UnsafeMutableRawPointer(c) + self.cRaw = CJWTKitBoringSSL_EVP_PKEY_new() + CJWTKitBoringSSL_EVP_PKEY_assign_RSA(cRaw, c) } deinit { - CJWTKitBoringSSL_RSA_free(self.c) + CJWTKitBoringSSL_EVP_PKEY_free(self.c) } } diff --git a/scripts/build-asm.py b/scripts/build-asm.py index b5d8298f..d7122f79 100644 --- a/scripts/build-asm.py +++ b/scripts/build-asm.py @@ -73,12 +73,13 @@ def ExtractPerlAsmFromCMakeFile(cmakefile): raise ValueError('Bad perlasm line in %s' % cmakefile) # Remove "perlasm(" from start and ")" from end params = line[8:-1].split() - if len(params) != 4: - raise ValueError('Bad perlasm line in %s' % cmakefile) + if len(params) < 4: + raise ValueError('Bad perlasm line in %s: %s' % (cmakefile, line)) perlasms.append({ 'arch': params[1], 'output': os.path.join(os.path.dirname(cmakefile), params[2]), 'input': os.path.join(os.path.dirname(cmakefile), params[3]), + 'extra_args': params[4:], }) return perlasms @@ -122,7 +123,8 @@ def WriteAsmFiles(perlasms): raise ValueError('output missing crypto: %s' % output) output = os.path.join(outDir, output[17:]) output = '%s-%s.%s' % (output, osname, asm_ext) - PerlAsm(output, perlasm['input'], perlasm_style, extra_args) + per_command_extra_args = extra_args + perlasm['extra_args'] + PerlAsm(output, perlasm['input'], perlasm_style, per_command_extra_args) asmfiles.setdefault(key, []).append(output) return asmfiles @@ -203,4 +205,3 @@ def main(): if __name__ == '__main__': main() - 
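Review bot: `deinit` passes `self.c` to `CJWTKitBoringSSL_EVP_PKEY_free`, but `c` now evaluates `CJWTKitBoringSSL_EVP_PKEY_get1_RSA(self.cRaw)` and so yields an RSA pointer rather than the EVP_PKEY; releasing an RSA object through the EVP_PKEY free path is a type confusion, and the EVP_PKEY created in `init` is never released at all. The deinit should release the owning handle instead: `CJWTKitBoringSSL_EVP_PKEY_free(self.cRaw)`. Separately, a `get1` accessor returns a reference the caller must `RSA_free`, so every read of `c` leaks one RSA reference unless the callers (outside this hunk) balance it; if they do not, the non-owning `CJWTKitBoringSSL_EVP_PKEY_get0_RSA` accessor is the safer choice, documented with `/// Borrowed RSA handle owned by cRaw; do not free.` The result of `CJWTKitBoringSSL_EVP_PKEY_assign_RSA` is unchecked and that call transfers ownership of `c` to `cRaw`, which deserves a comment on the initializer. The enclosing class starts outside the hunk.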
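Review bot: The relaxed `len(params) < 4` check in ExtractPerlAsmFromCMakeFile now accepts and forwards any trailing tokens of a `perlasm(` line, but nothing documents what `extra_args` is expected to hold or how it combines with the global `extra_args` in WriteAsmFiles. A comment at the dict literal would make the contract explicit: `# params[4:]: per-file flags from the CMake perlasm() call, appended after the global extra_args in WriteAsmFiles`. Both functions start outside their hunks.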
diff --git a/scripts/vendor-boringssl.sh b/scripts/vendor-boringssl.sh index ca3b1699..995e13c6 100755 --- a/scripts/vendor-boringssl.sh +++ b/scripts/vendor-boringssl.sh @@ -53,8 +53,6 @@ HERE=$(pwd) DSTROOT=Sources/CJWTKitBoringSSL TMPDIR=$(mktemp -d /tmp/.workingXXXXXX) SRCROOT="${TMPDIR}/src/boringssl.googlesource.com/boringssl" -#CROSS_COMPILE_TARGET_LOCATION="/Library/Developer/Destinations" -CROSS_COMPILE_VERSION="5.8-jammy" # This function namespaces the awkward inline functions declared in OpenSSL # and BoringSSL. @@ -93,8 +91,8 @@ function mangle_symbols { # Begin by building for macOS. We build for two target triples, Intel # and Apple Silicon. - swift build --triple "x86_64-apple-macosx" --product CJWTKitBoringSSL - swift build --triple "arm64-apple-macosx" --product CJWTKitBoringSSL + swift build --triple "x86_64-apple-macosx" --product CJWTKitBoringSSL --enable-test-discovery + swift build --triple "arm64-apple-macosx" --product CJWTKitBoringSSL --enable-test-discovery ( cd "${SRCROOT}" go mod tidy -modcacherw 
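Review bot: `--enable-test-discovery` is added to the two macOS `swift build` invocations but not to the Linux `docker run ... swift build` invocations in the following hunk, and test discovery is a Linux concern in the first place; as far as I recall it has been the default since Swift 5.4 and the flag prints a deprecation warning there. If the flag is genuinely needed for this toolchain, apply it to all four builds consistently; otherwise drop it, or add a comment above the macOS builds stating why only they pass it. mangle_symbols starts outside the hunk.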
@@ -112,31 +110,9 @@ function mangle_symbols { ) # Now cross compile for our targets. - # If you have trouble with the script around this point, consider - # https://github.com/CSCIX65G/SwiftCrossCompilers to obtain cross - # compilers for the architectures we care about. - # -# for cc_target in "${CROSS_COMPILE_TARGET_LOCATION}"/*"${CROSS_COMPILE_VERSION}"*.json; do -# echo "Cross compiling for ${cc_target}" -# swift build --product CJWTKitBoringSSL --destination "${cc_target}" -# done; - - # N.B.: The cross-compilation "support" used by the original version of - # this script (see above) is very painful and unreliable, so we're using a - # couple of quick-and-dirty Docker commands instead (which means we can't - # generate symbols for 32-bit architectures). Fortunately, true cross-compilation - # support was said to be imminent at the time of this writing. - # - # Requirements for this approach: - # - Docker Desktop for Mac version 4.19.0 or higher - # - File sharing for the directory containing this repository must be allowed - # - "Use Virtualization framework" must be enabled - # - "Use Rosetta for x86/amd64 emulation on Apple Silicon" must be enabled - docker run -t -i --rm --privileged -v$(pwd):/src -w/src --platform linux/arm64 \ - "swift:${CROSS_COMPILE_VERSION}" \ + docker run -t -i --rm --privileged -v$(pwd):/src -w/src --platform linux/arm64 swift:5.8-jammy \ swift build --product CJWTKitBoringSSL - docker run -t -i --rm --privileged -v$(pwd):/src -w/src --platform linux/amd64 \ - "swift:${CROSS_COMPILE_VERSION}" \ + docker run -t -i --rm --privileged -v$(pwd):/src -w/src --platform linux/amd64 swift:5.8-jammy \ swift build --product CJWTKitBoringSSL # Now we need to generate symbol mangles for Linux. We can do this in @@ -232,6 +208,7 @@ PATTERNS=( 'crypto/*/*/*.S' 'crypto/*/*/*/*.c' 'third_party/fiat/*.h' +'third_party/fiat/asm/*.S' #'third_party/fiat/*.c' ) 
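Review bot: The two `docker run` lines now hard-code the image tag `swift:5.8-jammy` twice, replacing the single `CROSS_COMPILE_VERSION` variable removed earlier in the file, so a future toolchain bump has to be made in two places. Keep one variable, e.g. `SWIFT_IMAGE="swift:5.8-jammy"`, and since the generated symbol mangles depend on this build, consider pinning the image by digest (`swift:5.8-jammy@sha256:<digest>`) so the vendoring step is reproducible rather than tracking a mutable tag. The removed comment block also documented the Docker Desktop requirements (file sharing, virtualization framework, Rosetta) that the remaining commands still depend on; a short version of that list should stay above them. mangle_symbols starts outside the hunk.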
@@ -273,7 +250,7 @@ rm -f $DSTROOT/crypto/fipsmodule/bcm.c echo "REMOVING libssl" ( cd "$DSTROOT" - rm "include/openssl/ssl.h" "include/openssl/srtp.h" "include/openssl/ssl3.h" "include/openssl/tls1.h" + rm "include/openssl/dtls1.h" "include/openssl/ssl.h" "include/openssl/srtp.h" "include/openssl/ssl3.h" "include/openssl/tls1.h" rm -rf "ssl" ) @@ -325,8 +302,21 @@ git apply "${HERE}/scripts/patch-2-more-inttypes.patch" # We need BoringSSL to be modularised echo "MODULARISING BoringSSL" cat << EOF > "$DSTROOT/include/CJWTKitBoringSSL.h" -#ifndef C_JWT_KIT_BORINGSSL_H -#define C_JWT_KIT_BORINGSSL_H +//===----------------------------------------------------------------------===// +// +// This source file is part of the SwiftCrypto open source project +// +// Copyright (c) 2019 Apple Inc. and the SwiftCrypto project authors +// Licensed under Apache License v2.0 +// +// See LICENSE.txt for license information +// See CONTRIBUTORS.md for the list of SwiftCrypto project authors +// +// SPDX-License-Identifier: Apache-2.0 +// +//===----------------------------------------------------------------------===// +#ifndef C_CRYPTO_BORINGSSL_H +#define C_CRYPTO_BORINGSSL_H #include "CJWTKitBoringSSL_aes.h" #include "CJWTKitBoringSSL_arm_arch.h" @@ -345,7 +335,6 @@ cat << EOF > "$DSTROOT/include/CJWTKitBoringSSL.h" #include "CJWTKitBoringSSL_cpu.h" #include "CJWTKitBoringSSL_curve25519.h" #include "CJWTKitBoringSSL_des.h" -#include "CJWTKitBoringSSL_dtls1.h" #include "CJWTKitBoringSSL_e_os2.h" #include "CJWTKitBoringSSL_ec.h" #include "CJWTKitBoringSSL_ec_key.h" @@ -374,7 +363,7 @@ cat << EOF > "$DSTROOT/include/CJWTKitBoringSSL.h" #include "CJWTKitBoringSSL_trust_token.h" #include "CJWTKitBoringSSL_x509v3.h" -#endif // C_JWT_KIT_BORINGSSL_H +#endif // C_CRYPTO_BORINGSSL_H EOF # modulemap is required by the cmake build @@ -392,4 +381,3 @@ echo "This directory is derived from BoringSSL cloned from https://boringssl.goo echo "CLEANING temporary directory" rm -rf "${TMPDIR}" -
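Review bot: The umbrella header's include guard is renamed from `C_JWT_KIT_BORINGSSL_H` to `C_CRYPTO_BORINGSSL_H`, which appears to be the guard of the swift-crypto umbrella header this banner was copied from; if a translation unit ever includes both packages' umbrella headers, whichever comes second is silently skipped. Keep a guard unique to this package, e.g. `#ifndef C_JWT_KIT_BORINGSSL_H` / `#define C_JWT_KIT_BORINGSSL_H`, with the matching `#endif // C_JWT_KIT_BORINGSSL_H` in the later hunk of the same heredoc. The new license banner attributes the generated file to the SwiftCrypto project; confirm that is the intended attribution for a header this script generates for JWTKit. The heredoc begins in this hunk and continues past it.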